Align documentation, move glb blueprint (#921)

* aling documentation, move glb blueprint * modules README, sort modules * reorder modules * fix bp links * fix moved blueprint test * use a single cloud shell image in the repo
2022-10-26 14:31:04 +02:00 · 2022-10-26 14:31:04 +02:00 · ed9fd6b08d
parent 39f76b3d4c
commit ed9fd6b08d
29 changed files with 224 additions and 148 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -8,6 +8,7 @@ All notable changes to this project will be documented in this file.

 ### BLUEPRINTS

+- [[#915](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/915)] TFE OIDC with GCP WIF blueprint added ([averbuks](https://github.com/averbuks)) <!-- 2022-10-25 19:06:43+00:00 -->
 - [[#899](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/899)] Static routes monitoring metrics added to network dashboard BP ([maunope](https://github.com/maunope)) <!-- 2022-10-25 11:36:39+00:00 -->
 - [[#909](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/909)] GCS2BQ: Move images and templates in sub-folders ([lcaggio](https://github.com/lcaggio)) <!-- 2022-10-25 08:31:25+00:00 -->
 - [[#907](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/907)] Fix CloudSQL blueprint ([lcaggio](https://github.com/lcaggio)) <!-- 2022-10-25 07:08:08+00:00 -->
@ -67,6 +68,8 @@ All notable changes to this project will be documented in this file.

 ### MODULES

+- [[#908](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/908)] GKE module: autopilot fixes ([ludoo](https://github.com/ludoo)) <!-- 2022-10-25 21:33:49+00:00 -->
+- [[#906](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/906)] GKE module: add managed_prometheus to features ([apichick](https://github.com/apichick)) <!-- 2022-10-25 21:18:50+00:00 -->
 - [[#916](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/916)] Add support for DNS routing policies ([juliocc](https://github.com/juliocc)) <!-- 2022-10-25 14:20:53+00:00 -->
 - [[#918](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/918)] Fix race condition in SimpleNVA ([sruffilli](https://github.com/sruffilli)) <!-- 2022-10-25 13:04:38+00:00 -->
 - [[#914](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/914)] **incompatible change:** Update DNS module ([juliocc](https://github.com/juliocc)) <!-- 2022-10-25 10:31:11+00:00 -->
@ -102,6 +105,7 @@ All notable changes to this project will be documented in this file.

 ### TOOLS

+- [[#919](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/919)] Rename workflow names ([juliocc](https://github.com/juliocc)) <!-- 2022-10-25 15:22:51+00:00 -->
 - [[#902](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/902)] Bring back sorted variables check ([juliocc](https://github.com/juliocc)) <!-- 2022-10-20 17:08:17+00:00 -->
 - [[#887](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/887)] Disable parallel execution of tests and plugin cache ([ludoo](https://github.com/ludoo)) <!-- 2022-10-14 17:52:38+00:00 -->
 - [[#886](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/886)] Revert "Improve handling of tf plugin cache in tests" ([ludoo](https://github.com/ludoo)) <!-- 2022-10-14 17:35:31+00:00 -->
--- a/README.md
+++ b/README.md
@ -11,7 +11,7 @@ This repository provides **end-to-end blueprints** and a **suite of Terraform mo

 - organization-wide [landing zone blueprint](fast/) used to bootstrap real-world cloud foundations
 - reference [blueprints](./blueprints/) used to deep dive on network patterns or product features
- a comprehensive source of lean [modules](./modules/dns) that lend themselves well to changes
+- a comprehensive source of lean [modules](./modules/) that lend themselves well to changes

 The whole repository is meant to be cloned as a single unit, and then forked into separate owned repositories to seed production usage, or used as-is and periodically updated as a complete toolkit for prototyping. You can read more on this approach in our [contributing guide](./CONTRIBUTING.md), and a comparison against similar toolkits [here](./FABRIC-AND-CFT.md).

@ -29,16 +29,16 @@ The current list of modules supports most of the core foundational and networkin

 Currently available modules:

- **foundational** - [folder](./modules/folder), [organization](./modules/organization), [project](./modules/project), [service accounts](./modules/iam-service-account), [logging bucket](./modules/logging-bucket), [billing budget](./modules/billing-budget), [projects-data-source](./modules/projects-data-source), [organization-policy](./modules/organization-policy)
- **networking** - [VPC](./modules/net-vpc), [VPC firewall](./modules/net-vpc-firewall), [VPC peering](./modules/net-vpc-peering), [VPN static](./modules/net-vpn-static), [VPN dynamic](./modules/net-vpn-dynamic), [HA VPN](./modules/net-vpn-ha), [NAT](./modules/net-cloudnat), [address reservation](./modules/net-address), [DNS](./modules/dns), [L4 ILB](./modules/net-ilb), [L7 ILB](./modules/net-ilb-l7), [Service Directory](./modules/service-directory), [Cloud Endpoints](./modules/endpoints)
- **compute** - [VM/VM group](./modules/compute-vm), [MIG](./modules/compute-mig), [GKE cluster](./modules/gke-cluster), [GKE nodepool](./modules/gke-nodepool), [GKE hub](./modules/gke-hub), [COS container](./modules/cloud-config-container/cos-generic-metadata/) (coredns, mysql, onprem, squid)
- **data** - [GCS](./modules/gcs), [BigQuery dataset](./modules/bigquery-dataset), [Pub/Sub](./modules/pubsub), [Datafusion](./modules/datafusion), [Bigtable instance](./modules/bigtable-instance), [Cloud SQL instance](./modules/cloudsql-instance), [Data Catalog Policy Tag](./modules/data-catalog-policy-tag)
- **development** - [Cloud Source Repository](./modules/source-repository), [Container Registry](./modules/container-registry), [Artifact Registry](./modules/artifact-registry), [Apigee Organization](./modules/apigee-organization), [Apigee X Instance](./modules/apigee-x-instance), [API Gateway](./modules/api-gateway)
- **security** - [KMS](./modules/kms), [SecretManager](./modules/secret-manager), [VPC Service Control](./modules/vpc-sc)
+- **foundational** - [billing budget](./modules/billing-budget), [Cloud Identity group](./modules/cloud-identity-group/), [folder](./modules/folder), [service accounts](./modules/iam-service-account), [logging bucket](./modules/logging-bucket), [organization](./modules/organization), [organization-policy](./modules/organization-policy), [project](./modules/project), [projects-data-source](./modules/projects-data-source)
+- **networking** - [DNS](./modules/dns), [Cloud Endpoints](./modules/endpoints), [address reservation](./modules/net-address), [NAT](./modules/net-cloudnat), [Global Load Balancer (classic)](./modules/net-glb/), [L4 ILB](./modules/net-ilb), [L7 ILB](./modules/net-ilb-l7), [VPC](./modules/net-vpc), [VPC firewall](./modules/net-vpc-firewall), [VPC peering](./modules/net-vpc-peering), [VPN dynamic](./modules/net-vpn-dynamic), [HA VPN](./modules/net-vpn-ha), [VPN static](./modules/net-vpn-static), [Service Directory](./modules/service-directory)
+- **compute** - [VM/VM group](./modules/compute-vm), [MIG](./modules/compute-mig), [COS container](./modules/cloud-config-container/cos-generic-metadata/) (coredns, mysql, onprem, squid), [GKE cluster](./modules/gke-cluster), [GKE hub](./modules/gke-hub), [GKE nodepool](./modules/gke-nodepool)
+- **data** - [BigQuery dataset](./modules/bigquery-dataset), [Bigtable instance](./modules/bigtable-instance), [Cloud SQL instance](./modules/cloudsql-instance), [Data Catalog Policy Tag](./modules/data-catalog-policy-tag), [Datafusion](./modules/datafusion), [GCS](./modules/gcs), [Pub/Sub](./modules/pubsub)
+- **development** - [API Gateway](./modules/api-gateway), [Apigee Organization](./modules/apigee-organization), [Apigee X Instance](./modules/apigee-x-instance), [Artifact Registry](./modules/artifact-registry), [Container Registry](./modules/container-registry), [Cloud Source Repository](./modules/source-repository)
+- **security** - [Binauthz](./modules/binauthz/), [KMS](./modules/kms), [SecretManager](./modules/secret-manager), [VPC Service Control](./modules/vpc-sc)
 - **serverless** - [Cloud Function](./modules/cloud-function), [Cloud Run](./modules/cloud-run)

 For more information and usage examples see each module's README file.

