diff --git a/examples/factories/project-factory/README.md b/examples/factories/project-factory/README.md index 268c173f..f815f9d5 100644 --- a/examples/factories/project-factory/README.md +++ b/examples/factories/project-factory/README.md 
@@ -218,26 +218,28 @@ vpc: | name | description | type | required | default | |---|---|:---:|:---:|:---:| | [billing_account_id](variables.tf#L17) | Billing account id. | string | ✓ | | -| [defaults](variables.tf#L35) | Project factory default values. | object({…}) | ✓ | | -| [folder_id](variables.tf#L68) | Folder ID for the folder where the project will be created. | string | ✓ | | -| [project_id](variables.tf#L111) | Project id. | string | ✓ | | +| [folder_id](variables.tf#L69) | Folder ID for the folder where the project will be created. | string | ✓ | | +| [project_id](variables.tf#L118) | Project id. | string | ✓ | | | [billing_alert](variables.tf#L22) | Billing alert configuration. | object({…}) | | null | -| [dns_zones](variables.tf#L56) | DNS private zones to create as child of var.defaults.environment_dns_zone. | list(string) | | [] | -| [essential_contacts](variables.tf#L62) | Email contacts to be used for billing and GCP notifications. | list(string) | | [] | -| [group_iam](variables.tf#L73) | Custom IAM settings in group => [role] format. | map(list(string)) | | {} | -| [iam](variables.tf#L79) | Custom IAM settings in role => [principal] format. | map(list(string)) | | {} | -| [kms_service_agents](variables.tf#L85) | KMS IAM configuration in as service => [key]. | map(list(string)) | | {} | -| [labels](variables.tf#L91) | Labels to be assigned at project level. | map(string) | | {} | -| [org_policies](variables.tf#L97) | Org-policy overrides at project level. | object({…}) | | null | -| [service_accounts](variables.tf#L116) | Service accounts to be created, and roles to assign them. | map(list(string)) | | {} | -| [services](variables.tf#L122) | Services to be enabled for the project. | list(string) | | [] | -| [services_iam](variables.tf#L128) | Custom IAM settings for robot ServiceAccounts in service => [role] format. | map(list(string)) | | {} | -| [vpc](variables.tf#L134) | VPC configuration for the project. 
| object({…}) | | null | +| [defaults](variables.tf#L35) | Project factory default values. | object({…}) | | null | +| [dns_zones](variables.tf#L57) | DNS private zones to create as child of var.defaults.environment_dns_zone. | list(string) | | [] | +| [essential_contacts](variables.tf#L63) | Email contacts to be used for billing and GCP notifications. | list(string) | | [] | +| [group_iam](variables.tf#L74) | Custom IAM settings in group => [role] format. | map(list(string)) | | {} | +| [iam](variables.tf#L80) | Custom IAM settings in role => [principal] format. | map(list(string)) | | {} | +| [kms_service_agents](variables.tf#L86) | KMS IAM configuration in as service => [key]. | map(list(string)) | | {} | +| [labels](variables.tf#L92) | Labels to be assigned at project level. | map(string) | | {} | +| [org_policies](variables.tf#L98) | Org-policy overrides at project level. | object({…}) | | null | +| [prefix](variables.tf#L112) | Prefix used for the project id. | string | | null | +| [service_accounts](variables.tf#L123) | Service accounts to be created, and roles to assign them. | map(list(string)) | | {} | +| [services](variables.tf#L129) | Services to be enabled for the project. | list(string) | | [] | +| [services_iam](variables.tf#L135) | Custom IAM settings for robot ServiceAccounts in service => [role] format. | map(list(string)) | | {} | +| [vpc](variables.tf#L141) | VPC configuration for the project. | object({…}) | | null | ## Outputs | name | description | sensitive | |---|---|:---:| -| [project_id](outputs.tf#L19) | Project ID. | | +| [project](outputs.tf#L19) | The project resource as return by the `project` module | | +| [project_id](outputs.tf#L30) | Project ID. | | diff --git a/examples/factories/project-factory/main.tf b/examples/factories/project-factory/main.tf index c4928371..df449edb 100644 --- a/examples/factories/project-factory/main.tf +++ b/examples/factories/project-factory/main.tf 
@@ -15,15 +15,12 @@ */ locals { - _gke_iam_hsau = try(var.vpc.gke_setup.enable_security_admin, false) ? { - "roles/container.hostServiceAgentUser" = [ - "serviceAccount:${local.service_accounts_robots["container-engine"]}" - ] } : {} - + _gke_iam_hsau = try(var.vpc.gke_setup.enable_host_service_agent, false) ? { + "roles/container.hostServiceAgentUser" = "serviceAccount:${module.project.service_accounts.robots.container-engine}" + } : {} _gke_iam_securityadmin = try(var.vpc.gke_setup.enable_security_admin, false) ? { - "roles/compute.securityAdmin" = [ - "serviceAccount:${local.service_accounts_robots["container-engine"]}" - ] } : {} + "roles/compute.securityAdmin" = "serviceAccount:${module.project.service_accounts.robots.container-engine}" + } : {} _group_iam = { for r in local._group_iam_roles : r => [ for k, v in var.group_iam : "group:${k}" if try(index(v, r), null) != null 
@@ -47,59 +44,41 @@ locals { _services_iam_roles = distinct(flatten(values(var.services_iam))) _services_iam = { for r in local._services_iam_roles : r => [ - for k, v in var.services_iam : "serviceAccount:${local.service_accounts_robots[k]}" if try(index(v, r), null) != null + for k, v in var.services_iam : "serviceAccount:${module.project.service_accounts.robots[k]}" if try(index(v, r), null) != null ] } - billing_account_id = coalesce(var.billing_account_id, var.defaults.billing_account_id) - billing_alert = var.billing_alert == null ? var.defaults.billing_alert : var.billing_alert + billing_account_id = coalesce(var.billing_account_id, try(var.defaults.billing_account_id, "")) + billing_alert = var.billing_alert == null ? try(var.defaults.billing_alert, null) : var.billing_alert essential_contacts = concat(try(var.defaults.essential_contacts, []), var.essential_contacts) + host_project_bindings = merge( + local._gke_iam_hsau, + local._gke_iam_securityadmin + ) iam = { for role in distinct(concat( keys(var.iam), keys(local._group_iam), - keys(local._gke_iam_hsau), - keys(local._gke_iam_securityadmin), keys(local._service_accounts_iam), keys(local._services_iam), )) : role => concat( try(var.iam[role], []), try(local._group_iam[role], []), - try(local._gke_iam_hsau[role], []), - try(local._gke_iam_securityadmin[role], []), try(local._service_accounts_iam[role], []), try(local._services_iam[role], []), ) } - labels = merge(coalesce(var.labels, {}), coalesce(var.defaults.labels, {})) + labels = merge(coalesce(var.labels, {}), coalesce(try(var.defaults.labels, {}), {})) network_user_service_accounts = concat( contains(local.services, "compute.googleapis.com") ? [ - "serviceAccount:${local.service_accounts_robots.compute}" + "serviceAccount:${module.project.service_accounts.robots.compute}" ] : [], contains(local.services, "container.googleapis.com") ? 
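Review bot: `try(var.vpc.gke_setup.enable_host_service_agent, false)` on the new `_gke_iam_hsau` line turns a missing attribute into a silent `false`, so a misspelled attribute name in the `vpc` variable type (declared in variables.tf, outside this diff) or in a caller's tfvars would quietly disable the host-project grant instead of failing the plan. If `gke_setup` is a typed object carrying that attribute, `var.vpc != null && var.vpc.gke_setup != null ? var.vpc.gke_setup.enable_host_service_agent : false` keeps the null guard while letting a wrong name surface as an error. A one-line comment would also help the reader, since these maps are consumed two hunks later as non-authoritative `google_project_iam_member` grants on the host project: `# host-project IAM for the GKE robot; merged into local.host_project_bindings below`. The enclosing `locals` block continues past this hunk.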
[ - "serviceAccount:${local.service_accounts_robots.container-engine}", - "serviceAccount:${local.service_accounts.cloud_services}" + "serviceAccount:${module.project.service_accounts.robots.container-engine}", + "serviceAccount:${module.project.service_accounts.cloud_services}" ] : [], []) - services = distinct(concat(var.services, local._services)) - service_accounts_robots = { - for service, name in local.service_accounts_robot_services : - service => "${service == "bq" ? "bq" : "service"}-${module.project.number}@${name}.iam.gserviceaccount.com" - } - service_accounts_robot_services = { - cloudasset = "gcp-sa-cloudasset" - cloudbuild = "gcp-sa-cloudbuild" - compute = "compute-system" - container-engine = "container-engine-robot" - containerregistry = "containerregistry" - dataflow = "dataflow-service-producer-prod" - dataproc = "dataproc-accounts" - gae-flex = "gae-api-prod" - gcf = "gcf-admin-robot" - pubsub = "gcp-sa-pubsub" - secretmanager = "gcp-sa-secretmanager" - storage = "gs-project-accounts" - } + services = distinct(concat(var.services, local._services)) vpc_host_project = try(var.vpc.host_project, var.defaults.vpc_host_project) vpc_setup = var.vpc != null } @@ -134,6 +113,7 @@ module "project" { source = "../../../modules/project" billing_account = local.billing_account_id name = var.project_id + prefix = var.prefix contacts = { for c in local.essential_contacts : c => ["ALL"] } iam = local.iam labels = local.labels @@ -155,6 +135,7 @@ module "service-accounts" { project_id = module.project.project_id } +# TODO(jccb): we should probably change this to non-authoritative bindings resource "google_compute_subnetwork_iam_binding" "binding" { for_each = local.vpc_setup ? coalesce(var.vpc.subnets_iam, {}) : {} project = local.vpc_host_project 
@@ -163,3 +144,10 @@ resource "google_compute_subnetwork_iam_binding" "binding" { role = "roles/compute.networkUser" members = concat(each.value, local.network_user_service_accounts) } + +resource "google_project_iam_member" "host_project_bindings" { + for_each = local.host_project_bindings + project = local.vpc_host_project + role = each.key + member = each.value +} diff --git a/examples/factories/project-factory/outputs.tf b/examples/factories/project-factory/outputs.tf index 1ee734ed..7504eda5 100644 --- a/examples/factories/project-factory/outputs.tf +++ b/examples/factories/project-factory/outputs.tf @@ -16,7 +16,23 @@ # TODO(): proper outputs +output "project" { + description = "The project resource as return by the `project` module" + value = module.project + + depends_on = [ + google_compute_subnetwork_iam_binding.binding, + google_project_iam_member.host_project_bindings, + module.dns + ] +} + output "project_id" { description = "Project ID." value = module.project.project_id + depends_on = [ + google_compute_subnetwork_iam_binding.binding, + google_project_iam_member.host_project_bindings, + module.dns + ] } diff --git a/examples/factories/project-factory/variables.tf b/examples/factories/project-factory/variables.tf index adae051a..777dce71 100644 --- a/examples/factories/project-factory/variables.tf +++ b/examples/factories/project-factory/variables.tf @@ -51,6 +51,7 @@ variable "defaults" { shared_vpc_self_link = string vpc_host_project = string }) + default = null } variable "dns_zones" { @@ -108,6 +109,12 @@ variable "org_policies" { default = null } +variable "prefix" { + description = "Prefix used for the project id." + type = string + default = null +} + variable "project_id" { description = "Project id." type = string diff --git a/fast/stages/00-bootstrap/terraform.tfvars.sample b/fast/stages/00-bootstrap/terraform.tfvars.sample new file mode 100644 index 00000000..e9b9a90a --- /dev/null +++ b/fast/stages/00-bootstrap/terraform.tfvars.sample 
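Review bot: `google_project_iam_member.host_project_bindings` grants `roles/compute.securityAdmin` (when `enable_security_admin` is set) on the entire Shared VPC host project to the service project's GKE robot, which is far broader than the subnet-scoped `networkUser` grant in the resource above it, yet the new resource carries no comment. Suggest: `# Non-authoritative host-project grants for the GKE robot: hostServiceAgentUser is needed for GKE on Shared VPC; securityAdmin is host-wide (firewall management) and should only be enabled where required`. Because `for_each` is keyed by role, `merge` in `local.host_project_bindings` would silently drop a second member for the same role if a third map is ever added; the two current maps use distinct roles, so this is only a caveat for future edits.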
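Review bot: The description of the new `project` output reads `as return by`; it should be `The project resource as returned by the `project` module` (the README row added in this commit repeats the wording). Exposing the whole `module.project` object also ties every consumer of this factory to the project module's output schema, so if downstream stages need only a few attributes, dedicated outputs are the safer contract. The same three-entry `depends_on` list is duplicated in both outputs without explanation; a comment such as `# outputs become available only after host-project IAM and DNS zones exist` would record why outputs wait on the bindings and `module.dns`.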
@@ -0,0 +1,18 @@ +# use `gcloud beta billing accounts list` +billing_account = { + id = "012345-67890A-BCDEF0" + organization_id = 1234567890 +} + +# use `gcloud organizations list` +organization = { + domain = "example.org" + id = 1234567890 + customer_id = "C000001" +} + +outputs_location = "~/fast-config" + +# use something unique and short +prefix = "abcd" + diff --git a/fast/stages/01-resman/variables.tf b/fast/stages/01-resman/variables.tf index c1d63c86..3570441e 100644 --- a/fast/stages/01-resman/variables.tf +++ b/fast/stages/01-resman/variables.tf @@ -96,7 +96,7 @@ variable "team_folders" { # team-a = { # descriptive_name = "Team A" # group_iam = { - # team-a-group = [roles/owner, roles/projectCreator] + # team-a-group@example.com = ["roles/owner", "roles/resourcemanager.projectCreator"] # } # impersonation_groups = ["team-a-admins@example.com"] # } diff --git a/fast/stages/02-networking-nva/README.md b/fast/stages/02-networking-nva/README.md index 1ffc4d0c..b97d0fe4 100644 --- a/fast/stages/02-networking-nva/README.md +++ b/fast/stages/02-networking-nva/README.md 
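Review bot: `outputs_location = "~/fast-config"` is the only setting in the new sample without a `# use ...` hint, and it is the one with a security consequence: if it behaves like the `outputs_location` documented for the networking stage later in this diff, provider and tfvars files for the following stages are written under that path, so the sample should say so, e.g. `# providers/tfvars for the following stages are written here; keep it outside any repository`. The constructed value `1234567890` is used for both `billing_account.organization_id` and `organization.id`; a note that both must be replaced with the real organization number would prevent a half-edited file from being applied.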
@@ -83,9 +83,51 @@ This is an options summary: Minimizing the number of routes (and subnets) in the cloud environment is important, as it simplifies management and it avoids hitting [Cloud Router](https://cloud.google.com/network-connectivity/docs/router/quotas) and [VPC](https://cloud.google.com/vpc/docs/quota) quotas and limits. For this reason, we recommend to carefully plan the IP space used in your cloud environment. This allows the use of larger IP CIDR blocks in routes, whenever possible. -This stage uses a dedicated /16 block, which should be sized to the own needs. The subnets created in each VPC derive from this range. +This stage uses a dedicated /16 block (10.128.0.0/16), which should be sized to the own needs. The subnets created in each VPC derive from this range. -Spoke VPCs also define and reserve two "special" CIDR ranges dedicated to [PSA (Private Service Access)](https://cloud.google.com/vpc/docs/private-services-access) and [Internal HTTPs Load Balancers (L7ILB)](https://cloud.google.com/load-balancing/docs/l7-internal). +The /16 block is evenly split in eight, smaller /19 blocks, assigned to different areas of the GCP network: *landing untrusted europe-west1*, *landing untrusted europe-west4*, *landing trusted europe-west1*, *landing untrusted europe-west4*, *development europe-west1*, *development europe-west4*, *production europe-west1*, *production europe-west4*. + +The first /24 range in every area is allocated for a default subnet, which can be removed or modified as needed. 
+ +Spoke VPCs also define and reserve three "special" CIDR ranges, derived from the respective /19, dedicated to + +- [PSA (Private Service Access)](https://cloud.google.com/vpc/docs/private-services-access): + + + The second-last /24 range is used for PSA (CloudSQL, Postrgres) + + + The third-last /24 range is used for PSA (CloudSQL, MySQL) + +- [Internal HTTPs Load Balancers (L7ILB)](https://cloud.google.com/load-balancing/docs/l7-internal): + + + The last /24 range + + +This is a summary of the subnets allocated by default in this setup: + +| name | description | CIDR | +|---|---|---| +| landing-trusted-default-ew1 | Trusted landing subnet - europe-west1 | 10.128.64.0/24 | +| landing-trusted-default-ew4 | Trusted landing subnet - europe-west4 | 10.128.96.0/24 | +| landing-untrusted-default-ew1 | Untrusted landing subnet - europe-west1 | 10.128.0.0/24 | +| landing-untrusted-default-ew4 | Untrusted landing subnet - europe-west4 | 10.128.32.0/24 | +| dev-default-ew1 | Dev spoke subnet - europe-west1 | 10.128.128.0/24 | +| dev-default-ew1 (PSA MySQL) | PSA subnet for MySQL in dev spoke - europe-west1 | 10.128.157.0/24 | +| dev-default-ew1 (PSA SQL Server) | PSA subnet for Postgres in dev spoke - europe-west1 | 10.128.158.0/24 | +| dev-default-ew1 (L7 ILB) | L7 ILB subnet for dev spoke - europe-west1 | 10.128.92.0/24 | +| dev-default-ew4 | Dev spoke subnet - europe-west4 | 10.128.160.0/24 | +| dev-default-ew4 (PSA MySQL) | PSA subnet for MySQL in dev spoke - europe-west4 | 10.128.189.0/24 | +| dev-default-ew4 (PSA SQL Server) | PSA subnet for Postgres in dev spoke - europe-west4 | 10.128.190.0/24 | +| dev-default-ew4 (L7 ILB) | L7 ILB subnet for dev spoke - europe-west4 | 10.128.93.0/24 | +| prod-default-ew1 | Prod spoke subnet - europe-west1 | 10.128.192.0/24 | +| prod-default-ew1 (PSA MySQL) | PSA subnet for MySQL in prod spoke - europe-west1 | 10.128.221.0/24 | +| prod-default-ew1 (PSA SQL Server) | PSA subnet for Postgres in prod spoke - europe-west1 | 
10.128.253.0/24 | +| prod-default-ew1 (L7 ILB) | L7 ILB subnet for prod spoke - europe-west1 | 10.128.60.0/24 | +| prod-default-ew4 | Prod spoke subnet - europe-west4 | 10.128.224.0/24 | +| prod-default-ew4 (PSA MySQL) | PSA subnet for MySQL in prod spoke - europe-west4 | 10.128.222.0/24 | +| prod-default-ew4 (PSA SQL Server) | PSA subnet for Postgres in prod spoke - europe-west4 | 10.128.254.0/24 | +| prod-default-ew4 (L7 ILB) | L7 ILB subnet for prod spoke - europe-west4 | 10.128.61.0/24 | + +These subnets are advertised to on-premises as a whole /16 range (10.128.0.0/16). Routes in GCP are either automatically created (for example, when a subnet is added to a VPC), manually created via static routes, dynamically exchanged through VPC peerings, or dynamically programmed by [Cloud Routers](https://cloud.google.com/network-connectivity/docs/router#docs) when a BGP session is established. BGP sessions can be configured to advertise VPC ranges, and/or custom ranges via custom advertisements. 
@@ -328,13 +370,13 @@ Don't forget to add a peering zone in the landing project and point it to the ne | [custom_adv](variables.tf#L23) | Custom advertisement definitions in name => range format. | map(string) | | {…} | | | [data_dir](variables.tf#L45) | Relative path for the folder storing configuration data for network resources. | string | | "data" | | | [dns](variables.tf#L51) | Onprem DNS resolvers | map(list(string)) | | {…} | | -| [l7ilb_subnets](variables.tf#L65) | Subnets used for L7 ILBs. | map(list(object({…}))) | | {…} | | +| [l7ilb_subnets](variables.tf#L65) | Subnets used for L7 ILBs. | map(list(object({…}))) | | {…} | | | [onprem_cidr](variables.tf#L83) | Onprem addresses in name => range format. | map(string) | | {…} | | | [outputs_location](variables.tf#L101) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | | [project_factory_sa](variables.tf#L113) | IAM emails for project factory service accounts | map(string) | | {} | 01-resman | -| [psa_ranges](variables.tf#L120) | IP ranges used for Private Service Access (e.g. CloudSQL). | map(map(string)) | | {…} | | -| [router_configs](variables.tf#L135) | Configurations for CRs and onprem routers. | map(object({…})) | | {…} | | -| [vpn_onprem_configs](variables.tf#L158) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | | +| [psa_ranges](variables.tf#L120) | IP ranges used for Private Service Access (e.g. CloudSQL). | map(map(string)) | | {…} | | +| [router_configs](variables.tf#L139) | Configurations for CRs and onprem routers. | map(object({…})) | | {…} | | +| [vpn_onprem_configs](variables.tf#L162) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | | ## Outputs diff --git a/fast/stages/02-networking-nva/data/subnets/dev/dev-default-ew1.yaml b/fast/stages/02-networking-nva/data/subnets/dev/dev-default-ew1.yaml index 3baaf148..d6e4fcdb 100644 
--- a/fast/stages/02-networking-nva/data/subnets/dev/dev-default-ew1.yaml +++ b/fast/stages/02-networking-nva/data/subnets/dev/dev-default-ew1.yaml @@ -1,5 +1,5 @@ # skip boilerplate check region: europe-west1 -ip_cidr_range: 10.128.128.0/19 +ip_cidr_range: 10.128.128.0/24 description: Default europe-west1 subnet for dev diff --git a/fast/stages/02-networking-nva/data/subnets/dev/dev-default-ew4.yaml b/fast/stages/02-networking-nva/data/subnets/dev/dev-default-ew4.yaml index 38769455..2a070fb5 100644 --- a/fast/stages/02-networking-nva/data/subnets/dev/dev-default-ew4.yaml +++ b/fast/stages/02-networking-nva/data/subnets/dev/dev-default-ew4.yaml @@ -1,5 +1,5 @@ # skip boilerplate check region: europe-west4 -ip_cidr_range: 10.128.160.0/19 +ip_cidr_range: 10.128.160.0/24 description: Default europe-west4 subnet for dev diff --git a/fast/stages/02-networking-nva/data/subnets/landing-trusted/landing-trusted-default-ew1.yaml b/fast/stages/02-networking-nva/data/subnets/landing-trusted/landing-trusted-default-ew1.yaml index 47404523..1a83620c 100644 --- a/fast/stages/02-networking-nva/data/subnets/landing-trusted/landing-trusted-default-ew1.yaml +++ b/fast/stages/02-networking-nva/data/subnets/landing-trusted/landing-trusted-default-ew1.yaml @@ -1,5 +1,5 @@ # skip boilerplate check region: europe-west1 -ip_cidr_range: 10.128.64.0/19 +ip_cidr_range: 10.128.64.0/24 description: Default europe-west1 subnet for landing trusted diff --git a/fast/stages/02-networking-nva/data/subnets/landing-trusted/landing-trusted-default-ew4.yaml b/fast/stages/02-networking-nva/data/subnets/landing-trusted/landing-trusted-default-ew4.yaml index 463066fb..b302fef6 100644 --- a/fast/stages/02-networking-nva/data/subnets/landing-trusted/landing-trusted-default-ew4.yaml +++ b/fast/stages/02-networking-nva/data/subnets/landing-trusted/landing-trusted-default-ew4.yaml 
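Review bot: Changing `ip_cidr_range` from `10.128.128.0/19` to `10.128.128.0/24` shrinks the subnet, and Google Cloud only allows a subnet's primary range to be expanded in place, so on an already-deployed stage Terraform will plan a destroy-and-recreate of this subnet and everything attached to it; the same applies to the other seven subnet files in this diff (dev-default-ew4, the landing-trusted, landing-untrusted and prod files). That is fine for a fresh deployment but deserves a sentence in the stage README or the commit description. A comment tying the value to the allocation scheme, e.g. `# first /24 of the 10.128.128.0/19 dev europe-west1 block (see README "IP space")`, would make the data file self-explanatory.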
@@ -1,5 +1,5 @@ # skip boilerplate check region: europe-west4 -ip_cidr_range: 10.128.96.0/19 +ip_cidr_range: 10.128.96.0/24 description: Default europe-west4 subnet for landing trusted diff --git a/fast/stages/02-networking-nva/data/subnets/landing-untrusted/landing-untrusted-default-ew1.yaml b/fast/stages/02-networking-nva/data/subnets/landing-untrusted/landing-untrusted-default-ew1.yaml index 2758da5f..fae0f2eb 100644 --- a/fast/stages/02-networking-nva/data/subnets/landing-untrusted/landing-untrusted-default-ew1.yaml +++ b/fast/stages/02-networking-nva/data/subnets/landing-untrusted/landing-untrusted-default-ew1.yaml @@ -1,5 +1,5 @@ # skip boilerplate check region: europe-west1 -ip_cidr_range: 10.128.0.0/19 +ip_cidr_range: 10.128.0.0/24 description: Default europe-west1 subnet for landing untrusted diff --git a/fast/stages/02-networking-nva/data/subnets/landing-untrusted/landing-untrusted-default-ew4.yaml b/fast/stages/02-networking-nva/data/subnets/landing-untrusted/landing-untrusted-default-ew4.yaml index 25bad9db..5588d55e 100644 --- a/fast/stages/02-networking-nva/data/subnets/landing-untrusted/landing-untrusted-default-ew4.yaml +++ b/fast/stages/02-networking-nva/data/subnets/landing-untrusted/landing-untrusted-default-ew4.yaml @@ -1,5 +1,5 @@ # skip boilerplate check region: europe-west4 -ip_cidr_range: 10.128.32.0/19 +ip_cidr_range: 10.128.32.0/24 description: Default europe-west4 subnet for landing untrusted diff --git a/fast/stages/02-networking-nva/data/subnets/prod/prod-default-ew1.yaml b/fast/stages/02-networking-nva/data/subnets/prod/prod-default-ew1.yaml index b829cb94..24155840 100644 --- a/fast/stages/02-networking-nva/data/subnets/prod/prod-default-ew1.yaml +++ b/fast/stages/02-networking-nva/data/subnets/prod/prod-default-ew1.yaml @@ -1,5 +1,5 @@ # skip boilerplate check region: europe-west1 -ip_cidr_range: 10.128.192.0/19 +ip_cidr_range: 10.128.192.0/24 description: Default europe-west1 subnet for prod 
diff --git a/fast/stages/02-networking-nva/data/subnets/prod/prod-default-ew4.yaml b/fast/stages/02-networking-nva/data/subnets/prod/prod-default-ew4.yaml index dbd716cd..26260e42 100644 --- a/fast/stages/02-networking-nva/data/subnets/prod/prod-default-ew4.yaml +++ b/fast/stages/02-networking-nva/data/subnets/prod/prod-default-ew4.yaml @@ -1,5 +1,5 @@ # skip boilerplate check region: europe-west4 -ip_cidr_range: 10.128.224.0/19 +ip_cidr_range: 10.128.224.0/24 description: Default europe-west4 subnet for prod diff --git a/fast/stages/02-networking-nva/variables.tf b/fast/stages/02-networking-nva/variables.tf index 355eccf4..0659628d 100644 --- a/fast/stages/02-networking-nva/variables.tf +++ b/fast/stages/02-networking-nva/variables.tf @@ -69,13 +69,13 @@ variable "l7ilb_subnets" { region = string }))) default = { - prod = [ - { ip_cidr_range = "10.128.92.0/24", region = "europe-west1" }, - { ip_cidr_range = "10.128.93.0/24", region = "europe-west4" } - ] dev = [ - { ip_cidr_range = "10.128.60.0/24", region = "europe-west1" }, - { ip_cidr_range = "10.128.61.0/24", region = "europe-west4" } + { ip_cidr_range = "10.128.159.0/24", region = "europe-west1" }, + { ip_cidr_range = "10.128.191.0/24", region = "europe-west4" } + ] + prod = [ + { ip_cidr_range = "10.128.223.0/24", region = "europe-west1" }, + { ip_cidr_range = "10.128.255.0/24", region = "europe-west4" } ] } } 
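Review bot: The new `l7ilb_subnets` defaults (dev `10.128.159.0/24` and `10.128.191.0/24`, prod `10.128.223.0/24` and `10.128.255.0/24`) are the last /24 of each /19 as the README in this diff describes, but the README's subnet table still lists the old values `10.128.92.0/24`, `10.128.93.0/24`, `10.128.60.0/24` and `10.128.61.0/24` for the four L7 ILB rows, so the documentation contradicts the code it was added for. Updating those four rows keeps the table usable as an IP plan. A comment on the default, e.g. `# last /24 of each environment/region /19 block, see README "IP space"`, would document the derivation in code.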
@@ -121,13 +121,17 @@ variable "psa_ranges" { description = "IP ranges used for Private Service Access (e.g. CloudSQL)." type = map(map(string)) default = { - prod = { - cloudsql-mysql = "10.128.94.0/24" - cloudsql-sqlserver = "10.128.95.0/24" - } dev = { - cloudsql-mysql = "10.128.62.0/24" - cloudsql-sqlserver = "10.128.63.0/24" + cloudsql-mysql-ew1 = "10.128.157.0/24" + cloudsql-mysql-ew4 = "10.128.189.0/24" + cloudsql-sqlserver-ew1 = "10.128.158.0/24" + cloudsql-sqlserver-ew4 = "10.128.190.0/24" + } + prod = { + cloudsql-mysql-ew1 = "10.128.221.0/24" + cloudsql-mysql-ew4 = "10.128.253.0/24" + cloudsql-sqlserver-ew1 = "10.128.222.0/24" + cloudsql-sqlserver-ew4 = "10.128.254.0/24" } } } @@ -143,12 +147,12 @@ variable "router_configs" { })) default = { landing-trusted-ew1 = { - asn = "65534" + asn = "64512" adv = null # adv = { default = false, custom = [] } } landing-trusted-ew4 = { - asn = "65534" + asn = "64512" adv = null # adv = { default = false, custom = [] } }
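Review bot: The keys of the new `psa_ranges` default (`cloudsql-sqlserver-*`) disagree with the README added in this diff, which describes the second-last /24 as PSA for Postgres and labels the table rows "PSA SQL Server" with a "Postgres" description; one of the two should be corrected so operators know which engine a range is reserved for. The README table also swaps two prod values, listing `prod-default-ew1 (PSA SQL Server)` as `10.128.253.0/24` and `prod-default-ew4 (PSA MySQL)` as `10.128.222.0/24`, whereas this default assigns `cloudsql-sqlserver-ew1 = "10.128.222.0/24"` and `cloudsql-mysql-ew4 = "10.128.253.0/24"`, which is the one consistent with the third-last/second-last scheme. The defaults themselves look right; a comment such as `# third-last (mysql) and second-last (sqlserver) /24 of each environment/region /19` would pin the scheme in code.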