add support for proxy and psc subnets to module factory (#1211)
This commit is contained in:
parent
21e451d4cb
commit
8fc9549c58
@ -347,20 +347,19 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|
|||
| [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | <code title="object({ id = string is_org_level = optional(bool, true) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [folder_ids](variables.tf#L92) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | <code title="object({ networking = string networking-dev = string networking-prod = string })">object({…})</code> | ✓ | | <code>1-resman</code> |
|
||||
| [organization](variables.tf#L126) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [prefix](variables.tf#L142) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [organization](variables.tf#L102) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [prefix](variables.tf#L118) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [custom_adv](variables.tf#L38) | Custom advertisement definitions in name => range format. | <code>map(string)</code> | | <code title="{ cloud_dns = "35.199.192.0/19" gcp_all = "10.128.0.0/16" gcp_dev = "10.128.32.0/19" gcp_landing = "10.128.0.0/19" gcp_prod = "10.128.64.0/19" googleapis_private = "199.36.153.8/30" googleapis_restricted = "199.36.153.4/30" rfc_1918_10 = "10.0.0.0/8" rfc_1918_172 = "172.16.0.0/12" rfc_1918_192 = "192.168.0.0/16" }">{…}</code> | |
|
||||
| [custom_roles](variables.tf#L55) | Custom roles defined at the org level, in key => id format. | <code title="object({ service_project_network_admin = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||
| [dns](variables.tf#L64) | Onprem DNS resolvers. | <code>map(list(string))</code> | | <code title="{ onprem = ["10.0.200.3"] }">{…}</code> | |
|
||||
| [factories_config](variables.tf#L72) | Configuration for network resource factories. | <code title="object({ data_dir = optional(string, "data") firewall_policy_name = optional(string, "factory") })">object({…})</code> | | <code title="{ data_dir = "data" }">{…}</code> | |
|
||||
| [l7ilb_subnets](variables.tf#L102) | Subnets used for L7 ILBs. | <code title="object({ dev = optional(list(object({ ip_cidr_range = string region = string })), []) prod = optional(list(object({ ip_cidr_range = string region = string })), []) })">object({…})</code> | | <code title="{ dev = [ { ip_cidr_range = "10.128.60.0/24", region = "primary" }, { ip_cidr_range = "10.128.61.0/24", region = "secondary" } ] prod = [ { ip_cidr_range = "10.128.92.0/24", region = "primary" }, { ip_cidr_range = "10.128.93.0/24", region = "secondary" } ] }">{…}</code> | |
|
||||
| [outputs_location](variables.tf#L136) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [outputs_location](variables.tf#L112) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [peering_configs](variables-peerings.tf#L19) | Peering configurations. | <code title="map(object({ export_local_custom_routes = bool export_peer_custom_routes = bool }))">map(object({…}))</code> | | <code title="{ dev = { export_local_custom_routes = true export_peer_custom_routes = true } prod = { export_local_custom_routes = true export_peer_custom_routes = true } }">{…}</code> | |
|
||||
| [psa_ranges](variables.tf#L153) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
||||
| [regions](variables.tf#L190) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
||||
| [router_onprem_configs](variables.tf#L202) | Configurations for routers used for onprem connectivity. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-primary = { asn = "65533" adv = null } }">{…}</code> | |
|
||||
| [service_accounts](variables.tf#L220) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string gke-dev = string gke-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>1-resman</code> |
|
||||
| [vpn_onprem_configs](variables.tf#L234) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(string) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-primary = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = ["8.8.8.8"] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
||||
| [psa_ranges](variables.tf#L129) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
||||
| [regions](variables.tf#L166) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
||||
| [router_onprem_configs](variables.tf#L178) | Configurations for routers used for onprem connectivity. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-primary = { asn = "65533" adv = null } }">{…}</code> | |
|
||||
| [service_accounts](variables.tf#L196) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string gke-dev = string gke-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>1-resman</code> |
|
||||
| [vpn_onprem_configs](variables.tf#L210) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(string) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-primary = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = ["8.8.8.8"] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
||||
|
||||
## Outputs
|
||||
|
||||
@ -16,19 +16,6 @@
|
|||
|
||||
# tfdoc:file:description Dev spoke VPC and related resources.
|
||||
|
||||
locals {
|
||||
_l7ilb_subnets_dev = [
|
||||
for v in var.l7ilb_subnets.dev : merge(v, {
|
||||
active = true
|
||||
region = lookup(var.regions, v.region, v.region)
|
||||
})]
|
||||
l7ilb_subnets_dev = [
|
||||
for v in local._l7ilb_subnets_dev : merge(v, {
|
||||
name = "dev-l7ilb-${local.region_shortnames[v.region]}"
|
||||
})
|
||||
]
|
||||
}
|
||||
|
||||
module "dev-spoke-project" {
|
||||
source = "../../../modules/project"
|
||||
billing_account = var.billing_account.id
|
||||
|
@ -57,13 +44,12 @@ module "dev-spoke-project" {
|
|||
}
|
||||
|
||||
module "dev-spoke-vpc" {
|
||||
source = "../../../modules/net-vpc"
|
||||
project_id = module.dev-spoke-project.project_id
|
||||
name = "dev-spoke-0"
|
||||
mtu = 1500
|
||||
data_folder = "${var.factories_config.data_dir}/subnets/dev"
|
||||
psa_config = try(var.psa_ranges.dev, null)
|
||||
subnets_proxy_only = local.l7ilb_subnets_dev
|
||||
source = "../../../modules/net-vpc"
|
||||
project_id = module.dev-spoke-project.project_id
|
||||
name = "dev-spoke-0"
|
||||
mtu = 1500
|
||||
data_folder = "${var.factories_config.data_dir}/subnets/dev"
|
||||
psa_config = try(var.psa_ranges.dev, null)
|
||||
# set explicit routes for googleapis in case the default route is deleted
|
||||
routes = {
|
||||
private-googleapis = {
|
||||
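Review bot: Nothing in `module "dev-spoke-vpc"` (second hunk) now says where the proxy-only subnet required by regional L7 internal load balancers comes from: after `subnets_proxy_only` goes away it has to be declared in the factory folder `${var.factories_config.data_dir}/subnets/dev`, and those YAML files are not part of this diff, so I cannot confirm the ranges that used to default to 10.128.60.0/24 and 10.128.61.0/24 in the removed `l7ilb_subnets` variable were carried over. If they were not, the VPC applies cleanly but the first L7 ILB forwarding rule in the spoke fails for lack of a proxy-only subnet, and any firewall factory rule that allowed ingress from the old ranges would then reference addresses that no longer exist. I would add above `data_folder`: `# proxy-only (L7 ILB) and PSC subnets for this spoke are declared in the subnets factory folder, not here`. The module block continues past the end of the hunk.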
@ -16,19 +16,6 @@
|
|||
|
||||
# tfdoc:file:description Production spoke VPC and related resources.
|
||||
|
||||
locals {
|
||||
_l7ilb_subnets_prod = [
|
||||
for v in var.l7ilb_subnets.prod : merge(v, {
|
||||
active = true
|
||||
region = lookup(var.regions, v.region, v.region)
|
||||
})]
|
||||
l7ilb_subnets_prod = [
|
||||
for v in local._l7ilb_subnets_prod : merge(v, {
|
||||
name = "prod-l7ilb-${local.region_shortnames[v.region]}"
|
||||
})
|
||||
]
|
||||
}
|
||||
|
||||
module "prod-spoke-project" {
|
||||
source = "../../../modules/project"
|
||||
billing_account = var.billing_account.id
|
||||
|
@ -57,13 +44,12 @@ module "prod-spoke-project" {
|
|||
}
|
||||
|
||||
module "prod-spoke-vpc" {
|
||||
source = "../../../modules/net-vpc"
|
||||
project_id = module.prod-spoke-project.project_id
|
||||
name = "prod-spoke-0"
|
||||
mtu = 1500
|
||||
data_folder = "${var.factories_config.data_dir}/subnets/prod"
|
||||
psa_config = try(var.psa_ranges.prod, null)
|
||||
subnets_proxy_only = local.l7ilb_subnets_prod
|
||||
source = "../../../modules/net-vpc"
|
||||
project_id = module.prod-spoke-project.project_id
|
||||
name = "prod-spoke-0"
|
||||
mtu = 1500
|
||||
data_folder = "${var.factories_config.data_dir}/subnets/prod"
|
||||
psa_config = try(var.psa_ranges.prod, null)
|
||||
# set explicit routes for googleapis in case the default route is deleted
|
||||
routes = {
|
||||
private-googleapis = {
|
||||
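Review bot: `module "prod-spoke-vpc"` (second hunk) silently depends on the subnets factory for its proxy-only subnet once `subnets_proxy_only` is removed, and the YAML under `${var.factories_config.data_dir}/subnets/prod` that should now carry the former 10.128.92.0/24 and 10.128.93.0/24 defaults is not visible in this diff. For the production spoke I would want that dependency stated at the call site, e.g. `# L7 ILB proxy-only and PSC subnets live in the subnets factory folder (see data_folder)`, so a missing file is noticed before an L7 ILB deployment fails. Firewall rules that admit traffic from the proxy-only range should also be checked against whichever CIDR the factory declares, since the variable default no longer pins it. The module block continues beyond the hunk.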
@ -99,30 +99,6 @@ variable "folder_ids" {
|
|||
})
|
||||
}
|
||||
|
||||
variable "l7ilb_subnets" {
|
||||
description = "Subnets used for L7 ILBs."
|
||||
type = object({
|
||||
dev = optional(list(object({
|
||||
ip_cidr_range = string
|
||||
region = string
|
||||
})), [])
|
||||
prod = optional(list(object({
|
||||
ip_cidr_range = string
|
||||
region = string
|
||||
})), [])
|
||||
})
|
||||
default = {
|
||||
dev = [
|
||||
{ ip_cidr_range = "10.128.60.0/24", region = "primary" },
|
||||
{ ip_cidr_range = "10.128.61.0/24", region = "secondary" }
|
||||
]
|
||||
prod = [
|
||||
{ ip_cidr_range = "10.128.92.0/24", region = "primary" },
|
||||
{ ip_cidr_range = "10.128.93.0/24", region = "secondary" }
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
variable "organization" {
|
||||
# tfdoc:variable:source 0-bootstrap
|
||||
description = "Organization details."
|
||||
@ -372,20 +372,19 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|
|||
| [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | <code title="object({ id = string is_org_level = optional(bool, true) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [folder_ids](variables.tf#L92) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | <code title="object({ networking = string networking-dev = string networking-prod = string })">object({…})</code> | ✓ | | <code>1-resman</code> |
|
||||
| [organization](variables.tf#L126) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [prefix](variables.tf#L142) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [organization](variables.tf#L102) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [prefix](variables.tf#L118) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [custom_adv](variables.tf#L38) | Custom advertisement definitions in name => range format. | <code>map(string)</code> | | <code title="{ cloud_dns = "35.199.192.0/19" gcp_all = "10.128.0.0/16" gcp_dev = "10.128.32.0/19" gcp_landing = "10.128.0.0/19" gcp_prod = "10.128.64.0/19" googleapis_private = "199.36.153.8/30" googleapis_restricted = "199.36.153.4/30" rfc_1918_10 = "10.0.0.0/8" rfc_1918_172 = "172.16.0.0/12" rfc_1918_192 = "192.168.0.0/16" }">{…}</code> | |
|
||||
| [custom_roles](variables.tf#L55) | Custom roles defined at the org level, in key => id format. | <code title="object({ service_project_network_admin = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||
| [dns](variables.tf#L64) | Onprem DNS resolvers. | <code>map(list(string))</code> | | <code title="{ onprem = ["10.0.200.3"] }">{…}</code> | |
|
||||
| [factories_config](variables.tf#L72) | Configuration for network resource factories. | <code title="object({ data_dir = optional(string, "data") firewall_policy_name = optional(string, "factory") })">object({…})</code> | | <code title="{ data_dir = "data" }">{…}</code> | |
|
||||
| [l7ilb_subnets](variables.tf#L102) | Subnets used for L7 ILBs. | <code title="object({ dev = optional(list(object({ ip_cidr_range = string region = string })), []) prod = optional(list(object({ ip_cidr_range = string region = string })), []) })">object({…})</code> | | <code title="{ dev = [ { ip_cidr_range = "10.128.60.0/24", region = "primary" }, { ip_cidr_range = "10.128.61.0/24", region = "secondary" } ] prod = [ { ip_cidr_range = "10.128.92.0/24", region = "primary" }, { ip_cidr_range = "10.128.93.0/24", region = "secondary" } ] }">{…}</code> | |
|
||||
| [outputs_location](variables.tf#L136) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [psa_ranges](variables.tf#L153) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
||||
| [regions](variables.tf#L190) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
||||
| [router_onprem_configs](variables.tf#L202) | Configurations for routers used for onprem connectivity. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-primary = { asn = "65533" adv = null } }">{…}</code> | |
|
||||
| [outputs_location](variables.tf#L112) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [psa_ranges](variables.tf#L129) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
||||
| [regions](variables.tf#L166) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
||||
| [router_onprem_configs](variables.tf#L178) | Configurations for routers used for onprem connectivity. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-primary = { asn = "65533" adv = null } }">{…}</code> | |
|
||||
| [router_spoke_configs](variables-vpn.tf#L18) | Configurations for routers used for internal connectivity. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-primary = { asn = "64512", adv = null } landing-secondary = { asn = "64512", adv = null } spoke-dev-primary = { asn = "64513", adv = null } spoke-dev-secondary = { asn = "64513", adv = null } spoke-prod-primary = { asn = "64514", adv = null } spoke-prod-secondary = { asn = "64514", adv = null } }">{…}</code> | |
|
||||
| [service_accounts](variables.tf#L220) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string gke-dev = string gke-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>1-resman</code> |
|
||||
| [vpn_onprem_configs](variables.tf#L234) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(string) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-primary = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = ["8.8.8.8"] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
||||
| [service_accounts](variables.tf#L196) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string gke-dev = string gke-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>1-resman</code> |
|
||||
| [vpn_onprem_configs](variables.tf#L210) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(string) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-primary = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = ["8.8.8.8"] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
||||
| [vpn_spoke_configs](variables-vpn.tf#L37) | VPN gateway configuration for spokes. | <code title="map(object({ default = bool custom = list(string) }))">map(object({…}))</code> | | <code title="{ landing-primary = { default = false custom = ["rfc_1918_10", "rfc_1918_172", "rfc_1918_192"] } landing-secondary = { default = false custom = ["rfc_1918_10", "rfc_1918_172", "rfc_1918_192"] } dev-primary = { default = false custom = ["gcp_dev"] } prod-primary = { default = false custom = ["gcp_prod"] } prod-secondary = { default = false custom = ["gcp_prod"] } }">{…}</code> | |
|
||||
|
||||
## Outputs
|
||||
@ -16,19 +16,6 @@
|
|||
|
||||
# tfdoc:file:description Dev spoke VPC and related resources.
|
||||
|
||||
locals {
|
||||
_l7ilb_subnets_dev = [
|
||||
for v in var.l7ilb_subnets.dev : merge(v, {
|
||||
active = true
|
||||
region = lookup(var.regions, v.region, v.region)
|
||||
})]
|
||||
l7ilb_subnets_dev = [
|
||||
for v in local._l7ilb_subnets_dev : merge(v, {
|
||||
name = "dev-l7ilb-${local.region_shortnames[v.region]}"
|
||||
})
|
||||
]
|
||||
}
|
||||
|
||||
module "dev-spoke-project" {
|
||||
source = "../../../modules/project"
|
||||
billing_account = var.billing_account.id
|
||||
|
@ -57,13 +44,12 @@ module "dev-spoke-project" {
|
|||
}
|
||||
|
||||
module "dev-spoke-vpc" {
|
||||
source = "../../../modules/net-vpc"
|
||||
project_id = module.dev-spoke-project.project_id
|
||||
name = "dev-spoke-0"
|
||||
mtu = 1500
|
||||
data_folder = "${var.factories_config.data_dir}/subnets/dev"
|
||||
psa_config = try(var.psa_ranges.dev, null)
|
||||
subnets_proxy_only = local.l7ilb_subnets_dev
|
||||
source = "../../../modules/net-vpc"
|
||||
project_id = module.dev-spoke-project.project_id
|
||||
name = "dev-spoke-0"
|
||||
mtu = 1500
|
||||
data_folder = "${var.factories_config.data_dir}/subnets/dev"
|
||||
psa_config = try(var.psa_ranges.dev, null)
|
||||
# set explicit routes for googleapis in case the default route is deleted
|
||||
routes = {
|
||||
private-googleapis = {
|
||||
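Review bot: The call to `module "dev-spoke-vpc"` (second hunk) no longer shows that this spoke needs a proxy-only subnet at all; with `subnets_proxy_only` removed the only remaining source is the factory data under `${var.factories_config.data_dir}/subnets/dev`, which this diff does not include, so whether the 10.128.60.0/24 and 10.128.61.0/24 ranges from the deleted `l7ilb_subnets` default were migrated cannot be verified here. A comment such as `# proxy-only (L7 ILB) and PSC subnets come from the subnets factory folder` next to `data_folder` would make the contract explicit for the next person adding an internal L7 load balancer. If the factory ranges differ from the old defaults, firewall rules allowing the proxy-only source range need the same update. The module block extends past the hunk.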
@ -16,19 +16,6 @@
|
|||
|
||||
# tfdoc:file:description Production spoke VPC and related resources.
|
||||
|
||||
locals {
|
||||
_l7ilb_subnets_prod = [
|
||||
for v in var.l7ilb_subnets.prod : merge(v, {
|
||||
active = true
|
||||
region = lookup(var.regions, v.region, v.region)
|
||||
})]
|
||||
l7ilb_subnets_prod = [
|
||||
for v in local._l7ilb_subnets_prod : merge(v, {
|
||||
name = "prod-l7ilb-${local.region_shortnames[v.region]}"
|
||||
})
|
||||
]
|
||||
}
|
||||
|
||||
module "prod-spoke-project" {
|
||||
source = "../../../modules/project"
|
||||
billing_account = var.billing_account.id
|
||||
|
@ -57,13 +44,12 @@ module "prod-spoke-project" {
|
|||
}
|
||||
|
||||
module "prod-spoke-vpc" {
|
||||
source = "../../../modules/net-vpc"
|
||||
project_id = module.prod-spoke-project.project_id
|
||||
name = "prod-spoke-0"
|
||||
mtu = 1500
|
||||
data_folder = "${var.factories_config.data_dir}/subnets/prod"
|
||||
psa_config = try(var.psa_ranges.prod, null)
|
||||
subnets_proxy_only = local.l7ilb_subnets_prod
|
||||
source = "../../../modules/net-vpc"
|
||||
project_id = module.prod-spoke-project.project_id
|
||||
name = "prod-spoke-0"
|
||||
mtu = 1500
|
||||
data_folder = "${var.factories_config.data_dir}/subnets/prod"
|
||||
psa_config = try(var.psa_ranges.prod, null)
|
||||
# set explicit routes for googleapis in case the default route is deleted
|
||||
routes = {
|
||||
private-googleapis = {
|
||||
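Review bot: Same remark as for the dev spoke applies to `module "prod-spoke-vpc"` (second hunk): dropping `subnets_proxy_only` leaves the proxy-only subnet for L7 ILBs to be sourced from `${var.factories_config.data_dir}/subnets/prod`, and nothing in the block or in this diff shows that the former 10.128.92.0/24 and 10.128.93.0/24 ranges were re-declared there. I would add `# L7 ILB proxy-only and PSC subnets are declared in the subnets factory folder` above `data_folder`, and confirm that firewall policy rules using the proxy-only range as a source match the CIDRs the YAML now defines. The module block continues beyond the hunk.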
@ -99,30 +99,6 @@ variable "folder_ids" {
|
|||
})
|
||||
}
|
||||
|
||||
variable "l7ilb_subnets" {
|
||||
description = "Subnets used for L7 ILBs."
|
||||
type = object({
|
||||
dev = optional(list(object({
|
||||
ip_cidr_range = string
|
||||
region = string
|
||||
})), [])
|
||||
prod = optional(list(object({
|
||||
ip_cidr_range = string
|
||||
region = string
|
||||
})), [])
|
||||
})
|
||||
default = {
|
||||
dev = [
|
||||
{ ip_cidr_range = "10.128.60.0/24", region = "primary" },
|
||||
{ ip_cidr_range = "10.128.61.0/24", region = "secondary" }
|
||||
]
|
||||
prod = [
|
||||
{ ip_cidr_range = "10.128.92.0/24", region = "primary" },
|
||||
{ ip_cidr_range = "10.128.93.0/24", region = "secondary" }
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
variable "organization" {
|
||||
# tfdoc:variable:source 0-bootstrap
|
||||
description = "Organization details."
|
||||
@ -421,20 +421,19 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|
|||
| [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | <code title="object({ id = string is_org_level = optional(bool, true) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [folder_ids](variables.tf#L97) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | <code title="object({ networking = string networking-dev = string networking-prod = string })">object({…})</code> | ✓ | | <code>1-resman</code> |
|
||||
| [organization](variables.tf#L133) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [prefix](variables.tf#L149) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [organization](variables.tf#L115) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [prefix](variables.tf#L131) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [custom_adv](variables.tf#L38) | Custom advertisement definitions in name => range format. | <code>map(string)</code> | | <code title="{ cloud_dns = "35.199.192.0/19" gcp_all = "10.128.0.0/16" gcp_dev_primary = "10.128.128.0/19" gcp_dev_secondary = "10.128.160.0/19" gcp_landing_trusted_primary = "10.128.64.0/19" gcp_landing_trusted_secondary = "10.128.96.0/19" gcp_landing_untrusted_primary = "10.128.0.0/19" gcp_landing_untrusted_secondary = "10.128.32.0/19" gcp_prod_primary = "10.128.192.0/19" gcp_prod_secondary = "10.128.224.0/19" googleapis_private = "199.36.153.8/30" googleapis_restricted = "199.36.153.4/30" rfc_1918_10 = "10.0.0.0/8" rfc_1918_172 = "172.16.0.0/12" rfc_1918_192 = "192.168.0.0/16" }">{…}</code> | |
|
||||
| [custom_roles](variables.tf#L60) | Custom roles defined at the org level, in key => id format. | <code title="object({ service_project_network_admin = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||
| [dns](variables.tf#L69) | Onprem DNS resolvers. | <code>map(list(string))</code> | | <code title="{ onprem = ["10.0.200.3"] }">{…}</code> | |
|
||||
| [factories_config](variables.tf#L77) | Configuration for network resource factories. | <code title="object({ data_dir = optional(string, "data") firewall_policy_name = optional(string, "factory") })">object({…})</code> | | <code title="{ data_dir = "data" }">{…}</code> | |
|
||||
| [l7ilb_subnets](variables.tf#L107) | Subnets used for L7 ILBs. | <code title="map(list(object({ ip_cidr_range = string region = string })))">map(list(object({…})))</code> | | <code title="{ dev = [ { ip_cidr_range = "10.128.159.0/24", region = "primary" }, { ip_cidr_range = "10.128.191.0/24", region = "secondary" } ] prod = [ { ip_cidr_range = "10.128.223.0/24", region = "primary" }, { ip_cidr_range = "10.128.255.0/24", region = "secondary" } ] }">{…}</code> | |
|
||||
| [onprem_cidr](variables.tf#L125) | Onprem addresses in name => range format. | <code>map(string)</code> | | <code title="{ main = "10.0.0.0/24" }">{…}</code> | |
|
||||
| [outputs_location](variables.tf#L143) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [psa_ranges](variables.tf#L160) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
||||
| [regions](variables.tf#L181) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
||||
| [router_configs](variables.tf#L193) | Configurations for CRs and onprem routers. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-trusted-primary = { asn = "64512" adv = null } landing-trusted-secondary = { asn = "64512" adv = null } }">{…}</code> | |
|
||||
| [service_accounts](variables.tf#L216) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string gke-dev = string gke-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>1-resman</code> |
|
||||
| [vpn_onprem_configs](variables.tf#L230) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(string) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-trusted-primary = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = ["8.8.8.8"] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } landing-trusted-secondary = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = ["8.8.8.8"] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
||||
| [onprem_cidr](variables.tf#L107) | Onprem addresses in name => range format. | <code>map(string)</code> | | <code title="{ main = "10.0.0.0/24" }">{…}</code> | |
|
||||
| [outputs_location](variables.tf#L125) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [psa_ranges](variables.tf#L142) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
||||
| [regions](variables.tf#L163) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
||||
| [router_configs](variables.tf#L175) | Configurations for CRs and onprem routers. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-trusted-primary = { asn = "64512" adv = null } landing-trusted-secondary = { asn = "64512" adv = null } }">{…}</code> | |
|
||||
| [service_accounts](variables.tf#L198) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string gke-dev = string gke-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>1-resman</code> |
|
||||
| [vpn_onprem_configs](variables.tf#L212) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(string) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-trusted-primary = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = ["8.8.8.8"] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } landing-trusted-secondary = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = ["8.8.8.8"] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
||||
|
||||
## Outputs
|
||||
|
||||
@ -18,12 +18,6 @@
|
|||
|
||||
locals {
|
||||
custom_roles = coalesce(var.custom_roles, {})
|
||||
l7ilb_subnets = { for env, v in var.l7ilb_subnets : env => [
|
||||
for s in v : merge(s, {
|
||||
active = true
|
||||
name = "${env}-l7ilb-${s.region}"
|
||||
})]
|
||||
}
|
||||
# combine all regions from variables and subnets
|
||||
regions = distinct(concat(
|
||||
values(var.regions),
|
||||
@ -16,19 +16,6 @@
|
|||
|
||||
# tfdoc:file:description Dev spoke VPC and related resources.
|
||||
|
||||
locals {
|
||||
_l7ilb_subnets_dev = [
|
||||
for v in var.l7ilb_subnets.dev : merge(v, {
|
||||
active = true
|
||||
region = lookup(var.regions, v.region, v.region)
|
||||
})]
|
||||
l7ilb_subnets_dev = [
|
||||
for v in local._l7ilb_subnets_dev : merge(v, {
|
||||
name = "dev-l7ilb-${local.region_shortnames[v.region]}"
|
||||
})
|
||||
]
|
||||
}
|
||||
|
||||
module "dev-spoke-project" {
|
||||
source = "../../../modules/project"
|
||||
billing_account = var.billing_account.id
|
||||
|
@ -63,7 +50,6 @@ module "dev-spoke-vpc" {
|
|||
data_folder = "${var.factories_config.data_dir}/subnets/dev"
|
||||
delete_default_routes_on_create = true
|
||||
psa_config = try(var.psa_ranges.dev, null)
|
||||
subnets_proxy_only = local.l7ilb_subnets_dev
|
||||
# Set explicit routes for googleapis; send everything else to NVAs
|
||||
routes = {
|
||||
private-googleapis = {
|
||||
@ -16,19 +16,6 @@
|
|||
|
||||
# tfdoc:file:description Production spoke VPC and related resources.
|
||||
|
||||
locals {
|
||||
_l7ilb_subnets_prod = [
|
||||
for v in var.l7ilb_subnets.prod : merge(v, {
|
||||
active = true
|
||||
region = lookup(var.regions, v.region, v.region)
|
||||
})]
|
||||
l7ilb_subnets_prod = [
|
||||
for v in local._l7ilb_subnets_prod : merge(v, {
|
||||
name = "prod-l7ilb-${local.region_shortnames[v.region]}"
|
||||
})
|
||||
]
|
||||
}
|
||||
|
||||
module "prod-spoke-project" {
|
||||
source = "../../../modules/project"
|
||||
billing_account = var.billing_account.id
|
||||
|
@ -63,7 +50,6 @@ module "prod-spoke-vpc" {
|
|||
data_folder = "${var.factories_config.data_dir}/subnets/prod"
|
||||
delete_default_routes_on_create = true
|
||||
psa_config = try(var.psa_ranges.prod, null)
|
||||
subnets_proxy_only = local.l7ilb_subnets_prod
|
||||
# Set explicit routes for googleapis; send everything else to NVAs
|
||||
routes = {
|
||||
private-googleapis = {
|
||||
@ -104,24 +104,6 @@ variable "folder_ids" {
|
|||
})
|
||||
}
|
||||
|
||||
variable "l7ilb_subnets" {
|
||||
description = "Subnets used for L7 ILBs."
|
||||
type = map(list(object({
|
||||
ip_cidr_range = string
|
||||
region = string
|
||||
})))
|
||||
default = {
|
||||
dev = [
|
||||
{ ip_cidr_range = "10.128.159.0/24", region = "primary" },
|
||||
{ ip_cidr_range = "10.128.191.0/24", region = "secondary" }
|
||||
]
|
||||
prod = [
|
||||
{ ip_cidr_range = "10.128.223.0/24", region = "primary" },
|
||||
{ ip_cidr_range = "10.128.255.0/24", region = "secondary" }
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
variable "onprem_cidr" {
|
||||
description = "Onprem addresses in name => range format."
|
||||
type = map(string)
|
||||
@ -291,19 +291,18 @@ Regions are defined via the `regions` variable which sets up a mapping between t
|
|||
| [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | <code title="object({ id = string is_org_level = optional(bool, true) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [folder_ids](variables.tf#L92) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | <code title="object({ networking = string networking-dev = string networking-prod = string })">object({…})</code> | ✓ | | <code>1-resman</code> |
|
||||
| [organization](variables.tf#L118) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [prefix](variables.tf#L134) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [organization](variables.tf#L102) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [prefix](variables.tf#L118) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [custom_adv](variables.tf#L38) | Custom advertisement definitions in name => range format. | <code>map(string)</code> | | <code title="{ cloud_dns = "35.199.192.0/19" gcp_all = "10.128.0.0/16" gcp_dev = "10.128.32.0/19" gcp_prod = "10.128.64.0/19" googleapis_private = "199.36.153.8/30" googleapis_restricted = "199.36.153.4/30" rfc_1918_10 = "10.0.0.0/8" rfc_1918_172 = "172.16.0.0/12" rfc_1918_192 = "192.168.0.0/16" }">{…}</code> | |
|
||||
| [custom_roles](variables.tf#L54) | Custom roles defined at the org level, in key => id format. | <code title="object({ service_project_network_admin = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||
| [dns](variables.tf#L63) | Onprem DNS resolvers. | <code>map(list(string))</code> | | <code title="{ prod = ["10.0.1.1"] dev = ["10.0.2.1"] }">{…}</code> | |
|
||||
| [factories_config](variables.tf#L72) | Configuration for network resource factories. | <code title="object({ data_dir = optional(string, "data") firewall_policy_name = optional(string, "factory") })">object({…})</code> | | <code title="{ data_dir = "data" }">{…}</code> | |
|
||||
| [l7ilb_subnets](variables.tf#L102) | Subnets used for L7 ILBs. | <code title="map(list(object({ ip_cidr_range = string region = string })))">map(list(object({…})))</code> | | <code title="{ prod = [ { ip_cidr_range = "10.128.92.0/24", region = "europe-west1" }, ] dev = [ { ip_cidr_range = "10.128.60.0/24", region = "europe-west1" }, ] }">{…}</code> | |
|
||||
| [outputs_location](variables.tf#L128) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [psa_ranges](variables.tf#L145) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
||||
| [regions](variables.tf#L182) | Region definitions. | <code title="object({ primary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" }">{…}</code> | |
|
||||
| [router_onprem_configs](variables.tf#L192) | Configurations for routers used for onprem connectivity. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ prod-primary = { asn = "65533" adv = null } dev-primary = { asn = "65534" adv = null } }">{…}</code> | |
|
||||
| [service_accounts](variables.tf#L215) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>1-resman</code> |
|
||||
| [vpn_onprem_configs](variables.tf#L227) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(string) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ dev-primary = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_dev" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = ["8.8.8.8"] } tunnels = [ { peer_asn = 65544 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65544 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } prod-primary = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_prod" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = ["8.8.8.8"] } tunnels = [ { peer_asn = 65543 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65543 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
||||
| [outputs_location](variables.tf#L112) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [psa_ranges](variables.tf#L129) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
||||
| [regions](variables.tf#L166) | Region definitions. | <code title="object({ primary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" }">{…}</code> | |
|
||||
| [router_onprem_configs](variables.tf#L176) | Configurations for routers used for onprem connectivity. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ prod-primary = { asn = "65533" adv = null } dev-primary = { asn = "65534" adv = null } }">{…}</code> | |
|
||||
| [service_accounts](variables.tf#L199) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>1-resman</code> |
|
||||
| [vpn_onprem_configs](variables.tf#L211) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(string) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ dev-primary = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_dev" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = ["8.8.8.8"] } tunnels = [ { peer_asn = 65544 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65544 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } prod-primary = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_prod" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = ["8.8.8.8"] } tunnels = [ { peer_asn = 65543 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65543 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
||||
|
||||
## Outputs
|
||||
|
||||
@ -18,19 +18,6 @@
|
|||
|
||||
locals {
|
||||
custom_roles = coalesce(var.custom_roles, {})
|
||||
_l7ilb_subnets = {
|
||||
for k, v in var.l7ilb_subnets : k => [
|
||||
for s in v : merge(s, {
|
||||
active = true
|
||||
region = lookup(var.regions, s.region, s.region)
|
||||
})]
|
||||
}
|
||||
l7ilb_subnets = {
|
||||
for k, v in local._l7ilb_subnets : k => [
|
||||
for s in v : merge(s, {
|
||||
name = "${k}-l7ilb-${local.region_shortnames[s.region]}"
|
||||
})]
|
||||
}
|
||||
# combine all regions from variables and subnets
|
||||
regions = distinct(concat(
|
||||
values(var.regions),
|
||||
@ -43,13 +43,12 @@ module "dev-spoke-project" {
|
|||
}
|
||||
|
||||
module "dev-spoke-vpc" {
|
||||
source = "../../../modules/net-vpc"
|
||||
project_id = module.dev-spoke-project.project_id
|
||||
name = "dev-spoke-0"
|
||||
mtu = 1500
|
||||
data_folder = "${var.factories_config.data_dir}/subnets/dev"
|
||||
psa_config = try(var.psa_ranges.dev, null)
|
||||
subnets_proxy_only = local.l7ilb_subnets.dev
|
||||
source = "../../../modules/net-vpc"
|
||||
project_id = module.dev-spoke-project.project_id
|
||||
name = "dev-spoke-0"
|
||||
mtu = 1500
|
||||
data_folder = "${var.factories_config.data_dir}/subnets/dev"
|
||||
psa_config = try(var.psa_ranges.dev, null)
|
||||
# set explicit routes for googleapis in case the default route is deleted
|
||||
routes = {
|
||||
private-googleapis = {
|
||||
@ -43,13 +43,12 @@ module "prod-spoke-project" {
|
|||
}
|
||||
|
||||
module "prod-spoke-vpc" {
|
||||
source = "../../../modules/net-vpc"
|
||||
project_id = module.prod-spoke-project.project_id
|
||||
name = "prod-spoke-0"
|
||||
mtu = 1500
|
||||
data_folder = "${var.factories_config.data_dir}/subnets/prod"
|
||||
psa_config = try(var.psa_ranges.prod, null)
|
||||
subnets_proxy_only = local.l7ilb_subnets.prod
|
||||
source = "../../../modules/net-vpc"
|
||||
project_id = module.prod-spoke-project.project_id
|
||||
name = "prod-spoke-0"
|
||||
mtu = 1500
|
||||
data_folder = "${var.factories_config.data_dir}/subnets/prod"
|
||||
psa_config = try(var.psa_ranges.prod, null)
|
||||
# set explicit routes for googleapis in case the default route is deleted
|
||||
routes = {
|
||||
private-googleapis = {
|
||||
@ -99,22 +99,6 @@ variable "folder_ids" {
|
|||
})
|
||||
}
|
||||
|
||||
variable "l7ilb_subnets" {
|
||||
description = "Subnets used for L7 ILBs."
|
||||
type = map(list(object({
|
||||
ip_cidr_range = string
|
||||
region = string
|
||||
})))
|
||||
default = {
|
||||
prod = [
|
||||
{ ip_cidr_range = "10.128.92.0/24", region = "europe-west1" },
|
||||
]
|
||||
dev = [
|
||||
{ ip_cidr_range = "10.128.60.0/24", region = "europe-west1" },
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
variable "organization" {
|
||||
# tfdoc:variable:source 0-bootstrap
|
||||
description = "Organization details."
|
||||
@ -34,6 +34,7 @@ module "vpc" {
|
|||
```
|
||||
|
||||
### Subnet Options
|
||||
|
||||
```hcl
|
||||
module "vpc" {
|
||||
source = "./fabric/modules/net-vpc"
|
||||
|
@ -305,7 +306,7 @@ module "vpc" {
|
|||
|
||||
### Subnet Factory
|
||||
|
||||
The `net-vpc` module includes a subnet factory (see [Resource Factories](../../blueprints/factories/)) for the massive creation of subnets leveraging one configuration file per subnet.
|
||||
The `net-vpc` module includes a subnet factory (see [Resource Factories](../../blueprints/factories/)) for the massive creation of subnets leveraging one configuration file per subnet. The factory also supports proxy-only and PSC subnets via the `purpose` attribute.
|
||||
|
||||
```hcl
|
||||
module "vpc" {
|
||||
|
@ -314,7 +315,7 @@ module "vpc" {
|
|||
name = "my-network"
|
||||
data_folder = "config/subnets"
|
||||
}
|
||||
# tftest modules=1 resources=4 files=subnet-simple,subnet-detailed inventory=factory.yaml
|
||||
# tftest modules=1 resources=6 files=subnet-simple,subnet-detailed,subnet-proxy,subnet-psc inventory=factory.yaml
|
||||
```
|
||||
|
||||
```yaml
|
||||
|
@ -342,6 +343,20 @@ flow_logs: # enable, set to empty map to use defaults
|
|||
filter_expression: null
|
||||
```
|
||||
|
||||
```yaml
|
||||
# tftest-file id=subnet-proxy path=config/subnets/subnet-proxy.yaml
|
||||
region: europe-west4
|
||||
ip_cidr_range: 10.1.0.0/24
|
||||
purpose: REGIONAL_MANAGED_PROXY
|
||||
```
|
||||
|
||||
```yaml
|
||||
# tftest-file id=subnet-psc path=config/subnets/subnet-psc.yaml
|
||||
region: europe-west4
|
||||
ip_cidr_range: 10.2.0.0/24
|
||||
purpose: PRIVATE_SERVICE_CONNECT
|
||||
```
|
||||
|
||||
### Custom Routes
|
||||
|
||||
VPC routes can be configured through the `routes` variable.
|
||||
|
@ -380,7 +395,6 @@ module "vpc" {
|
|||
# tftest modules=5 resources=15 inventory=routes.yaml
|
||||
```
|
||||
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
@ -34,6 +34,8 @@ locals {
|
|||
iam_groups = try(v.iam_groups, [])
|
||||
iam_users = try(v.iam_users, [])
|
||||
iam_service_accounts = try(v.iam_service_accounts, [])
|
||||
purpose = try(v.purpose, null)
|
||||
active = try(v.active, null)
|
||||
}
|
||||
}
|
||||
_factory_subnets_iam = [
|
||||
|
@ -45,7 +47,7 @@ locals {
|
|||
formatlist("user:%s", lookup(v, "iam_users", [])),
|
||||
formatlist("serviceAccount:%s", lookup(v, "iam_service_accounts", []))
|
||||
)
|
||||
}
|
||||
} if v.purpose == null
|
||||
]
|
||||
_subnet_iam_members = flatten([
|
||||
for subnet, roles in(var.subnet_iam == null ? {} : var.subnet_iam) : [
|
||||
|
@ -61,17 +63,17 @@ locals {
|
|||
local._subnet_iam_members
|
||||
)
|
||||
subnets = merge(
|
||||
{ for subnet in var.subnets : "${subnet.region}/${subnet.name}" => subnet },
|
||||
local._factory_subnets
|
||||
{ for s in var.subnets : "${s.region}/${s.name}" => s },
|
||||
{ for k, v in local._factory_subnets : k => v if v.purpose == null }
|
||||
)
|
||||
subnets_proxy_only = merge(
|
||||
{ for s in var.subnets_proxy_only : "${s.region}/${s.name}" => s },
|
||||
{ for k, v in local._factory_subnets : k => v if v.purpose == "REGIONAL_MANAGED_PROXY" }
|
||||
)
|
||||
subnets_psc = merge(
|
||||
{ for s in var.subnets_psc : "${s.region}/${s.name}" => s },
|
||||
{ for k, v in local._factory_subnets : k => v if v.purpose == "PRIVATE_SERVICE_CONNECT" }
|
||||
)
|
||||
subnets_proxy_only = {
|
||||
for subnet in var.subnets_proxy_only :
|
||||
"${subnet.region}/${subnet.name}" => subnet
|
||||
}
|
||||
subnets_psc = {
|
||||
for subnet in var.subnets_psc :
|
||||
"${subnet.region}/${subnet.name}" => subnet
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_compute_subnetwork" "subnetwork" {
|
||||
|
@ -120,9 +122,7 @@ resource "google_compute_subnetwork" "proxy_only" {
|
|||
: each.value.description
|
||||
)
|
||||
purpose = "REGIONAL_MANAGED_PROXY"
|
||||
role = (
|
||||
each.value.active || each.value.active == null ? "ACTIVE" : "BACKUP"
|
||||
)
|
||||
role = each.value.active != false ? "ACTIVE" : "BACKUP"
|
||||
}
|
||||
|
||||
resource "google_compute_subnetwork" "psc" {
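Review bot: An unrecognised `purpose` value in a factory YAML file is silently dropped instead of rejected: the three `merge()` calls in the `subnets` / `subnets_proxy_only` / `subnets_psc` locals partition `local._factory_subnets` on exact string equality with `null`, `"REGIONAL_MANAGED_PROXY"` and `"PRIVATE_SERVICE_CONNECT"`, so a typo or a lower-case value matches none of them and the subnet is never created, with no plan-time error. A guard that fails the plan for any other value would surface this, for example a lifecycle `precondition` on one of the subnetwork resources (their bodies start after these hunks) with `condition = alltrue([for v in local._factory_subnets : v.purpose == null || contains(["REGIONAL_MANAGED_PROXY", "PRIVATE_SERVICE_CONNECT"], v.purpose)])`, if the module's required Terraform version allows it. The new `} if v.purpose == null` filter on `_factory_subnets_iam` likewise means any `iam_groups` / `iam_users` / `iam_service_accounts` keys in a proxy-only or PSC subnet file are ignored without warning, which is presumably intended but undocumented. A comment on that line such as `# IAM bindings are only applied to regular subnets; iam_* keys on proxy-only / PSC subnet files are ignored` and a matching sentence in the Subnet Factory section of the README would make that visible to users.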
|
||||
@ -54,8 +54,16 @@ values:
|
|||
region: europe-west1
|
||||
role: roles/compute.networkUser
|
||||
subnetwork: subnet-detailed
|
||||
module.vpc.google_compute_subnetwork.proxy_only["europe-west4/subnet-proxy"]:
|
||||
region: europe-west4
|
||||
ip_cidr_range: 10.1.0.0/24
|
||||
purpose: REGIONAL_MANAGED_PROXY
|
||||
module.vpc.google_compute_subnetwork.psc["europe-west4/subnet-psc"]:
|
||||
region: europe-west4
|
||||
ip_cidr_range: 10.2.0.0/24
|
||||
purpose: PRIVATE_SERVICE_CONNECT
|
||||
|
||||
counts:
|
||||
google_compute_network: 1
|
||||
google_compute_subnetwork: 2
|
||||
google_compute_subnetwork: 4
|
||||
google_compute_subnetwork_iam_binding: 1
|
||||
@ -15,7 +15,6 @@
|
|||
# limitations under the License.
|
||||
|
||||
import click
|
||||
import os
|
||||
import sys
|
||||
import tempfile
|
||||
import yaml
|
||||