Merge branch 'fast-dev-dp' of https://github.com/GoogleCloudPlatform/cloud-foundation-fabric into fast-dev-dp
commit
94d94876a0
|
@ -218,26 +218,28 @@ vpc:
|
||||||
| name | description | type | required | default |
|
| name | description | type | required | default |
|
||||||
|---|---|:---:|:---:|:---:|
|
|---|---|:---:|:---:|:---:|
|
||||||
| [billing_account_id](variables.tf#L17) | Billing account id. | <code>string</code> | ✓ | |
|
| [billing_account_id](variables.tf#L17) | Billing account id. | <code>string</code> | ✓ | |
|
||||||
| [defaults](variables.tf#L35) | Project factory default values. | <code title="object({ billing_account_id = string billing_alert = object({ amount = number thresholds = object({ current = list(number) forecasted = list(number) }) credit_treatment = string }) environment_dns_zone = string essential_contacts = list(string) labels = map(string) notification_channels = list(string) shared_vpc_self_link = string vpc_host_project = string })">object({…})</code> | ✓ | |
|
| [folder_id](variables.tf#L69) | Folder ID for the folder where the project will be created. | <code>string</code> | ✓ | |
|
||||||
| [folder_id](variables.tf#L68) | Folder ID for the folder where the project will be created. | <code>string</code> | ✓ | |
|
| [project_id](variables.tf#L118) | Project id. | <code>string</code> | ✓ | |
|
||||||
| [project_id](variables.tf#L111) | Project id. | <code>string</code> | ✓ | |
|
|
||||||
| [billing_alert](variables.tf#L22) | Billing alert configuration. | <code title="object({ amount = number thresholds = object({ current = list(number) forecasted = list(number) }) credit_treatment = string })">object({…})</code> | | <code>null</code> |
|
| [billing_alert](variables.tf#L22) | Billing alert configuration. | <code title="object({ amount = number thresholds = object({ current = list(number) forecasted = list(number) }) credit_treatment = string })">object({…})</code> | | <code>null</code> |
|
||||||
| [dns_zones](variables.tf#L56) | DNS private zones to create as child of var.defaults.environment_dns_zone. | <code>list(string)</code> | | <code>[]</code> |
|
| [defaults](variables.tf#L35) | Project factory default values. | <code title="object({ billing_account_id = string billing_alert = object({ amount = number thresholds = object({ current = list(number) forecasted = list(number) }) credit_treatment = string }) environment_dns_zone = string essential_contacts = list(string) labels = map(string) notification_channels = list(string) shared_vpc_self_link = string vpc_host_project = string })">object({…})</code> | | <code>null</code> |
|
||||||
| [essential_contacts](variables.tf#L62) | Email contacts to be used for billing and GCP notifications. | <code>list(string)</code> | | <code>[]</code> |
|
| [dns_zones](variables.tf#L57) | DNS private zones to create as child of var.defaults.environment_dns_zone. | <code>list(string)</code> | | <code>[]</code> |
|
||||||
| [group_iam](variables.tf#L73) | Custom IAM settings in group => [role] format. | <code>map(list(string))</code> | | <code>{}</code> |
|
| [essential_contacts](variables.tf#L63) | Email contacts to be used for billing and GCP notifications. | <code>list(string)</code> | | <code>[]</code> |
|
||||||
| [iam](variables.tf#L79) | Custom IAM settings in role => [principal] format. | <code>map(list(string))</code> | | <code>{}</code> |
|
| [group_iam](variables.tf#L74) | Custom IAM settings in group => [role] format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||||
| [kms_service_agents](variables.tf#L85) | KMS IAM configuration in as service => [key]. | <code>map(list(string))</code> | | <code>{}</code> |
|
| [iam](variables.tf#L80) | Custom IAM settings in role => [principal] format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||||
| [labels](variables.tf#L91) | Labels to be assigned at project level. | <code>map(string)</code> | | <code>{}</code> |
|
| [kms_service_agents](variables.tf#L86) | KMS IAM configuration in as service => [key]. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||||
| [org_policies](variables.tf#L97) | Org-policy overrides at project level. | <code title="object({ policy_boolean = map(bool) policy_list = map(object({ inherit_from_parent = bool suggested_value = string status = bool values = list(string) })) })">object({…})</code> | | <code>null</code> |
|
| [labels](variables.tf#L92) | Labels to be assigned at project level. | <code>map(string)</code> | | <code>{}</code> |
|
||||||
| [service_accounts](variables.tf#L116) | Service accounts to be created, and roles to assign them. | <code>map(list(string))</code> | | <code>{}</code> |
|
| [org_policies](variables.tf#L98) | Org-policy overrides at project level. | <code title="object({ policy_boolean = map(bool) policy_list = map(object({ inherit_from_parent = bool suggested_value = string status = bool values = list(string) })) })">object({…})</code> | | <code>null</code> |
|
||||||
| [services](variables.tf#L122) | Services to be enabled for the project. | <code>list(string)</code> | | <code>[]</code> |
|
| [prefix](variables.tf#L112) | Prefix used for the project id. | <code>string</code> | | <code>null</code> |
|
||||||
| [services_iam](variables.tf#L128) | Custom IAM settings for robot ServiceAccounts in service => [role] format. | <code>map(list(string))</code> | | <code>{}</code> |
|
| [service_accounts](variables.tf#L123) | Service accounts to be created, and roles to assign them. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||||
| [vpc](variables.tf#L134) | VPC configuration for the project. | <code title="object({ host_project = string gke_setup = object({ enable_security_admin = bool enable_host_service_agent = bool }) subnets_iam = map(list(string)) })">object({…})</code> | | <code>null</code> |
|
| [services](variables.tf#L129) | Services to be enabled for the project. | <code>list(string)</code> | | <code>[]</code> |
|
||||||
|
| [services_iam](variables.tf#L135) | Custom IAM settings for robot ServiceAccounts in service => [role] format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||||
|
| [vpc](variables.tf#L141) | VPC configuration for the project. | <code title="object({ host_project = string gke_setup = object({ enable_security_admin = bool enable_host_service_agent = bool }) subnets_iam = map(list(string)) })">object({…})</code> | | <code>null</code> |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
| name | description | sensitive |
|
| name | description | sensitive |
|
||||||
|---|---|:---:|
|
|---|---|:---:|
|
||||||
| [project_id](outputs.tf#L19) | Project ID. | |
|
| [project](outputs.tf#L19) | The project resource as return by the `project` module | |
|
||||||
|
| [project_id](outputs.tf#L30) | Project ID. | |
|
||||||
|
|
||||||
<!-- END TFDOC -->
|
<!-- END TFDOC -->
|
||||||
|
|
|
@ -15,15 +15,12 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
locals {
|
locals {
|
||||||
_gke_iam_hsau = try(var.vpc.gke_setup.enable_security_admin, false) ? {
|
_gke_iam_hsau = try(var.vpc.gke_setup.enable_host_service_agent, false) ? {
|
||||||
"roles/container.hostServiceAgentUser" = [
|
"roles/container.hostServiceAgentUser" = "serviceAccount:${module.project.service_accounts.robots.container-engine}"
|
||||||
"serviceAccount:${local.service_accounts_robots["container-engine"]}"
|
} : {}
|
||||||
] } : {}
|
|
||||||
|
|
||||||
_gke_iam_securityadmin = try(var.vpc.gke_setup.enable_security_admin, false) ? {
|
_gke_iam_securityadmin = try(var.vpc.gke_setup.enable_security_admin, false) ? {
|
||||||
"roles/compute.securityAdmin" = [
|
"roles/compute.securityAdmin" = "serviceAccount:${module.project.service_accounts.robots.container-engine}"
|
||||||
"serviceAccount:${local.service_accounts_robots["container-engine"]}"
|
} : {}
|
||||||
] } : {}
|
|
||||||
_group_iam = {
|
_group_iam = {
|
||||||
for r in local._group_iam_roles : r => [
|
for r in local._group_iam_roles : r => [
|
||||||
for k, v in var.group_iam : "group:${k}" if try(index(v, r), null) != null
|
for k, v in var.group_iam : "group:${k}" if try(index(v, r), null) != null
|
||||||
|
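Review bot: `_gke_iam_securityadmin` grants `roles/compute.securityAdmin` on the Shared VPC host project to the service project's GKE robot, and nothing in the hunk records why a project-wide role is needed; that role covers firewall rules and other security-relevant compute resources across the whole host project, not just the subnets this project consumes, so a reader could later widen or copy the pattern without seeing the blast radius. Suggest a comment above the local, e.g. `# project-wide on the host project: lets the GKE robot manage firewall rules itself; leave disabled if firewall rules are managed centrally`. The `locals` block and the `_group_iam` definition continue past the hunk.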
@ -47,59 +44,41 @@ locals {
|
||||||
_services_iam_roles = distinct(flatten(values(var.services_iam)))
|
_services_iam_roles = distinct(flatten(values(var.services_iam)))
|
||||||
_services_iam = {
|
_services_iam = {
|
||||||
for r in local._services_iam_roles : r => [
|
for r in local._services_iam_roles : r => [
|
||||||
for k, v in var.services_iam : "serviceAccount:${local.service_accounts_robots[k]}" if try(index(v, r), null) != null
|
for k, v in var.services_iam : "serviceAccount:${module.project.service_accounts.robots[k]}" if try(index(v, r), null) != null
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
billing_account_id = coalesce(var.billing_account_id, var.defaults.billing_account_id)
|
billing_account_id = coalesce(var.billing_account_id, try(var.defaults.billing_account_id, ""))
|
||||||
billing_alert = var.billing_alert == null ? var.defaults.billing_alert : var.billing_alert
|
billing_alert = var.billing_alert == null ? try(var.defaults.billing_alert, null) : var.billing_alert
|
||||||
essential_contacts = concat(try(var.defaults.essential_contacts, []), var.essential_contacts)
|
essential_contacts = concat(try(var.defaults.essential_contacts, []), var.essential_contacts)
|
||||||
|
host_project_bindings = merge(
|
||||||
|
local._gke_iam_hsau,
|
||||||
|
local._gke_iam_securityadmin
|
||||||
|
)
|
||||||
iam = {
|
iam = {
|
||||||
for role in distinct(concat(
|
for role in distinct(concat(
|
||||||
keys(var.iam),
|
keys(var.iam),
|
||||||
keys(local._group_iam),
|
keys(local._group_iam),
|
||||||
keys(local._gke_iam_hsau),
|
|
||||||
keys(local._gke_iam_securityadmin),
|
|
||||||
keys(local._service_accounts_iam),
|
keys(local._service_accounts_iam),
|
||||||
keys(local._services_iam),
|
keys(local._services_iam),
|
||||||
)) :
|
)) :
|
||||||
role => concat(
|
role => concat(
|
||||||
try(var.iam[role], []),
|
try(var.iam[role], []),
|
||||||
try(local._group_iam[role], []),
|
try(local._group_iam[role], []),
|
||||||
try(local._gke_iam_hsau[role], []),
|
|
||||||
try(local._gke_iam_securityadmin[role], []),
|
|
||||||
try(local._service_accounts_iam[role], []),
|
try(local._service_accounts_iam[role], []),
|
||||||
try(local._services_iam[role], []),
|
try(local._services_iam[role], []),
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
labels = merge(coalesce(var.labels, {}), coalesce(var.defaults.labels, {}))
|
labels = merge(coalesce(var.labels, {}), coalesce(try(var.defaults.labels, {}), {}))
|
||||||
network_user_service_accounts = concat(
|
network_user_service_accounts = concat(
|
||||||
contains(local.services, "compute.googleapis.com") ? [
|
contains(local.services, "compute.googleapis.com") ? [
|
||||||
"serviceAccount:${local.service_accounts_robots.compute}"
|
"serviceAccount:${module.project.service_accounts.robots.compute}"
|
||||||
] : [],
|
] : [],
|
||||||
contains(local.services, "container.googleapis.com") ? [
|
contains(local.services, "container.googleapis.com") ? [
|
||||||
"serviceAccount:${local.service_accounts_robots.container-engine}",
|
"serviceAccount:${module.project.service_accounts.robots.container-engine}",
|
||||||
"serviceAccount:${local.service_accounts.cloud_services}"
|
"serviceAccount:${module.project.service_accounts.cloud_services}"
|
||||||
] : [],
|
] : [],
|
||||||
[])
|
[])
|
||||||
services = distinct(concat(var.services, local._services))
|
services = distinct(concat(var.services, local._services))
|
||||||
service_accounts_robots = {
|
|
||||||
for service, name in local.service_accounts_robot_services :
|
|
||||||
service => "${service == "bq" ? "bq" : "service"}-${module.project.number}@${name}.iam.gserviceaccount.com"
|
|
||||||
}
|
|
||||||
service_accounts_robot_services = {
|
|
||||||
cloudasset = "gcp-sa-cloudasset"
|
|
||||||
cloudbuild = "gcp-sa-cloudbuild"
|
|
||||||
compute = "compute-system"
|
|
||||||
container-engine = "container-engine-robot"
|
|
||||||
containerregistry = "containerregistry"
|
|
||||||
dataflow = "dataflow-service-producer-prod"
|
|
||||||
dataproc = "dataproc-accounts"
|
|
||||||
gae-flex = "gae-api-prod"
|
|
||||||
gcf = "gcf-admin-robot"
|
|
||||||
pubsub = "gcp-sa-pubsub"
|
|
||||||
secretmanager = "gcp-sa-secretmanager"
|
|
||||||
storage = "gs-project-accounts"
|
|
||||||
}
|
|
||||||
vpc_host_project = try(var.vpc.host_project, var.defaults.vpc_host_project)
|
vpc_host_project = try(var.vpc.host_project, var.defaults.vpc_host_project)
|
||||||
vpc_setup = var.vpc != null
|
vpc_setup = var.vpc != null
|
||||||
}
|
}
|
||||||
|
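Review bot: `vpc_host_project = try(var.vpc.host_project, var.defaults.vpc_host_project)` near the end of the hunk still dereferences `var.defaults` without a guard, while this commit makes `defaults` nullable (`default = null` in the variables.tf hunk) and wraps the other `var.defaults.*` reads in `try`; when both `var.vpc` and `var.defaults` are null every branch errors and `try` itself fails. An explicit final fallback, `vpc_host_project = try(var.vpc.host_project, var.defaults.vpc_host_project, null)`, keeps the local evaluable and leaves `vpc_setup` and `host_project_bindings` to gate the resources that use it. Separately, in `labels = merge(coalesce(var.labels, {}), coalesce(try(var.defaults.labels, {}), {}))` the defaults map is the later `merge` argument and so overrides per-project labels on key collisions; if `defaults` is meant only to fill gaps, the two arguments should be swapped. The `locals` block starts before this hunk.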
@ -134,6 +113,7 @@ module "project" {
|
||||||
source = "../../../modules/project"
|
source = "../../../modules/project"
|
||||||
billing_account = local.billing_account_id
|
billing_account = local.billing_account_id
|
||||||
name = var.project_id
|
name = var.project_id
|
||||||
|
prefix = var.prefix
|
||||||
contacts = { for c in local.essential_contacts : c => ["ALL"] }
|
contacts = { for c in local.essential_contacts : c => ["ALL"] }
|
||||||
iam = local.iam
|
iam = local.iam
|
||||||
labels = local.labels
|
labels = local.labels
|
||||||
|
@ -155,6 +135,7 @@ module "service-accounts" {
|
||||||
project_id = module.project.project_id
|
project_id = module.project.project_id
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# TODO(jccb): we should probably change this to non-authoritative bindings
|
||||||
resource "google_compute_subnetwork_iam_binding" "binding" {
|
resource "google_compute_subnetwork_iam_binding" "binding" {
|
||||||
for_each = local.vpc_setup ? coalesce(var.vpc.subnets_iam, {}) : {}
|
for_each = local.vpc_setup ? coalesce(var.vpc.subnets_iam, {}) : {}
|
||||||
project = local.vpc_host_project
|
project = local.vpc_host_project
|
||||||
|
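Review bot: The added TODO on `google_compute_subnetwork_iam_binding.binding` would be more useful if it named the failure mode: `*_iam_binding` is authoritative for the role, so this resource sets the complete `roles/compute.networkUser` member list on each subnet in `var.vpc.subnets_iam`, and any other project or stage that binds the same role on the same host-project subnet (a second instance of this factory, for example) will have its members removed on the next apply, and will remove this project's members in turn. Suggest `# TODO(jccb): switch to google_compute_subnetwork_iam_member — iam_binding is authoritative per role and clobbers networkUser members set by other projects sharing these subnets`. The resource body continues past the hunk.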
@ -163,3 +144,10 @@ resource "google_compute_subnetwork_iam_binding" "binding" {
|
||||||
role = "roles/compute.networkUser"
|
role = "roles/compute.networkUser"
|
||||||
members = concat(each.value, local.network_user_service_accounts)
|
members = concat(each.value, local.network_user_service_accounts)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "google_project_iam_member" "host_project_bindings" {
|
||||||
|
for_each = local.host_project_bindings
|
||||||
|
project = local.vpc_host_project
|
||||||
|
role = each.key
|
||||||
|
member = each.value
|
||||||
|
}
|
||||||
|
|
|
@ -16,7 +16,23 @@
|
||||||
|
|
||||||
# TODO(): proper outputs
|
# TODO(): proper outputs
|
||||||
|
|
||||||
|
output "project" {
|
||||||
|
description = "The project resource as return by the `project` module"
|
||||||
|
value = module.project
|
||||||
|
|
||||||
|
depends_on = [
|
||||||
|
google_compute_subnetwork_iam_binding.binding,
|
||||||
|
google_project_iam_member.host_project_bindings,
|
||||||
|
module.dns
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
output "project_id" {
|
output "project_id" {
|
||||||
description = "Project ID."
|
description = "Project ID."
|
||||||
value = module.project.project_id
|
value = module.project.project_id
|
||||||
|
depends_on = [
|
||||||
|
google_compute_subnetwork_iam_binding.binding,
|
||||||
|
google_project_iam_member.host_project_bindings,
|
||||||
|
module.dns
|
||||||
|
]
|
||||||
}
|
}
|
||||||
|
|
|
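Review bot: The description of the new `output "project"` reads "as return by" and should read "as returned by", i.e. description = "The project resource as returned by the `project` module"; the README row generated from it in this commit carries the same text and would be regenerated by tfdoc. Exporting the whole module object also means every output the project module gains later surfaces here; if any of them is marked sensitive, Terraform will refuse the plan until this output is also marked `sensitive = true`, so exporting the specific attributes consumers need may be preferable. The `# TODO(): proper outputs` context line suggests that is already the intent.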
@ -51,6 +51,7 @@ variable "defaults" {
|
||||||
shared_vpc_self_link = string
|
shared_vpc_self_link = string
|
||||||
vpc_host_project = string
|
vpc_host_project = string
|
||||||
})
|
})
|
||||||
|
default = null
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "dns_zones" {
|
variable "dns_zones" {
|
||||||
|
@ -108,6 +109,12 @@ variable "org_policies" {
|
||||||
default = null
|
default = null
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "prefix" {
|
||||||
|
description = "Prefix used for the project id."
|
||||||
|
type = string
|
||||||
|
default = null
|
||||||
|
}
|
||||||
|
|
||||||
variable "project_id" {
|
variable "project_id" {
|
||||||
description = "Project id."
|
description = "Project id."
|
||||||
type = string
|
type = string
|
||||||
|
|
|
@ -0,0 +1,18 @@
|
||||||
|
# use `gcloud beta billing accounts list`
|
||||||
|
billing_account = {
|
||||||
|
id = "012345-67890A-BCDEF0"
|
||||||
|
organization_id = 1234567890
|
||||||
|
}
|
||||||
|
|
||||||
|
# use `gcloud organizations list`
|
||||||
|
organization = {
|
||||||
|
domain = "example.org"
|
||||||
|
id = 1234567890
|
||||||
|
customer_id = "C000001"
|
||||||
|
}
|
||||||
|
|
||||||
|
outputs_location = "~/fast-config"
|
||||||
|
|
||||||
|
# use something unique and short
|
||||||
|
prefix = "abcd"
|
||||||
|
|
|
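Review bot: `outputs_location = "~/fast-config"` points the stage at a home-directory path where, per this stage's README table in the same commit, providers and tfvars files for the following stages are written, but nothing in the sample marks that directory as generated output rather than source. A comment above the line would help operators handle it accordingly, e.g. `# generated providers/tfvars for later stages are written here; keep it out of version control and readable only by the operator`. What those generated files contain is not visible in this diff, so the exact sensitivity should be confirmed against the stage's output code.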
@ -96,7 +96,7 @@ variable "team_folders" {
|
||||||
# team-a = {
|
# team-a = {
|
||||||
# descriptive_name = "Team A"
|
# descriptive_name = "Team A"
|
||||||
# group_iam = {
|
# group_iam = {
|
||||||
# team-a-group = [roles/owner, roles/projectCreator]
|
# team-a-group@example.com = ["roles/owner", "roles/resourcemanager.projectCreator"]
|
||||||
# }
|
# }
|
||||||
# impersonation_groups = ["team-a-admins@example.com"]
|
# impersonation_groups = ["team-a-admins@example.com"]
|
||||||
# }
|
# }
|
||||||
|
|
|
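Review bot: The rewritten example key `team-a-group@example.com = [...]` under `# group_iam = {` is not valid HCL as written: a bare object key may contain only letters, digits, `_` and `-`, so the `@` and `.` require quoting, `# "team-a-group@example.com" = ["roles/owner", "roles/resourcemanager.projectCreator"]`. Since this comment is what users copy into their tfvars, it is worth making it paste-ready. The example also models folder-level `roles/owner`; if it is meant to illustrate a typical team grant, a narrower role set would avoid readers carrying owner into production. The `variable "team_folders"` block continues outside the hunk.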
@ -83,9 +83,51 @@ This is an options summary:
|
||||||
|
|
||||||
Minimizing the number of routes (and subnets) in the cloud environment is important, as it simplifies management and it avoids hitting [Cloud Router](https://cloud.google.com/network-connectivity/docs/router/quotas) and [VPC](https://cloud.google.com/vpc/docs/quota) quotas and limits. For this reason, we recommend to carefully plan the IP space used in your cloud environment. This allows the use of larger IP CIDR blocks in routes, whenever possible.
|
Minimizing the number of routes (and subnets) in the cloud environment is important, as it simplifies management and it avoids hitting [Cloud Router](https://cloud.google.com/network-connectivity/docs/router/quotas) and [VPC](https://cloud.google.com/vpc/docs/quota) quotas and limits. For this reason, we recommend to carefully plan the IP space used in your cloud environment. This allows the use of larger IP CIDR blocks in routes, whenever possible.
|
||||||
|
|
||||||
This stage uses a dedicated /16 block, which should be sized to the own needs. The subnets created in each VPC derive from this range.
|
This stage uses a dedicated /16 block (10.128.0.0/16), which should be sized to the own needs. The subnets created in each VPC derive from this range.
|
||||||
|
|
||||||
Spoke VPCs also define and reserve two "special" CIDR ranges dedicated to [PSA (Private Service Access)](https://cloud.google.com/vpc/docs/private-services-access) and [Internal HTTPs Load Balancers (L7ILB)](https://cloud.google.com/load-balancing/docs/l7-internal).
|
The /16 block is evenly split in eight, smaller /19 blocks, assigned to different areas of the GCP network: *landing untrusted europe-west1*, *landing untrusted europe-west4*, *landing trusted europe-west1*, *landing untrusted europe-west4*, *development europe-west1*, *development europe-west4*, *production europe-west1*, *production europe-west4*.
|
||||||
|
|
||||||
|
The first /24 range in every area is allocated for a default subnet, which can be removed or modified as needed.
|
||||||
|
|
||||||
|
Spoke VPCs also define and reserve three "special" CIDR ranges, derived from the respective /19, dedicated to
|
||||||
|
|
||||||
|
- [PSA (Private Service Access)](https://cloud.google.com/vpc/docs/private-services-access):
|
||||||
|
|
||||||
|
+ The second-last /24 range is used for PSA (CloudSQL, Postrgres)
|
||||||
|
|
||||||
|
+ The third-last /24 range is used for PSA (CloudSQL, MySQL)
|
||||||
|
|
||||||
|
- [Internal HTTPs Load Balancers (L7ILB)](https://cloud.google.com/load-balancing/docs/l7-internal):
|
||||||
|
|
||||||
|
+ The last /24 range
|
||||||
|
|
||||||
|
|
||||||
|
This is a summary of the subnets allocated by default in this setup:
|
||||||
|
|
||||||
|
| name | description | CIDR |
|
||||||
|
|---|---|---|
|
||||||
|
| landing-trusted-default-ew1 | Trusted landing subnet - europe-west1 | 10.128.64.0/24 |
|
||||||
|
| landing-trusted-default-ew4 | Trusted landing subnet - europe-west4 | 10.128.96.0/24 |
|
||||||
|
| landing-untrusted-default-ew1 | Untrusted landing subnet - europe-west1 | 10.128.0.0/24 |
|
||||||
|
| landing-untrusted-default-ew4 | Untrusted landing subnet - europe-west4 | 10.128.32.0/24 |
|
||||||
|
| dev-default-ew1 | Dev spoke subnet - europe-west1 | 10.128.128.0/24 |
|
||||||
|
| dev-default-ew1 (PSA MySQL) | PSA subnet for MySQL in dev spoke - europe-west1 | 10.128.157.0/24 |
|
||||||
|
| dev-default-ew1 (PSA SQL Server) | PSA subnet for Postgres in dev spoke - europe-west1 | 10.128.158.0/24 |
|
||||||
|
| dev-default-ew1 (L7 ILB) | L7 ILB subnet for dev spoke - europe-west1 | 10.128.92.0/24 |
|
||||||
|
| dev-default-ew4 | Dev spoke subnet - europe-west4 | 10.128.160.0/24 |
|
||||||
|
| dev-default-ew4 (PSA MySQL) | PSA subnet for MySQL in dev spoke - europe-west4 | 10.128.189.0/24 |
|
||||||
|
| dev-default-ew4 (PSA SQL Server) | PSA subnet for Postgres in dev spoke - europe-west4 | 10.128.190.0/24 |
|
||||||
|
| dev-default-ew4 (L7 ILB) | L7 ILB subnet for dev spoke - europe-west4 | 10.128.93.0/24 |
|
||||||
|
| prod-default-ew1 | Prod spoke subnet - europe-west1 | 10.128.192.0/24 |
|
||||||
|
| prod-default-ew1 (PSA MySQL) | PSA subnet for MySQL in prod spoke - europe-west1 | 10.128.221.0/24 |
|
||||||
|
| prod-default-ew1 (PSA SQL Server) | PSA subnet for Postgres in prod spoke - europe-west1 | 10.128.253.0/24 |
|
||||||
|
| prod-default-ew1 (L7 ILB) | L7 ILB subnet for prod spoke - europe-west1 | 10.128.60.0/24 |
|
||||||
|
| prod-default-ew4 | Prod spoke subnet - europe-west4 | 10.128.224.0/24 |
|
||||||
|
| prod-default-ew4 (PSA MySQL) | PSA subnet for MySQL in prod spoke - europe-west4 | 10.128.222.0/24 |
|
||||||
|
| prod-default-ew4 (PSA SQL Server) | PSA subnet for Postgres in prod spoke - europe-west4 | 10.128.254.0/24 |
|
||||||
|
| prod-default-ew4 (L7 ILB) | L7 ILB subnet for prod spoke - europe-west4 | 10.128.61.0/24 |
|
||||||
|
|
||||||
|
These subnets are advertised to on-premises as a whole /16 range (10.128.0.0/16).
|
||||||
|
|
||||||
Routes in GCP are either automatically created (for example, when a subnet is added to a VPC), manually created via static routes, dynamically exchanged through VPC peerings, or dynamically programmed by [Cloud Routers](https://cloud.google.com/network-connectivity/docs/router#docs) when a BGP session is established. BGP sessions can be configured to advertise VPC ranges, and/or custom ranges via custom advertisements.
|
Routes in GCP are either automatically created (for example, when a subnet is added to a VPC), manually created via static routes, dynamically exchanged through VPC peerings, or dynamically programmed by [Cloud Routers](https://cloud.google.com/network-connectivity/docs/router#docs) when a BGP session is established. BGP sessions can be configured to advertise VPC ranges, and/or custom ranges via custom advertisements.
|
||||||
|
|
||||||
|
@ -328,13 +370,13 @@ Don't forget to add a peering zone in the landing project and point it to the ne
|
||||||
| [custom_adv](variables.tf#L23) | Custom advertisement definitions in name => range format. | <code>map(string)</code> | | <code title="{ cloud_dns = "35.199.192.0/19" gcp_all = "10.128.0.0/16" gcp_dev_ew1 = "10.128.128.0/19" gcp_dev_ew4 = "10.128.160.0/19" gcp_landing_trusted_ew1 = "10.128.64.0/19" gcp_landing_trusted_ew4 = "10.128.96.0/19" gcp_landing_untrusted_ew1 = "10.128.0.0/19" gcp_landing_untrusted_ew4 = "10.128.32.0/19" gcp_prod_ew1 = "10.128.192.0/19" gcp_prod_ew4 = "10.128.224.0/19" googleapis_private = "199.36.153.8/30" googleapis_restricted = "199.36.153.4/30" rfc_1918_10 = "10.0.0.0/8" rfc_1918_172 = "172.16.0.0/12" rfc_1918_192 = "192.168.0.0/16" }">{…}</code> | |
|
| [custom_adv](variables.tf#L23) | Custom advertisement definitions in name => range format. | <code>map(string)</code> | | <code title="{ cloud_dns = "35.199.192.0/19" gcp_all = "10.128.0.0/16" gcp_dev_ew1 = "10.128.128.0/19" gcp_dev_ew4 = "10.128.160.0/19" gcp_landing_trusted_ew1 = "10.128.64.0/19" gcp_landing_trusted_ew4 = "10.128.96.0/19" gcp_landing_untrusted_ew1 = "10.128.0.0/19" gcp_landing_untrusted_ew4 = "10.128.32.0/19" gcp_prod_ew1 = "10.128.192.0/19" gcp_prod_ew4 = "10.128.224.0/19" googleapis_private = "199.36.153.8/30" googleapis_restricted = "199.36.153.4/30" rfc_1918_10 = "10.0.0.0/8" rfc_1918_172 = "172.16.0.0/12" rfc_1918_192 = "192.168.0.0/16" }">{…}</code> | |
|
||||||
| [data_dir](variables.tf#L45) | Relative path for the folder storing configuration data for network resources. | <code>string</code> | | <code>"data"</code> | |
|
| [data_dir](variables.tf#L45) | Relative path for the folder storing configuration data for network resources. | <code>string</code> | | <code>"data"</code> | |
|
||||||
| [dns](variables.tf#L51) | Onprem DNS resolvers | <code>map(list(string))</code> | | <code title="{ onprem = ["10.0.200.3"] }">{…}</code> | |
|
| [dns](variables.tf#L51) | Onprem DNS resolvers | <code>map(list(string))</code> | | <code title="{ onprem = ["10.0.200.3"] }">{…}</code> | |
|
||||||
| [l7ilb_subnets](variables.tf#L65) | Subnets used for L7 ILBs. | <code title="map(list(object({ ip_cidr_range = string region = string })))">map(list(object({…})))</code> | | <code title="{ prod = [ { ip_cidr_range = "10.128.92.0/24", region = "europe-west1" }, { ip_cidr_range = "10.128.93.0/24", region = "europe-west4" } ] dev = [ { ip_cidr_range = "10.128.60.0/24", region = "europe-west1" }, { ip_cidr_range = "10.128.61.0/24", region = "europe-west4" } ] }">{…}</code> | |
|
| [l7ilb_subnets](variables.tf#L65) | Subnets used for L7 ILBs. | <code title="map(list(object({ ip_cidr_range = string region = string })))">map(list(object({…})))</code> | | <code title="{ dev = [ { ip_cidr_range = "10.128.159.0/24", region = "europe-west1" }, { ip_cidr_range = "10.128.191.0/24", region = "europe-west4" } ] prod = [ { ip_cidr_range = "10.128.223.0/24", region = "europe-west1" }, { ip_cidr_range = "10.128.255.0/24", region = "europe-west4" } ] }">{…}</code> | |
|
||||||
| [onprem_cidr](variables.tf#L83) | Onprem addresses in name => range format. | <code>map(string)</code> | | <code title="{ main = "10.0.0.0/24" }">{…}</code> | |
|
| [onprem_cidr](variables.tf#L83) | Onprem addresses in name => range format. | <code>map(string)</code> | | <code title="{ main = "10.0.0.0/24" }">{…}</code> | |
|
||||||
| [outputs_location](variables.tf#L101) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
| [outputs_location](variables.tf#L101) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||||
| [project_factory_sa](variables.tf#L113) | IAM emails for project factory service accounts | <code>map(string)</code> | | <code>{}</code> | <code>01-resman</code> |
|
| [project_factory_sa](variables.tf#L113) | IAM emails for project factory service accounts | <code>map(string)</code> | | <code>{}</code> | <code>01-resman</code> |
|
||||||
| [psa_ranges](variables.tf#L120) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code>map(map(string))</code> | | <code title="{ prod = { cloudsql-mysql = "10.128.94.0/24" cloudsql-sqlserver = "10.128.95.0/24" } dev = { cloudsql-mysql = "10.128.62.0/24" cloudsql-sqlserver = "10.128.63.0/24" } }">{…}</code> | |
|
| [psa_ranges](variables.tf#L120) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code>map(map(string))</code> | | <code title="{ dev = { cloudsql-mysql-ew1 = "10.128.157.0/24" cloudsql-mysql-ew4 = "10.128.189.0/24" cloudsql-sqlserver-ew1 = "10.128.158.0/24" cloudsql-sqlserver-ew4 = "10.128.190.0/24" } prod = { cloudsql-mysql-ew1 = "10.128.221.0/24" cloudsql-mysql-ew4 = "10.128.253.0/24" cloudsql-sqlserver-ew1 = "10.128.222.0/24" cloudsql-sqlserver-ew4 = "10.128.254.0/24" } }">{…}</code> | |
|
||||||
| [router_configs](variables.tf#L135) | Configurations for CRs and onprem routers. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-trusted-ew1 = { asn = "65534" adv = null } landing-trusted-ew4 = { asn = "65534" adv = null } }">{…}</code> | |
|
| [router_configs](variables.tf#L139) | Configurations for CRs and onprem routers. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-trusted-ew1 = { asn = "64512" adv = null } landing-trusted-ew4 = { asn = "64512" adv = null } }">{…}</code> | |
|
||||||
| [vpn_onprem_configs](variables.tf#L158) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(object({ id = number ip_address = string })) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-trusted-ew1 = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = [ { id = 0, ip_address = "8.8.8.8" }, ] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } landing-trusted-ew4 = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = [ { id = 0, ip_address = "8.8.8.8" }, ] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
| [vpn_onprem_configs](variables.tf#L162) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(object({ id = number ip_address = string })) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-trusted-ew1 = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = [ { id = 0, ip_address = "8.8.8.8" }, ] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } landing-trusted-ew4 = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = [ { id = 0, ip_address = "8.8.8.8" }, ] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
# skip boilerplate check
# skip boilerplate check
region: europe-west1
region: europe-west1
ip_cidr_range: 10.128.128.0/19
ip_cidr_range: 10.128.128.0/24
description: Default europe-west1 subnet for dev
description: Default europe-west1 subnet for dev
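Review bot: Shrinking `ip_cidr_range` from 10.128.128.0/19 to 10.128.128.0/24 is not an in-place update for a subnet that already exists: as far as I recall the GCP provider only widens a subnet range in place, and a narrower range forces destroy and recreate, which fails while the subnet still has attached resources. That caveat is worth a line in the file for anyone applying this to an already-deployed stage, e.g. `# range narrowed from /19; on an existing deployment this replaces the subnet` right after the `# skip boilerplate check` header. The same /19 to /24 change is repeated in the other subnet files of this commit, so the note applies to each of them.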
@ -1,5 +1,5 @@
# skip boilerplate check
# skip boilerplate check
region: europe-west4
region: europe-west4
ip_cidr_range: 10.128.160.0/19
ip_cidr_range: 10.128.160.0/24
description: Default europe-west4 subnet for dev
description: Default europe-west4 subnet for dev
@ -1,5 +1,5 @@
# skip boilerplate check
# skip boilerplate check
region: europe-west1
region: europe-west1
ip_cidr_range: 10.128.64.0/19
ip_cidr_range: 10.128.64.0/24
description: Default europe-west1 subnet for landing trusted
description: Default europe-west1 subnet for landing trusted
@ -1,5 +1,5 @@
# skip boilerplate check
# skip boilerplate check
region: europe-west4
region: europe-west4
ip_cidr_range: 10.128.96.0/19
ip_cidr_range: 10.128.96.0/24
description: Default europe-west4 subnet for landing trusted
description: Default europe-west4 subnet for landing trusted
@ -1,5 +1,5 @@
# skip boilerplate check
# skip boilerplate check
region: europe-west1
region: europe-west1
ip_cidr_range: 10.128.0.0/19
ip_cidr_range: 10.128.0.0/24
description: Default europe-west1 subnet for landing untrusted
description: Default europe-west1 subnet for landing untrusted
@ -1,5 +1,5 @@
# skip boilerplate check
# skip boilerplate check
region: europe-west4
region: europe-west4
ip_cidr_range: 10.128.32.0/19
ip_cidr_range: 10.128.32.0/24
description: Default europe-west4 subnet for landing untrusted
description: Default europe-west4 subnet for landing untrusted
@ -1,5 +1,5 @@
# skip boilerplate check
# skip boilerplate check
region: europe-west1
region: europe-west1
ip_cidr_range: 10.128.192.0/19
ip_cidr_range: 10.128.192.0/24
description: Default europe-west1 subnet for prod
description: Default europe-west1 subnet for prod
@ -1,5 +1,5 @@
# skip boilerplate check
# skip boilerplate check
region: europe-west4
region: europe-west4
ip_cidr_range: 10.128.224.0/19
ip_cidr_range: 10.128.224.0/24
description: Default europe-west4 subnet for prod
description: Default europe-west4 subnet for prod
@ -69,13 +69,13 @@ variable "l7ilb_subnets" {
region = string
region = string
})))
})))
default = {
default = {
prod = [
{ ip_cidr_range = "10.128.92.0/24", region = "europe-west1" },
{ ip_cidr_range = "10.128.93.0/24", region = "europe-west4" }
]
dev = [
dev = [
{ ip_cidr_range = "10.128.60.0/24", region = "europe-west1" },
{ ip_cidr_range = "10.128.159.0/24", region = "europe-west1" },
{ ip_cidr_range = "10.128.61.0/24", region = "europe-west4" }
{ ip_cidr_range = "10.128.191.0/24", region = "europe-west4" }
]
prod = [
{ ip_cidr_range = "10.128.223.0/24", region = "europe-west1" },
{ ip_cidr_range = "10.128.255.0/24", region = "europe-west4" }
]
]
}
}
}
}
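Review bot: The new dev and prod defaults are bare literals with no record of the allocation scheme they follow; read together with the subnet and `psa_ranges` hunks of this commit they appear to take the last /24 of each environment's former /19 (10.128.159.0/24 and 10.128.191.0/24 for dev, 10.128.223.0/24 and 10.128.255.0/24 for prod), sitting right after the PSA ranges, but nothing in the file says so. A short comment above `default = {`, e.g. `# one proxy-only range per region, taken from the tail of each environment's /19 block; must not overlap the default subnet or psa_ranges`, would let the next person add a region or environment without a collision. The `variable "l7ilb_subnets" {` line itself is outside the hunk.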
@ -121,13 +121,17 @@ variable "psa_ranges" {
description = "IP ranges used for Private Service Access (e.g. CloudSQL)."
description = "IP ranges used for Private Service Access (e.g. CloudSQL)."
type = map(map(string))
type = map(map(string))
default = {
default = {
prod = {
cloudsql-mysql = "10.128.94.0/24"
cloudsql-sqlserver = "10.128.95.0/24"
}
dev = {
dev = {
cloudsql-mysql = "10.128.62.0/24"
cloudsql-mysql-ew1 = "10.128.157.0/24"
cloudsql-sqlserver = "10.128.63.0/24"
cloudsql-mysql-ew4 = "10.128.189.0/24"
cloudsql-sqlserver-ew1 = "10.128.158.0/24"
cloudsql-sqlserver-ew4 = "10.128.190.0/24"
}
prod = {
cloudsql-mysql-ew1 = "10.128.221.0/24"
cloudsql-mysql-ew4 = "10.128.253.0/24"
cloudsql-sqlserver-ew1 = "10.128.222.0/24"
cloudsql-sqlserver-ew4 = "10.128.254.0/24"
}
}
}
}
}
}
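Review bot: The new keys carry a region suffix (`cloudsql-mysql-ew1`, `cloudsql-mysql-ew4`, and the sqlserver pair), but a Private Service Access allocation is attached to the VPC rather than to a region, so unless the consumer of `var.psa_ranges` pins each range to a region elsewhere, the suffix is only a naming hint and a CloudSQL instance in europe-west4 could just as well be served from the `-ew1` range. The description on the first line of the hunk should say what the suffix means, e.g. `description = "IP ranges used for Private Service Access (e.g. CloudSQL). The region suffix records the intended region only; ranges are allocated VPC-wide."`. How the ranges are consumed is not visible here, so this is inferred from the variable alone.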
@ -143,12 +147,12 @@ variable "router_configs" {
}))
}))
default = {
default = {
landing-trusted-ew1 = {
landing-trusted-ew1 = {
asn = "65534"
asn = "64512"
adv = null
adv = null
# adv = { default = false, custom = [] }
# adv = { default = false, custom = [] }
}
}
landing-trusted-ew4 = {
landing-trusted-ew4 = {
asn = "65534"
asn = "64512"
adv = null
adv = null
# adv = { default = false, custom = [] }
# adv = { default = false, custom = [] }
}
}
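Review bot: `asn = "64512"` on both `landing-trusted-ew1` and `landing-trusted-ew4` is an unexplained constant; it only reads correctly next to the `peer_asn = 65534` that the `vpn_onprem_configs` default uses for the on-prem side (the old value collided with it), and that relationship is recorded nowhere in this file. A comment on each entry, `# private ASN for the cloud router; keep different from the on-prem peer_asn in vpn_onprem_configs (65534 by default)`, would stop the two from drifting back to the same value. The same `vpn_onprem_configs` default, as shown in the README row of this commit, also still ships a literal `secret = "foobar"` and peer `ip_address = "8.8.8.8"`; that variable is outside this hunk, but while touching the router defaults it is worth stating in a comment that both sets of defaults are placeholders that every deployment must override. The `default = {` map and the `variable "router_configs"` block continue past the end of the hunk.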