 ## End-to-end blueprints

-The [blueprints](./blueprints/) in this repository are split in several main sections: **[networking blueprints](./blueprints/networking/)** that implement core patterns or features, **[data solutions blueprints](./blueprints/data-solutions/)** that demonstrate how to integrate data services in complete scenarios, **[cloud operations blueprints](./blueprints/cloud-operations/)** that leverage specific products to meet specific operational needs and **[factories](./blueprints/factories/)** that implement resource factories for the repetitive creation of specific resources, and finally **[GKE](./blueprints/gke)** and **[serverless](./blueprints/serverless)** design blueprints.
+The [blueprints](./blueprints/) in this repository are split in several main sections: **[networking blueprints](./blueprints/networking/)** that implement core patterns or features, **[data solutions blueprints](./blueprints/data-solutions/)** that demonstrate how to integrate data services in complete scenarios, **[cloud operations blueprints](./blueprints/cloud-operations/)** that leverage specific products to meet specific operational needs and **[factories](./blueprints/factories/)** that implement resource factories for the repetitive creation of specific resources, and finally **[GKE](./blueprints/gke)**, **[serverless](./blueprints/serverless)**, and **[third-party solutions](./blueprints/third-party-solutions/)** design blueprints.
--- a/blueprints/cloud-operations/glb_and_armor/shell_button.png
+++ b/blueprints/cloud-operations/glb_and_armor/shell_button.png
--- a/blueprints/README.md
+++ b/blueprints/README.md
@ -4,12 +4,12 @@ This section **[networking blueprints](./networking/)** that implement core patt

 Currently available blueprints:

- **cloud operations** - [Resource tracking and remediation via Cloud Asset feeds](./cloud-operations/asset-inventory-feed-remediation), [Granular Cloud DNS IAM via Service Directory](./cloud-operations/dns-fine-grained-iam), [Granular Cloud DNS IAM for Shared VPC](./cloud-operations/dns-shared-vpc), [Compute Engine quota monitoring](./cloud-operations/quota-monitoring), [Scheduled Cloud Asset Inventory Export to Bigquery](./cloud-operations/scheduled-asset-inventory-export-bq), [Packer image builder](./cloud-operations/packer-image-builder), [On-prem SA key management](./cloud-operations/onprem-sa-key-management), [TCP healthcheck for unmanaged GCE instances](./cloud-operations/unmanaged-instances-healthcheck), [HTTP Load Balancer with Cloud Armor](./cloud-operations/glb_and_armor)
- **data solutions** - [GCE/GCS CMEK via centralized Cloud KMS](./data-solutions/cmek-via-centralized-kms/), [Cloud Storage to Bigquery with Cloud Dataflow with least privileges](./data-solutions/gcs-to-bq-with-least-privileges/), [Data Platform Foundations](./data-solutions/data-platform-foundations/), [SQL Server AlwaysOn availability groups blueprint](./data-solutions/sqlserver-alwayson), [Cloud SQL instance with multi-region read replicas](./data-solutions/cloudsql-multiregion/), [Cloud Composer version 2 private instance, supporting Shared VPC and external CMEK key](./data-solutions/composer-2/)
- **factories** - [The why and the how of resource factories](./factories/README.md)
- **GKE** - [GKE multitenant fleet](./gke/multitenant-fleet/), [Shared VPC with GKE support](./networking/shared-vpc-gke/), [Binary Authorization Pipeline](./gke/binauthz/), [Multi-cluster mesh on GKE (fleet API)](./gke/multi-cluster-mesh-gke-fleet-api/)
- **networking** - [hub and spoke via peering](./networking/hub-and-spoke-peering/), [hub and spoke via VPN](./networking/hub-and-spoke-vpn/), [DNS and Google Private Access for on-premises](./networking/onprem-google-access-dns/), [Shared VPC with GKE support](./networking/shared-vpc-gke/), [ILB as next hop](./networking/ilb-next-hop), [Connecting to on-premise services leveraging PSC and hybrid NEGs](./networking/psc-hybrid/), [decentralized firewall](./networking/decentralized-firewall)
- **serverless** - [Multi-region deployments for API Gateway](./serverless/api-gateway/)
- **third party solutions** - [OpenShift cluster on Shared VPC](./third-party-solutions/openshift)
+- **cloud operations** - [Active Directory Federation Services](./cloud-operations/adfs), [Cloud Asset Inventory feeds for resource change tracking and remediation](./cloud-operations/asset-inventory-feed-remediation), [Fine-grained Cloud DNS IAM via Service Directory](./cloud-operations/dns-fine-grained-iam), [Cloud DNS & Shared VPC design](./cloud-operations/dns-shared-vpc), [Delegated Role Grants](./cloud-operations/iam-delegated-role-grants), [Networking Dashboard](./cloud-operations/network-dashboard), [Managing on-prem service account keys by uploading public keys](./cloud-operations/onprem-sa-key-management), [Compute Image builder with Hashicorp Packer](./cloud-operations/packer-image-builder), [Packer example](./cloud-operations/packer-image-builder/packer), [Compute Engine quota monitoring](./cloud-operations/quota-monitoring), [Scheduled Cloud Asset Inventory Export to Bigquery](./cloud-operations/scheduled-asset-inventory-export-bq), [Configuring workload identity federation for Terraform Cloud/Enterprise workflow](./cloud-operations/terraform-enterprise-wif), [TCP healthcheck and restart for unmanaged GCE instances](./cloud-operations/unmanaged-instances-healthcheck), [Migrate for Compute Engine (v5) blueprints](./cloud-operations/vm-migration), [Configuring workload identity federation to access Google Cloud resources from apps running on Azure](./cloud-operations/workload-identity-federation)
+- **data solutions** - [GCE and GCS CMEK via centralized Cloud KMS](./data-solutions/cmek-via-centralized-kms), [Cloud Composer version 2 private instance, supporting Shared VPC and external CMEK key](./data-solutions/composer-2), [Cloud SQL instance with multi-region read replicas](./data-solutions/cloudsql-multiregion), [Data Platform](./data-solutions/data-platform-foundations), [Spinning up a foundation data pipeline on Google Cloud using Cloud Storage, Dataflow and BigQuery](./data-solutions/gcs-to-bq-with-least-privileges), [#SQL Server Always On Groups blueprint](./data-solutions/sqlserver-alwayson), [Data Playground](./data-solutions/data-playground)
+- **factories** - [[The why and the how of Resource Factories](./factories), [Google Cloud Identity Group Factory](./factories/cloud-identity-group-factory), [Google Cloud BQ Factory](./factories/bigquery-factory), [Google Cloud VPC Firewall Factory](./factories/net-vpc-firewall-yaml), [Minimal Project Factory](./factories/project-factory)
+- **GKE** - [Binary Authorization Pipeline Blueprint](./gke/binauthz), [Storage API](./gke/binauthz/image), [Multi-cluster mesh on GKE (fleet API)](./gke/multi-cluster-mesh-gke-fleet-api), [GKE Multitenant Blueprint](./gke/multitenant-fleet), [Shared VPC with GKE support](./networking/shared-vpc-gke/)
+- **networking** - [Decentralized firewall management](./networking/decentralized-firewall), [Decentralized firewall validator](./networking/decentralized-firewall/validator), [Network filtering with Squid](./networking/filtering-proxy), [HTTP Load Balancer with Cloud Armor](./networking/glb-and-armor), [Hub and Spoke via VPN](./networking/hub-and-spoke-vpn), [Hub and Spoke via VPC Peering](./networking/hub-and-spoke-peering), [Internal Load Balancer as Next Hop](./networking/ilb-next-hop), [Nginx-based reverse proxy cluster](./networking/nginx-reverse-proxy-cluster), [On-prem DNS and Google Private Access](./networking/onprem-google-access-dns), [Calling a private Cloud Function from On-premises](./networking/private-cloud-function-from-onprem), [Hybrid connectivity to on-premise services through PSC](./networking/psc-hybrid), [PSC Producer](./networking/psc-hybrid/psc-producer), [PSC Consumer](./networking/psc-hybrid/psc-consumer), [Shared VPC with optional GKE cluster](./networking/shared-vpc-gke)
+- **serverless** - [Creating multi-region deployments for API Gateway](./serverless/api-gateway)
+- **third party solutions** - [OpenShift on GCP user-provisioned infrastructure](./third-party-solutions/openshift), [Wordpress deployment on Cloud Run](./third-party-solutions/wordpress/cloudrun)

 For more information see the individual README files in each section.
--- a/blueprints/cloud-operations/README.md
+++ b/blueprints/cloud-operations/README.md
@ -2,6 +2,12 @@

 The blueprints in this folder show how to wire together different Google Cloud services to simplify operations, and are meant for testing, or as minimal but sufficiently complete starting points for actual use.

