Small fixes to FAST Networking stage with NVAs (#1273)

* fix issue with test-resources and internet connectivity from spokes * terraform fmt * removed reference to startup-script in README.md
2023-03-23 09:57:01 +01:00 · 2023-03-23 09:57:01 +01:00 · c4c4688adc
parent a4bc9c613a
commit c4c4688adc
4 changed files with 71 additions and 77 deletions
--- a/fast/stages/2-networking-c-nva/README.md
+++ b/fast/stages/2-networking-c-nva/README.md
@ -23,32 +23,41 @@ The final number of subnets, and their IP addressing will depend on the user-spe

 ## Table of contents

- [Design overview and choices](#design-overview-and-choices)
-  - [Multi-regional deployment](#multi-regional-deployment)
-  - [VPC design](#vpc-design)
-  - [External connectivity](#external-connectivity)
-  - [Internal connectivity](#internal-connectivity)
-  - [IP ranges, subnetting, routing](#ip-ranges-subnetting-routing)
-  - [Internet egress](#internet-egress)
-  - [VPC and Hierarchical Firewall](#vpc-and-hierarchical-firewall)
-  - [DNS](#dns)
- [Stage structure and files layout](#stage-structure-and-files-layout)
-  - [VPCs](#vpcs)
-  - [VPNs](#vpns)
-  - [Routing and BGP](#routing-and-bgp)
-  - [Firewall](#firewall)
-  - [DNS architecture](#dns-architecture)
-  - [Private Google Access](#private-google-access)
- [How to run this stage](#how-to-run-this-stage)
-  - [Provider and Terraform variables](#provider-and-terraform-variables)
-  - [Impersonating the automation service account](#impersonating-the-automation-service-account)
-  - [Variable configuration](#variable-configuration)
-  - [Running the stage](#running-the-stage)
-  - [Post-deployment activities](#post-deployment-activities)
- [Customizations](#customizations)
-  - [Changing default regions](#changing-default-regions)
-  - [Configuring the VPNs to on prem](#configuring-the-vpns-to-on-prem)
-  - [Adding an environment](#adding-an-environment)
+- [Networking with Network Virtual Appliance](#networking-with-network-virtual-appliance)
+  - [Table of contents](#table-of-contents)
+  - [Design overview and choices](#design-overview-and-choices)
+    - [Multi-regional deployment](#multi-regional-deployment)
+    - [VPC design](#vpc-design)
+    - [External connectivity](#external-connectivity)
+    - [Internal connectivity](#internal-connectivity)
+    - [IP ranges, subnetting, routing](#ip-ranges-subnetting-routing)
+    - [Internet egress](#internet-egress)
+    - [VPC and Hierarchical Firewall](#vpc-and-hierarchical-firewall)
+    - [DNS](#dns)
+  - [Stage structure and files layout](#stage-structure-and-files-layout)
+    - [VPCs](#vpcs)
+    - [VPNs](#vpns)
+    - [Routing and BGP](#routing-and-bgp)
+    - [Firewall](#firewall)
+    - [DNS architecture](#dns-architecture)
+      - [Cloud environment](#cloud-environment)
+      - [Cloud to on-prem](#cloud-to-on-prem)
+      - [On-prem to cloud](#on-prem-to-cloud)
+  - [How to run this stage](#how-to-run-this-stage)
+    - [Provider and Terraform variables](#provider-and-terraform-variables)
+    - [Impersonating the automation service account](#impersonating-the-automation-service-account)
+    - [Variable configuration](#variable-configuration)
+    - [Using delayed billing association for projects](#using-delayed-billing-association-for-projects)
+    - [Running the stage](#running-the-stage)
+    - [Post-deployment activities](#post-deployment-activities)
+      - [Private Google Access](#private-google-access)
+  - [Customizations](#customizations)
+    - [Changing default regions](#changing-default-regions)
+    - [Configuring the VPNs to on prem](#configuring-the-vpns-to-on-prem)
+    - [Adding an environment](#adding-an-environment)
+  - [Files](#files)
+  - [Variables](#variables)
+  - [Outputs](#outputs)

 ## Design overview and choices

@ -446,8 +455,6 @@ The new VPC requires a set of dedicated CIDRs, one per region, added to variable
 >
 Variables managing L7 Internal Load Balancers (`l7ilb_subnets`) and Private Service Access (`psa_ranges`) should also be adapted, and subnets and firewall rules for the new spoke should be added, as described above.

-Configure the NVAs deployed or update the sample [NVA config file](data/nva-startup-script.tftpl) making sure they support the new subnets.
-
 DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS resolution to Landing through DNS peering, and optionally define a private zone (e.g. `dev.gcp.example.com`) which the landing peers to. To configure DNS for a new environment, copy one of the other environments DNS files [e.g. (dns-dev.tf)](dns-dev.tf) into a new `dns-*.tf` file suffixed with the environment name (e.g. `dns-staging.tf`), and update its content accordingly. Don't forget to add a peering zone from the landing to the newly created environment private zone.

