From fd599ea2862751eaefc4605a39889d46d6eb71ec Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Fri, 11 Feb 2022 00:30:46 +0100
Subject: [PATCH 1/5] Fix renamed argument to project factory module
---
 fast/stages/03-project-factory/prod/main.tf | 36 ++++++++++-----------
 1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/fast/stages/03-project-factory/prod/main.tf b/fast/stages/03-project-factory/prod/main.tf
index a6636b01..52c33675 100644
--- a/fast/stages/03-project-factory/prod/main.tf
+++ b/fast/stages/03-project-factory/prod/main.tf
@@ -33,24 +33,24 @@ locals {
 }
 module "projects" {
- source = "../../../../examples/factories/project-factory"
- for_each = local.projects
- defaults = local.defaults
- project_id = each.key
- billing_account_id = try(each.value.billing_account_id, null)
- billing_alert = try(each.value.billing_alert, null)
- dns_zones = try(each.value.dns_zones, [])
- essential_contacts = try(each.value.essential_contacts, [])
- folder_id = each.value.folder_id
- group_iam = try(each.value.group_iam, {})
- iam = try(each.value.iam, {})
- kms_service_agents = try(each.value.kms, {})
- labels = try(each.value.labels, {})
- org_policies = try(each.value.org_policies, null)
- service_accounts = try(each.value.service_accounts, {})
- services = try(each.value.services, [])
- services_iam = try(each.value.services_iam, {})
- vpc = try(each.value.vpc, null)
+ source = "../../../../examples/factories/project-factory"
+ for_each = local.projects
+ defaults = local.defaults
+ project_id = each.key
+ billing_account_id = try(each.value.billing_account_id, null)
+ billing_alert = try(each.value.billing_alert, null)
+ dns_zones = try(each.value.dns_zones, [])
+ essential_contacts = try(each.value.essential_contacts, [])
+ folder_id = each.value.folder_id
+ group_iam = try(each.value.group_iam, {})
+ iam = try(each.value.iam, {})
+ kms_service_agents = try(each.value.kms, {})
+ labels = try(each.value.labels, {})
+ org_policies = try(each.value.org_policies, null)
+ service_accounts = try(each.value.service_accounts, {})
+ services = try(each.value.services, [])
+ service_identities_iam = try(each.value.services_iam, {})
+ vpc = try(each.value.vpc, null)
 }
From 096dce08e95358c64823568bbee16e544bb61b8d Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Fri, 11 Feb 2022 00:40:58 +0100
Subject: [PATCH 2/5] Use prefix for PF projects
---
 fast/stages/03-project-factory/prod/README.md | 5 +++--
 fast/stages/03-project-factory/prod/main.tf | 1 +
 fast/stages/03-project-factory/prod/variables.tf | 6 ++++++
 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/fast/stages/03-project-factory/prod/README.md b/fast/stages/03-project-factory/prod/README.md
index 9e29742f..7c2d3d68 100644
--- a/fast/stages/03-project-factory/prod/README.md
+++ b/fast/stages/03-project-factory/prod/README.md
@@ -108,11 +108,12 @@ terraform apply
 | name | description | type | required | default | producer |
 |---|---|:---:|:---:|:---:|:---:|
 | [billing_account_id](variables.tf#L19) | Billing account id. | string | ✓ | | 00-bootstrap |
+| [prefix](variables.tf#L44) | Prefix used for resources that need unique names. | string | ✓ | | 00-bootstrap |
 | [data_dir](variables.tf#L25) | Relative path for the folder storing configuration data. | string | | "data/projects" | |
 | [defaults_file](variables.tf#L38) | Relative path for the file storing the project factory configuration. | string | | "data/defaults.yaml" | |
 | [environment_dns_zone](variables.tf#L31) | DNS zone suffix for environment. | string | | null | 02-networking |
-| [shared_vpc_self_link](variables.tf#L44) | Self link for the shared VPC. | string | | null | 02-networking |
-| [vpc_host_project](variables.tf#L51) | Host project for the shared VPC. | string | | null | 02-networking |
+| [shared_vpc_self_link](variables.tf#L50) | Self link for the shared VPC. | string | | null | 02-networking |
+| [vpc_host_project](variables.tf#L57) | Host project for the shared VPC. | string | | null | 02-networking |
 ## Outputs
diff --git a/fast/stages/03-project-factory/prod/main.tf b/fast/stages/03-project-factory/prod/main.tf
index 52c33675..ac562fe9 100644
--- a/fast/stages/03-project-factory/prod/main.tf
+++ b/fast/stages/03-project-factory/prod/main.tf
@@ -47,6 +47,7 @@ module "projects" {
 kms_service_agents = try(each.value.kms, {})
 labels = try(each.value.labels, {})
 org_policies = try(each.value.org_policies, null)
+ prefix = var.prefix
 service_accounts = try(each.value.service_accounts, {})
 services = try(each.value.services, [])
 service_identities_iam = try(each.value.services_iam, {})
diff --git a/fast/stages/03-project-factory/prod/variables.tf b/fast/stages/03-project-factory/prod/variables.tf
index 721a0ca9..2e2b2c95 100644
--- a/fast/stages/03-project-factory/prod/variables.tf
+++ b/fast/stages/03-project-factory/prod/variables.tf
@@ -41,6 +41,12 @@ variable "defaults_file" {
 default = "data/defaults.yaml"
 }
+variable "prefix" {
+ # tfdoc:variable:source 00-bootstrap
+ description = "Prefix used for resources that need unique names."
+ type = string
+}
+
 variable "shared_vpc_self_link" {
 # tfdoc:variable:source 02-networking
 description = "Self link for the shared VPC."
From 53144713aa99932b8cc58484f1fa1e528c0b766e Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Fri, 11 Feb 2022 08:20:33 +0100
Subject: [PATCH 3/5] update bootstrap commands (#536)
---
 fast/stages/00-bootstrap/README.md | 43 ++++++++++++++++++------------
 1 file changed, 26 insertions(+), 17 deletions(-)
diff --git a/fast/stages/00-bootstrap/README.md b/fast/stages/00-bootstrap/README.md
index a9b804e9..52a2e107 100644
--- a/fast/stages/00-bootstrap/README.md
+++ b/fast/stages/00-bootstrap/README.md
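Review bot: Wiring `prefix = var.prefix` into an existing `module "projects"` call is potentially destructive for deployments that already applied this stage, and the commit does not say so. If the factory module folds the prefix into the project id (not visible in this hunk, so confirm in `examples/factories/project-factory`), every project keyed by `each.key` gets a new id, and since a project id cannot change in place Terraform would plan a destroy-and-recreate of the whole project set. A one-line comment on the new argument would warn the next maintainer, e.g. `prefix = var.prefix # baked into project ids: adding or changing it recreates existing projects`, and the stage README should state that the prefix must be set from the first apply. The `module "projects"` block starts and ends outside this hunk.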
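Review bot: The new `variable "prefix"` in variables.tf accepts any string, but a prefix that ends up in project ids is constrained by GCP (lowercase, and the whole id at most 30 characters), so an over-long or upper-case value is only rejected at apply time, after some projects may already have been created. A `validation` block fails at plan time instead; the bound should mirror the one 00-bootstrap applies to its own `prefix` (not visible here, so verify it there before copying a number). The description could also say that the value must be the same one used in 00-bootstrap, which the `tfdoc:variable:source` comment implies but does not state to the person filling in tfvars.
```hcl
variable "prefix" {
  # … unchanged: tfdoc comment, description, type …
  validation {
    # keep this bound in sync with the one enforced on prefix in 00-bootstrap
    condition     = try(length(var.prefix), 0) < 10
    error_message = "Use a maximum of 9 characters for prefix."
  }
}
```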
@@ -55,6 +55,7 @@ For same-organization billing, we configure a custom organization role that can
 For details on configuring the different billing account modes, refer to the [How to run this stage](#how-to-run-this-stage) section below.
 ### Organization-level logging
+
 We create organization-level log sinks early in the bootstrap process to ensure a proper audit trail is in place from the very beginning. By default, we provide log filters to capture [Cloud Audit Logs](https://cloud.google.com/logging/docs/audit) and [VPC Service Controls violations](https://cloud.google.com/vpc-service-controls/docs/troubleshooting#vpc-sc-errors) into a Bigquery dataset in the top-level audit project.
 The [Customizations](#log-sinks-and-log-destinations) section explains how to change the logs captured and their destination.
@@ -100,12 +101,20 @@ The roles that the Organization Admin used in the first `apply` needs to self-gr
 To quickly self-grant the above roles, run the following code snippet as the initial Organization Admin:
 ```bash
-export BOOTSTRAP_ORG_ID=123456
-export BOOTSTRAP_USER=$(gcloud config list --format 'value(core.account)')
-export BOOTSTRAP_ROLES="roles/billing.admin roles/logging.admin roles/iam.organizationRoleAdmin roles/resourcemanager.projectCreator"
-for role in $BOOTSTRAP_ROLES; do
- gcloud organizations add-iam-policy-binding $BOOTSTRAP_ORG_ID \
- --member user:$BOOTSTRAP_USER --role $role
+# set variable for current logged in user
+export FAST_BU=$(gcloud config list --format 'value(core.account)')
+
+# find and set your org id
+gcloud organizations list --filter display_name:$partofyourdomain
+export FAST_ORG_ID=123456
+
+# set needed roles
+export FAST_ROLES="roles/billing.admin roles/logging.admin \
+ roles/iam.organizationRoleAdmin roles/resourcemanager.projectCreator"
+
+for role in $FAST_ROLES; do
+ gcloud organizations add-iam-policy-binding $FAST_ORG_ID \
+ --member user:$FAST_BU --role $role
 done
 ```
@@ -120,11 +129,11 @@ If that's not the case, an equivalent role needs to exist, or the predefined `re
 The identity applying this stage for the first time also needs two roles in billing organization, they can be removed after the first `apply` completes successfully:
 ```bash
-export BILLING_ORG_ID=789012
-export BILLING_ROLES=(roles/billing.admin roles/resourcemanager.organizationAdmin)
-for role in $BILLING_ROLES; do
- gcloud organizations add-iam-policy-binding $BILLING_ORG_ID \
- --member user:$BOOTSTRAP_USER --role $role
+export FAST_BILLING_ORG_ID=789012
+export FAST_ROLES=(roles/billing.admin roles/resourcemanager.organizationAdmin)
+for role in $FAST_ROLES; do
+ gcloud organizations add-iam-policy-binding $FAST_BILLING_ORG_ID \
+ --member user:$FAST_BU --role $role
 done
 ```
@@ -133,9 +142,9 @@ done
 If you are using a standalone billing account, the identity applying this stage for the first time needs to be a billing account administrator:
 ```bash
-export BILLING_ACCOUNT_ID=ABCD-01234-ABCD
-gcloud beta billing accounts add-iam-policy-binding $BILLING_ACCOUNT \
- --member user:$BOOTSTRAP_USER --role roles/billing.admin
+export FAST_BILLING_ACCOUNT_ID=ABCD-01234-ABCD
+gcloud beta billing accounts add-iam-policy-binding $FAST_BILLING_ACCOUNT_ID \
+ --member user:$FAST_BU --role roles/billing.admin
 ```
 #### Groups
@@ -287,10 +296,10 @@ The one exception to this convention is for roles which are part of the delegate
 You can customize organization-level logs through the `log_sinks` variable in two ways:
-* creating additional log sinks to capture more logs
-* changing the destination of captured logs
+- creating additional log sinks to capture more logs
+- changing the destination of captured logs
-By default, all logs are exported to Bigquery, but FAST can create sinks to Cloud Logging Buckets, GCS, or PubSub.
+By default, all logs are exported to Bigquery, but FAST can create sinks to Cloud Logging Buckets, GCS, or PubSub.
 If you need to capture additional logs, please refer to GCP's documentation on [scenarios for exporting logging data](https://cloud.google.com/architecture/exporting-stackdriver-logging-for-security-and-access-analytics), where you can find ready-made filter expressions for different use cases.
From 547ded37b2403b6bbfb8caf73c067516a5f16926 Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Fri, 11 Feb 2022 08:29:46 +0100
Subject: [PATCH 4/5] Update networking folder names to match teams folder
---
 fast/stages/01-resman/branch-networking.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fast/stages/01-resman/branch-networking.tf b/fast/stages/01-resman/branch-networking.tf
index 49203051..bf712c4f 100644
--- a/fast/stages/01-resman/branch-networking.tf
+++ b/fast/stages/01-resman/branch-networking.tf
@@ -62,7 +62,7 @@ module "branch-network-gcs" {
 module "branch-network-prod-folder" {
 source = "../../../modules/folder"
 parent = module.branch-network-folder.id
- name = "prod"
+ name = "Production"
 iam = {
 "roles/compute.xpnAdmin" = [
 module.branch-teams-prod-projectfactory-sa.iam_email
@@ -73,7 +73,7 @@ module "branch-network-prod-folder" {
 module "branch-network-dev-folder" {
 source = "../../../modules/folder"
 parent = module.branch-network-folder.id
- name = "dev"
+ name = "Development"
 iam = {
 "roles/compute.xpnAdmin" = [
 module.branch-teams-dev-projectfactory-sa.iam_email
From a978000e3163b6fb19c64699a8ce889210348e81 Mon Sep 17 00:00:00 2001
From: Simone Ruffilli
Date: Fri, 11 Feb 2022 10:23:57 +0100
Subject: [PATCH 5/5] Renamed vpc-(.*) files to (#538)
---
 fast/stages/02-networking-nva/README.md | 22 +++++++++----------
 .../{vpc-landing.tf => landing.tf} | 0
 .../{vpc-spoke-dev.tf => spoke-dev.tf} | 0
 .../{vpc-spoke-prod.tf => spoke-prod.tf} | 0
 fast/stages/02-networking-vpn/README.md | 12 +++++-----
 .../{vpc-landing.tf => landing.tf} | 0
 .../{vpc-spoke-dev.tf => spoke-dev.tf} | 0
 .../{vpc-spoke-prod.tf => spoke-prod.tf} | 0
 8 files changed, 17 insertions(+), 17 deletions(-)
 rename fast/stages/02-networking-nva/{vpc-landing.tf => landing.tf} (100%)
 rename fast/stages/02-networking-nva/{vpc-spoke-dev.tf => spoke-dev.tf} (100%)
 rename fast/stages/02-networking-nva/{vpc-spoke-prod.tf => spoke-prod.tf} (100%)
 rename fast/stages/02-networking-vpn/{vpc-landing.tf => landing.tf} (100%)
 rename fast/stages/02-networking-vpn/{vpc-spoke-dev.tf => spoke-dev.tf} (100%)
 rename fast/stages/02-networking-vpn/{vpc-spoke-prod.tf => spoke-prod.tf} (100%)
diff --git a/fast/stages/02-networking-nva/README.md b/fast/stages/02-networking-nva/README.md
index b97d0fe4..2ff9056f 100644
--- a/fast/stages/02-networking-nva/README.md
+++ b/fast/stages/02-networking-nva/README.md
@@ -93,14 +93,13 @@ Spoke VPCs also define and reserve three "special" CIDR ranges, derived from the
 - [PSA (Private Service Access)](https://cloud.google.com/vpc/docs/private-services-access):
- + The second-last /24 range is used for PSA (CloudSQL, Postrgres)
+ - The second-last /24 range is used for PSA (CloudSQL, Postrgres)
- + The third-last /24 range is used for PSA (CloudSQL, MySQL)
+ - The third-last /24 range is used for PSA (CloudSQL, MySQL)
 - [Internal HTTPs Load Balancers (L7ILB)](https://cloud.google.com/load-balancing/docs/l7-internal):
- + The last /24 range
-
+ - The last /24 range
 This is a summary of the subnets allocated by default in this setup:
@@ -229,6 +228,7 @@ If you have set a valid value for `outputs_location` in the bootstrap and in the
 ln -s ../../configs/example/02-networking/terraform-bootstrap.auto.tfvars.json
 ln -s ../../configs/example/02-networking/terraform-resman.auto.tfvars.json
 ```
+
 If you want to continue to rely on `outputs_location` logic, create a `terraform.tfvars` file and configure it as described [here](../00-bootstrap/#output-files-and-cross-stage-variables).
 Please, refer to the [variables](#variables) table below for a map of the variable origins, and use the sections below to understand how to adapt this stage to your networking configuration.
@@ -284,7 +284,7 @@ DNS queries sent to the on-premise infrastructure come from the `35.199.192.0/19
 #### On-premises to cloud
-The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in the *trusted landing VPC module* ([`vpc-landing.tf`](./vpc-landing.tf)) automatically reserves the first available IP address on each subnet (typically the third one in a CIDR) to expose the Cloud DNS service, so that it can be consumed from outside of GCP.
+The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in the *trusted landing VPC module* ([`landing.tf`](./landing.tf)) automatically reserves the first available IP address on each subnet (typically the third one in a CIDR) to expose the Cloud DNS service, so that it can be consumed from outside of GCP.
 ### Private Google Access
@@ -296,7 +296,7 @@ For PGA to work:
 Subnets created using the `net-vpc` module are PGA-enabled by default.
 - 199.36.153.4/30 (`restricted.googleapis.com`) and 199.36.153.8/30 (`private.googleapis.com`) should be routed from on-premises to the trusted landing VPC, and from there to the `default-internet-gateway`. \
-The `vpn_onprem_configs` variable contains the ranges advertised from GCP to on-premises. Furthermore, the trusted landing VPC (e.g. see `landing-trusted-vpc` in [`vpc-landing.tf`](./vpc-landing.tf)) has explicit routes to send traffic destined to restricted and private - googleapis.com to the Internet gateway (which works for Google APIs only, and not for the whole Internet, since Cloud NAT is not configured in the trusted landing VPC).
+The `vpn_onprem_configs` variable contains the ranges advertised from GCP to on-premises. Furthermore, the trusted landing VPC (e.g. see `landing-trusted-vpc` in [`landing.tf`](./landing.tf)) has explicit routes to send traffic destined to restricted and private - googleapis.com to the Internet gateway (which works for Google APIs only, and not for the whole Internet, since Cloud NAT is not configured in the trusted landing VPC).
 - On-premises, a private DNS zone for `googleapis.com` should be created and configured per [this article](https://cloud.google.com/vpc/docs/configure-private-google-access-hybrid#config-domain). Its configuration can be copied from the module `googleapis-private-zone` in [`dns.tf`](./dns.tf)
@@ -320,9 +320,9 @@ You're now ready to run `terraform init` and `terraform apply`.
 To create a new environment (e.g. `staging`), a few changes are required:
-Create a `vpc-spoke-staging.tf` file by copying `vpc-spoke-prod.tf` file.
+Create a `spoke-staging.tf` file by copying `spoke-prod.tf` file.
 Adapt the new file by replacing the value "prod" with the value "staging".
-Running `diff vpc-spoke-dev.tf vpc-spoke-prod.tf` can help to see how environment files differ.
+Running `diff spoke-dev.tf spoke-prod.tf` can help to see how environment files differ.
 The new VPC requires a set of dedicated CIDRs, one per region, added to variable `custom_adv` (for example as `spoke_staging_ew1` and `spoke_staging_ew4`).
 >`custom_adv` is a map that "resolves" CIDR names to the actual addresses, and will be used later to configure routing.
@@ -348,15 +348,15 @@ Don't forget to add a peering zone in the landing project and point it to the ne
 | [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | dns | |
 | [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | dns | |
 | [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | dns | |
+| [landing.tf](./landing.tf) | Landing VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | |
 | [main.tf](./main.tf) | Networking folder and hierarchical policy. | folder | |
 | [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | google_monitoring_dashboard |
 | [nva.tf](./nva.tf) | None | compute-mig · compute-vm · net-ilb | |
 | [outputs.tf](./outputs.tf) | Module outputs. | | local_file |
+| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | net-address · net-vpc · net-vpc-firewall · net-vpc-peering · project | |
+| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | net-address · net-vpc · net-vpc-firewall · net-vpc-peering · project | |
 | [test-resources.tf](./test-resources.tf) | temporary instances for testing | compute-vm | |
 | [variables.tf](./variables.tf) | Module variables. | | |
-| [vpc-landing.tf](./vpc-landing.tf) | Landing VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | |
-| [vpc-spoke-dev.tf](./vpc-spoke-dev.tf) | Dev spoke VPC and related resources. | net-address · net-vpc · net-vpc-firewall · net-vpc-peering · project | |
-| [vpc-spoke-prod.tf](./vpc-spoke-prod.tf) | Production spoke VPC and related resources. | net-address · net-vpc · net-vpc-firewall · net-vpc-peering · project | |
 | [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | net-vpn-ha | |
 ## Variables
diff --git a/fast/stages/02-networking-nva/vpc-landing.tf b/fast/stages/02-networking-nva/landing.tf
similarity index 100%
rename from fast/stages/02-networking-nva/vpc-landing.tf
rename to fast/stages/02-networking-nva/landing.tf
diff --git a/fast/stages/02-networking-nva/vpc-spoke-dev.tf b/fast/stages/02-networking-nva/spoke-dev.tf
similarity index 100%
rename from fast/stages/02-networking-nva/vpc-spoke-dev.tf
rename to fast/stages/02-networking-nva/spoke-dev.tf
diff --git a/fast/stages/02-networking-nva/vpc-spoke-prod.tf b/fast/stages/02-networking-nva/spoke-prod.tf
similarity index 100%
rename from fast/stages/02-networking-nva/vpc-spoke-prod.tf
rename to fast/stages/02-networking-nva/spoke-prod.tf
diff --git a/fast/stages/02-networking-vpn/README.md b/fast/stages/02-networking-vpn/README.md
index e6cb4fe4..afab994a 100644
--- a/fast/stages/02-networking-vpn/README.md
+++ b/fast/stages/02-networking-vpn/README.md
@@ -226,7 +226,7 @@ DNS queries sent to the on-premises infrastructure come from the `35.199.192.0/1
 #### On-prem to cloud
-The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in module `landing-vpc` ([`landing.tf`](./vpc-landing.tf)) automatically reserves the first available IP address on each created subnet (typically the third one in a CIDR) to expose the Cloud DNS service so that it can be consumed from outside of GCP.
+The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in module `landing-vpc` ([`landing.tf`](./landing.tf)) automatically reserves the first available IP address on each created subnet (typically the third one in a CIDR) to expose the Cloud DNS service so that it can be consumed from outside of GCP.
 ### Private Google Access
@@ -262,9 +262,9 @@ You're now ready to run `terraform init` and `apply`.
 To create a new environment (e.g. `staging`), a few changes are required.
-Create a `vpc-spoke-staging.tf` file by copying `vpc-spoke-prod.tf` file,
+Create a `spoke-staging.tf` file by copying `spoke-prod.tf` file,
 and adapt the new file by replacing the value "prod" with the value "staging".
-Running `diff vpc-spoke-dev.tf vpc-spoke-prod.tf` can help to see how environment files differ.
+Running `diff spoke-dev.tf spoke-prod.tf` can help to see how environment files differ.
 The new VPC requires a set of dedicated CIDRs, one per region, added to variable `custom_adv` (for example as `spoke_staging_ew1` and `spoke_staging_ew4`).
 >`custom_adv` is a map that "resolves" CIDR names to actual addresses, and will be used later to configure routing.
@@ -292,14 +292,14 @@ DNS configurations are centralised in the `dns.tf` file. Spokes delegate DNS res
 | [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | dns | |
 | [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | dns | |
 | [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | dns | |
+| [landing.tf](./landing.tf) | Landing VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | |
 | [main.tf](./main.tf) | Networking folder and hierarchical policy. | folder | |
 | [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | google_monitoring_dashboard |
 | [outputs.tf](./outputs.tf) | Module outputs. | | local_file |
+| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | net-address · net-cloudnat · net-vpc · net-vpc-firewall · project | google_project_iam_binding |
+| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | net-address · net-cloudnat · net-vpc · net-vpc-firewall · project | google_project_iam_binding |
 | [test-resources.tf](./test-resources.tf) | temporary instances for testing | compute-vm | |
 | [variables.tf](./variables.tf) | Module variables. | | |
-| [vpc-landing.tf](./vpc-landing.tf) | Landing VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | |
-| [vpc-spoke-dev.tf](./vpc-spoke-dev.tf) | Dev spoke VPC and related resources. | net-address · net-cloudnat · net-vpc · net-vpc-firewall · project | google_project_iam_binding |
-| [vpc-spoke-prod.tf](./vpc-spoke-prod.tf) | Production spoke VPC and related resources. | net-address · net-cloudnat · net-vpc · net-vpc-firewall · project | google_project_iam_binding |
 | [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | net-vpn-ha | |
 | [vpn-spoke-dev.tf](./vpn-spoke-dev.tf) | VPN between landing and development spoke. | net-vpn-ha | |
 | [vpn-spoke-prod.tf](./vpn-spoke-prod.tf) | VPN between landing and production spoke. | net-vpn-ha | |
diff --git a/fast/stages/02-networking-vpn/vpc-landing.tf b/fast/stages/02-networking-vpn/landing.tf
similarity index 100%
rename from fast/stages/02-networking-vpn/vpc-landing.tf
rename to fast/stages/02-networking-vpn/landing.tf
diff --git a/fast/stages/02-networking-vpn/vpc-spoke-dev.tf b/fast/stages/02-networking-vpn/spoke-dev.tf
similarity index 100%
rename from fast/stages/02-networking-vpn/vpc-spoke-dev.tf
rename to fast/stages/02-networking-vpn/spoke-dev.tf
diff --git a/fast/stages/02-networking-vpn/vpc-spoke-prod.tf b/fast/stages/02-networking-vpn/spoke-prod.tf
similarity index 100%
rename from fast/stages/02-networking-vpn/vpc-spoke-prod.tf
rename to fast/stages/02-networking-vpn/spoke-prod.tf