+## Active Directory Federation Services
+
+<a href="./adfs/" title="Active Directory Federation Services"><img src="./adfs/architecture.png" align="left" width="280px"></a> This [blueprint](./adfs/) Sets up managed AD, creates a server where AD FS will be installed which will also act as admin workstation for AD, and exposes ADFS using GLB. It can also optionally set up a GCP project and VPC if needed
+
+<br clear="left">
+
 ## Resource tracking and remediation via Cloud Asset feeds

 <a href="./asset-inventory-feed-remediation" title="Resource tracking and remediation via Cloud Asset feeds"><img src="./asset-inventory-feed-remediation/diagram.png" align="left" width="280px"></a> This [blueprint](./asset-inventory-feed-remediation) shows how to leverage [Cloud Asset Inventory feeds](https://cloud.google.com/asset-inventory/docs/monitoring-asset-changes) to stream resource changes in real time, and how to programmatically use the feed change notifications for alerting or remediation, via a Cloud Function wired to the feed PubSub queue.
@ -10,12 +16,6 @@ The blueprint's feed tracks changes to Google Compute instances, and the Cloud F

 <br clear="left">

-## Scheduled Cloud Asset Inventory Export to Bigquery
-
-<a href="./scheduled-asset-inventory-export-bq" title="Scheduled Cloud Asset Inventory Export to Bigquery"><img src="./scheduled-asset-inventory-export-bq/diagram.png" align="left" width="280px"></a> This [blueprint](./scheduled-asset-inventory-export-bq) shows how to leverage the [Cloud Asset Inventory Exporting to Bigquery](https://cloud.google.com/asset-inventory/docs/exporting-to-bigquery) feature, to keep track of your organization's assets over time storing information in Bigquery. Data stored in Bigquery can then be used for different purposes like dashboarding or analysis.
-
-<br clear="left">
-
 ## Granular Cloud DNS IAM via Service Directory

 <a href="./dns-fine-grained-iam" title="Fine-grained Cloud DNS IAM with Service Directory"><img src="./dns-fine-grained-iam/diagram.png" align="left" width="280px"></a> This [blueprint](./dns-fine-grained-iam) shows how to leverage [Service Directory](https://cloud.google.com/blog/products/networking/introducing-service-directory) and Cloud DNS Service Directory private zones, to implement fine-grained IAM controls on DNS. The blueprint creates a Service Directory namespace, a Cloud DNS private zone that uses it as its authoritative source, service accounts with different levels of permissions, and VMs to test them.
@ -28,42 +28,62 @@ The blueprint's feed tracks changes to Google Compute instances, and the Cloud F

 <br clear="left">

-## Compute Engine quota monitoring
-
-<a href="./quota-monitoring" title="Compute Engine quota monitoring"><img src="./quota-monitoring/diagram.png" align="left" width="280px"></a> This [blueprint](./quota-monitoring) shows a practical way of collecting and monitoring [Compute Engine resource quotas](https://cloud.google.com/compute/quotas) via Cloud Monitoring metrics as an alternative to the recently released [built-in quota metrics](https://cloud.google.com/monitoring/alerts/using-quota-metrics). A simple alert on quota thresholds is also part of the blueprint.
-
-<br clear="left">
-
 ## Delegated Role Grants

 <a href="./iam-delegated-role-grants" title="Delegated Role Grants"><img src="./iam-delegated-role-grants/diagram.png" align="left" width="280px"></a> This [blueprint](./iam-delegated-role-grants) shows how to use delegated role grants to restrict service usage.

 <br clear="left">

+## Network Dashboard
+
+<a href="./network-dashboard" title="Network Dashboard"><img src="./network-dashboard/metric.png" align="left" width="280px"></a> This [blueprint](./network-dashboard/) provides an end-to-end solution to gather some GCP Networking quotas and limits (that cannot be seen in the GCP console today) and display them in a dashboard. The goal is to allow for better visibility of these limits, facilitating capacity planning and avoiding hitting these limits..
+
+<br clear="left">
+
+## On-prem Service Account key management
+
+This [blueprint](./onprem-sa-key-management) shows how to manage IAM Service Account Keys by manually generating a key pair and uploading the public part of the key to GCP.
+
+<br clear="left">
+
 ## Packer image builder

 <a href="./packer-image-builder" title="Packer image builder"><img src="./packer-image-builder/diagram.png" align="left" width="280px"></a> This [blueprint](./packer-image-builder) shows how to deploy infrastructure for a Compute Engine image builder based on [Hashicorp's Packer tool](https://www.packer.io).

 <br clear="left">

-## On-prem Service Account key management
+## Compute Engine quota monitoring

-
-This [blueprint](./onprem-sa-key-management) shows how to manage IAM Service Account Keys by manually generating a key pair and uploading the public part of the key to GCP.
+<a href="./quota-monitoring" title="Compute Engine quota monitoring"><img src="./quota-monitoring/diagram.png" align="left" width="280px"></a> This [blueprint](./quota-monitoring) shows a practical way of collecting and monitoring [Compute Engine resource quotas](https://cloud.google.com/compute/quotas) via Cloud Monitoring metrics as an alternative to the recently released [built-in quota metrics](https://cloud.google.com/monitoring/alerts/using-quota-metrics). A simple alert on quota thresholds is also part of the blueprint.

 <br clear="left">

-## Migrate for Compute Engine (v5)
-<a href="./vm-migration" title="Packer image builder"><img src="./vm-migration/host-target-projects/diagram.png" align="left" width="280px"></a> This set of [blueprints](./vm-migration) shows how to deploy Migrate for Compute Engine (v5) on top of existing Cloud Foundations on different scenarios. An blueprint on how to deploy the M4CE connector on VMWare ESXi is also part of the blueprints.
+## Scheduled Cloud Asset Inventory Export to Bigquery

-<br clear="left">
-
-## TCP healthcheck for unmanaged GCE instances
-<a href="./unmanaged-instances-healthcheck" title="Unmanaged GCE Instance healthchecker"><img src="./unmanaged-instances-healthcheck/diagram.png" align="left" width="280px"></a> This [blueprint](./unmanaged-instances-healthcheck) shows how to leverage [Serverless VPC Access](https://cloud.google.com/vpc/docs/configure-serverless-vpc-access) and Cloud Functions to organize a highly performant TCP healtheck for unmanaged GCE instances.
+<a href="./scheduled-asset-inventory-export-bq" title="Scheduled Cloud Asset Inventory Export to Bigquery"><img src="./scheduled-asset-inventory-export-bq/diagram.png" align="left" width="280px"></a> This [blueprint](./scheduled-asset-inventory-export-bq) shows how to leverage the [Cloud Asset Inventory Exporting to Bigquery](https://cloud.google.com/asset-inventory/docs/exporting-to-bigquery) feature, to keep track of your organization's assets over time storing information in Bigquery. Data stored in Bigquery can then be used for different purposes like dashboarding or analysis.

 <br clear="left">

 ## Workload identity federation for Terraform Enterprise workflow
+
 <a href="./terraform-enterprise-wif" title="Workload identity federation for Terraform Cloud/Enterprise workflow"><img src="./terraform-enterprise-wif/diagram.png" align="left" width="280px"></a> This [blueprint](./terraform-enterprise-wif) shows how to configure [Wokload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation) between [Terraform Cloud/Enterprise](https://developer.hashicorp.com/terraform/enterprise) instance and Google Cloud.

