add support for proxy and psc subnets to module factory (#1211)
parent
21e451d4cb
commit
8fc9549c58
|
@ -347,20 +347,19 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|
||||||
| [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
| [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | <code title="object({ id = string is_org_level = optional(bool, true) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
| [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | <code title="object({ id = string is_org_level = optional(bool, true) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [folder_ids](variables.tf#L92) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | <code title="object({ networking = string networking-dev = string networking-prod = string })">object({…})</code> | ✓ | | <code>1-resman</code> |
|
| [folder_ids](variables.tf#L92) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | <code title="object({ networking = string networking-dev = string networking-prod = string })">object({…})</code> | ✓ | | <code>1-resman</code> |
|
||||||
| [organization](variables.tf#L126) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
| [organization](variables.tf#L102) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [prefix](variables.tf#L142) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
| [prefix](variables.tf#L118) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [custom_adv](variables.tf#L38) | Custom advertisement definitions in name => range format. | <code>map(string)</code> | | <code title="{ cloud_dns = "35.199.192.0/19" gcp_all = "10.128.0.0/16" gcp_dev = "10.128.32.0/19" gcp_landing = "10.128.0.0/19" gcp_prod = "10.128.64.0/19" googleapis_private = "199.36.153.8/30" googleapis_restricted = "199.36.153.4/30" rfc_1918_10 = "10.0.0.0/8" rfc_1918_172 = "172.16.0.0/12" rfc_1918_192 = "192.168.0.0/16" }">{…}</code> | |
|
| [custom_adv](variables.tf#L38) | Custom advertisement definitions in name => range format. | <code>map(string)</code> | | <code title="{ cloud_dns = "35.199.192.0/19" gcp_all = "10.128.0.0/16" gcp_dev = "10.128.32.0/19" gcp_landing = "10.128.0.0/19" gcp_prod = "10.128.64.0/19" googleapis_private = "199.36.153.8/30" googleapis_restricted = "199.36.153.4/30" rfc_1918_10 = "10.0.0.0/8" rfc_1918_172 = "172.16.0.0/12" rfc_1918_192 = "192.168.0.0/16" }">{…}</code> | |
|
||||||
| [custom_roles](variables.tf#L55) | Custom roles defined at the org level, in key => id format. | <code title="object({ service_project_network_admin = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
| [custom_roles](variables.tf#L55) | Custom roles defined at the org level, in key => id format. | <code title="object({ service_project_network_admin = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||||
| [dns](variables.tf#L64) | Onprem DNS resolvers. | <code>map(list(string))</code> | | <code title="{ onprem = ["10.0.200.3"] }">{…}</code> | |
|
| [dns](variables.tf#L64) | Onprem DNS resolvers. | <code>map(list(string))</code> | | <code title="{ onprem = ["10.0.200.3"] }">{…}</code> | |
|
||||||
| [factories_config](variables.tf#L72) | Configuration for network resource factories. | <code title="object({ data_dir = optional(string, "data") firewall_policy_name = optional(string, "factory") })">object({…})</code> | | <code title="{ data_dir = "data" }">{…}</code> | |
|
| [factories_config](variables.tf#L72) | Configuration for network resource factories. | <code title="object({ data_dir = optional(string, "data") firewall_policy_name = optional(string, "factory") })">object({…})</code> | | <code title="{ data_dir = "data" }">{…}</code> | |
|
||||||
| [l7ilb_subnets](variables.tf#L102) | Subnets used for L7 ILBs. | <code title="object({ dev = optional(list(object({ ip_cidr_range = string region = string })), []) prod = optional(list(object({ ip_cidr_range = string region = string })), []) })">object({…})</code> | | <code title="{ dev = [ { ip_cidr_range = "10.128.60.0/24", region = "primary" }, { ip_cidr_range = "10.128.61.0/24", region = "secondary" } ] prod = [ { ip_cidr_range = "10.128.92.0/24", region = "primary" }, { ip_cidr_range = "10.128.93.0/24", region = "secondary" } ] }">{…}</code> | |
|
| [outputs_location](variables.tf#L112) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||||
| [outputs_location](variables.tf#L136) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
|
||||||
| [peering_configs](variables-peerings.tf#L19) | Peering configurations. | <code title="map(object({ export_local_custom_routes = bool export_peer_custom_routes = bool }))">map(object({…}))</code> | | <code title="{ dev = { export_local_custom_routes = true export_peer_custom_routes = true } prod = { export_local_custom_routes = true export_peer_custom_routes = true } }">{…}</code> | |
|
| [peering_configs](variables-peerings.tf#L19) | Peering configurations. | <code title="map(object({ export_local_custom_routes = bool export_peer_custom_routes = bool }))">map(object({…}))</code> | | <code title="{ dev = { export_local_custom_routes = true export_peer_custom_routes = true } prod = { export_local_custom_routes = true export_peer_custom_routes = true } }">{…}</code> | |
|
||||||
| [psa_ranges](variables.tf#L153) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
| [psa_ranges](variables.tf#L129) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
||||||
| [regions](variables.tf#L190) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
| [regions](variables.tf#L166) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
||||||
| [router_onprem_configs](variables.tf#L202) | Configurations for routers used for onprem connectivity. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-primary = { asn = "65533" adv = null } }">{…}</code> | |
|
| [router_onprem_configs](variables.tf#L178) | Configurations for routers used for onprem connectivity. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-primary = { asn = "65533" adv = null } }">{…}</code> | |
|
||||||
| [service_accounts](variables.tf#L220) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string gke-dev = string gke-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>1-resman</code> |
|
| [service_accounts](variables.tf#L196) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string gke-dev = string gke-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>1-resman</code> |
|
||||||
| [vpn_onprem_configs](variables.tf#L234) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(string) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-primary = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = ["8.8.8.8"] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
| [vpn_onprem_configs](variables.tf#L210) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(string) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-primary = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = ["8.8.8.8"] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|
|
@ -16,19 +16,6 @@
|
||||||
|
|
||||||
# tfdoc:file:description Dev spoke VPC and related resources.
|
# tfdoc:file:description Dev spoke VPC and related resources.
|
||||||
|
|
||||||
locals {
|
|
||||||
_l7ilb_subnets_dev = [
|
|
||||||
for v in var.l7ilb_subnets.dev : merge(v, {
|
|
||||||
active = true
|
|
||||||
region = lookup(var.regions, v.region, v.region)
|
|
||||||
})]
|
|
||||||
l7ilb_subnets_dev = [
|
|
||||||
for v in local._l7ilb_subnets_dev : merge(v, {
|
|
||||||
name = "dev-l7ilb-${local.region_shortnames[v.region]}"
|
|
||||||
})
|
|
||||||
]
|
|
||||||
}
|
|
||||||
|
|
||||||
module "dev-spoke-project" {
|
module "dev-spoke-project" {
|
||||||
source = "../../../modules/project"
|
source = "../../../modules/project"
|
||||||
billing_account = var.billing_account.id
|
billing_account = var.billing_account.id
|
||||||
|
@ -57,13 +44,12 @@ module "dev-spoke-project" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "dev-spoke-vpc" {
|
module "dev-spoke-vpc" {
|
||||||
source = "../../../modules/net-vpc"
|
source = "../../../modules/net-vpc"
|
||||||
project_id = module.dev-spoke-project.project_id
|
project_id = module.dev-spoke-project.project_id
|
||||||
name = "dev-spoke-0"
|
name = "dev-spoke-0"
|
||||||
mtu = 1500
|
mtu = 1500
|
||||||
data_folder = "${var.factories_config.data_dir}/subnets/dev"
|
data_folder = "${var.factories_config.data_dir}/subnets/dev"
|
||||||
psa_config = try(var.psa_ranges.dev, null)
|
psa_config = try(var.psa_ranges.dev, null)
|
||||||
subnets_proxy_only = local.l7ilb_subnets_dev
|
|
||||||
# set explicit routes for googleapis in case the default route is deleted
|
# set explicit routes for googleapis in case the default route is deleted
|
||||||
routes = {
|
routes = {
|
||||||
private-googleapis = {
|
private-googleapis = {
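Review bot: Dropping `subnets_proxy_only = local.l7ilb_subnets_dev` from `module "dev-spoke-vpc"` makes the dev proxy-only subnets depend entirely on what the factory finds under `${var.factories_config.data_dir}/subnets/dev`, and nothing in this hunk shows equivalent YAML being added, so on an already-deployed stage the plan will propose destroying the `dev-l7ilb-*` subnets (and with them any internal HTTP(S) load balancer that uses them) unless the data files land in the same change. The defaults that were previously applied implicitly (`10.128.60.0/24` primary, `10.128.61.0/24` secondary) also disappear silently, and any tfvars still setting the removed `l7ilb_subnets` variable only produces a Terraform "undeclared variable" warning rather than an error. I would add a line next to `data_folder` such as `# proxy-only (L7 ILB) and PSC subnets are defined as YAML in the subnet factory folder, not as variables` and call out the migration in the stage README. The `dev-spoke-vpc` module block continues past the end of this hunk.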
|
||||||
|
|
|
@ -16,19 +16,6 @@
|
||||||
|
|
||||||
# tfdoc:file:description Production spoke VPC and related resources.
|
# tfdoc:file:description Production spoke VPC and related resources.
|
||||||
|
|
||||||
locals {
|
|
||||||
_l7ilb_subnets_prod = [
|
|
||||||
for v in var.l7ilb_subnets.prod : merge(v, {
|
|
||||||
active = true
|
|
||||||
region = lookup(var.regions, v.region, v.region)
|
|
||||||
})]
|
|
||||||
l7ilb_subnets_prod = [
|
|
||||||
for v in local._l7ilb_subnets_prod : merge(v, {
|
|
||||||
name = "prod-l7ilb-${local.region_shortnames[v.region]}"
|
|
||||||
})
|
|
||||||
]
|
|
||||||
}
|
|
||||||
|
|
||||||
module "prod-spoke-project" {
|
module "prod-spoke-project" {
|
||||||
source = "../../../modules/project"
|
source = "../../../modules/project"
|
||||||
billing_account = var.billing_account.id
|
billing_account = var.billing_account.id
|
||||||
|
@ -57,13 +44,12 @@ module "prod-spoke-project" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "prod-spoke-vpc" {
|
module "prod-spoke-vpc" {
|
||||||
source = "../../../modules/net-vpc"
|
source = "../../../modules/net-vpc"
|
||||||
project_id = module.prod-spoke-project.project_id
|
project_id = module.prod-spoke-project.project_id
|
||||||
name = "prod-spoke-0"
|
name = "prod-spoke-0"
|
||||||
mtu = 1500
|
mtu = 1500
|
||||||
data_folder = "${var.factories_config.data_dir}/subnets/prod"
|
data_folder = "${var.factories_config.data_dir}/subnets/prod"
|
||||||
psa_config = try(var.psa_ranges.prod, null)
|
psa_config = try(var.psa_ranges.prod, null)
|
||||||
subnets_proxy_only = local.l7ilb_subnets_prod
|
|
||||||
# set explicit routes for googleapis in case the default route is deleted
|
# set explicit routes for googleapis in case the default route is deleted
|
||||||
routes = {
|
routes = {
|
||||||
private-googleapis = {
|
private-googleapis = {
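Review bot: Removing `subnets_proxy_only = local.l7ilb_subnets_prod` from `module "prod-spoke-vpc"` means the production proxy-only subnets now exist only if matching definitions are present under `${var.factories_config.data_dir}/subnets/prod`; this hunk does not show that data being added, so an apply against an existing prod spoke would plan the destruction of the `prod-l7ilb-*` subnets and break any internal L7 load balancer attached to them. Because the old `l7ilb_subnets` defaults (`10.128.92.0/24`, `10.128.93.0/24`) are no longer applied by code and a stale tfvars value for the removed variable is only a warning in Terraform, this is an easy change to miss in review of the plan. Suggest a comment beside `data_folder`, e.g. `# proxy-only and PSC subnets come from the subnet factory YAML; keep the existing L7 ILB ranges there when migrating`, and a note in the stage README. The `prod-spoke-vpc` module block continues beyond this hunk.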
|
||||||
|
|
|
@ -99,30 +99,6 @@ variable "folder_ids" {
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "l7ilb_subnets" {
|
|
||||||
description = "Subnets used for L7 ILBs."
|
|
||||||
type = object({
|
|
||||||
dev = optional(list(object({
|
|
||||||
ip_cidr_range = string
|
|
||||||
region = string
|
|
||||||
})), [])
|
|
||||||
prod = optional(list(object({
|
|
||||||
ip_cidr_range = string
|
|
||||||
region = string
|
|
||||||
})), [])
|
|
||||||
})
|
|
||||||
default = {
|
|
||||||
dev = [
|
|
||||||
{ ip_cidr_range = "10.128.60.0/24", region = "primary" },
|
|
||||||
{ ip_cidr_range = "10.128.61.0/24", region = "secondary" }
|
|
||||||
]
|
|
||||||
prod = [
|
|
||||||
{ ip_cidr_range = "10.128.92.0/24", region = "primary" },
|
|
||||||
{ ip_cidr_range = "10.128.93.0/24", region = "secondary" }
|
|
||||||
]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "organization" {
|
variable "organization" {
|
||||||
# tfdoc:variable:source 0-bootstrap
|
# tfdoc:variable:source 0-bootstrap
|
||||||
description = "Organization details."
|
description = "Organization details."
|
||||||
|
|
|
@ -372,20 +372,19 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|
||||||
| [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
| [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | <code title="object({ id = string is_org_level = optional(bool, true) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
| [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | <code title="object({ id = string is_org_level = optional(bool, true) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [folder_ids](variables.tf#L92) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | <code title="object({ networking = string networking-dev = string networking-prod = string })">object({…})</code> | ✓ | | <code>1-resman</code> |
|
| [folder_ids](variables.tf#L92) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | <code title="object({ networking = string networking-dev = string networking-prod = string })">object({…})</code> | ✓ | | <code>1-resman</code> |
|
||||||
| [organization](variables.tf#L126) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
| [organization](variables.tf#L102) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [prefix](variables.tf#L142) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
| [prefix](variables.tf#L118) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [custom_adv](variables.tf#L38) | Custom advertisement definitions in name => range format. | <code>map(string)</code> | | <code title="{ cloud_dns = "35.199.192.0/19" gcp_all = "10.128.0.0/16" gcp_dev = "10.128.32.0/19" gcp_landing = "10.128.0.0/19" gcp_prod = "10.128.64.0/19" googleapis_private = "199.36.153.8/30" googleapis_restricted = "199.36.153.4/30" rfc_1918_10 = "10.0.0.0/8" rfc_1918_172 = "172.16.0.0/12" rfc_1918_192 = "192.168.0.0/16" }">{…}</code> | |
|
| [custom_adv](variables.tf#L38) | Custom advertisement definitions in name => range format. | <code>map(string)</code> | | <code title="{ cloud_dns = "35.199.192.0/19" gcp_all = "10.128.0.0/16" gcp_dev = "10.128.32.0/19" gcp_landing = "10.128.0.0/19" gcp_prod = "10.128.64.0/19" googleapis_private = "199.36.153.8/30" googleapis_restricted = "199.36.153.4/30" rfc_1918_10 = "10.0.0.0/8" rfc_1918_172 = "172.16.0.0/12" rfc_1918_192 = "192.168.0.0/16" }">{…}</code> | |
|
||||||
| [custom_roles](variables.tf#L55) | Custom roles defined at the org level, in key => id format. | <code title="object({ service_project_network_admin = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
| [custom_roles](variables.tf#L55) | Custom roles defined at the org level, in key => id format. | <code title="object({ service_project_network_admin = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||||
| [dns](variables.tf#L64) | Onprem DNS resolvers. | <code>map(list(string))</code> | | <code title="{ onprem = ["10.0.200.3"] }">{…}</code> | |
|
| [dns](variables.tf#L64) | Onprem DNS resolvers. | <code>map(list(string))</code> | | <code title="{ onprem = ["10.0.200.3"] }">{…}</code> | |
|
||||||
| [factories_config](variables.tf#L72) | Configuration for network resource factories. | <code title="object({ data_dir = optional(string, "data") firewall_policy_name = optional(string, "factory") })">object({…})</code> | | <code title="{ data_dir = "data" }">{…}</code> | |
|
| [factories_config](variables.tf#L72) | Configuration for network resource factories. | <code title="object({ data_dir = optional(string, "data") firewall_policy_name = optional(string, "factory") })">object({…})</code> | | <code title="{ data_dir = "data" }">{…}</code> | |
|
||||||
| [l7ilb_subnets](variables.tf#L102) | Subnets used for L7 ILBs. | <code title="object({ dev = optional(list(object({ ip_cidr_range = string region = string })), []) prod = optional(list(object({ ip_cidr_range = string region = string })), []) })">object({…})</code> | | <code title="{ dev = [ { ip_cidr_range = "10.128.60.0/24", region = "primary" }, { ip_cidr_range = "10.128.61.0/24", region = "secondary" } ] prod = [ { ip_cidr_range = "10.128.92.0/24", region = "primary" }, { ip_cidr_range = "10.128.93.0/24", region = "secondary" } ] }">{…}</code> | |
|
| [outputs_location](variables.tf#L112) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||||
| [outputs_location](variables.tf#L136) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
| [psa_ranges](variables.tf#L129) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
||||||
| [psa_ranges](variables.tf#L153) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
| [regions](variables.tf#L166) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
||||||
| [regions](variables.tf#L190) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
| [router_onprem_configs](variables.tf#L178) | Configurations for routers used for onprem connectivity. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-primary = { asn = "65533" adv = null } }">{…}</code> | |
|
||||||
| [router_onprem_configs](variables.tf#L202) | Configurations for routers used for onprem connectivity. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-primary = { asn = "65533" adv = null } }">{…}</code> | |
|
|
||||||
| [router_spoke_configs](variables-vpn.tf#L18) | Configurations for routers used for internal connectivity. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-primary = { asn = "64512", adv = null } landing-secondary = { asn = "64512", adv = null } spoke-dev-primary = { asn = "64513", adv = null } spoke-dev-secondary = { asn = "64513", adv = null } spoke-prod-primary = { asn = "64514", adv = null } spoke-prod-secondary = { asn = "64514", adv = null } }">{…}</code> | |
|
| [router_spoke_configs](variables-vpn.tf#L18) | Configurations for routers used for internal connectivity. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-primary = { asn = "64512", adv = null } landing-secondary = { asn = "64512", adv = null } spoke-dev-primary = { asn = "64513", adv = null } spoke-dev-secondary = { asn = "64513", adv = null } spoke-prod-primary = { asn = "64514", adv = null } spoke-prod-secondary = { asn = "64514", adv = null } }">{…}</code> | |
|
||||||
| [service_accounts](variables.tf#L220) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string gke-dev = string gke-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>1-resman</code> |
|
| [service_accounts](variables.tf#L196) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string gke-dev = string gke-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>1-resman</code> |
|
||||||
| [vpn_onprem_configs](variables.tf#L234) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(string) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-primary = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = ["8.8.8.8"] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
| [vpn_onprem_configs](variables.tf#L210) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(string) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-primary = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = ["8.8.8.8"] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
||||||
| [vpn_spoke_configs](variables-vpn.tf#L37) | VPN gateway configuration for spokes. | <code title="map(object({ default = bool custom = list(string) }))">map(object({…}))</code> | | <code title="{ landing-primary = { default = false custom = ["rfc_1918_10", "rfc_1918_172", "rfc_1918_192"] } landing-secondary = { default = false custom = ["rfc_1918_10", "rfc_1918_172", "rfc_1918_192"] } dev-primary = { default = false custom = ["gcp_dev"] } prod-primary = { default = false custom = ["gcp_prod"] } prod-secondary = { default = false custom = ["gcp_prod"] } }">{…}</code> | |
|
| [vpn_spoke_configs](variables-vpn.tf#L37) | VPN gateway configuration for spokes. | <code title="map(object({ default = bool custom = list(string) }))">map(object({…}))</code> | | <code title="{ landing-primary = { default = false custom = ["rfc_1918_10", "rfc_1918_172", "rfc_1918_192"] } landing-secondary = { default = false custom = ["rfc_1918_10", "rfc_1918_172", "rfc_1918_192"] } dev-primary = { default = false custom = ["gcp_dev"] } prod-primary = { default = false custom = ["gcp_prod"] } prod-secondary = { default = false custom = ["gcp_prod"] } }">{…}</code> | |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
|
@ -16,19 +16,6 @@
|
||||||
|
|
||||||
# tfdoc:file:description Dev spoke VPC and related resources.
|
# tfdoc:file:description Dev spoke VPC and related resources.
|
||||||
|
|
||||||
locals {
|
|
||||||
_l7ilb_subnets_dev = [
|
|
||||||
for v in var.l7ilb_subnets.dev : merge(v, {
|
|
||||||
active = true
|
|
||||||
region = lookup(var.regions, v.region, v.region)
|
|
||||||
})]
|
|
||||||
l7ilb_subnets_dev = [
|
|
||||||
for v in local._l7ilb_subnets_dev : merge(v, {
|
|
||||||
name = "dev-l7ilb-${local.region_shortnames[v.region]}"
|
|
||||||
})
|
|
||||||
]
|
|
||||||
}
|
|
||||||
|
|
||||||
module "dev-spoke-project" {
|
module "dev-spoke-project" {
|
||||||
source = "../../../modules/project"
|
source = "../../../modules/project"
|
||||||
billing_account = var.billing_account.id
|
billing_account = var.billing_account.id
|
||||||
|
@ -57,13 +44,12 @@ module "dev-spoke-project" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "dev-spoke-vpc" {
|
module "dev-spoke-vpc" {
|
||||||
source = "../../../modules/net-vpc"
|
source = "../../../modules/net-vpc"
|
||||||
project_id = module.dev-spoke-project.project_id
|
project_id = module.dev-spoke-project.project_id
|
||||||
name = "dev-spoke-0"
|
name = "dev-spoke-0"
|
||||||
mtu = 1500
|
mtu = 1500
|
||||||
data_folder = "${var.factories_config.data_dir}/subnets/dev"
|
data_folder = "${var.factories_config.data_dir}/subnets/dev"
|
||||||
psa_config = try(var.psa_ranges.dev, null)
|
psa_config = try(var.psa_ranges.dev, null)
|
||||||
subnets_proxy_only = local.l7ilb_subnets_dev
|
|
||||||
# set explicit routes for googleapis in case the default route is deleted
|
# set explicit routes for googleapis in case the default route is deleted
|
||||||
routes = {
|
routes = {
|
||||||
private-googleapis = {
|
private-googleapis = {
|
||||||
|
|
|
@ -16,19 +16,6 @@
|
||||||
|
|
||||||
# tfdoc:file:description Production spoke VPC and related resources.
|
# tfdoc:file:description Production spoke VPC and related resources.
|
||||||
|
|
||||||
locals {
|
|
||||||
_l7ilb_subnets_prod = [
|
|
||||||
for v in var.l7ilb_subnets.prod : merge(v, {
|
|
||||||
active = true
|
|
||||||
region = lookup(var.regions, v.region, v.region)
|
|
||||||
})]
|
|
||||||
l7ilb_subnets_prod = [
|
|
||||||
for v in local._l7ilb_subnets_prod : merge(v, {
|
|
||||||
name = "prod-l7ilb-${local.region_shortnames[v.region]}"
|
|
||||||
})
|
|
||||||
]
|
|
||||||
}
|
|
||||||
|
|
||||||
module "prod-spoke-project" {
|
module "prod-spoke-project" {
|
||||||
source = "../../../modules/project"
|
source = "../../../modules/project"
|
||||||
billing_account = var.billing_account.id
|
billing_account = var.billing_account.id
|
||||||
|
@ -57,13 +44,12 @@ module "prod-spoke-project" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "prod-spoke-vpc" {
|
module "prod-spoke-vpc" {
|
||||||
source = "../../../modules/net-vpc"
|
source = "../../../modules/net-vpc"
|
||||||
project_id = module.prod-spoke-project.project_id
|
project_id = module.prod-spoke-project.project_id
|
||||||
name = "prod-spoke-0"
|
name = "prod-spoke-0"
|
||||||
mtu = 1500
|
mtu = 1500
|
||||||
data_folder = "${var.factories_config.data_dir}/subnets/prod"
|
data_folder = "${var.factories_config.data_dir}/subnets/prod"
|
||||||
psa_config = try(var.psa_ranges.prod, null)
|
psa_config = try(var.psa_ranges.prod, null)
|
||||||
subnets_proxy_only = local.l7ilb_subnets_prod
|
|
||||||
# set explicit routes for googleapis in case the default route is deleted
|
# set explicit routes for googleapis in case the default route is deleted
|
||||||
routes = {
|
routes = {
|
||||||
private-googleapis = {
|
private-googleapis = {
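Review bot: With `subnets_proxy_only` gone from `module "prod-spoke-vpc"`, the production proxy-only subnets in this stage are created solely from YAML under `${var.factories_config.data_dir}/subnets/prod`, and the hunk gives no evidence those files exist, so an existing deployment is at risk of a plan that deletes the `prod-l7ilb-*` subnets and the L7 ILB forwarding rules that depend on them. The removed variable's defaults (`10.128.92.0/24`, `10.128.93.0/24`) are not carried over anywhere visible here. A short comment at `data_folder`, such as `# proxy-only and PSC subnets are factory-managed; see data/subnets/prod`, would make the new source of truth explicit for operators reviewing plans. The module block continues outside this hunk.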
|
||||||
|
|
|
@ -99,30 +99,6 @@ variable "folder_ids" {
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "l7ilb_subnets" {
|
|
||||||
description = "Subnets used for L7 ILBs."
|
|
||||||
type = object({
|
|
||||||
dev = optional(list(object({
|
|
||||||
ip_cidr_range = string
|
|
||||||
region = string
|
|
||||||
})), [])
|
|
||||||
prod = optional(list(object({
|
|
||||||
ip_cidr_range = string
|
|
||||||
region = string
|
|
||||||
})), [])
|
|
||||||
})
|
|
||||||
default = {
|
|
||||||
dev = [
|
|
||||||
{ ip_cidr_range = "10.128.60.0/24", region = "primary" },
|
|
||||||
{ ip_cidr_range = "10.128.61.0/24", region = "secondary" }
|
|
||||||
]
|
|
||||||
prod = [
|
|
||||||
{ ip_cidr_range = "10.128.92.0/24", region = "primary" },
|
|
||||||
{ ip_cidr_range = "10.128.93.0/24", region = "secondary" }
|
|
||||||
]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "organization" {
|
variable "organization" {
|
||||||
# tfdoc:variable:source 0-bootstrap
|
# tfdoc:variable:source 0-bootstrap
|
||||||
description = "Organization details."
|
description = "Organization details."
|
||||||
|
|
|
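Review bot: Removing `variable "l7ilb_subnets"` without a deprecation step means users whose tfvars still set it will at best get an undeclared-variable warning while silently losing their proxy-only subnets; a line in the stage README or changelog stating that the variable was replaced by factory files carrying a proxy-only `purpose` would make the break visible. The default ranges being deleted here (`10.128.60.0/24`, `10.128.61.0/24`, `10.128.92.0/24`, `10.128.93.0/24`) are no longer encoded anywhere in the visible diff, so confirm the equivalent factory data files keep the same CIDRs if existing address plans and firewall rules are expected to keep working. The same variable removal is made in the `variables.tf` of the other two networking stages in this commit.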
@ -421,20 +421,19 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|
||||||
| [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
| [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | <code title="object({ id = string is_org_level = optional(bool, true) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
| [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | <code title="object({ id = string is_org_level = optional(bool, true) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [folder_ids](variables.tf#L97) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | <code title="object({ networking = string networking-dev = string networking-prod = string })">object({…})</code> | ✓ | | <code>1-resman</code> |
|
| [folder_ids](variables.tf#L97) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | <code title="object({ networking = string networking-dev = string networking-prod = string })">object({…})</code> | ✓ | | <code>1-resman</code> |
|
||||||
| [organization](variables.tf#L133) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
| [organization](variables.tf#L115) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [prefix](variables.tf#L149) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
| [prefix](variables.tf#L131) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [custom_adv](variables.tf#L38) | Custom advertisement definitions in name => range format. | <code>map(string)</code> | | <code title="{ cloud_dns = "35.199.192.0/19" gcp_all = "10.128.0.0/16" gcp_dev_primary = "10.128.128.0/19" gcp_dev_secondary = "10.128.160.0/19" gcp_landing_trusted_primary = "10.128.64.0/19" gcp_landing_trusted_secondary = "10.128.96.0/19" gcp_landing_untrusted_primary = "10.128.0.0/19" gcp_landing_untrusted_secondary = "10.128.32.0/19" gcp_prod_primary = "10.128.192.0/19" gcp_prod_secondary = "10.128.224.0/19" googleapis_private = "199.36.153.8/30" googleapis_restricted = "199.36.153.4/30" rfc_1918_10 = "10.0.0.0/8" rfc_1918_172 = "172.16.0.0/12" rfc_1918_192 = "192.168.0.0/16" }">{…}</code> | |
|
| [custom_adv](variables.tf#L38) | Custom advertisement definitions in name => range format. | <code>map(string)</code> | | <code title="{ cloud_dns = "35.199.192.0/19" gcp_all = "10.128.0.0/16" gcp_dev_primary = "10.128.128.0/19" gcp_dev_secondary = "10.128.160.0/19" gcp_landing_trusted_primary = "10.128.64.0/19" gcp_landing_trusted_secondary = "10.128.96.0/19" gcp_landing_untrusted_primary = "10.128.0.0/19" gcp_landing_untrusted_secondary = "10.128.32.0/19" gcp_prod_primary = "10.128.192.0/19" gcp_prod_secondary = "10.128.224.0/19" googleapis_private = "199.36.153.8/30" googleapis_restricted = "199.36.153.4/30" rfc_1918_10 = "10.0.0.0/8" rfc_1918_172 = "172.16.0.0/12" rfc_1918_192 = "192.168.0.0/16" }">{…}</code> | |
|
||||||
| [custom_roles](variables.tf#L60) | Custom roles defined at the org level, in key => id format. | <code title="object({ service_project_network_admin = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
| [custom_roles](variables.tf#L60) | Custom roles defined at the org level, in key => id format. | <code title="object({ service_project_network_admin = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||||
| [dns](variables.tf#L69) | Onprem DNS resolvers. | <code>map(list(string))</code> | | <code title="{ onprem = ["10.0.200.3"] }">{…}</code> | |
|
| [dns](variables.tf#L69) | Onprem DNS resolvers. | <code>map(list(string))</code> | | <code title="{ onprem = ["10.0.200.3"] }">{…}</code> | |
|
||||||
| [factories_config](variables.tf#L77) | Configuration for network resource factories. | <code title="object({ data_dir = optional(string, "data") firewall_policy_name = optional(string, "factory") })">object({…})</code> | | <code title="{ data_dir = "data" }">{…}</code> | |
|
| [factories_config](variables.tf#L77) | Configuration for network resource factories. | <code title="object({ data_dir = optional(string, "data") firewall_policy_name = optional(string, "factory") })">object({…})</code> | | <code title="{ data_dir = "data" }">{…}</code> | |
|
||||||
| [l7ilb_subnets](variables.tf#L107) | Subnets used for L7 ILBs. | <code title="map(list(object({ ip_cidr_range = string region = string })))">map(list(object({…})))</code> | | <code title="{ dev = [ { ip_cidr_range = "10.128.159.0/24", region = "primary" }, { ip_cidr_range = "10.128.191.0/24", region = "secondary" } ] prod = [ { ip_cidr_range = "10.128.223.0/24", region = "primary" }, { ip_cidr_range = "10.128.255.0/24", region = "secondary" } ] }">{…}</code> | |
|
| [onprem_cidr](variables.tf#L107) | Onprem addresses in name => range format. | <code>map(string)</code> | | <code title="{ main = "10.0.0.0/24" }">{…}</code> | |
|
||||||
| [onprem_cidr](variables.tf#L125) | Onprem addresses in name => range format. | <code>map(string)</code> | | <code title="{ main = "10.0.0.0/24" }">{…}</code> | |
|
| [outputs_location](variables.tf#L125) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||||
| [outputs_location](variables.tf#L143) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
| [psa_ranges](variables.tf#L142) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
||||||
| [psa_ranges](variables.tf#L160) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
| [regions](variables.tf#L163) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
||||||
| [regions](variables.tf#L181) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
| [router_configs](variables.tf#L175) | Configurations for CRs and onprem routers. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-trusted-primary = { asn = "64512" adv = null } landing-trusted-secondary = { asn = "64512" adv = null } }">{…}</code> | |
|
||||||
| [router_configs](variables.tf#L193) | Configurations for CRs and onprem routers. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-trusted-primary = { asn = "64512" adv = null } landing-trusted-secondary = { asn = "64512" adv = null } }">{…}</code> | |
|
| [service_accounts](variables.tf#L198) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string gke-dev = string gke-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>1-resman</code> |
|
||||||
| [service_accounts](variables.tf#L216) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string gke-dev = string gke-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>1-resman</code> |
|
| [vpn_onprem_configs](variables.tf#L212) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(string) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-trusted-primary = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = ["8.8.8.8"] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } landing-trusted-secondary = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = ["8.8.8.8"] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
||||||
| [vpn_onprem_configs](variables.tf#L230) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(string) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-trusted-primary = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = ["8.8.8.8"] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } landing-trusted-secondary = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = ["8.8.8.8"] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|
|
@ -18,12 +18,6 @@
|
||||||
|
|
||||||
locals {
|
locals {
|
||||||
custom_roles = coalesce(var.custom_roles, {})
|
custom_roles = coalesce(var.custom_roles, {})
|
||||||
l7ilb_subnets = { for env, v in var.l7ilb_subnets : env => [
|
|
||||||
for s in v : merge(s, {
|
|
||||||
active = true
|
|
||||||
name = "${env}-l7ilb-${s.region}"
|
|
||||||
})]
|
|
||||||
}
|
|
||||||
# combine all regions from variables and subnets
|
# combine all regions from variables and subnets
|
||||||
regions = distinct(concat(
|
regions = distinct(concat(
|
||||||
values(var.regions),
|
values(var.regions),
|
||||||
|
|
|
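Review bot: The hunk removes `local.l7ilb_subnets` but ends before the `regions = distinct(concat(values(var.regions), …` expression is complete; the `# combine all regions from variables and subnets` comment suggests that concat aggregates subnet regions, so if it previously folded in the proxy-only subnet regions it should now read them from the factory subnets instead, otherwise `local.region_shortnames` may lack a region used only by a proxy-only or PSC subnet. The enclosing `locals` block continues outside the hunk. The same applies to the `locals` hunk in the other stage's `main.tf` in this commit.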
@ -16,19 +16,6 @@
|
||||||
|
|
||||||
# tfdoc:file:description Dev spoke VPC and related resources.
|
# tfdoc:file:description Dev spoke VPC and related resources.
|
||||||
|
|
||||||
locals {
|
|
||||||
_l7ilb_subnets_dev = [
|
|
||||||
for v in var.l7ilb_subnets.dev : merge(v, {
|
|
||||||
active = true
|
|
||||||
region = lookup(var.regions, v.region, v.region)
|
|
||||||
})]
|
|
||||||
l7ilb_subnets_dev = [
|
|
||||||
for v in local._l7ilb_subnets_dev : merge(v, {
|
|
||||||
name = "dev-l7ilb-${local.region_shortnames[v.region]}"
|
|
||||||
})
|
|
||||||
]
|
|
||||||
}
|
|
||||||
|
|
||||||
module "dev-spoke-project" {
|
module "dev-spoke-project" {
|
||||||
source = "../../../modules/project"
|
source = "../../../modules/project"
|
||||||
billing_account = var.billing_account.id
|
billing_account = var.billing_account.id
|
||||||
|
@ -63,7 +50,6 @@ module "dev-spoke-vpc" {
|
||||||
data_folder = "${var.factories_config.data_dir}/subnets/dev"
|
data_folder = "${var.factories_config.data_dir}/subnets/dev"
|
||||||
delete_default_routes_on_create = true
|
delete_default_routes_on_create = true
|
||||||
psa_config = try(var.psa_ranges.dev, null)
|
psa_config = try(var.psa_ranges.dev, null)
|
||||||
subnets_proxy_only = local.l7ilb_subnets_dev
|
|
||||||
# Set explicit routes for googleapis; send everything else to NVAs
|
# Set explicit routes for googleapis; send everything else to NVAs
|
||||||
routes = {
|
routes = {
|
||||||
private-googleapis = {
|
private-googleapis = {
|
||||||
|
|
|
@ -16,19 +16,6 @@
|
||||||
|
|
||||||
# tfdoc:file:description Production spoke VPC and related resources.
|
# tfdoc:file:description Production spoke VPC and related resources.
|
||||||
|
|
||||||
locals {
|
|
||||||
_l7ilb_subnets_prod = [
|
|
||||||
for v in var.l7ilb_subnets.prod : merge(v, {
|
|
||||||
active = true
|
|
||||||
region = lookup(var.regions, v.region, v.region)
|
|
||||||
})]
|
|
||||||
l7ilb_subnets_prod = [
|
|
||||||
for v in local._l7ilb_subnets_prod : merge(v, {
|
|
||||||
name = "prod-l7ilb-${local.region_shortnames[v.region]}"
|
|
||||||
})
|
|
||||||
]
|
|
||||||
}
|
|
||||||
|
|
||||||
module "prod-spoke-project" {
|
module "prod-spoke-project" {
|
||||||
source = "../../../modules/project"
|
source = "../../../modules/project"
|
||||||
billing_account = var.billing_account.id
|
billing_account = var.billing_account.id
|
||||||
|
@ -63,7 +50,6 @@ module "prod-spoke-vpc" {
|
||||||
data_folder = "${var.factories_config.data_dir}/subnets/prod"
|
data_folder = "${var.factories_config.data_dir}/subnets/prod"
|
||||||
delete_default_routes_on_create = true
|
delete_default_routes_on_create = true
|
||||||
psa_config = try(var.psa_ranges.prod, null)
|
psa_config = try(var.psa_ranges.prod, null)
|
||||||
subnets_proxy_only = local.l7ilb_subnets_prod
|
|
||||||
# Set explicit routes for googleapis; send everything else to NVAs
|
# Set explicit routes for googleapis; send everything else to NVAs
|
||||||
routes = {
|
routes = {
|
||||||
private-googleapis = {
|
private-googleapis = {
|
||||||
|
|
|
@ -104,24 +104,6 @@ variable "folder_ids" {
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "l7ilb_subnets" {
|
|
||||||
description = "Subnets used for L7 ILBs."
|
|
||||||
type = map(list(object({
|
|
||||||
ip_cidr_range = string
|
|
||||||
region = string
|
|
||||||
})))
|
|
||||||
default = {
|
|
||||||
dev = [
|
|
||||||
{ ip_cidr_range = "10.128.159.0/24", region = "primary" },
|
|
||||||
{ ip_cidr_range = "10.128.191.0/24", region = "secondary" }
|
|
||||||
]
|
|
||||||
prod = [
|
|
||||||
{ ip_cidr_range = "10.128.223.0/24", region = "primary" },
|
|
||||||
{ ip_cidr_range = "10.128.255.0/24", region = "secondary" }
|
|
||||||
]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "onprem_cidr" {
|
variable "onprem_cidr" {
|
||||||
description = "Onprem addresses in name => range format."
|
description = "Onprem addresses in name => range format."
|
||||||
type = map(string)
|
type = map(string)
|
||||||
|
|
|
@ -291,19 +291,18 @@ Regions are defined via the `regions` variable which sets up a mapping between t
|
||||||
| [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
| [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | <code title="object({ id = string is_org_level = optional(bool, true) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
| [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | <code title="object({ id = string is_org_level = optional(bool, true) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [folder_ids](variables.tf#L92) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | <code title="object({ networking = string networking-dev = string networking-prod = string })">object({…})</code> | ✓ | | <code>1-resman</code> |
|
| [folder_ids](variables.tf#L92) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | <code title="object({ networking = string networking-dev = string networking-prod = string })">object({…})</code> | ✓ | | <code>1-resman</code> |
|
||||||
| [organization](variables.tf#L118) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
| [organization](variables.tf#L102) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [prefix](variables.tf#L134) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
| [prefix](variables.tf#L118) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [custom_adv](variables.tf#L38) | Custom advertisement definitions in name => range format. | <code>map(string)</code> | | <code title="{ cloud_dns = "35.199.192.0/19" gcp_all = "10.128.0.0/16" gcp_dev = "10.128.32.0/19" gcp_prod = "10.128.64.0/19" googleapis_private = "199.36.153.8/30" googleapis_restricted = "199.36.153.4/30" rfc_1918_10 = "10.0.0.0/8" rfc_1918_172 = "172.16.0.0/12" rfc_1918_192 = "192.168.0.0/16" }">{…}</code> | |
|
| [custom_adv](variables.tf#L38) | Custom advertisement definitions in name => range format. | <code>map(string)</code> | | <code title="{ cloud_dns = "35.199.192.0/19" gcp_all = "10.128.0.0/16" gcp_dev = "10.128.32.0/19" gcp_prod = "10.128.64.0/19" googleapis_private = "199.36.153.8/30" googleapis_restricted = "199.36.153.4/30" rfc_1918_10 = "10.0.0.0/8" rfc_1918_172 = "172.16.0.0/12" rfc_1918_192 = "192.168.0.0/16" }">{…}</code> | |
|
||||||
| [custom_roles](variables.tf#L54) | Custom roles defined at the org level, in key => id format. | <code title="object({ service_project_network_admin = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
| [custom_roles](variables.tf#L54) | Custom roles defined at the org level, in key => id format. | <code title="object({ service_project_network_admin = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||||
| [dns](variables.tf#L63) | Onprem DNS resolvers. | <code>map(list(string))</code> | | <code title="{ prod = ["10.0.1.1"] dev = ["10.0.2.1"] }">{…}</code> | |
|
| [dns](variables.tf#L63) | Onprem DNS resolvers. | <code>map(list(string))</code> | | <code title="{ prod = ["10.0.1.1"] dev = ["10.0.2.1"] }">{…}</code> | |
|
||||||
| [factories_config](variables.tf#L72) | Configuration for network resource factories. | <code title="object({ data_dir = optional(string, "data") firewall_policy_name = optional(string, "factory") })">object({…})</code> | | <code title="{ data_dir = "data" }">{…}</code> | |
|
| [factories_config](variables.tf#L72) | Configuration for network resource factories. | <code title="object({ data_dir = optional(string, "data") firewall_policy_name = optional(string, "factory") })">object({…})</code> | | <code title="{ data_dir = "data" }">{…}</code> | |
|
||||||
| [l7ilb_subnets](variables.tf#L102) | Subnets used for L7 ILBs. | <code title="map(list(object({ ip_cidr_range = string region = string })))">map(list(object({…})))</code> | | <code title="{ prod = [ { ip_cidr_range = "10.128.92.0/24", region = "europe-west1" }, ] dev = [ { ip_cidr_range = "10.128.60.0/24", region = "europe-west1" }, ] }">{…}</code> | |
|
| [outputs_location](variables.tf#L112) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||||
| [outputs_location](variables.tf#L128) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
| [psa_ranges](variables.tf#L129) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
||||||
| [psa_ranges](variables.tf#L145) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
| [regions](variables.tf#L166) | Region definitions. | <code title="object({ primary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" }">{…}</code> | |
|
||||||
| [regions](variables.tf#L182) | Region definitions. | <code title="object({ primary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" }">{…}</code> | |
|
| [router_onprem_configs](variables.tf#L176) | Configurations for routers used for onprem connectivity. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ prod-primary = { asn = "65533" adv = null } dev-primary = { asn = "65534" adv = null } }">{…}</code> | |
|
||||||
| [router_onprem_configs](variables.tf#L192) | Configurations for routers used for onprem connectivity. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ prod-primary = { asn = "65533" adv = null } dev-primary = { asn = "65534" adv = null } }">{…}</code> | |
|
| [service_accounts](variables.tf#L199) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>1-resman</code> |
|
||||||
| [service_accounts](variables.tf#L215) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>1-resman</code> |
|
| [vpn_onprem_configs](variables.tf#L211) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(string) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ dev-primary = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_dev" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = ["8.8.8.8"] } tunnels = [ { peer_asn = 65544 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65544 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } prod-primary = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_prod" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = ["8.8.8.8"] } tunnels = [ { peer_asn = 65543 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65543 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
||||||
| [vpn_onprem_configs](variables.tf#L227) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(string) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ dev-primary = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_dev" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = ["8.8.8.8"] } tunnels = [ { peer_asn = 65544 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65544 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } prod-primary = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_prod" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = ["8.8.8.8"] } tunnels = [ { peer_asn = 65543 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65543 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|
|
@ -18,19 +18,6 @@
|
||||||
|
|
||||||
locals {
|
locals {
|
||||||
custom_roles = coalesce(var.custom_roles, {})
|
custom_roles = coalesce(var.custom_roles, {})
|
||||||
_l7ilb_subnets = {
|
|
||||||
for k, v in var.l7ilb_subnets : k => [
|
|
||||||
for s in v : merge(s, {
|
|
||||||
active = true
|
|
||||||
region = lookup(var.regions, s.region, s.region)
|
|
||||||
})]
|
|
||||||
}
|
|
||||||
l7ilb_subnets = {
|
|
||||||
for k, v in local._l7ilb_subnets : k => [
|
|
||||||
for s in v : merge(s, {
|
|
||||||
name = "${k}-l7ilb-${local.region_shortnames[s.region]}"
|
|
||||||
})]
|
|
||||||
}
|
|
||||||
# combine all regions from variables and subnets
|
# combine all regions from variables and subnets
|
||||||
regions = distinct(concat(
|
regions = distinct(concat(
|
||||||
values(var.regions),
|
values(var.regions),
|
||||||
|
|
|
@ -43,13 +43,12 @@ module "dev-spoke-project" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "dev-spoke-vpc" {
|
module "dev-spoke-vpc" {
|
||||||
source = "../../../modules/net-vpc"
|
source = "../../../modules/net-vpc"
|
||||||
project_id = module.dev-spoke-project.project_id
|
project_id = module.dev-spoke-project.project_id
|
||||||
name = "dev-spoke-0"
|
name = "dev-spoke-0"
|
||||||
mtu = 1500
|
mtu = 1500
|
||||||
data_folder = "${var.factories_config.data_dir}/subnets/dev"
|
data_folder = "${var.factories_config.data_dir}/subnets/dev"
|
||||||
psa_config = try(var.psa_ranges.dev, null)
|
psa_config = try(var.psa_ranges.dev, null)
|
||||||
subnets_proxy_only = local.l7ilb_subnets.dev
|
|
||||||
# set explicit routes for googleapis in case the default route is deleted
|
# set explicit routes for googleapis in case the default route is deleted
|
||||||
routes = {
|
routes = {
|
||||||
private-googleapis = {
|
private-googleapis = {
|
||||||
|
|
|
@ -43,13 +43,12 @@ module "prod-spoke-project" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "prod-spoke-vpc" {
|
module "prod-spoke-vpc" {
|
||||||
source = "../../../modules/net-vpc"
|
source = "../../../modules/net-vpc"
|
||||||
project_id = module.prod-spoke-project.project_id
|
project_id = module.prod-spoke-project.project_id
|
||||||
name = "prod-spoke-0"
|
name = "prod-spoke-0"
|
||||||
mtu = 1500
|
mtu = 1500
|
||||||
data_folder = "${var.factories_config.data_dir}/subnets/prod"
|
data_folder = "${var.factories_config.data_dir}/subnets/prod"
|
||||||
psa_config = try(var.psa_ranges.prod, null)
|
psa_config = try(var.psa_ranges.prod, null)
|
||||||
subnets_proxy_only = local.l7ilb_subnets.prod
|
|
||||||
# set explicit routes for googleapis in case the default route is deleted
|
# set explicit routes for googleapis in case the default route is deleted
|
||||||
routes = {
|
routes = {
|
||||||
private-googleapis = {
|
private-googleapis = {
|
||||||
|
|
|
@ -99,22 +99,6 @@ variable "folder_ids" {
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "l7ilb_subnets" {
|
|
||||||
description = "Subnets used for L7 ILBs."
|
|
||||||
type = map(list(object({
|
|
||||||
ip_cidr_range = string
|
|
||||||
region = string
|
|
||||||
})))
|
|
||||||
default = {
|
|
||||||
prod = [
|
|
||||||
{ ip_cidr_range = "10.128.92.0/24", region = "europe-west1" },
|
|
||||||
]
|
|
||||||
dev = [
|
|
||||||
{ ip_cidr_range = "10.128.60.0/24", region = "europe-west1" },
|
|
||||||
]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "organization" {
|
variable "organization" {
|
||||||
# tfdoc:variable:source 0-bootstrap
|
# tfdoc:variable:source 0-bootstrap
|
||||||
description = "Organization details."
|
description = "Organization details."
|
||||||
|
|
|
@ -34,6 +34,7 @@ module "vpc" {
|
||||||
```
|
```
|
||||||
|
|
||||||
### Subnet Options
|
### Subnet Options
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
module "vpc" {
|
module "vpc" {
|
||||||
source = "./fabric/modules/net-vpc"
|
source = "./fabric/modules/net-vpc"
|
||||||
|
@ -305,7 +306,7 @@ module "vpc" {
|
||||||
|
|
||||||
### Subnet Factory
|
### Subnet Factory
|
||||||
|
|
||||||
The `net-vpc` module includes a subnet factory (see [Resource Factories](../../blueprints/factories/)) for the massive creation of subnets leveraging one configuration file per subnet.
|
The `net-vpc` module includes a subnet factory (see [Resource Factories](../../blueprints/factories/)) for the massive creation of subnets leveraging one configuration file per subnet. The factory also supports proxy-only and PSC subnets via the `purpose` attribute.
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
module "vpc" {
|
module "vpc" {
|
||||||
|
@ -314,7 +315,7 @@ module "vpc" {
|
||||||
name = "my-network"
|
name = "my-network"
|
||||||
data_folder = "config/subnets"
|
data_folder = "config/subnets"
|
||||||
}
|
}
|
||||||
# tftest modules=1 resources=4 files=subnet-simple,subnet-detailed inventory=factory.yaml
|
# tftest modules=1 resources=6 files=subnet-simple,subnet-detailed,subnet-proxy,subnet-psc inventory=factory.yaml
|
||||||
```
|
```
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
|
@ -342,6 +343,20 @@ flow_logs: # enable, set to empty map to use defaults
|
||||||
filter_expression: null
|
filter_expression: null
|
||||||
```
|
```
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
# tftest-file id=subnet-proxy path=config/subnets/subnet-proxy.yaml
|
||||||
|
region: europe-west4
|
||||||
|
ip_cidr_range: 10.1.0.0/24
|
||||||
|
purpose: REGIONAL_MANAGED_PROXY
|
||||||
|
```
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
# tftest-file id=subnet-psc path=config/subnets/subnet-psc.yaml
|
||||||
|
region: europe-west4
|
||||||
|
ip_cidr_range: 10.2.0.0/24
|
||||||
|
purpose: PRIVATE_SERVICE_CONNECT
|
||||||
|
```
|
||||||
|
|
||||||
### Custom Routes
|
### Custom Routes
|
||||||
|
|
||||||
VPC routes can be configured through the `routes` variable.
|
VPC routes can be configured through the `routes` variable.
|
||||||
|
@ -380,7 +395,6 @@ module "vpc" {
|
||||||
# tftest modules=5 resources=15 inventory=routes.yaml
|
# tftest modules=5 resources=15 inventory=routes.yaml
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## Variables
|
## Variables
|
||||||
|
|
||||||
| name | description | type | required | default |
|
| name | description | type | required | default |
|
||||||
|
|
|
@ -34,6 +34,8 @@ locals {
|
||||||
iam_groups = try(v.iam_groups, [])
|
iam_groups = try(v.iam_groups, [])
|
||||||
iam_users = try(v.iam_users, [])
|
iam_users = try(v.iam_users, [])
|
||||||
iam_service_accounts = try(v.iam_service_accounts, [])
|
iam_service_accounts = try(v.iam_service_accounts, [])
|
||||||
|
purpose = try(v.purpose, null)
|
||||||
|
active = try(v.active, null)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
_factory_subnets_iam = [
|
_factory_subnets_iam = [
|
||||||
|
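Review bot: `purpose = try(v.purpose, null)` accepts any value present in the YAML file, but the maps built from `_factory_subnets` only recognise `null`, `"REGIONAL_MANAGED_PROXY"` and `"PRIVATE_SERVICE_CONNECT"` (the three `if v.purpose == …` filters in the `-61,17 +63,17` hunk), so a misspelled or unsupported purpose silently produces no subnet and no error. A loud failure would be safer, e.g. a `lifecycle { precondition }` on the network resource (or a `check` block if the stage's minimum Terraform version allows it) with `condition = alltrue([for k, v in local._factory_subnets : v.purpose == null || contains(["REGIONAL_MANAGED_PROXY", "PRIVATE_SERVICE_CONNECT"], v.purpose)])`. At minimum a comment on the new line such as `# only null, REGIONAL_MANAGED_PROXY and PRIVATE_SERVICE_CONNECT are honoured; anything else is dropped` would document the behaviour. The enclosing `locals` block starts outside the hunk.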
@ -45,7 +47,7 @@ locals {
|
||||||
formatlist("user:%s", lookup(v, "iam_users", [])),
|
formatlist("user:%s", lookup(v, "iam_users", [])),
|
||||||
formatlist("serviceAccount:%s", lookup(v, "iam_service_accounts", []))
|
formatlist("serviceAccount:%s", lookup(v, "iam_service_accounts", []))
|
||||||
)
|
)
|
||||||
}
|
} if v.purpose == null
|
||||||
]
|
]
|
||||||
_subnet_iam_members = flatten([
|
_subnet_iam_members = flatten([
|
||||||
for subnet, roles in(var.subnet_iam == null ? {} : var.subnet_iam) : [
|
for subnet, roles in(var.subnet_iam == null ? {} : var.subnet_iam) : [
|
||||||
|
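Review bot: The new `} if v.purpose == null` filter means `iam_groups`, `iam_users` and `iam_service_accounts` entries in a proxy-only or PSC subnet file are discarded with no feedback to the author of the YAML. If this is intentional because the IAM binding resource appears to be keyed to the regular `subnetwork` resource, a comment on that line such as `# IAM bindings are only created for regular subnets; iam_* entries on proxy-only/PSC files are ignored` would spare the next reader a debugging session, and the README's Subnet Factory section should say the same. The for-expression this line closes starts outside the hunk.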
@ -61,17 +63,17 @@ locals {
|
||||||
local._subnet_iam_members
|
local._subnet_iam_members
|
||||||
)
|
)
|
||||||
subnets = merge(
|
subnets = merge(
|
||||||
{ for subnet in var.subnets : "${subnet.region}/${subnet.name}" => subnet },
|
{ for s in var.subnets : "${s.region}/${s.name}" => s },
|
||||||
local._factory_subnets
|
{ for k, v in local._factory_subnets : k => v if v.purpose == null }
|
||||||
|
)
|
||||||
|
subnets_proxy_only = merge(
|
||||||
|
{ for s in var.subnets_proxy_only : "${s.region}/${s.name}" => s },
|
||||||
|
{ for k, v in local._factory_subnets : k => v if v.purpose == "REGIONAL_MANAGED_PROXY" }
|
||||||
|
)
|
||||||
|
subnets_psc = merge(
|
||||||
|
{ for s in var.subnets_psc : "${s.region}/${s.name}" => s },
|
||||||
|
{ for k, v in local._factory_subnets : k => v if v.purpose == "PRIVATE_SERVICE_CONNECT" }
|
||||||
)
|
)
|
||||||
subnets_proxy_only = {
|
|
||||||
for subnet in var.subnets_proxy_only :
|
|
||||||
"${subnet.region}/${subnet.name}" => subnet
|
|
||||||
}
|
|
||||||
subnets_psc = {
|
|
||||||
for subnet in var.subnets_psc :
|
|
||||||
"${subnet.region}/${subnet.name}" => subnet
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_compute_subnetwork" "subnetwork" {
|
resource "google_compute_subnetwork" "subnetwork" {
|
||||||
|
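Review bot: In all three merges (`subnets`, `subnets_proxy_only`, `subnets_psc`) the factory map is the last argument, so a YAML subnet whose `region/name` key matches one declared in the corresponding variable silently replaces it; for the two new maps this is new behaviour and deserves either a comment or a guard. The factory objects are also now mixed into maps whose other entries come from typed variables, so they must carry every attribute the `proxy_only` and `psc` resources read through `each.value` (the `proxy_only` hunk reads `description` and `active`); the visible part of `_factory_subnets` sets `active` and `purpose` and the rest is outside this view, so please confirm the full object shape matches. A comment such as `# factory entries take precedence over variable entries with the same region/name key` on each merge would make the precedence explicit. The `locals` block starts outside the hunk.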
@ -120,9 +122,7 @@ resource "google_compute_subnetwork" "proxy_only" {
|
||||||
: each.value.description
|
: each.value.description
|
||||||
)
|
)
|
||||||
purpose = "REGIONAL_MANAGED_PROXY"
|
purpose = "REGIONAL_MANAGED_PROXY"
|
||||||
role = (
|
role = each.value.active != false ? "ACTIVE" : "BACKUP"
|
||||||
each.value.active || each.value.active == null ? "ACTIVE" : "BACKUP"
|
|
||||||
)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_compute_subnetwork" "psc" {
|
resource "google_compute_subnetwork" "psc" {
|
||||||
|
|
|
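Review bot: `role = each.value.active != false ? "ACTIVE" : "BACKUP"` correctly handles the null case the old expression tripped on, but for factory-sourced entries `active` is whatever `yamldecode` produced (the factory local assigns `active = try(v.active, null)` with no conversion), so a quoted `"false"` in the YAML is a string, compares unequal to the boolean `false`, and yields `ACTIVE`. If the variable path is typed `bool` this only affects the factory path; normalising there with `active = try(tobool(v.active), null)` would make both sources behave the same and keep this line unchanged. The resource block starts outside the hunk.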
@ -54,8 +54,16 @@ values:
|
||||||
region: europe-west1
|
region: europe-west1
|
||||||
role: roles/compute.networkUser
|
role: roles/compute.networkUser
|
||||||
subnetwork: subnet-detailed
|
subnetwork: subnet-detailed
|
||||||
|
module.vpc.google_compute_subnetwork.proxy_only["europe-west4/subnet-proxy"]:
|
||||||
|
region: europe-west4
|
||||||
|
ip_cidr_range: 10.1.0.0/24
|
||||||
|
purpose: REGIONAL_MANAGED_PROXY
|
||||||
|
module.vpc.google_compute_subnetwork.psc["europe-west4/subnet-psc"]:
|
||||||
|
region: europe-west4
|
||||||
|
ip_cidr_range: 10.2.0.0/24
|
||||||
|
purpose: PRIVATE_SERVICE_CONNECT
|
||||||
|
|
||||||
counts:
|
counts:
|
||||||
google_compute_network: 1
|
google_compute_network: 1
|
||||||
google_compute_subnetwork: 2
|
google_compute_subnetwork: 4
|
||||||
google_compute_subnetwork_iam_binding: 1
|
google_compute_subnetwork_iam_binding: 1
|
||||||
|
|
|
@ -15,7 +15,6 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
import click
|
import click
|
||||||
import os
|
|
||||||
import sys
|
import sys
|
||||||
import tempfile
|
import tempfile
|
||||||
import yaml
|
import yaml
|
||||||
|
|