 <!-- TFDOC OPTS files:1 show_extra:1 -->
--- a/fast/stages/2-networking-c-nva/data/nva-startup-script.tftpl
+++ b/fast/stages/2-networking-c-nva/data/nva-startup-script.tftpl
@ -1,30 +0,0 @@
-#!/bin/bash
-
-echo 'Enabling IP forwarding'
-sed '/net.ipv4.ip_forward=1/s/^#//g' -i /etc/sysctl.conf &&
-sysctl -p /etc/sysctl.conf &&
-/etc/init.d/procps restart
-
-echo 'Setting Routes'
-ip route add ${landing-untrusted-other-region} via ${gateway-untrusted} dev ens4
-ip route add ${landing-trusted-other-region} via ${gateway-trusted} dev ens5
-ip route add ${dev-default-ew1-cidr} via ${gateway-trusted} dev ens5
-ip route add ${dev-default-ew4-cidr} via ${gateway-trusted} dev ens5
-ip route add ${prod-default-ew1-cidr} via ${gateway-trusted} dev ens5
-ip route add ${prod-default-ew4-cidr} via ${gateway-trusted} dev ens5
-ip route add ${onprem-main-cidr} via ${gateway-trusted} dev ens5
-
-echo 'Adding PBR rules to answer HCs also from the secondary nic'
-grep -qxF '200 hc' /etc/iproute2/rt_tables || echo '200     hc' >> /etc/iproute2/rt_tables
-ip_addr_ens5=$(ip route ls table local | awk '/ens5 proto 66 scope host/ {print $2}')
-while [ -z $ip_addr_ens5 ]; do
-  echo 'Waiting for networking stack to be ready'
-  sleep 2
-  ip_addr_ens5=$(ip route ls table local | awk '/ens5 proto 66 scope host/ {print $2}')
-done
-ip rule add from $ip_addr_ens5 lookup hc
-ip route add default via ${gateway-trusted} dev ens5 table hc
-
-echo 'Setting NAT masquerade (for Internet connectivity)'
-iptables --append FORWARD --in-interface ens5 -j ACCEPT
-iptables --table nat --append POSTROUTING --out-interface ens4 -j MASQUERADE
--- a/fast/stages/2-networking-c-nva/nva.tf
+++ b/fast/stages/2-networking-c-nva/nva.tf
@ -19,7 +19,8 @@ locals {
  # local.routing_config[0] sets up the first interface, and so on.
  routing_config = [
    {
-      name = "untrusted"
+      name                = "untrusted"
+      enable_masquerading = true
      routes = [
        var.gcp_ranges.gcp_landing_untrusted_primary,
        var.gcp_ranges.gcp_landing_untrusted_secondary,
--- a/fast/stages/2-networking-c-nva/test-resources.tf
+++ b/fast/stages/2-networking-c-nva/test-resources.tf
@ -22,7 +22,7 @@
 #   source     = "../../../modules/compute-vm"
 #   project_id = module.landing-project.project_id
 #   zone       = "${var.regions.primary}-b"
-#   name       = "test-vm-lnd-unt-primary-0"
+#   name       = "test-vm-lnd-unt-pri-0"
 #   network_interfaces = [{
 #     network    = module.landing-untrusted-vpc.self_link
 #     subnetwork = module.landing-untrusted-vpc.subnet_self_links["${var.regions.primary}/landing-untrusted-default-${local.region_shortnames[var.regions.primary]}"]
@ -30,7 +30,9 @@
 #   tags                   = ["primary", "ssh"]
 #   service_account_create = true
 #   boot_disk = {
-#     image = "projects/debian-cloud/global/images/family/debian-10"
+#     initialize_params = {
+#         image = "projects/debian-cloud/global/images/family/debian-10"
+#     }
 #   }
 #   options = {
 #     spot               = true
@ -48,7 +50,7 @@
 #   source     = "../../../modules/compute-vm"
 #   project_id = module.landing-project.project_id
 #   zone       = "${var.regions.secondary}-a"
-#   name       = "test-vm-lnd-unt-secondary-0"
+#   name       = "test-vm-lnd-unt-sec-0"
 #   network_interfaces = [{
 #     network    = module.landing-untrusted-vpc.self_link
 #     subnetwork = module.landing-untrusted-vpc.subnet_self_links["${var.regions.secondary}/landing-untrusted-default-${local.region_shortnames[var.regions.secondary]}"]
@ -56,7 +58,9 @@
 #   tags                   = ["secondary", "ssh"]
 #   service_account_create = true
 #   boot_disk = {
-#     image = "projects/debian-cloud/global/images/family/debian-10"
+#     initialize_params = {
+#         image = "projects/debian-cloud/global/images/family/debian-10"
+#     }
 #   }
 #   options = {
 #     spot               = true
@ -76,7 +80,7 @@
 #   source     = "../../../modules/compute-vm"
 #   project_id = module.landing-project.project_id
 #   zone       = "${var.regions.primary}-b"
-#   name       = "test-vm-lnd-tru-primary-0"
+#   name       = "test-vm-lnd-tru-pri-0"
 #   network_interfaces = [{
 #     network    = module.landing-trusted-vpc.self_link
 #     subnetwork = module.landing-trusted-vpc.subnet_self_links["${var.regions.primary}/landing-trusted-default-${local.region_shortnames[var.regions.primary]}"]
@ -84,7 +88,9 @@