 <br clear="left">
+
+## TCP healthcheck for unmanaged GCE instances
+
+<a href="./unmanaged-instances-healthcheck" title="Unmanaged GCE Instance healthchecker"><img src="./unmanaged-instances-healthcheck/diagram.png" align="left" width="280px"></a> This [blueprint](./unmanaged-instances-healthcheck) shows how to leverage [Serverless VPC Access](https://cloud.google.com/vpc/docs/configure-serverless-vpc-access) and Cloud Functions to organize a highly performant TCP healtheck for unmanaged GCE instances.
+
+<br clear="left">
+
+## Migrate for Compute Engine (v5)
+
+<a href="./vm-migration" title="Packer image builder"><img src="./vm-migration/host-target-projects/diagram.png" align="left" width="280px"></a> This set of [blueprints](./vm-migration) shows how to deploy Migrate for Compute Engine (v5) on top of existing Cloud Foundations on different scenarios. An blueprint on how to deploy the M4CE connector on VMWare ESXi is also part of the blueprints.
+
+<br clear="left">
+
+## Configuring Workload Identity Federation from apps running on Azure
+
+<a href="./workload-identity-federation" title="Configuring Workload Identity Federation from apps running on Azure"><img src="./workload-identity-federation/host-target-projects/architecture.png" align="left" width="280px"></a> This [blueprint](./workload-identity-federation) shows how to set up everything, both in Azure and Google Cloud, so a workload in Azure can access Google Cloud resources without a service account key. This will be possible by configuring workload identity federation to trust access tokens generated for a specific application in an Azure Active Directory (AAD) tenant.
+
+<br clear="left">
--- a/blueprints/cloud-operations/adfs/README.md
+++ b/blueprints/cloud-operations/adfs/README.md
@ -1,19 +1,19 @@
-# AD FS
+# Active Directory Federation Services

-This blueprint does the following: 
+This blueprint does the following:

 Terraform:

 - (Optional) Creates a project.
 - (Optional) Creates a VPC.
 - Sets up managed AD
- Creates a server where AD FS will be installed. This machine will also act as admin workstation for AD. 
+- Creates a server where AD FS will be installed. This machine will also act as admin workstation for AD.
 - Exposes AD FS using GLB.

 Ansible:

 - Installs the required Windows features and joins the computer to the AD domain.
- Provisions some tests users, groups and group memberships in AD. The data to provision is in the files directory of the ad-provisioning ansible role. There is script available in the scripts/ad-provisioning folder that you can use to generate an alternative users or memberships file. 
+- Provisions some tests users, groups and group memberships in AD. The data to provision is in the files directory of the ad-provisioning ansible role. There is script available in the scripts/ad-provisioning folder that you can use to generate an alternative users or memberships file.
 - Installs AD FS

 In addition to this, we also include a Powershell script that facilitates the configuration required for Anthos when authenticating users with AD FS as IdP.
@ -26,8 +26,8 @@ The diagram below depicts the architecture of the blueprint:

 Clone this repository or [open it in cloud shell](https://ssh.cloud.google.com/cloudshell/editor?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fcloud-foundation-fabric&cloudshell_print=cloud-shell-readme.txt&cloudshell_working_dir=blueprints%2Fcloud-operations%2Fadfs), then go through the following steps to create resources:

-* `terraform init`
-* `terraform apply -var project_id=my-project-id -var ad_dns_domain_name=my-domain.org -var adfs_dns_domain_name=adfs.my-domain.org`
+- `terraform init`
+- `terraform apply -var project_id=my-project-id -var ad_dns_domain_name=my-domain.org -var adfs_dns_domain_name=adfs.my-domain.org`

 Once the resources have been created, do the following:

--- a/blueprints/cloud-operations/workload-identity-federation/README.md
+++ b/blueprints/cloud-operations/workload-identity-federation/README.md
@ -1,9 +1,9 @@
-# Configuring workload identity federation to access Google Cloud resources from apps running on Azure
+# Configuring Workload Identity Federation to access Google Cloud resources from apps running on Azure

 The most straightforward way for workloads running outside of Google Cloud to call Google Cloud APIs is by using a downloaded service account key. However, this approach has 2 major pain points:

 * A management hassle,  keys need to be stored securely and rotated often.
-* A security risk, keys are long term credentials that could be compromised. 
+* A security risk, keys are long term credentials that could be compromised.

 Workload identity federation enables applications running outside of Google Cloud to replace long-lived service account keys with short-lived access tokens. This is achieved by configuring Google Cloud to trust an external identity provider, so applications can use the credentials issued by the external identity provider to impersonate a service account.

@ -19,17 +19,17 @@ The provided terraform configuration will set up the following architecture:

 * On Azure:

-    * An Azure Active Directory application and a service principal. By default, the new application grants all users in the Azure AD tenant permission to obtain access tokens. So an app role assignment will be required to restrict which identities can obtain access tokens for the application.
+  * An Azure Active Directory application and a service principal. By default, the new application grants all users in the Azure AD tenant permission to obtain access tokens. So an app role assignment will be required to restrict which identities can obtain access tokens for the application.

-    * Optionally, all the resources required to have a VM configured to run with a system-assigned managed identity and accessible via SSH on a public IP using public key authentication, so we can log in to the machine and run the `gcloud` command to verify that everything works as expected.
+  * Optionally, all the resources required to have a VM configured to run with a system-assigned managed identity and accessible via SSH on a public IP using public key authentication, so we can log in to the machine and run the `gcloud` command to verify that everything works as expected.

 * On Google Cloud:

-    * A Google Cloud project with: 
+  * A Google Cloud project with:

-        * A workload identity pool and provider configured to trust the AAD application 
+    * A workload identity pool and provider configured to trust the AAD application

-        * A service account with the Viewer role granted on the project. The external identities in the workload identity pool would be assigned the Workload Identity User role on that service account.
+    * A service account with the Viewer role granted on the project. The external identities in the workload identity pool would be assigned the Workload Identity User role on that service account.

 ## Running the blueprint

@ -42,7 +42,7 @@ Clone this repository or [open it in cloud shell](https://ssh.cloud.google.com/c

 Once the resources have been created, do the following to verify that everything works as expected:

-1. Log in to the VM. 
+1. Log in to the VM.

    If you have created the VM using this terraform configuration proceed the following way:

@ -72,7 +72,6 @@ Once the resources have been created, do the following to verify that everything

    `gcloud projects describe PROJECT_ID`

-
 Once done testing, you can clean up resources by running `terraform destroy`.
 <!-- BEGIN TFDOC -->

--- a/blueprints/data-solutions/README.md
+++ b/blueprints/data-solutions/README.md
@ -6,32 +6,32 @@ They are meant to be used as minimal but complete starting points to create actu

 ## Blueprints

+### Cloud SQL instance with multi-region read replicas
+
+<a href="./cloudsql-multiregion/" title="Cloud SQL instance with multi-region read replicas"><img src="./cloudsql-multiregion/images/diagram.png" align="left" width="280px"></a>
+This [blueprint](./cloudsql-multiregion/) creates a [Cloud SQL instance](https://cloud.google.com/sql) with multi-region read replicas as described in the [Cloud SQL for PostgreSQL disaster recovery](https://cloud.google.com/architecture/cloud-sql-postgres-disaster-recovery-complete-failover-fallback) article.
+
+<br clear="left">
+
 ### GCE and GCS CMEK via centralized Cloud KMS

 <a href="./cmek-via-centralized-kms/" title="CMEK on Cloud Storage and Compute Engine via centralized Cloud KMS"><img src="./cmek-via-centralized-kms/diagram.png" align="left" width="280px"></a> This [blueprint](./cmek-via-centralized-kms/) implements [CMEK](https://cloud.google.com/kms/docs/cmek) for GCS and GCE, via keys hosted in KMS running in a centralized project. The blueprint shows the basic resources and permissions for the typical use case of application projects implementing encryption at rest via a centrally managed KMS service.
+
 <br clear="left">

-### Cloud Storage to Bigquery with Cloud Dataflow with least privileges
+### Cloud Composer version 2 private instance, supporting Shared VPC and external CMEK key
+
+<a href="./composer-2/" title="# Cloud Composer version 2 private instance, supporting Shared VPC and external CMEK key
+"><img src="./composer-2/diagram.png" align="left" width="280px"></a>
+This [blueprint](./composer-2/) creates a [Cloud Composer](https://cloud.google.com/composer/) version 2 instance on a VPC with a dedicated service account. The solution supports as inputs: a Shared VPC and Cloud KMS CMEK keys.

