From 3972eb6df4b2f5f3a133afa72a253568cc3cf1df Mon Sep 17 00:00:00 2001 
From: Ludovico Magnocavallo Date: Thu, 29 Feb 2024 07:45:19 +0100 Subject: [PATCH] Align resource names in FAST networking stages (#2115) * stage c nva * fix tests * remove moved blocks from net c stage * simplify subnet naming in stage 2 net e * address most renames in stage 2 e * address most renames in stage 2 e * address most renames in stage 2 e * complete renames in stage 2 e * use non-regional names in subnets * use non-regional names in subnets * use non-regional names in subnets --- .../subnets/dev/dev-dataplatform-ew1.yaml | 1 + .../data/subnets/dev/dev-default-ew1.yaml | 1 + .../data/subnets/dev/dev-gke-nodes-ew1.yaml | 1 + .../subnets/landing/landing-default-ew1.yaml | 1 + .../data/subnets/prod/prod-default-ew1.yaml | 1 + fast/stages/2-networking-a-peering/dns-dev.tf | 15 - .../2-networking-a-peering/dns-landing.tf | 15 - .../stages/2-networking-a-peering/dns-prod.tf | 15 - .../2-networking-a-peering/net-landing.tf | 5 - .../subnets/dev/dev-dataplatform-ew1.yaml | 1 + .../data/subnets/dev/dev-default-ew1.yaml | 1 + .../data/subnets/dev/dev-gke-nodes-ew1.yaml | 1 + .../subnets/landing/landing-default-ew1.yaml | 1 + .../data/subnets/prod/prod-default-ew1.yaml | 1 + fast/stages/2-networking-b-vpn/dns-dev.tf | 15 - fast/stages/2-networking-b-vpn/dns-landing.tf | 15 - fast/stages/2-networking-b-vpn/dns-prod.tf | 15 - fast/stages/2-networking-b-vpn/net-landing.tf | 5 - fast/stages/2-networking-c-nva/README.md | 70 +- .../default-ingress.yaml | 2 +- .../{landing-untrusted => dmz}/rules.yaml | 2 +- .../landing}/default-ingress.yaml | 2 +- .../{landing-trusted => landing}/rules.yaml | 4 +- .../subnets/dev/dev-dataplatform-ew1.yaml | 1 + .../data/subnets/dev/dev-default-ew1.yaml | 1 + .../data/subnets/dev/dev-default-ew4.yaml | 1 + .../data/subnets/dev/dev-gke-nodes-ew1.yaml | 1 + .../dmz-ew1.yaml} | 3 +- .../dmz-ew4.yaml} | 3 +- .../landing-trusted-default-ew1.yaml | 5 - .../landing-trusted-default-ew4.yaml | 5 - .../subnets/landing/landing-default-ew1.yaml | 6 
+ .../subnets/landing/landing-default-ew4.yaml | 6 + .../data/subnets/prod/prod-default-ew1.yaml | 1 + .../data/subnets/prod/prod-default-ew4.yaml | 1 + fast/stages/2-networking-c-nva/dns-dev.tf | 21 +- fast/stages/2-networking-c-nva/dns-landing.tf | 33 +- fast/stages/2-networking-c-nva/dns-prod.tf | 18 +- fast/stages/2-networking-c-nva/main.tf | 4 +- fast/stages/2-networking-c-nva/net-dev.tf | 11 +- fast/stages/2-networking-c-nva/net-landing.tf | 46 +- fast/stages/2-networking-c-nva/net-prod.tf | 11 +- fast/stages/2-networking-c-nva/nva.tf | 52 +- fast/stages/2-networking-c-nva/outputs.tf | 8 +- .../2-networking-c-nva/test-resources.tf | 28 +- fast/stages/2-networking-c-nva/variables.tf | 16 +- fast/stages/2-networking-c-nva/vpn-onprem.tf | 4 +- .../subnets/dev/dev-dataplatform-ew1.yaml | 1 + .../data/subnets/dev/dev-default-ew1.yaml | 1 + .../data/subnets/dev/dev-gke-nodes-ew1.yaml | 1 + .../data/subnets/prod/prod-default-ew1.yaml | 1 + .../2-networking-d-separate-envs/dns-dev.tf | 10 - .../2-networking-d-separate-envs/dns-prod.tf | 10 - fast/stages/2-networking-e-nva-bgp/README.md | 38 +- .../data/bgp-config.tftpl | 42 +- .../2-networking-e-nva-bgp/data/cidrs.yaml | 4 +- .../firewall-rules/dmz}/default-ingress.yaml | 2 +- .../{landing-untrusted => dmz}/rules.yaml | 8 +- .../default-ingress.yaml | 2 +- .../{landing-trusted => landing}/rules.yaml | 8 +- .../subnets/dev/dev-dataplatform-ew1.yaml | 1 + .../data/subnets/dev/dev-default-ew1.yaml | 1 + .../data/subnets/dev/dev-default-ew4.yaml | 1 + .../data/subnets/dev/dev-gke-nodes-ew1.yaml | 1 + .../dmz-default-ew1.yaml} | 3 +- .../dmz-default-ew4.yaml} | 3 +- .../landing-default-ew1.yaml} | 3 +- .../landing-default-ew4.yaml} | 3 +- .../data/subnets/prod/prod-default-ew1.yaml | 1 + .../data/subnets/prod/prod-default-ew4.yaml | 1 + fast/stages/2-networking-e-nva-bgp/dns-dev.tf | 6 +- .../2-networking-e-nva-bgp/dns-landing.tf | 16 +- .../stages/2-networking-e-nva-bgp/dns-prod.tf | 6 +- 
fast/stages/2-networking-e-nva-bgp/main.tf | 4 +- fast/stages/2-networking-e-nva-bgp/ncc.tf | 64 +- fast/stages/2-networking-e-nva-bgp/net-dev.tf | 2 +- .../2-networking-e-nva-bgp/net-landing.tf | 42 +- .../stages/2-networking-e-nva-bgp/net-prod.tf | 2 +- fast/stages/2-networking-e-nva-bgp/nva.tf | 110 +- fast/stages/2-networking-e-nva-bgp/outputs.tf | 8 +- .../2-networking-e-nva-bgp/test-resources.tf | 36 +- .../2-networking-e-nva-bgp/variables.tf | 20 +- .../2-networking-e-nva-bgp/vpn-onprem.tf | 4 +- .../stages/s2_networking_c_nva/stage.yaml | 41 +- .../stages/s2_networking_e_nva_bgp/stage.yaml | 3639 +++++++++++++++++ 85 files changed, 4097 insertions(+), 525 deletions(-) rename fast/stages/2-networking-c-nva/data/firewall-rules/{landing-trusted => dmz}/default-ingress.yaml (85%) rename fast/stages/2-networking-c-nva/data/firewall-rules/{landing-untrusted => dmz}/rules.yaml (92%) rename fast/stages/{2-networking-e-nva-bgp/data/firewall-rules/landing-trusted => 2-networking-c-nva/data/firewall-rules/landing}/default-ingress.yaml (85%) rename fast/stages/2-networking-c-nva/data/firewall-rules/{landing-trusted => landing}/rules.yaml (88%) rename fast/stages/2-networking-c-nva/data/subnets/{landing-untrusted/landing-untrusted-default-ew1.yaml => dmz/dmz-ew1.yaml} (53%) rename fast/stages/2-networking-c-nva/data/subnets/{landing-untrusted/landing-untrusted-default-ew4.yaml => dmz/dmz-ew4.yaml} (53%) delete mode 100644 fast/stages/2-networking-c-nva/data/subnets/landing-trusted/landing-trusted-default-ew1.yaml delete mode 100644 fast/stages/2-networking-c-nva/data/subnets/landing-trusted/landing-trusted-default-ew4.yaml create mode 100644 fast/stages/2-networking-c-nva/data/subnets/landing/landing-default-ew1.yaml create mode 100644 fast/stages/2-networking-c-nva/data/subnets/landing/landing-default-ew4.yaml rename fast/stages/{2-networking-c-nva/data/firewall-rules/landing-untrusted => 2-networking-e-nva-bgp/data/firewall-rules/dmz}/default-ingress.yaml (84%) rename 
fast/stages/2-networking-e-nva-bgp/data/firewall-rules/{landing-untrusted => dmz}/rules.yaml (87%) rename fast/stages/2-networking-e-nva-bgp/data/firewall-rules/{landing-untrusted => landing}/default-ingress.yaml (84%) rename fast/stages/2-networking-e-nva-bgp/data/firewall-rules/{landing-trusted => landing}/rules.yaml (86%) rename fast/stages/2-networking-e-nva-bgp/data/subnets/{landing-untrusted/landing-untrusted-default-ew1.yaml => dmz/dmz-default-ew1.yaml} (53%) rename fast/stages/2-networking-e-nva-bgp/data/subnets/{landing-untrusted/landing-untrusted-default-ew4.yaml => dmz/dmz-default-ew4.yaml} (53%) rename fast/stages/2-networking-e-nva-bgp/data/subnets/{landing-trusted/landing-trusted-default-ew1.yaml => landing/landing-default-ew1.yaml} (50%) rename fast/stages/2-networking-e-nva-bgp/data/subnets/{landing-trusted/landing-trusted-default-ew4.yaml => landing/landing-default-ew4.yaml} (50%) diff --git a/fast/stages/2-networking-a-peering/data/subnets/dev/dev-dataplatform-ew1.yaml b/fast/stages/2-networking-a-peering/data/subnets/dev/dev-dataplatform-ew1.yaml index b037772d..9b1cfb46 100644 --- a/fast/stages/2-networking-a-peering/data/subnets/dev/dev-dataplatform-ew1.yaml +++ b/fast/stages/2-networking-a-peering/data/subnets/dev/dev-dataplatform-ew1.yaml @@ -1,5 +1,6 @@ # skip boilerplate check +name: dev-dataplatform region: europe-west1 description: Default subnet for dev Data Platform ip_cidr_range: 10.68.2.0/24 diff --git a/fast/stages/2-networking-a-peering/data/subnets/dev/dev-default-ew1.yaml b/fast/stages/2-networking-a-peering/data/subnets/dev/dev-default-ew1.yaml index fdb9c046..928fb1eb 100644 --- a/fast/stages/2-networking-a-peering/data/subnets/dev/dev-default-ew1.yaml +++ b/fast/stages/2-networking-a-peering/data/subnets/dev/dev-default-ew1.yaml @@ -1,5 +1,6 @@ # skip boilerplate check +name: dev-default region: europe-west1 ip_cidr_range: 10.68.0.0/24 description: Default subnet for dev 
diff --git a/fast/stages/2-networking-a-peering/data/subnets/dev/dev-gke-nodes-ew1.yaml b/fast/stages/2-networking-a-peering/data/subnets/dev/dev-gke-nodes-ew1.yaml index 087056b9..d0c5155e 100644 --- a/fast/stages/2-networking-a-peering/data/subnets/dev/dev-gke-nodes-ew1.yaml +++ b/fast/stages/2-networking-a-peering/data/subnets/dev/dev-gke-nodes-ew1.yaml @@ -1,5 +1,6 @@ # skip boilerplate check +name: dev-gke-nodes region: europe-west1 description: Default subnet for prod gke nodes ip_cidr_range: 10.68.1.0/24 diff --git a/fast/stages/2-networking-a-peering/data/subnets/landing/landing-default-ew1.yaml b/fast/stages/2-networking-a-peering/data/subnets/landing/landing-default-ew1.yaml index 3944c552..ad29c920 100644 --- a/fast/stages/2-networking-a-peering/data/subnets/landing/landing-default-ew1.yaml +++ b/fast/stages/2-networking-a-peering/data/subnets/landing/landing-default-ew1.yaml @@ -1,5 +1,6 @@ # skip boilerplate check +name: landing-default region: europe-west1 ip_cidr_range: 10.64.0.0/24 description: Default subnet for landing diff --git a/fast/stages/2-networking-a-peering/data/subnets/prod/prod-default-ew1.yaml b/fast/stages/2-networking-a-peering/data/subnets/prod/prod-default-ew1.yaml index 66a96398..cdc77d46 100644 --- a/fast/stages/2-networking-a-peering/data/subnets/prod/prod-default-ew1.yaml +++ b/fast/stages/2-networking-a-peering/data/subnets/prod/prod-default-ew1.yaml @@ -1,5 +1,6 @@ # skip boilerplate check +name: prod-default region: europe-west1 ip_cidr_range: 10.72.0.0/24 description: Default subnet for prod diff --git a/fast/stages/2-networking-a-peering/dns-dev.tf b/fast/stages/2-networking-a-peering/dns-dev.tf index 4a021f3a..78522d6f 100644 --- a/fast/stages/2-networking-a-peering/dns-dev.tf +++ b/fast/stages/2-networking-a-peering/dns-dev.tf 
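Review bot: In the `dev-gke-nodes-ew1.yaml` hunk the new `name: dev-gke-nodes` line sits directly above the unchanged context line `description: Default subnet for prod gke nodes`, so a dev-spoke subnet is now explicitly named for dev while its description still claims it belongs to prod. Since the commit's purpose is aligning resource names, the description should be corrected in the same change to `description: Default subnet for dev gke nodes`, otherwise the published subnet metadata keeps contradicting the name and the file path. The identical copy-paste description appears in the 2-networking-b-vpn copy of this file (`data/subnets/dev/dev-gke-nodes-ew1.yaml`) further down in this patch and should be fixed there too.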
@@ -18,11 +18,6 @@ # GCP-specific environment zone -moved { - from = module.dev-dns-private-zone - to = module.dev-dns-priv-example -} - module "dev-dns-priv-example" { source = "../../../modules/dns" project_id = module.dev-spoke-project.project_id @@ -40,11 +35,6 @@ module "dev-dns-priv-example" { # root zone peering to landing to centralize configuration; remove if unneeded -moved { - from = module.dev-landing-root-dns-peering - to = module.dev-dns-peer-landing-root -} - module "dev-dns-peer-landing-root" { source = "../../../modules/dns" project_id = module.dev-spoke-project.project_id @@ -58,11 +48,6 @@ module "dev-dns-peer-landing-root" { } } -moved { - from = module.dev-reverse-10-dns-peering - to = module.dev-dns-peer-landing-rev-10 -} - module "dev-dns-peer-landing-rev-10" { source = "../../../modules/dns" project_id = module.dev-spoke-project.project_id diff --git a/fast/stages/2-networking-a-peering/dns-landing.tf b/fast/stages/2-networking-a-peering/dns-landing.tf index 2c627122..54f8d211 100644 --- a/fast/stages/2-networking-a-peering/dns-landing.tf +++ b/fast/stages/2-networking-a-peering/dns-landing.tf @@ -18,11 +18,6 @@ # forwarding to on-prem DNS resolvers -moved { - from = module.onprem-example-dns-forwarding - to = module.landing-dns-fwd-onprem-example -} - module "landing-dns-fwd-onprem-example" { source = "../../../modules/dns" count = length(var.dns.resolvers) > 0 ? 1 : 0 @@ -37,11 +32,6 @@ module "landing-dns-fwd-onprem-example" { } } -moved { - from = module.reverse-10-dns-forwarding - to = module.landing-dns-fwd-onprem-rev-10 -} - module "landing-dns-fwd-onprem-rev-10" { source = "../../../modules/dns" count = length(var.dns.resolvers) > 0 ? 1 : 0 @@ -56,11 +46,6 @@ module "landing-dns-fwd-onprem-rev-10" { } } -moved { - from = module.gcp-example-dns-private-zone - to = module.landing-dns-priv-gcp -} - module "landing-dns-priv-gcp" { source = "../../../modules/dns" project_id = module.landing-project.project_id 
diff --git a/fast/stages/2-networking-a-peering/dns-prod.tf b/fast/stages/2-networking-a-peering/dns-prod.tf index 8b376bb0..c5ddc453 100644 --- a/fast/stages/2-networking-a-peering/dns-prod.tf +++ b/fast/stages/2-networking-a-peering/dns-prod.tf @@ -18,11 +18,6 @@ # GCP-specific environment zone -moved { - from = module.prod-dns-private-zone - to = module.prod-dns-priv-example -} - module "prod-dns-priv-example" { source = "../../../modules/dns" project_id = module.prod-spoke-project.project_id @@ -40,11 +35,6 @@ module "prod-dns-priv-example" { # root zone peering to landing to centralize configuration; remove if unneeded -moved { - from = module.prod-landing-root-dns-peering - to = module.prod-dns-peer-landing-root -} - module "prod-dns-peer-landing-root" { source = "../../../modules/dns" project_id = module.prod-spoke-project.project_id @@ -58,11 +48,6 @@ module "prod-dns-peer-landing-root" { } } -moved { - from = module.prod-reverse-10-dns-peering - to = module.prod-dns-peer-landing-rev-10 -} - module "prod-dns-peer-landing-rev-10" { source = "../../../modules/dns" project_id = module.prod-spoke-project.project_id diff --git a/fast/stages/2-networking-a-peering/net-landing.tf b/fast/stages/2-networking-a-peering/net-landing.tf index 5e646bdd..9a96e580 100644 --- a/fast/stages/2-networking-a-peering/net-landing.tf +++ b/fast/stages/2-networking-a-peering/net-landing.tf @@ -74,11 +74,6 @@ module "landing-firewall" { } } -moved { - from = module.landing-nat-ew1 - to = module.landing-nat-primary -} - module "landing-nat-primary" { source = "../../../modules/net-cloudnat" count = var.enable_cloud_nat ? 1 : 0 diff --git a/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-dataplatform-ew1.yaml b/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-dataplatform-ew1.yaml index b037772d..9b1cfb46 100644 --- a/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-dataplatform-ew1.yaml +++ b/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-dataplatform-ew1.yaml 
@@ -1,5 +1,6 @@ # skip boilerplate check +name: dev-dataplatform region: europe-west1 description: Default subnet for dev Data Platform ip_cidr_range: 10.68.2.0/24 diff --git a/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-default-ew1.yaml b/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-default-ew1.yaml index fdb9c046..928fb1eb 100644 --- a/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-default-ew1.yaml +++ b/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-default-ew1.yaml @@ -1,5 +1,6 @@ # skip boilerplate check +name: dev-default region: europe-west1 ip_cidr_range: 10.68.0.0/24 description: Default subnet for dev diff --git a/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-gke-nodes-ew1.yaml b/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-gke-nodes-ew1.yaml index 087056b9..d0c5155e 100644 --- a/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-gke-nodes-ew1.yaml +++ b/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-gke-nodes-ew1.yaml @@ -1,5 +1,6 @@ # skip boilerplate check +name: dev-gke-nodes region: europe-west1 description: Default subnet for prod gke nodes ip_cidr_range: 10.68.1.0/24 diff --git a/fast/stages/2-networking-b-vpn/data/subnets/landing/landing-default-ew1.yaml b/fast/stages/2-networking-b-vpn/data/subnets/landing/landing-default-ew1.yaml index 3944c552..ad29c920 100644 --- a/fast/stages/2-networking-b-vpn/data/subnets/landing/landing-default-ew1.yaml +++ b/fast/stages/2-networking-b-vpn/data/subnets/landing/landing-default-ew1.yaml @@ -1,5 +1,6 @@ # skip boilerplate check +name: landing-default region: europe-west1 ip_cidr_range: 10.64.0.0/24 description: Default subnet for landing diff --git a/fast/stages/2-networking-b-vpn/data/subnets/prod/prod-default-ew1.yaml b/fast/stages/2-networking-b-vpn/data/subnets/prod/prod-default-ew1.yaml index 66a96398..cdc77d46 100644 --- a/fast/stages/2-networking-b-vpn/data/subnets/prod/prod-default-ew1.yaml 
+++ b/fast/stages/2-networking-b-vpn/data/subnets/prod/prod-default-ew1.yaml @@ -1,5 +1,6 @@ # skip boilerplate check +name: prod-default region: europe-west1 ip_cidr_range: 10.72.0.0/24 description: Default subnet for prod diff --git a/fast/stages/2-networking-b-vpn/dns-dev.tf b/fast/stages/2-networking-b-vpn/dns-dev.tf index 4a021f3a..78522d6f 100644 --- a/fast/stages/2-networking-b-vpn/dns-dev.tf +++ b/fast/stages/2-networking-b-vpn/dns-dev.tf @@ -18,11 +18,6 @@ # GCP-specific environment zone -moved { - from = module.dev-dns-private-zone - to = module.dev-dns-priv-example -} - module "dev-dns-priv-example" { source = "../../../modules/dns" project_id = module.dev-spoke-project.project_id @@ -40,11 +35,6 @@ module "dev-dns-priv-example" { # root zone peering to landing to centralize configuration; remove if unneeded -moved { - from = module.dev-landing-root-dns-peering - to = module.dev-dns-peer-landing-root -} - module "dev-dns-peer-landing-root" { source = "../../../modules/dns" project_id = module.dev-spoke-project.project_id @@ -58,11 +48,6 @@ module "dev-dns-peer-landing-root" { } } -moved { - from = module.dev-reverse-10-dns-peering - to = module.dev-dns-peer-landing-rev-10 -} - module "dev-dns-peer-landing-rev-10" { source = "../../../modules/dns" project_id = module.dev-spoke-project.project_id diff --git a/fast/stages/2-networking-b-vpn/dns-landing.tf b/fast/stages/2-networking-b-vpn/dns-landing.tf index 2c627122..54f8d211 100644 --- a/fast/stages/2-networking-b-vpn/dns-landing.tf +++ b/fast/stages/2-networking-b-vpn/dns-landing.tf @@ -18,11 +18,6 @@ # forwarding to on-prem DNS resolvers -moved { - from = module.onprem-example-dns-forwarding - to = module.landing-dns-fwd-onprem-example -} - module "landing-dns-fwd-onprem-example" { source = "../../../modules/dns" count = length(var.dns.resolvers) > 0 ? 1 : 0 
@@ -37,11 +32,6 @@ module "landing-dns-fwd-onprem-example" { } } -moved { - from = module.reverse-10-dns-forwarding - to = module.landing-dns-fwd-onprem-rev-10 -} - module "landing-dns-fwd-onprem-rev-10" { source = "../../../modules/dns" count = length(var.dns.resolvers) > 0 ? 1 : 0 @@ -56,11 +46,6 @@ module "landing-dns-fwd-onprem-rev-10" { } } -moved { - from = module.gcp-example-dns-private-zone - to = module.landing-dns-priv-gcp -} - module "landing-dns-priv-gcp" { source = "../../../modules/dns" project_id = module.landing-project.project_id diff --git a/fast/stages/2-networking-b-vpn/dns-prod.tf b/fast/stages/2-networking-b-vpn/dns-prod.tf index 8b376bb0..c5ddc453 100644 --- a/fast/stages/2-networking-b-vpn/dns-prod.tf +++ b/fast/stages/2-networking-b-vpn/dns-prod.tf @@ -18,11 +18,6 @@ # GCP-specific environment zone -moved { - from = module.prod-dns-private-zone - to = module.prod-dns-priv-example -} - module "prod-dns-priv-example" { source = "../../../modules/dns" project_id = module.prod-spoke-project.project_id @@ -40,11 +35,6 @@ module "prod-dns-priv-example" { # root zone peering to landing to centralize configuration; remove if unneeded -moved { - from = module.prod-landing-root-dns-peering - to = module.prod-dns-peer-landing-root -} - module "prod-dns-peer-landing-root" { source = "../../../modules/dns" project_id = module.prod-spoke-project.project_id @@ -58,11 +48,6 @@ module "prod-dns-peer-landing-root" { } } -moved { - from = module.prod-reverse-10-dns-peering - to = module.prod-dns-peer-landing-rev-10 -} - module "prod-dns-peer-landing-rev-10" { source = "../../../modules/dns" project_id = module.prod-spoke-project.project_id diff --git a/fast/stages/2-networking-b-vpn/net-landing.tf b/fast/stages/2-networking-b-vpn/net-landing.tf index 5e646bdd..9a96e580 100644 --- a/fast/stages/2-networking-b-vpn/net-landing.tf +++ b/fast/stages/2-networking-b-vpn/net-landing.tf 
@@ -74,11 +74,6 @@ module "landing-firewall" { } } -moved { - from = module.landing-nat-ew1 - to = module.landing-nat-primary -} - module "landing-nat-primary" { source = "../../../modules/net-cloudnat" count = var.enable_cloud_nat ? 1 : 0 diff --git a/fast/stages/2-networking-c-nva/README.md b/fast/stages/2-networking-c-nva/README.md index b708137b..31428b42 100644 --- a/fast/stages/2-networking-c-nva/README.md +++ b/fast/stages/2-networking-c-nva/README.md 
@@ -2,11 +2,11 @@ This stage sets up the shared network infrastructure for the whole organization. -It is designed for those who would like to leverage Network Virtual Appliances (NVAs) between trusted and untrusted areas of the network, for example for Intrusion Prevention System (IPS) purposes. +It is designed for those who would like to leverage Network Virtual Appliances (NVAs) between landing and dmz areas of the network, for example for Intrusion Prevention System (IPS) purposes. It adopts the common “hub and spoke” reference design, which is well suited for multiple scenarios, and it offers several advantages versus other designs: -- the "trusted hub" VPC centralizes the external connectivity towards trusted network resources (e.g. on-prem, other cloud environments and the spokes), and it is ready to host cross-environment services like CI/CD, code repositories, and monitoring probes +- the "landing hub" VPC centralizes the external connectivity towards landing network resources (e.g. on-prem, other cloud environments and the spokes), and it is ready to host cross-environment services like CI/CD, code repositories, and monitoring probes - the "spoke" VPCs allow partitioning workloads (e.g. by environment like in this setup), while still retaining controlled access to central connectivity and services - Shared VPCs -both in hub and spokes- split the management of the network resources into specific (host) projects, while still allowing them to be consumed from the workload (service) projects - the design facilitates DNS centralization 
@@ -70,20 +70,20 @@ This provides enough redundancy to be resilient to regional failures. The "landing zone" is divided into two VPC networks: -- the trusted VPC: the connectivity hub towards other trusted networks -- the untrusted VPC: the connectivity hub towards any other untrusted network +- the landing VPC: the connectivity hub towards other landing networks +- the dmz VPC: the connectivity hub towards any other dmz network The VPCs are connected with two sets of sample NVA machines, grouped in regional (multi-zone) [Managed Instance Groups (MIGs)](https://cloud.google.com/compute/docs/instance-groups). The appliances are plain Linux machines, performing simple routing/natting, leveraging some standard Linux features, such as *ip route* or *iptables*. The appliances are suited for demo purposes only and they should be replaced with enterprise-grade solutions before moving to production. -The traffic destined to the VMs in each MIG is mediated through regional internal load balancers, both in the trusted and in the untrusted networks. +The traffic destined to the VMs in each MIG is mediated through regional internal load balancers, both in the landing and in the dmz networks. By default, the design assumes the following: -- on-premise networks (and related resources) are considered trusted. As such, the VPNs connecting with on-premises are terminated in GCP, in the trusted VPC -- the public Internet is considered untrusted. As such [Cloud NAT](https://cloud.google.com/nat/docs/overview) is deployed in the untrusted landing VPC only -- cross-environment traffic and traffic from any untrusted network to any trusted network (and vice versa) pass through the NVAs. For demo purposes, the current NVA performs simple routing/natting only -- any traffic from a trusted network to an untrusted network (e.g. Internet) is natted by the NVAs. Users can configure further exclusions +- on-premise networks (and related resources) are considered landing. 
As such, the VPNs connecting with on-premises are terminated in GCP, in the landing VPC +- the public Internet is considered dmz. As such [Cloud NAT](https://cloud.google.com/nat/docs/overview) is deployed in the dmz landing VPC only +- cross-environment traffic and traffic from any dmz network to any landing network (and vice versa) pass through the NVAs. For demo purposes, the current NVA performs simple routing/natting only +- any traffic from a landing network to an dmz network (e.g. Internet) is natted by the NVAs. Users can configure further exclusions -The trusted landing VPC acts as a hub: it bridges internal resources with the outside world and it hosts the shared services consumed by the spoke VPCs, connected to the hub through VPC network peerings. Spokes are used to partition the environments. By default: +The landing landing VPC acts as a hub: it bridges internal resources with the outside world and it hosts the shared services consumed by the spoke VPCs, connected to the hub through VPC network peerings. Spokes are used to partition the environments. By default: - one spoke VPC hosts the development environment resources - one spoke VPC hosts the production environment resources 
@@ -99,18 +99,18 @@ In multi-organization scenarios, where production and non-production resources u External connectivity to on-prem is implemented leveraging [Cloud HA VPN](https://cloud.google.com/network-connectivity/docs/vpn/concepts/topologies) (two tunnels per region). This is what users normally deploy as a final solution, or to validate routing and to transfer data, while waiting for [interconnects](https://cloud.google.com/network-connectivity/docs/interconnect) to be provisioned. -Connectivity to additional on-prem sites or to other cloud providers should be implemented in a similar fashion, via VPN tunnels or interconnects, in the landing VPC (either trusted or untrusted, depending by the nature of the peers), sharing the same regional routers. +Connectivity to additional on-prem sites or to other cloud providers should be implemented in a similar fashion, via VPN tunnels or interconnects, in the landing VPC (either landing or dmz, depending by the nature of the peers), sharing the same regional routers. ### Internal connectivity -Internal connectivity (e.g. between the trusted landing VPC and the spokes) is realized with VPC network peerings. As mentioned, there are other ways to implement connectivity. These can be easily retrofitted with minimal code changes, although they introduce additional considerations on service interoperability, quotas and management. +Internal connectivity (e.g. between the landing landing VPC and the spokes) is realized with VPC network peerings. As mentioned, there are other ways to implement connectivity. These can be easily retrofitted with minimal code changes, although they introduce additional considerations on service interoperability, quotas and management. 
This is an options summary: -- [VPC Peering](https://cloud.google.com/vpc/docs/vpc-peering) (used here to connect the trusted landing VPC with the spokes, also used by [02-networking-vpn](../2-networking-b-vpn/)) +- [VPC Peering](https://cloud.google.com/vpc/docs/vpc-peering) (used here to connect the landing landing VPC with the spokes, also used by [02-networking-vpn](../2-networking-b-vpn/)) - Pros: no additional costs, full bandwidth with no configurations, no extra latency - Cons: no transitivity (e.g. to GKE masters, Cloud SQL, etc.), no selective exchange of routes, several quotas and limits shared between VPCs in a peering group -- [Multi-NIC appliances](https://cloud.google.com/architecture/best-practices-vpc-design#multi-nic) (used here to connect the trusted landing and untrusted VPCs) and multi-NIC appliances with NCC/BGP support implemented [here](../2-networking-e-nva-bgp/) +- [Multi-NIC appliances](https://cloud.google.com/architecture/best-practices-vpc-design#multi-nic) (used here to connect the landing landing and dmz VPCs) and multi-NIC appliances with NCC/BGP support implemented [here](../2-networking-e-nva-bgp/) - Pros: provides additional security features (e.g. IPS), potentially better integration with on-prem systems by using the same vendor - Cons: complex HA/failover setup, limited by VM bandwidth and scale, additional costs for VMs and licenses, out of band management of a critical cloud component - [HA VPN](https://cloud.google.com/network-connectivity/docs/vpn/concepts/topologies) 
@@ -123,7 +123,7 @@ Minimizing the number of routes (and subnets) in the cloud environment is import This stage uses a dedicated /11 block (10.64.0.0/11), which should be sized to the own needs. The subnets created in each VPC derive from this range. -The /11 block is evenly split in eight, smaller /16 blocks, assigned to different areas of the GCP network: *landing untrusted europe-west1*, *landing untrusted europe-west4*, *landing trusted europe-west1*, *landing untrusted europe-west4*, *development europe-west1*, *development europe-west4*, *production europe-west1*, *production europe-west4*. +The /11 block is evenly split in eight, smaller /16 blocks, assigned to different areas of the GCP network: *landing dmz europe-west1*, *landing dmz europe-west4*, *landing landing europe-west1*, *landing dmz europe-west4*, *development europe-west1*, *development europe-west4*, *production europe-west1*, *production europe-west4*. The first /24 range in every area is allocated for a default subnet, which can be removed or modified as needed. The last three /24 ranges can be used for [PSA (Private Service Access)](https://cloud.google.com/vpc/docs/private-services-access)via the `psa_ranges` variable, or for [Internal Application Load Balancers (L7 LBs)](https://cloud.google.com/load-balancing/docs/l7-internal) subnets via the factory. 
@@ -131,10 +131,10 @@ This is a summary of the subnets allocated by default in this setup: | name | description | CIDR | |---|---|---| -| landing-trusted-default-ew1 | Trusted landing subnet - europe-west1 | 10.128.64.0/24 | -| landing-trusted-default-ew4 | Trusted landing subnet - europe-west4 | 10.128.96.0/24 | -| landing-untrusted-default-ew1 | Untrusted landing subnet - europe-west1 | 10.128.0.0/24 | -| landing-untrusted-default-ew4 | Untrusted landing subnet - europe-west4 | 10.128.32.0/24 | +| landing-default-ew1 | landing landing subnet - europe-west1 | 10.128.64.0/24 | +| landing-default-ew4 | landing landing subnet - europe-west4 | 10.128.96.0/24 | +| dmz-default-ew1 | dmz landing subnet - europe-west1 | 10.128.0.0/24 | +| dmz-default-ew4 | dmz landing subnet - europe-west4 | 10.128.32.0/24 | | dev-default-ew1 | Dev spoke subnet - europe-west1 | 10.68.0.0/24 | | dev-default-ew1 | Free (PSA) - europe-west1 | 10.68.253.0/24 | | dev-default-ew1 | Free (PSA) - europe-west1 | 10.68.254.0/24 | 
@@ -159,17 +159,17 @@ Routes in GCP are either automatically created (for example, when a subnet is ad In this setup: - routes between multiple subnets within the same VPC are automatically exchanged by GCP -- the spokes and the trusted landing VPC exchange routes through VPC peerings -- on-premises is connected to the trusted landing VPC and it dynamically exchanges BGP routes with GCP (with the trusted VPC) using HA VPN -- for cross-environment (spokes) communications, and for connections to on-premises and to the Internet, the spokes leverage some default tagged routes that send the traffic of each region (whose machines are identified by a dedicated network tag, e.g. *ew1*) to a corresponding regional NVA in the trusted VPC, through an ILB (whose VIP is set as the route next-hop) +- the spokes and the landing landing VPC exchange routes through VPC peerings +- on-premises is connected to the landing landing VPC and it dynamically exchanges BGP routes with GCP (with the landing VPC) using HA VPN +- for cross-environment (spokes) communications, and for connections to on-premises and to the Internet, the spokes leverage some default tagged routes that send the traffic of each region (whose machines are identified by a dedicated network tag, e.g. *ew1*) to a corresponding regional NVA in the landing VPC, through an ILB (whose VIP is set as the route next-hop) - the spokes are configured with backup default routes, so if the NVAs in the same region become unavailable, more routes to the NVAs in the other region are already available. Current routes are not able to understand if the next-hop ILBs become unhealthy. 
As such, in case of a regional failure, users will need to manually withdraw the primary default routes, so the secondaries will take over - the NVAs are configured with static routes that allow the communication with on-premises and between the GCP resources (including the cross-environment communication) -The Cloud Routers (connected to the VPN gateways in the trusted VPC) are configured to exclude the default advertisement of VPC ranges and they only advertise their respective aggregate ranges, via custom advertisements. This greatly simplifies the routing configuration and avoids quota or limit issues, by keeping the number of routes small, instead of making it proportional to the subnets and to the secondary ranges in the VPCs. +The Cloud Routers (connected to the VPN gateways in the landing VPC) are configured to exclude the default advertisement of VPC ranges and they only advertise their respective aggregate ranges, via custom advertisements. This greatly simplifies the routing configuration and avoids quota or limit issues, by keeping the number of routes small, instead of making it proportional to the subnets and to the secondary ranges in the VPCs. ### Internet egress -In this setup, Internet egress is realized through [Cloud NAT](https://cloud.google.com/nat/docs/overview), deployed in the untrusted landing VPC. This allows instances in all other VPCs to reach the Internet, passing through the NVAs (being the public Internet considered untrusted). Cloud NAT is disabled by default; enable it by setting the `enable_cloud_nat` variable +In this setup, Internet egress is realized through [Cloud NAT](https://cloud.google.com/nat/docs/overview), deployed in the dmz landing VPC. This allows instances in all other VPCs to reach the Internet, passing through the NVAs (being the public Internet considered dmz). 
Cloud NAT is disabled by default; enable it by setting the `enable_cloud_nat` variable Several other scenarios are possible, with various degrees of complexity: 
@@ -214,30 +214,30 @@ This configuration is battle-tested, and flexible enough to lend itself to simpl ### VPCs -VPCs are defined in separate files, one for `landing` (trusted and untrusted), one for `prod` and one for `dev`. +VPCs are defined in separate files, one for `landing` (landing and dmz), one for `prod` and one for `dev`. These files contain different resources: - **project** ([`projects`](../../../modules/project)): the "[host projects](https://cloud.google.com/vpc/docs/shared-vpc)" containing the VPCs and enabling the required APIs. -- **VPCs** ([`net-vpc`](../../../modules/net-vpc)): manages the subnets, the explicit routes for `{private,restricted}.googleapis.com` and the DNS inbound policy for the trusted landing VPC. Non-infrastructural subnets are created leveraging resource factories. Sample subnets are shipped in [data/subnets](./data/subnets) and can be easily customized to fit users' needs. [PSA](https://cloud.google.com/vpc/docs/configure-private-services-access#allocating-range) are configured by the variable `psa_ranges` if managed services are needed. -- **Cloud NAT** ([`net-cloudnat`](../../../modules/net-cloudnat)) (in the untrusted landing VPC only): it manages the networking infrastructure required to enable the Internet egress. +- **VPCs** ([`net-vpc`](../../../modules/net-vpc)): manages the subnets, the explicit routes for `{private,restricted}.googleapis.com` and the DNS inbound policy for the landing landing VPC. Non-infrastructural subnets are created leveraging resource factories. Sample subnets are shipped in [data/subnets](./data/subnets) and can be easily customized to fit users' needs. [PSA](https://cloud.google.com/vpc/docs/configure-private-services-access#allocating-range) are configured by the variable `psa_ranges` if managed services are needed. +- **Cloud NAT** ([`net-cloudnat`](../../../modules/net-cloudnat)) (in the dmz landing VPC only): it manages the networking infrastructure required to enable the Internet egress. 
### VPNs -The connectivity between on-premises and GCP (the trusted landing VPC) is implemented with Cloud HA VPN ([`net-vpn`](../../../modules/net-vpn-ha)) and defined in [`vpn-onprem.tf`](./vpn-onprem.tf). The file implements a single logical connection between on-premises and the trusted landing VPC, both in `europe-west1` and `europe-west4`. The relevant parameters for its configuration are found in the variables `vpn_onprem_primary_config` and `vpn_onprem_secondary_config`. +The connectivity between on-premises and GCP (the landing landing VPC) is implemented with Cloud HA VPN ([`net-vpn`](../../../modules/net-vpn-ha)) and defined in [`vpn-onprem.tf`](./vpn-onprem.tf). The file implements a single logical connection between on-premises and the landing landing VPC, both in `europe-west1` and `europe-west4`. The relevant parameters for its configuration are found in the variables `vpn_onprem_primary_config` and `vpn_onprem_secondary_config`. ### Routing and BGP -Each VPC network ([`net-vpc`](../../../modules/net-vpc)) manages a separate routing table, which can define static routes (e.g. to private.googleapis.com) and receives dynamic routes through VPC peering and BGP sessions established with the neighbor networks (e.g. the trusted landing VPC receives routes from on-premises, and the spokes receive RFC1918 from the trusted landing VPC). +Each VPC network ([`net-vpc`](../../../modules/net-vpc)) manages a separate routing table, which can define static routes (e.g. to private.googleapis.com) and receives dynamic routes through VPC peering and BGP sessions established with the neighbor networks (e.g. the landing landing VPC receives routes from on-premises, and the spokes receive RFC1918 from the landing landing VPC). Static routes are defined in `vpc-*.tf` files in the `routes` section of each `net-vpc` module. -BGP sessions for trusted landing to on-premises are configured through the variable `vpn_onprem_configs`. 
+BGP sessions for landing landing to on-premises are configured through the variable `vpn_onprem_configs`. ### Firewall **VPC firewall rules** ([`net-vpc-firewall`](../../../modules/net-vpc-firewall)) are defined per-vpc on each `vpc-*.tf` file and leverage a resource factory to massively create rules. -To add a new firewall rule, create a new file or edit an existing one in the `data_folder` directory defined in the module `net-vpc-firewall`, following the examples of the "[Rules factory](../../../modules/net-vpc-firewall#rules-factory)" section of the module documentation. Sample firewall rules are shipped in [data/firewall-rules/landing-untrusted](./data/firewall-rules/landing-untrusted) and in [data/firewall-rules/landing-trusted](./data/firewall-rules/landing-trusted), and can be easily customized. +To add a new firewall rule, create a new file or edit an existing one in the `data_folder` directory defined in the module `net-vpc-firewall`, following the examples of the "[Rules factory](../../../modules/net-vpc-firewall#rules-factory)" section of the module documentation. Sample firewall rules are shipped in [data/firewall-rules/dmz](./data/firewall-rules/dmz) and in [data/firewall-rules/landing](./data/firewall-rules/landing), and can be easily customized. **Hierarchical firewall policies** ([`folder`](../../../modules/folder)) are defined in `main.tf` and managed through a policy factory implemented by the `net-firewall-policy` module, which is then applied to the `Networking` folder containing all the core networking infrastructure. Policies are defined in the `rules_file` file, to define a new one simply use the [firewall policy module documentation](../../../modules/net-firewall-policy/README.md#factory)". Sample hierarchical firewall rules are shipped in [data/hierarchical-ingress-rules.yaml](./data/hierarchical-ingress-rules.yaml) and can be easily customised. 
@@ -250,7 +250,7 @@ Cloud DNS manages onprem forwarding, the main GCP zone (in this example `gcp.exa #### Cloud environment The root DNS zone defined in the landing project acts as the source of truth for DNS within the Cloud environment. The resources defined in the spoke VPCs consume the landing DNS infrastructure through DNS peering (e.g. `prod-landing-root-dns-peering`). -The spokes can optionally define private zones (e.g. `prod-dns-private-zone`). Granting visibility both to the trusted and untrusted landing VPCs ensures that the whole cloud environment can query such zones. +The spokes can optionally define private zones (e.g. `prod-dns-private-zone`). Granting visibility both to the landing and dmz landing VPCs ensures that the whole cloud environment can query such zones. #### Cloud to on-prem @@ -260,7 +260,7 @@ DNS queries sent to the on-premise infrastructure come from the `35.199.192.0/19 #### On-prem to cloud -The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in the *trusted landing VPC module* ([`net-landing.tf`](./net-landing.tf)) automatically reserves the first available IP address on each subnet (typically the third one in a CIDR) to expose the Cloud DNS service, so that it can be consumed from outside of GCP. +The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in the *landing landing VPC module* ([`net-landing.tf`](./net-landing.tf)) automatically reserves the first available IP address on each subnet (typically the third one in a CIDR) to expose the Cloud DNS service, so that it can be consumed from outside of GCP. ## How to run this stage 
@@ -352,7 +352,7 @@ terraform apply [Private Google Access](https://cloud.google.com/vpc/docs/private-google-access) (or PGA) enables VMs and on-prem systems to consume Google APIs from within the Google network, and is already fully configured on this environment: - DNS response policies in the landing project implement rules for all supported domains reachable via PGA -- routes for the private and restricted ranges are defined in all VPCs except untrusted +- routes for the private and restricted ranges are defined in all VPCs except dmz To enable PGA access from on premises advertise the private/restricted ranges via the `vpn_onprem_primary_config` and `vpn_onprem_secondary_config` variables, using router or tunnel custom advertisements. @@ -467,7 +467,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [enable_cloud_nat](variables.tf#L82) | Deploy Cloud NAT. | bool | | false | | | [essential_contacts](variables.tf#L89) | Email used for essential contacts, unset if null. | string | | null | | | [factories_config](variables.tf#L95) | Configuration for network resource factories. | object({…}) | | {…} | | -| [gcp_ranges](variables.tf#L126) | GCP address ranges in name => range format. | map(string) | | {…} | | +| [gcp_ranges](variables.tf#L126) | GCP address ranges in name => range format. | map(string) | | {…} | | | [onprem_cidr](variables.tf#L141) | Onprem addresses in name => range format. | map(string) | | {…} | | | [outputs_location](variables.tf#L159) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | | [psa_ranges](variables.tf#L176) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | null | | 
diff --git a/fast/stages/2-networking-c-nva/data/firewall-rules/landing-trusted/default-ingress.yaml b/fast/stages/2-networking-c-nva/data/firewall-rules/dmz/default-ingress.yaml similarity index 85% rename from fast/stages/2-networking-c-nva/data/firewall-rules/landing-trusted/default-ingress.yaml rename to fast/stages/2-networking-c-nva/data/firewall-rules/dmz/default-ingress.yaml index e0d4ab60..e13a249b 100644 --- a/fast/stages/2-networking-c-nva/data/firewall-rules/landing-trusted/default-ingress.yaml +++ b/fast/stages/2-networking-c-nva/data/firewall-rules/dmz/default-ingress.yaml @@ -1,7 +1,7 @@ # skip boilerplate check ingress: - trusted-ingress-default-deny: + dmz-ingress-default-deny: description: "Deny and log any unmatched ingress traffic." deny: true priority: 65535 diff --git a/fast/stages/2-networking-c-nva/data/firewall-rules/landing-untrusted/rules.yaml b/fast/stages/2-networking-c-nva/data/firewall-rules/dmz/rules.yaml similarity index 92% rename from fast/stages/2-networking-c-nva/data/firewall-rules/landing-untrusted/rules.yaml rename to fast/stages/2-networking-c-nva/data/firewall-rules/dmz/rules.yaml index f2793e49..165ffdfc 100644 --- a/fast/stages/2-networking-c-nva/data/firewall-rules/landing-untrusted/rules.yaml +++ b/fast/stages/2-networking-c-nva/data/firewall-rules/dmz/rules.yaml @@ -4,7 +4,7 @@ # You can retain `---` (start of the document) to indicate an empty document. ingress: - allow-hc-nva-ssh-untrusted: + allow-hc-nva-ssh-dmz: description: "Allow traffic from Google healthchecks to NVA appliances" source_ranges: - healthchecks 
diff --git a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-trusted/default-ingress.yaml b/fast/stages/2-networking-c-nva/data/firewall-rules/landing/default-ingress.yaml similarity index 85% rename from fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-trusted/default-ingress.yaml rename to fast/stages/2-networking-c-nva/data/firewall-rules/landing/default-ingress.yaml index e0d4ab60..a8fd0c58 100644 --- a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-trusted/default-ingress.yaml +++ b/fast/stages/2-networking-c-nva/data/firewall-rules/landing/default-ingress.yaml @@ -1,7 +1,7 @@ # skip boilerplate check ingress: - trusted-ingress-default-deny: + landing-ingress-default-deny: description: "Deny and log any unmatched ingress traffic." deny: true priority: 65535 diff --git a/fast/stages/2-networking-c-nva/data/firewall-rules/landing-trusted/rules.yaml b/fast/stages/2-networking-c-nva/data/firewall-rules/landing/rules.yaml similarity index 88% rename from fast/stages/2-networking-c-nva/data/firewall-rules/landing-trusted/rules.yaml rename to fast/stages/2-networking-c-nva/data/firewall-rules/landing/rules.yaml index fea923b0..8950e128 100644 --- a/fast/stages/2-networking-c-nva/data/firewall-rules/landing-trusted/rules.yaml +++ b/fast/stages/2-networking-c-nva/data/firewall-rules/landing/rules.yaml @@ -4,7 +4,7 @@ # You can retain `---` (start of the document) to indicate an empty document. ingress: - allow-hc-nva-ssh-trusted: + allow-hc-nva-ssh-landing: description: "Allow traffic from Google healthchecks to NVA appliances" source_ranges: - healthchecks @@ -12,7 +12,7 @@ ingress: - protocol: tcp ports: - 22 - allow-onprem-probes-trusted-example: + allow-onprem-probes-landing-example: description: "Allow traffic from onprem probes" source_ranges: - onprem_probes 
diff --git a/fast/stages/2-networking-c-nva/data/subnets/dev/dev-dataplatform-ew1.yaml b/fast/stages/2-networking-c-nva/data/subnets/dev/dev-dataplatform-ew1.yaml index b037772d..9b1cfb46 100644 --- a/fast/stages/2-networking-c-nva/data/subnets/dev/dev-dataplatform-ew1.yaml +++ b/fast/stages/2-networking-c-nva/data/subnets/dev/dev-dataplatform-ew1.yaml @@ -1,5 +1,6 @@ # skip boilerplate check +name: dev-dataplatform region: europe-west1 description: Default subnet for dev Data Platform ip_cidr_range: 10.68.2.0/24 diff --git a/fast/stages/2-networking-c-nva/data/subnets/dev/dev-default-ew1.yaml b/fast/stages/2-networking-c-nva/data/subnets/dev/dev-default-ew1.yaml index 0048f212..735b4c76 100644 --- a/fast/stages/2-networking-c-nva/data/subnets/dev/dev-default-ew1.yaml +++ b/fast/stages/2-networking-c-nva/data/subnets/dev/dev-default-ew1.yaml @@ -1,5 +1,6 @@ # skip boilerplate check +name: dev-default region: europe-west1 ip_cidr_range: 10.68.0.0/24 description: Default europe-west1 subnet for dev diff --git a/fast/stages/2-networking-c-nva/data/subnets/dev/dev-default-ew4.yaml b/fast/stages/2-networking-c-nva/data/subnets/dev/dev-default-ew4.yaml index 47f41b96..4766f837 100644 --- a/fast/stages/2-networking-c-nva/data/subnets/dev/dev-default-ew4.yaml +++ b/fast/stages/2-networking-c-nva/data/subnets/dev/dev-default-ew4.yaml @@ -1,5 +1,6 @@ # skip boilerplate check +name: dev-default region: europe-west4 ip_cidr_range: 10.84.0.0/24 description: Default europe-west4 subnet for dev diff --git a/fast/stages/2-networking-c-nva/data/subnets/dev/dev-gke-nodes-ew1.yaml b/fast/stages/2-networking-c-nva/data/subnets/dev/dev-gke-nodes-ew1.yaml index 087056b9..d0c5155e 100644 --- a/fast/stages/2-networking-c-nva/data/subnets/dev/dev-gke-nodes-ew1.yaml +++ b/fast/stages/2-networking-c-nva/data/subnets/dev/dev-gke-nodes-ew1.yaml 
@@ -1,5 +1,6 @@ # skip boilerplate check +name: dev-gke-nodes region: europe-west1 description: Default subnet for prod gke nodes ip_cidr_range: 10.68.1.0/24 diff --git a/fast/stages/2-networking-c-nva/data/subnets/landing-untrusted/landing-untrusted-default-ew1.yaml b/fast/stages/2-networking-c-nva/data/subnets/dmz/dmz-ew1.yaml similarity index 53% rename from fast/stages/2-networking-c-nva/data/subnets/landing-untrusted/landing-untrusted-default-ew1.yaml rename to fast/stages/2-networking-c-nva/data/subnets/dmz/dmz-ew1.yaml index 7927eb3d..77963f30 100644 --- a/fast/stages/2-networking-c-nva/data/subnets/landing-untrusted/landing-untrusted-default-ew1.yaml +++ b/fast/stages/2-networking-c-nva/data/subnets/dmz/dmz-ew1.yaml @@ -1,5 +1,6 @@ # skip boilerplate check +name: dmz region: europe-west1 ip_cidr_range: 10.64.128.0/24 -description: Default europe-west1 subnet for landing untrusted +description: Default europe-west1 subnet for landing dmz diff --git a/fast/stages/2-networking-c-nva/data/subnets/landing-untrusted/landing-untrusted-default-ew4.yaml b/fast/stages/2-networking-c-nva/data/subnets/dmz/dmz-ew4.yaml similarity index 53% rename from fast/stages/2-networking-c-nva/data/subnets/landing-untrusted/landing-untrusted-default-ew4.yaml rename to fast/stages/2-networking-c-nva/data/subnets/dmz/dmz-ew4.yaml index 7461a860..13ac9c85 100644 --- a/fast/stages/2-networking-c-nva/data/subnets/landing-untrusted/landing-untrusted-default-ew4.yaml +++ b/fast/stages/2-networking-c-nva/data/subnets/dmz/dmz-ew4.yaml @@ -1,5 +1,6 @@ # skip boilerplate check +name: dmz region: europe-west4 ip_cidr_range: 10.80.128.0/24 -description: Default europe-west4 subnet for landing untrusted +description: Default europe-west4 subnet for landing dmz 
diff --git a/fast/stages/2-networking-c-nva/data/subnets/landing-trusted/landing-trusted-default-ew1.yaml b/fast/stages/2-networking-c-nva/data/subnets/landing-trusted/landing-trusted-default-ew1.yaml deleted file mode 100644 index 66a234a5..00000000 --- a/fast/stages/2-networking-c-nva/data/subnets/landing-trusted/landing-trusted-default-ew1.yaml +++ /dev/null @@ -1,5 +0,0 @@ -# skip boilerplate check - -region: europe-west1 -ip_cidr_range: 10.64.0.0/24 -description: Default europe-west1 subnet for landing trusted diff --git a/fast/stages/2-networking-c-nva/data/subnets/landing-trusted/landing-trusted-default-ew4.yaml b/fast/stages/2-networking-c-nva/data/subnets/landing-trusted/landing-trusted-default-ew4.yaml deleted file mode 100644 index 4507fe44..00000000 --- a/fast/stages/2-networking-c-nva/data/subnets/landing-trusted/landing-trusted-default-ew4.yaml +++ /dev/null @@ -1,5 +0,0 @@ -# skip boilerplate check - -region: europe-west4 -ip_cidr_range: 10.80.0.0/24 -description: Default europe-west4 subnet for landing trusted diff --git a/fast/stages/2-networking-c-nva/data/subnets/landing/landing-default-ew1.yaml b/fast/stages/2-networking-c-nva/data/subnets/landing/landing-default-ew1.yaml new file mode 100644 index 00000000..9954030b --- /dev/null +++ b/fast/stages/2-networking-c-nva/data/subnets/landing/landing-default-ew1.yaml @@ -0,0 +1,6 @@ +# skip boilerplate check + +name: landing-default +region: europe-west1 +ip_cidr_range: 10.64.0.0/24 +description: Default europe-west1 subnet for landing landing diff --git a/fast/stages/2-networking-c-nva/data/subnets/landing/landing-default-ew4.yaml b/fast/stages/2-networking-c-nva/data/subnets/landing/landing-default-ew4.yaml new file mode 100644 index 00000000..2d3cbdbe --- /dev/null +++ b/fast/stages/2-networking-c-nva/data/subnets/landing/landing-default-ew4.yaml 
@@ -0,0 +1,6 @@ +# skip boilerplate check + +name: landing-default +region: europe-west4 +ip_cidr_range: 10.80.0.0/24 +description: Default europe-west4 subnet for landing landing diff --git a/fast/stages/2-networking-c-nva/data/subnets/prod/prod-default-ew1.yaml b/fast/stages/2-networking-c-nva/data/subnets/prod/prod-default-ew1.yaml index 9b34bf44..86a6ae6b 100644 --- a/fast/stages/2-networking-c-nva/data/subnets/prod/prod-default-ew1.yaml +++ b/fast/stages/2-networking-c-nva/data/subnets/prod/prod-default-ew1.yaml @@ -1,5 +1,6 @@ # skip boilerplate check +name: prod-default region: europe-west1 ip_cidr_range: 10.72.0.0/24 description: Default europe-west1 subnet for prod diff --git a/fast/stages/2-networking-c-nva/data/subnets/prod/prod-default-ew4.yaml b/fast/stages/2-networking-c-nva/data/subnets/prod/prod-default-ew4.yaml index a27e53b6..6084bc07 100644 --- a/fast/stages/2-networking-c-nva/data/subnets/prod/prod-default-ew4.yaml +++ b/fast/stages/2-networking-c-nva/data/subnets/prod/prod-default-ew4.yaml @@ -1,5 +1,6 @@ # skip boilerplate check +name: prod-default region: europe-west4 ip_cidr_range: 10.88.0.0/24 description: Default europe-west4 subnet for prod diff --git a/fast/stages/2-networking-c-nva/dns-dev.tf b/fast/stages/2-networking-c-nva/dns-dev.tf index fb43d68e..88e4e23e 100644 --- a/fast/stages/2-networking-c-nva/dns-dev.tf +++ b/fast/stages/2-networking-c-nva/dns-dev.tf @@ -18,14 +18,17 @@ # GCP-specific environment zone -module "dev-dns-private-zone" { +module "dev-dns-priv-example" { source = "../../../modules/dns" project_id = module.dev-spoke-project.project_id name = "dev-gcp-example-com" zone_config = { domain = "dev.gcp.example.com." private = { - client_networks = [module.landing-trusted-vpc.self_link, module.landing-untrusted-vpc.self_link] + client_networks = [ + module.landing-vpc.self_link, + module.dmz-vpc.self_link + ] } } recordsets = { 
@@ -35,11 +38,6 @@ module "dev-dns-private-zone" { # root zone peering to landing to centralize configuration; remove if unneeded -moved { - from = module.dev-landing-root-dns-peering - to = module.dev-dns-peer-landing-root -} - module "dev-dns-peer-landing-root" { source = "../../../modules/dns" project_id = module.dev-spoke-project.project_id @@ -48,16 +46,11 @@ module "dev-dns-peer-landing-root" { domain = "." peering = { client_networks = [module.dev-spoke-vpc.self_link] - peer_network = module.landing-trusted-vpc.self_link + peer_network = module.landing-vpc.self_link } } } -moved { - from = module.dev-reverse-10-dns-peering - to = module.dev-dns-peer-landing-rev-10 -} - module "dev-dns-peer-landing-rev-10" { source = "../../../modules/dns" project_id = module.dev-spoke-project.project_id @@ -66,7 +59,7 @@ module "dev-dns-peer-landing-rev-10" { domain = "10.in-addr.arpa." peering = { client_networks = [module.dev-spoke-vpc.self_link] - peer_network = module.landing-trusted-vpc.self_link + peer_network = module.landing-vpc.self_link } } } diff --git a/fast/stages/2-networking-c-nva/dns-landing.tf b/fast/stages/2-networking-c-nva/dns-landing.tf index 4b252dbd..168aac82 100644 --- a/fast/stages/2-networking-c-nva/dns-landing.tf +++ b/fast/stages/2-networking-c-nva/dns-landing.tf @@ -18,11 +18,6 @@ # forwarding to on-prem DNS resolvers -moved { - from = module.onprem-example-dns-forwarding - to = module.landing-dns-fwd-onprem-example -} - module "landing-dns-fwd-onprem-example" { source = "../../../modules/dns" count = length(var.dns.resolvers) > 0 ? 1 : 0 
@@ -32,19 +27,14 @@ module "landing-dns-fwd-onprem-example" { domain = "onprem.example.com." forwarding = { client_networks = [ - module.landing-untrusted-vpc.self_link, - module.landing-trusted-vpc.self_link + module.dmz-vpc.self_link, + module.landing-vpc.self_link ] forwarders = { for ip in var.dns.resolvers : ip => null } } } } -moved { - from = module.reverse-10-dns-forwarding - to = module.landing-dns-fwd-onprem-rev-10 -} - module "landing-dns-fwd-onprem-rev-10" { source = "../../../modules/dns" count = length(var.dns.resolvers) > 0 ? 1 : 0 @@ -54,19 +44,14 @@ module "landing-dns-fwd-onprem-rev-10" { domain = "10.in-addr.arpa." forwarding = { client_networks = [ - module.landing-untrusted-vpc.self_link, - module.landing-trusted-vpc.self_link + module.dmz-vpc.self_link, + module.landing-vpc.self_link ] forwarders = { for ip in var.dns.resolvers : ip => null } } } } -moved { - from = module.gcp-example-dns-private-zone - to = module.landing-dns-priv-gcp -} - module "landing-dns-priv-gcp" { source = "../../../modules/dns" project_id = module.landing-project.project_id @@ -75,8 +60,8 @@ module "landing-dns-priv-gcp" { domain = "gcp.example.com." private = { client_networks = [ - module.landing-untrusted-vpc.self_link, - module.landing-trusted-vpc.self_link + module.dmz-vpc.self_link, + module.landing-vpc.self_link ] } } @@ -85,7 +70,7 @@ module "landing-dns-priv-gcp" { } } -# Google APIs +# Google APIs via response policies module "landing-dns-policy-googleapis" { source = "../../../modules/dns-response-policy" @@ -95,7 +80,7 @@ module "landing-dns-policy-googleapis" { rules = var.factories_config.dns_policy_rules_file } networks = { - landing-trusted = module.landing-trusted-vpc.self_link - landing-untrusted = module.landing-untrusted-vpc.self_link + landing = module.landing-vpc.self_link + dmz = module.dmz-vpc.self_link } } diff --git a/fast/stages/2-networking-c-nva/dns-prod.tf b/fast/stages/2-networking-c-nva/dns-prod.tf index dc162e55..5444ff32 100644 
--- a/fast/stages/2-networking-c-nva/dns-prod.tf +++ b/fast/stages/2-networking-c-nva/dns-prod.tf @@ -18,14 +18,14 @@ # GCP-specific environment zone -module "prod-dns-private-zone" { +module "prod-dns-priv-example" { source = "../../../modules/dns" project_id = module.prod-spoke-project.project_id name = "prod-gcp-example-com" zone_config = { domain = "prod.gcp.example.com." private = { - client_networks = [module.landing-trusted-vpc.self_link, module.landing-untrusted-vpc.self_link] + client_networks = [module.landing-vpc.self_link, module.dmz-vpc.self_link] } } recordsets = { @@ -35,11 +35,6 @@ module "prod-dns-private-zone" { # root zone peering to landing to centralize configuration; remove if unneeded -moved { - from = module.prod-landing-root-dns-peering - to = module.prod-dns-peer-landing-root -} - module "prod-dns-peer-landing-root" { source = "../../../modules/dns" project_id = module.prod-spoke-project.project_id @@ -48,16 +43,11 @@ module "prod-dns-peer-landing-root" { domain = "." peering = { client_networks = [module.prod-spoke-vpc.self_link] - peer_network = module.landing-trusted-vpc.self_link + peer_network = module.landing-vpc.self_link } } } -moved { - from = module.prod-reverse-10-dns-peering - to = module.prod-dns-peer-landing-rev-10 -} - module "prod-dns-peer-landing-rev-10" { source = "../../../modules/dns" project_id = module.prod-spoke-project.project_id @@ -66,7 +56,7 @@ module "prod-dns-peer-landing-rev-10" { domain = "10.in-addr.arpa." peering = { client_networks = [module.prod-spoke-vpc.self_link] - peer_network = module.landing-trusted-vpc.self_link + peer_network = module.landing-vpc.self_link } } } diff --git a/fast/stages/2-networking-c-nva/main.tf b/fast/stages/2-networking-c-nva/main.tf index ee2d58d6..dc58000c 100644 --- a/fast/stages/2-networking-c-nva/main.tf +++ b/fast/stages/2-networking-c-nva/main.tf 
@@ -22,8 +22,8 @@ locals { regions = distinct(concat( values(var.regions), values(module.dev-spoke-vpc.subnet_regions), - values(module.landing-trusted-vpc.subnet_regions), - values(module.landing-untrusted-vpc.subnet_regions), + values(module.landing-vpc.subnet_regions), + values(module.dmz-vpc.subnet_regions), values(module.prod-spoke-vpc.subnet_regions), )) service_accounts = { diff --git a/fast/stages/2-networking-c-nva/net-dev.tf b/fast/stages/2-networking-c-nva/net-dev.tf index d676da7b..739d012e 100644 --- a/fast/stages/2-networking-c-nva/net-dev.tf +++ b/fast/stages/2-networking-c-nva/net-dev.tf @@ -23,6 +23,7 @@ module "dev-spoke-project" { parent = var.folder_ids.networking-dev prefix = var.prefix services = [ + "container.googleapis.com", "compute.googleapis.com", "dns.googleapis.com", "iap.googleapis.com", @@ -88,28 +89,28 @@ module "dev-spoke-vpc" { priority = 1000 tags = ["primary"] next_hop_type = "ilb" - next_hop = module.ilb-nva-trusted["primary"].forwarding_rule_addresses[""] + next_hop = module.ilb-nva-landing["primary"].forwarding_rule_addresses[""] } nva-secondary-to-secondary = { dest_range = "0.0.0.0/0" priority = 1000 tags = ["secondary"] next_hop_type = "ilb" - next_hop = module.ilb-nva-trusted["secondary"].forwarding_rule_addresses[""] + next_hop = module.ilb-nva-landing["secondary"].forwarding_rule_addresses[""] } nva-primary-to-secondary = { dest_range = "0.0.0.0/0" priority = 1001 tags = ["primary"] next_hop_type = "ilb" - next_hop = module.ilb-nva-trusted["primary"].forwarding_rule_addresses[""] + next_hop = module.ilb-nva-landing["primary"].forwarding_rule_addresses[""] } nva-secondary-to-primary = { dest_range = "0.0.0.0/0" priority = 1001 tags = ["secondary"] next_hop_type = "ilb" - next_hop = module.ilb-nva-trusted["secondary"].forwarding_rule_addresses[""] + next_hop = module.ilb-nva-landing["secondary"].forwarding_rule_addresses[""] } } } 
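Review bot: In the dev spoke the two fallback routes point at the same ILB as the primary routes: `nva-primary-to-secondary` (priority 1001, tag `primary`) uses `ilb-nva-landing["primary"]` and `nva-secondary-to-primary` uses `ilb-nva-landing["secondary"]`, so when the priority-1000 route is withdrawn the `primary`-tagged instances still send traffic to the primary-region NVA and never fail over. The matching hunk in net-prod.tf has them crossed (`["secondary"]` and `["primary"]` respectively), which is what the route names and the README's regional-failure procedure describe. The mismatch is pre-existing, but the commit rewrites exactly these lines, so I'd align dev with prod here: `next_hop = module.ilb-nva-landing["secondary"].forwarding_rule_addresses[""]` under `nva-primary-to-secondary` and `next_hop = module.ilb-nva-landing["primary"].forwarding_rule_addresses[""]` under `nva-secondary-to-primary`.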
@@ -131,5 +132,5 @@ module "peering-dev" { source = "../../../modules/net-vpc-peering" prefix = "dev-peering-0" local_network = module.dev-spoke-vpc.self_link - peer_network = module.landing-trusted-vpc.self_link + peer_network = module.landing-vpc.self_link } diff --git a/fast/stages/2-networking-c-nva/net-landing.tf b/fast/stages/2-networking-c-nva/net-landing.tf index 1cf6492a..f0eddc6f 100644 --- a/fast/stages/2-networking-c-nva/net-landing.tf +++ b/fast/stages/2-networking-c-nva/net-landing.tf @@ -42,12 +42,12 @@ module "landing-project" { } } -# Untrusted VPC +# DMZ (untrusted) VPC -module "landing-untrusted-vpc" { +module "dmz-vpc" { source = "../../../modules/net-vpc" project_id = module.landing-project.project_id - name = "prod-untrusted-landing-0" + name = "prod-dmz-0" mtu = 1500 dns_policy = { inbound = true @@ -55,31 +55,26 @@ module "landing-untrusted-vpc" { } create_googleapis_routes = null factories_config = { - subnets_folder = "${var.factories_config.data_dir}/subnets/landing-untrusted" + subnets_folder = "${var.factories_config.data_dir}/subnets/dmz" } } -module "landing-untrusted-firewall" { +module "dmz-firewall" { source = "../../../modules/net-vpc-firewall" project_id = module.landing-project.project_id - network = module.landing-untrusted-vpc.name + network = module.dmz-vpc.name default_rules_config = { disabled = true } factories_config = { cidr_tpl_file = "${var.factories_config.data_dir}/cidrs.yaml" - rules_folder = "${var.factories_config.data_dir}/firewall-rules/landing-untrusted" + rules_folder = "${var.factories_config.data_dir}/firewall-rules/dmz" } } # NAT -moved { - from = module.landing-nat-ew1 - to = module.landing-nat-primary -} - -module "landing-nat-primary" { +module "dmz-nat-primary" { source = "../../../modules/net-cloudnat" count = var.enable_cloud_nat ? 1 : 0 project_id = module.landing-project.project_id 
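Review bot: `name = "prod-dmz-0"` changes the VPC's resource name, which the provider treats as immutable, so on an existing deployment the dmz network — and with it the NVA interfaces, firewall rules, NAT routers and the subnets under it — is destroyed and recreated; the same applies to `name = "prod-landing-0"` in the landing-vpc hunk that follows. The module address renames (`landing-untrusted-vpc` → `dmz-vpc`, `landing-trusted-vpc` → `landing-vpc`, the `dmz-nat-*`, `dev-dns-priv-example`/`prod-dns-priv-example` and `ilb-nva-*` modules) come with no `moved` blocks, and this commit also deletes the `moved` blocks from the previous rename round, so a deployment that has not yet applied those would presumably see a destroy/create as well. If a disruptive re-deploy of the perimeter is intended, the stage README should say so and give the `terraform state mv` steps; otherwise add `moved { from = module.landing-untrusted-vpc to = module.dmz-vpc }` and its counterparts and keep the existing network names. The renamed `vpc_self_links` keys in outputs.tf (`prod-landing`, `prod-dmz`) presumably reach the following stages through the tfvars this stage writes, so they need the same migration note.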
@@ -87,15 +82,10 @@ module "landing-nat-primary" { name = local.region_shortnames[var.regions.primary] router_create = true router_name = "prod-nat-${local.region_shortnames[var.regions.primary]}" - router_network = module.landing-untrusted-vpc.name + router_network = module.dmz-vpc.name } -moved { - from = module.landing-nat-ew4 - to = module.landing-nat-secondary -} - -module "landing-nat-secondary" { +module "dmz-nat-secondary" { source = "../../../modules/net-cloudnat" count = var.enable_cloud_nat ? 1 : 0 project_id = module.landing-project.project_id @@ -103,19 +93,19 @@ module "landing-nat-secondary" { name = local.region_shortnames[var.regions.secondary] router_create = true router_name = "prod-nat-${local.region_shortnames[var.regions.secondary]}" - router_network = module.landing-untrusted-vpc.name + router_network = module.dmz-vpc.name } -# Trusted VPC +# Landing (trusted) VPC -module "landing-trusted-vpc" { +module "landing-vpc" { source = "../../../modules/net-vpc" project_id = module.landing-project.project_id - name = "prod-trusted-landing-0" + name = "prod-landing-0" delete_default_routes_on_create = true mtu = 1500 factories_config = { - subnets_folder = "${var.factories_config.data_dir}/subnets/landing-trusted" + subnets_folder = "${var.factories_config.data_dir}/subnets/landing" } dns_policy = { inbound = true @@ -127,15 +117,15 @@ module "landing-trusted-vpc" { } } -module "landing-trusted-firewall" { +module "landing-firewall" { source = "../../../modules/net-vpc-firewall" project_id = module.landing-project.project_id - network = module.landing-trusted-vpc.name + network = module.landing-vpc.name default_rules_config = { disabled = true } factories_config = { cidr_tpl_file = "${var.factories_config.data_dir}/cidrs.yaml" - rules_folder = "${var.factories_config.data_dir}/firewall-rules/landing-trusted" + rules_folder = "${var.factories_config.data_dir}/firewall-rules/landing" } } 
diff --git a/fast/stages/2-networking-c-nva/net-prod.tf b/fast/stages/2-networking-c-nva/net-prod.tf index a08ca0c4..fa9042e2 100644 --- a/fast/stages/2-networking-c-nva/net-prod.tf +++ b/fast/stages/2-networking-c-nva/net-prod.tf @@ -23,6 +23,7 @@ module "prod-spoke-project" { parent = var.folder_ids.networking-prod prefix = var.prefix services = [ + "container.googleapis.com", "compute.googleapis.com", "dns.googleapis.com", "iap.googleapis.com", @@ -86,28 +87,28 @@ module "prod-spoke-vpc" { priority = 1000 tags = ["primary"] next_hop_type = "ilb" - next_hop = module.ilb-nva-trusted["primary"].forwarding_rule_addresses[""] + next_hop = module.ilb-nva-landing["primary"].forwarding_rule_addresses[""] } nva-secondary-to-secondary = { dest_range = "0.0.0.0/0" priority = 1000 tags = ["secondary"] next_hop_type = "ilb" - next_hop = module.ilb-nva-trusted["secondary"].forwarding_rule_addresses[""] + next_hop = module.ilb-nva-landing["secondary"].forwarding_rule_addresses[""] } nva-primary-to-secondary = { dest_range = "0.0.0.0/0" priority = 1001 tags = ["primary"] next_hop_type = "ilb" - next_hop = module.ilb-nva-trusted["secondary"].forwarding_rule_addresses[""] + next_hop = module.ilb-nva-landing["secondary"].forwarding_rule_addresses[""] } nva-secondary-to-primary = { dest_range = "0.0.0.0/0" priority = 1001 tags = ["secondary"] next_hop_type = "ilb" - next_hop = module.ilb-nva-trusted["primary"].forwarding_rule_addresses[""] + next_hop = module.ilb-nva-landing["primary"].forwarding_rule_addresses[""] } } } @@ -129,5 +130,5 @@ module "peering-prod" { source = "../../../modules/net-vpc-peering" prefix = "prod-peering-0" local_network = module.prod-spoke-vpc.self_link - peer_network = module.landing-trusted-vpc.self_link + peer_network = module.landing-vpc.self_link } diff --git a/fast/stages/2-networking-c-nva/nva.tf b/fast/stages/2-networking-c-nva/nva.tf index 595b72b7..cc129124 100644 --- a/fast/stages/2-networking-c-nva/nva.tf 
+++ b/fast/stages/2-networking-c-nva/nva.tf @@ -19,20 +19,20 @@ locals { # local.routing_config[0] sets up the first interface, and so on. routing_config = [ { - name = "untrusted" + name = "dmz" enable_masquerading = true routes = [ - var.gcp_ranges.gcp_landing_untrusted_primary, - var.gcp_ranges.gcp_landing_untrusted_secondary, + var.gcp_ranges.gcp_dmz_primary, + var.gcp_ranges.gcp_dmz_secondary, ] }, { - name = "trusted" + name = "landing" routes = [ var.gcp_ranges.gcp_dev_primary, var.gcp_ranges.gcp_dev_secondary, - var.gcp_ranges.gcp_landing_trusted_primary, - var.gcp_ranges.gcp_landing_trusted_secondary, + var.gcp_ranges.gcp_landing_landing_primary, + var.gcp_ranges.gcp_landing_landing_secondary, var.gcp_ranges.gcp_prod_primary, var.gcp_ranges.gcp_prod_secondary, ] @@ -69,16 +69,20 @@ module "nva-template" { can_ip_forward = true network_interfaces = [ { - network = module.landing-untrusted-vpc.self_link - subnetwork = module.landing-untrusted-vpc.subnet_self_links["${each.value.region}/landing-untrusted-default-${each.value.shortname}"] - nat = false - addresses = null + network = module.dmz-vpc.self_link + subnetwork = try( + module.dmz-vpc.subnet_self_links["${each.value.region}/dmz-default"], null + ) + nat = false + addresses = null }, { - network = module.landing-trusted-vpc.self_link - subnetwork = module.landing-trusted-vpc.subnet_self_links["${each.value.region}/landing-trusted-default-${each.value.shortname}"] - nat = false - addresses = null + network = module.landing-vpc.self_link + subnetwork = try( + module.landing-vpc.subnet_self_links["${each.value.region}/landing-default"], null + ) + nat = false + addresses = null } ] boot_disk = { 
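Review bot: `var.gcp_ranges.gcp_landing_landing_primary` and `gcp_landing_landing_secondary` read as a search-and-replace artifact of `trusted` → `landing`, and they only resolve if `variables.tf` (not in this diff) defines keys with the doubled word; the sibling entries in this hunk use a single token (`gcp_dmz_primary`, `gcp_dev_primary`, `gcp_prod_primary`). I'd name them `gcp_landing_primary` / `gcp_landing_secondary` and keep the `gcp_ranges` default in `variables.tf` and the README variables table in step with that.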
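Review bot: The subnet keys in the two `try()` lookups do not match the subnet names this commit sets in the factory files: `dmz-ew1.yaml`/`dmz-ew4.yaml` declare `name: dmz`, so the key is `${each.value.region}/dmz` rather than `${each.value.region}/dmz-default`, assuming `subnet_self_links` is keyed by region/name as the replaced keys suggest. Because the lookup is now wrapped in `try(..., null)`, the mismatch no longer fails the plan; the NVA's dmz interface silently gets `subnetwork = null`, and what the compute module does with that is not visible here. The same problem is in the `ilb-nva-dmz` and `ilb-nva-landing` hunks that follow, which still append the regional shortname (`dmz-default-${local.region_shortnames[v]}`, `landing-default-${local.region_shortnames[v]}`) although the subnet names are now non-regional. I'd drop the `try()` so a wrong key fails at plan time, use `module.dmz-vpc.subnet_self_links["${each.value.region}/dmz"]` here, and set `subnet = "${v}/dmz"` and `subnet = "${v}/landing-default"` in the two ILB modules.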
@@ -116,18 +120,18 @@ module "nva-mig" {
 }
 }
-module "ilb-nva-untrusted" {
+module "ilb-nva-dmz" {
 for_each = {
 for k, v in var.regions : k => {
 region = v
 shortname = local.region_shortnames[v]
- subnet = "${v}/landing-untrusted-default-${local.region_shortnames[v]}"
+ subnet = "${v}/dmz-default-${local.region_shortnames[v]}"
 }
 }
 source = "../../../modules/net-lb-int"
 project_id = module.landing-project.project_id
 region = each.value.region
- name = "nva-untrusted-${each.key}"
+ name = "nva-dmz-${each.key}"
 service_label = var.prefix
 forwarding_rules_config = {
 "" = {
@@ -135,8 +139,8 @@ module "ilb-nva-untrusted" {
 }
 }
 vpc_config = {
- network = module.landing-untrusted-vpc.self_link
- subnetwork = module.landing-untrusted-vpc.subnet_self_links[each.value.subnet]
+ network = module.dmz-vpc.self_link
+ subnetwork = try(module.dmz-vpc.subnet_self_links[each.value.subnet], null)
 }
 backends = [
 for k, v in module.nva-mig :
@@ -151,18 +155,18 @@ module "ilb-nva-untrusted" {
 }
 }
-module "ilb-nva-trusted" {
+module "ilb-nva-landing" {
 for_each = {
 for k, v in var.regions : k => {
 region = v
 shortname = local.region_shortnames[v]
- subnet = "${v}/landing-trusted-default-${local.region_shortnames[v]}"
+ subnet = "${v}/landing-default-${local.region_shortnames[v]}"
 }
 }
 source = "../../../modules/net-lb-int"
 project_id = module.landing-project.project_id
 region = each.value.region
- name = "nva-trusted-${each.key}"
+ name = "nva-landing-${each.key}"
 service_label = var.prefix
 forwarding_rules_config = {
 "" = {
@@ -170,8 +174,8 @@ module "ilb-nva-trusted" {
 }
 }
 vpc_config = {
- network = module.landing-trusted-vpc.self_link
- subnetwork = module.landing-trusted-vpc.subnet_self_links[each.value.subnet]
+ network = module.landing-vpc.self_link
+ subnetwork = try(module.landing-vpc.subnet_self_links[each.value.subnet], null)
 }
 backends = [
 for k, v in module.nva-mig :
diff --git a/fast/stages/2-networking-c-nva/outputs.tf b/fast/stages/2-networking-c-nva/outputs.tf
index eb53a63f..96e16968 100644
--- a/fast/stages/2-networking-c-nva/outputs.tf
+++ b/fast/stages/2-networking-c-nva/outputs.tf
@@ -31,10 +31,10 @@ locals {
 vpc_self_links = local.vpc_self_links
 }
 vpc_self_links = {
- prod-landing-trusted = module.landing-trusted-vpc.self_link
- prod-landing-untrusted = module.landing-untrusted-vpc.self_link
- dev-spoke-0 = module.dev-spoke-vpc.self_link
- prod-spoke-0 = module.prod-spoke-vpc.self_link
+ prod-landing = module.landing-vpc.self_link
+ prod-dmz = module.dmz-vpc.self_link
+ dev-spoke-0 = module.dev-spoke-vpc.self_link
+ prod-spoke-0 = module.prod-spoke-vpc.self_link
 }
 }
diff --git a/fast/stages/2-networking-c-nva/test-resources.tf b/fast/stages/2-networking-c-nva/test-resources.tf
index 97bb7208..c2f2e1b2 100644
--- a/fast/stages/2-networking-c-nva/test-resources.tf
+++ b/fast/stages/2-networking-c-nva/test-resources.tf
@@ -16,16 +16,16 @@
 # tfdoc:file:description temporary instances for testing
-# # Untrusted (Landing)
+# # dmz (Landing)
-# module "test-vm-landing-untrusted-primary-0" {
+# module "test-vm-dmz-primary-0" {
 # source = "../../../modules/compute-vm"
 # project_id = module.landing-project.project_id
 # zone = "${var.regions.primary}-b"
 # name = "test-vm-lnd-unt-pri-0"
 # network_interfaces = [{
-# network = module.landing-untrusted-vpc.self_link
-# subnetwork = module.landing-untrusted-vpc.subnet_self_links["${var.regions.primary}/landing-untrusted-default-${local.region_shortnames[var.regions.primary]}"]
+# network = module.dmz-vpc.self_link
+# subnetwork = module.dmz-vpc.subnet_self_links["${var.regions.primary}/dmz-default-${local.region_shortnames[var.regions.primary]}"]
 # }]
 # tags = ["primary", "ssh"]
 # service_account_create = true
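Review bot: Renaming the `vpc_self_links` keys (`prod-landing-trusted` → `prod-landing`, `prod-landing-untrusted` → `prod-dmz`) changes the map that later stages read from this stage's outputs, so any stage-3 consumer still looking up the old keys will fail until it is updated, and nothing in the diff shows that update. If the downstream stages are not adjusted in the same change, consider keeping the old keys as aliases for one release or calling out the new names in the stage README. The `locals` block begins before the hunk.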
@@ -46,14 +46,14 @@
 # }
 # }
-# module "test-vm-landing-untrusted-secondary-0" {
+# module "test-vm-dmz-secondary-0" {
 # source = "../../../modules/compute-vm"
 # project_id = module.landing-project.project_id
 # zone = "${var.regions.secondary}-a"
 # name = "test-vm-lnd-unt-sec-0"
 # network_interfaces = [{
-# network = module.landing-untrusted-vpc.self_link
-# subnetwork = module.landing-untrusted-vpc.subnet_self_links["${var.regions.secondary}/landing-untrusted-default-${local.region_shortnames[var.regions.secondary]}"]
+# network = module.dmz-vpc.self_link
+# subnetwork = module.dmz-vpc.subnet_self_links["${var.regions.secondary}/dmz-default-${local.region_shortnames[var.regions.secondary]}"]
 # }]
 # tags = ["secondary", "ssh"]
 # service_account_create = true
@@ -74,16 +74,16 @@
 # }
 # }
-# # Trusted (hub)
+# # landing (hub)
-# module "test-vm-landing-trusted-primary-0" {
+# module "test-vm-landing-primary-0" {
 # source = "../../../modules/compute-vm"
 # project_id = module.landing-project.project_id
 # zone = "${var.regions.primary}-b"
 # name = "test-vm-lnd-tru-pri-0"
 # network_interfaces = [{
-# network = module.landing-trusted-vpc.self_link
-# subnetwork = module.landing-trusted-vpc.subnet_self_links["${var.regions.primary}/landing-trusted-default-${local.region_shortnames[var.regions.primary]}"]
+# network = module.landing-vpc.self_link
+# subnetwork = module.landing-vpc.subnet_self_links["${var.regions.primary}/landing-default-${local.region_shortnames[var.regions.primary]}"]
 # }]
 # tags = ["primary", "ssh"]
 # service_account_create = true
@@ -104,14 +104,14 @@
 # }
 # }
-# module "test-vm-landing-trusted-secondary-0" {
+# module "test-vm-landing-secondary-0" {
 # source = "../../../modules/compute-vm"
 # project_id = module.landing-project.project_id
 # zone = "${var.regions.secondary}-a"
 # name = "test-vm-lnd-tru-sec-0"
 # network_interfaces = [{
-# network = module.landing-trusted-vpc.self_link
-# subnetwork = module.landing-trusted-vpc.subnet_self_links["${var.regions.secondary}/landing-trusted-default-${local.region_shortnames[var.regions.secondary]}"]
+# network = module.landing-vpc.self_link
+# subnetwork = module.landing-vpc.subnet_self_links["${var.regions.secondary}/landing-default-${local.region_shortnames[var.regions.secondary]}"]
 # }]
 # tags = ["secondary", "ssh"]
 # service_account_create = true
diff --git a/fast/stages/2-networking-c-nva/variables.tf b/fast/stages/2-networking-c-nva/variables.tf
index 452b672a..2b4d8ac6 100644
--- a/fast/stages/2-networking-c-nva/variables.tf
+++ b/fast/stages/2-networking-c-nva/variables.tf
@@ -127,14 +127,14 @@ variable "gcp_ranges" {
 description = "GCP address ranges in name => range format."
 type = map(string)
 default = {
- gcp_dev_primary = "10.68.0.0/16"
- gcp_dev_secondary = "10.84.0.0/16"
- gcp_landing_trusted_primary = "10.64.0.0/17"
- gcp_landing_trusted_secondary = "10.80.0.0/17"
- gcp_landing_untrusted_primary = "10.64.127.0/17"
- gcp_landing_untrusted_secondary = "10.80.127.0/17"
- gcp_prod_primary = "10.72.0.0/16"
- gcp_prod_secondary = "10.88.0.0/16"
+ gcp_dev_primary = "10.68.0.0/16"
+ gcp_dev_secondary = "10.84.0.0/16"
+ gcp_landing_landing_primary = "10.64.0.0/17"
+ gcp_landing_landing_secondary = "10.80.0.0/17"
+ gcp_dmz_primary = "10.64.127.0/17"
+ gcp_dmz_secondary = "10.80.127.0/17"
+ gcp_prod_primary = "10.72.0.0/16"
+ gcp_prod_secondary = "10.88.0.0/16"
 }
 }
diff --git a/fast/stages/2-networking-c-nva/vpn-onprem.tf b/fast/stages/2-networking-c-nva/vpn-onprem.tf
index 55127ce4..78c1985a 100644
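Review bot: The `gcp_dmz_primary` / `gcp_dmz_secondary` defaults `"10.64.127.0/17"` and `"10.80.127.0/17"` are not on a /17 boundary: masked to /17 they are 10.64.0.0/17 and 10.80.0.0/17, i.e. the same blocks as `gcp_landing_landing_primary` / `gcp_landing_landing_secondary`, so the two NVA interface route lists in nva.tf are fed overlapping prefixes and a strict consumer may reject the non-canonical form. Presumably the upper halves were intended, `gcp_dmz_primary = "10.64.128.0/17"` and `gcp_dmz_secondary = "10.80.128.0/17"` (a DMZ subnet file elsewhere in this commit sits in 10.64.128.0/24) — confirm against the address plan. The values predate the rename, but the keys are being rewritten here anyway. `variable "gcp_ranges"` begins before the hunk.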
--- a/fast/stages/2-networking-c-nva/vpn-onprem.tf
+++ b/fast/stages/2-networking-c-nva/vpn-onprem.tf
@@ -31,7 +31,7 @@ module "landing-to-onprem-primary-vpn" {
 count = var.vpn_onprem_primary_config == null ? 0 : 1
 source = "../../../modules/net-vpn-ha"
 project_id = module.landing-project.project_id
- network = module.landing-trusted-vpc.self_link
+ network = module.landing-vpc.self_link
 region = var.regions.primary
 name = "vpn-to-onprem-${local.region_shortnames[var.regions.primary]}"
 router_config = try(var.vpn_onprem_primary_config.router_config, {})
@@ -45,7 +45,7 @@ module "landing-to-onprem-secondary-vpn" {
 count = var.vpn_onprem_secondary_config == null ? 0 : 1
 source = "../../../modules/net-vpn-ha"
 project_id = module.landing-project.project_id
- network = module.landing-trusted-vpc.self_link
+ network = module.landing-vpc.self_link
 region = var.regions.secondary
 name = "vpn-to-onprem-${local.region_shortnames[var.regions.secondary]}"
 router_config = try(var.vpn_onprem_secondary_config.router_config, {})
diff --git a/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-dataplatform-ew1.yaml b/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-dataplatform-ew1.yaml
index b037772d..9b1cfb46 100644
--- a/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-dataplatform-ew1.yaml
+++ b/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-dataplatform-ew1.yaml
@@ -1,5 +1,6 @@
 # skip boilerplate check
+name: dev-dataplatform
 region: europe-west1
 description: Default subnet for dev Data Platform
 ip_cidr_range: 10.68.2.0/24
diff --git a/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-default-ew1.yaml b/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-default-ew1.yaml
index fdb9c046..928fb1eb 100644
--- a/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-default-ew1.yaml
+++ b/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-default-ew1.yaml
@@ -1,5 +1,6 @@
 # skip boilerplate check
+name: dev-default
 region: europe-west1
 ip_cidr_range: 10.68.0.0/24
 description: Default subnet for dev
diff --git a/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-gke-nodes-ew1.yaml b/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-gke-nodes-ew1.yaml
index 087056b9..d0c5155e 100644
--- a/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-gke-nodes-ew1.yaml
+++ b/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-gke-nodes-ew1.yaml
@@ -1,5 +1,6 @@
 # skip boilerplate check
+name: dev-gke-nodes
 region: europe-west1
 description: Default subnet for prod gke nodes
 ip_cidr_range: 10.68.1.0/24
diff --git a/fast/stages/2-networking-d-separate-envs/data/subnets/prod/prod-default-ew1.yaml b/fast/stages/2-networking-d-separate-envs/data/subnets/prod/prod-default-ew1.yaml
index 66a96398..cdc77d46 100644
--- a/fast/stages/2-networking-d-separate-envs/data/subnets/prod/prod-default-ew1.yaml
+++ b/fast/stages/2-networking-d-separate-envs/data/subnets/prod/prod-default-ew1.yaml
@@ -1,5 +1,6 @@
 # skip boilerplate check
+name: prod-default
 region: europe-west1
 ip_cidr_range: 10.72.0.0/24
 description: Default subnet for prod
diff --git a/fast/stages/2-networking-d-separate-envs/dns-dev.tf b/fast/stages/2-networking-d-separate-envs/dns-dev.tf
index 46d41316..b176af16 100644
--- a/fast/stages/2-networking-d-separate-envs/dns-dev.tf
+++ b/fast/stages/2-networking-d-separate-envs/dns-dev.tf
@@ -33,11 +33,6 @@ module "dev-dns-private-zone" {
 }
 }
-moved {
- from = module.dev-onprem-example-dns-forwarding
- to = module.dev-dns-fwd-onprem-example
-}
-
 module "dev-dns-fwd-onprem-example" {
 source = "../../../modules/dns"
 count = length(var.dns.dev_resolvers) > 0 ? 1 : 0
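Review bot: The context line `description: Default subnet for prod gke nodes` in dev-gke-nodes-ew1.yaml labels a dev subnet as prod; since the file is already being touched to add `name: dev-gke-nodes`, correcting it to `description: Default subnet for dev gke nodes` is cheap and keeps the subnet description that ends up in the GCP console accurate. The stage e copy of this file later in the diff carries the same description.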
@@ -52,11 +47,6 @@ module "dev-dns-fwd-onprem-example" {
 }
 }
-moved {
- from = module.dev-reverse-10-dns-forwarding
- to = module.dev-dns-fwd-onprem-rev-10
-}
-
 module "dev-dns-fwd-onprem-rev-10" {
 source = "../../../modules/dns"
 count = length(var.dns.dev_resolvers) > 0 ? 1 : 0
diff --git a/fast/stages/2-networking-d-separate-envs/dns-prod.tf b/fast/stages/2-networking-d-separate-envs/dns-prod.tf
index cfef28dd..adcc3889 100644
--- a/fast/stages/2-networking-d-separate-envs/dns-prod.tf
+++ b/fast/stages/2-networking-d-separate-envs/dns-prod.tf
@@ -33,11 +33,6 @@ module "prod-dns-private-zone" {
 }
 }
-moved {
- from = module.prod-onprem-example-dns-forwarding
- to = module.prod-dns-fwd-onprem-example
-}
-
 module "prod-dns-fwd-onprem-example" {
 source = "../../../modules/dns"
 count = length(var.dns.prod_resolvers) > 0 ? 1 : 0
@@ -52,11 +47,6 @@ module "prod-dns-fwd-onprem-example" {
 }
 }
-moved {
- from = module.prod-reverse-10-dns-forwarding
- to = module.prod-dns-fwd-onprem-rev-10
-}
-
 module "prod-dns-fwd-onprem-rev-10" {
 source = "../../../modules/dns"
 count = length(var.dns.prod_resolvers) > 0 ? 1 : 0
diff --git a/fast/stages/2-networking-e-nva-bgp/README.md b/fast/stages/2-networking-e-nva-bgp/README.md
index 5e3a636b..1e81f9bf 100644
--- a/fast/stages/2-networking-e-nva-bgp/README.md
+++ b/fast/stages/2-networking-e-nva-bgp/README.md
@@ -80,20 +80,20 @@ In case of a regional failure, the corresponding dynamic routes are withdrawn an
 The "landing zone" is divided into two VPC networks:
-- the trusted VPC: the connectivity hub towards other trusted networks
-- the untrusted VPC: the connectivity hub towards any other untrusted network
+- the landing VPC: the connectivity hub towards other trusted networks
+- the DMZ VPC: the connectivity hub towards any other untrusted network
 ### NCC, NVAs and BGP sessions
 The VPCs connect through two sets of sample NVA machines: one per region, each containing two instances. The appliances run [Container-Optimized OS](https://cloud.google.com/container-optimized-os/docs) and a container with [FRRouting](https://frrouting.org/).
-We levarage NCC-RA to allow the NVAs to establish BGP sessions with Cloud Routers in the untrusted and in the trusted VPCs. This allows Cloud Routers to advertise routes to the NVAs, and the NVAs to announce routes to the Cloud Router, so it can program them in the VPC.
+We leverage NCC-RA to allow the NVAs to establish BGP sessions with Cloud Routers in the untrusted and in the trusted VPCs. This allows Cloud Routers to advertise routes to the NVAs, and the NVAs to announce routes to the Cloud Router, so it can program them in the VPC.
 Specifically, each NVA establishes two BGP sessions (for redundancy) with the the Cloud Router deployed in the VPC and in the subnet where the interface of that VM is attached to.
-**Cloud Routers in the untrusted VPC advertise the default route (0.0.0.0/0) to the NVAs**. The NVAs advertise the route to the Cloud Routers in the trusted VPC. These dynamic routes are then imported through VPC peerings in the spokes.
+**Cloud Routers in the DMZ VPC advertise the default route (0.0.0.0/0) to the NVAs**. The NVAs advertise the route to the Cloud Routers in the landing. These dynamic routes are then imported through VPC peerings in the spokes.
-**Cloud Routers in the trusted hub adverts to the NVAs** all the subnets of the trusted VPCs. This includes the regional subnets and the cross-regional subnets. The NVAs manipulate the route costs (MED) before advertising them to the Cloud Routers in the untrusted VPC. This is done to guarantee symmetric traffic paths (more [here](https://medium.com/google-cloud/gcp-routing-adventures-vol-2-enterprise-multi-regional-deployments-in-google-cloud-3968e9591d59)).
+**Cloud Routers in the landing adverts to the NVAs** all the subnets of the trusted VPCs. This includes the regional subnets and the cross-regional subnets. The NVAs manipulate the route costs (MED) before advertising them to the Cloud Routers in the DMZ VPC. This is done to guarantee symmetric traffic paths (more [here](https://medium.com/google-cloud/gcp-routing-adventures-vol-2-enterprise-multi-regional-deployments-in-google-cloud-3968e9591d59)).
 NVAs establish **extra BGP sessions with both cross-regional NVAs**. In this case, the NVAs advertise the regional trusted routes only. This allows cross-spoke (environment) traffic to remain also symmetric (more [here](https://medium.com/google-cloud/gcp-routing-adventures-vol-2-enterprise-multi-regional-deployments-in-google-cloud-3968e9591d59)). We set these routes to be exchanged at a lower cost than the one set for the other routes.
@@ -101,8 +101,8 @@ Following the majority of real-life deployments, **we assume appliances to be st
 By default, the design assumes that:
-- on-premise networks (and related resources) are considered trusted. As such, the VPNs connecting with on-premises are terminated in GCP, in the trusted VPC
-- the public Internet is considered untrusted. As such [Cloud NAT](https://cloud.google.com/nat/docs/overview) is deployed in the untrusted landing VPC only. Also, the default route is set to carry traffic from the trusted VPCs, through the NVAs, to the untrusted VPC.
+- on-premise networks (and related resources) are considered trusted. As such, the VPNs connecting with on-premises are terminated in GCP, in the landing
+- the public Internet is considered untrusted. As such [Cloud NAT](https://cloud.google.com/nat/docs/overview) is deployed in the DMZ VPC only. Also, the default route is set to carry traffic from the trusted VPCs, through the NVAs, to the DMZ.
 - cross-spoke (environment) traffic and traffic from any untrusted network to any trusted network (and vice versa) pass through the NVAs.
 - any traffic from a trusted network to an untrusted network (e.g. Internet) is natted by the NVAs. Users can configure further exclusions.
@@ -133,7 +133,7 @@ This is an options summary:
 - [VPC Peering](https://cloud.google.com/vpc/docs/vpc-peering) (used here to connect the trusted landing VPC with the spokes, also used by [02-networking-vpn](../2-networking-b-vpn/))
 - Pros: no additional costs, full bandwidth with no configurations, no extra latency
 - Cons: no transitivity (e.g. to GKE masters, Cloud SQL, etc.), no selective exchange of routes, several quotas and limits shared between VPCs in a peering group
-- [Multi-NIC appliances](https://cloud.google.com/architecture/best-practices-vpc-design#multi-nic) (used here to connect the trusted landing and untrusted VPCs)
+- [Multi-NIC appliances](https://cloud.google.com/architecture/best-practices-vpc-design#multi-nic) (used here to connect the trusted landing and DMZ)
 - Pros: provides additional security features (e.g. IPS), potentially better integration with on-prem systems by using the same vendor
 - Cons: complex HA/failover setup, limited by VM bandwidth and scale, additional costs for VMs and licenses, out of band management of a critical cloud component
 - [HA VPN](https://cloud.google.com/network-connectivity/docs/vpn/concepts/topologies)
@@ -154,10 +154,10 @@ This is a summary of the subnets allocated by default in this setup:
 | name | description | CIDR |
 |---|---|---|
-| landing-trusted-default-ew1 | Trusted landing subnet - europe-west1 | 10.128.64.0/24 |
-| landing-trusted-default-ew4 | Trusted landing subnet - europe-west4 | 10.128.96.0/24 |
-| landing-untrusted-default-ew1 | Untrusted landing subnet - europe-west1 | 10.128.0.0/24 |
-| landing-untrusted-default-ew4 | Untrusted landing subnet - europe-west4 | 10.128.32.0/24 |
+| landing-default-ew1 | Trusted landing subnet - europe-west1 | 10.128.64.0/24 |
+| landing-default-ew4 | Trusted landing subnet - europe-west4 | 10.128.96.0/24 |
+| dmz-default-ew1 | Untrusted landing subnet - europe-west1 | 10.128.0.0/24 |
+| dmz-default-ew4 | Untrusted landing subnet - europe-west4 | 10.128.32.0/24 |
 | dev-default-ew1 | Dev spoke subnet - europe-west1 | 10.68.0.0/24 |
 | dev-default-ew1 | Free (PSA) - europe-west1 | 10.68.253.0/24 |
 | dev-default-ew1 | Free (PSA) - europe-west1 | 10.68.254.0/24 |
@@ -183,10 +183,10 @@ In this setup:
 - routes between multiple subnets within the same VPC are automatically exchanged by GCP
 - the spokes and the trusted landing VPC exchange dynamic routes through VPC peerings
-- on-premises is connected to the trusted landing VPC and it dynamically exchanges BGP routes with GCP (with the trusted VPC) using HA VPN
-- the NVAs exchange dynamic routes using BGP with Cloud Routers in the untrusted VPC, Cloud Routers in the trusted VPC and cross-regional NVAs. This allows VMs in different environments and different regions to communicate.
+- on-premises is connected to the trusted landing VPC and it dynamically exchanges BGP routes with GCP (with the landing) using HA VPN
+- the NVAs exchange dynamic routes using BGP with Cloud Routers in the DMZ, Cloud Routers in the landing and cross-regional NVAs. This allows VMs in different environments and different regions to communicate.
-The Cloud Routers (connected to the VPN gateways in the trusted VPC) are configured to exclude the default advertisement of VPC ranges and they only advertise their respective aggregate ranges, via custom advertisements. This greatly simplifies the routing configuration and avoids quota or limit issues, by keeping the number of routes small, instead of making it proportional to the subnets and to the secondary ranges in the VPCs.
+The Cloud Routers (connected to the VPN gateways in the landing) are configured to exclude the default advertisement of VPC ranges and they only advertise their respective aggregate ranges, via custom advertisements. This greatly simplifies the routing configuration and avoids quota or limit issues, by keeping the number of routes small, instead of making it proportional to the subnets and to the secondary ranges in the VPCs.
 ### Internet egress
@@ -253,14 +253,14 @@ Each VPC network ([`net-vpc`](../../../modules/net-vpc)) manages a separate rout
 NCC/Cloud Router BGP settings are defined in `ncc.tf`. NVA BGP settings are defined in the [bpg-config.tftpl template file](./data/bgp-config.tftpl).
-The variable `ncc_asn` allows to change the Autonomous System Number (ASN) assigned to the untrusted VPC Cloud Routers, to the trusted VPC Cloud Routers and to the NVAs.
+The variable `ncc_asn` allows to change the Autonomous System Number (ASN) assigned to the DMZ Cloud Routers, to the landing VPC Cloud Routers and to the NVAs.
 BGP sessions for trusted landing to on-premises are configured through the variable `vpn_onprem_configs`.
 ### Firewall
 **VPC firewall rules** ([`net-vpc-firewall`](../../../modules/net-vpc-firewall)) are defined per-vpc on each `vpc-*.tf` file and leverage a resource factory to massively create rules.
-To add a new firewall rule, create a new file or edit an existing one in the `data_folder` directory defined in the module `net-vpc-firewall`, following the examples of the "[Rules factory](../../../modules/net-vpc-firewall#rules-factory)" section of the module documentation. Sample firewall rules are shipped in [data/firewall-rules/landing-untrusted](./data/firewall-rules/landing-untrusted) and in [data/firewall-rules/landing-trusted](./data/firewall-rules/landing-trusted), and can be easily customized.
+To add a new firewall rule, create a new file or edit an existing one in the `data_folder` directory defined in the module `net-vpc-firewall`, following the examples of the "[Rules factory](../../../modules/net-vpc-firewall#rules-factory)" section of the module documentation. Sample firewall rules are shipped in [data/firewall-rules/landing-untrusted](./data/firewall-rules/dmz) and in [data/firewall-rules/landing-trusted](./data/firewall-rules/landing), and can be easily customized.
**Hierarchical firewall policies** ([`folder`](../../../modules/folder)) are defined in `main.tf` and managed through a policy factory implemented by the `net-firewall-policy` module, which is then applied to the `Networking` folder containing all the core networking infrastructure. Policies are defined in the `rules_file` file, to define a new one simply use the [firewall policy module documentation](../../../modules/net-firewall-policy/README.md#factory)". Sample hierarchical firewall rules are shipped in [data/hierarchical-ingress-rules.yaml](./data/hierarchical-ingress-rules.yaml) and can be easily customised.
@@ -493,8 +493,8 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 | [enable_cloud_nat](variables.tf#L82) | Deploy Cloud NAT. | bool | | false | |
 | [essential_contacts](variables.tf#L89) | Email used for essential contacts, unset if null. | string | | null | |
 | [factories_config](variables.tf#L95) | Configuration for network resource factories. | object({…}) | | {…} | |
-| [gcp_ranges](variables.tf#L126) | GCP address ranges in name => range format. | map(string) | | {…} | |
-| [ncc_asn](variables.tf#L141) | The NCC Cloud Routers ASN configuration. | map(number) | | {…} | |
+| [gcp_ranges](variables.tf#L126) | GCP address ranges in name => range format. | map(string) | | {…} | |
+| [ncc_asn](variables.tf#L141) | The NCC Cloud Routers ASN configuration. | map(number) | | {…} | |
 | [onprem_cidr](variables.tf#L152) | Onprem addresses in name => range format. | map(string) | | {…} | |
 | [outputs_location](variables.tf#L170) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
 | [psa_ranges](variables.tf#L187) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | null | |
diff --git a/fast/stages/2-networking-e-nva-bgp/data/bgp-config.tftpl b/fast/stages/2-networking-e-nva-bgp/data/bgp-config.tftpl
index 53009c17..ee370d9d 100644
--- a/fast/stages/2-networking-e-nva-bgp/data/bgp-config.tftpl
+++ b/fast/stages/2-networking-e-nva-bgp/data/bgp-config.tftpl
@@ -5,27 +5,27 @@ no ipv6 forwarding
 service integrated-vtysh-config
 interface lo
- ip address ${ip_untrusted}/32
+ ip address ${ip_dmz}/32
 ip prefix-list DEFAULT seq 10 permit 0.0.0.0/0
 !
-ip prefix-list PRIMARY seq 10 permit ${gcp_landing_trusted_primary}
+ip prefix-list PRIMARY seq 10 permit ${gcp_landing_landing_primary}
 ip prefix-list PRIMARY seq 20 permit ${gcp_dev_primary}
 ip prefix-list PRIMARY seq 30 permit ${gcp_prod_primary}
 !
-ip prefix-list SECONDARY seq 10 permit ${gcp_landing_trusted_secondary}
+ip prefix-list SECONDARY seq 10 permit ${gcp_landing_landing_secondary}
 ip prefix-list SECONDARY seq 20 permit ${gcp_dev_secondary}
 ip prefix-list SECONDARY seq 30 permit ${gcp_prod_secondary}
-route-map TO-UNTRUSTED permit 10
+route-map TO-DMZ permit 10
 match ip address prefix-list PRIMARY
 set metric ${cost_primary}
 !
-route-map TO-UNTRUSTED permit 20
+route-map TO-DMZ permit 20
 match ip address prefix-list SECONDARY
 set metric ${cost_secondary}
 !
-route-map TO-TRUSTED permit 10
+route-map TO-LANDING permit 10
 match ip address prefix-list DEFAULT
 set metric 100
 !
@@ -34,7 +34,7 @@ route-map TO-NVA permit 10
 set metric 50
 router bgp ${asn_nva}
- bgp router-id ${ip_untrusted}
+ bgp router-id ${ip_dmz}
 bgp bestpath as-path ignore
 bgp disable-ebgp-connected-route-check
 bgp timers 20 60
@@ -42,13 +42,13 @@ router bgp ${asn_nva}
 no bgp ebgp-requires-policy
 no bgp network import-check
 !
- neighbor ${ip_neighbor_untrusted_0} remote-as ${asn_untrusted}
- neighbor ${ip_neighbor_untrusted_1} remote-as ${asn_untrusted}
+ neighbor ${ip_neighbor_dmz_0} remote-as ${asn_dmz}
+ neighbor ${ip_neighbor_dmz_1} remote-as ${asn_dmz}
 !
- neighbor ${ip_neighbor_trusted_0} remote-as ${asn_trusted}
- neighbor ${ip_neighbor_trusted_0} update-source ${ip_trusted}
- neighbor ${ip_neighbor_trusted_1} remote-as ${asn_trusted}
- neighbor ${ip_neighbor_trusted_1} update-source ${ip_trusted}
+ neighbor ${ip_neighbor_landing_0} remote-as ${asn_landing}
+ neighbor ${ip_neighbor_landing_0} update-source ${ip_landing}
+ neighbor ${ip_neighbor_landing_1} remote-as ${asn_landing}
+ neighbor ${ip_neighbor_landing_1} update-source ${ip_landing}
 !
 neighbor ${ip_neighbor_cross_region_nva_0} remote-as ${asn_nva_cross_region}
 neighbor ${ip_neighbor_cross_region_nva_0} ebgp-multihop 2
@@ -56,17 +56,17 @@ router bgp ${asn_nva}
 neighbor ${ip_neighbor_cross_region_nva_1} ebgp-multihop 2
 !
 address-family ipv4 unicast
- neighbor ${ip_neighbor_untrusted_0} route-map TO-UNTRUSTED out
- neighbor ${ip_neighbor_untrusted_0} soft-reconfiguration inbound
+ neighbor ${ip_neighbor_dmz_0} route-map TO-DMZ out
+ neighbor ${ip_neighbor_dmz_0} soft-reconfiguration inbound
 !
- neighbor ${ip_neighbor_untrusted_1} route-map TO-UNTRUSTED out
- neighbor ${ip_neighbor_untrusted_1} soft-reconfiguration inbound
+ neighbor ${ip_neighbor_dmz_1} route-map TO-DMZ out
+ neighbor ${ip_neighbor_dmz_1} soft-reconfiguration inbound
 !
- neighbor ${ip_neighbor_trusted_0} route-map TO-TRUSTED out
- neighbor ${ip_neighbor_trusted_0} soft-reconfiguration inbound
+ neighbor ${ip_neighbor_landing_0} route-map TO-LANDING out
+ neighbor ${ip_neighbor_landing_0} soft-reconfiguration inbound
 !
- neighbor ${ip_neighbor_trusted_1} route-map TO-TRUSTED out
- neighbor ${ip_neighbor_trusted_1} soft-reconfiguration inbound
+ neighbor ${ip_neighbor_landing_1} route-map TO-LANDING out
+ neighbor ${ip_neighbor_landing_1} soft-reconfiguration inbound
 !
 neighbor ${ip_neighbor_cross_region_nva_0} route-map TO-NVA out
 neighbor ${ip_neighbor_cross_region_nva_0} soft-reconfiguration inbound
diff --git a/fast/stages/2-networking-e-nva-bgp/data/cidrs.yaml b/fast/stages/2-networking-e-nva-bgp/data/cidrs.yaml
index 1dc04881..15d17f94 100644
--- a/fast/stages/2-networking-e-nva-bgp/data/cidrs.yaml
+++ b/fast/stages/2-networking-e-nva-bgp/data/cidrs.yaml
@@ -9,13 +9,13 @@ healthchecks:
 - 209.85.152.0/22
 - 209.85.204.0/22
-ncc_cloud_routers_trusted:
+ncc_cloud_routers_landing:
 - 10.128.64.201/32
 - 10.128.64.202/32
 - 10.128.96.201/32
 - 10.128.96.202/32
-ncc_cloud_routers_untrusted:
+ncc_cloud_routers_dmz:
 - 10.128.0.201/32
 - 10.128.0.202/32
 - 10.128.32.201/32
diff --git a/fast/stages/2-networking-c-nva/data/firewall-rules/landing-untrusted/default-ingress.yaml b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dmz/default-ingress.yaml
similarity index 84%
rename from fast/stages/2-networking-c-nva/data/firewall-rules/landing-untrusted/default-ingress.yaml
rename to fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dmz/default-ingress.yaml
index 7116a78e..e13a249b 100644
--- a/fast/stages/2-networking-c-nva/data/firewall-rules/landing-untrusted/default-ingress.yaml
+++ b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dmz/default-ingress.yaml
@@ -1,7 +1,7 @@
 # skip boilerplate check
 ingress:
- untrusted-ingress-default-deny:
+ dmz-ingress-default-deny:
 description: "Deny and log any unmatched ingress traffic."
 deny: true
 priority: 65535
diff --git a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-untrusted/rules.yaml b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dmz/rules.yaml
similarity index 87%
rename from fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-untrusted/rules.yaml
rename to fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dmz/rules.yaml
index 3588af4d..f63c07fa 100644
--- a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-untrusted/rules.yaml
+++ b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dmz/rules.yaml
@@ -4,7 +4,7 @@
 # You can retain `---` (start of the document) to indicate an empty document.
 ingress:
- allow-hc-nva-ssh-untrusted:
+ allow-hc-nva-ssh-dmz:
 description: "Allow traffic from Google healthchecks to NVA appliances"
 source_ranges:
 - healthchecks
@@ -15,16 +15,16 @@ ingress:
 # these are not really needed, but it's good to have them
 # in place if the more generic hierarchical firewall policies
 # get deleted
- allow-ncc-nva-bgp-untrusted:
+ allow-ncc-nva-bgp-dmz:
 description: "Allow BGP traffic from NCC Cloud Routers to NVAs"
 source_ranges:
- - ncc_cloud_routers_untrusted
+ - ncc_cloud_routers_dmz
 targets: ["nva"]
 rules:
 - protocol: tcp
 ports:
 - 179
- allow-nva-nva-bgp-untrusted:
+ allow-nva-nva-bgp-dmz:
 description: "Allow BGP traffic from cross-regional NVAs"
 sources: ["nva"]
 targets: ["nva"]
diff --git a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-untrusted/default-ingress.yaml b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing/default-ingress.yaml
similarity index 84%
rename from fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-untrusted/default-ingress.yaml
rename to fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing/default-ingress.yaml
index 7116a78e..a8fd0c58 100644
--- a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-untrusted/default-ingress.yaml
+++ b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing/default-ingress.yaml
@@ -1,7 +1,7 @@
 # skip boilerplate check
 ingress:
- untrusted-ingress-default-deny:
+ landing-ingress-default-deny:
 description: "Deny and log any unmatched ingress traffic."
 deny: true
 priority: 65535
diff --git a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-trusted/rules.yaml b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing/rules.yaml
similarity index 86%
rename from fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-trusted/rules.yaml
rename to fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing/rules.yaml
index bd7bee57..588f7e8c 100644
--- a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-trusted/rules.yaml
+++ b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing/rules.yaml
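Review bot: `allow-ncc-nva-bgp-dmz` opens TCP 179 on the NVAs to the `ncc_cloud_routers_dmz` list, which cidrs.yaml in this commit populates with 10.128.0.x and 10.128.32.x addresses (inside the 10.128.0.0/24 and 10.128.32.0/24 DMZ subnets the README table lists), while the stage e `dmz-default-ew1.yaml` subnet file, also in this commit, carries `ip_cidr_range: 10.64.128.0/24`. If the subnet file is the authoritative value, the Cloud Router addresses fall outside the DMZ subnet and this rule would not match the BGP sessions, leaving them to the `dmz-ingress-default-deny` rule; worth confirming which of the two sources is stale before relying on the allow list. The `ingress:` map begins before the hunk.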
@@ -4,7 +4,7 @@
 # You can retain `---` (start of the document) to indicate an empty document.
 ingress:
- allow-hc-nva-ssh-trusted:
+ allow-hc-nva-ssh-landing:
 description: "Allow traffic from Google healthchecks to NVA appliances"
 source_ranges:
 - healthchecks
@@ -12,7 +12,7 @@ ingress:
 - protocol: tcp
 ports:
 - 22
- allow-onprem-probes-trusted-example:
+ allow-onprem-probes-landing-example:
 description: "Allow traffic from onprem probes"
 source_ranges:
 - onprem_probes
@@ -23,10 +23,10 @@ ingress:
 # This is not really needed, but it's good to have it
 # in place if the more generic hierarchical firewall policies
 # get deleted
- allow-ncc-nva-bgp-trusted:
+ allow-ncc-nva-bgp-landing:
 description: "Allow BGP traffic from NCC Cloud Routers to NVAs"
 source_ranges:
- - ncc_cloud_routers_trusted
+ - ncc_cloud_routers_landing
 targets: ["nva"]
 rules:
 - protocol: tcp
diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-dataplatform-ew1.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-dataplatform-ew1.yaml
index b037772d..9b1cfb46 100644
--- a/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-dataplatform-ew1.yaml
+++ b/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-dataplatform-ew1.yaml
@@ -1,5 +1,6 @@
 # skip boilerplate check
+name: dev-dataplatform
 region: europe-west1
 description: Default subnet for dev Data Platform
 ip_cidr_range: 10.68.2.0/24
diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-default-ew1.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-default-ew1.yaml
index 0048f212..735b4c76 100644
--- a/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-default-ew1.yaml
+++ b/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-default-ew1.yaml
@@ -1,5 +1,6 @@
 # skip boilerplate check
+name: dev-default
 region: europe-west1
 ip_cidr_range: 10.68.0.0/24
 description: Default europe-west1 subnet for dev
diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-default-ew4.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-default-ew4.yaml
index 47f41b96..4766f837 100644
--- a/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-default-ew4.yaml
+++ b/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-default-ew4.yaml
@@ -1,5 +1,6 @@
 # skip boilerplate check
+name: dev-default
 region: europe-west4
 ip_cidr_range: 10.84.0.0/24
 description: Default europe-west4 subnet for dev
diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-gke-nodes-ew1.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-gke-nodes-ew1.yaml
index 087056b9..d0c5155e 100644
--- a/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-gke-nodes-ew1.yaml
+++ b/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-gke-nodes-ew1.yaml
@@ -1,5 +1,6 @@
 # skip boilerplate check
+name: dev-gke-nodes
 region: europe-west1
 description: Default subnet for prod gke nodes
 ip_cidr_range: 10.68.1.0/24
diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/landing-untrusted/landing-untrusted-default-ew1.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/dmz/dmz-default-ew1.yaml
similarity index 53%
rename from fast/stages/2-networking-e-nva-bgp/data/subnets/landing-untrusted/landing-untrusted-default-ew1.yaml
rename to fast/stages/2-networking-e-nva-bgp/data/subnets/dmz/dmz-default-ew1.yaml
index 7927eb3d..5436b135 100644
--- a/fast/stages/2-networking-e-nva-bgp/data/subnets/landing-untrusted/landing-untrusted-default-ew1.yaml
+++ b/fast/stages/2-networking-e-nva-bgp/data/subnets/dmz/dmz-default-ew1.yaml
@@ -1,5 +1,6 @@
 # skip boilerplate check
+name: dmz-default
 region: europe-west1
 ip_cidr_range: 10.64.128.0/24
-description: Default europe-west1 subnet for landing untrusted
+description: Default europe-west1 subnet for DMZ
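Review bot: The new `name: dev-gke-nodes` line in dev-gke-nodes-ew1.yaml sits directly above `description: Default subnet for prod gke nodes`, so the subnet description pushed to the API now contradicts both its name and its `dev/` folder. The description predates this change, but since the file is touched here I would correct it to `description: Default subnet for dev gke nodes`. Note also that the non-regional `name` values added across these files (the same `dev-default` in the ew1 and ew4 files) only stay unique because the subnet factory keys by `region/name`, which is what the new `"${…}/landing-default"` style lookups elsewhere in this commit rely on.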
diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/landing-untrusted/landing-untrusted-default-ew4.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/dmz/dmz-default-ew4.yaml
similarity index 53%
rename from fast/stages/2-networking-e-nva-bgp/data/subnets/landing-untrusted/landing-untrusted-default-ew4.yaml
rename to fast/stages/2-networking-e-nva-bgp/data/subnets/dmz/dmz-default-ew4.yaml
index 7461a860..a9fd769b 100644
--- a/fast/stages/2-networking-e-nva-bgp/data/subnets/landing-untrusted/landing-untrusted-default-ew4.yaml
+++ b/fast/stages/2-networking-e-nva-bgp/data/subnets/dmz/dmz-default-ew4.yaml
@@ -1,5 +1,6 @@
 # skip boilerplate check
+name: dmz-default
 region: europe-west4
 ip_cidr_range: 10.80.128.0/24
-description: Default europe-west4 subnet for landing untrusted
+description: Default europe-west4 subnet for DMZ
diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/landing-trusted/landing-trusted-default-ew1.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/landing/landing-default-ew1.yaml
similarity index 50%
rename from fast/stages/2-networking-e-nva-bgp/data/subnets/landing-trusted/landing-trusted-default-ew1.yaml
rename to fast/stages/2-networking-e-nva-bgp/data/subnets/landing/landing-default-ew1.yaml
index 66a234a5..7ba6b15a 100644
--- a/fast/stages/2-networking-e-nva-bgp/data/subnets/landing-trusted/landing-trusted-default-ew1.yaml
+++ b/fast/stages/2-networking-e-nva-bgp/data/subnets/landing/landing-default-ew1.yaml
@@ -1,5 +1,6 @@
 # skip boilerplate check
+name: landing-default
 region: europe-west1
 ip_cidr_range: 10.64.0.0/24
-description: Default europe-west1 subnet for landing trusted
+description: Default europe-west1 subnet for landing
diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/landing-trusted/landing-trusted-default-ew4.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/landing/landing-default-ew4.yaml
similarity index 50%
rename from fast/stages/2-networking-e-nva-bgp/data/subnets/landing-trusted/landing-trusted-default-ew4.yaml
rename to fast/stages/2-networking-e-nva-bgp/data/subnets/landing/landing-default-ew4.yaml
index 4507fe44..f6bf1d67 100644
--- a/fast/stages/2-networking-e-nva-bgp/data/subnets/landing-trusted/landing-trusted-default-ew4.yaml
+++ b/fast/stages/2-networking-e-nva-bgp/data/subnets/landing/landing-default-ew4.yaml
@@ -1,5 +1,6 @@
 # skip boilerplate check
+name: landing-default
 region: europe-west4
 ip_cidr_range: 10.80.0.0/24
-description: Default europe-west4 subnet for landing trusted
+description: Default europe-west4 subnet for landing
diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/prod/prod-default-ew1.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/prod/prod-default-ew1.yaml
index 9b34bf44..86a6ae6b 100644
--- a/fast/stages/2-networking-e-nva-bgp/data/subnets/prod/prod-default-ew1.yaml
+++ b/fast/stages/2-networking-e-nva-bgp/data/subnets/prod/prod-default-ew1.yaml
@@ -1,5 +1,6 @@
 # skip boilerplate check
+name: prod-default
 region: europe-west1
 ip_cidr_range: 10.72.0.0/24
 description: Default europe-west1 subnet for prod
diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/prod/prod-default-ew4.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/prod/prod-default-ew4.yaml
index a27e53b6..6084bc07 100644
--- a/fast/stages/2-networking-e-nva-bgp/data/subnets/prod/prod-default-ew4.yaml
+++ b/fast/stages/2-networking-e-nva-bgp/data/subnets/prod/prod-default-ew4.yaml
@@ -1,5 +1,6 @@
 # skip boilerplate check
+name: prod-default
 region: europe-west4
 ip_cidr_range: 10.88.0.0/24
 description: Default europe-west4 subnet for prod
diff --git a/fast/stages/2-networking-e-nva-bgp/dns-dev.tf b/fast/stages/2-networking-e-nva-bgp/dns-dev.tf
index fb43d68e..8b1954d6 100644
--- a/fast/stages/2-networking-e-nva-bgp/dns-dev.tf
+++ b/fast/stages/2-networking-e-nva-bgp/dns-dev.tf
@@ -25,7 +25,7 @@ module "dev-dns-private-zone" {
 zone_config = {
 domain = "dev.gcp.example.com."
 private = {
- client_networks = [module.landing-trusted-vpc.self_link, module.landing-untrusted-vpc.self_link]
+ client_networks = [module.landing-vpc.self_link, module.dmz-vpc.self_link]
 }
 }
 recordsets = {
@@ -48,7 +48,7 @@ module "dev-dns-peer-landing-root" {
 domain = "."
 peering = {
 client_networks = [module.dev-spoke-vpc.self_link]
- peer_network = module.landing-trusted-vpc.self_link
+ peer_network = module.landing-vpc.self_link
 }
 }
 }
@@ -66,7 +66,7 @@ module "dev-dns-peer-landing-rev-10" {
 domain = "10.in-addr.arpa."
 peering = {
 client_networks = [module.dev-spoke-vpc.self_link]
- peer_network = module.landing-trusted-vpc.self_link
+ peer_network = module.landing-vpc.self_link
 }
 }
 }
diff --git a/fast/stages/2-networking-e-nva-bgp/dns-landing.tf b/fast/stages/2-networking-e-nva-bgp/dns-landing.tf
index 4b252dbd..27028049 100644
--- a/fast/stages/2-networking-e-nva-bgp/dns-landing.tf
+++ b/fast/stages/2-networking-e-nva-bgp/dns-landing.tf
@@ -32,8 +32,8 @@ module "landing-dns-fwd-onprem-example" {
 domain = "onprem.example.com."
 forwarding = {
 client_networks = [
- module.landing-untrusted-vpc.self_link,
- module.landing-trusted-vpc.self_link
+ module.dmz-vpc.self_link,
+ module.landing-vpc.self_link
 ]
 forwarders = { for ip in var.dns.resolvers : ip => null }
 }
@@ -54,8 +54,8 @@ module "landing-dns-fwd-onprem-rev-10" {
 domain = "10.in-addr.arpa."
 forwarding = {
 client_networks = [
- module.landing-untrusted-vpc.self_link,
- module.landing-trusted-vpc.self_link
+ module.dmz-vpc.self_link,
+ module.landing-vpc.self_link
 ]
 forwarders = { for ip in var.dns.resolvers : ip => null }
 }
@@ -75,8 +75,8 @@ module "landing-dns-priv-gcp" {
 domain = "gcp.example.com."
 private = {
 client_networks = [
- module.landing-untrusted-vpc.self_link,
- module.landing-trusted-vpc.self_link
+ module.dmz-vpc.self_link,
+ module.landing-vpc.self_link
 ]
 }
 }
@@ -95,7 +95,7 @@ module "landing-dns-policy-googleapis" {
 rules = var.factories_config.dns_policy_rules_file
 }
 networks = {
- landing-trusted = module.landing-trusted-vpc.self_link
- landing-untrusted = module.landing-untrusted-vpc.self_link
+ landing = module.landing-vpc.self_link
+ dmz = module.dmz-vpc.self_link
 }
 }
diff --git a/fast/stages/2-networking-e-nva-bgp/dns-prod.tf b/fast/stages/2-networking-e-nva-bgp/dns-prod.tf
index dc162e55..ae1a7607 100644
--- a/fast/stages/2-networking-e-nva-bgp/dns-prod.tf
+++ b/fast/stages/2-networking-e-nva-bgp/dns-prod.tf
@@ -25,7 +25,7 @@ module "prod-dns-private-zone" {
 zone_config = {
 domain = "prod.gcp.example.com."
 private = {
- client_networks = [module.landing-trusted-vpc.self_link, module.landing-untrusted-vpc.self_link]
+ client_networks = [module.landing-vpc.self_link, module.dmz-vpc.self_link]
 }
 }
 recordsets = {
@@ -48,7 +48,7 @@ module "prod-dns-peer-landing-root" {
 domain = "."
 peering = {
 client_networks = [module.prod-spoke-vpc.self_link]
- peer_network = module.landing-trusted-vpc.self_link
+ peer_network = module.landing-vpc.self_link
 }
 }
 }
@@ -66,7 +66,7 @@ module "prod-dns-peer-landing-rev-10" {
 domain = "10.in-addr.arpa."
 peering = {
 client_networks = [module.prod-spoke-vpc.self_link]
- peer_network = module.landing-trusted-vpc.self_link
+ peer_network = module.landing-vpc.self_link
 }
 }
 }
diff --git a/fast/stages/2-networking-e-nva-bgp/main.tf b/fast/stages/2-networking-e-nva-bgp/main.tf
index ee2d58d6..dc58000c 100644
--- a/fast/stages/2-networking-e-nva-bgp/main.tf
+++ b/fast/stages/2-networking-e-nva-bgp/main.tf
@@ -22,8 +22,8 @@ locals {
 regions = distinct(concat(
 values(var.regions),
 values(module.dev-spoke-vpc.subnet_regions),
- values(module.landing-trusted-vpc.subnet_regions),
- values(module.landing-untrusted-vpc.subnet_regions),
+ values(module.landing-vpc.subnet_regions),
+ values(module.dmz-vpc.subnet_regions),
 values(module.prod-spoke-vpc.subnet_regions),
 ))
 service_accounts = {
diff --git a/fast/stages/2-networking-e-nva-bgp/ncc.tf b/fast/stages/2-networking-e-nva-bgp/ncc.tf
index 97fb5f37..0d1f1f51 100644
--- a/fast/stages/2-networking-e-nva-bgp/ncc.tf
+++ b/fast/stages/2-networking-e-nva-bgp/ncc.tf
@@ -14,28 +14,28 @@
 * limitations under the License.
 */
-resource "google_network_connectivity_hub" "hub_trusted" {
- name = "prod-hub-trusted"
- description = "Prod hub trusted"
+resource "google_network_connectivity_hub" "hub_landing" {
+ name = "prod-hub-landing"
+ description = "Prod hub landing (trusted)"
 project = module.landing-project.project_id
 }
-resource "google_network_connectivity_hub" "hub_untrusted" {
- name = "prod-hub-untrusted"
- description = "Prod hub untrusted"
+resource "google_network_connectivity_hub" "hub_dmz" {
+ name = "prod-hub-dmz"
+ description = "Prod hub DMZ (untrusted)"
 project = module.landing-project.project_id
 }
-module "spokes-trusted" {
+module "spokes-landing" {
 for_each = var.regions
 source = "../../../modules/ncc-spoke-ra"
- name = "prod-spoke-trusted-${local.region_shortnames[each.value]}"
+ name = "prod-spoke-landing-${local.region_shortnames[each.value]}"
 project_id = module.landing-project.project_id
 region = each.value
 hub = {
 create = false,
- id = google_network_connectivity_hub.hub_trusted.id
+ id = google_network_connectivity_hub.hub_landing.id
 }
 router_appliances = [
@@ -47,9 +47,13 @@ module "spokes-trusted" {
 ]
 router_config = {
- asn = var.ncc_asn.trusted
- ip_interface0 = cidrhost(module.landing-trusted-vpc.subnet_ips["${each.value}/landing-trusted-default-${local.region_shortnames[each.value]}"], 201)
- ip_interface1 = cidrhost(module.landing-trusted-vpc.subnet_ips["${each.value}/landing-trusted-default-${local.region_shortnames[each.value]}"], 202)
+ asn = var.ncc_asn.landing
+ ip_interface0 = cidrhost(
+ module.landing-vpc.subnet_ips["${each.value}/landing-default"], 201
+ )
+ ip_interface1 = cidrhost(
+ module.landing-vpc.subnet_ips["${each.value}/landing-default"], 202
+ )
 peer_asn = (
 each.key == "primary"
 ? var.ncc_asn.nva_primary
@@ -60,32 +64,32 @@ module "spokes-trusted" {
 custom_advertise = {
 all_subnets = false
 ip_ranges = {
- "${var.gcp_ranges.gcp_landing_trusted_primary}" = "GCP landing trusted primary."
- "${var.gcp_ranges.gcp_landing_trusted_secondary}" = "GCP landing trusted secondary."
- "${var.gcp_ranges.gcp_dev_primary}" = "GCP dev primary.",
- "${var.gcp_ranges.gcp_dev_secondary}" = "GCP dev secondary.",
- "${var.gcp_ranges.gcp_prod_primary}" = "GCP prod primary.",
- "${var.gcp_ranges.gcp_prod_secondary}" = "GCP prod secondary.",
+ "${var.gcp_ranges.gcp_landing_primary}" = "GCP landing primary."
+ "${var.gcp_ranges.gcp_landing_secondary}" = "GCP landing secondary."
+ "${var.gcp_ranges.gcp_dev_primary}" = "GCP dev primary.",
+ "${var.gcp_ranges.gcp_dev_secondary}" = "GCP dev secondary.",
+ "${var.gcp_ranges.gcp_prod_primary}" = "GCP prod primary.",
+ "${var.gcp_ranges.gcp_prod_secondary}" = "GCP prod secondary.",
 }
 }
 }
 vpc_config = {
- network_name = module.landing-trusted-vpc.self_link
- subnet_self_link = module.landing-trusted-vpc.subnet_self_links["${each.value}/landing-trusted-default-${local.region_shortnames[each.value]}"]
+ network_name = module.landing-vpc.self_link
+ subnet_self_link = module.landing-vpc.subnet_self_links["${each.value}/landing-default"]
 }
 }
-module "spokes-untrusted" {
+module "spokes-dmz" {
 for_each = var.regions
 source = "../../../modules/ncc-spoke-ra"
- name = "prod-spoke-untrusted-${local.region_shortnames[each.value]}"
+ name = "prod-spoke-dmz-${local.region_shortnames[each.value]}"
 project_id = module.landing-project.project_id
 region = each.value
 hub = {
 create = false,
- id = google_network_connectivity_hub.hub_untrusted.id
+ id = google_network_connectivity_hub.hub_dmz.id
 }
 router_appliances = [
@@ -97,9 +101,13 @@ module "spokes-untrusted" {
 ]
 router_config = {
- asn = var.ncc_asn.untrusted
- ip_interface0 = cidrhost(module.landing-untrusted-vpc.subnet_ips["${each.value}/landing-untrusted-default-${local.region_shortnames[each.value]}"], 201)
- ip_interface1 = cidrhost(module.landing-untrusted-vpc.subnet_ips["${each.value}/landing-untrusted-default-${local.region_shortnames[each.value]}"], 202)
+ asn = var.ncc_asn.dmz
+ ip_interface0 = cidrhost(
+ module.dmz-vpc.subnet_ips["${each.value}/dmz-default"], 201
+ )
+ ip_interface1 = cidrhost(
+ module.dmz-vpc.subnet_ips["${each.value}/dmz-default"], 202
+ )
 peer_asn = (
 each.key == "primary"
 ? var.ncc_asn.nva_primary
@@ -114,7 +122,7 @@ module "spokes-untrusted" {
 }
 vpc_config = {
- network_name = module.landing-untrusted-vpc.self_link
- subnet_self_link = module.landing-untrusted-vpc.subnet_self_links["${each.value}/landing-untrusted-default-${local.region_shortnames[each.value]}"]
+ network_name = module.dmz-vpc.self_link
+ subnet_self_link = module.dmz-vpc.subnet_self_links["${each.value}/dmz-default"]
 }
 }
diff --git a/fast/stages/2-networking-e-nva-bgp/net-dev.tf b/fast/stages/2-networking-e-nva-bgp/net-dev.tf
index 0387c749..3b3c3efe 100644
--- a/fast/stages/2-networking-e-nva-bgp/net-dev.tf
+++ b/fast/stages/2-networking-e-nva-bgp/net-dev.tf
@@ -101,5 +101,5 @@ module "peering-dev" {
 source = "../../../modules/net-vpc-peering"
 prefix = "dev-peering-0"
 local_network = module.dev-spoke-vpc.self_link
- peer_network = module.landing-trusted-vpc.self_link
+ peer_network = module.landing-vpc.self_link
 }
diff --git a/fast/stages/2-networking-e-nva-bgp/net-landing.tf b/fast/stages/2-networking-e-nva-bgp/net-landing.tf
index 8225d30e..900bd274 100644
--- a/fast/stages/2-networking-e-nva-bgp/net-landing.tf
+++ b/fast/stages/2-networking-e-nva-bgp/net-landing.tf
@@ -43,12 +43,12 @@ module "landing-project" {
 }
 }
-# Untrusted VPC
+# DMZ (untrusted) VPC
-module "landing-untrusted-vpc" {
+module "dmz-vpc" {
 source = "../../../modules/net-vpc"
 project_id = module.landing-project.project_id
- name = "prod-untrusted-landing-0"
+ name = "prod-dmz-0"
 mtu = 1500
 dns_policy = {
 inbound = true
@@ -56,30 +56,25 @@ module "landing-untrusted-vpc" {
 }
 create_googleapis_routes = null
 factories_config = {
- subnets_folder = "${var.factories_config.data_dir}/subnets/landing-untrusted"
+ subnets_folder = "${var.factories_config.data_dir}/subnets/dmz"
 }
 }
-module "landing-untrusted-firewall" {
+module "dmz-firewall" {
 source = "../../../modules/net-vpc-firewall"
 project_id = module.landing-project.project_id
- network = module.landing-untrusted-vpc.name
+ network = module.dmz-vpc.name
 default_rules_config = { disabled = true }
 factories_config = {
 cidr_tpl_file = "${var.factories_config.data_dir}/cidrs.yaml"
- rules_folder = "${var.factories_config.data_dir}/firewall-rules/landing-untrusted"
+ rules_folder = "${var.factories_config.data_dir}/firewall-rules/dmz"
 }
 }
 # NAT
-moved {
- from = module.landing-nat-ew1
- to = module.landing-nat-primary
-}
-
 module "landing-nat-primary" {
 source = "../../../modules/net-cloudnat"
 count = var.enable_cloud_nat ? 1 : 0
@@ -88,12 +83,7 @@ module "landing-nat-primary" {
 name = local.region_shortnames[var.regions.primary]
 router_create = true
 router_name = "prod-nat-${local.region_shortnames[var.regions.primary]}"
- router_network = module.landing-untrusted-vpc.name
-}
-
-moved {
- from = module.landing-nat-ew4
- to = module.landing-nat-secondary
+ router_network = module.dmz-vpc.name
 }
 module "landing-nat-secondary" {
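Review bot: The module addresses change here (`landing-untrusted-vpc` → `dmz-vpc`, `landing-untrusted-firewall` → `dmz-firewall`, and the trusted pair in the next hunk) without any `moved` blocks, and the VPC `name` changes as well (`prod-untrusted-landing-0` → `prod-dmz-0`, `prod-trusted-landing-0` → `prod-landing-0`), so on an existing deployment Terraform will plan destroy-and-create of both hub VPCs and everything anchored to them (subnets, firewall rules, NAT routers, NCC spokes, NVA static addresses). A `moved` block alone cannot prevent that because `name` forces replacement of the network, so this is a migration hazard for running environments rather than a pure refactor. The README diff in this commit is outside this chunk; I would expect it to say explicitly that applying the new stage to an existing one recreates the landing/DMZ networks, or else keep the old `name` values and only rename the addresses with `moved { from = module.landing-untrusted-vpc to = module.dmz-vpc }` (and the firewall/landing equivalents). Dropping the two NAT `moved` blocks further down is safe only if no live state still holds `module.landing-nat-ew1` / `module.landing-nat-ew4`.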
@@ -104,19 +94,19 @@ module "landing-nat-secondary" {
 name = local.region_shortnames[var.regions.secondary]
 router_create = true
 router_name = "prod-nat-${local.region_shortnames[var.regions.secondary]}"
- router_network = module.landing-untrusted-vpc.name
+ router_network = module.dmz-vpc.name
 }
-# Trusted VPC
+# landing (trusted) VPC
-module "landing-trusted-vpc" {
+module "landing-vpc" {
 source = "../../../modules/net-vpc"
 project_id = module.landing-project.project_id
- name = "prod-trusted-landing-0"
+ name = "prod-landing-0"
 delete_default_routes_on_create = true
 mtu = 1500
 factories_config = {
- subnets_folder = "${var.factories_config.data_dir}/subnets/landing-trusted"
+ subnets_folder = "${var.factories_config.data_dir}/subnets/landing"
 }
 dns_policy = {
 inbound = true
@@ -128,15 +118,15 @@ module "landing-trusted-vpc" {
 }
 }
-module "landing-trusted-firewall" {
+module "landing-firewall" {
 source = "../../../modules/net-vpc-firewall"
 project_id = module.landing-project.project_id
- network = module.landing-trusted-vpc.name
+ network = module.landing-vpc.name
 default_rules_config = { disabled = true }
 factories_config = {
 cidr_tpl_file = "${var.factories_config.data_dir}/cidrs.yaml"
- rules_folder = "${var.factories_config.data_dir}/firewall-rules/landing-trusted"
+ rules_folder = "${var.factories_config.data_dir}/firewall-rules/landing"
 }
 }
diff --git a/fast/stages/2-networking-e-nva-bgp/net-prod.tf b/fast/stages/2-networking-e-nva-bgp/net-prod.tf
index 3a1a9a37..7e9d7e34 100644
--- a/fast/stages/2-networking-e-nva-bgp/net-prod.tf
+++ b/fast/stages/2-networking-e-nva-bgp/net-prod.tf
@@ -99,5 +99,5 @@ module "peering-prod" {
 source = "../../../modules/net-vpc-peering"
 prefix = "prod-peering-0"
 local_network = module.prod-spoke-vpc.self_link
- peer_network = module.landing-trusted-vpc.self_link
+ peer_network = module.landing-vpc.self_link
 }
diff --git a/fast/stages/2-networking-e-nva-bgp/nva.tf b/fast/stages/2-networking-e-nva-bgp/nva.tf
index 66ede6fd..5b3f8ad6 100644
--- a/fast/stages/2-networking-e-nva-bgp/nva.tf
+++ b/fast/stages/2-networking-e-nva-bgp/nva.tf
@@ -18,7 +18,7 @@ locals {
 _nva_zones = ["b", "c"]
 # The configurations used to create the NVA VMs.
- #
+ #
 # Rendered as following:
 # nva_configs = {
 # primary-b = {...}
@@ -43,33 +43,51 @@ locals {
 ? var.ncc_asn.nva_secondary
 : var.ncc_asn.nva_primary
 )
- asn_trusted = var.ncc_asn.trusted
- asn_untrusted = var.ncc_asn.untrusted
+ asn_landing = var.ncc_asn.landing
+ asn_dmz = var.ncc_asn.dmz
 # To guarantee traffic to remain symmetric,
 # NVAs need to advertise cross-region routes with a higher cost (10100)
- cost_primary = v.0 == "primary" ? "100" : "10100"
- cost_secondary = v.0 == "primary" ? "10100" : "100"
- gcp_dev_primary = var.gcp_ranges.gcp_dev_primary
- gcp_dev_secondary = var.gcp_ranges.gcp_dev_secondary
- gcp_landing_trusted_primary = var.gcp_ranges.gcp_landing_trusted_primary
- gcp_landing_trusted_secondary = var.gcp_ranges.gcp_landing_trusted_secondary
- gcp_landing_untrusted_primary = var.gcp_ranges.gcp_landing_untrusted_primary
- gcp_landing_untrusted_secondary = var.gcp_ranges.gcp_landing_untrusted_secondary
- gcp_prod_primary = var.gcp_ranges.gcp_prod_primary
- gcp_prod_secondary = var.gcp_ranges.gcp_prod_secondary
- # The IPs of cross-region NVA VMs in the untrusted VPC (x.y.w.z)
- ip_neighbor_cross_region_nva_0 = cidrhost(module.landing-untrusted-vpc.subnet_ips["${local._regions_cross[v.0]}/landing-untrusted-default-${local.region_shortnames[local._regions_cross[v.0]]}"], 101)
- ip_neighbor_cross_region_nva_1 = cidrhost(module.landing-untrusted-vpc.subnet_ips["${local._regions_cross[v.0]}/landing-untrusted-default-${local.region_shortnames[local._regions_cross[v.0]]}"], 102)
- # The Cloud router IPs (x.y.w.z) in the untrusted
- # and in the trusted VPCs, where the NVA connects to
- ip_neighbor_trusted_0 = cidrhost(module.landing-trusted-vpc.subnet_ips["${var.regions[v.0]}/landing-trusted-default-${local.region_shortnames[var.regions[v.0]]}"], 201)
- ip_neighbor_trusted_1 = cidrhost(module.landing-trusted-vpc.subnet_ips["${var.regions[v.0]}/landing-trusted-default-${local.region_shortnames[var.regions[v.0]]}"], 202)
- ip_neighbor_untrusted_0 = cidrhost(module.landing-untrusted-vpc.subnet_ips["${var.regions[v.0]}/landing-untrusted-default-${local.region_shortnames[var.regions[v.0]]}"], 201)
- ip_neighbor_untrusted_1 = cidrhost(module.landing-untrusted-vpc.subnet_ips["${var.regions[v.0]}/landing-untrusted-default-${local.region_shortnames[var.regions[v.0]]}"], 202)
+ cost_primary = v.0 == "primary" ? "100" : "10100"
+ cost_secondary = v.0 == "primary" ? "10100" : "100"
+ gcp_dev_primary = var.gcp_ranges.gcp_dev_primary
+ gcp_dev_secondary = var.gcp_ranges.gcp_dev_secondary
+ gcp_landing_landing_primary = var.gcp_ranges.gcp_landing_primary
+ gcp_landing_landing_secondary = var.gcp_ranges.gcp_landing_secondary
+ gcp_landing_dmz_primary = var.gcp_ranges.gcp_dmz_primary
+ gcp_landing_dmz_secondary = var.gcp_ranges.gcp_dmz_secondary
+ gcp_prod_primary = var.gcp_ranges.gcp_prod_primary
+ gcp_prod_secondary = var.gcp_ranges.gcp_prod_secondary
+ # The IPs of cross-region NVA VMs in the DMZ VPC (x.y.w.z)
+ ip_neighbor_cross_region_nva_0 = cidrhost(
+ module.dmz-vpc.subnet_ips["${local._regions_cross[v.0]}/dmz-default"], 101
+ )
+ ip_neighbor_cross_region_nva_1 = cidrhost(
+ module.dmz-vpc.subnet_ips["${local._regions_cross[v.0]}/dmz-default"], 102
+ )
+ # The Cloud router IPs (x.y.w.z) in the DMZ
+ # and in the landing VPCs, where the NVA connects to
+ ip_neighbor_landing_0 = cidrhost(
+ module.landing-vpc.subnet_ips["${var.regions[v.0]}/landing-default"], 201
+ )
+ ip_neighbor_landing_1 = cidrhost(
+ module.landing-vpc.subnet_ips["${var.regions[v.0]}/landing-default"], 202
+ )
+ ip_neighbor_dmz_0 = cidrhost(
+ module.dmz-vpc.subnet_ips["${var.regions[v.0]}/dmz-default"], 201
+ )
+ ip_neighbor_dmz_1 = cidrhost(
+ module.dmz-vpc.subnet_ips["${var.regions[v.0]}/dmz-default"], 202
+ )
 # The IPs to assign to the NVA NICs
- # in the trusted and in the untrusted VPCs.
- ip_trusted = cidrhost(module.landing-trusted-vpc.subnet_ips["${var.regions[v.0]}/landing-trusted-default-${local.region_shortnames[var.regions[v.0]]}"], 101 + index(var.zones, v.1))
- ip_untrusted = cidrhost(module.landing-untrusted-vpc.subnet_ips["${var.regions[v.0]}/landing-untrusted-default-${local.region_shortnames[var.regions[v.0]]}"], 101 + index(var.zones, v.1))
+ # in the landing and in the DMZ VPCs.
+ ip_landing = cidrhost(
+ module.landing-vpc.subnet_ips["${var.regions[v.0]}/landing-default"],
+ 101 + index(var.zones, v.1)
+ )
+ ip_dmz = cidrhost(
+ module.dmz-vpc.subnet_ips["${var.regions[v.0]}/dmz-default"],
+ 101 + index(var.zones, v.1)
+ )
 # Either primary or secondary
 name = v.0
 # The name of the region where the NVA lives.
@@ -89,17 +107,17 @@ locals {
 routing_config = [
 {
 enable_masquerading = true
- name = "untrusted"
+ name = "dmz"
 routes = [
- var.gcp_ranges.gcp_landing_untrusted_primary,
- var.gcp_ranges.gcp_landing_untrusted_secondary
+ var.gcp_ranges.gcp_dmz_primary,
+ var.gcp_ranges.gcp_dmz_secondary
 ]
 },
 {
- name = "trusted"
+ name = "landing"
 routes = [
- var.gcp_ranges.gcp_landing_trusted_primary,
- var.gcp_ranges.gcp_landing_trusted_secondary
+ var.gcp_ranges.gcp_landing_primary,
+ var.gcp_ranges.gcp_landing_secondary
 ]
 }
 ]
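Review bot: The renamed `nva_configs` keys `gcp_landing_landing_primary` / `gcp_landing_landing_secondary` and `gcp_landing_dmz_primary` / `gcp_landing_dmz_secondary` look like a mechanical `trusted → landing` substitution that left the old `gcp_landing_` prefix in place; `gcp_landing_primary` and `gcp_dmz_primary` (with their `_secondary` twins) would mirror the `var.gcp_ranges` keys they copy and the `ip_neighbor_landing_*` / `ip_neighbor_dmz_*` names right beside them. None of these keys is referenced in the visible hunks (the `routing_config` block below reads `var.gcp_ranges` directly), so they are presumably consumed by the cloud-config template rendered for `nva-bgp-cloud-config`; whichever names are kept, that template has to be updated to match, otherwise `plan` fails on the missing attribute or, if the template uses `try`/`lookup`, the BGP configuration silently drops those prefixes. The enclosing `locals` block starts and ends outside this hunk.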
@@ -116,23 +134,25 @@ module "nva-bgp-cloud-config" {
 }
 }
-resource "google_compute_address" "nva_static_ip_trusted" {
+# TODO: use address module
+
+resource "google_compute_address" "nva_static_ip_landing" {
 for_each = local.nva_configs
- name = "nva-ip-trusted-${each.value.shortname}-${each.value.zone}"
+ name = "nva-ip-landing-${each.value.shortname}-${each.value.zone}"
 project = module.landing-project.project_id
- subnetwork = module.landing-trusted-vpc.subnet_self_links["${each.value.region}/landing-trusted-default-${each.value.shortname}"]
+ subnetwork = module.landing-vpc.subnet_self_links["${each.value.region}/landing-default"]
 address_type = "INTERNAL"
- address = each.value.ip_trusted
+ address = each.value.ip_landing
 region = each.value.region
 }
-resource "google_compute_address" "nva_static_ip_untrusted" {
+resource "google_compute_address" "nva_static_ip_dmz" {
 for_each = local.nva_configs
- name = "nva-ip-untrusted-${each.value.shortname}-${each.value.zone}"
+ name = "nva-ip-dmz-${each.value.shortname}-${each.value.zone}"
 project = module.landing-project.project_id
- subnetwork = module.landing-untrusted-vpc.subnet_self_links["${each.value.region}/landing-untrusted-default-${each.value.shortname}"]
+ subnetwork = module.dmz-vpc.subnet_self_links["${each.value.region}/dmz-default"]
 address_type = "INTERNAL"
- address = each.value.ip_untrusted
+ address = each.value.ip_dmz
 region = each.value.region
 }
@@ -148,19 +168,19 @@ module "nva" {
 network_interfaces = [
 {
- network = module.landing-untrusted-vpc.self_link
- subnetwork = module.landing-untrusted-vpc.subnet_self_links["${each.value.region}/landing-untrusted-default-${each.value.shortname}"]
+ network = module.dmz-vpc.self_link
+ subnetwork = module.dmz-vpc.subnet_self_links["${each.value.region}/dmz-default"]
 nat = false
 addresses = {
- internal = google_compute_address.nva_static_ip_untrusted[each.key].address
+ internal = google_compute_address.nva_static_ip_dmz[each.key].address
 }
 },
 {
- network = module.landing-trusted-vpc.self_link
- subnetwork = module.landing-trusted-vpc.subnet_self_links["${each.value.region}/landing-trusted-default-${each.value.shortname}"]
+ network = module.landing-vpc.self_link
+ subnetwork = module.landing-vpc.subnet_self_links["${each.value.region}/landing-default"]
 nat = false
 addresses = {
- internal = google_compute_address.nva_static_ip_trusted[each.key].address
+ internal = google_compute_address.nva_static_ip_landing[each.key].address
 }
 }
 ]
diff --git a/fast/stages/2-networking-e-nva-bgp/outputs.tf b/fast/stages/2-networking-e-nva-bgp/outputs.tf
index eb53a63f..96e16968 100644
--- a/fast/stages/2-networking-e-nva-bgp/outputs.tf
+++ b/fast/stages/2-networking-e-nva-bgp/outputs.tf
@@ -31,10 +31,10 @@ locals {
 vpc_self_links = local.vpc_self_links
 }
 vpc_self_links = {
- prod-landing-trusted = module.landing-trusted-vpc.self_link
- prod-landing-untrusted = module.landing-untrusted-vpc.self_link
- dev-spoke-0 = module.dev-spoke-vpc.self_link
- prod-spoke-0 = module.prod-spoke-vpc.self_link
+ prod-landing = module.landing-vpc.self_link
+ prod-dmz = module.dmz-vpc.self_link
+ dev-spoke-0 = module.dev-spoke-vpc.self_link
+ prod-spoke-0 = module.prod-spoke-vpc.self_link
 }
 }
diff --git a/fast/stages/2-networking-e-nva-bgp/test-resources.tf b/fast/stages/2-networking-e-nva-bgp/test-resources.tf
index b2816e4f..1e96004a 100644
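Review bot: Renaming the `vpc_self_links` keys in outputs.tf from `prod-landing-trusted` / `prod-landing-untrusted` to `prod-landing` / `prod-dmz` changes this stage's output contract, which FAST hands to the stage-3 consumers through the generated tfvars; any downstream stage or user tfvars that indexes `vpc_self_links["prod-landing-trusted"]` will start failing with an invalid map key. Those consumers are not in this chunk, so I cannot confirm they were updated in the same change. At minimum the rename deserves a line in the stage README or changelog; if a staged rollout is wanted, a transitional alias such as `prod-landing-trusted = module.landing-vpc.self_link` kept for one release avoids the hard break.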
--- a/fast/stages/2-networking-e-nva-bgp/test-resources.tf
+++ b/fast/stages/2-networking-e-nva-bgp/test-resources.tf
@@ -16,16 +16,14 @@
 # tfdoc:file:description temporary instances for testing
-# # Untrusted (Landing)
-
-# module "test-vm-landing-untrusted-primary-0" {
+# module "test-vm-dmz-primary-0" {
 # source = "../../../modules/compute-vm"
 # project_id = module.landing-project.project_id
 # zone = "${var.regions.primary}-b"
 # name = "test-vm-lnd-unt-primary-0"
 # network_interfaces = [{
-# network = module.landing-untrusted-vpc.self_link
-# subnetwork = module.landing-untrusted-vpc.subnet_self_links["${var.regions.primary}/landing-untrusted-default-${local.region_shortnames[var.regions.primary]}"]
+# network = module.dmz-vpc.self_link
+# subnetwork = module.dmz-vpc.subnet_self_links["${var.regions.primary}/dmz-default-${local.region_shortnames[var.regions.primary]}"]
 # }]
 # tags = ["primary", "ssh"]
 # boot_disk = {
@@ -45,14 +43,14 @@
 # }
 # }
-# module "test-vm-landing-untrusted-secondary-0" {
+# module "test-vm-dmz-secondary-0" {
 # source = "../../../modules/compute-vm"
 # project_id = module.landing-project.project_id
 # zone = "${var.regions.secondary}-a"
 # name = "test-vm-lnd-unt-secondary-0"
 # network_interfaces = [{
-# network = module.landing-untrusted-vpc.self_link
-# subnetwork = module.landing-untrusted-vpc.subnet_self_links["${var.regions.secondary}/landing-untrusted-default-${local.region_shortnames[var.regions.secondary]}"]
+# network = module.dmz-vpc.self_link
+# subnetwork = module.dmz-vpc.subnet_self_links["${var.regions.secondary}/dmz-default-${local.region_shortnames[var.regions.secondary]}"]
 # }]
 # tags = ["secondary", "ssh"]
 # boot_disk = {
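Review bot: The two DMZ test VMs still index the subnet map with a regional suffix, `module.dmz-vpc.subnet_self_links["${var.regions.primary}/dmz-default-${local.region_shortnames[var.regions.primary]}"]` in the first hunk and the `secondary` twin in the second, while the subnet is now named plainly `dmz-default` and every live caller in this commit (nva.tf, ncc.tf) as well as the landing/dev/prod examples further down this same file use the `"${…}/dmz-default"` form. Nothing breaks today because the whole module is commented out, but anyone uncommenting it to debug NVA traffic gets an invalid map key; change both lines to `# subnetwork = module.dmz-vpc.subnet_self_links["${var.regions.primary}/dmz-default"]` and the secondary equivalent. The VM `name` values (`test-vm-lnd-unt-*`) also keep the old "untrusted" abbreviation, which is harmless but worth aligning while the file is being renamed.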
@@ -72,16 +70,16 @@
 # }
 # }
-# # Trusted (hub)
+# # Landing (hub)
-# module "test-vm-landing-trusted-primary-0" {
+# module "test-vm-landing-primary-0" {
 # source = "../../../modules/compute-vm"
 # project_id = module.landing-project.project_id
 # zone = "${var.regions.primary}-b"
 # name = "test-vm-lnd-tru-primary-0"
 # network_interfaces = [{
-# network = module.landing-trusted-vpc.self_link
-# subnetwork = module.landing-trusted-vpc.subnet_self_links["${var.regions.primary}/landing-trusted-default-${local.region_shortnames[var.regions.primary]}"]
+# network = module.landing-vpc.self_link
+# subnetwork = module.landing-vpc.subnet_self_links["${var.regions.primary}/landing-default"]
 # }]
 # tags = ["primary", "ssh"]
 # boot_disk = {
@@ -101,14 +99,14 @@
 # }
 # }
-# module "test-vm-landing-trusted-secondary-0" {
+# module "test-vm-landing-secondary-0" {
 # source = "../../../modules/compute-vm"
 # project_id = module.landing-project.project_id
 # zone = "${var.regions.secondary}-a"
 # name = "test-vm-lnd-tru-secondary-0"
 # network_interfaces = [{
-# network = module.landing-trusted-vpc.self_link
-# subnetwork = module.landing-trusted-vpc.subnet_self_links["${var.regions.secondary}/landing-trusted-default-${local.region_shortnames[var.regions.secondary]}"]
+# network = module.landing-vpc.self_link
+# subnetwork = module.landing-vpc.subnet_self_links["${var.regions.secondary}/landing-default"]
 # }]
 # tags = ["secondary", "ssh"]
 # boot_disk = {
@@ -138,7 +136,7 @@
 # network_interfaces = [{
 # network = module.dev-spoke-vpc.self_link
 # # change the subnet name to match the values you are actually using
-# subnetwork = module.dev-spoke-vpc.subnet_self_links["${var.regions.primary}/dev-default-${local.region_shortnames[var.regions.primary]}"]
+# subnetwork = module.dev-spoke-vpc.subnet_self_links["${var.regions.primary}/dev-default"]
 # }]
 # tags = ["primary", "ssh"]
 # boot_disk = {
@@ -166,7 +164,7 @@
 # network_interfaces = [{
 # network = module.dev-spoke-vpc.self_link
 # # change the subnet name to match the values you are actually using
-# subnetwork = module.dev-spoke-vpc.subnet_self_links["${var.regions.secondary}/dev-default-${local.region_shortnames[var.regions.secondary]}"]
+# subnetwork = module.dev-spoke-vpc.subnet_self_links["${var.regions.secondary}/dev-default"]
 # }]
 # tags = ["secondary", "ssh"]
 # boot_disk = {
@@ -196,7 +194,7 @@
 # network_interfaces = [{
 # network = module.prod-spoke-vpc.self_link
 # # change the subnet name to match the values you are actually using
-# subnetwork = module.prod-spoke-vpc.subnet_self_links["${var.regions.primary}/prod-default-${local.region_shortnames[var.regions.primary]}"]
+# subnetwork = module.prod-spoke-vpc.subnet_self_links["${var.regions.primary}/prod-default"]
 # }]
 # tags = ["primary", "ssh"]
 # boot_disk = {
@@ -224,7 +222,7 @@
 # network_interfaces = [{
 # network = module.prod-spoke-vpc.self_link
 # # change the subnet name to match the values you are actually using
-# subnetwork = module.prod-spoke-vpc.subnet_self_links["${var.regions.secondary}/prod-default-${local.region_shortnames[var.regions.secondary]}"]
+# subnetwork = module.prod-spoke-vpc.subnet_self_links["${var.regions.secondary}/prod-default"]
 # }]
 # tags = ["secondary", "ssh"]
 # boot_disk = {
diff --git a/fast/stages/2-networking-e-nva-bgp/variables.tf b/fast/stages/2-networking-e-nva-bgp/variables.tf
index 2d2af441..f92eefcd 100644
--- a/fast/stages/2-networking-e-nva-bgp/variables.tf
+++ b/fast/stages/2-networking-e-nva-bgp/variables.tf
@@ -127,14 +127,14 @@ variable "gcp_ranges" {
 description = "GCP address ranges in name => range format."
 type = map(string)
 default = {
- gcp_dev_primary = "10.68.0.0/16"
- gcp_dev_secondary = "10.84.0.0/16"
- gcp_landing_trusted_primary = "10.64.0.0/17"
- gcp_landing_trusted_secondary = "10.80.0.0/17"
- gcp_landing_untrusted_primary = "10.64.127.0/17"
- gcp_landing_untrusted_secondary = "10.80.127.0/17"
- gcp_prod_primary = "10.72.0.0/16"
- gcp_prod_secondary = "10.88.0.0/16"
+ gcp_dev_primary = "10.68.0.0/16"
+ gcp_dev_secondary = "10.84.0.0/16"
+ gcp_landing_primary = "10.64.0.0/17"
+ gcp_landing_secondary = "10.80.0.0/17"
+ gcp_dmz_primary = "10.64.127.0/17"
+ gcp_dmz_secondary = "10.80.127.0/17"
+ gcp_prod_primary = "10.72.0.0/16"
+ gcp_prod_secondary = "10.88.0.0/16"
 }
 }
 
@@ -144,8 +144,8 @@ variable "ncc_asn" {
 default = {
 nva_primary = 64513
 nva_secondary = 64514
- trusted = 64515
- untrusted = 64512
+ landing = 64515
+ dmz = 64512
 }
 }
 
diff --git a/fast/stages/2-networking-e-nva-bgp/vpn-onprem.tf b/fast/stages/2-networking-e-nva-bgp/vpn-onprem.tf
index 55127ce4..78c1985a 100644
--- a/fast/stages/2-networking-e-nva-bgp/vpn-onprem.tf
+++ b/fast/stages/2-networking-e-nva-bgp/vpn-onprem.tf
@@ -31,7 +31,7 @@ module "landing-to-onprem-primary-vpn" {
 count = var.vpn_onprem_primary_config == null ? 0 : 1
 source = "../../../modules/net-vpn-ha"
 project_id = module.landing-project.project_id
- network = module.landing-trusted-vpc.self_link
+ network = module.landing-vpc.self_link
 region = var.regions.primary
 name = "vpn-to-onprem-${local.region_shortnames[var.regions.primary]}"
 router_config = try(var.vpn_onprem_primary_config.router_config, {})
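Review bot: The renamed `gcp_dmz_primary` and `gcp_dmz_secondary` defaults keep the pre-existing values `"10.64.127.0/17"` and `"10.80.127.0/17"`, which are not valid /17 network addresses (host bits are set); masked to the /17 boundary they collapse onto `10.64.0.0/17` and `10.80.0.0/17`, which are exactly the `gcp_landing_*` ranges in the same map, while the DMZ addresses elsewhere in this patch (`nva-ip-dmz-ew1-b` at 10.64.128.101, `nva-ip-dmz-ew4-b` at 10.80.128.101) live in the upper half of those /16s. Since this commit already touches every line of the block, it should also correct the values: `gcp_dmz_primary = "10.64.128.0/17"` and `gcp_dmz_secondary = "10.80.128.0/17"`. I cannot see from this hunk where `var.gcp_ranges` is consumed, but if these entries end up in firewall source ranges, routes or BGP advertisements, a DMZ range that is effectively the landing range would either be rejected by the API or silently let the untrusted side inherit whatever the trusted landing range is granted, so the consumers should be checked after the fix.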
@@ -45,7 +45,7 @@ module "landing-to-onprem-secondary-vpn" {
 count = var.vpn_onprem_secondary_config == null ? 0 : 1
 source = "../../../modules/net-vpn-ha"
 project_id = module.landing-project.project_id
- network = module.landing-trusted-vpc.self_link
+ network = module.landing-vpc.self_link
 region = var.regions.secondary
 name = "vpn-to-onprem-${local.region_shortnames[var.regions.secondary]}"
 router_config = try(var.vpn_onprem_secondary_config.router_config, {})
diff --git a/tests/fast/stages/s2_networking_c_nva/stage.yaml b/tests/fast/stages/s2_networking_c_nva/stage.yaml
index 1d2d9e03..b4e8299d 100644
--- a/tests/fast/stages/s2_networking_c_nva/stage.yaml
+++ b/tests/fast/stages/s2_networking_c_nva/stage.yaml
@@ -13,5 +13,44 @@
 # limitations under the License.
 
 counts:
+ google_compute_external_vpn_gateway: 2
+ google_compute_firewall: 9
+ google_compute_firewall_policy: 1
+ google_compute_firewall_policy_association: 1
+ google_compute_firewall_policy_rule: 4
+ google_compute_forwarding_rule: 4
+ google_compute_ha_vpn_gateway: 2
+ google_compute_health_check: 8
+ google_compute_instance_template: 4
+ google_compute_network: 6
+ google_compute_network_peering: 4
+ google_compute_region_backend_service: 4
+ google_compute_region_instance_group_manager: 4
+ google_compute_route: 14
+ google_compute_router: 4
+ google_compute_router_interface: 4
+ google_compute_router_nat: 2
+ google_compute_router_peer: 4
+ google_compute_shared_vpc_host_project: 3
+ google_compute_subnetwork: 12
+ google_compute_vpn_tunnel: 4
+ google_dns_managed_zone: 9
+ google_dns_policy: 4
+ google_dns_record_set: 3
+ google_dns_response_policy: 1
+ google_dns_response_policy_rule: 34
+ google_essential_contacts_contact: 1
+ google_folder: 1
+ google_monitoring_alert_policy: 2
+ google_monitoring_dashboard: 3
+ google_monitoring_monitored_project: 2
+ google_project: 3
+ google_project_iam_binding: 6
+ google_project_iam_member: 2
+ google_project_service: 21
+ google_project_service_identity: 5
+ google_storage_bucket_object: 2
+ google_vpc_access_connector: 2
 modules: 43
- resources: 201
+ random_id: 2
+ resources: 203
diff --git a/tests/fast/stages/s2_networking_e_nva_bgp/stage.yaml b/tests/fast/stages/s2_networking_e_nva_bgp/stage.yaml
index eeb4d3bf..99db2b22 100644
--- a/tests/fast/stages/s2_networking_e_nva_bgp/stage.yaml
+++ b/tests/fast/stages/s2_networking_e_nva_bgp/stage.yaml
@@ -12,6 +12,3645 @@ # See the License for the specific language governing permissions and # limitations under the License. +values: + google_compute_address.nva_static_ip_landing["primary-b"]: + address: 10.64.0.101 + address_type: INTERNAL + description: null + ip_version: null + ipv6_endpoint_type: null + labels: null + name: nva-ip-landing-ew1-b + network: null + project: fast2-prod-net-landing-0 + region: europe-west1 + timeouts: null + google_compute_address.nva_static_ip_landing["primary-c"]: + address: 10.64.0.102 + address_type: INTERNAL + description: null + ip_version: null + ipv6_endpoint_type: null + labels: null + name: nva-ip-landing-ew1-c + network: null + project: fast2-prod-net-landing-0 + region: europe-west1 + timeouts: null + google_compute_address.nva_static_ip_landing["secondary-b"]: + address: 10.80.0.101 + address_type: INTERNAL + description: null + ip_version: null + ipv6_endpoint_type: null + labels: null + name: nva-ip-landing-ew4-b + network: null + project: fast2-prod-net-landing-0 + region: europe-west4 + timeouts: null + google_compute_address.nva_static_ip_landing["secondary-c"]: + address: 10.80.0.102 + address_type: INTERNAL + description: null + ip_version: null + ipv6_endpoint_type: null + labels: null + name: nva-ip-landing-ew4-c + network: null + project: fast2-prod-net-landing-0 + region: europe-west4 + timeouts: null + google_compute_address.nva_static_ip_dmz["primary-b"]: + address: 10.64.128.101 + address_type: INTERNAL + description: null + ip_version: null + ipv6_endpoint_type: null + labels: null + name: nva-ip-dmz-ew1-b + network: null + project: fast2-prod-net-landing-0 + region: europe-west1 + timeouts: null + google_compute_address.nva_static_ip_dmz["primary-c"]: + address: 10.64.128.102 + address_type: INTERNAL + description: null + ip_version: null + ipv6_endpoint_type: null + labels: null + name: nva-ip-dmz-ew1-c + network: null + project: fast2-prod-net-landing-0 + region: europe-west1 + timeouts: null + 
google_compute_address.nva_static_ip_dmz["secondary-b"]: + address: 10.80.128.101 + address_type: INTERNAL + description: null + ip_version: null + ipv6_endpoint_type: null + labels: null + name: nva-ip-dmz-ew4-b + network: null + project: fast2-prod-net-landing-0 + region: europe-west4 + timeouts: null + google_compute_address.nva_static_ip_dmz["secondary-c"]: + address: 10.80.128.102 + address_type: INTERNAL + description: null + ip_version: null + ipv6_endpoint_type: null + labels: null + name: nva-ip-dmz-ew4-c + network: null + project: fast2-prod-net-landing-0 + region: europe-west4 + timeouts: null + google_monitoring_alert_policy.vpn_tunnel_bandwidth[0]: + alert_strategy: [] + combiner: OR + conditions: + - condition_absent: [] + condition_matched_log: [] + condition_monitoring_query_language: + - duration: 120s + evaluation_missing_data: null + query: fetch vpn_gateway| { metric vpn.googleapis.com/network/sent_bytes_count; + metric vpn.googleapis.com/network/received_bytes_count }| align rate (1m)| + group_by [metric.tunnel_name]| outer_join 0,0| value val(0) + val(1)| condition + val() > 187.5 "MBy/s" + trigger: + - count: 1 + percent: null + condition_prometheus_query_language: [] + condition_threshold: [] + display_name: VPN Tunnel Bandwidth usage + display_name: VPN Tunnel Bandwidth usage + documentation: [] + enabled: true + notification_channels: [] + project: fast2-prod-net-landing-0 + severity: null + timeouts: null + user_labels: null + google_monitoring_alert_policy.vpn_tunnel_established[0]: + alert_strategy: [] + combiner: OR + conditions: + - condition_absent: [] + condition_matched_log: [] + condition_monitoring_query_language: + - duration: 120s + evaluation_missing_data: null + query: 'fetch vpn_gateway| metric vpn.googleapis.com/tunnel_established| group_by + 5m, [value_tunnel_established_max: max(value.tunnel_established)]| every + 5m| condition val() < 1 ''1''' + trigger: + - count: 1 + percent: null + condition_prometheus_query_language: 
[] + condition_threshold: [] + display_name: VPN Tunnel Established + display_name: VPN Tunnel Established + documentation: [] + enabled: true + notification_channels: [] + project: fast2-prod-net-landing-0 + severity: null + timeouts: null + user_labels: null + google_monitoring_dashboard.dashboard["firewall_insights.json"]: + dashboard_json: '{"displayName":"Firewall Insights Monitoring","gridLayout":{"columns":"2","widgets":[{"title":"Subnet + Firewall Hit Counts","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"firewallinsights.googleapis.com/subnet/firewall_hit_count\" + resource.type=\"gce_subnetwork\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},{"title":"VM + Firewall Hit Counts","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"firewallinsights.googleapis.com/vm/firewall_hit_count\" + resource.type=\"gce_instance\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}}]}}' + project: fast2-prod-net-landing-0 + timeouts: null + google_monitoring_dashboard.dashboard["vpc_and_vpc_peering_group_quotas.json"]: + dashboard_json: '{"dashboardFilters":[],"displayName":"VPC \u0026 VPC Peering + Group Quotas","labels":{},"mosaicLayout":{"columns":12,"tiles":[{"height":4,"widget":{"title":"Internal + network (L4) Load Balancers per VPC Peering Group","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"breakdowns":[],"dimensions":[],"measures":[],"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch + 
compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/internal_lb_forwarding_rules_per_peering_group/usage\n | + align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], + .max()\n ; metric\n compute.googleapis.com/quota/internal_lb_forwarding_rules_per_peering_group/limit\n | + align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], + .min() }\n| ratio\n| value cast_units(val()*100, \"%\")","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"xPos":6},{"height":4,"widget":{"title":"Internal + network (L4) Load Balancers per VPC","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch + compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/internal_lb_forwarding_rules_per_vpc_network/usage\n | + align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], + .max()\n ; metric\n compute.googleapis.com/quota/internal_lb_forwarding_rules_per_vpc_network/limit\n | + align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], + .min() }\n| ratio\n| value cast_units(val()*100, \"%\")","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6},{"height":4,"widget":{"title":"Internal + application (L7) Load Balancers per VPC","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"breakdowns":[],"dimensions":[],"measures":[],"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch + compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/internal_managed_forwarding_rules_per_vpc_network/usage\n | + align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], + .max()\n ; metric\n 
compute.googleapis.com/quota/internal_managed_forwarding_rules_per_vpc_network/limit\n | + align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], + .min() }\n| ratio\n| value cast_units(val()*100, \"%\")","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"yPos":4},{"height":4,"widget":{"title":"Internal + application (L7) Load Balancers per VPC Peering Group","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"breakdowns":[],"dimensions":[],"measures":[],"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch + compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/internal_managed_forwarding_rules_per_peering_group/usage\n | + align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], + .max()\n ; metric\n compute.googleapis.com/quota/internal_managed_forwarding_rules_per_peering_group/limit\n | + align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], + .min() }\n| ratio\n| value cast_units(val()*100, \"%\")","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"xPos":6,"yPos":4},{"height":4,"widget":{"title":"Instances + per VPC","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch + compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/instances_per_vpc_network/usage\n | + align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], + .max()\n ; metric\n compute.googleapis.com/quota/instances_per_vpc_network/limit\n | + align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], + .min() }\n| ratio\n| value cast_units(val()*100, \"%\") 
","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"yPos":8},{"height":4,"widget":{"title":"Instances + per VPC Peering Group","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch + compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/instances_per_peering_group/usage\n | + align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], + .max()\n ; metric\n compute.googleapis.com/quota/instances_per_peering_group/limit\n | + align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], + .min() }\n| ratio\n| value cast_units(val()*100, \"%\")","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"xPos":6,"yPos":8},{"height":4,"widget":{"title":"Subnet + ranges per VPC","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch + compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/subnet_ranges_per_vpc_network/usage\n | + align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], + .max()\n ; metric\n compute.googleapis.com/quota/subnet_ranges_per_vpc_network/limit\n | + align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], + .min() }\n| ratio\n| value cast_units(val()*100, \"%\")","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"yPos":12},{"height":4,"widget":{"title":"Subnet + ranges per VPC Peering Group","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch + compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/subnet_ranges_per_peering_group/usage\n | + 
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], + .max()\n ; metric\n compute.googleapis.com/quota/subnet_ranges_per_peering_group/limit\n | + align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], + .min() }\n| ratio\n| value cast_units(val()*100, \"%\") ","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"xPos":6,"yPos":12}]}}' + project: fast2-prod-net-landing-0 + timeouts: null + google_monitoring_dashboard.dashboard["vpn.json"]: + dashboard_json: '{"displayName":"VPN Monitoring","mosaicLayout":{"columns":12,"tiles":[{"height":4,"widget":{"title":"Number + of connections","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_MEAN"},"filter":"metric.type=\"vpn.googleapis.com/gateway/connections\" + resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":4},{"height":4,"widget":{"title":"Tunnel + established","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_MEAN"},"filter":"metric.type=\"vpn.googleapis.com/tunnel_established\" + resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":4,"xPos":4},{"height":4,"widget":{"title":"VPN + Tunnel Bandwidth usage","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch + vpn_gateway| { metric vpn.googleapis.com/network/sent_bytes_count; metric vpn.googleapis.com/network/received_bytes_count + }| align rate (1m)| 
group_by [metric.tunnel_name]| outer_join 0,0| value val(0) + + val(1)| condition val() \u003e 187.5 \"MBy/s\""}}],"thresholds":[{"targetAxis":"Y1","value":187500000}],"timeshiftDuration":"0s","yAxis":{"scale":"LINEAR"}}},"width":4,"xPos":8},{"height":4,"widget":{"title":"Cloud + VPN Gateway - Received bytes","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"vpn.googleapis.com/network/received_bytes_count\" + resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"By"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":6,"yPos":4},{"height":4,"widget":{"title":"Cloud + VPN Gateway - Sent bytes","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"vpn.googleapis.com/network/sent_bytes_count\" + resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"By"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":6,"xPos":6,"yPos":4},{"height":4,"widget":{"title":"Cloud + VPN Gateway - Received packets","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"vpn.googleapis.com/network/received_packets_count\" + resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"{packets}"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":6,"yPos":8},{"height":4,"widget":{"title":"Cloud + VPN Gateway - Sent 
packets","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"vpn.googleapis.com/network/sent_packets_count\" + resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"{packets}"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":6,"xPos":6,"yPos":8},{"height":4,"widget":{"title":"Incoming + packets dropped","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"vpn.googleapis.com/network/dropped_received_packets_count\" + resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":6,"xPos":6,"yPos":12},{"height":4,"widget":{"title":"Outgoing + packets dropped","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"vpn.googleapis.com/network/dropped_sent_packets_count\" + resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":6,"yPos":12}]}}' + project: fast2-prod-net-landing-0 + timeouts: null + google_network_connectivity_hub.hub_landing: + description: Prod hub landing (trusted) + labels: null + name: prod-hub-landing + project: fast2-prod-net-landing-0 + timeouts: null + google_network_connectivity_hub.hub_dmz: + description: Prod hub DMZ (untrusted) + labels: null + name: prod-hub-dmz + project: fast2-prod-net-landing-0 + timeouts: null + google_storage_bucket_object.tfvars: + bucket: test + 
cache_control: null + content_disposition: null + content_encoding: null + content_language: null + customer_encryption: [] + detect_md5hash: different hash + event_based_hold: null + metadata: null + name: tfvars/2-networking.auto.tfvars.json + retention: [] + source: null + temporary_hold: null + timeouts: null + module.dev-dns-peer-landing-rev-10.google_dns_managed_zone.dns_managed_zone[0]: + cloud_logging_config: + - enable_logging: false + description: Terraform managed. + dns_name: 10.in-addr.arpa. + dnssec_config: [] + force_destroy: false + forwarding_config: [] + labels: null + name: dev-reverse-10-dns-peering + project: fast2-dev-net-spoke-0 + reverse_lookup: false + service_directory_config: [] + timeouts: null + visibility: private + module.dev-dns-peer-landing-root.google_dns_managed_zone.dns_managed_zone[0]: + cloud_logging_config: + - enable_logging: false + description: Terraform managed. + dns_name: . + dnssec_config: [] + force_destroy: false + forwarding_config: [] + labels: null + name: dev-root-dns-peering + project: fast2-dev-net-spoke-0 + reverse_lookup: false + service_directory_config: [] + timeouts: null + visibility: private + module.dev-dns-private-zone.google_dns_managed_zone.dns_managed_zone[0]: + cloud_logging_config: + - enable_logging: false + description: Terraform managed. + dns_name: dev.gcp.example.com. + dnssec_config: [] + force_destroy: false + forwarding_config: [] + labels: null + name: dev-gcp-example-com + peering_config: [] + project: fast2-dev-net-spoke-0 + service_directory_config: [] + timeouts: null + visibility: private + module.dev-dns-private-zone.google_dns_record_set.dns_record_set["A localhost"]: + managed_zone: dev-gcp-example-com + name: localhost.dev.gcp.example.com. 
+ project: fast2-dev-net-spoke-0 + routing_policy: [] + rrdatas: + - 127.0.0.1 + ttl: 300 + type: A + module.dev-spoke-firewall.google_compute_firewall.custom-rules["ingress-allow-composer-nodes"]: + allow: + - ports: + - '80' + - '443' + - '3306' + - '3307' + protocol: tcp + deny: [] + description: Allow traffic to Composer nodes. + direction: INGRESS + disabled: false + log_config: [] + name: ingress-allow-composer-nodes + priority: 1000 + project: fast2-dev-net-spoke-0 + source_ranges: null + source_service_accounts: null + source_tags: + - composer-worker + target_service_accounts: null + target_tags: + - composer-worker + timeouts: null + module.dev-spoke-firewall.google_compute_firewall.custom-rules["ingress-allow-dataflow-load"]: + allow: + - ports: + - '12345' + - '12346' + protocol: tcp + deny: [] + description: Allow traffic to Dataflow nodes. + direction: INGRESS + disabled: false + log_config: [] + name: ingress-allow-dataflow-load + priority: 1000 + project: fast2-dev-net-spoke-0 + source_ranges: null + source_service_accounts: null + source_tags: + - dataflow + target_service_accounts: null + target_tags: + - dataflow + timeouts: null + module.dev-spoke-firewall.google_compute_firewall.custom-rules["ingress-default-deny"]: + allow: [] + deny: + - ports: [] + protocol: all + description: Deny and log any unmatched ingress traffic. 
+ direction: INGRESS + disabled: false + log_config: + - metadata: EXCLUDE_ALL_METADATA + name: ingress-default-deny + priority: 65535 + project: fast2-dev-net-spoke-0 + source_ranges: + - 0.0.0.0/0 + source_service_accounts: null + source_tags: null + target_service_accounts: null + target_tags: null + timeouts: null + module.dev-spoke-project.google_compute_shared_vpc_host_project.shared_vpc_host[0]: + project: fast2-dev-net-spoke-0 + timeouts: null + module.dev-spoke-project.google_monitoring_monitored_project.primary["fast2-prod-net-landing-0"]: + metrics_scope: fast2-prod-net-landing-0 + name: fast2-dev-net-spoke-0 + timeouts: null + module.dev-spoke-project.google_project.project[0]: + auto_create_network: false + billing_account: 000000-111111-222222 + folder_id: null + labels: null + name: fast2-dev-net-spoke-0 + org_id: null + project_id: fast2-dev-net-spoke-0 + skip_delete: false + timeouts: null + module.dev-spoke-project.google_project_iam_binding.authoritative["roles/dns.admin"]: + condition: [] + members: + - serviceAccount:string + project: fast2-dev-net-spoke-0 + role: roles/dns.admin + module.dev-spoke-project.google_project_iam_binding.bindings["sa_delegated_grants"]: + condition: + - description: Development host project delegated grants. 
+ expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/composer.sharedVpcAgent','roles/compute.networkUser','roles/compute.networkViewer','roles/container.hostServiceAgentUser','roles/multiclusterservicediscovery.serviceAgent','roles/vpcaccess.user']) + title: dev_stage3_sa_delegated_grants + members: + - serviceAccount:string + project: fast2-dev-net-spoke-0 + role: roles/resourcemanager.projectIamAdmin + module.dev-spoke-project.google_project_iam_member.servicenetworking[0]: + condition: [] + project: fast2-dev-net-spoke-0 + role: roles/servicenetworking.serviceAgent + module.dev-spoke-project.google_project_service.project_services["compute.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast2-dev-net-spoke-0 + service: compute.googleapis.com + timeouts: null + module.dev-spoke-project.google_project_service.project_services["dns.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast2-dev-net-spoke-0 + service: dns.googleapis.com + timeouts: null + module.dev-spoke-project.google_project_service.project_services["iap.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast2-dev-net-spoke-0 + service: iap.googleapis.com + timeouts: null + module.dev-spoke-project.google_project_service.project_services["networkmanagement.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast2-dev-net-spoke-0 + service: networkmanagement.googleapis.com + timeouts: null + module.dev-spoke-project.google_project_service.project_services["servicenetworking.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast2-dev-net-spoke-0 + service: servicenetworking.googleapis.com + timeouts: null + module.dev-spoke-project.google_project_service.project_services["stackdriver.googleapis.com"]: + disable_dependent_services: false + 
disable_on_destroy: false + project: fast2-dev-net-spoke-0 + service: stackdriver.googleapis.com + timeouts: null + module.dev-spoke-project.google_project_service.project_services["vpcaccess.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast2-dev-net-spoke-0 + service: vpcaccess.googleapis.com + timeouts: null + module.dev-spoke-project.google_project_service_identity.jit_si["iap.googleapis.com"]: + project: fast2-dev-net-spoke-0 + service: iap.googleapis.com + timeouts: null + module.dev-spoke-project.google_project_service_identity.servicenetworking[0]: + project: fast2-dev-net-spoke-0 + service: servicenetworking.googleapis.com + timeouts: null + module.dev-spoke-vpc.google_compute_network.network[0]: + auto_create_subnetworks: false + delete_default_routes_on_create: true + description: Terraform-managed. + enable_ula_internal_ipv6: null + mtu: 1500 + name: dev-spoke-0 + network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL + project: fast2-dev-net-spoke-0 + routing_mode: GLOBAL + timeouts: null + module.dev-spoke-vpc.google_compute_route.gateway["private-googleapis"]: + description: Terraform-managed. + dest_range: 199.36.153.8/30 + name: dev-spoke-0-private-googleapis + next_hop_gateway: default-internet-gateway + next_hop_ilb: null + next_hop_instance: null + next_hop_vpn_tunnel: null + priority: 1000 + project: fast2-dev-net-spoke-0 + tags: null + timeouts: null + module.dev-spoke-vpc.google_compute_route.gateway["restricted-googleapis"]: + description: Terraform-managed. 
+ dest_range: 199.36.153.4/30 + name: dev-spoke-0-restricted-googleapis + next_hop_gateway: default-internet-gateway + next_hop_ilb: null + next_hop_instance: null + next_hop_vpn_tunnel: null + priority: 1000 + project: fast2-dev-net-spoke-0 + tags: null + timeouts: null + module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/dev-dataplatform"]: + description: Default subnet for dev Data Platform + ip_cidr_range: 10.68.2.0/24 + ipv6_access_type: null + log_config: [] + name: dev-dataplatform + private_ip_google_access: true + project: fast2-dev-net-spoke-0 + region: europe-west1 + role: null + secondary_ip_range: + - ip_cidr_range: 100.69.0.0/16 + range_name: pods + - ip_cidr_range: 100.71.2.0/24 + range_name: services + timeouts: null + module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/dev-default"]: + description: Default europe-west1 subnet for dev + ip_cidr_range: 10.68.0.0/24 + ipv6_access_type: null + log_config: [] + name: dev-default + private_ip_google_access: true + project: fast2-dev-net-spoke-0 + region: europe-west1 + role: null + secondary_ip_range: [] + timeouts: null + module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/dev-gke-nodes"]: + description: Default subnet for prod gke nodes + ip_cidr_range: 10.68.1.0/24 + ipv6_access_type: null + log_config: [] + name: dev-gke-nodes + private_ip_google_access: true + project: fast2-dev-net-spoke-0 + region: europe-west1 + role: null + secondary_ip_range: + - ip_cidr_range: 100.68.0.0/16 + range_name: pods + - ip_cidr_range: 100.71.1.0/24 + range_name: services + timeouts: null + module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west4/dev-default"]: + description: Default europe-west4 subnet for dev + ip_cidr_range: 10.84.0.0/24 + ipv6_access_type: null + log_config: [] + name: dev-default + private_ip_google_access: true + project: fast2-dev-net-spoke-0 + region: europe-west4 + role: null + secondary_ip_range: [] + timeouts: null 
+ module.dev-spoke-vpc.google_dns_policy.default[0]: + alternative_name_server_config: [] + description: Managed by Terraform + enable_inbound_forwarding: null + enable_logging: true + name: dev-spoke-0 + networks: + - {} + project: fast2-dev-net-spoke-0 + timeouts: null + module.firewall-policy-default.google_compute_firewall_policy.hierarchical[0]: + description: null + short_name: net-default + timeouts: null + module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-healthchecks"]: + action: allow + description: Enable HTTP and HTTPS healthchecks + direction: INGRESS + disabled: false + enable_logging: null + match: + - dest_address_groups: null + dest_fqdns: null + dest_ip_ranges: null + dest_region_codes: null + dest_threat_intelligences: null + layer4_configs: + - ip_protocol: tcp + ports: + - '80' + - '443' + src_address_groups: null + src_fqdns: null + src_ip_ranges: + - 35.191.0.0/16 + - 130.211.0.0/22 + - 209.85.152.0/22 + - 209.85.204.0/22 + src_region_codes: null + src_threat_intelligences: null + priority: 1001 + target_resources: null + target_service_accounts: null + timeouts: null + module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-icmp"]: + action: allow + description: Enable ICMP + direction: INGRESS + disabled: false + enable_logging: null + match: + - dest_address_groups: null + dest_fqdns: null + dest_ip_ranges: null + dest_region_codes: null + dest_threat_intelligences: null + layer4_configs: + - ip_protocol: icmp + ports: [] + src_address_groups: null + src_fqdns: null + src_ip_ranges: + - 0.0.0.0/0 + src_region_codes: null + src_threat_intelligences: null + priority: 1003 + target_resources: null + target_service_accounts: null + timeouts: null + module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-nat-ranges"]: + action: allow + description: Enable NAT ranges for VPC serverless connector + direction: INGRESS + 
disabled: false + enable_logging: null + match: + - dest_address_groups: null + dest_fqdns: null + dest_ip_ranges: null + dest_region_codes: null + dest_threat_intelligences: null + layer4_configs: + - ip_protocol: all + ports: null + src_address_groups: null + src_fqdns: null + src_ip_ranges: + - 107.178.230.64/26 + - 35.199.224.0/19 + src_region_codes: null + src_threat_intelligences: null + priority: 1004 + target_resources: null + target_service_accounts: null + timeouts: null + module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-ssh-from-iap"]: + action: allow + description: Enable SSH from IAP + direction: INGRESS + disabled: false + enable_logging: true + match: + - dest_address_groups: null + dest_fqdns: null + dest_ip_ranges: null + dest_region_codes: null + dest_threat_intelligences: null + layer4_configs: + - ip_protocol: tcp + ports: + - '22' + src_address_groups: null + src_fqdns: null + src_ip_ranges: + - 35.235.240.0/20 + src_region_codes: null + src_threat_intelligences: null + priority: 1002 + target_resources: null + target_service_accounts: null + timeouts: null + module.folder.google_compute_firewall_policy_association.default[0]: + name: default + timeouts: null + module.folder.google_essential_contacts_contact.contact["gcp-network-admins@fast.example.com"]: + email: gcp-network-admins@fast.example.com + language_tag: en + notification_category_subscriptions: + - ALL + timeouts: null + module.folder.google_folder.folder[0]: + display_name: Networking + parent: organizations/123456789012 + timeouts: null + module.landing-dns-fwd-onprem-example[0].google_dns_managed_zone.dns_managed_zone[0]: + cloud_logging_config: + - enable_logging: false + description: Terraform managed. + dns_name: onprem.example.com. 
+ dnssec_config: [] + force_destroy: false + forwarding_config: + - target_name_servers: + - forwarding_path: '' + ipv4_address: 10.10.10.10 + labels: null + name: example-com + peering_config: [] + project: fast2-prod-net-landing-0 + reverse_lookup: false + service_directory_config: [] + timeouts: null + visibility: private + module.landing-dns-fwd-onprem-rev-10[0].google_dns_managed_zone.dns_managed_zone[0]: + cloud_logging_config: + - enable_logging: false + description: Terraform managed. + dns_name: 10.in-addr.arpa. + dnssec_config: [] + force_destroy: false + forwarding_config: + - target_name_servers: + - forwarding_path: '' + ipv4_address: 10.10.10.10 + labels: null + name: root-reverse-10 + peering_config: [] + project: fast2-prod-net-landing-0 + reverse_lookup: false + service_directory_config: [] + timeouts: null + visibility: private + module.landing-dns-policy-googleapis.google_dns_response_policy.default[0]: + description: Managed by Terraform + gke_clusters: [] + networks: + - {} + - {} + project: fast2-prod-net-landing-0 + response_policy_name: googleapis + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["accounts"]: + behavior: null + dns_name: accounts.google.com. + local_data: + - local_datas: + - name: accounts.google.com. + rrdatas: + - private.googleapis.com. + ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: accounts + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-cloud"]: + behavior: null + dns_name: backupdr.cloud.google.com. + local_data: + - local_datas: + - name: backupdr.cloud.google.com. + rrdatas: + - private.googleapis.com. 
+ ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: backupdr-cloud + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-cloud-all"]: + behavior: null + dns_name: '*.backupdr.cloud.google.com.' + local_data: + - local_datas: + - name: '*.backupdr.cloud.google.com.' + rrdatas: + - private.googleapis.com. + ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: backupdr-cloud-all + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-gu"]: + behavior: null + dns_name: backupdr.googleusercontent.google.com. + local_data: + - local_datas: + - name: backupdr.googleusercontent.google.com. + rrdatas: + - private.googleapis.com. + ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: backupdr-gu + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-gu-all"]: + behavior: null + dns_name: '*.backupdr.googleusercontent.google.com.' + local_data: + - local_datas: + - name: '*.backupdr.googleusercontent.google.com.' + rrdatas: + - private.googleapis.com. + ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: backupdr-gu-all + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["cloudfunctions"]: + behavior: null + dns_name: '*.cloudfunctions.net.' + local_data: + - local_datas: + - name: '*.cloudfunctions.net.' + rrdatas: + - private.googleapis.com. + ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: cloudfunctions + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["cloudproxy"]: + behavior: null + dns_name: '*.cloudproxy.app.' + local_data: + - local_datas: + - name: '*.cloudproxy.app.' 
+ rrdatas: + - private.googleapis.com. + ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: cloudproxy + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["composer-cloud-all"]: + behavior: null + dns_name: '*.composer.cloud.google.com.' + local_data: + - local_datas: + - name: '*.composer.cloud.google.com.' + rrdatas: + - private.googleapis.com. + ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: composer-cloud-all + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["composer-gu-all"]: + behavior: null + dns_name: '*.composer.googleusercontent.com.' + local_data: + - local_datas: + - name: '*.composer.googleusercontent.com.' + rrdatas: + - private.googleapis.com. + ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: composer-gu-all + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["datafusion-all"]: + behavior: null + dns_name: '*.datafusion.cloud.google.com.' + local_data: + - local_datas: + - name: '*.datafusion.cloud.google.com.' + rrdatas: + - private.googleapis.com. + ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: datafusion-all + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["datafusion-gu-all"]: + behavior: null + dns_name: '*.datafusion.googleusercontent.com.' + local_data: + - local_datas: + - name: '*.datafusion.googleusercontent.com.' + rrdatas: + - private.googleapis.com. + ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: datafusion-gu-all + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc"]: + behavior: null + dns_name: dataproc.cloud.google.com. 
+ local_data: + - local_datas: + - name: dataproc.cloud.google.com. + rrdatas: + - private.googleapis.com. + ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: dataproc + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc-all"]: + behavior: null + dns_name: '*.dataproc.cloud.google.com.' + local_data: + - local_datas: + - name: '*.dataproc.cloud.google.com.' + rrdatas: + - private.googleapis.com. + ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: dataproc-all + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc-gu"]: + behavior: null + dns_name: dataproc.googleusercontent.com. + local_data: + - local_datas: + - name: dataproc.googleusercontent.com. + rrdatas: + - private.googleapis.com. + ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: dataproc-gu + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc-gu-all"]: + behavior: null + dns_name: '*.dataproc.googleusercontent.com.' + local_data: + - local_datas: + - name: '*.dataproc.googleusercontent.com.' + rrdatas: + - private.googleapis.com. + ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: dataproc-gu-all + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dl"]: + behavior: null + dns_name: dl.google.com. + local_data: + - local_datas: + - name: dl.google.com. + rrdatas: + - private.googleapis.com. + ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: dl + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["gcr"]: + behavior: null + dns_name: gcr.io. + local_data: + - local_datas: + - name: gcr.io. 
+ rrdatas: + - private.googleapis.com. + ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: gcr + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["gcr-all"]: + behavior: null + dns_name: '*.gcr.io.' + local_data: + - local_datas: + - name: '*.gcr.io.' + rrdatas: + - private.googleapis.com. + ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: gcr-all + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["googleapis-all"]: + behavior: null + dns_name: '*.googleapis.com.' + local_data: + - local_datas: + - name: '*.googleapis.com.' + rrdatas: + - private.googleapis.com. + ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: googleapis-all + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["googleapis-private"]: + behavior: null + dns_name: private.googleapis.com. + local_data: + - local_datas: + - name: private.googleapis.com. + rrdatas: + - 199.36.153.8 + - 199.36.153.9 + - 199.36.153.10 + - 199.36.153.11 + ttl: null + type: A + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: googleapis-private + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["googleapis-restricted"]: + behavior: null + dns_name: restricted.googleapis.com. + local_data: + - local_datas: + - name: restricted.googleapis.com. + rrdatas: + - 199.36.153.4 + - 199.36.153.5 + - 199.36.153.6 + - 199.36.153.7 + ttl: null + type: A + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: googleapis-restricted + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["gstatic-all"]: + behavior: null + dns_name: '*.gstatic.com.' + local_data: + - local_datas: + - name: '*.gstatic.com.' 
+ rrdatas: + - private.googleapis.com. + ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: gstatic-all + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["kernels-gu"]: + behavior: null + dns_name: kernels.googleusercontent.com. + local_data: + - local_datas: + - name: kernels.googleusercontent.com. + rrdatas: + - private.googleapis.com. + ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: kernels-gu + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["kernels-gu-all"]: + behavior: null + dns_name: '*.kernels.googleusercontent.com.' + local_data: + - local_datas: + - name: '*.kernels.googleusercontent.com.' + rrdatas: + - private.googleapis.com. + ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: kernels-gu-all + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["notebooks-all"]: + behavior: null + dns_name: '*.notebooks.cloud.google.com.' + local_data: + - local_datas: + - name: '*.notebooks.cloud.google.com.' + rrdatas: + - private.googleapis.com. + ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: notebooks-all + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["notebooks-gu-all"]: + behavior: null + dns_name: '*.notebooks.googleusercontent.com.' + local_data: + - local_datas: + - name: '*.notebooks.googleusercontent.com.' + rrdatas: + - private.googleapis.com. + ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: notebooks-gu-all + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["packages-cloud"]: + behavior: null + dns_name: packages.cloud.google.com. 
+ local_data: + - local_datas: + - name: packages.cloud.google.com. + rrdatas: + - private.googleapis.com. + ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: packages-cloud + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["packages-cloud-all"]: + behavior: null + dns_name: '*.packages.cloud.google.com.' + local_data: + - local_datas: + - name: '*.packages.cloud.google.com.' + rrdatas: + - private.googleapis.com. + ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: packages-cloud-all + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkgdev"]: + behavior: null + dns_name: pkg.dev. + local_data: + - local_datas: + - name: pkg.dev. + rrdatas: + - private.googleapis.com. + ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: pkgdev + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkgdev-all"]: + behavior: null + dns_name: '*.pkg.dev.' + local_data: + - local_datas: + - name: '*.pkg.dev.' + rrdatas: + - private.googleapis.com. + ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: pkgdev-all + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkigoog"]: + behavior: null + dns_name: pki.goog. + local_data: + - local_datas: + - name: pki.goog. + rrdatas: + - private.googleapis.com. + ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: pkigoog + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkigoog-all"]: + behavior: null + dns_name: '*.pki.goog.' + local_data: + - local_datas: + - name: '*.pki.goog.' + rrdatas: + - private.googleapis.com. 
+ ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: pkigoog-all + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["run-all"]: + behavior: null + dns_name: '*.run.app.' + local_data: + - local_datas: + - name: '*.run.app.' + rrdatas: + - private.googleapis.com. + ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: run-all + timeouts: null + module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["source"]: + behavior: null + dns_name: source.developers.google.com. + local_data: + - local_datas: + - name: source.developers.google.com. + rrdatas: + - private.googleapis.com. + ttl: null + type: CNAME + project: fast2-prod-net-landing-0 + response_policy: googleapis + rule_name: source + timeouts: null + module.landing-dns-priv-gcp.google_dns_managed_zone.dns_managed_zone[0]: + cloud_logging_config: + - enable_logging: false + description: Terraform managed. + dns_name: gcp.example.com. + dnssec_config: [] + force_destroy: false + forwarding_config: [] + labels: null + name: gcp-example-com + peering_config: [] + project: fast2-prod-net-landing-0 + service_directory_config: [] + timeouts: null + visibility: private + module.landing-dns-priv-gcp.google_dns_record_set.dns_record_set["A localhost"]: + managed_zone: gcp-example-com + name: localhost.gcp.example.com. 
+ project: fast2-prod-net-landing-0 + routing_policy: [] + rrdatas: + - 127.0.0.1 + ttl: 300 + type: A + module.landing-nat-primary[0].google_compute_router.router[0]: + bgp: [] + description: null + encrypted_interconnect_router: null + name: prod-nat-ew1 + project: fast2-prod-net-landing-0 + region: europe-west1 + timeouts: null + module.landing-nat-primary[0].google_compute_router_nat.nat: + drain_nat_ips: null + enable_dynamic_port_allocation: false + enable_endpoint_independent_mapping: true + icmp_idle_timeout_sec: 30 + log_config: + - enable: false + filter: ALL + max_ports_per_vm: 65536 + min_ports_per_vm: 64 + name: ew1 + nat_ip_allocate_option: AUTO_ONLY + nat_ips: null + project: fast2-prod-net-landing-0 + region: europe-west1 + router: prod-nat-ew1 + rules: [] + source_subnetwork_ip_ranges_to_nat: ALL_SUBNETWORKS_ALL_IP_RANGES + subnetwork: [] + tcp_established_idle_timeout_sec: 1200 + tcp_time_wait_timeout_sec: 120 + tcp_transitory_idle_timeout_sec: 30 + timeouts: null + udp_idle_timeout_sec: 30 + module.landing-nat-secondary[0].google_compute_router.router[0]: + bgp: [] + description: null + encrypted_interconnect_router: null + name: prod-nat-ew4 + project: fast2-prod-net-landing-0 + region: europe-west4 + timeouts: null + module.landing-nat-secondary[0].google_compute_router_nat.nat: + drain_nat_ips: null + enable_dynamic_port_allocation: false + enable_endpoint_independent_mapping: true + icmp_idle_timeout_sec: 30 + log_config: + - enable: false + filter: ALL + max_ports_per_vm: 65536 + min_ports_per_vm: 64 + name: ew4 + nat_ip_allocate_option: AUTO_ONLY + nat_ips: null + project: fast2-prod-net-landing-0 + region: europe-west4 + router: prod-nat-ew4 + rules: [] + source_subnetwork_ip_ranges_to_nat: ALL_SUBNETWORKS_ALL_IP_RANGES + subnetwork: [] + tcp_established_idle_timeout_sec: 1200 + tcp_time_wait_timeout_sec: 120 + tcp_transitory_idle_timeout_sec: 30 + timeouts: null + udp_idle_timeout_sec: 30 + 
module.landing-project.google_compute_shared_vpc_host_project.shared_vpc_host[0]: + project: fast2-prod-net-landing-0 + timeouts: null + module.landing-project.google_project.project[0]: + auto_create_network: false + billing_account: 000000-111111-222222 + folder_id: null + labels: null + name: fast2-prod-net-landing-0 + org_id: null + project_id: fast2-prod-net-landing-0 + skip_delete: false + timeouts: null + module.landing-project.google_project_iam_binding.authoritative["organizations/123456789012/roles/foo"]: + condition: [] + members: + - serviceAccount:string + project: fast2-prod-net-landing-0 + role: organizations/123456789012/roles/foo + module.landing-project.google_project_iam_binding.authoritative["roles/dns.admin"]: + condition: [] + members: + - serviceAccount:string + project: fast2-prod-net-landing-0 + role: roles/dns.admin + module.landing-project.google_project_service.project_services["compute.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast2-prod-net-landing-0 + service: compute.googleapis.com + timeouts: null + module.landing-project.google_project_service.project_services["dns.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast2-prod-net-landing-0 + service: dns.googleapis.com + timeouts: null + module.landing-project.google_project_service.project_services["iap.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast2-prod-net-landing-0 + service: iap.googleapis.com + timeouts: null + module.landing-project.google_project_service.project_services["networkconnectivity.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast2-prod-net-landing-0 + service: networkconnectivity.googleapis.com + timeouts: null + module.landing-project.google_project_service.project_services["networkmanagement.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false 
+ project: fast2-prod-net-landing-0 + service: networkmanagement.googleapis.com + timeouts: null + module.landing-project.google_project_service.project_services["stackdriver.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast2-prod-net-landing-0 + service: stackdriver.googleapis.com + timeouts: null + module.landing-project.google_project_service_identity.jit_si["iap.googleapis.com"]: + project: fast2-prod-net-landing-0 + service: iap.googleapis.com + timeouts: null + module.landing-to-onprem-primary-vpn[0].google_compute_external_vpn_gateway.external_gateway["default"]: + description: Terraform managed external VPN gateway + interface: + - id: 0 + ip_address: 8.8.8.8 + labels: null + name: vpn-to-onprem-ew1-default + project: fast2-prod-net-landing-0 + redundancy_type: SINGLE_IP_INTERNALLY_REDUNDANT + timeouts: null + module.landing-to-onprem-primary-vpn[0].google_compute_ha_vpn_gateway.ha_gateway[0]: + description: Terraform managed external VPN gateway + name: vpn-to-onprem-ew1 + project: fast2-prod-net-landing-0 + region: europe-west1 + stack_type: IPV4_ONLY + timeouts: null + module.landing-to-onprem-primary-vpn[0].google_compute_router.router[0]: + bgp: + - advertise_mode: CUSTOM + advertised_groups: [] + advertised_ip_ranges: + - description: gcp + range: 10.1.0.0/16 + - description: gcp-restricted + range: 199.36.153.4/30 + - description: gcp-dns + range: 35.199.192.0/19 + asn: 65501 + keepalive_interval: 20 + description: null + encrypted_interconnect_router: null + name: vpn-vpn-to-onprem-ew1 + project: fast2-prod-net-landing-0 + region: europe-west1 + timeouts: null + module.landing-to-onprem-primary-vpn[0].google_compute_router_interface.router_interface["0"]: + interconnect_attachment: null + ip_range: 169.254.1.2/30 + name: vpn-to-onprem-ew1-0 + private_ip_address: null + project: fast2-prod-net-landing-0 + region: europe-west1 + router: vpn-vpn-to-onprem-ew1 + subnetwork: null + timeouts: null + 
vpn_tunnel: vpn-to-onprem-ew1-0 + module.landing-to-onprem-primary-vpn[0].google_compute_router_interface.router_interface["1"]: + interconnect_attachment: null + ip_range: 169.254.2.2/30 + name: vpn-to-onprem-ew1-1 + private_ip_address: null + project: fast2-prod-net-landing-0 + region: europe-west1 + router: vpn-vpn-to-onprem-ew1 + subnetwork: null + timeouts: null + vpn_tunnel: vpn-to-onprem-ew1-1 + module.landing-to-onprem-primary-vpn[0].google_compute_router_peer.bgp_peer["0"]: + advertise_mode: DEFAULT + advertised_groups: [] + advertised_ip_ranges: [] + advertised_route_priority: 1000 + enable: true + enable_ipv6: false + interface: vpn-to-onprem-ew1-0 + md5_authentication_key: [] + name: vpn-to-onprem-ew1-0 + peer_asn: 65500 + peer_ip_address: 169.254.1.1 + project: fast2-prod-net-landing-0 + region: europe-west1 + router: vpn-vpn-to-onprem-ew1 + router_appliance_instance: null + timeouts: null + module.landing-to-onprem-primary-vpn[0].google_compute_router_peer.bgp_peer["1"]: + advertise_mode: DEFAULT + advertised_groups: [] + advertised_ip_ranges: [] + advertised_route_priority: 1000 + enable: true + enable_ipv6: false + interface: vpn-to-onprem-ew1-1 + md5_authentication_key: [] + name: vpn-to-onprem-ew1-1 + peer_asn: 64513 + peer_ip_address: 169.254.2.1 + project: fast2-prod-net-landing-0 + region: europe-west1 + router: vpn-vpn-to-onprem-ew1 + router_appliance_instance: null + timeouts: null + module.landing-to-onprem-primary-vpn[0].google_compute_vpn_tunnel.tunnels["0"]: + description: null + ike_version: 2 + labels: null + name: vpn-to-onprem-ew1-0 + peer_external_gateway_interface: null + peer_gcp_gateway: null + project: fast2-prod-net-landing-0 + region: europe-west1 + router: vpn-vpn-to-onprem-ew1 + shared_secret: foo + target_vpn_gateway: null + timeouts: null + vpn_gateway_interface: 0 + module.landing-to-onprem-primary-vpn[0].google_compute_vpn_tunnel.tunnels["1"]: + description: null + ike_version: 2 + labels: null + name: vpn-to-onprem-ew1-1 
+ peer_external_gateway_interface: null + peer_gcp_gateway: null + project: fast2-prod-net-landing-0 + region: europe-west1 + router: vpn-vpn-to-onprem-ew1 + shared_secret: foo + target_vpn_gateway: null + timeouts: null + vpn_gateway_interface: 1 + module.landing-to-onprem-primary-vpn[0].random_id.secret: + byte_length: 8 + keepers: null + prefix: null + module.landing-to-onprem-secondary-vpn[0].google_compute_external_vpn_gateway.external_gateway["default"]: + description: Terraform managed external VPN gateway + interface: + - id: 0 + ip_address: 8.8.4.4 + labels: null + name: vpn-to-onprem-ew4-default + project: fast2-prod-net-landing-0 + redundancy_type: SINGLE_IP_INTERNALLY_REDUNDANT + timeouts: null + module.landing-to-onprem-secondary-vpn[0].google_compute_ha_vpn_gateway.ha_gateway[0]: + description: Terraform managed external VPN gateway + name: vpn-to-onprem-ew4 + project: fast2-prod-net-landing-0 + region: europe-west4 + stack_type: IPV4_ONLY + timeouts: null + module.landing-to-onprem-secondary-vpn[0].google_compute_router.router[0]: + bgp: + - advertise_mode: CUSTOM + advertised_groups: [] + advertised_ip_ranges: + - description: gcp + range: 10.1.0.0/16 + - description: gcp-restricted + range: 199.36.153.4/30 + - description: gcp-dns + range: 35.199.192.0/19 + asn: 65501 + keepalive_interval: 20 + description: null + encrypted_interconnect_router: null + name: vpn-vpn-to-onprem-ew4 + project: fast2-prod-net-landing-0 + region: europe-west4 + timeouts: null + module.landing-to-onprem-secondary-vpn[0].google_compute_router_interface.router_interface["0"]: + interconnect_attachment: null + ip_range: 169.254.3.2/30 + name: vpn-to-onprem-ew4-0 + private_ip_address: null + project: fast2-prod-net-landing-0 + region: europe-west4 + router: vpn-vpn-to-onprem-ew4 + subnetwork: null + timeouts: null + vpn_tunnel: vpn-to-onprem-ew4-0 + module.landing-to-onprem-secondary-vpn[0].google_compute_router_interface.router_interface["1"]: + interconnect_attachment: null 
+ ip_range: 169.254.4.2/30 + name: vpn-to-onprem-ew4-1 + private_ip_address: null + project: fast2-prod-net-landing-0 + region: europe-west4 + router: vpn-vpn-to-onprem-ew4 + subnetwork: null + timeouts: null + vpn_tunnel: vpn-to-onprem-ew4-1 + module.landing-to-onprem-secondary-vpn[0].google_compute_router_peer.bgp_peer["0"]: + advertise_mode: DEFAULT + advertised_groups: [] + advertised_ip_ranges: [] + advertised_route_priority: 1000 + enable: true + enable_ipv6: false + interface: vpn-to-onprem-ew4-0 + md5_authentication_key: [] + name: vpn-to-onprem-ew4-0 + peer_asn: 65500 + peer_ip_address: 169.254.1.1 + project: fast2-prod-net-landing-0 + region: europe-west4 + router: vpn-vpn-to-onprem-ew4 + router_appliance_instance: null + timeouts: null + module.landing-to-onprem-secondary-vpn[0].google_compute_router_peer.bgp_peer["1"]: + advertise_mode: DEFAULT + advertised_groups: [] + advertised_ip_ranges: [] + advertised_route_priority: 1000 + enable: true + enable_ipv6: false + interface: vpn-to-onprem-ew4-1 + md5_authentication_key: [] + name: vpn-to-onprem-ew4-1 + peer_asn: 64513 + peer_ip_address: 169.254.2.1 + project: fast2-prod-net-landing-0 + region: europe-west4 + router: vpn-vpn-to-onprem-ew4 + router_appliance_instance: null + timeouts: null + module.landing-to-onprem-secondary-vpn[0].google_compute_vpn_tunnel.tunnels["0"]: + description: null + ike_version: 2 + labels: null + name: vpn-to-onprem-ew4-0 + peer_external_gateway_interface: null + peer_gcp_gateway: null + project: fast2-prod-net-landing-0 + region: europe-west4 + router: vpn-vpn-to-onprem-ew4 + shared_secret: foo + target_vpn_gateway: null + timeouts: null + vpn_gateway_interface: 0 + module.landing-to-onprem-secondary-vpn[0].google_compute_vpn_tunnel.tunnels["1"]: + description: null + ike_version: 2 + labels: null + name: vpn-to-onprem-ew4-1 + peer_external_gateway_interface: null + peer_gcp_gateway: null + project: fast2-prod-net-landing-0 + region: europe-west4 + router: 
vpn-vpn-to-onprem-ew4 + shared_secret: foo + target_vpn_gateway: null + timeouts: null + vpn_gateway_interface: 1 + module.landing-to-onprem-secondary-vpn[0].random_id.secret: + byte_length: 8 + keepers: null + prefix: null + module.landing-firewall.google_compute_firewall.custom-rules["allow-hc-nva-ssh-landing"]: + allow: + - ports: + - '22' + protocol: tcp + deny: [] + description: Allow traffic from Google healthchecks to NVA appliances + direction: INGRESS + disabled: false + log_config: [] + name: allow-hc-nva-ssh-landing + priority: 1000 + project: fast2-prod-net-landing-0 + source_ranges: + - 130.211.0.0/22 + - 209.85.152.0/22 + - 209.85.204.0/22 + - 35.191.0.0/16 + source_service_accounts: null + source_tags: null + target_service_accounts: null + target_tags: null + timeouts: null + module.landing-firewall.google_compute_firewall.custom-rules["allow-ncc-nva-bgp-landing"]: + allow: + - ports: + - '179' + protocol: tcp + deny: [] + description: Allow BGP traffic from NCC Cloud Routers to NVAs + direction: INGRESS + disabled: false + log_config: [] + name: allow-ncc-nva-bgp-landing + priority: 1000 + project: fast2-prod-net-landing-0 + source_ranges: + - 10.128.64.201/32 + - 10.128.64.202/32 + - 10.128.96.201/32 + - 10.128.96.202/32 + source_service_accounts: null + source_tags: null + target_service_accounts: null + target_tags: + - nva + timeouts: null + module.landing-firewall.google_compute_firewall.custom-rules["allow-onprem-probes-landing-example"]: + allow: + - ports: + - '12345' + protocol: tcp + deny: [] + description: Allow traffic from onprem probes + direction: INGRESS + disabled: false + log_config: [] + name: allow-onprem-probes-landing-example + priority: 1000 + project: fast2-prod-net-landing-0 + source_ranges: + - 10.255.255.254/32 + source_service_accounts: null + source_tags: null + target_service_accounts: null + target_tags: null + timeouts: null + 
module.landing-firewall.google_compute_firewall.custom-rules["landing-ingress-default-deny"]: + allow: [] + deny: + - ports: [] + protocol: all + description: Deny and log any unmatched ingress traffic. + direction: INGRESS + disabled: false + log_config: + - metadata: EXCLUDE_ALL_METADATA + name: landing-ingress-default-deny + priority: 65535 + project: fast2-prod-net-landing-0 + source_ranges: + - 0.0.0.0/0 + source_service_accounts: null + source_tags: null + target_service_accounts: null + target_tags: null + timeouts: null + module.landing-vpc.google_compute_network.network[0]: + auto_create_subnetworks: false + delete_default_routes_on_create: true + description: Terraform-managed. + enable_ula_internal_ipv6: null + mtu: 1500 + name: prod-landing-0 + network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL + project: fast2-prod-net-landing-0 + routing_mode: GLOBAL + timeouts: null + module.landing-vpc.google_compute_route.gateway["private-googleapis"]: + description: Terraform-managed. + dest_range: 199.36.153.8/30 + name: prod-landing-0-private-googleapis + next_hop_gateway: default-internet-gateway + next_hop_ilb: null + next_hop_instance: null + next_hop_vpn_tunnel: null + priority: 1000 + project: fast2-prod-net-landing-0 + tags: null + timeouts: null + module.landing-vpc.google_compute_route.gateway["restricted-googleapis"]: + description: Terraform-managed. 
+ dest_range: 199.36.153.4/30 + name: prod-landing-0-restricted-googleapis + next_hop_gateway: default-internet-gateway + next_hop_ilb: null + next_hop_instance: null + next_hop_vpn_tunnel: null + priority: 1000 + project: fast2-prod-net-landing-0 + tags: null + timeouts: null + module.landing-vpc.google_compute_subnetwork.subnetwork["europe-west1/landing-default"]: + description: Default europe-west1 subnet for landing + ip_cidr_range: 10.64.0.0/24 + ipv6_access_type: null + log_config: [] + name: landing-default + private_ip_google_access: true + project: fast2-prod-net-landing-0 + region: europe-west1 + role: null + secondary_ip_range: [] + timeouts: null + module.landing-vpc.google_compute_subnetwork.subnetwork["europe-west4/landing-default"]: + description: Default europe-west4 subnet for landing + ip_cidr_range: 10.80.0.0/24 + ipv6_access_type: null + log_config: [] + name: landing-default + private_ip_google_access: true + project: fast2-prod-net-landing-0 + region: europe-west4 + role: null + secondary_ip_range: [] + timeouts: null + module.landing-vpc.google_dns_policy.default[0]: + alternative_name_server_config: [] + description: Managed by Terraform + enable_inbound_forwarding: true + enable_logging: null + name: prod-landing-0 + networks: + - {} + project: fast2-prod-net-landing-0 + timeouts: null + module.dmz-firewall.google_compute_firewall.custom-rules["allow-hc-nva-ssh-dmz"]: + allow: + - ports: + - '22' + protocol: tcp + deny: [] + description: Allow traffic from Google healthchecks to NVA appliances + direction: INGRESS + disabled: false + log_config: [] + name: allow-hc-nva-ssh-dmz + priority: 1000 + project: fast2-prod-net-landing-0 + source_ranges: + - 130.211.0.0/22 + - 209.85.152.0/22 + - 209.85.204.0/22 + - 35.191.0.0/16 + source_service_accounts: null + source_tags: null + target_service_accounts: null + target_tags: null + timeouts: null + module.dmz-firewall.google_compute_firewall.custom-rules["allow-ncc-nva-bgp-dmz"]: + allow: + - 
ports: + - '179' + protocol: tcp + deny: [] + description: Allow BGP traffic from NCC Cloud Routers to NVAs + direction: INGRESS + disabled: false + log_config: [] + name: allow-ncc-nva-bgp-dmz + priority: 1000 + project: fast2-prod-net-landing-0 + source_ranges: + - 10.128.0.201/32 + - 10.128.0.202/32 + - 10.128.32.201/32 + - 10.128.32.202/32 + source_service_accounts: null + source_tags: null + target_service_accounts: null + target_tags: + - nva + timeouts: null + module.dmz-firewall.google_compute_firewall.custom-rules["allow-nva-nva-bgp-dmz"]: + allow: + - ports: + - '179' + protocol: tcp + deny: [] + description: Allow BGP traffic from cross-regional NVAs + direction: INGRESS + disabled: false + log_config: [] + name: allow-nva-nva-bgp-dmz + priority: 1000 + project: fast2-prod-net-landing-0 + source_ranges: null + source_service_accounts: null + source_tags: + - nva + target_service_accounts: null + target_tags: + - nva + timeouts: null + module.dmz-firewall.google_compute_firewall.custom-rules["dmz-ingress-default-deny"]: + allow: [] + deny: + - ports: [] + protocol: all + description: Deny and log any unmatched ingress traffic. + direction: INGRESS + disabled: false + log_config: + - metadata: EXCLUDE_ALL_METADATA + name: dmz-ingress-default-deny + priority: 65535 + project: fast2-prod-net-landing-0 + source_ranges: + - 0.0.0.0/0 + source_service_accounts: null + source_tags: null + target_service_accounts: null + target_tags: null + timeouts: null + module.dmz-vpc.google_compute_network.network[0]: + auto_create_subnetworks: false + delete_default_routes_on_create: false + description: Terraform-managed. 
+ enable_ula_internal_ipv6: null + mtu: 1500 + name: prod-dmz-0 + network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL + project: fast2-prod-net-landing-0 + routing_mode: GLOBAL + timeouts: null + module.dmz-vpc.google_compute_subnetwork.subnetwork["europe-west1/dmz-default"]: + description: Default europe-west1 subnet for DMZ + ip_cidr_range: 10.64.128.0/24 + ipv6_access_type: null + log_config: [] + name: dmz-default + private_ip_google_access: true + project: fast2-prod-net-landing-0 + region: europe-west1 + role: null + secondary_ip_range: [] + timeouts: null + module.dmz-vpc.google_compute_subnetwork.subnetwork["europe-west4/dmz-default"]: + description: Default europe-west4 subnet for DMZ + ip_cidr_range: 10.80.128.0/24 + ipv6_access_type: null + log_config: [] + name: dmz-default + private_ip_google_access: true + project: fast2-prod-net-landing-0 + region: europe-west4 + role: null + secondary_ip_range: [] + timeouts: null + module.dmz-vpc.google_dns_policy.default[0]: + alternative_name_server_config: [] + description: Managed by Terraform + enable_inbound_forwarding: true + enable_logging: true + name: prod-dmz-0 + networks: + - {} + project: fast2-prod-net-landing-0 + timeouts: null + module.nva["primary-b"].google_compute_instance.default[0]: + advanced_machine_features: [] + allow_stopping_for_update: true + attached_disk: [] + boot_disk: + - auto_delete: true + disk_encryption_key_raw: null + initialize_params: + - enable_confidential_compute: null + image: projects/cos-cloud/global/images/family/cos-stable + resource_manager_tags: null + size: 10 + type: pd-balanced + mode: READ_WRITE + can_ip_forward: true + deletion_protection: false + description: Managed by the compute-vm Terraform module. 
+ desired_status: null + enable_display: false + hostname: null + labels: null + machine_type: e2-standard-2 + metadata: + user-data: "#cloud-config\n\n# Copyright 2023 Google LLC\n#\n# Licensed under\ + \ the Apache License, Version 2.0 (the \"License\");\n# you may not use this\ + \ file except in compliance with the License.\n# You may obtain a copy of\ + \ the License at\n#\n# https://www.apache.org/licenses/LICENSE-2.0\n#\n\ + # Unless required by applicable law or agreed to in writing, software\n# distributed\ + \ under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES\ + \ OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License\ + \ for the specific language governing permissions and\n# limitations under\ + \ the License.\n\nwrite_files:\n\n - path: /etc/frr/daemons\n owner: root\n\ + \ permissions: 0744\n content: |\n # Copyright 2023 Google LLC\n\ + \ #\n # Licensed under the Apache License, Version 2.0 (the \"License\"\ + );\n # you may not use this file except in compliance with the License.\n\ + \ # You may obtain a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ + \ #\n # Unless required by applicable law or agreed to in writing,\ + \ software\n # distributed under the License is distributed on an \"\ + AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ + \ express or implied.\n # See the License for the specific language governing\ + \ permissions and\n # limitations under the License.\n \n zebra=no\n\ + \ bgpd=yes\n ospfd=no\n ospf6d=no\n ripd=no\n ripngd=no\n\ + \ isisd=no\n pimd=no\n ldpd=no\n nhrpd=no\n eigrpd=no\n\ + \ babeld=no\n sharpd=no\n staticd=no\n pbrd=no\n \ + \ bfdd=no\n fabricd=no\n \n # If this option is set the /etc/init.d/frr\ + \ script automatically loads\n # the config via \"vtysh -b\" when the\ + \ servers are started.\n # Check /etc/pam.d/frr if you intend to use\ + \ \"vtysh\"!\n \n vtysh_enable=yes\n zebra_options=\" -A 127.0.0.1\ + \ -s 
90000000\"\n bgpd_options=\" -A 127.0.0.1\"\n ospfd_options=\"\ + \ --daemon -A 127.0.0.1\"\n ospf6d_options=\" --daemon -A ::1\"\n \ + \ ripd_options=\" --daemon -A 127.0.0.1\"\n ripngd_options=\" --daemon\ + \ -A ::1\"\n isisd_options=\" --daemon -A 127.0.0.1\"\n pimd_options=\"\ + \ --daemon -A 127.0.0.1\"\n ldpd_options=\" --daemon -A 127.0.0.1\"\ + \n nhrpd_options=\" --daemon -A 127.0.0.1\"\n eigrpd_options=\"\ + \ --daemon -A 127.0.0.1\"\n babeld_options=\" --daemon -A 127.0.0.1\"\ + \n sharpd_options=\" --daemon -A 127.0.0.1\"\n staticd_options=\"\ + \ --daemon -A 127.0.0.1\"\n pbrd_options=\" --daemon -A 127.0.0.1\"\ + \n bfdd_options=\" --daemon -A 127.0.0.1\"\n fabricd_options=\"\ + \ --daemon -A 127.0.0.1\"\n \n #MAX_FDS=1024\n # The list\ + \ of daemons to watch is automatically generated by the init script.\n \ + \ #watchfrr_options=\"\"\n \n # for debugging purposes, you can\ + \ specify a \"wrap\" command to start instead\n # of starting the daemon\ + \ directly, e.g. to use valgrind on ospfd:\n # ospfd_wrap=\"/usr/bin/valgrind\"\ + \n # or you can use \"all_wrap\" for all daemons, e.g. 
to use perf record:\n\ + \ # all_wrap=\"/usr/bin/perf record --call-graph -\"\n # the normal\ + \ daemon command is added to this at the end.\n \n\n - path: /etc/frr/frr.conf\n\ + \ owner: root\n permissions: 0744\n content: |\n # NVAs configuration\ + \ template\n \n log syslog informational\n no ipv6 forwarding\n\ + \ service integrated-vtysh-config\n \n interface lo\n \ + \ ip address 10.64.128.101/32\n \n ip prefix-list DEFAULT seq 10\ + \ permit 0.0.0.0/0\n !\n ip prefix-list PRIMARY seq 10 permit 10.64.0.0/17\n\ + \ ip prefix-list PRIMARY seq 20 permit 10.68.0.0/16\n ip prefix-list\ + \ PRIMARY seq 30 permit 10.72.0.0/16\n !\n ip prefix-list SECONDARY\ + \ seq 10 permit 10.80.0.0/17\n ip prefix-list SECONDARY seq 20 permit\ + \ 10.84.0.0/16\n ip prefix-list SECONDARY seq 30 permit 10.88.0.0/16\n\ + \ \n route-map TO-DMZ permit 10\n match ip address\ + \ prefix-list PRIMARY\n set metric 100\n !\n route-map TO-DMZ\ + \ permit 20\n match ip address prefix-list SECONDARY\n set metric\ + \ 10100\n !\n route-map TO-LANDING permit 10\n match ip address\ + \ prefix-list DEFAULT\n set metric 100\n !\n route-map TO-NVA\ + \ permit 10\n match ip address prefix-list PRIMARY\n set metric\ + \ 50\n \n router bgp 64513\n bgp router-id 10.64.128.101\n\ + \ bgp bestpath as-path ignore\n bgp disable-ebgp-connected-route-check\n\ + \ bgp timers 20 60\n !\n no bgp ebgp-requires-policy\n \ + \ no bgp network import-check\n !\n neighbor 10.64.128.201\ + \ remote-as 64512\n neighbor 10.64.128.202 remote-as 64512\n !\n\ + \ neighbor 10.64.0.201 remote-as 64515\n neighbor 10.64.0.201\ + \ update-source 10.64.0.101\n neighbor 10.64.0.202 remote-as 64515\n\ + \ neighbor 10.64.0.202 update-source 10.64.0.101\n !\n neighbor\ + \ 10.80.128.101 remote-as 64514\n neighbor 10.80.128.101 ebgp-multihop\ + \ 2\n neighbor 10.80.128.102 remote-as 64514\n neighbor 10.80.128.102\ + \ ebgp-multihop 2\n !\n address-family ipv4 unicast\n neighbor\ + \ 10.64.128.201 route-map TO-DMZ out\n neighbor 
10.64.128.201\ + \ soft-reconfiguration inbound\n !\n neighbor 10.64.128.202 route-map\ + \ TO-DMZ out\n neighbor 10.64.128.202 soft-reconfiguration inbound\n\ + \ !\n neighbor 10.64.0.201 route-map TO-LANDING out\n neighbor\ + \ 10.64.0.201 soft-reconfiguration inbound\n !\n neighbor 10.64.0.202\ + \ route-map TO-LANDING out\n neighbor 10.64.0.202 soft-reconfiguration\ + \ inbound\n !\n neighbor 10.80.128.101 route-map TO-NVA out\n\ + \ neighbor 10.80.128.101 soft-reconfiguration inbound\n !\n \ + \ neighbor 10.80.128.102 route-map TO-NVA out\n neighbor 10.80.128.102\ + \ soft-reconfiguration inbound\n exit-address-family\n \n\n -\ + \ path: /etc/frr/vtysh.conf\n owner: root\n permissions: 0644\n content:\ + \ |\n # Copyright 2023 Google LLC\n #\n # Licensed under the\ + \ Apache License, Version 2.0 (the \"License\");\n # you may not use\ + \ this file except in compliance with the License.\n # You may obtain\ + \ a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ + \ #\n # Unless required by applicable law or agreed to in writing,\ + \ software\n # distributed under the License is distributed on an \"\ + AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ + \ express or implied.\n # See the License for the specific language governing\ + \ permissions and\n # limitations under the License.\n \n #\ + \ This is a sample file used to remove warnings\n # when users open the\ + \ vtysh console.\n \n\n - path: /etc/profile.d/00-aliases.sh\n owner:\ + \ root\n permissions: 0644\n content: |\n alias vtysh='sudo docker\ + \ exec -it frr sh -c vtysh'\n\n - path: /etc/systemd/system/frr.service\n\ + \ owner: root\n permissions: 0644\n content: |\n # Copyright\ + \ 2023 Google LLC\n #\n # Licensed under the Apache License, Version\ + \ 2.0 (the \"License\");\n # you may not use this file except in compliance\ + \ with the License.\n # You may obtain a copy of the License at\n \ + \ #\n # 
http://www.apache.org/licenses/LICENSE-2.0\n #\n\ + \ # Unless required by applicable law or agreed to in writing, software\n\ + \ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\ + \ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\ + \ # See the License for the specific language governing permissions and\n\ + \ # limitations under the License.\n \n [Unit]\n Description=Start\ + \ FRR container\n After=gcr-online.target docker.socket\n Wants=gcr-online.target\ + \ docker.socket docker-events-collector.service\n [Service]\n Environment=\"\ + HOME=/home/frr\"\n ExecStart=/usr/bin/docker run --rm --name=frr \\\n\ + \ --privileged \\\n --network host \\\n -v /etc/frr:/etc/frr\ + \ \\\n frrouting/frr\n ExecStop=/usr/bin/docker stop frr\n \ + \ ExecStopPost=/usr/bin/docker rm frr\n \n\n - path: /var/lib/docker/daemon.json\n\ + \ owner: root\n permissions: 0644\n content: |\n {\n\ + \ \"live-restore\": true,\n \"storage-driver\"\ + : \"overlay2\",\n \"log-opts\": {\n \"max-size\"\ + : \"1024m\"\n }\n }\n \n\n - path: /var/run/nva/ipprefix_by_netmask.sh\n\ + \ owner: root\n permissions: 0744\n content: |\n #!/bin/bash\n\ + \ \n # Copyright 2023 Google LLC\n #\n # Licensed under\ + \ the Apache License, Version 2.0 (the \"License\");\n # you may not\ + \ use this file except in compliance with the License.\n # You may obtain\ + \ a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ + \ #\n # Unless required by applicable law or agreed to in writing,\ + \ software\n # distributed under the License is distributed on an \"\ + AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ + \ express or implied.\n # See the License for the specific language governing\ + \ permissions and\n # limitations under the License.\n \n #\ + \ https://stackoverflow.com/questions/50413579/bash-convert-netmask-in-cidr-notation\n\ + \ c=0 x=0$(printf '%o' ${1//./ })\n while [ $x -gt 0 ]; do\n \ + \ let 
c+=$((x % 2)) 'x>>=1'\n done\n echo $c\n \n\n -\ + \ path: /var/run/nva/policy_based_routing.sh\n owner: root\n permissions:\ + \ 0744\n content: |\n #!/bin/bash\n \n # Copyright 2023\ + \ Google LLC\n #\n # Licensed under the Apache License, Version\ + \ 2.0 (the \"License\");\n # you may not use this file except in compliance\ + \ with the License.\n # You may obtain a copy of the License at\n \ + \ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\ + \ # Unless required by applicable law or agreed to in writing, software\n\ + \ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\ + \ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\ + \ # See the License for the specific language governing permissions and\n\ + \ # limitations under the License.\n \n IF_NAME=$1\n IF_NUMBER=$(echo\ + \ $IF_NAME | sed -e s/eth//)\n IF_GW=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/gateway\ + \ -H \"Metadata-Flavor: Google\")\n IF_IP=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/ip\ + \ -H \"Metadata-Flavor: Google\")\n IF_NETMASK=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/subnetmask\ + \ -H \"Metadata-Flavor: Google\")\n IF_IP_PREFIX=$(/var/run/nva/ipprefix_by_netmask.sh\ + \ $IF_NETMASK)\n \n # Sleep while there's no load balancer IP route\ + \ for this IF\n while true\n do\n IPS_LB_STR=$(ip r show\ + \ table local | grep \"$IF_NAME proto 66\" | cut -f 2 -d \" \" | tr -s '\\\ + n' ' ')\n IPS_LB=($IPS_LB_STR)\n for IP in \"${IPS_LB[@]}\"\n\ + \ do\n # Configure hc routing table if not available for this\ + \ network interface\n grep -qxF \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\ + \ /etc/iproute2/rt_tables || {\n echo \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\ + \ >>/etc/iproute2/rt_tables\n ip route add $IF_GW src $IF_IP dev\ + \ $IF_NAME table hc-$IF_NAME\n ip route add default 
via $IF_GW\ + \ dev $IF_NAME table hc-$IF_NAME\n }\n \n # configure\ + \ PBR route for LB\n ip rule list | grep -qF \"$IP\" || ip rule add\ + \ from $IP/32 table hc-$IF_NAME\n done\n \n # remove previously\ + \ configure PBR for old LB removed from network interface\n # first\ + \ get list of PBR on this network interface and retrieve LB IP addresses\n\ + \ PBR_LB_IPS_STR=$(ip rule list | grep \"hc-$IF_NAME\" | cut -f 2 -d\ + \ \" \" | tr -s '\\n' ' ')\n PBR_LB_IPS=($PBR_LB_IPS_STR)\n \n\ + \ # iterate over PBR LB IP addresses\n for PBR_IP in \"${PBR_LB_IPS[@]}\"\ + \n do\n # check if the PBR LB IP belongs to the current array\ + \ of LB IPs attached to the\n # network interface, if not delete\ + \ the corresponding PBR rule\n if [ -z \"$IPS_LB\" ] || ! echo ${IPS_LB[@]}\ + \ | grep --quiet \"$PBR_IP\" ; then\n ip rule del from $PBR_IP\n\ + \ fi\n done\n sleep 2\n done\n \n\n\n -\ + \ path: /etc/systemd/system/routing.service\n permissions: 0644\n owner:\ + \ root\n content: |\n [Install]\n WantedBy=multi-user.target\n\ + \ [Unit]\n Description=Start routing\n After=network-online.target\n\ + \ Wants=network-online.target\n [Service]\n RemainAfterExit=true\n\ + \ ExecStart=/bin/sh -c \"/var/run/nva/start-routing.sh\"\n - path: /var/run/nva/start-routing.sh\n\ + \ permissions: 0744\n owner: root\n content: |\n iptables --policy\ + \ FORWARD ACCEPT\n /var/run/nva/policy_based_routing.sh eth0 &>/dev/null\ + \ &\n iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n ip\ + \ route add 10.64.127.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\ + \ -H \"Metadata-Flavor:Google\"` dev eth0\n ip route add 10.80.127.0/17\ + \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\ + \ -H \"Metadata-Flavor:Google\"` dev eth0\n /var/run/nva/policy_based_routing.sh\ + \ eth1 &>/dev/null &\n ip route add 10.64.0.0/17 via `curl 
http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\ + \ -H \"Metadata-Flavor:Google\"` dev eth1\n ip route add 10.80.0.0/17\ + \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\ + \ -H \"Metadata-Flavor:Google\"` dev eth1\n iptables -A INPUT -p tcp\ + \ --dport 179 -j ACCEPT\n\nbootcmd:\n - systemctl start node-problem-detector\n\ + \nruncmd:\n - systemctl daemon-reload\n - systemctl enable routing\n -\ + \ systemctl start routing\n - systemctl start frr\n" + metadata_startup_script: null + name: nva-ew1-b + network_interface: + - access_config: [] + alias_ip_range: [] + ipv6_access_config: [] + network_ip: 10.64.128.101 + nic_type: null + queue_count: null + security_policy: null + - access_config: [] + alias_ip_range: [] + ipv6_access_config: [] + network_ip: 10.64.0.101 + nic_type: null + queue_count: null + security_policy: null + network_performance_config: [] + params: [] + project: fast2-prod-net-landing-0 + resource_policies: null + scheduling: + - automatic_restart: true + instance_termination_action: null + local_ssd_recovery_timeout: [] + maintenance_interval: null + max_run_duration: [] + min_node_cpus: null + node_affinities: [] + on_host_maintenance: MIGRATE + preemptible: false + provisioning_model: STANDARD + scratch_disk: [] + service_account: + - scopes: + - https://www.googleapis.com/auth/devstorage.read_only + - https://www.googleapis.com/auth/logging.write + - https://www.googleapis.com/auth/monitoring.write + shielded_instance_config: [] + tags: + - nva + timeouts: null + zone: europe-west1-b + module.nva["primary-c"].google_compute_instance.default[0]: + advanced_machine_features: [] + allow_stopping_for_update: true + attached_disk: [] + boot_disk: + - auto_delete: true + disk_encryption_key_raw: null + initialize_params: + - enable_confidential_compute: null + image: projects/cos-cloud/global/images/family/cos-stable + resource_manager_tags: null + 
size: 10 + type: pd-balanced + mode: READ_WRITE + can_ip_forward: true + deletion_protection: false + description: Managed by the compute-vm Terraform module. + desired_status: null + enable_display: false + hostname: null + labels: null + machine_type: e2-standard-2 + metadata: + user-data: "#cloud-config\n\n# Copyright 2023 Google LLC\n#\n# Licensed under\ + \ the Apache License, Version 2.0 (the \"License\");\n# you may not use this\ + \ file except in compliance with the License.\n# You may obtain a copy of\ + \ the License at\n#\n# https://www.apache.org/licenses/LICENSE-2.0\n#\n\ + # Unless required by applicable law or agreed to in writing, software\n# distributed\ + \ under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES\ + \ OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License\ + \ for the specific language governing permissions and\n# limitations under\ + \ the License.\n\nwrite_files:\n\n - path: /etc/frr/daemons\n owner: root\n\ + \ permissions: 0744\n content: |\n # Copyright 2023 Google LLC\n\ + \ #\n # Licensed under the Apache License, Version 2.0 (the \"License\"\ + );\n # you may not use this file except in compliance with the License.\n\ + \ # You may obtain a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ + \ #\n # Unless required by applicable law or agreed to in writing,\ + \ software\n # distributed under the License is distributed on an \"\ + AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ + \ express or implied.\n # See the License for the specific language governing\ + \ permissions and\n # limitations under the License.\n \n zebra=no\n\ + \ bgpd=yes\n ospfd=no\n ospf6d=no\n ripd=no\n ripngd=no\n\ + \ isisd=no\n pimd=no\n ldpd=no\n nhrpd=no\n eigrpd=no\n\ + \ babeld=no\n sharpd=no\n staticd=no\n pbrd=no\n \ + \ bfdd=no\n fabricd=no\n \n # If this option is set the /etc/init.d/frr\ + \ script automatically loads\n # the config via \"vtysh -b\" 
when the\ + \ servers are started.\n # Check /etc/pam.d/frr if you intend to use\ + \ \"vtysh\"!\n \n vtysh_enable=yes\n zebra_options=\" -A 127.0.0.1\ + \ -s 90000000\"\n bgpd_options=\" -A 127.0.0.1\"\n ospfd_options=\"\ + \ --daemon -A 127.0.0.1\"\n ospf6d_options=\" --daemon -A ::1\"\n \ + \ ripd_options=\" --daemon -A 127.0.0.1\"\n ripngd_options=\" --daemon\ + \ -A ::1\"\n isisd_options=\" --daemon -A 127.0.0.1\"\n pimd_options=\"\ + \ --daemon -A 127.0.0.1\"\n ldpd_options=\" --daemon -A 127.0.0.1\"\ + \n nhrpd_options=\" --daemon -A 127.0.0.1\"\n eigrpd_options=\"\ + \ --daemon -A 127.0.0.1\"\n babeld_options=\" --daemon -A 127.0.0.1\"\ + \n sharpd_options=\" --daemon -A 127.0.0.1\"\n staticd_options=\"\ + \ --daemon -A 127.0.0.1\"\n pbrd_options=\" --daemon -A 127.0.0.1\"\ + \n bfdd_options=\" --daemon -A 127.0.0.1\"\n fabricd_options=\"\ + \ --daemon -A 127.0.0.1\"\n \n #MAX_FDS=1024\n # The list\ + \ of daemons to watch is automatically generated by the init script.\n \ + \ #watchfrr_options=\"\"\n \n # for debugging purposes, you can\ + \ specify a \"wrap\" command to start instead\n # of starting the daemon\ + \ directly, e.g. to use valgrind on ospfd:\n # ospfd_wrap=\"/usr/bin/valgrind\"\ + \n # or you can use \"all_wrap\" for all daemons, e.g. 
to use perf record:\n\ + \ # all_wrap=\"/usr/bin/perf record --call-graph -\"\n # the normal\ + \ daemon command is added to this at the end.\n \n\n - path: /etc/frr/frr.conf\n\ + \ owner: root\n permissions: 0744\n content: |\n # NVAs configuration\ + \ template\n \n log syslog informational\n no ipv6 forwarding\n\ + \ service integrated-vtysh-config\n \n interface lo\n \ + \ ip address 10.64.128.102/32\n \n ip prefix-list DEFAULT seq 10\ + \ permit 0.0.0.0/0\n !\n ip prefix-list PRIMARY seq 10 permit 10.64.0.0/17\n\ + \ ip prefix-list PRIMARY seq 20 permit 10.68.0.0/16\n ip prefix-list\ + \ PRIMARY seq 30 permit 10.72.0.0/16\n !\n ip prefix-list SECONDARY\ + \ seq 10 permit 10.80.0.0/17\n ip prefix-list SECONDARY seq 20 permit\ + \ 10.84.0.0/16\n ip prefix-list SECONDARY seq 30 permit 10.88.0.0/16\n\ + \ \n route-map TO-DMZ permit 10\n match ip address\ + \ prefix-list PRIMARY\n set metric 100\n !\n route-map TO-DMZ\ + \ permit 20\n match ip address prefix-list SECONDARY\n set metric\ + \ 10100\n !\n route-map TO-LANDING permit 10\n match ip address\ + \ prefix-list DEFAULT\n set metric 100\n !\n route-map TO-NVA\ + \ permit 10\n match ip address prefix-list PRIMARY\n set metric\ + \ 50\n \n router bgp 64513\n bgp router-id 10.64.128.102\n\ + \ bgp bestpath as-path ignore\n bgp disable-ebgp-connected-route-check\n\ + \ bgp timers 20 60\n !\n no bgp ebgp-requires-policy\n \ + \ no bgp network import-check\n !\n neighbor 10.64.128.201\ + \ remote-as 64512\n neighbor 10.64.128.202 remote-as 64512\n !\n\ + \ neighbor 10.64.0.201 remote-as 64515\n neighbor 10.64.0.201\ + \ update-source 10.64.0.102\n neighbor 10.64.0.202 remote-as 64515\n\ + \ neighbor 10.64.0.202 update-source 10.64.0.102\n !\n neighbor\ + \ 10.80.128.101 remote-as 64514\n neighbor 10.80.128.101 ebgp-multihop\ + \ 2\n neighbor 10.80.128.102 remote-as 64514\n neighbor 10.80.128.102\ + \ ebgp-multihop 2\n !\n address-family ipv4 unicast\n neighbor\ + \ 10.64.128.201 route-map TO-DMZ out\n neighbor 
10.64.128.201\ + \ soft-reconfiguration inbound\n !\n neighbor 10.64.128.202 route-map\ + \ TO-DMZ out\n neighbor 10.64.128.202 soft-reconfiguration inbound\n\ + \ !\n neighbor 10.64.0.201 route-map TO-LANDING out\n neighbor\ + \ 10.64.0.201 soft-reconfiguration inbound\n !\n neighbor 10.64.0.202\ + \ route-map TO-LANDING out\n neighbor 10.64.0.202 soft-reconfiguration\ + \ inbound\n !\n neighbor 10.80.128.101 route-map TO-NVA out\n\ + \ neighbor 10.80.128.101 soft-reconfiguration inbound\n !\n \ + \ neighbor 10.80.128.102 route-map TO-NVA out\n neighbor 10.80.128.102\ + \ soft-reconfiguration inbound\n exit-address-family\n \n\n -\ + \ path: /etc/frr/vtysh.conf\n owner: root\n permissions: 0644\n content:\ + \ |\n # Copyright 2023 Google LLC\n #\n # Licensed under the\ + \ Apache License, Version 2.0 (the \"License\");\n # you may not use\ + \ this file except in compliance with the License.\n # You may obtain\ + \ a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ + \ #\n # Unless required by applicable law or agreed to in writing,\ + \ software\n # distributed under the License is distributed on an \"\ + AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ + \ express or implied.\n # See the License for the specific language governing\ + \ permissions and\n # limitations under the License.\n \n #\ + \ This is a sample file used to remove warnings\n # when users open the\ + \ vtysh console.\n \n\n - path: /etc/profile.d/00-aliases.sh\n owner:\ + \ root\n permissions: 0644\n content: |\n alias vtysh='sudo docker\ + \ exec -it frr sh -c vtysh'\n\n - path: /etc/systemd/system/frr.service\n\ + \ owner: root\n permissions: 0644\n content: |\n # Copyright\ + \ 2023 Google LLC\n #\n # Licensed under the Apache License, Version\ + \ 2.0 (the \"License\");\n # you may not use this file except in compliance\ + \ with the License.\n # You may obtain a copy of the License at\n \ + \ #\n # 
http://www.apache.org/licenses/LICENSE-2.0\n #\n\ + \ # Unless required by applicable law or agreed to in writing, software\n\ + \ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\ + \ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\ + \ # See the License for the specific language governing permissions and\n\ + \ # limitations under the License.\n \n [Unit]\n Description=Start\ + \ FRR container\n After=gcr-online.target docker.socket\n Wants=gcr-online.target\ + \ docker.socket docker-events-collector.service\n [Service]\n Environment=\"\ + HOME=/home/frr\"\n ExecStart=/usr/bin/docker run --rm --name=frr \\\n\ + \ --privileged \\\n --network host \\\n -v /etc/frr:/etc/frr\ + \ \\\n frrouting/frr\n ExecStop=/usr/bin/docker stop frr\n \ + \ ExecStopPost=/usr/bin/docker rm frr\n \n\n - path: /var/lib/docker/daemon.json\n\ + \ owner: root\n permissions: 0644\n content: |\n {\n\ + \ \"live-restore\": true,\n \"storage-driver\"\ + : \"overlay2\",\n \"log-opts\": {\n \"max-size\"\ + : \"1024m\"\n }\n }\n \n\n - path: /var/run/nva/ipprefix_by_netmask.sh\n\ + \ owner: root\n permissions: 0744\n content: |\n #!/bin/bash\n\ + \ \n # Copyright 2023 Google LLC\n #\n # Licensed under\ + \ the Apache License, Version 2.0 (the \"License\");\n # you may not\ + \ use this file except in compliance with the License.\n # You may obtain\ + \ a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ + \ #\n # Unless required by applicable law or agreed to in writing,\ + \ software\n # distributed under the License is distributed on an \"\ + AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ + \ express or implied.\n # See the License for the specific language governing\ + \ permissions and\n # limitations under the License.\n \n #\ + \ https://stackoverflow.com/questions/50413579/bash-convert-netmask-in-cidr-notation\n\ + \ c=0 x=0$(printf '%o' ${1//./ })\n while [ $x -gt 0 ]; do\n \ + \ let 
c+=$((x % 2)) 'x>>=1'\n done\n echo $c\n \n\n -\ + \ path: /var/run/nva/policy_based_routing.sh\n owner: root\n permissions:\ + \ 0744\n content: |\n #!/bin/bash\n \n # Copyright 2023\ + \ Google LLC\n #\n # Licensed under the Apache License, Version\ + \ 2.0 (the \"License\");\n # you may not use this file except in compliance\ + \ with the License.\n # You may obtain a copy of the License at\n \ + \ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\ + \ # Unless required by applicable law or agreed to in writing, software\n\ + \ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\ + \ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\ + \ # See the License for the specific language governing permissions and\n\ + \ # limitations under the License.\n \n IF_NAME=$1\n IF_NUMBER=$(echo\ + \ $IF_NAME | sed -e s/eth//)\n IF_GW=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/gateway\ + \ -H \"Metadata-Flavor: Google\")\n IF_IP=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/ip\ + \ -H \"Metadata-Flavor: Google\")\n IF_NETMASK=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/subnetmask\ + \ -H \"Metadata-Flavor: Google\")\n IF_IP_PREFIX=$(/var/run/nva/ipprefix_by_netmask.sh\ + \ $IF_NETMASK)\n \n # Sleep while there's no load balancer IP route\ + \ for this IF\n while true\n do\n IPS_LB_STR=$(ip r show\ + \ table local | grep \"$IF_NAME proto 66\" | cut -f 2 -d \" \" | tr -s '\\\ + n' ' ')\n IPS_LB=($IPS_LB_STR)\n for IP in \"${IPS_LB[@]}\"\n\ + \ do\n # Configure hc routing table if not available for this\ + \ network interface\n grep -qxF \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\ + \ /etc/iproute2/rt_tables || {\n echo \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\ + \ >>/etc/iproute2/rt_tables\n ip route add $IF_GW src $IF_IP dev\ + \ $IF_NAME table hc-$IF_NAME\n ip route add default 
via $IF_GW\ + \ dev $IF_NAME table hc-$IF_NAME\n }\n \n # configure\ + \ PBR route for LB\n ip rule list | grep -qF \"$IP\" || ip rule add\ + \ from $IP/32 table hc-$IF_NAME\n done\n \n # remove previously\ + \ configure PBR for old LB removed from network interface\n # first\ + \ get list of PBR on this network interface and retrieve LB IP addresses\n\ + \ PBR_LB_IPS_STR=$(ip rule list | grep \"hc-$IF_NAME\" | cut -f 2 -d\ + \ \" \" | tr -s '\\n' ' ')\n PBR_LB_IPS=($PBR_LB_IPS_STR)\n \n\ + \ # iterate over PBR LB IP addresses\n for PBR_IP in \"${PBR_LB_IPS[@]}\"\ + \n do\n # check if the PBR LB IP belongs to the current array\ + \ of LB IPs attached to the\n # network interface, if not delete\ + \ the corresponding PBR rule\n if [ -z \"$IPS_LB\" ] || ! echo ${IPS_LB[@]}\ + \ | grep --quiet \"$PBR_IP\" ; then\n ip rule del from $PBR_IP\n\ + \ fi\n done\n sleep 2\n done\n \n\n\n -\ + \ path: /etc/systemd/system/routing.service\n permissions: 0644\n owner:\ + \ root\n content: |\n [Install]\n WantedBy=multi-user.target\n\ + \ [Unit]\n Description=Start routing\n After=network-online.target\n\ + \ Wants=network-online.target\n [Service]\n RemainAfterExit=true\n\ + \ ExecStart=/bin/sh -c \"/var/run/nva/start-routing.sh\"\n - path: /var/run/nva/start-routing.sh\n\ + \ permissions: 0744\n owner: root\n content: |\n iptables --policy\ + \ FORWARD ACCEPT\n /var/run/nva/policy_based_routing.sh eth0 &>/dev/null\ + \ &\n iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n ip\ + \ route add 10.64.127.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\ + \ -H \"Metadata-Flavor:Google\"` dev eth0\n ip route add 10.80.127.0/17\ + \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\ + \ -H \"Metadata-Flavor:Google\"` dev eth0\n /var/run/nva/policy_based_routing.sh\ + \ eth1 &>/dev/null &\n ip route add 10.64.0.0/17 via `curl 
http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\ + \ -H \"Metadata-Flavor:Google\"` dev eth1\n ip route add 10.80.0.0/17\ + \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\ + \ -H \"Metadata-Flavor:Google\"` dev eth1\n iptables -A INPUT -p tcp\ + \ --dport 179 -j ACCEPT\n\nbootcmd:\n - systemctl start node-problem-detector\n\ + \nruncmd:\n - systemctl daemon-reload\n - systemctl enable routing\n -\ + \ systemctl start routing\n - systemctl start frr\n" + metadata_startup_script: null + name: nva-ew1-c + network_interface: + - access_config: [] + alias_ip_range: [] + ipv6_access_config: [] + network_ip: 10.64.128.102 + nic_type: null + queue_count: null + security_policy: null + - access_config: [] + alias_ip_range: [] + ipv6_access_config: [] + network_ip: 10.64.0.102 + nic_type: null + queue_count: null + security_policy: null + network_performance_config: [] + params: [] + project: fast2-prod-net-landing-0 + resource_policies: null + scheduling: + - automatic_restart: true + instance_termination_action: null + local_ssd_recovery_timeout: [] + maintenance_interval: null + max_run_duration: [] + min_node_cpus: null + node_affinities: [] + on_host_maintenance: MIGRATE + preemptible: false + provisioning_model: STANDARD + scratch_disk: [] + service_account: + - scopes: + - https://www.googleapis.com/auth/devstorage.read_only + - https://www.googleapis.com/auth/logging.write + - https://www.googleapis.com/auth/monitoring.write + shielded_instance_config: [] + tags: + - nva + timeouts: null + zone: europe-west1-c + module.nva["secondary-b"].google_compute_instance.default[0]: + advanced_machine_features: [] + allow_stopping_for_update: true + attached_disk: [] + boot_disk: + - auto_delete: true + disk_encryption_key_raw: null + initialize_params: + - enable_confidential_compute: null + image: projects/cos-cloud/global/images/family/cos-stable + resource_manager_tags: null + 
size: 10 + type: pd-balanced + mode: READ_WRITE + can_ip_forward: true + deletion_protection: false + description: Managed by the compute-vm Terraform module. + desired_status: null + enable_display: false + hostname: null + labels: null + machine_type: e2-standard-2 + metadata: + user-data: "#cloud-config\n\n# Copyright 2023 Google LLC\n#\n# Licensed under\ + \ the Apache License, Version 2.0 (the \"License\");\n# you may not use this\ + \ file except in compliance with the License.\n# You may obtain a copy of\ + \ the License at\n#\n# https://www.apache.org/licenses/LICENSE-2.0\n#\n\ + # Unless required by applicable law or agreed to in writing, software\n# distributed\ + \ under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES\ + \ OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License\ + \ for the specific language governing permissions and\n# limitations under\ + \ the License.\n\nwrite_files:\n\n - path: /etc/frr/daemons\n owner: root\n\ + \ permissions: 0744\n content: |\n # Copyright 2023 Google LLC\n\ + \ #\n # Licensed under the Apache License, Version 2.0 (the \"License\"\ + );\n # you may not use this file except in compliance with the License.\n\ + \ # You may obtain a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ + \ #\n # Unless required by applicable law or agreed to in writing,\ + \ software\n # distributed under the License is distributed on an \"\ + AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ + \ express or implied.\n # See the License for the specific language governing\ + \ permissions and\n # limitations under the License.\n \n zebra=no\n\ + \ bgpd=yes\n ospfd=no\n ospf6d=no\n ripd=no\n ripngd=no\n\ + \ isisd=no\n pimd=no\n ldpd=no\n nhrpd=no\n eigrpd=no\n\ + \ babeld=no\n sharpd=no\n staticd=no\n pbrd=no\n \ + \ bfdd=no\n fabricd=no\n \n # If this option is set the /etc/init.d/frr\ + \ script automatically loads\n # the config via \"vtysh -b\" 
when the\ + \ servers are started.\n # Check /etc/pam.d/frr if you intend to use\ + \ \"vtysh\"!\n \n vtysh_enable=yes\n zebra_options=\" -A 127.0.0.1\ + \ -s 90000000\"\n bgpd_options=\" -A 127.0.0.1\"\n ospfd_options=\"\ + \ --daemon -A 127.0.0.1\"\n ospf6d_options=\" --daemon -A ::1\"\n \ + \ ripd_options=\" --daemon -A 127.0.0.1\"\n ripngd_options=\" --daemon\ + \ -A ::1\"\n isisd_options=\" --daemon -A 127.0.0.1\"\n pimd_options=\"\ + \ --daemon -A 127.0.0.1\"\n ldpd_options=\" --daemon -A 127.0.0.1\"\ + \n nhrpd_options=\" --daemon -A 127.0.0.1\"\n eigrpd_options=\"\ + \ --daemon -A 127.0.0.1\"\n babeld_options=\" --daemon -A 127.0.0.1\"\ + \n sharpd_options=\" --daemon -A 127.0.0.1\"\n staticd_options=\"\ + \ --daemon -A 127.0.0.1\"\n pbrd_options=\" --daemon -A 127.0.0.1\"\ + \n bfdd_options=\" --daemon -A 127.0.0.1\"\n fabricd_options=\"\ + \ --daemon -A 127.0.0.1\"\n \n #MAX_FDS=1024\n # The list\ + \ of daemons to watch is automatically generated by the init script.\n \ + \ #watchfrr_options=\"\"\n \n # for debugging purposes, you can\ + \ specify a \"wrap\" command to start instead\n # of starting the daemon\ + \ directly, e.g. to use valgrind on ospfd:\n # ospfd_wrap=\"/usr/bin/valgrind\"\ + \n # or you can use \"all_wrap\" for all daemons, e.g. 
to use perf record:\n\ + \ # all_wrap=\"/usr/bin/perf record --call-graph -\"\n # the normal\ + \ daemon command is added to this at the end.\n \n\n - path: /etc/frr/frr.conf\n\ + \ owner: root\n permissions: 0744\n content: |\n # NVAs configuration\ + \ template\n \n log syslog informational\n no ipv6 forwarding\n\ + \ service integrated-vtysh-config\n \n interface lo\n \ + \ ip address 10.80.128.101/32\n \n ip prefix-list DEFAULT seq 10\ + \ permit 0.0.0.0/0\n !\n ip prefix-list PRIMARY seq 10 permit 10.64.0.0/17\n\ + \ ip prefix-list PRIMARY seq 20 permit 10.68.0.0/16\n ip prefix-list\ + \ PRIMARY seq 30 permit 10.72.0.0/16\n !\n ip prefix-list SECONDARY\ + \ seq 10 permit 10.80.0.0/17\n ip prefix-list SECONDARY seq 20 permit\ + \ 10.84.0.0/16\n ip prefix-list SECONDARY seq 30 permit 10.88.0.0/16\n\ + \ \n route-map TO-DMZ permit 10\n match ip address\ + \ prefix-list PRIMARY\n set metric 10100\n !\n route-map\ + \ TO-DMZ permit 20\n match ip address prefix-list SECONDARY\n\ + \ set metric 100\n !\n route-map TO-LANDING permit 10\n \ + \ match ip address prefix-list DEFAULT\n set metric 100\n \ + \ !\n route-map TO-NVA permit 10\n match ip address prefix-list\ + \ SECONDARY\n set metric 50\n \n router bgp 64514\n \ + \ bgp router-id 10.80.128.101\n bgp bestpath as-path ignore\n \ + \ bgp disable-ebgp-connected-route-check\n bgp timers 20 60\n \ + \ !\n no bgp ebgp-requires-policy\n no bgp network import-check\n\ + \ !\n neighbor 10.80.128.201 remote-as 64512\n neighbor 10.80.128.202\ + \ remote-as 64512\n !\n neighbor 10.80.0.201 remote-as 64515\n\ + \ neighbor 10.80.0.201 update-source 10.80.0.101\n neighbor 10.80.0.202\ + \ remote-as 64515\n neighbor 10.80.0.202 update-source 10.80.0.101\n\ + \ !\n neighbor 10.64.128.101 remote-as 64513\n neighbor 10.64.128.101\ + \ ebgp-multihop 2\n neighbor 10.64.128.102 remote-as 64513\n neighbor\ + \ 10.64.128.102 ebgp-multihop 2\n !\n address-family ipv4 unicast\n\ + \ neighbor 10.80.128.201 route-map TO-DMZ out\n 
neighbor\ + \ 10.80.128.201 soft-reconfiguration inbound\n !\n neighbor 10.80.128.202\ + \ route-map TO-DMZ out\n neighbor 10.80.128.202 soft-reconfiguration\ + \ inbound\n !\n neighbor 10.80.0.201 route-map TO-LANDING out\n\ + \ neighbor 10.80.0.201 soft-reconfiguration inbound\n !\n \ + \ neighbor 10.80.0.202 route-map TO-LANDING out\n neighbor 10.80.0.202\ + \ soft-reconfiguration inbound\n !\n neighbor 10.64.128.101 route-map\ + \ TO-NVA out\n neighbor 10.64.128.101 soft-reconfiguration inbound\n\ + \ !\n neighbor 10.64.128.102 route-map TO-NVA out\n neighbor\ + \ 10.64.128.102 soft-reconfiguration inbound\n exit-address-family\n\ + \ \n\n - path: /etc/frr/vtysh.conf\n owner: root\n permissions:\ + \ 0644\n content: |\n # Copyright 2023 Google LLC\n #\n \ + \ # Licensed under the Apache License, Version 2.0 (the \"License\");\n \ + \ # you may not use this file except in compliance with the License.\n\ + \ # You may obtain a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ + \ #\n # Unless required by applicable law or agreed to in writing,\ + \ software\n # distributed under the License is distributed on an \"\ + AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ + \ express or implied.\n # See the License for the specific language governing\ + \ permissions and\n # limitations under the License.\n \n #\ + \ This is a sample file used to remove warnings\n # when users open the\ + \ vtysh console.\n \n\n - path: /etc/profile.d/00-aliases.sh\n owner:\ + \ root\n permissions: 0644\n content: |\n alias vtysh='sudo docker\ + \ exec -it frr sh -c vtysh'\n\n - path: /etc/systemd/system/frr.service\n\ + \ owner: root\n permissions: 0644\n content: |\n # Copyright\ + \ 2023 Google LLC\n #\n # Licensed under the Apache License, Version\ + \ 2.0 (the \"License\");\n # you may not use this file except in compliance\ + \ with the License.\n # You may obtain a copy of the License at\n \ + \ #\n # 
http://www.apache.org/licenses/LICENSE-2.0\n #\n\ + \ # Unless required by applicable law or agreed to in writing, software\n\ + \ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\ + \ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\ + \ # See the License for the specific language governing permissions and\n\ + \ # limitations under the License.\n \n [Unit]\n Description=Start\ + \ FRR container\n After=gcr-online.target docker.socket\n Wants=gcr-online.target\ + \ docker.socket docker-events-collector.service\n [Service]\n Environment=\"\ + HOME=/home/frr\"\n ExecStart=/usr/bin/docker run --rm --name=frr \\\n\ + \ --privileged \\\n --network host \\\n -v /etc/frr:/etc/frr\ + \ \\\n frrouting/frr\n ExecStop=/usr/bin/docker stop frr\n \ + \ ExecStopPost=/usr/bin/docker rm frr\n \n\n - path: /var/lib/docker/daemon.json\n\ + \ owner: root\n permissions: 0644\n content: |\n {\n\ + \ \"live-restore\": true,\n \"storage-driver\"\ + : \"overlay2\",\n \"log-opts\": {\n \"max-size\"\ + : \"1024m\"\n }\n }\n \n\n - path: /var/run/nva/ipprefix_by_netmask.sh\n\ + \ owner: root\n permissions: 0744\n content: |\n #!/bin/bash\n\ + \ \n # Copyright 2023 Google LLC\n #\n # Licensed under\ + \ the Apache License, Version 2.0 (the \"License\");\n # you may not\ + \ use this file except in compliance with the License.\n # You may obtain\ + \ a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ + \ #\n # Unless required by applicable law or agreed to in writing,\ + \ software\n # distributed under the License is distributed on an \"\ + AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ + \ express or implied.\n # See the License for the specific language governing\ + \ permissions and\n # limitations under the License.\n \n #\ + \ https://stackoverflow.com/questions/50413579/bash-convert-netmask-in-cidr-notation\n\ + \ c=0 x=0$(printf '%o' ${1//./ })\n while [ $x -gt 0 ]; do\n \ + \ let 
c+=$((x % 2)) 'x>>=1'\n done\n echo $c\n \n\n -\ + \ path: /var/run/nva/policy_based_routing.sh\n owner: root\n permissions:\ + \ 0744\n content: |\n #!/bin/bash\n \n # Copyright 2023\ + \ Google LLC\n #\n # Licensed under the Apache License, Version\ + \ 2.0 (the \"License\");\n # you may not use this file except in compliance\ + \ with the License.\n # You may obtain a copy of the License at\n \ + \ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\ + \ # Unless required by applicable law or agreed to in writing, software\n\ + \ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\ + \ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\ + \ # See the License for the specific language governing permissions and\n\ + \ # limitations under the License.\n \n IF_NAME=$1\n IF_NUMBER=$(echo\ + \ $IF_NAME | sed -e s/eth//)\n IF_GW=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/gateway\ + \ -H \"Metadata-Flavor: Google\")\n IF_IP=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/ip\ + \ -H \"Metadata-Flavor: Google\")\n IF_NETMASK=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/subnetmask\ + \ -H \"Metadata-Flavor: Google\")\n IF_IP_PREFIX=$(/var/run/nva/ipprefix_by_netmask.sh\ + \ $IF_NETMASK)\n \n # Sleep while there's no load balancer IP route\ + \ for this IF\n while true\n do\n IPS_LB_STR=$(ip r show\ + \ table local | grep \"$IF_NAME proto 66\" | cut -f 2 -d \" \" | tr -s '\\\ + n' ' ')\n IPS_LB=($IPS_LB_STR)\n for IP in \"${IPS_LB[@]}\"\n\ + \ do\n # Configure hc routing table if not available for this\ + \ network interface\n grep -qxF \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\ + \ /etc/iproute2/rt_tables || {\n echo \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\ + \ >>/etc/iproute2/rt_tables\n ip route add $IF_GW src $IF_IP dev\ + \ $IF_NAME table hc-$IF_NAME\n ip route add default 
via $IF_GW\ + \ dev $IF_NAME table hc-$IF_NAME\n }\n \n # configure\ + \ PBR route for LB\n ip rule list | grep -qF \"$IP\" || ip rule add\ + \ from $IP/32 table hc-$IF_NAME\n done\n \n # remove previously\ + \ configure PBR for old LB removed from network interface\n # first\ + \ get list of PBR on this network interface and retrieve LB IP addresses\n\ + \ PBR_LB_IPS_STR=$(ip rule list | grep \"hc-$IF_NAME\" | cut -f 2 -d\ + \ \" \" | tr -s '\\n' ' ')\n PBR_LB_IPS=($PBR_LB_IPS_STR)\n \n\ + \ # iterate over PBR LB IP addresses\n for PBR_IP in \"${PBR_LB_IPS[@]}\"\ + \n do\n # check if the PBR LB IP belongs to the current array\ + \ of LB IPs attached to the\n # network interface, if not delete\ + \ the corresponding PBR rule\n if [ -z \"$IPS_LB\" ] || ! echo ${IPS_LB[@]}\ + \ | grep --quiet \"$PBR_IP\" ; then\n ip rule del from $PBR_IP\n\ + \ fi\n done\n sleep 2\n done\n \n\n\n -\ + \ path: /etc/systemd/system/routing.service\n permissions: 0644\n owner:\ + \ root\n content: |\n [Install]\n WantedBy=multi-user.target\n\ + \ [Unit]\n Description=Start routing\n After=network-online.target\n\ + \ Wants=network-online.target\n [Service]\n RemainAfterExit=true\n\ + \ ExecStart=/bin/sh -c \"/var/run/nva/start-routing.sh\"\n - path: /var/run/nva/start-routing.sh\n\ + \ permissions: 0744\n owner: root\n content: |\n iptables --policy\ + \ FORWARD ACCEPT\n /var/run/nva/policy_based_routing.sh eth0 &>/dev/null\ + \ &\n iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n ip\ + \ route add 10.64.127.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\ + \ -H \"Metadata-Flavor:Google\"` dev eth0\n ip route add 10.80.127.0/17\ + \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\ + \ -H \"Metadata-Flavor:Google\"` dev eth0\n /var/run/nva/policy_based_routing.sh\ + \ eth1 &>/dev/null &\n ip route add 10.64.0.0/17 via `curl 
http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\ + \ -H \"Metadata-Flavor:Google\"` dev eth1\n ip route add 10.80.0.0/17\ + \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\ + \ -H \"Metadata-Flavor:Google\"` dev eth1\n iptables -A INPUT -p tcp\ + \ --dport 179 -j ACCEPT\n\nbootcmd:\n - systemctl start node-problem-detector\n\ + \nruncmd:\n - systemctl daemon-reload\n - systemctl enable routing\n -\ + \ systemctl start routing\n - systemctl start frr\n" + metadata_startup_script: null + name: nva-ew4-b + network_interface: + - access_config: [] + alias_ip_range: [] + ipv6_access_config: [] + network_ip: 10.80.128.101 + nic_type: null + queue_count: null + security_policy: null + - access_config: [] + alias_ip_range: [] + ipv6_access_config: [] + network_ip: 10.80.0.101 + nic_type: null + queue_count: null + security_policy: null + network_performance_config: [] + params: [] + project: fast2-prod-net-landing-0 + resource_policies: null + scheduling: + - automatic_restart: true + instance_termination_action: null + local_ssd_recovery_timeout: [] + maintenance_interval: null + max_run_duration: [] + min_node_cpus: null + node_affinities: [] + on_host_maintenance: MIGRATE + preemptible: false + provisioning_model: STANDARD + scratch_disk: [] + service_account: + - scopes: + - https://www.googleapis.com/auth/devstorage.read_only + - https://www.googleapis.com/auth/logging.write + - https://www.googleapis.com/auth/monitoring.write + shielded_instance_config: [] + tags: + - nva + timeouts: null + zone: europe-west4-b + module.nva["secondary-c"].google_compute_instance.default[0]: + advanced_machine_features: [] + allow_stopping_for_update: true + attached_disk: [] + boot_disk: + - auto_delete: true + disk_encryption_key_raw: null + initialize_params: + - enable_confidential_compute: null + image: projects/cos-cloud/global/images/family/cos-stable + resource_manager_tags: null + 
size: 10 + type: pd-balanced + mode: READ_WRITE + can_ip_forward: true + deletion_protection: false + description: Managed by the compute-vm Terraform module. + desired_status: null + enable_display: false + hostname: null + labels: null + machine_type: e2-standard-2 + metadata: + user-data: "#cloud-config\n\n# Copyright 2023 Google LLC\n#\n# Licensed under\ + \ the Apache License, Version 2.0 (the \"License\");\n# you may not use this\ + \ file except in compliance with the License.\n# You may obtain a copy of\ + \ the License at\n#\n# https://www.apache.org/licenses/LICENSE-2.0\n#\n\ + # Unless required by applicable law or agreed to in writing, software\n# distributed\ + \ under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES\ + \ OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License\ + \ for the specific language governing permissions and\n# limitations under\ + \ the License.\n\nwrite_files:\n\n - path: /etc/frr/daemons\n owner: root\n\ + \ permissions: 0744\n content: |\n # Copyright 2023 Google LLC\n\ + \ #\n # Licensed under the Apache License, Version 2.0 (the \"License\"\ + );\n # you may not use this file except in compliance with the License.\n\ + \ # You may obtain a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ + \ #\n # Unless required by applicable law or agreed to in writing,\ + \ software\n # distributed under the License is distributed on an \"\ + AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ + \ express or implied.\n # See the License for the specific language governing\ + \ permissions and\n # limitations under the License.\n \n zebra=no\n\ + \ bgpd=yes\n ospfd=no\n ospf6d=no\n ripd=no\n ripngd=no\n\ + \ isisd=no\n pimd=no\n ldpd=no\n nhrpd=no\n eigrpd=no\n\ + \ babeld=no\n sharpd=no\n staticd=no\n pbrd=no\n \ + \ bfdd=no\n fabricd=no\n \n # If this option is set the /etc/init.d/frr\ + \ script automatically loads\n # the config via \"vtysh -b\" 
when the\ + \ servers are started.\n # Check /etc/pam.d/frr if you intend to use\ + \ \"vtysh\"!\n \n vtysh_enable=yes\n zebra_options=\" -A 127.0.0.1\ + \ -s 90000000\"\n bgpd_options=\" -A 127.0.0.1\"\n ospfd_options=\"\ + \ --daemon -A 127.0.0.1\"\n ospf6d_options=\" --daemon -A ::1\"\n \ + \ ripd_options=\" --daemon -A 127.0.0.1\"\n ripngd_options=\" --daemon\ + \ -A ::1\"\n isisd_options=\" --daemon -A 127.0.0.1\"\n pimd_options=\"\ + \ --daemon -A 127.0.0.1\"\n ldpd_options=\" --daemon -A 127.0.0.1\"\ + \n nhrpd_options=\" --daemon -A 127.0.0.1\"\n eigrpd_options=\"\ + \ --daemon -A 127.0.0.1\"\n babeld_options=\" --daemon -A 127.0.0.1\"\ + \n sharpd_options=\" --daemon -A 127.0.0.1\"\n staticd_options=\"\ + \ --daemon -A 127.0.0.1\"\n pbrd_options=\" --daemon -A 127.0.0.1\"\ + \n bfdd_options=\" --daemon -A 127.0.0.1\"\n fabricd_options=\"\ + \ --daemon -A 127.0.0.1\"\n \n #MAX_FDS=1024\n # The list\ + \ of daemons to watch is automatically generated by the init script.\n \ + \ #watchfrr_options=\"\"\n \n # for debugging purposes, you can\ + \ specify a \"wrap\" command to start instead\n # of starting the daemon\ + \ directly, e.g. to use valgrind on ospfd:\n # ospfd_wrap=\"/usr/bin/valgrind\"\ + \n # or you can use \"all_wrap\" for all daemons, e.g. 
to use perf record:\n\ + \ # all_wrap=\"/usr/bin/perf record --call-graph -\"\n # the normal\ + \ daemon command is added to this at the end.\n \n\n - path: /etc/frr/frr.conf\n\ + \ owner: root\n permissions: 0744\n content: |\n # NVAs configuration\ + \ template\n \n log syslog informational\n no ipv6 forwarding\n\ + \ service integrated-vtysh-config\n \n interface lo\n \ + \ ip address 10.80.128.102/32\n \n ip prefix-list DEFAULT seq 10\ + \ permit 0.0.0.0/0\n !\n ip prefix-list PRIMARY seq 10 permit 10.64.0.0/17\n\ + \ ip prefix-list PRIMARY seq 20 permit 10.68.0.0/16\n ip prefix-list\ + \ PRIMARY seq 30 permit 10.72.0.0/16\n !\n ip prefix-list SECONDARY\ + \ seq 10 permit 10.80.0.0/17\n ip prefix-list SECONDARY seq 20 permit\ + \ 10.84.0.0/16\n ip prefix-list SECONDARY seq 30 permit 10.88.0.0/16\n\ + \ \n route-map TO-DMZ permit 10\n match ip address\ + \ prefix-list PRIMARY\n set metric 10100\n !\n route-map\ + \ TO-DMZ permit 20\n match ip address prefix-list SECONDARY\n\ + \ set metric 100\n !\n route-map TO-LANDING permit 10\n \ + \ match ip address prefix-list DEFAULT\n set metric 100\n \ + \ !\n route-map TO-NVA permit 10\n match ip address prefix-list\ + \ SECONDARY\n set metric 50\n \n router bgp 64514\n \ + \ bgp router-id 10.80.128.102\n bgp bestpath as-path ignore\n \ + \ bgp disable-ebgp-connected-route-check\n bgp timers 20 60\n \ + \ !\n no bgp ebgp-requires-policy\n no bgp network import-check\n\ + \ !\n neighbor 10.80.128.201 remote-as 64512\n neighbor 10.80.128.202\ + \ remote-as 64512\n !\n neighbor 10.80.0.201 remote-as 64515\n\ + \ neighbor 10.80.0.201 update-source 10.80.0.102\n neighbor 10.80.0.202\ + \ remote-as 64515\n neighbor 10.80.0.202 update-source 10.80.0.102\n\ + \ !\n neighbor 10.64.128.101 remote-as 64513\n neighbor 10.64.128.101\ + \ ebgp-multihop 2\n neighbor 10.64.128.102 remote-as 64513\n neighbor\ + \ 10.64.128.102 ebgp-multihop 2\n !\n address-family ipv4 unicast\n\ + \ neighbor 10.80.128.201 route-map TO-DMZ out\n 
neighbor\ + \ 10.80.128.201 soft-reconfiguration inbound\n !\n neighbor 10.80.128.202\ + \ route-map TO-DMZ out\n neighbor 10.80.128.202 soft-reconfiguration\ + \ inbound\n !\n neighbor 10.80.0.201 route-map TO-LANDING out\n\ + \ neighbor 10.80.0.201 soft-reconfiguration inbound\n !\n \ + \ neighbor 10.80.0.202 route-map TO-LANDING out\n neighbor 10.80.0.202\ + \ soft-reconfiguration inbound\n !\n neighbor 10.64.128.101 route-map\ + \ TO-NVA out\n neighbor 10.64.128.101 soft-reconfiguration inbound\n\ + \ !\n neighbor 10.64.128.102 route-map TO-NVA out\n neighbor\ + \ 10.64.128.102 soft-reconfiguration inbound\n exit-address-family\n\ + \ \n\n - path: /etc/frr/vtysh.conf\n owner: root\n permissions:\ + \ 0644\n content: |\n # Copyright 2023 Google LLC\n #\n \ + \ # Licensed under the Apache License, Version 2.0 (the \"License\");\n \ + \ # you may not use this file except in compliance with the License.\n\ + \ # You may obtain a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ + \ #\n # Unless required by applicable law or agreed to in writing,\ + \ software\n # distributed under the License is distributed on an \"\ + AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ + \ express or implied.\n # See the License for the specific language governing\ + \ permissions and\n # limitations under the License.\n \n #\ + \ This is a sample file used to remove warnings\n # when users open the\ + \ vtysh console.\n \n\n - path: /etc/profile.d/00-aliases.sh\n owner:\ + \ root\n permissions: 0644\n content: |\n alias vtysh='sudo docker\ + \ exec -it frr sh -c vtysh'\n\n - path: /etc/systemd/system/frr.service\n\ + \ owner: root\n permissions: 0644\n content: |\n # Copyright\ + \ 2023 Google LLC\n #\n # Licensed under the Apache License, Version\ + \ 2.0 (the \"License\");\n # you may not use this file except in compliance\ + \ with the License.\n # You may obtain a copy of the License at\n \ + \ #\n # 
http://www.apache.org/licenses/LICENSE-2.0\n #\n\ + \ # Unless required by applicable law or agreed to in writing, software\n\ + \ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\ + \ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\ + \ # See the License for the specific language governing permissions and\n\ + \ # limitations under the License.\n \n [Unit]\n Description=Start\ + \ FRR container\n After=gcr-online.target docker.socket\n Wants=gcr-online.target\ + \ docker.socket docker-events-collector.service\n [Service]\n Environment=\"\ + HOME=/home/frr\"\n ExecStart=/usr/bin/docker run --rm --name=frr \\\n\ + \ --privileged \\\n --network host \\\n -v /etc/frr:/etc/frr\ + \ \\\n frrouting/frr\n ExecStop=/usr/bin/docker stop frr\n \ + \ ExecStopPost=/usr/bin/docker rm frr\n \n\n - path: /var/lib/docker/daemon.json\n\ + \ owner: root\n permissions: 0644\n content: |\n {\n\ + \ \"live-restore\": true,\n \"storage-driver\"\ + : \"overlay2\",\n \"log-opts\": {\n \"max-size\"\ + : \"1024m\"\n }\n }\n \n\n - path: /var/run/nva/ipprefix_by_netmask.sh\n\ + \ owner: root\n permissions: 0744\n content: |\n #!/bin/bash\n\ + \ \n # Copyright 2023 Google LLC\n #\n # Licensed under\ + \ the Apache License, Version 2.0 (the \"License\");\n # you may not\ + \ use this file except in compliance with the License.\n # You may obtain\ + \ a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ + \ #\n # Unless required by applicable law or agreed to in writing,\ + \ software\n # distributed under the License is distributed on an \"\ + AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ + \ express or implied.\n # See the License for the specific language governing\ + \ permissions and\n # limitations under the License.\n \n #\ + \ https://stackoverflow.com/questions/50413579/bash-convert-netmask-in-cidr-notation\n\ + \ c=0 x=0$(printf '%o' ${1//./ })\n while [ $x -gt 0 ]; do\n \ + \ let 
c+=$((x % 2)) 'x>>=1'\n done\n echo $c\n \n\n -\
+ \ path: /var/run/nva/policy_based_routing.sh\n owner: root\n permissions:\
+ \ 0744\n content: |\n #!/bin/bash\n \n # Copyright 2023\
+ \ Google LLC\n #\n # Licensed under the Apache License, Version\
+ \ 2.0 (the \"License\");\n # you may not use this file except in compliance\
+ \ with the License.\n # You may obtain a copy of the License at\n \
+ \ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\
+ \ # Unless required by applicable law or agreed to in writing, software\n\
+ \ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\
+ \ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\
+ \ # See the License for the specific language governing permissions and\n\
+ \ # limitations under the License.\n \n IF_NAME=$1\n IF_NUMBER=$(echo\
+ \ $IF_NAME | sed -e s/eth//)\n IF_GW=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/gateway\
+ \ -H \"Metadata-Flavor: Google\")\n IF_IP=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/ip\
+ \ -H \"Metadata-Flavor: Google\")\n IF_NETMASK=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/subnetmask\
+ \ -H \"Metadata-Flavor: Google\")\n IF_IP_PREFIX=$(/var/run/nva/ipprefix_by_netmask.sh\
+ \ $IF_NETMASK)\n \n # Sleep while there's no load balancer IP route\
+ \ for this IF\n while true\n do\n IPS_LB_STR=$(ip r show\
+ \ table local | grep \"$IF_NAME proto 66\" | cut -f 2 -d \" \" | tr -s '\\\
+ n' ' ')\n IPS_LB=($IPS_LB_STR)\n for IP in \"${IPS_LB[@]}\"\n\
+ \ do\n # Configure hc routing table if not available for this\
+ \ network interface\n grep -qxF \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\
+ \ /etc/iproute2/rt_tables || {\n echo \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\
+ \ >>/etc/iproute2/rt_tables\n ip route add $IF_GW src $IF_IP dev\
+ \ $IF_NAME table hc-$IF_NAME\n ip route add default via $IF_GW\
+ \ dev $IF_NAME table hc-$IF_NAME\n }\n \n # configure\
+ \ PBR route for LB\n ip rule list | grep -qF \"$IP\" || ip rule add\
+ \ from $IP/32 table hc-$IF_NAME\n done\n \n # remove previously\
+ \ configure PBR for old LB removed from network interface\n # first\
+ \ get list of PBR on this network interface and retrieve LB IP addresses\n\
+ \ PBR_LB_IPS_STR=$(ip rule list | grep \"hc-$IF_NAME\" | cut -f 2 -d\
+ \ \" \" | tr -s '\\n' ' ')\n PBR_LB_IPS=($PBR_LB_IPS_STR)\n \n\
+ \ # iterate over PBR LB IP addresses\n for PBR_IP in \"${PBR_LB_IPS[@]}\"\
+ \n do\n # check if the PBR LB IP belongs to the current array\
+ \ of LB IPs attached to the\n # network interface, if not delete\
+ \ the corresponding PBR rule\n if [ -z \"$IPS_LB\" ] || ! echo ${IPS_LB[@]}\
+ \ | grep --quiet \"$PBR_IP\" ; then\n ip rule del from $PBR_IP\n\
+ \ fi\n done\n sleep 2\n done\n \n\n\n -\
+ \ path: /etc/systemd/system/routing.service\n permissions: 0644\n owner:\
+ \ root\n content: |\n [Install]\n WantedBy=multi-user.target\n\
+ \ [Unit]\n Description=Start routing\n After=network-online.target\n\
+ \ Wants=network-online.target\n [Service]\n RemainAfterExit=true\n\
+ \ ExecStart=/bin/sh -c \"/var/run/nva/start-routing.sh\"\n - path: /var/run/nva/start-routing.sh\n\
+ \ permissions: 0744\n owner: root\n content: |\n iptables --policy\
+ \ FORWARD ACCEPT\n /var/run/nva/policy_based_routing.sh eth0 &>/dev/null\
+ \ &\n iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n ip\
+ \ route add 10.64.127.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
+ \ -H \"Metadata-Flavor:Google\"` dev eth0\n ip route add 10.80.127.0/17\
+ \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
+ \ -H \"Metadata-Flavor:Google\"` dev eth0\n /var/run/nva/policy_based_routing.sh\
+ \ eth1 &>/dev/null &\n ip route add 10.64.0.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\
+ \ -H \"Metadata-Flavor:Google\"` dev eth1\n ip route add 10.80.0.0/17\
+ \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\
+ \ -H \"Metadata-Flavor:Google\"` dev eth1\n iptables -A INPUT -p tcp\
+ \ --dport 179 -j ACCEPT\n\nbootcmd:\n - systemctl start node-problem-detector\n\
+ \nruncmd:\n - systemctl daemon-reload\n - systemctl enable routing\n -\
+ \ systemctl start routing\n - systemctl start frr\n"
+ metadata_startup_script: null
+ name: nva-ew4-c
+ network_interface:
+ - access_config: []
+ alias_ip_range: []
+ ipv6_access_config: []
+ network_ip: 10.80.128.102
+ nic_type: null
+ queue_count: null
+ security_policy: null
+ - access_config: []
+ alias_ip_range: []
+ ipv6_access_config: []
+ network_ip: 10.80.0.102
+ nic_type: null
+ queue_count: null
+ security_policy: null
+ network_performance_config: []
+ params: []
+ project: fast2-prod-net-landing-0
+ resource_policies: null
+ scheduling:
+ - automatic_restart: true
+ instance_termination_action: null
+ local_ssd_recovery_timeout: []
+ maintenance_interval: null
+ max_run_duration: []
+ min_node_cpus: null
+ node_affinities: []
+ on_host_maintenance: MIGRATE
+ preemptible: false
+ provisioning_model: STANDARD
+ scratch_disk: []
+ service_account:
+ - scopes:
+ - https://www.googleapis.com/auth/devstorage.read_only
+ - https://www.googleapis.com/auth/logging.write
+ - https://www.googleapis.com/auth/monitoring.write
+ shielded_instance_config: []
+ tags:
+ - nva
+ timeouts: null
+ zone: europe-west4-c
+ module.peering-dev.google_compute_network_peering.local_network_peering:
+ export_custom_routes: true
+ export_subnet_routes_with_public_ip: true
+ import_custom_routes: true
+ import_subnet_routes_with_public_ip: null
+ stack_type: IPV4_ONLY
+ timeouts: null
+ module.peering-dev.google_compute_network_peering.peer_network_peering[0]:
+ export_custom_routes: true
+ export_subnet_routes_with_public_ip: true
+ import_custom_routes: true
+ import_subnet_routes_with_public_ip: null
+ stack_type: IPV4_ONLY
+ timeouts: null
+ module.peering-prod.google_compute_network_peering.local_network_peering:
+ export_custom_routes: true
+ export_subnet_routes_with_public_ip: true
+ import_custom_routes: true
+ import_subnet_routes_with_public_ip: null
+ stack_type: IPV4_ONLY
+ timeouts: null
+ module.peering-prod.google_compute_network_peering.peer_network_peering[0]:
+ export_custom_routes: true
+ export_subnet_routes_with_public_ip: true
+ import_custom_routes: true
+ import_subnet_routes_with_public_ip: null
+ stack_type: IPV4_ONLY
+ timeouts: null
+ module.prod-dns-peer-landing-rev-10.google_dns_managed_zone.dns_managed_zone[0]:
+ cloud_logging_config:
+ - enable_logging: false
+ description: Terraform managed.
+ dns_name: 10.in-addr.arpa.
+ dnssec_config: []
+ force_destroy: false
+ forwarding_config: []
+ labels: null
+ name: prod-reverse-10-dns-peering
+ project: fast2-prod-net-spoke-0
+ reverse_lookup: false
+ service_directory_config: []
+ timeouts: null
+ visibility: private
+ module.prod-dns-peer-landing-root.google_dns_managed_zone.dns_managed_zone[0]:
+ cloud_logging_config:
+ - enable_logging: false
+ description: Terraform managed.
+ dns_name: .
+ dnssec_config: []
+ force_destroy: false
+ forwarding_config: []
+ labels: null
+ name: prod-root-dns-peering
+ project: fast2-prod-net-spoke-0
+ reverse_lookup: false
+ service_directory_config: []
+ timeouts: null
+ visibility: private
+ module.prod-dns-private-zone.google_dns_managed_zone.dns_managed_zone[0]:
+ cloud_logging_config:
+ - enable_logging: false
+ description: Terraform managed.
+ dns_name: prod.gcp.example.com.
+ dnssec_config: []
+ force_destroy: false
+ forwarding_config: []
+ labels: null
+ name: prod-gcp-example-com
+ peering_config: []
+ project: fast2-prod-net-spoke-0
+ service_directory_config: []
+ timeouts: null
+ visibility: private
+ module.prod-dns-private-zone.google_dns_record_set.dns_record_set["A localhost"]:
+ managed_zone: prod-gcp-example-com
+ name: localhost.prod.gcp.example.com.
+ project: fast2-prod-net-spoke-0
+ routing_policy: []
+ rrdatas:
+ - 127.0.0.1
+ ttl: 300
+ type: A
+ module.prod-spoke-firewall.google_compute_firewall.custom-rules["ingress-default-deny"]:
+ allow: []
+ deny:
+ - ports: []
+ protocol: all
+ description: Deny and log any unmatched ingress traffic.
+ direction: INGRESS
+ disabled: false
+ log_config:
+ - metadata: EXCLUDE_ALL_METADATA
+ name: ingress-default-deny
+ priority: 65535
+ project: fast2-prod-net-spoke-0
+ source_ranges:
+ - 0.0.0.0/0
+ source_service_accounts: null
+ source_tags: null
+ target_service_accounts: null
+ target_tags: null
+ timeouts: null
+ module.prod-spoke-project.google_compute_shared_vpc_host_project.shared_vpc_host[0]:
+ project: fast2-prod-net-spoke-0
+ timeouts: null
+ module.prod-spoke-project.google_monitoring_monitored_project.primary["fast2-prod-net-landing-0"]:
+ metrics_scope: fast2-prod-net-landing-0
+ name: fast2-prod-net-spoke-0
+ timeouts: null
+ module.prod-spoke-project.google_project.project[0]:
+ auto_create_network: false
+ billing_account: 000000-111111-222222
+ folder_id: null
+ labels: null
+ name: fast2-prod-net-spoke-0
+ org_id: null
+ project_id: fast2-prod-net-spoke-0
+ skip_delete: false
+ timeouts: null
+ module.prod-spoke-project.google_project_iam_binding.authoritative["roles/dns.admin"]:
+ condition: []
+ members:
+ - serviceAccount:string
+ project: fast2-prod-net-spoke-0
+ role: roles/dns.admin
+ module.prod-spoke-project.google_project_iam_binding.bindings["sa_delegated_grants"]:
+ condition:
+ - description: Production host project delegated grants.
+ expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/composer.sharedVpcAgent','roles/compute.networkUser','roles/compute.networkViewer','roles/container.hostServiceAgentUser','roles/multiclusterservicediscovery.serviceAgent','roles/vpcaccess.user'])
+ title: prod_stage3_sa_delegated_grants
+ members:
+ - serviceAccount:string
+ project: fast2-prod-net-spoke-0
+ role: roles/resourcemanager.projectIamAdmin
+ module.prod-spoke-project.google_project_iam_member.servicenetworking[0]:
+ condition: []
+ project: fast2-prod-net-spoke-0
+ role: roles/servicenetworking.serviceAgent
+ module.prod-spoke-project.google_project_service.project_services["compute.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast2-prod-net-spoke-0
+ service: compute.googleapis.com
+ timeouts: null
+ module.prod-spoke-project.google_project_service.project_services["dns.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast2-prod-net-spoke-0
+ service: dns.googleapis.com
+ timeouts: null
+ module.prod-spoke-project.google_project_service.project_services["iap.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast2-prod-net-spoke-0
+ service: iap.googleapis.com
+ timeouts: null
+ module.prod-spoke-project.google_project_service.project_services["networkmanagement.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast2-prod-net-spoke-0
+ service: networkmanagement.googleapis.com
+ timeouts: null
+ module.prod-spoke-project.google_project_service.project_services["servicenetworking.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast2-prod-net-spoke-0
+ service: servicenetworking.googleapis.com
+ timeouts: null
+ module.prod-spoke-project.google_project_service.project_services["stackdriver.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast2-prod-net-spoke-0
+ service: stackdriver.googleapis.com
+ timeouts: null
+ module.prod-spoke-project.google_project_service.project_services["vpcaccess.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast2-prod-net-spoke-0
+ service: vpcaccess.googleapis.com
+ timeouts: null
+ module.prod-spoke-project.google_project_service_identity.jit_si["iap.googleapis.com"]:
+ project: fast2-prod-net-spoke-0
+ service: iap.googleapis.com
+ timeouts: null
+ module.prod-spoke-project.google_project_service_identity.servicenetworking[0]:
+ project: fast2-prod-net-spoke-0
+ service: servicenetworking.googleapis.com
+ timeouts: null
+ module.prod-spoke-vpc.google_compute_network.network[0]:
+ auto_create_subnetworks: false
+ delete_default_routes_on_create: true
+ description: Terraform-managed.
+ enable_ula_internal_ipv6: null
+ mtu: 1500
+ name: prod-spoke-0
+ network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
+ project: fast2-prod-net-spoke-0
+ routing_mode: GLOBAL
+ timeouts: null
+ module.prod-spoke-vpc.google_compute_route.gateway["private-googleapis"]:
+ description: Terraform-managed.
+ dest_range: 199.36.153.8/30
+ name: prod-spoke-0-private-googleapis
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 1000
+ project: fast2-prod-net-spoke-0
+ tags: null
+ timeouts: null
+ module.prod-spoke-vpc.google_compute_route.gateway["restricted-googleapis"]:
+ description: Terraform-managed.
+ dest_range: 199.36.153.4/30
+ name: prod-spoke-0-restricted-googleapis
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 1000
+ project: fast2-prod-net-spoke-0
+ tags: null
+ timeouts: null
+ module.prod-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/prod-default"]:
+ description: Default europe-west1 subnet for prod
+ ip_cidr_range: 10.72.0.0/24
+ ipv6_access_type: null
+ log_config: []
+ name: prod-default
+ private_ip_google_access: true
+ project: fast2-prod-net-spoke-0
+ region: europe-west1
+ role: null
+ secondary_ip_range: []
+ timeouts: null
+ module.prod-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west4/prod-default"]:
+ description: Default europe-west4 subnet for prod
+ ip_cidr_range: 10.88.0.0/24
+ ipv6_access_type: null
+ log_config: []
+ name: prod-default
+ private_ip_google_access: true
+ project: fast2-prod-net-spoke-0
+ region: europe-west4
+ role: null
+ secondary_ip_range: []
+ timeouts: null
+ module.prod-spoke-vpc.google_dns_policy.default[0]:
+ alternative_name_server_config: []
+ description: Managed by Terraform
+ enable_inbound_forwarding: null
+ enable_logging: true
+ name: prod-spoke-0
+ networks:
+ - {}
+ project: fast2-prod-net-spoke-0
+ timeouts: null
+ module.spokes-landing["primary"].google_compute_router.cr:
+ bgp:
+ - advertise_mode: CUSTOM
+ advertised_groups: []
+ advertised_ip_ranges:
+ - description: GCP landing primary.
+ range: 10.64.0.0/17
+ - description: GCP dev primary.
+ range: 10.68.0.0/16
+ - description: GCP prod primary.
+ range: 10.72.0.0/16
+ - description: GCP landing secondary.
+ range: 10.80.0.0/17
+ - description: GCP dev secondary.
+ range: 10.84.0.0/16
+ - description: GCP prod secondary.
+ range: 10.88.0.0/16
+ asn: 64515
+ keepalive_interval: 20
+ description: null
+ encrypted_interconnect_router: null
+ name: prod-spoke-landing-ew1-cr
+ project: fast2-prod-net-landing-0
+ region: europe-west1
+ timeouts: null
+ module.spokes-landing["primary"].google_compute_router_interface.intf_0:
+ interconnect_attachment: null
+ name: prod-spoke-landing-ew1-cr-intf0
+ private_ip_address: 10.64.0.201
+ project: fast2-prod-net-landing-0
+ region: europe-west1
+ router: prod-spoke-landing-ew1-cr
+ timeouts: null
+ vpn_tunnel: null
+ module.spokes-landing["primary"].google_compute_router_interface.intf_1:
+ interconnect_attachment: null
+ name: prod-spoke-landing-ew1-cr-intf1
+ private_ip_address: 10.64.0.202
+ project: fast2-prod-net-landing-0
+ redundant_interface: prod-spoke-landing-ew1-cr-intf0
+ region: europe-west1
+ router: prod-spoke-landing-ew1-cr
+ timeouts: null
+ vpn_tunnel: null
+ module.spokes-landing["primary"].google_compute_router_peer.peer_0["0"]:
+ advertise_mode: DEFAULT
+ advertised_groups: null
+ advertised_ip_ranges: []
+ advertised_route_priority: 100
+ enable: true
+ enable_ipv6: false
+ interface: prod-spoke-landing-ew1-cr-intf0
+ md5_authentication_key: []
+ peer_asn: 64513
+ project: fast2-prod-net-landing-0
+ region: europe-west1
+ router: prod-spoke-landing-ew1-cr
+ timeouts: null
+ module.spokes-landing["primary"].google_compute_router_peer.peer_0["1"]:
+ advertise_mode: DEFAULT
+ advertised_groups: null
+ advertised_ip_ranges: []
+ advertised_route_priority: 100
+ enable: true
+ enable_ipv6: false
+ interface: prod-spoke-landing-ew1-cr-intf0
+ md5_authentication_key: []
+ peer_asn: 64513
+ project: fast2-prod-net-landing-0
+ region: europe-west1
+ router: prod-spoke-landing-ew1-cr
+ timeouts: null
+ module.spokes-landing["primary"].google_compute_router_peer.peer_1["0"]:
+ advertise_mode: DEFAULT
+ advertised_groups: null
+ advertised_ip_ranges: []
+ advertised_route_priority: 100
+ enable: true
+ enable_ipv6: false
+ interface: prod-spoke-landing-ew1-cr-intf1
+ md5_authentication_key: []
+ peer_asn: 64513
+ project: fast2-prod-net-landing-0
+ region: europe-west1
+ router: prod-spoke-landing-ew1-cr
+ timeouts: null
+ module.spokes-landing["primary"].google_compute_router_peer.peer_1["1"]:
+ advertise_mode: DEFAULT
+ advertised_groups: null
+ advertised_ip_ranges: []
+ advertised_route_priority: 100
+ enable: true
+ enable_ipv6: false
+ interface: prod-spoke-landing-ew1-cr-intf1
+ md5_authentication_key: []
+ peer_asn: 64513
+ project: fast2-prod-net-landing-0
+ region: europe-west1
+ router: prod-spoke-landing-ew1-cr
+ timeouts: null
+ module.spokes-landing["primary"].google_network_connectivity_spoke.spoke-ra:
+ description: null
+ labels: null
+ linked_interconnect_attachments: []
+ linked_router_appliance_instances:
+ - instances:
+ - {}
+ - {}
+ site_to_site_data_transfer: false
+ linked_vpc_network: []
+ linked_vpn_tunnels: []
+ location: europe-west1
+ name: prod-spoke-landing-ew1
+ project: fast2-prod-net-landing-0
+ timeouts: null
+ module.spokes-landing["secondary"].google_compute_router.cr:
+ bgp:
+ - advertise_mode: CUSTOM
+ advertised_groups: []
+ advertised_ip_ranges:
+ - description: GCP landing primary.
+ range: 10.64.0.0/17
+ - description: GCP dev primary.
+ range: 10.68.0.0/16
+ - description: GCP prod primary.
+ range: 10.72.0.0/16
+ - description: GCP landing secondary.
+ range: 10.80.0.0/17
+ - description: GCP dev secondary.
+ range: 10.84.0.0/16
+ - description: GCP prod secondary.
+ range: 10.88.0.0/16
+ asn: 64515
+ keepalive_interval: 20
+ description: null
+ encrypted_interconnect_router: null
+ name: prod-spoke-landing-ew4-cr
+ project: fast2-prod-net-landing-0
+ region: europe-west4
+ timeouts: null
+ module.spokes-landing["secondary"].google_compute_router_interface.intf_0:
+ interconnect_attachment: null
+ name: prod-spoke-landing-ew4-cr-intf0
+ private_ip_address: 10.80.0.201
+ project: fast2-prod-net-landing-0
+ region: europe-west4
+ router: prod-spoke-landing-ew4-cr
+ timeouts: null
+ vpn_tunnel: null
+ module.spokes-landing["secondary"].google_compute_router_interface.intf_1:
+ interconnect_attachment: null
+ name: prod-spoke-landing-ew4-cr-intf1
+ private_ip_address: 10.80.0.202
+ project: fast2-prod-net-landing-0
+ redundant_interface: prod-spoke-landing-ew4-cr-intf0
+ region: europe-west4
+ router: prod-spoke-landing-ew4-cr
+ timeouts: null
+ vpn_tunnel: null
+ module.spokes-landing["secondary"].google_compute_router_peer.peer_0["0"]:
+ advertise_mode: DEFAULT
+ advertised_groups: null
+ advertised_ip_ranges: []
+ advertised_route_priority: 100
+ enable: true
+ enable_ipv6: false
+ interface: prod-spoke-landing-ew4-cr-intf0
+ md5_authentication_key: []
+ peer_asn: 64514
+ project: fast2-prod-net-landing-0
+ region: europe-west4
+ router: prod-spoke-landing-ew4-cr
+ timeouts: null
+ module.spokes-landing["secondary"].google_compute_router_peer.peer_0["1"]:
+ advertise_mode: DEFAULT
+ advertised_groups: null
+ advertised_ip_ranges: []
+ advertised_route_priority: 100
+ enable: true
+ enable_ipv6: false
+ interface: prod-spoke-landing-ew4-cr-intf0
+ md5_authentication_key: []
+ peer_asn: 64514
+ project: fast2-prod-net-landing-0
+ region: europe-west4
+ router: prod-spoke-landing-ew4-cr
+ timeouts: null
+ module.spokes-landing["secondary"].google_compute_router_peer.peer_1["0"]:
+ advertise_mode: DEFAULT
+ advertised_groups: null
+ advertised_ip_ranges: []
+ advertised_route_priority: 100
+ enable: true
+ enable_ipv6: false
+ interface: prod-spoke-landing-ew4-cr-intf1
+ md5_authentication_key: []
+ peer_asn: 64514
+ project: fast2-prod-net-landing-0
+ region: europe-west4
+ router: prod-spoke-landing-ew4-cr
+ timeouts: null
+ module.spokes-landing["secondary"].google_compute_router_peer.peer_1["1"]:
+ advertise_mode: DEFAULT
+ advertised_groups: null
+ advertised_ip_ranges: []
+ advertised_route_priority: 100
+ enable: true
+ enable_ipv6: false
+ interface: prod-spoke-landing-ew4-cr-intf1
+ md5_authentication_key: []
+ peer_asn: 64514
+ project: fast2-prod-net-landing-0
+ region: europe-west4
+ router: prod-spoke-landing-ew4-cr
+ timeouts: null
+ module.spokes-landing["secondary"].google_network_connectivity_spoke.spoke-ra:
+ description: null
+ labels: null
+ linked_interconnect_attachments: []
+ linked_router_appliance_instances:
+ - instances:
+ - {}
+ - {}
+ site_to_site_data_transfer: false
+ linked_vpc_network: []
+ linked_vpn_tunnels: []
+ location: europe-west4
+ name: prod-spoke-landing-ew4
+ project: fast2-prod-net-landing-0
+ timeouts: null
+ module.spokes-dmz["primary"].google_compute_router.cr:
+ bgp:
+ - advertise_mode: CUSTOM
+ advertised_groups: []
+ advertised_ip_ranges:
+ - description: Default route.
+ range: 0.0.0.0/0
+ asn: 64512
+ keepalive_interval: 20
+ description: null
+ encrypted_interconnect_router: null
+ name: prod-spoke-dmz-ew1-cr
+ project: fast2-prod-net-landing-0
+ region: europe-west1
+ timeouts: null
+ module.spokes-dmz["primary"].google_compute_router_interface.intf_0:
+ interconnect_attachment: null
+ name: prod-spoke-dmz-ew1-cr-intf0
+ private_ip_address: 10.64.128.201
+ project: fast2-prod-net-landing-0
+ region: europe-west1
+ router: prod-spoke-dmz-ew1-cr
+ timeouts: null
+ vpn_tunnel: null
+ module.spokes-dmz["primary"].google_compute_router_interface.intf_1:
+ interconnect_attachment: null
+ name: prod-spoke-dmz-ew1-cr-intf1
+ private_ip_address: 10.64.128.202
+ project: fast2-prod-net-landing-0
+ redundant_interface: prod-spoke-dmz-ew1-cr-intf0
+ region: europe-west1
+ router: prod-spoke-dmz-ew1-cr
+ timeouts: null
+ vpn_tunnel: null
+ module.spokes-dmz["primary"].google_compute_router_peer.peer_0["0"]:
+ advertise_mode: DEFAULT
+ advertised_groups: null
+ advertised_ip_ranges: []
+ advertised_route_priority: 100
+ enable: true
+ enable_ipv6: false
+ interface: prod-spoke-dmz-ew1-cr-intf0
+ md5_authentication_key: []
+ peer_asn: 64513
+ project: fast2-prod-net-landing-0
+ region: europe-west1
+ router: prod-spoke-dmz-ew1-cr
+ timeouts: null
+ module.spokes-dmz["primary"].google_compute_router_peer.peer_0["1"]:
+ advertise_mode: DEFAULT
+ advertised_groups: null
+ advertised_ip_ranges: []
+ advertised_route_priority: 100
+ enable: true
+ enable_ipv6: false
+ interface: prod-spoke-dmz-ew1-cr-intf0
+ md5_authentication_key: []
+ peer_asn: 64513
+ project: fast2-prod-net-landing-0
+ region: europe-west1
+ router: prod-spoke-dmz-ew1-cr
+ timeouts: null
+ module.spokes-dmz["primary"].google_compute_router_peer.peer_1["0"]:
+ advertise_mode: DEFAULT
+ advertised_groups: null
+ advertised_ip_ranges: []
+ advertised_route_priority: 100
+ enable: true
+ enable_ipv6: false
+ interface: prod-spoke-dmz-ew1-cr-intf1
+ md5_authentication_key: []
+ peer_asn: 64513
+ project: fast2-prod-net-landing-0
+ region: europe-west1
+ router: prod-spoke-dmz-ew1-cr
+ timeouts: null
+ module.spokes-dmz["primary"].google_compute_router_peer.peer_1["1"]:
+ advertise_mode: DEFAULT
+ advertised_groups: null
+ advertised_ip_ranges: []
+ advertised_route_priority: 100
+ enable: true
+ enable_ipv6: false
+ interface: prod-spoke-dmz-ew1-cr-intf1
+ md5_authentication_key: []
+ peer_asn: 64513
+ project: fast2-prod-net-landing-0
+ region: europe-west1
+ router: prod-spoke-dmz-ew1-cr
+ timeouts: null
+ module.spokes-dmz["primary"].google_network_connectivity_spoke.spoke-ra:
+ description: null
+ labels: null
+ linked_interconnect_attachments: []
+ linked_router_appliance_instances:
+ - instances:
+ - {}
+ - {}
+ site_to_site_data_transfer: false
+ linked_vpc_network: []
+ linked_vpn_tunnels: []
+ location: europe-west1
+ name: prod-spoke-dmz-ew1
+ project: fast2-prod-net-landing-0
+ timeouts: null
+ module.spokes-dmz["secondary"].google_compute_router.cr:
+ bgp:
+ - advertise_mode: CUSTOM
+ advertised_groups: []
+ advertised_ip_ranges:
+ - description: Default route.
+ range: 0.0.0.0/0
+ asn: 64512
+ keepalive_interval: 20
+ description: null
+ encrypted_interconnect_router: null
+ name: prod-spoke-dmz-ew4-cr
+ project: fast2-prod-net-landing-0
+ region: europe-west4
+ timeouts: null
+ module.spokes-dmz["secondary"].google_compute_router_interface.intf_0:
+ interconnect_attachment: null
+ name: prod-spoke-dmz-ew4-cr-intf0
+ private_ip_address: 10.80.128.201
+ project: fast2-prod-net-landing-0
+ region: europe-west4
+ router: prod-spoke-dmz-ew4-cr
+ timeouts: null
+ vpn_tunnel: null
+ module.spokes-dmz["secondary"].google_compute_router_interface.intf_1:
+ interconnect_attachment: null
+ name: prod-spoke-dmz-ew4-cr-intf1
+ private_ip_address: 10.80.128.202
+ project: fast2-prod-net-landing-0
+ redundant_interface: prod-spoke-dmz-ew4-cr-intf0
+ region: europe-west4
+ router: prod-spoke-dmz-ew4-cr
+ timeouts: null
+ vpn_tunnel: null
+ module.spokes-dmz["secondary"].google_compute_router_peer.peer_0["0"]:
+ advertise_mode: DEFAULT
+ advertised_groups: null
+ advertised_ip_ranges: []
+ advertised_route_priority: 100
+ enable: true
+ enable_ipv6: false
+ interface: prod-spoke-dmz-ew4-cr-intf0
+ md5_authentication_key: []
+ peer_asn: 64514
+ project: fast2-prod-net-landing-0
+ region: europe-west4
+ router: prod-spoke-dmz-ew4-cr
+ timeouts: null
+ module.spokes-dmz["secondary"].google_compute_router_peer.peer_0["1"]:
+ advertise_mode: DEFAULT
+ advertised_groups: null
+ advertised_ip_ranges: []
+ advertised_route_priority: 100
+ enable: true
+ enable_ipv6: false
+ interface: prod-spoke-dmz-ew4-cr-intf0
+ md5_authentication_key: []
+ peer_asn: 64514
+ project: fast2-prod-net-landing-0
+ region: europe-west4
+ router: prod-spoke-dmz-ew4-cr
+ timeouts: null
+ module.spokes-dmz["secondary"].google_compute_router_peer.peer_1["0"]:
+ advertise_mode: DEFAULT
+ advertised_groups: null
+ advertised_ip_ranges: []
+ advertised_route_priority: 100
+ enable: true
+ enable_ipv6: false
+ interface: prod-spoke-dmz-ew4-cr-intf1
+ md5_authentication_key: []
+ peer_asn: 64514
+ project: fast2-prod-net-landing-0
+ region: europe-west4
+ router: prod-spoke-dmz-ew4-cr
+ timeouts: null
+ module.spokes-dmz["secondary"].google_compute_router_peer.peer_1["1"]:
+ advertise_mode: DEFAULT
+ advertised_groups: null
+ advertised_ip_ranges: []
+ advertised_route_priority: 100
+ enable: true
+ enable_ipv6: false
+ interface: prod-spoke-dmz-ew4-cr-intf1
+ md5_authentication_key: []
+ peer_asn: 64514
+ project: fast2-prod-net-landing-0
+ region: europe-west4
+ router: prod-spoke-dmz-ew4-cr
+ timeouts: null
+ module.spokes-dmz["secondary"].google_network_connectivity_spoke.spoke-ra:
+ description: null
+ labels: null
+ linked_interconnect_attachments: []
+ linked_router_appliance_instances:
+ - instances:
+ - {}
+ - {}
+ site_to_site_data_transfer: false
+ linked_vpc_network: []
+ linked_vpn_tunnels: []
+ location: europe-west4
+ name: prod-spoke-dmz-ew4
+ project: fast2-prod-net-landing-0
+ timeouts: null
+ counts:
+ google_compute_address: 8
+ google_compute_external_vpn_gateway: 2
+ google_compute_firewall: 12
+ google_compute_firewall_policy: 1
+ google_compute_firewall_policy_association: 1
+ google_compute_firewall_policy_rule: 4
+ google_compute_ha_vpn_gateway: 2
+ google_compute_instance: 4
+ google_compute_network: 4
+ google_compute_network_peering: 4
+ google_compute_route: 6
+ google_compute_router: 8
+ google_compute_router_interface: 12
+ google_compute_router_nat: 2
+ google_compute_router_peer: 20
+ google_compute_shared_vpc_host_project: 3
+ google_compute_subnetwork: 10
+ google_compute_vpn_tunnel: 4
+ google_dns_managed_zone: 9
+ google_dns_policy: 4
+ google_dns_record_set: 3
+ google_dns_response_policy: 1
+ google_dns_response_policy_rule: 34
+ google_essential_contacts_contact: 1
+ google_folder: 1
+ google_monitoring_alert_policy: 2
+ google_monitoring_dashboard: 3
+ google_monitoring_monitored_project: 2
+ google_network_connectivity_hub: 2
+ google_network_connectivity_spoke: 4
+ google_project: 3
+ google_project_iam_binding: 6
+ google_project_iam_member: 2
+ google_project_service: 20
+ google_project_service_identity: 5
+ google_storage_bucket_object: 1
 modules: 37
+ random_id: 2
 resources: 212