 #   tags                   = ["primary", "ssh"]
 #   service_account_create = true
 #   boot_disk = {
-#     image = "projects/debian-cloud/global/images/family/debian-10"
+#     initialize_params = {
+#         image = "projects/debian-cloud/global/images/family/debian-10"
+#     }
 #   }
 #   options = {
 #     spot               = true
@ -102,7 +108,7 @@
 #   source     = "../../../modules/compute-vm"
 #   project_id = module.landing-project.project_id
 #   zone       = "${var.regions.secondary}-a"
-#   name       = "test-vm-lnd-tru-secondary-0"
+#   name       = "test-vm-lnd-tru-sec-0"
 #   network_interfaces = [{
 #     network    = module.landing-trusted-vpc.self_link
 #     subnetwork = module.landing-trusted-vpc.subnet_self_links["${var.regions.secondary}/landing-trusted-default-${local.region_shortnames[var.regions.secondary]}"]
@ -110,7 +116,9 @@
 #   tags                   = ["secondary", "ssh"]
 #   service_account_create = true
 #   boot_disk = {
-#     image = "projects/debian-cloud/global/images/family/debian-10"
+#     initialize_params = {
+#         image = "projects/debian-cloud/global/images/family/debian-10"
+#     }
 #   }
 #   options = {
 #     spot               = true
@ -130,7 +138,7 @@
 #   source     = "../../../modules/compute-vm"
 #   project_id = module.dev-spoke-project.project_id
 #   zone       = "${var.regions.primary}-b"
-#   name       = "test-vm-dev-primary-0"
+#   name       = "test-vm-dev-pri-0"
 #   network_interfaces = [{
 #     network = module.dev-spoke-vpc.self_link
 #     # change the subnet name to match the values you are actually using
@ -139,7 +147,9 @@
 #   tags                   = ["primary", "ssh"]
 #   service_account_create = true
 #   boot_disk = {
-#     image = "projects/debian-cloud/global/images/family/debian-10"
+#     initialize_params = {
+#         image = "projects/debian-cloud/global/images/family/debian-10"
+#     }
 #   }
 #   options = {
 #     spot               = true
@ -157,7 +167,7 @@
 #   source     = "../../../modules/compute-vm"
 #   project_id = module.dev-spoke-project.project_id
 #   zone       = "${var.regions.secondary}-a"
-#   name       = "test-vm-dev-secondary-0"
+#   name       = "test-vm-dev-sec-0"
 #   network_interfaces = [{
 #     network = module.dev-spoke-vpc.self_link
 #     # change the subnet name to match the values you are actually using
@ -166,7 +176,9 @@
 #   tags                   = ["secondary", "ssh"]
 #   service_account_create = true
 #   boot_disk = {
-#     image = "projects/debian-cloud/global/images/family/debian-10"
+#     initialize_params = {
+#         image = "projects/debian-cloud/global/images/family/debian-10"
+#     }
 #   }
 #   options = {
 #     spot               = true
@ -186,7 +198,7 @@
 #   source     = "../../../modules/compute-vm"
 #   project_id = module.prod-spoke-project.project_id
 #   zone       = "${var.regions.primary}-b"
-#   name       = "test-vm-prod-primary-0"
+#   name       = "test-vm-prod-pri-0"
 #   network_interfaces = [{
 #     network = module.prod-spoke-vpc.self_link
 #     # change the subnet name to match the values you are actually using
@ -195,9 +207,11 @@
 #   tags                   = ["primary", "ssh"]
 #   service_account_create = true
 #   boot_disk = {
-#     image = "projects/debian-cloud/global/images/family/debian-10"
-#     type  = "pd-balanced"
-#     size  = 10
+#     initialize_params = {
+#         image = "projects/debian-cloud/global/images/family/debian-10"
+#         type  = "pd-balanced"
+#         size  = 10
+#     }
 #   }
 #   options = {
 #     spot               = true
@ -215,7 +229,7 @@
 #   source     = "../../../modules/compute-vm"
 #   project_id = module.prod-spoke-project.project_id
 #   zone       = "${var.regions.secondary}-a"
-#   name       = "test-vm-prod-secondary-0"
+#   name       = "test-vm-prod-sec-0"
 #   network_interfaces = [{
 #     network = module.prod-spoke-vpc.self_link
 #     # change the subnet name to match the values you are actually using
@ -224,7 +238,9 @@
 #   tags                   = ["secondary", "ssh"]
 #   service_account_create = true
 #   boot_disk = {
-#     image = "projects/debian-cloud/global/images/family/debian-10"
+#     initialize_params = {
+#         image = "projects/debian-cloud/global/images/family/debian-10"
+#     }
 #   }
 #   options = {
 #     spot               = true