-<a href="./gcs-to-bq-with-least-privileges/" title="Cloud Storage to Bigquery with Cloud Dataflow with least privileges"><img src="./gcs-to-bq-with-least-privileges/images/diagram.png" align="left" width="280px"></a> This [blueprint](./gcs-to-bq-with-least-privileges/) implements resources required to run GCS to BigQuery Dataflow pipelines. The solution rely on a set of Services account created with the least privileges principle.
 <br clear="left">

 ### Data Platform Foundations

 <a href="./data-platform-foundations/" title="Data Platform Foundations"><img src="./data-platform-foundations/images/overview_diagram.png" align="left" width="280px"></a>
 This [blueprint](./data-platform-foundations/) implements a robust and flexible Data Foundation on GCP that provides opinionated defaults, allowing customers to build and scale out additional data pipelines quickly and reliably.
-<br clear="left">

-### SQL Server Always On Availability Groups
-
-<a href="./sqlserver-alwayson/" title="SQL Server Always On Availability Groups"><img src="https://cloud.google.com/compute/images/sqlserver-ag-architecture.svg" align="left" width="280px"></a>
-This [blueprint](./data-platform-foundations/) implements SQL Server Always On Availability Groups using Fabric modules. It builds a two node cluster with a fileshare witness instance in an existing VPC and adds the necessary firewalling. The actual setup process (apart from Active Directory operations) has been scripted, so that least amount of manual works needs to performed.
-<br clear="left">
-
-### Cloud SQL instance with multi-region read replicas
-
-<a href="./cloudsql-multiregion/" title="Cloud SQL instance with multi-region read replicas"><img src="./cloudsql-multiregion/images/diagram.png" align="left" width="280px"></a>
-This [blueprint](./cloudsql-multiregion/) creates a [Cloud SQL instance](https://cloud.google.com/sql) with multi-region read replicas as described in the [Cloud SQL for PostgreSQL disaster recovery](https://cloud.google.com/architecture/cloud-sql-postgres-disaster-recovery-complete-failover-fallback) article.
 <br clear="left">

 ### Data Playground starter with Cloud Vertex AI Notebook and GCS
@ -40,11 +40,18 @@ This [blueprint](./cloudsql-multiregion/) creates a [Cloud SQL instance](https:/
 This [blueprint](./data-playground/) creates a [Vertex AI
 Notebook](https://cloud.google.com/vertex-ai/docs/workbench/introduction)
 running on a VPC with a private IP and a dedicated Service Account. A GCS bucket and a BigQuery dataset are created to store inputs and outputs of data experiments.
+
 <br clear="left">

-### Cloud Composer version 2 private instance, supporting Shared VPC and external CMEK key
+### Cloud Storage to Bigquery with Cloud Dataflow with least privileges

-<a href="./composer-2/" title="# Cloud Composer version 2 private instance, supporting Shared VPC and external CMEK key
-"><img src="./composer-2/diagram.png" align="left" width="280px"></a>
-This [blueprint](./composer-2/) creates a [Cloud Composer](https://cloud.google.com/composer/) version 2 instance on a VPC with a dedicated service account. The solution supports as inputs: a Shared VPC and Cloud KMS CMEK keys.
-<br clear="left">
+<a href="./gcs-to-bq-with-least-privileges/" title="Cloud Storage to Bigquery with Cloud Dataflow with least privileges"><img src="./gcs-to-bq-with-least-privileges/images/diagram.png" align="left" width="280px"></a> This [blueprint](./gcs-to-bq-with-least-privileges/) implements resources required to run GCS to BigQuery Dataflow pipelines. The solution rely on a set of Services account created with the least privileges principle.
+
+<br clear="left">
+
+### SQL Server Always On Availability Groups
+
+<a href="./sqlserver-alwayson/" title="SQL Server Always On Availability Groups"><img src="https://cloud.google.com/compute/images/sqlserver-ag-architecture.svg" align="left" width="280px"></a>
+This [blueprint](./data-platform-foundations/) implements SQL Server Always On Availability Groups using Fabric modules. It builds a two node cluster with a fileshare witness instance in an existing VPC and adds the necessary firewalling. The actual setup process (apart from Active Directory operations) has been scripted, so that least amount of manual works needs to performed.
+
+<br clear="left">
--- a/blueprints/data-solutions/cloudsql-multiregion/README.md
+++ b/blueprints/data-solutions/cloudsql-multiregion/README.md
@ -39,7 +39,7 @@ If `project_create` is left to `null`, the identity performing the deployment ne

 Click on the image below, sign in if required and when the prompt appears, click on “confirm”.

-[![Open Cloudshell](images/button.png)](https://goo.gle/GoCloudSQL)
+[![Open Cloudshell](../../../assets/images/cloud-shell-button.png)](https://goo.gle/GoCloudSQL)

 This will clone the repository to your cloud shell and a screen like this one will appear:

@ -81,7 +81,8 @@ This implementation is intentionally minimal and easy to read. A real world use
 - Using VPC-SC to mitigate data exfiltration

 ### Shared VPC
-The example supports the configuration of a Shared VPC as an input variable. 
+
+The example supports the configuration of a Shared VPC as an input variable.
 To deploy the solution on a Shared VPC, you have to configure the `network_config` variable:

 ```
@ -94,12 +95,14 @@ network_config = {
 ```

 To run this example, the Shared VPC project needs to have:
- - A Private Service Connect with a range of `/24` (example: `10.60.0.0/24`) to deploy the Cloud SQL instance.
- - Internet access configured (for example Cloud NAT) to let the Test VM download packages. 
+
+- A Private Service Connect with a range of `/24` (example: `10.60.0.0/24`) to deploy the Cloud SQL instance.
+- Internet access configured (for example Cloud NAT) to let the Test VM download packages.

 In order to run the example and deploy Cloud SQL on a shared VPC the identity running Terraform must have the following IAM role on the Shared VPC Host project.
- - Compute Network Admin (roles/compute.networkAdmin)
- - Compute Shared VPC Admin (roles/compute.xpnAdmin)
+
+- Compute Network Admin (roles/compute.networkAdmin)
+- Compute Shared VPC Admin (roles/compute.xpnAdmin)

 ## Test your environment

--- a/blueprints/data-solutions/cloudsql-multiregion/images/button.png
+++ b/blueprints/data-solutions/cloudsql-multiregion/images/button.png
--- a/blueprints/data-solutions/gcs-to-bq-with-least-privileges/README.md
+++ b/blueprints/data-solutions/gcs-to-bq-with-least-privileges/README.md
@ -60,8 +60,7 @@ __Note__: To grant a user a role, take a look at the [Granting and Revoking Acce

 Click on the button below, sign in if required and when the prompt appears, click on “confirm”.

