This commit is contained in:
Ludovico Magnocavallo 2022-06-30 18:22:57 +02:00
parent 7786dd3d90
commit 7b5ced7e15
19 changed files with 166 additions and 118 deletions


@ -56,7 +56,8 @@ module "branch-dp-dev-folder" {
}
tag_bindings = {
context = try(
module.organization.tag_values["${var.tag_names.environment}/development"].id, null
module.organization.tag_values["${var.tag_names.environment}/development"].id,
null
)
}
}
@ -82,7 +83,8 @@ module "branch-dp-prod-folder" {
}
tag_bindings = {
context = try(
module.organization.tag_values["${var.tag_names.environment}/production"].id, null
module.organization.tag_values["${var.tag_names.environment}/production"].id,
null
)
}
}


@ -16,99 +16,137 @@
# tfdoc:file:description GKE multitenant stage resources.
# top-level gke folder
moved {
from = module.branch-gke-folder
to = module.branch-gke-folder.0
}
module "branch-gke-folder" {
source = "../../../modules/folder"
count = var.fast_features.gke ? 1 : 0
parent = "organizations/${var.organization.id}"
name = "GKE"
# iam = {
# "roles/logging.admin" = [module.branch-gke-sa.iam_email]
# "roles/owner" = [module.branch-gke-sa.iam_email]
# "roles/resourcemanager.folderAdmin" = [module.branch-gke-sa.iam_email]
# "roles/resourcemanager.projectCreator" = [module.branch-gke-sa.iam_email]
# }
}
# GKE-level folders, service accounts and buckets for each individual environment
module "branch-gke-prod-folder" {
source = "../../../modules/folder"
parent = module.branch-gke-folder.id
name = "Production"
iam = {
"roles/owner" = [
module.branch-gke-prod-sa.iam_email
]
"roles/resourcemanager.projectCreator" = [
module.branch-gke-prod-sa.iam_email
]
"roles/compute.xpnAdmin" = [
module.branch-gke-prod-sa.iam_email
]
tag_bindings = {
context = try(
module.organization.tag_values["${var.tag_names.context}/gke"].id, null
)
}
}
module "branch-gke-prod-sa" {
source = "../../../modules/iam-service-account"
project_id = var.automation.project_id
name = "prod-resman-gke-0"
description = "Terraform gke multitenant prod service account."
prefix = var.prefix
iam = {
# FIXME(jccb): who should we use here?
"roles/iam.serviceAccountTokenCreator" = ["group:${local.groups.gcp-devops}"]
moved {
from = module.branch-gke-dev-folder
to = module.branch-gke-dev-folder.0
}
}
module "branch-gke-prod-gcs" {
source = "../../../modules/gcs"
project_id = var.automation.project_id
name = "prod-resman-gke-0"
prefix = var.prefix
versioning = true
iam = {
"roles/storage.objectAdmin" = [module.branch-gke-prod-sa.iam_email]
}
}
module "branch-gke-dev-folder" {
source = "../../../modules/folder"
parent = module.branch-gke-folder.id
count = var.fast_features.gke ? 1 : 0
parent = module.branch-gke-folder.0.id
name = "Development"
iam = {
"roles/owner" = [
module.branch-gke-dev-sa.iam_email
]
"roles/resourcemanager.projectCreator" = [
module.branch-gke-dev-sa.iam_email
]
"roles/compute.xpnAdmin" = [
module.branch-gke-dev-sa.iam_email
]
"roles/owner" = [module.branch-gke-dev-sa.0.iam_email]
"roles/logging.admin" = [module.branch-gke-dev-sa.0.iam_email]
"roles/resourcemanager.folderAdmin" = [module.branch-gke-dev-sa.0.iam_email]
"roles/resourcemanager.projectCreator" = [module.branch-gke-dev-sa.0.iam_email]
"roles/compute.xpnAdmin" = [module.branch-gke-dev-sa.0.iam_email]
}
tag_bindings = {
context = try(
module.organization.tag_values["${var.tag_names.environment}/development"].id,
null
)
}
}
moved {
from = module.branch-gke-prod-folder
to = module.branch-gke-prod-folder.0
}
module "branch-gke-prod-folder" {
source = "../../../modules/folder"
count = var.fast_features.gke ? 1 : 0
parent = module.branch-gke-folder.0.id
name = "Production"
iam = {
"roles/owner" = [module.branch-gke-prod-sa.0.iam_email]
"roles/logging.admin" = [module.branch-gke-prod-sa.0.iam_email]
"roles/resourcemanager.folderAdmin" = [module.branch-gke-prod-sa.0.iam_email]
"roles/resourcemanager.projectCreator" = [module.branch-gke-prod-sa.0.iam_email]
"roles/compute.xpnAdmin" = [module.branch-gke-prod-sa.0.iam_email]
}
tag_bindings = {
context = try(
module.organization.tag_values["${var.tag_names.environment}/production"].id,
null
)
}
}
moved {
from = module.branch-gke-dev-sa
to = module.branch-gke-dev-sa.0
}
module "branch-gke-dev-sa" {
source = "../../../modules/iam-service-account"
count = var.fast_features.gke ? 1 : 0
project_id = var.automation.project_id
name = "dev-resman-gke-0"
description = "Terraform gke multitenant dev service account."
prefix = var.prefix
iam = {
# FIXME(jccb): who should we use here?
"roles/iam.serviceAccountTokenCreator" = ["group:${local.groups.gcp-devops}"]
}
}
moved {
from = module.branch-gke-prod-sa
to = module.branch-gke-prod-sa.0
}
module "branch-gke-prod-sa" {
source = "../../../modules/iam-service-account"
count = var.fast_features.gke ? 1 : 0
project_id = var.automation.project_id
name = "prod-resman-gke-0"
description = "Terraform gke multitenant prod service account."
prefix = var.prefix
iam = {
"roles/iam.serviceAccountTokenCreator" = ["group:${local.groups.gcp-devops}"]
}
}
moved {
from = module.branch-gke-dev-gcs
to = module.branch-gke-dev-gcs.0
}
module "branch-gke-dev-gcs" {
source = "../../../modules/gcs"
count = var.fast_features.gke ? 1 : 0
project_id = var.automation.project_id
name = "dev-resman-gke-0"
prefix = var.prefix
versioning = true
iam = {
"roles/storage.objectAdmin" = [module.branch-gke-dev-sa.iam_email]
"roles/storage.objectAdmin" = [module.branch-gke-dev-sa.0.iam_email]
}
}
moved {
from = module.branch-gke-prod-gcs
to = module.branch-gke-prod-gcs.0
}
module "branch-gke-prod-gcs" {
source = "../../../modules/gcs"
count = var.fast_features.gke ? 1 : 0
project_id = var.automation.project_id
name = "prod-resman-gke-0"
prefix = var.prefix
versioning = true
iam = {
"roles/storage.objectAdmin" = [module.branch-gke-prod-sa.0.iam_email]
}
}
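Review bot: The `iam` blocks of `branch-gke-dev-folder` and `branch-gke-prod-folder` bind the automation service account to `roles/owner` and, next to it, to `roles/logging.admin`, `roles/resourcemanager.folderAdmin`, `roles/resourcemanager.projectCreator` and `roles/compute.xpnAdmin`; owner already carries most or all of the permissions in those narrower roles, so the extra bindings are largely redundant, and the set is wider than the environment folders had before (no logging.admin or folderAdmin). If owner is genuinely required on these folders, a short comment above the block such as `# owner is required because <reason>` would document the decision; otherwise dropping `roles/owner` and keeping the named roles is the least-privilege form, and the same list sits commented out on the top-level `branch-gke-folder`. The `FIXME(jccb): who should we use here?` question about who may hold `roles/iam.serviceAccountTokenCreator` (i.e. impersonate these accounts) is kept on `branch-gke-dev-sa` but was removed from `branch-gke-prod-sa` while the grant to `group:${local.groups.gcp-devops}` is unchanged, so the open question now appears only once although it applies to both.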


@ -50,15 +50,16 @@ module "branch-network-prod-folder" {
parent = module.branch-network-folder.id
name = "Production"
iam = {
"roles/compute.xpnAdmin" = compact([
(local.custom_roles.service_project_network_admin) = compact([
try(module.branch-dp-prod-sa.0.iam_email, ""),
try(module.branch-pf-prod-sa.0.iam_email, ""),
module.branch-gke-prod-sa.iam_email,
try(module.branch-gke-prod-sa.0.iam_email, ""),
])
}
tag_bindings = {
environment = try(
module.organization.tag_values["${var.tag_names.environment}/production"].id, null
module.organization.tag_values["${var.tag_names.environment}/production"].id,
null
)
}
}
@ -71,12 +72,13 @@ module "branch-network-dev-folder" {
(local.custom_roles.service_project_network_admin) = compact([
try(module.branch-dp-dev-sa.0.iam_email, ""),
try(module.branch-pf-dev-sa.0.iam_email, ""),
module.branch-gke-dev-sa.iam_email,
try(module.branch-gke-dev-sa.iam_email, ""),
])
}
tag_bindings = {
environment = try(
module.organization.tag_values["${var.tag_names.environment}/development"].id, null
module.organization.tag_values["${var.tag_names.environment}/development"].id,
null
)
}
}
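Review bot: In `branch-network-dev-folder` the new entry `try(module.branch-gke-dev-sa.iam_email, "")` omits the `.0` index that the prod counterpart `try(module.branch-gke-prod-sa.0.iam_email, "")` and the `branch_gke_sa_iam_emails` local in this stage use; `branch-gke-dev-sa` now has `count`, so the un-indexed attribute lookup is not valid, and as far as I can tell `try()` swallows that error and yields `""`, which `compact()` then drops. The effect is that the dev GKE automation account silently never receives `service_project_network_admin` on the dev networking folder, with no plan error to point at it. The line should read `try(module.branch-gke-dev-sa.0.iam_email, ""),`. Since `try()` masks the bad reference, a plan-output check that the dev SA appears in this binding would catch regressions. Both module blocks start outside their hunks.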


@ -29,8 +29,8 @@ locals {
branch_gke_sa_iam_emails = (
var.fast_features.gke
? [
module.branch-gke-dev-sa.iam_email,
module.branch-gke-prod-sa.iam_email
module.branch-gke-dev-sa.0.iam_email,
module.branch-gke-prod-sa.0.iam_email
]
: []
)


@ -64,8 +64,8 @@ locals {
{
data-platform-dev = try(module.branch-dp-dev-folder.0.id, null)
data-platform-prod = try(module.branch-dp-prod-folder.0.id, null)
gke-multitenant-dev = module.branch-gke-dev-folder.id
gke-multitenant-prod = module.branch-gke-prod-folder.id
gke-dev = try(module.branch-gke-dev-folder.0.id, null)
gke-prod = try(module.branch-gke-prod-folder.0.id, null)
networking = module.branch-network-folder.id
networking-dev = module.branch-network-dev-folder.id
networking-prod = module.branch-network-prod-folder.id
@ -98,16 +98,6 @@ locals {
name = "security"
sa = module.branch-security-sa.email
})
"03-gke-dev" = templatefile(local._tpl_providers, {
bucket = module.branch-gke-dev-gcs.name
name = "gke-dev"
sa = module.branch-gke-dev-sa.email
})
"03-gke-prod" = templatefile(local._tpl_providers, {
bucket = module.branch-gke-prod-gcs.name
name = "gke-prod"
sa = module.branch-gke-prod-sa.email
})
},
!var.fast_features.data_platform ? {} : {
"03-data-platform-dev" = templatefile(local._tpl_providers, {
@ -121,6 +111,18 @@ locals {
sa = module.branch-dp-prod-sa.0.email
})
},
!var.fast_features.gke ? {} : {
"03-gke-dev" = templatefile(local._tpl_providers, {
bucket = module.branch-gke-dev-gcs.0.name
name = "gke-dev"
sa = module.branch-gke-dev-sa.0.email
})
"03-gke-prod" = templatefile(local._tpl_providers, {
bucket = module.branch-gke-prod-gcs.0.name
name = "gke-prod"
sa = module.branch-gke-prod-sa.0.email
})
},
!var.fast_features.project_factory ? {} : {
"03-project-factory-dev" = templatefile(local._tpl_providers, {
bucket = module.branch-pf-dev-gcs.0.name
@ -252,18 +254,22 @@ output "security" {
output "gke_multitenant" {
# tfdoc:output:consumers 03-gke-multitenant
description = "Data for the GKE multitenant stage."
value = {
value = (
var.fast_features.gke
? {
"dev" = {
folder = module.branch-gke-dev-folder.id
gcs_bucket = module.branch-gke-dev-gcs.name
service_account = module.branch-gke-dev-sa.email
folder = module.branch-gke-dev-folder.0.id
gcs_bucket = module.branch-gke-dev-gcs.0.name
service_account = module.branch-gke-dev-sa.0.email
}
"prod" = {
folder = module.branch-gke-prod-folder.id
gcs_bucket = module.branch-gke-prod-gcs.name
service_account = module.branch-gke-prod-sa.email
folder = module.branch-gke-prod-folder.0.id
gcs_bucket = module.branch-gke-prod-gcs.0.name
service_account = module.branch-gke-prod-sa.0.email
}
}
: {}
)
}
output "teams" {
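Review bot: The `# tfdoc:output:consumers 03-gke-multitenant` comment above `output "gke_multitenant"` still names the old stage, while elsewhere in this commit the stage is referenced as `fast/stages/03-gke/config`, which suggests the stage directory was renamed; if so, the comment should become `# tfdoc:output:consumers 03-gke` so the generated documentation and the consumer lookup stay accurate. The `gke-dev`/`gke-prod` key rename in the `folder_ids` local is carried through to the stage variables, but the generated README tables of the networking stages still list `gke-multitenant-prod` next to `gke-dev` in the `service_accounts` row, so the docs appear only partly regenerated. The enclosing `locals` block starts outside its hunks.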


@ -126,7 +126,7 @@ resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
members = compact([
local.service_accounts.data-platform-dev,
local.service_accounts.project-factory-dev,
local.service_accounts.gke-multitenant-dev,
local.service_accounts.gke-dev,
])
condition {
title = "dev_stage3_sa_delegated_grants"


@ -126,7 +126,7 @@ resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
members = compact([
local.service_accounts.data-platform-prod,
local.service_accounts.project-factory-prod,
local.service_accounts.gke-multitenant-prod,
local.service_accounts.gke-prod,
])
condition {
title = "prod_stage3_sa_delegated_grants"


@ -209,8 +209,8 @@ variable "service_accounts" {
type = object({
data-platform-dev = string
data-platform-prod = string
gke-multitenant-dev = string
gke-multitenant-prod = string
gke-dev = string
gke-prod = string
project-factory-dev = string
project-factory-prod = string
})


@ -302,7 +302,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
| [peering_configs](variables-peerings.tf#L19) | Peering configurations. | <code title="map&#40;object&#40;&#123;&#10; export_local_custom_routes &#61; bool&#10; export_peer_custom_routes &#61; bool&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#123;&#10; dev &#61; &#123;&#10; export_local_custom_routes &#61; true&#10; export_peer_custom_routes &#61; true&#10; &#125;&#10; prod &#61; &#123;&#10; export_local_custom_routes &#61; true&#10; export_peer_custom_routes &#61; true&#10; &#125;&#10;&#125;">&#123;&#8230;&#125;</code> | |
| [psa_ranges](variables.tf#L129) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object&#40;&#123;&#10; dev &#61; object&#40;&#123;&#10; ranges &#61; map&#40;string&#41;&#10; routes &#61; object&#40;&#123;&#10; export &#61; bool&#10; import &#61; bool&#10; &#125;&#41;&#10; &#125;&#41;&#10; prod &#61; object&#40;&#123;&#10; ranges &#61; map&#40;string&#41;&#10; routes &#61; object&#40;&#123;&#10; export &#61; bool&#10; import &#61; bool&#10; &#125;&#41;&#10; &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | |
| [router_onprem_configs](variables.tf#L166) | Configurations for routers used for onprem connectivity. | <code title="map&#40;object&#40;&#123;&#10; adv &#61; object&#40;&#123;&#10; custom &#61; list&#40;string&#41;&#10; default &#61; bool&#10; &#125;&#41;&#10; asn &#61; number&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#123;&#10; landing-ew1 &#61; &#123;&#10; asn &#61; &#34;65533&#34;&#10; adv &#61; null&#10; &#125;&#10;&#125;">&#123;&#8230;&#125;</code> | |
| [service_accounts](variables.tf#L184) | Automation service accounts in name => email format. | <code title="object&#40;&#123;&#10; data-platform-dev &#61; string&#10; data-platform-prod &#61; string&#10; gke-multitenant-dev &#61; string&#10; gke-multitenant-prod &#61; string&#10; project-factory-dev &#61; string&#10; project-factory-prod &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | <code>01-resman</code> |
| [service_accounts](variables.tf#L184) | Automation service accounts in name => email format. | <code title="object&#40;&#123;&#10; data-platform-dev &#61; string&#10; data-platform-prod &#61; string&#10; gke-dev &#61; string&#10; gke-multitenant-prod &#61; string&#10; project-factory-dev &#61; string&#10; project-factory-prod &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | <code>01-resman</code> |
| [vpn_onprem_configs](variables.tf#L198) | VPN gateway configuration for onprem interconnection. | <code title="map&#40;object&#40;&#123;&#10; adv &#61; object&#40;&#123;&#10; default &#61; bool&#10; custom &#61; list&#40;string&#41;&#10; &#125;&#41;&#10; peer_external_gateway &#61; object&#40;&#123;&#10; redundancy_type &#61; string&#10; interfaces &#61; list&#40;object&#40;&#123;&#10; id &#61; number&#10; ip_address &#61; string&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#10; tunnels &#61; list&#40;object&#40;&#123;&#10; peer_asn &#61; number&#10; peer_external_gateway_interface &#61; number&#10; secret &#61; string&#10; session_range &#61; string&#10; vpn_gateway_interface &#61; number&#10; &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#123;&#10; landing-ew1 &#61; &#123;&#10; adv &#61; &#123;&#10; default &#61; false&#10; custom &#61; &#91;&#10; &#34;cloud_dns&#34;, &#34;googleapis_private&#34;, &#34;googleapis_restricted&#34;, &#34;gcp_all&#34;&#10; &#93;&#10; &#125;&#10; peer_external_gateway &#61; &#123;&#10; redundancy_type &#61; &#34;SINGLE_IP_INTERNALLY_REDUNDANT&#34;&#10; interfaces &#61; &#91;&#10; &#123; id &#61; 0, ip_address &#61; &#34;8.8.8.8&#34; &#125;,&#10; &#93;&#10; &#125;&#10; tunnels &#61; &#91;&#10; &#123;&#10; peer_asn &#61; 65534&#10; peer_external_gateway_interface &#61; 0&#10; secret &#61; &#34;foobar&#34;&#10; session_range &#61; &#34;169.254.1.0&#47;30&#34;&#10; vpn_gateway_interface &#61; 0&#10; &#125;,&#10; &#123;&#10; peer_asn &#61; 65534&#10; peer_external_gateway_interface &#61; 0&#10; secret &#61; &#34;foobar&#34;&#10; session_range &#61; &#34;169.254.1.4&#47;30&#34;&#10; vpn_gateway_interface &#61; 1&#10; &#125;&#10; &#93;&#10; &#125;&#10;&#125;">&#123;&#8230;&#125;</code> | |
## Outputs


@ -103,7 +103,7 @@ resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
members = compact([
local.service_accounts.data-platform-dev,
local.service_accounts.project-factory-dev,
local.service_accounts.gke-multitenant-dev,
local.service_accounts.gke-dev,
])
condition {
title = "dev_stage3_sa_delegated_grants"


@ -103,7 +103,7 @@ resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
members = compact([
local.service_accounts.data-platform-prod,
local.service_accounts.project-factory-prod,
local.service_accounts.gke-multitenant-prod,
local.service_accounts.gke-prod,
])
condition {
title = "prod_stage3_sa_delegated_grants"


@ -187,8 +187,8 @@ variable "service_accounts" {
type = object({
data-platform-dev = string
data-platform-prod = string
gke-multitenant-dev = string
gke-multitenant-prod = string
gke-dev = string
gke-prod = string
project-factory-dev = string
project-factory-prod = string
})


@ -327,7 +327,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
| [psa_ranges](variables.tf#L129) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object&#40;&#123;&#10; dev &#61; object&#40;&#123;&#10; ranges &#61; map&#40;string&#41;&#10; routes &#61; object&#40;&#123;&#10; export &#61; bool&#10; import &#61; bool&#10; &#125;&#41;&#10; &#125;&#41;&#10; prod &#61; object&#40;&#123;&#10; ranges &#61; map&#40;string&#41;&#10; routes &#61; object&#40;&#123;&#10; export &#61; bool&#10; import &#61; bool&#10; &#125;&#41;&#10; &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | |
| [router_onprem_configs](variables.tf#L166) | Configurations for routers used for onprem connectivity. | <code title="map&#40;object&#40;&#123;&#10; adv &#61; object&#40;&#123;&#10; custom &#61; list&#40;string&#41;&#10; default &#61; bool&#10; &#125;&#41;&#10; asn &#61; number&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#123;&#10; landing-ew1 &#61; &#123;&#10; asn &#61; &#34;65533&#34;&#10; adv &#61; null&#10; &#125;&#10;&#125;">&#123;&#8230;&#125;</code> | |
| [router_spoke_configs](variables-vpn.tf#L18) | Configurations for routers used for internal connectivity. | <code title="map&#40;object&#40;&#123;&#10; adv &#61; object&#40;&#123;&#10; custom &#61; list&#40;string&#41;&#10; default &#61; bool&#10; &#125;&#41;&#10; asn &#61; number&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#123;&#10; landing-ew1 &#61; &#123; asn &#61; &#34;64512&#34;, adv &#61; null &#125;&#10; landing-ew4 &#61; &#123; asn &#61; &#34;64512&#34;, adv &#61; null &#125;&#10; spoke-dev-ew1 &#61; &#123; asn &#61; &#34;64513&#34;, adv &#61; null &#125;&#10; spoke-dev-ew4 &#61; &#123; asn &#61; &#34;64513&#34;, adv &#61; null &#125;&#10; spoke-prod-ew1 &#61; &#123; asn &#61; &#34;64514&#34;, adv &#61; null &#125;&#10; spoke-prod-ew4 &#61; &#123; asn &#61; &#34;64514&#34;, adv &#61; null &#125;&#10;&#125;">&#123;&#8230;&#125;</code> | |
| [service_accounts](variables.tf#L184) | Automation service accounts in name => email format. | <code title="object&#40;&#123;&#10; data-platform-dev &#61; string&#10; data-platform-prod &#61; string&#10; gke-multitenant-dev &#61; string&#10; gke-multitenant-prod &#61; string&#10; project-factory-dev &#61; string&#10; project-factory-prod &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | <code>01-resman</code> |
| [service_accounts](variables.tf#L184) | Automation service accounts in name => email format. | <code title="object&#40;&#123;&#10; data-platform-dev &#61; string&#10; data-platform-prod &#61; string&#10; gke-dev &#61; string&#10; gke-multitenant-prod &#61; string&#10; project-factory-dev &#61; string&#10; project-factory-prod &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | <code>01-resman</code> |
| [vpn_onprem_configs](variables.tf#L198) | VPN gateway configuration for onprem interconnection. | <code title="map&#40;object&#40;&#123;&#10; adv &#61; object&#40;&#123;&#10; default &#61; bool&#10; custom &#61; list&#40;string&#41;&#10; &#125;&#41;&#10; peer_external_gateway &#61; object&#40;&#123;&#10; redundancy_type &#61; string&#10; interfaces &#61; list&#40;object&#40;&#123;&#10; id &#61; number&#10; ip_address &#61; string&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#10; tunnels &#61; list&#40;object&#40;&#123;&#10; peer_asn &#61; number&#10; peer_external_gateway_interface &#61; number&#10; secret &#61; string&#10; session_range &#61; string&#10; vpn_gateway_interface &#61; number&#10; &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#123;&#10; landing-ew1 &#61; &#123;&#10; adv &#61; &#123;&#10; default &#61; false&#10; custom &#61; &#91;&#10; &#34;cloud_dns&#34;, &#34;googleapis_private&#34;, &#34;googleapis_restricted&#34;, &#34;gcp_all&#34;&#10; &#93;&#10; &#125;&#10; peer_external_gateway &#61; &#123;&#10; redundancy_type &#61; &#34;SINGLE_IP_INTERNALLY_REDUNDANT&#34;&#10; interfaces &#61; &#91;&#10; &#123; id &#61; 0, ip_address &#61; &#34;8.8.8.8&#34; &#125;,&#10; &#93;&#10; &#125;&#10; tunnels &#61; &#91;&#10; &#123;&#10; peer_asn &#61; 65534&#10; peer_external_gateway_interface &#61; 0&#10; secret &#61; &#34;foobar&#34;&#10; session_range &#61; &#34;169.254.1.0&#47;30&#34;&#10; vpn_gateway_interface &#61; 0&#10; &#125;,&#10; &#123;&#10; peer_asn &#61; 65534&#10; peer_external_gateway_interface &#61; 0&#10; secret &#61; &#34;foobar&#34;&#10; session_range &#61; &#34;169.254.1.4&#47;30&#34;&#10; vpn_gateway_interface &#61; 1&#10; &#125;&#10; &#93;&#10; &#125;&#10;&#125;">&#123;&#8230;&#125;</code> | |
| [vpn_spoke_configs](variables-vpn.tf#L37) | VPN gateway configuration for spokes. | <code title="map&#40;object&#40;&#123;&#10; default &#61; bool&#10; custom &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#123;&#10; landing-ew1 &#61; &#123;&#10; default &#61; false&#10; custom &#61; &#91;&#34;rfc_1918_10&#34;, &#34;rfc_1918_172&#34;, &#34;rfc_1918_192&#34;&#93;&#10; &#125;&#10; landing-ew4 &#61; &#123;&#10; default &#61; false&#10; custom &#61; &#91;&#34;rfc_1918_10&#34;, &#34;rfc_1918_172&#34;, &#34;rfc_1918_192&#34;&#93;&#10; &#125;&#10; dev-ew1 &#61; &#123;&#10; default &#61; false&#10; custom &#61; &#91;&#34;gcp_dev&#34;&#93;&#10; &#125;&#10; prod-ew1 &#61; &#123;&#10; default &#61; false&#10; custom &#61; &#91;&#34;gcp_prod&#34;&#93;&#10; &#125;&#10; prod-ew4 &#61; &#123;&#10; default &#61; false&#10; custom &#61; &#91;&#34;gcp_prod&#34;&#93;&#10; &#125;&#10;&#125;">&#123;&#8230;&#125;</code> | |


@ -103,7 +103,7 @@ resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
members = compact([
local.service_accounts.data-platform-dev,
local.service_accounts.project-factory-dev,
local.service_accounts.gke-multitenant-dev,
local.service_accounts.gke-dev,
])
condition {
title = "dev_stage3_sa_delegated_grants"


@ -103,7 +103,7 @@ resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
members = compact([
local.service_accounts.data-platform-prod,
local.service_accounts.project-factory-prod,
local.service_accounts.gke-multitenant-prod,
local.service_accounts.gke-prod,
])
condition {
title = "prod_stage3_sa_delegated_grants"


@ -187,8 +187,8 @@ variable "service_accounts" {
type = object({
data-platform-dev = string
data-platform-prod = string
gke-multitenant-dev = string
gke-multitenant-prod = string
gke-dev = string
gke-prod = string
project-factory-dev = string
project-factory-prod = string
})


@ -27,7 +27,7 @@ module "gke-hub" {
config_sync = {
gcp_service_account_email = null
https_proxy = null
policy_dir = "fast/stages/03-gke-multitenant/config"
policy_dir = "fast/stages/03-gke/config"
secret_type = "none"
source_format = "hierarchy"
sync_branch = "fast-dev-gke-marzi"


@ -25,7 +25,7 @@ module "gke-project-0" {
source = "../../../../modules/project"
billing_account = var.billing_account.id
name = "dev-gke-clusters-0"
parent = var.folder_ids.gke-multitenant-dev
parent = var.folder_ids.gke-dev
prefix = var.prefix
labels = local.labels
services = [


@ -113,7 +113,7 @@ variable "folder_ids" {
# tfdoc:variable:source 01-resman
description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created."
type = object({
gke-multitenant-dev = string
gke-dev = string
})
}