Merge branch 'master' into fast-dev-dp
commit
b98a093722
|
@ -55,6 +55,7 @@ For same-organization billing, we configure a custom organization role that can
|
||||||
For details on configuring the different billing account modes, refer to the [How to run this stage](#how-to-run-this-stage) section below.
|
For details on configuring the different billing account modes, refer to the [How to run this stage](#how-to-run-this-stage) section below.
|
||||||
|
|
||||||
### Organization-level logging
|
### Organization-level logging
|
||||||
|
|
||||||
We create organization-level log sinks early in the bootstrap process to ensure a proper audit trail is in place from the very beginning. By default, we provide log filters to capture [Cloud Audit Logs](https://cloud.google.com/logging/docs/audit) and [VPC Service Controls violations](https://cloud.google.com/vpc-service-controls/docs/troubleshooting#vpc-sc-errors) into a Bigquery dataset in the top-level audit project.
|
We create organization-level log sinks early in the bootstrap process to ensure a proper audit trail is in place from the very beginning. By default, we provide log filters to capture [Cloud Audit Logs](https://cloud.google.com/logging/docs/audit) and [VPC Service Controls violations](https://cloud.google.com/vpc-service-controls/docs/troubleshooting#vpc-sc-errors) into a Bigquery dataset in the top-level audit project.
|
||||||
|
|
||||||
The [Customizations](#log-sinks-and-log-destinations) section explains how to change the logs captured and their destination.
|
The [Customizations](#log-sinks-and-log-destinations) section explains how to change the logs captured and their destination.
|
||||||
|
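Review bot: "Bigquery" in the organization-level logging paragraph should be "BigQuery" (the product name); since this hunk reworks that section, fix the casing while touching it. The rest of the hunk is whitespace-only and reads fine.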
@ -100,12 +101,20 @@ The roles that the Organization Admin used in the first `apply` needs to self-gr
|
||||||
To quickly self-grant the above roles, run the following code snippet as the initial Organization Admin:
|
To quickly self-grant the above roles, run the following code snippet as the initial Organization Admin:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
export BOOTSTRAP_ORG_ID=123456
|
# set variable for current logged in user
|
||||||
export BOOTSTRAP_USER=$(gcloud config list --format 'value(core.account)')
|
export FAST_BU=$(gcloud config list --format 'value(core.account)')
|
||||||
export BOOTSTRAP_ROLES="roles/billing.admin roles/logging.admin roles/iam.organizationRoleAdmin roles/resourcemanager.projectCreator"
|
|
||||||
for role in $BOOTSTRAP_ROLES; do
|
# find and set your org id
|
||||||
gcloud organizations add-iam-policy-binding $BOOTSTRAP_ORG_ID \
|
gcloud organizations list --filter display_name:$partofyourdomain
|
||||||
--member user:$BOOTSTRAP_USER --role $role
|
export FAST_ORG_ID=123456
|
||||||
|
|
||||||
|
# set needed roles
|
||||||
|
export FAST_ROLES="roles/billing.admin roles/logging.admin \
|
||||||
|
roles/iam.organizationRoleAdmin roles/resourcemanager.projectCreator"
|
||||||
|
|
||||||
|
for role in $FAST_ROLES; do
|
||||||
|
gcloud organizations add-iam-policy-binding $FAST_ORG_ID \
|
||||||
|
--member user:$FAST_BU --role $role
|
||||||
done
|
done
|
||||||
```
|
```
|
||||||
|
|
||||||
|
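Review bot: `$partofyourdomain` in `gcloud organizations list --filter display_name:$partofyourdomain` is an unset shell variable, so the filter expands to a bare `display_name:` and the example does not do what the comment promises; use a literal placeholder such as `display_name:EXAMPLE_DOMAIN` and say in the comment that it must be replaced. The same applies to `export FAST_ORG_ID=123456`, which should be marked as a value to take from that listing. Because these four roles are broad (billing admin, organization role admin, logging admin, project creator), the README should also state when they can be removed from the user after bootstrap, as the billing-organization paragraph below already does for its roles.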
@ -120,11 +129,11 @@ If that's not the case, an equivalent role needs to exist, or the predefined `re
|
||||||
The identity applying this stage for the first time also needs two roles in billing organization, they can be removed after the first `apply` completes successfully:
|
The identity applying this stage for the first time also needs two roles in billing organization, they can be removed after the first `apply` completes successfully:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
export BILLING_ORG_ID=789012
|
export FAST_BILLING_ORG_ID=789012
|
||||||
export BILLING_ROLES=(roles/billing.admin roles/resourcemanager.organizationAdmin)
|
export FAST_ROLES=(roles/billing.admin roles/resourcemanager.organizationAdmin)
|
||||||
for role in $BILLING_ROLES; do
|
for role in $FAST_ROLES; do
|
||||||
gcloud organizations add-iam-policy-binding $BILLING_ORG_ID \
|
gcloud organizations add-iam-policy-binding $FAST_BILLING_ORG_ID \
|
||||||
--member user:$BOOTSTRAP_USER --role $role
|
--member user:$FAST_BU --role $role
|
||||||
done
|
done
|
||||||
```
|
```
|
||||||
|
|
||||||
|
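Review bot: `for role in $FAST_ROLES` with `FAST_ROLES` declared as a bash array `(roles/billing.admin roles/resourcemanager.organizationAdmin)` expands only to the first element, so `roles/resourcemanager.organizationAdmin` is never granted and the first `apply` fails; iterate with `for role in "${FAST_ROLES[@]}"; do` or use a space-separated string as the bootstrap snippet does. `export` on an array is also a no-op in bash, and reusing the name `FAST_ROLES` silently overwrites the value set in the previous snippet when both are pasted into the same shell; a distinct name such as `FAST_BILLING_ROLES` would avoid that.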
@ -133,9 +142,9 @@ done
|
||||||
If you are using a standalone billing account, the identity applying this stage for the first time needs to be a billing account administrator:
|
If you are using a standalone billing account, the identity applying this stage for the first time needs to be a billing account administrator:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
export BILLING_ACCOUNT_ID=ABCD-01234-ABCD
|
export FAST_BILLING_ACCOUNT_ID=ABCD-01234-ABCD
|
||||||
gcloud beta billing accounts add-iam-policy-binding $BILLING_ACCOUNT \
|
gcloud beta billing accounts add-iam-policy-binding $FAST_BILLING_ACCOUNT_ID \
|
||||||
--member user:$BOOTSTRAP_USER --role roles/billing.admin
|
--member user:$FAST_BU --role roles/billing.admin
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Groups
|
#### Groups
|
||||||
|
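Review bot: replacing the undefined `$BILLING_ACCOUNT` with `$FAST_BILLING_ACCOUNT_ID` fixes a real defect (the old command expanded to an empty account id), good catch. Consider adding the same sentence the billing-organization paragraph has, stating whether this `roles/billing.admin` binding on the billing account can be removed once the first `apply` completes; as written the binding is left in place indefinitely with nothing telling the reader to revisit it.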
@ -287,10 +296,10 @@ The one exception to this convention is for roles which are part of the delegate
|
||||||
|
|
||||||
You can customize organization-level logs through the `log_sinks` variable in two ways:
|
You can customize organization-level logs through the `log_sinks` variable in two ways:
|
||||||
|
|
||||||
* creating additional log sinks to capture more logs
|
- creating additional log sinks to capture more logs
|
||||||
* changing the destination of captured logs
|
- changing the destination of captured logs
|
||||||
|
|
||||||
By default, all logs are exported to Bigquery, but FAST can create sinks to Cloud Logging Buckets, GCS, or PubSub.
|
By default, all logs are exported to Bigquery, but FAST can create sinks to Cloud Logging Buckets, GCS, or PubSub.
|
||||||
|
|
||||||
If you need to capture additional logs, please refer to GCP's documentation on [scenarios for exporting logging data](https://cloud.google.com/architecture/exporting-stackdriver-logging-for-security-and-access-analytics), where you can find ready-made filter expressions for different use cases.
|
If you need to capture additional logs, please refer to GCP's documentation on [scenarios for exporting logging data](https://cloud.google.com/architecture/exporting-stackdriver-logging-for-security-and-access-analytics), where you can find ready-made filter expressions for different use cases.
|
||||||
|
|
||||||
|
|
|
@ -62,7 +62,7 @@ module "branch-network-gcs" {
|
||||||
module "branch-network-prod-folder" {
|
module "branch-network-prod-folder" {
|
||||||
source = "../../../modules/folder"
|
source = "../../../modules/folder"
|
||||||
parent = module.branch-network-folder.id
|
parent = module.branch-network-folder.id
|
||||||
name = "prod"
|
name = "Production"
|
||||||
iam = {
|
iam = {
|
||||||
"roles/compute.xpnAdmin" = [
|
"roles/compute.xpnAdmin" = [
|
||||||
module.branch-teams-prod-projectfactory-sa.iam_email
|
module.branch-teams-prod-projectfactory-sa.iam_email
|
||||||
|
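Review bot: changing `name` from `prod` to `Production` should be an in-place display-name update on the folder rather than a recreate, which matters because `roles/compute.xpnAdmin` for the project factory service account is bound on it; please confirm the plan shows an update, not a destroy/create. Anything that locates this folder by display name (scripts, stored outputs, other READMEs) needs the new value in the same change, and the `dev` folder rename in the next hunk should use the same capitalisation convention.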
@ -73,7 +73,7 @@ module "branch-network-prod-folder" {
|
||||||
module "branch-network-dev-folder" {
|
module "branch-network-dev-folder" {
|
||||||
source = "../../../modules/folder"
|
source = "../../../modules/folder"
|
||||||
parent = module.branch-network-folder.id
|
parent = module.branch-network-folder.id
|
||||||
name = "dev"
|
name = "Development"
|
||||||
iam = {
|
iam = {
|
||||||
"roles/compute.xpnAdmin" = [
|
"roles/compute.xpnAdmin" = [
|
||||||
module.branch-teams-dev-projectfactory-sa.iam_email
|
module.branch-teams-dev-projectfactory-sa.iam_email
|
||||||
|
|
|
@ -93,14 +93,13 @@ Spoke VPCs also define and reserve three "special" CIDR ranges, derived from the
|
||||||
|
|
||||||
- [PSA (Private Service Access)](https://cloud.google.com/vpc/docs/private-services-access):
|
- [PSA (Private Service Access)](https://cloud.google.com/vpc/docs/private-services-access):
|
||||||
|
|
||||||
+ The second-last /24 range is used for PSA (CloudSQL, Postrgres)
|
- The second-last /24 range is used for PSA (CloudSQL, Postrgres)
|
||||||
|
|
||||||
+ The third-last /24 range is used for PSA (CloudSQL, MySQL)
|
- The third-last /24 range is used for PSA (CloudSQL, MySQL)
|
||||||
|
|
||||||
- [Internal HTTPs Load Balancers (L7ILB)](https://cloud.google.com/load-balancing/docs/l7-internal):
|
- [Internal HTTPs Load Balancers (L7ILB)](https://cloud.google.com/load-balancing/docs/l7-internal):
|
||||||
|
|
||||||
+ The last /24 range
|
- The last /24 range
|
||||||
|
|
||||||
|
|
||||||
This is a summary of the subnets allocated by default in this setup:
|
This is a summary of the subnets allocated by default in this setup:
|
||||||
|
|
||||||
|
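Review bot: "Postrgres" in the PSA line is a typo for "Postgres" and is carried over unchanged; fix it while the bullets are being restyled. Switching the nested items from `+` to `-` is fine, but make sure they keep their indentation under the parent `PSA` and `L7ILB` bullets, otherwise they render as top-level list items and the range allocation reads as six unrelated points.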
@ -229,6 +228,7 @@ If you have set a valid value for `outputs_location` in the bootstrap and in the
|
||||||
ln -s ../../configs/example/02-networking/terraform-bootstrap.auto.tfvars.json
|
ln -s ../../configs/example/02-networking/terraform-bootstrap.auto.tfvars.json
|
||||||
ln -s ../../configs/example/02-networking/terraform-resman.auto.tfvars.json
|
ln -s ../../configs/example/02-networking/terraform-resman.auto.tfvars.json
|
||||||
```
|
```
|
||||||
|
|
||||||
If you want to continue to rely on `outputs_location` logic, create a `terraform.tfvars` file and configure it as described [here](../00-bootstrap/#output-files-and-cross-stage-variables).
|
If you want to continue to rely on `outputs_location` logic, create a `terraform.tfvars` file and configure it as described [here](../00-bootstrap/#output-files-and-cross-stage-variables).
|
||||||
|
|
||||||
Please, refer to the [variables](#variables) table below for a map of the variable origins, and use the sections below to understand how to adapt this stage to your networking configuration.
|
Please, refer to the [variables](#variables) table below for a map of the variable origins, and use the sections below to understand how to adapt this stage to your networking configuration.
|
||||||
|
@ -284,7 +284,7 @@ DNS queries sent to the on-premise infrastructure come from the `35.199.192.0/19
|
||||||
|
|
||||||
#### On-premises to cloud
|
#### On-premises to cloud
|
||||||
|
|
||||||
The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in the *trusted landing VPC module* ([`vpc-landing.tf`](./vpc-landing.tf)) automatically reserves the first available IP address on each subnet (typically the third one in a CIDR) to expose the Cloud DNS service, so that it can be consumed from outside of GCP.
|
The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in the *trusted landing VPC module* ([`landing.tf`](./landing.tf)) automatically reserves the first available IP address on each subnet (typically the third one in a CIDR) to expose the Cloud DNS service, so that it can be consumed from outside of GCP.
|
||||||
|
|
||||||
### Private Google Access
|
### Private Google Access
|
||||||
|
|
||||||
|
@ -296,7 +296,7 @@ For PGA to work:
|
||||||
Subnets created using the `net-vpc` module are PGA-enabled by default.
|
Subnets created using the `net-vpc` module are PGA-enabled by default.
|
||||||
|
|
||||||
- 199.36.153.4/30 (`restricted.googleapis.com`) and 199.36.153.8/30 (`private.googleapis.com`) should be routed from on-premises to the trusted landing VPC, and from there to the `default-internet-gateway`. \
|
- 199.36.153.4/30 (`restricted.googleapis.com`) and 199.36.153.8/30 (`private.googleapis.com`) should be routed from on-premises to the trusted landing VPC, and from there to the `default-internet-gateway`. \
|
||||||
The `vpn_onprem_configs` variable contains the ranges advertised from GCP to on-premises. Furthermore, the trusted landing VPC (e.g. see `landing-trusted-vpc` in [`vpc-landing.tf`](./vpc-landing.tf)) has explicit routes to send traffic destined to restricted and private - googleapis.com to the Internet gateway (which works for Google APIs only, and not for the whole Internet, since Cloud NAT is not configured in the trusted landing VPC).
|
The `vpn_onprem_configs` variable contains the ranges advertised from GCP to on-premises. Furthermore, the trusted landing VPC (e.g. see `landing-trusted-vpc` in [`landing.tf`](./landing.tf)) has explicit routes to send traffic destined to restricted and private - googleapis.com to the Internet gateway (which works for Google APIs only, and not for the whole Internet, since Cloud NAT is not configured in the trusted landing VPC).
|
||||||
|
|
||||||
- On-premises, a private DNS zone for `googleapis.com` should be created and configured per [this article](https://cloud.google.com/vpc/docs/configure-private-google-access-hybrid#config-domain). Its configuration can be copied from the module `googleapis-private-zone` in [`dns.tf`](./dns.tf)
|
- On-premises, a private DNS zone for `googleapis.com` should be created and configured per [this article](https://cloud.google.com/vpc/docs/configure-private-google-access-hybrid#config-domain). Its configuration can be copied from the module `googleapis-private-zone` in [`dns.tf`](./dns.tf)
|
||||||
|
|
||||||
|
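Review bot: "restricted and private - googleapis.com" reads oddly because of the stray hyphen; write `restricted.googleapis.com` and `private.googleapis.com` in full so the sentence matches the two ranges listed in the bullet above it. The only functional change here, the `vpc-landing.tf` link becoming `landing.tf`, matches the rename in the files table.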
@ -320,9 +320,9 @@ You're now ready to run `terraform init` and `terraform apply`.
|
||||||
|
|
||||||
To create a new environment (e.g. `staging`), a few changes are required:
|
To create a new environment (e.g. `staging`), a few changes are required:
|
||||||
|
|
||||||
Create a `vpc-spoke-staging.tf` file by copying `vpc-spoke-prod.tf` file.
|
Create a `spoke-staging.tf` file by copying `spoke-prod.tf` file.
|
||||||
Adapt the new file by replacing the value "prod" with the value "staging".
|
Adapt the new file by replacing the value "prod" with the value "staging".
|
||||||
Running `diff vpc-spoke-dev.tf vpc-spoke-prod.tf` can help to see how environment files differ.
|
Running `diff spoke-dev.tf spoke-prod.tf` can help to see how environment files differ.
|
||||||
|
|
||||||
The new VPC requires a set of dedicated CIDRs, one per region, added to variable `custom_adv` (for example as `spoke_staging_ew1` and `spoke_staging_ew4`).
|
The new VPC requires a set of dedicated CIDRs, one per region, added to variable `custom_adv` (for example as `spoke_staging_ew1` and `spoke_staging_ew4`).
|
||||||
>`custom_adv` is a map that "resolves" CIDR names to the actual addresses, and will be used later to configure routing.
|
>`custom_adv` is a map that "resolves" CIDR names to the actual addresses, and will be used later to configure routing.
|
||||||
|
@ -348,15 +348,15 @@ Don't forget to add a peering zone in the landing project and point it to the ne
|
||||||
| [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | <code>dns</code> | |
|
| [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | <code>dns</code> | |
|
||||||
| [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | <code>dns</code> | |
|
| [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | <code>dns</code> | |
|
||||||
| [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | <code>dns</code> | |
|
| [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | <code>dns</code> | |
|
||||||
|
| [landing.tf](./landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
||||||
| [main.tf](./main.tf) | Networking folder and hierarchical policy. | <code>folder</code> | |
|
| [main.tf](./main.tf) | Networking folder and hierarchical policy. | <code>folder</code> | |
|
||||||
| [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | <code>google_monitoring_dashboard</code> |
|
| [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | <code>google_monitoring_dashboard</code> |
|
||||||
| [nva.tf](./nva.tf) | None | <code>compute-mig</code> · <code>compute-vm</code> · <code>net-ilb</code> | |
|
| [nva.tf](./nva.tf) | None | <code>compute-mig</code> · <code>compute-vm</code> · <code>net-ilb</code> | |
|
||||||
| [outputs.tf](./outputs.tf) | Module outputs. | | <code>local_file</code> |
|
| [outputs.tf](./outputs.tf) | Module outputs. | | <code>local_file</code> |
|
||||||
|
| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | <code>net-address</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>net-vpc-peering</code> · <code>project</code> | |
|
||||||
|
| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | <code>net-address</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>net-vpc-peering</code> · <code>project</code> | |
|
||||||
| [test-resources.tf](./test-resources.tf) | temporary instances for testing | <code>compute-vm</code> | |
|
| [test-resources.tf](./test-resources.tf) | temporary instances for testing | <code>compute-vm</code> | |
|
||||||
| [variables.tf](./variables.tf) | Module variables. | | |
|
| [variables.tf](./variables.tf) | Module variables. | | |
|
||||||
| [vpc-landing.tf](./vpc-landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
|
||||||
| [vpc-spoke-dev.tf](./vpc-spoke-dev.tf) | Dev spoke VPC and related resources. | <code>net-address</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>net-vpc-peering</code> · <code>project</code> | |
|
|
||||||
| [vpc-spoke-prod.tf](./vpc-spoke-prod.tf) | Production spoke VPC and related resources. | <code>net-address</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>net-vpc-peering</code> · <code>project</code> | |
|
|
||||||
| [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | <code>net-vpn-ha</code> | |
|
| [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | <code>net-vpn-ha</code> | |
|
||||||
|
|
||||||
## Variables
|
## Variables
|
||||||
|
|
|
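Review bot: the `nva.tf` row still shows `None` as its description, which means the file lacks the tfdoc file description comment the other files carry; add one (for example "Network Virtual Appliances and their load balancer") so the regenerated table is useful. The new `landing.tf`, `spoke-dev.tf` and `spoke-prod.tf` rows correctly replace the removed `vpc-*` rows; please grep the README prose for any remaining `vpc-landing.tf` or `vpc-spoke-*.tf` links that were not covered by the earlier hunks.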
@ -226,7 +226,7 @@ DNS queries sent to the on-premises infrastructure come from the `35.199.192.0/1
|
||||||
|
|
||||||
#### On-prem to cloud
|
#### On-prem to cloud
|
||||||
|
|
||||||
The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in module `landing-vpc` ([`landing.tf`](./vpc-landing.tf)) automatically reserves the first available IP address on each created subnet (typically the third one in a CIDR) to expose the Cloud DNS service so that it can be consumed from outside of GCP.
|
The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in module `landing-vpc` ([`landing.tf`](./landing.tf)) automatically reserves the first available IP address on each created subnet (typically the third one in a CIDR) to expose the Cloud DNS service so that it can be consumed from outside of GCP.
|
||||||
|
|
||||||
### Private Google Access
|
### Private Google Access
|
||||||
|
|
||||||
|
@ -262,9 +262,9 @@ You're now ready to run `terraform init` and `apply`.
|
||||||
|
|
||||||
To create a new environment (e.g. `staging`), a few changes are required.
|
To create a new environment (e.g. `staging`), a few changes are required.
|
||||||
|
|
||||||
Create a `vpc-spoke-staging.tf` file by copying `vpc-spoke-prod.tf` file,
|
Create a `spoke-staging.tf` file by copying `spoke-prod.tf` file,
|
||||||
and adapt the new file by replacing the value "prod" with the value "staging".
|
and adapt the new file by replacing the value "prod" with the value "staging".
|
||||||
Running `diff vpc-spoke-dev.tf vpc-spoke-prod.tf` can help to see how environment files differ.
|
Running `diff spoke-dev.tf spoke-prod.tf` can help to see how environment files differ.
|
||||||
|
|
||||||
The new VPC requires a set of dedicated CIDRs, one per region, added to variable `custom_adv` (for example as `spoke_staging_ew1` and `spoke_staging_ew4`).
|
The new VPC requires a set of dedicated CIDRs, one per region, added to variable `custom_adv` (for example as `spoke_staging_ew1` and `spoke_staging_ew4`).
|
||||||
>`custom_adv` is a map that "resolves" CIDR names to actual addresses, and will be used later to configure routing.
|
>`custom_adv` is a map that "resolves" CIDR names to actual addresses, and will be used later to configure routing.
|
||||||
|
@ -292,14 +292,14 @@ DNS configurations are centralised in the `dns.tf` file. Spokes delegate DNS res
|
||||||
| [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | <code>dns</code> | |
|
| [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | <code>dns</code> | |
|
||||||
| [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | <code>dns</code> | |
|
| [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | <code>dns</code> | |
|
||||||
| [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | <code>dns</code> | |
|
| [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | <code>dns</code> | |
|
||||||
|
| [landing.tf](./landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
||||||
| [main.tf](./main.tf) | Networking folder and hierarchical policy. | <code>folder</code> | |
|
| [main.tf](./main.tf) | Networking folder and hierarchical policy. | <code>folder</code> | |
|
||||||
| [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | <code>google_monitoring_dashboard</code> |
|
| [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | <code>google_monitoring_dashboard</code> |
|
||||||
| [outputs.tf](./outputs.tf) | Module outputs. | | <code>local_file</code> |
|
| [outputs.tf](./outputs.tf) | Module outputs. | | <code>local_file</code> |
|
||||||
|
| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | <code>net-address</code> · <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | <code>google_project_iam_binding</code> |
|
||||||
|
| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | <code>net-address</code> · <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | <code>google_project_iam_binding</code> |
|
||||||
| [test-resources.tf](./test-resources.tf) | temporary instances for testing | <code>compute-vm</code> | |
|
| [test-resources.tf](./test-resources.tf) | temporary instances for testing | <code>compute-vm</code> | |
|
||||||
| [variables.tf](./variables.tf) | Module variables. | | |
|
| [variables.tf](./variables.tf) | Module variables. | | |
|
||||||
| [vpc-landing.tf](./vpc-landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
|
||||||
| [vpc-spoke-dev.tf](./vpc-spoke-dev.tf) | Dev spoke VPC and related resources. | <code>net-address</code> · <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | <code>google_project_iam_binding</code> |
|
|
||||||
| [vpc-spoke-prod.tf](./vpc-spoke-prod.tf) | Production spoke VPC and related resources. | <code>net-address</code> · <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | <code>google_project_iam_binding</code> |
|
|
||||||
| [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | <code>net-vpn-ha</code> | |
|
| [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | <code>net-vpn-ha</code> | |
|
||||||
| [vpn-spoke-dev.tf](./vpn-spoke-dev.tf) | VPN between landing and development spoke. | <code>net-vpn-ha</code> | |
|
| [vpn-spoke-dev.tf](./vpn-spoke-dev.tf) | VPN between landing and development spoke. | <code>net-vpn-ha</code> | |
|
||||||
| [vpn-spoke-prod.tf](./vpn-spoke-prod.tf) | VPN between landing and production spoke. | <code>net-vpn-ha</code> | |
|
| [vpn-spoke-prod.tf](./vpn-spoke-prod.tf) | VPN between landing and production spoke. | <code>net-vpn-ha</code> | |
|
||||||
|
|
|
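Review bot: the `spoke-dev.tf` and `spoke-prod.tf` rows list `google_project_iam_binding` as a raw resource; that resource is authoritative for the role it manages and will strip any other members holding the same role on the project, so either confirm no out-of-band grants exist for those roles or use an additive binding (`google_project_iam_member`) and say in the file description which roles are managed this way. As in the other table, the `vpc-*` rows are replaced consistently by the renamed files.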
@ -108,11 +108,12 @@ terraform apply
|
||||||
| name | description | type | required | default | producer |
|
| name | description | type | required | default | producer |
|
||||||
|---|---|:---:|:---:|:---:|:---:|
|
|---|---|:---:|:---:|:---:|:---:|
|
||||||
| [billing_account_id](variables.tf#L19) | Billing account id. | <code>string</code> | ✓ | | <code>00-bootstrap</code> |
|
| [billing_account_id](variables.tf#L19) | Billing account id. | <code>string</code> | ✓ | | <code>00-bootstrap</code> |
|
||||||
|
| [prefix](variables.tf#L44) | Prefix used for resources that need unique names. | <code>string</code> | ✓ | | <code>00-bootstrap</code> |
|
||||||
| [data_dir](variables.tf#L25) | Relative path for the folder storing configuration data. | <code>string</code> | | <code>"data/projects"</code> | |
|
| [data_dir](variables.tf#L25) | Relative path for the folder storing configuration data. | <code>string</code> | | <code>"data/projects"</code> | |
|
||||||
| [defaults_file](variables.tf#L38) | Relative path for the file storing the project factory configuration. | <code>string</code> | | <code>"data/defaults.yaml"</code> | |
|
| [defaults_file](variables.tf#L38) | Relative path for the file storing the project factory configuration. | <code>string</code> | | <code>"data/defaults.yaml"</code> | |
|
||||||
| [environment_dns_zone](variables.tf#L31) | DNS zone suffix for environment. | <code>string</code> | | <code>null</code> | <code>02-networking</code> |
|
| [environment_dns_zone](variables.tf#L31) | DNS zone suffix for environment. | <code>string</code> | | <code>null</code> | <code>02-networking</code> |
|
||||||
| [shared_vpc_self_link](variables.tf#L44) | Self link for the shared VPC. | <code>string</code> | | <code>null</code> | <code>02-networking</code> |
|
| [shared_vpc_self_link](variables.tf#L50) | Self link for the shared VPC. | <code>string</code> | | <code>null</code> | <code>02-networking</code> |
|
||||||
| [vpc_host_project](variables.tf#L51) | Host project for the shared VPC. | <code>string</code> | | <code>null</code> | <code>02-networking</code> |
|
| [vpc_host_project](variables.tf#L57) | Host project for the shared VPC. | <code>string</code> | | <code>null</code> | <code>02-networking</code> |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|
|
@ -33,24 +33,25 @@ locals {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "projects" {
|
module "projects" {
|
||||||
source = "../../../../examples/factories/project-factory"
|
source = "../../../../examples/factories/project-factory"
|
||||||
for_each = local.projects
|
for_each = local.projects
|
||||||
defaults = local.defaults
|
defaults = local.defaults
|
||||||
project_id = each.key
|
project_id = each.key
|
||||||
billing_account_id = try(each.value.billing_account_id, null)
|
billing_account_id = try(each.value.billing_account_id, null)
|
||||||
billing_alert = try(each.value.billing_alert, null)
|
billing_alert = try(each.value.billing_alert, null)
|
||||||
dns_zones = try(each.value.dns_zones, [])
|
dns_zones = try(each.value.dns_zones, [])
|
||||||
essential_contacts = try(each.value.essential_contacts, [])
|
essential_contacts = try(each.value.essential_contacts, [])
|
||||||
folder_id = each.value.folder_id
|
folder_id = each.value.folder_id
|
||||||
group_iam = try(each.value.group_iam, {})
|
group_iam = try(each.value.group_iam, {})
|
||||||
iam = try(each.value.iam, {})
|
iam = try(each.value.iam, {})
|
||||||
kms_service_agents = try(each.value.kms, {})
|
kms_service_agents = try(each.value.kms, {})
|
||||||
labels = try(each.value.labels, {})
|
labels = try(each.value.labels, {})
|
||||||
org_policies = try(each.value.org_policies, null)
|
org_policies = try(each.value.org_policies, null)
|
||||||
service_accounts = try(each.value.service_accounts, {})
|
prefix = var.prefix
|
||||||
services = try(each.value.services, [])
|
service_accounts = try(each.value.service_accounts, {})
|
||||||
services_iam = try(each.value.services_iam, {})
|
services = try(each.value.services, [])
|
||||||
vpc = try(each.value.vpc, null)
|
service_identities_iam = try(each.value.services_iam, {})
|
||||||
|
vpc = try(each.value.vpc, null)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
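Review bot: the module argument is renamed to `service_identities_iam` but it still reads the YAML key via `try(each.value.services_iam, {})`; if keeping the old data key is deliberate for backward compatibility, document that mapping in the project factory README, otherwise rename the key too so the two names do not drift apart. `prefix = var.prefix` is passed unconditionally while most other arguments are wrapped in `try()`, which is right for a required stage variable, but it makes input validation on `var.prefix` the only guard against malformed names (see the `variables.tf` hunk).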
@ -41,6 +41,12 @@ variable "defaults_file" {
|
||||||
default = "data/defaults.yaml"
|
default = "data/defaults.yaml"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "prefix" {
|
||||||
|
# tfdoc:variable:source 00-bootstrap
|
||||||
|
description = "Prefix used for resources that need unique names."
|
||||||
|
type = string
|
||||||
|
}
|
||||||
|
|
||||||
variable "shared_vpc_self_link" {
|
variable "shared_vpc_self_link" {
|
||||||
# tfdoc:variable:source 02-networking
|
# tfdoc:variable:source 02-networking
|
||||||
description = "Self link for the shared VPC."
|
description = "Self link for the shared VPC."
|
||||||
|
|
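Review bot: the new `variable "prefix"` block has no `validation` block; since the prefix is concatenated into resource names that must be unique and length-limited (service accounts, buckets), add a validation that bounds its length and character set, and consider `nullable = false` so a missing value in the bootstrap output file fails at plan time instead of producing names starting with `null-`. The `# tfdoc:variable:source 00-bootstrap` annotation matches the producer column added to the variables table, good.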