-
-[![Open Cloudshell](images/shell_button.png)](https://goo.gle/GoDataPipe)
+[![Open Cloudshell](../../../assets/images/cloud-shell-button.png)](https://goo.gle/GoDataPipe)

 This will clone the repository to your cloud shell and a screen like this one will appear:

--- a/blueprints/data-solutions/gcs-to-bq-with-least-privileges/images/cloud_shell.png
+++ b/blueprints/data-solutions/gcs-to-bq-with-least-privileges/images/cloud_shell.png
--- a/blueprints/gke/README.md
+++ b/blueprints/gke/README.md
@ -6,6 +6,18 @@ They are meant to be used as minimal but complete starting points to create actu

 ## Blueprints

+### Binary Authorization Pipeline
+
+<a href="../gke/binauthz/" title="Binary Authorization Pipeline"><img src="../gke/binauthz/diagram.png" align="left" width="280px"></a> This [blueprint](../gke/binauthz/) shows how to create a CI and a CD pipeline in Cloud Build for the deployment of an application to a private GKE cluster with unrestricted access to a public endpoint. The blueprint enables a Binary Authorization policy in the project so only images that have been attested can be deployed to the cluster. The attestations are created using a cryptographic key pair that has been provisioned in KMS.
+
+<br clear="left">
+
+### Multi-cluster mesh on GKE (fleet API)
+
+<a href="../gke/multi-cluster-mesh-gke-fleet-api/" title="Binary Authorization Pipeline"><img src="../gke/multi-cluster-mesh-gke-fleet-api/diagram.png" align="left" width="280px"></a> This [blueprint](../gke/multi-cluster-mesh-gke-fleet-api/) shows how to create a multi-cluster mesh for two private clusters on GKE. Anthos Service Mesh with automatic control plane management is set up for clusters using the Fleet API. This can only be done if the clusters are in a single project and in the same VPC. In this particular case both clusters having being deployed to different subnets in a shared VPC.
+
+<br clear="left">
+
 ### Multitenant GKE fleet

 <a href="./multitenant-fleet/" title="GKE multitenant fleet"><img src="./multitenant-fleet/diagram.png" align="left" width="280px"></a> This [blueprint](./multitenant-fleet/) allows simple centralized management of similar sets of GKE clusters and their nodepools in a single project, and optional fleet management via GKE Hub templated configurations.
@ -16,14 +28,5 @@ They are meant to be used as minimal but complete starting points to create actu
 <a href="../networking/shared-vpc-gke/" title="Shared VPC with GKE"><img src="../networking/shared-vpc-gke/diagram.png" align="left" width="280px"></a> This [blueprint](../networking/shared-vpc-gke/) shows how to configure a Shared VPC, including the specific IAM configurations needed for GKE, and to give different level of access to the VPC subnets to different identities.

 It is meant to be used as a starting point for most Shared VPC configurations, and to be integrated to the above blueprints where Shared VPC is needed in more complex network topologies.
-<br clear="left">
-
-### Binary Authorization Pipeline
-
-<a href="../gke/binauthz/" title="Binary Authorization Pipeline"><img src="../gke/binauthz/diagram.png" align="left" width="280px"></a> This [blueprint](../gke/binauthz/) shows how to create a CI and a CD pipeline in Cloud Build for the deployment of an application to a private GKE cluster with unrestricted access to a public endpoint. The blueprint enables a Binary Authorization policy in the project so only images that have been attested can be deployed to the cluster. The attestations are created using a cryptographic key pair that has been provisioned in KMS.
-<br clear="left">
-
-### Multi-cluster mesh on GKE (fleet API)
-
-<a href="../gke/multi-cluster-mesh-gke-fleet-api/" title="Binary Authorization Pipeline"><img src="../gke/multi-cluster-mesh-gke-fleet-api/diagram.png" align="left" width="280px"></a> This [blueprint](../gke/multi-cluster-mesh-gke-fleet-api/) shows how to create a multi-cluster mesh for two private clusters on GKE. Anthos Service Mesh with automatic control plane management is set up for clusters using the Fleet API. This can only be done if the clusters are in a single project and in the same VPC. In this particular case both clusters having being deployed to different subnets in a shared VPC.
+
 <br clear="left">
--- a/blueprints/networking/README.md
+++ b/blueprints/networking/README.md
@ -6,11 +6,30 @@ They are meant to be used as minimal but complete starting points to create actu

 ## Blueprints

+### Decentralized firewall management
+
+<a href="./decentralized-firewall/" title="Decentralized firewall management"><img src="./decentralized-firewall/diagram.png" align="left" width="280px"></a> This [blueprint](./decentralized-firewall/) shows how a decentralized firewall management can be organized using the [firewall factory](../factories/net-vpc-firewall-yaml/).
+
+<br clear="left">
+
+### Network filtering with Squid
+
+<a href="./filtering-proxy/" title="Network filtering with Squid"><img src="./filtering-proxy/squid.png" align="left" width="280px"></a> This [blueprint](./filtering-proxy/) how to deploy a filtering HTTP proxy to restrict Internet access, in a simplified setup using a VPC with two subnets and a Cloud DNS zone, and an optional MIG for scaling.
+
+<br clear="left">
+
+## HTTP Load Balancer with Cloud Armor
+
+<a href="./glb-and-armor/" title="HTTP Load Balancer with Cloud Armor"><img src="./glb-and-armor/architecture.png" align="left" width="280px"></a> This [blueprint](./glb-and-armor/) contains all necessary Terraform modules to build a multi-regional infrastructure with horizontally scalable managed instance group backends, HTTP load balancing and Google’s advanced WAF security tool (Cloud Armor) on top to securely deploy an application at global scale.
+
+<br clear="left">
+
 ### Hub and Spoke via Peering

 <a href="./hub-and-spoke-peering/" title="Hub and spoke via peering blueprint"><img src="./hub-and-spoke-peering/diagram.png" align="left" width="280px"></a> This [blueprint](./hub-and-spoke-peering/) implements a hub and spoke topology via VPC peering, a common design where a landing zone VPC (hub) is connected to on-premises, and then peered with satellite VPCs (spokes) to further partition the infrastructure.

 The sample highlights the lack of transitivity in peering: the absence of connectivity between spokes, and the need create workarounds for private service access to managed services. One such workaround is shown for private GKE, allowing access from hub and all spokes to GKE masters via a dedicated VPN.
+
 <br clear="left">

 ### Hub and Spoke via Dynamic VPN
@ -18,6 +37,19 @@ The sample highlights the lack of transitivity in peering: the absence of connec
 <a href="./hub-and-spoke-vpn/" title="Hub and spoke via dynamic VPN"><img src="./hub-and-spoke-vpn/diagram.png" align="left" width="280px"></a> This [blueprint](./hub-and-spoke-vpn/) implements a hub and spoke topology via dynamic VPN tunnels, a common design where peering cannot be used due to limitations on the number of spokes or connectivity to managed services.

 The blueprint shows how to implement spoke transitivity via BGP advertisements, how to expose hub DNS zones to spokes via DNS peering, and allows easy testing of different VPN and BGP configurations.
+
+<br clear="left">
+
+### ILB as next hop
+
+<a href="./ilb-next-hop/" title="ILB as next hop"><img src="./ilb-next-hop/diagram.png" align="left" width="280px"></a> This [blueprint](./ilb-next-hop/) allows testing [ILB as next hop](https://cloud.google.com/load-balancing/docs/internal/ilb-next-hop-overview) using simple Linux gateway VMS between two VPCs, to emulate virtual appliances. An optional additional ILB can be enabled to test multiple load balancer configurations and hashing.
+
+<br clear="left">
+
+### Nginx-based reverse proxy cluster
+
+<a href="./nginx-reverse-proxy-cluster/" title="Nginx-based reverse proxy cluster"><img src="./nginx-reverse-proxy-cluster/reverse-proxy.png" align="left" width="280px"></a> This [blueprint](./nginx-reverse-proxy-cluster/) how to deploy an autoscaling reverse proxy cluster using Nginx, based on regional Managed Instance Groups. The autoscaling is driven by Nginx current connections metric, sent by Cloud Ops Agent.
+
 <br clear="left">

 ### DNS and Private Access for On-premises
@ -25,6 +57,19 @@ The blueprint shows how to implement spoke transitivity via BGP advertisements,
 <a href="./onprem-google-access-dns/" title="DNS and Private Access for On-premises"><img src="./onprem-google-access-dns/diagram.png" align="left" width="280px"></a> This [blueprint](./onprem-google-access-dns/) uses an emulated on-premises environment running in Docker containers inside a GCE instance, to allow testing specific features like DNS policies, DNS forwarding zones across VPN, and Private Access for On-premises hosts.

 The emulated on-premises environment can be used to test access to different services from outside Google Cloud, by implementing a VPN connection and BGP to Google CLoud via Strongswan and Bird.
+
+<br clear="left">
+
+### Calling a private Cloud Function from on-premises
+
+<a href="./private-cloud-function-from-onprem/" title="Private Cloud Function from On-premises"><img src="./private-cloud-function-from-onprem/diagram.png" align="left" width="280px"></a> This [blueprint](./private-cloud-function-from-onprem/) shows how to invoke a [private Google Cloud Function](https://cloud.google.com/functions/docs/networking/network-settings) from the on-prem environment via a [Private Service Connect endpoint](https://cloud.google.com/vpc/docs/private-service-connect#benefits-apis).
+
+<br clear="left">
+
+### Calling on-premise services through PSC and hybrid NEGs
+
+<a href="./psc-hybrid/" title="Hybrid connectivity to on-premise services thrugh PSC"><img src="./psc-hybrid/diagram.png" align="left" width="280px"></a> This [blueprint](./psc-hybrid/) shows how to privately connect to on-premise services (IP + port) from GCP, leveraging [Private Service Connect (PSC)](https://cloud.google.com/vpc/docs/private-service-connect) and [Hybrid Network Endpoint Groups](https://cloud.google.com/load-balancing/docs/negs/hybrid-neg-concepts).
+
 <br clear="left">

 ### Shared VPC with GKE and per-subnet support
@ -32,24 +77,5 @@ The emulated on-premises environment can be used to test access to different ser
 <a href="./shared-vpc-gke/" title="Shared VPC with GKE"><img src="./shared-vpc-gke/diagram.png" align="left" width="280px"></a> This [blueprint](./shared-vpc-gke/) shows how to configure a Shared VPC, including the specific IAM configurations needed for GKE, and to give different level of access to the VPC subnets to different identities.

 It is meant to be used as a starting point for most Shared VPC configurations, and to be integrated to the above blueprints where Shared VPC is needed in more complex network topologies.
-<br clear="left">
-
-### ILB as next hop
-
-<a href="./ilb-next-hop/" title="ILB as next hop"><img src="./ilb-next-hop/diagram.png" align="left" width="280px"></a> This [blueprint](./ilb-next-hop/) allows testing [ILB as next hop](https://cloud.google.com/load-balancing/docs/internal/ilb-next-hop-overview) using simple Linux gateway VMS between two VPCs, to emulate virtual appliances. An optional additional ILB can be enabled to test multiple load balancer configurations and hashing.
-<br clear="left">
-
-### Calling a private Cloud Function from on-premises
-
-<a href="./private-cloud-function-from-onprem/" title="Private Cloud Function from On-premises"><img src="./private-cloud-function-from-onprem/diagram.png" align="left" width="280px"></a> This [blueprint](./private-cloud-function-from-onprem/) shows how to invoke a [private Google Cloud Function](https://cloud.google.com/functions/docs/networking/network-settings) from the on-prem environment via a [Private Service Connect endpoint](https://cloud.google.com/vpc/docs/private-service-connect#benefits-apis).
-<br clear="left">
-
-### Calling on-premise services through PSC and hybrid NEGs
-
-<a href="./psc-hybrid/" title="Hybrid connectivity to on-premise services thrugh PSC"><img src="./psc-hybrid/diagram.png" align="left" width="280px"></a> This [blueprint](./psc-hybrid/) shows how to privately connect to on-premise services (IP + port) from GCP, leveraging [Private Service Connect (PSC)](https://cloud.google.com/vpc/docs/private-service-connect) and [Hybrid Network Endpoint Groups](https://cloud.google.com/load-balancing/docs/negs/hybrid-neg-concepts).
-<br clear="left">
-
-### Decentralized firewall management
-
-<a href="./decentralized-firewall/" title="Decentralized firewall management"><img src="./decentralized-firewall/diagram.png" align="left" width="280px"></a> This [blueprint](./decentralized-firewall/) shows how a decentralized firewall management can be organized using the [firewall factory](../factories/net-vpc-firewall-yaml/).
+
 <br clear="left">
--- a/blueprints/cloud-operations/glb_and_armor/README.md
+++ b/blueprints/cloud-operations/glb_and_armor/README.md
@ -2,7 +2,7 @@

 ## Introduction

-This repository contains all necessary Terraform modules to build a multi-regional infrastructure with horizontally scalable managed instance group backends, HTTP load balancing and Google’s advanced WAF security tool (Cloud Armor) on top to securely deploy an application at global scale.
+This blueprint contains all necessary Terraform modules to build a multi-regional infrastructure with horizontally scalable managed instance group backends, HTTP load balancing and Google’s advanced WAF security tool (Cloud Armor) on top to securely deploy an application at global scale.

 This tutorial is general enough to fit in a variety of use-cases, from hosting a mobile app's backend to deploy proprietary workloads at scale.

@ -62,7 +62,7 @@ Note: To grant a user a role, take a look at the [Granting and Revoking Access](

 Click on the button below, sign in if required and when the prompt appears, click on “confirm”.

-[![Open Cloudshell](shell_button.png)](https://goo.gle/GoCloudArmor)
+[![Open Cloudshell](../../../assets/images/cloud-shell-button.png)](https://goo.gle/GoCloudArmor)

 This will clone the repository to your cloud shell and a screen like this one will appear:

--- a/blueprints/cloud-operations/glb_and_armor/architecture.png
+++ b/blueprints/cloud-operations/glb_and_armor/architecture.png
--- a/blueprints/cloud-operations/glb_and_armor/cloud_shell.png
+++ b/blueprints/cloud-operations/glb_and_armor/cloud_shell.png
--- a/blueprints/cloud-operations/glb_and_armor/main.tf
+++ b/blueprints/cloud-operations/glb_and_armor/main.tf
--- a/blueprints/cloud-operations/glb_and_armor/outputs.tf
+++ b/blueprints/cloud-operations/glb_and_armor/outputs.tf
--- a/blueprints/cloud-operations/glb_and_armor/variables.tf
+++ b/blueprints/cloud-operations/glb_and_armor/variables.tf
--- a/blueprints/networking/nginx-reverse-proxy-cluster/README.md
+++ b/blueprints/networking/nginx-reverse-proxy-cluster/README.md
@ -1,20 +1,17 @@
 # Nginx-based reverse proxy cluster

-This blueprint shows how to deploy an autoscaling reverse proxy cluster using Nginx, based on regional
-Managed Instance Groups.
+This blueprint shows how to deploy an autoscaling reverse proxy cluster using Nginx, based on regional Managed Instance Groups.

 ![High-level diagram](reverse-proxy.png "High-level diagram")

-The autoscaling is driven by Nginx current connections metric, sent by Cloud Ops Agent. 
+The autoscaling is driven by Nginx current connections metric, sent by Cloud Ops Agent.

-The example is for Nginx, but it could be easily adapted to any other reverse proxy software (eg. 
-Squid, Varnish, etc).
+The example is for Nginx, but it could be easily adapted to any other reverse proxy software (eg. Squid, Varnish, etc).

 ## Ops Agent image

-There is a simple [`Dockerfile`](Dockerfile) available for building Ops Agent to be run
-inside the ContainerOS instance. Build the container, push it to your Container/Artifact
-Repository and set the `ops_agent_image` to point to the image you built.
+There is a simple [`Dockerfile`](Dockerfile) available for building Ops Agent to be run inside the ContainerOS instance. Build the container, push it to your Container/Artifact Repository and set the `ops_agent_image` to point to the image you built.
+
 <!-- BEGIN TFDOC -->

 ## Variables
--- a/blueprints/third-party-solutions/README.md
+++ b/blueprints/third-party-solutions/README.md
@ -7,3 +7,11 @@ The blueprints in this folder show how to automate installation of specific thir
 ### OpenShift cluster bootstrap on Shared VPC

 <a href="./openshift/" title="HubOpenShift boostrap example"><img src="./openshift/diagram.png" align="left" width="280px"></a> This [example](./openshift/) shows how to quickly bootstrap an OpenShift 4.7 cluster on GCP, using typical enterprise features like Shared VPC and CMEK for instance disks.
+
+<br clear="left">
+
+### Wordpress deployment on Cloud Run
+
+<a href="./wordpress/cloudrun/" title="Wordpress deployment on Cloud Run"><img src="./wordpress/cloudrun/architecture.png" align="left" width="280px"></a> This [example](./wordpress/cloudrun/) shows how to deploy a functioning new Wordpress website exposed to the public internet via CloudRun and Cloud SQL, with minimal technical overhead.
+
+<br clear="left">
--- a/blueprints/third-party-solutions/wordpress/cloudrun/README.md
+++ b/blueprints/third-party-solutions/wordpress/cloudrun/README.md
@ -36,11 +36,11 @@ If `project_create` is left to null, the identity performing the deployment need

 If you want to deploy from your Cloud Shell, click on the image below, sign in if required and when the prompt appears, click on “confirm”.

-[![Open Cloudshell](images/button.png)](https://shell.cloud.google.com/cloudshell/editor?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2FGoogleCloudPlatform%2Fcloud-foundation-fabric&cloudshell_workspace=blueprints%2Fthird-party-solutions%2Fwordpress%2Fcloudrun)
-
+[![Open Cloudshell](../../../../assets/images/cloud-shell-button.png)](https://shell.cloud.google.com/cloudshell/editor?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2FGoogleCloudPlatform%2Fcloud-foundation-fabric&cloudshell_workspace=blueprints%2Fthird-party-solutions%2Fwordpress%2Fcloudrun)

 Otherwise, in your console of choice:
-``` {shell}
+
+```bash
 git clone https://github.com/GoogleCloudPlatform/cloud-foundation-fabric
 ```

@ -70,6 +70,7 @@ Once you have the required information, head back to your cloned repository. Mak
 Configure the Terraform variables in your `terraform.tfvars` file. See [terraform.tfvars.sample](terraform.tfvars.sample) as starting point - just copy it to `terraform.tfvars` and edit the latter. See the variables documentation below.

 **Notes**:
+
 1. If you will want to change your admin password later on, please note that it will only work in the admin interface of Wordpress, but not with redeploying with Terraform, since Wordpress writes that password into the database upon installation and ignores the environment variables (that you can change with Terraform) after that.
 2. If you have the [domain restriction org. policy](https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains) on your organization, you have to edit the `cloud_run_invoker` variable and give it a value that will be accepted in accordance to your policy.

@ -81,22 +82,27 @@ Initialize your Terraform environment and deploy the resources:
 terraform init
 terraform apply
 ```
+
 The resource creation will take a few minutes.

 **Note**: you might get the following error (or a similar one):
+
 ``` {shell}
 │ Error: resource is in failed state "Ready:False", message: Revision '...' is not ready and cannot serve traffic.│
 ```
+
 You might try to reapply at this point, the Cloud Run service just needs several minutes.

 ### Step 4: Use the created resources

 Upon completion, you will see the output with the values for the Cloud Run service and the user and password to access the `/admin` part of the website. You can also view it later with:
+
 ``` {shell}
 terraform output
 # or for the concrete variable:
 terraform output cloud_run_service
 ```
+
 1. Open your browser at the URL that you get with that last command, and you will see your Wordpress installation.
 2. Add "/admin" in the end of the URL and log in to the admin interface, using the outputs "wp_user" and "wp_password".

--- a/blueprints/third-party-solutions/wordpress/cloudrun/images/button.png
+++ b/blueprints/third-party-solutions/wordpress/cloudrun/images/button.png
--- a/modules/README.md
+++ b/modules/README.md
@ -13,11 +13,12 @@ These modules are not necessarily backward compatible. Changes breaking compatib
 These modules are used in the examples included in this repository. If you are using any of those examples in your own Terraform configuration, make sure that you are using the same version for all the modules, and switch module sources to GitHub format using references. The recommended approach to working with Fabric modules is the following:

 - Fork the repository and own the fork. This will allow you to:
-    - Evolve the existing modules.
-    - Create your own modules.
-    - Sync from the upstream repository to get all the updates.
- 
+  - Evolve the existing modules.
+  - Create your own modules.
+  - Sync from the upstream repository to get all the updates.
+
 - Use GitHub sources with refs to reference the modules. See an example below:
+
    ```terraform
    module "project" {
        source              = "github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/project?ref=v13.0.0"
@ -30,62 +31,65 @@ These modules are used in the examples included in this repository. If you are u
 ## Foundational modules

 - [billing budget](./billing-budget)
+- [Cloud Identity group](./cloud-identity-group/)
 - [folder](./folder)
+- [service accounts](./iam-service-account)
 - [logging bucket](./logging-bucket)
 - [organization](./organization)
+- [organization-policy](./organization-policy)
 - [project](./project)
 - [projects-data-source](./projects-data-source)
- [service account](./iam-service-account)
- [organization policy](./organization-policy)

 ## Networking modules

- [address reservation](./net-address)
- [Cloud DNS](./dns)
- [Cloud NAT](./net-cloudnat)
+- [DNS](./dns)
 - [Cloud Endpoints](./endpoints)
- [L4 Internal Load Balancer](./net-ilb)
- [Service Directory](./service-directory)
+- [address reservation](./net-address)
+- [NAT](./net-cloudnat)
+- [Global Load Balancer (classic)](./net-glb/)
+- [L4 ILB](./net-ilb)
+- [L7 ILB](./net-ilb-l7)
 - [VPC](./net-vpc)
 - [VPC firewall](./net-vpc-firewall)
 - [VPC peering](./net-vpc-peering)
- [VPN static](./net-vpn-static)
 - [VPN dynamic](./net-vpn-dynamic)
 - [HA VPN](./net-vpn-ha)
- [ ] TODO: xLB modules
+- [VPN static](./net-vpn-static)
+- [Service Directory](./service-directory)

 ## Compute/Container

- [COS container](./cloud-config-container/onprem/) (coredns, mysql, onprem, squid)
- [GKE cluster](./gke-cluster)
- [GKE nodepool](./gke-nodepool)
- [GKE hub](./gke-hub)
- [Managed Instance Group](./compute-mig)
 - [VM/VM group](./compute-vm)
+- [MIG](./compute-mig)
+- [COS container](./cloud-config-container/cos-generic-metadata/) (coredns/mysql/nva/onprem/squid)
+- [GKE cluster](./gke-cluster)
+- [GKE hub](./gke-hub)
+- [GKE nodepool](./gke-nodepool)

 ## Data

 - [BigQuery dataset](./bigquery-dataset)
- [Datafusion](./datafusion)
- [GCS](./gcs)
- [Pub/Sub](./pubsub)
 - [Bigtable instance](./bigtable-instance)
 - [Cloud SQL instance](./cloudsql-instance)
 - [Data Catalog Policy Tag](./data-catalog-policy-tag)
+- [Datafusion](./datafusion)
+- [GCS](./gcs)
+- [Pub/Sub](./pubsub)

 ## Development

- [Artifact Registry](./artifact-registry)
- [Container Registry](./container-registry)
- [Source Repository](./source-repository)
+- [API Gateway](./api-gateway)
 - [Apigee Organization](./apigee-organization)
 - [Apigee X Instance](./apigee-x-instance)
- [API Gateway](./api-gateway)
+- [Artifact Registry](./artifact-registry)
+- [Container Registry](./container-registry)
+- [Cloud Source Repository](./source-repository)

 ## Security

- [Cloud KMS](./kms)
- [Secret Manager](./secret-manager)
+- [Binauthz](./binauthz/)
+- [KMS](./kms)
+- [SecretManager](./secret-manager)
 - [VPC Service Control](./vpc-sc)

 ## Serverless
--- a/tests/blueprints/cloud_operations/glb_and_armor/init.py
+++ b/tests/blueprints/cloud_operations/glb_and_armor/init.py
--- a/tests/blueprints/cloud_operations/glb_and_armor/fixture/main.tf
+++ b/tests/blueprints/cloud_operations/glb_and_armor/fixture/main.tf
@ -13,7 +13,7 @@
 # limitations under the License.

 module "test" {
-  source                  = "../../../../../blueprints/cloud-operations/glb_and_armor"
+  source                  = "../../../../../blueprints/networking/glb-and-armor"
  project_create          = var.project_create
  project_id              = var.project_id
  enforce_security_policy = var.enforce_security_policy
--- a/tests/blueprints/cloud_operations/glb_and_armor/fixture/variables.tf
+++ b/tests/blueprints/cloud_operations/glb_and_armor/fixture/variables.tf
--- a/tests/blueprints/cloud_operations/glb_and_armor/test_plan.py
+++ b/tests/blueprints/cloud_operations/glb_and_armor/test_plan.py