Switch FAST networking stages to network policies for Google domains (#1352)
* peering stage implementation
* vpn stage implementation
* tfdoc
* tests
* add most supported google domains
* align all net stages
* add support for factory to DNS response policy module
* use dns policy factory in network stages
* boilerplate
parent
234aa4c55d
commit
efb0ebe689
|
@ -130,13 +130,7 @@ DNS configuration is further centralized by leveraging peering zones, so that
|
||||||
|
|
||||||
- the hub/landing Cloud DNS hosts configurations for on-prem forwarding, Google API domains, and the top-level private zone/s (e.g. gcp.example.com)
|
- the hub/landing Cloud DNS hosts configurations for on-prem forwarding, Google API domains, and the top-level private zone/s (e.g. gcp.example.com)
|
||||||
- the spokes Cloud DNS host configurations for the environment-specific domains (e.g. prod.gcp.example.com), which are bound to the hub/landing leveraging [cross-project binding](https://cloud.google.com/dns/docs/zones/zones-overview#cross-project_binding); a peering zone for the `.` (root) zone is then created on each spoke, delegating all DNS resolution to hub/landing.
|
- the spokes Cloud DNS host configurations for the environment-specific domains (e.g. prod.gcp.example.com), which are bound to the hub/landing leveraging [cross-project binding](https://cloud.google.com/dns/docs/zones/zones-overview#cross-project_binding); a peering zone for the `.` (root) zone is then created on each spoke, delegating all DNS resolution to hub/landing.
|
||||||
- Private Google Access is enabled for a selection of the [supported domains](https://cloud.google.com/vpc/docs/configure-private-google-access#domain-options), namely
|
- Private Google Access is enabled via [DNS Response Policies](https://cloud.google.com/dns/docs/zones/manage-response-policies#create-response-policy-rule) for most of the [supported domains](https://cloud.google.com/vpc/docs/configure-private-google-access#domain-options)
|
||||||
- `private.googleapis.com`
|
|
||||||
- `restricted.googleapis.com`
|
|
||||||
- `gcr.io`
|
|
||||||
- `packages.cloud.google.com`
|
|
||||||
- `pkg.dev`
|
|
||||||
- `pki.goog`
|
|
||||||
|
|
||||||
To complete the configuration, the 35.199.192.0/19 range should be routed on the VPN tunnels from on-prem, and the following names configured for DNS forwarding to cloud:
|
To complete the configuration, the 35.199.192.0/19 range should be routed on the VPN tunnels from on-prem, and the following names configured for DNS forwarding to cloud:
|
||||||
|
|
||||||
|
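Review bot: dropping the bulleted domain list leaves this README section without any statement of which names the response policy actually answers, and "most of the supported domains" is not something a reader can verify. Since the list now lives in the rules file selected by `factories_config.dns_policy_rules_file` (default `data/dns-policy-rules.yaml`, per the variables table in this same change), the new sentence should link to that file and say the set is overridable through that variable. The unchanged sentence below about routing 35.199.192.0/19 from on-prem is still correct, but it is now the only place that mentions addresses at all; it would help to add that the 199.36.153.4/30 and 199.36.153.8/30 answers returned by the rules file must also be reachable over the same tunnels.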
@ -382,7 +376,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|
||||||
| name | description | modules | resources |
|
| name | description | modules | resources |
|
||||||
|---|---|---|---|
|
|---|---|---|---|
|
||||||
| [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | <code>dns</code> | |
|
| [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | <code>dns</code> | |
|
||||||
| [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | <code>dns</code> | |
|
| [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | <code>dns</code> · <code>dns-response-policy</code> | |
|
||||||
| [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | <code>dns</code> | |
|
| [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | <code>dns</code> | |
|
||||||
| [landing.tf](./landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
| [landing.tf](./landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
||||||
| [main.tf](./main.tf) | Networking folder and hierarchical policy. | <code>folder</code> | |
|
| [main.tf](./main.tf) | Networking folder and hierarchical policy. | <code>folder</code> | |
|
||||||
|
@ -403,18 +397,18 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|
||||||
|---|---|:---:|:---:|:---:|:---:|
|
|---|---|:---:|:---:|:---:|:---:|
|
||||||
| [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
| [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | <code title="object({ id = string is_org_level = optional(bool, true) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
| [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | <code title="object({ id = string is_org_level = optional(bool, true) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [folder_ids](variables.tf#L75) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | <code title="object({ networking = string networking-dev = string networking-prod = string })">object({…})</code> | ✓ | | <code>1-resman</code> |
|
| [folder_ids](variables.tf#L76) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | <code title="object({ networking = string networking-dev = string networking-prod = string })">object({…})</code> | ✓ | | <code>1-resman</code> |
|
||||||
| [organization](variables.tf#L85) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
| [organization](variables.tf#L86) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [prefix](variables.tf#L101) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
| [prefix](variables.tf#L102) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [custom_roles](variables.tf#L38) | Custom roles defined at the org level, in key => id format. | <code title="object({ service_project_network_admin = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
| [custom_roles](variables.tf#L38) | Custom roles defined at the org level, in key => id format. | <code title="object({ service_project_network_admin = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||||
| [dns](variables.tf#L47) | Onprem DNS resolvers. | <code>map(list(string))</code> | | <code title="{ onprem = ["10.0.200.3"] }">{…}</code> | |
|
| [dns](variables.tf#L47) | Onprem DNS resolvers. | <code>map(list(string))</code> | | <code title="{ onprem = ["10.0.200.3"] }">{…}</code> | |
|
||||||
| [factories_config](variables.tf#L55) | Configuration for network resource factories. | <code title="object({ data_dir = optional(string, "data") firewall_policy_name = optional(string, "factory") })">object({…})</code> | | <code title="{ data_dir = "data" }">{…}</code> | |
|
| [factories_config](variables.tf#L55) | Configuration for network resource factories. | <code title="object({ data_dir = optional(string, "data") dns_policy_rules_file = optional(string, "data/dns-policy-rules.yaml") firewall_policy_name = optional(string, "factory") })">object({…})</code> | | <code title="{ data_dir = "data" }">{…}</code> | |
|
||||||
| [outputs_location](variables.tf#L95) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
| [outputs_location](variables.tf#L96) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||||
| [peering_configs](variables-peerings.tf#L19) | Peering configurations. | <code title="map(object({ export_local_custom_routes = bool export_peer_custom_routes = bool }))">map(object({…}))</code> | | <code title="{ dev = { export_local_custom_routes = true export_peer_custom_routes = true } prod = { export_local_custom_routes = true export_peer_custom_routes = true } }">{…}</code> | |
|
| [peering_configs](variables-peerings.tf#L19) | Peering configurations. | <code title="map(object({ export_local_custom_routes = bool export_peer_custom_routes = bool }))">map(object({…}))</code> | | <code title="{ dev = { export_local_custom_routes = true export_peer_custom_routes = true } prod = { export_local_custom_routes = true export_peer_custom_routes = true } }">{…}</code> | |
|
||||||
| [psa_ranges](variables.tf#L112) | IP ranges used for Private Service Access (CloudSQL, etc.). | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
| [psa_ranges](variables.tf#L113) | IP ranges used for Private Service Access (CloudSQL, etc.). | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
||||||
| [regions](variables.tf#L133) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
| [regions](variables.tf#L134) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
||||||
| [service_accounts](variables.tf#L145) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string gke-dev = string gke-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>1-resman</code> |
|
| [service_accounts](variables.tf#L146) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string gke-dev = string gke-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>1-resman</code> |
|
||||||
| [vpn_onprem_primary_config](variables.tf#L159) | VPN gateway configuration for onprem interconnection in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
| [vpn_onprem_primary_config](variables.tf#L160) | VPN gateway configuration for onprem interconnection in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,110 @@
|
||||||
|
# skip boilerplate check
|
||||||
|
|
||||||
|
accounts:
|
||||||
|
dns_name: "accounts.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
backupdr-cloud:
|
||||||
|
dns_name: "backupdr.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
backupdr-cloud-all:
|
||||||
|
dns_name: "*.backupdr.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
backupdr-gu:
|
||||||
|
dns_name: "backupdr.googleusercontent.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
backupdr-gu-all:
|
||||||
|
dns_name: "*.backupdr.googleusercontent.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
cloudfunctions:
|
||||||
|
dns_name: "*.cloudfunctions.net."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
cloudproxy:
|
||||||
|
dns_name: "*.cloudproxy.app."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
composer-cloud-all:
|
||||||
|
dns_name: "*.composer.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
composer-gu-all:
|
||||||
|
dns_name: "*.composer.googleusercontent.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
datafusion-all:
|
||||||
|
dns_name: "*.datafusion.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
datafusion-gu-all:
|
||||||
|
dns_name: "*.datafusion.googleusercontent.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
dataproc:
|
||||||
|
dns_name: "dataproc.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
dataproc-all:
|
||||||
|
dns_name: "*.dataproc.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
dataproc-gu:
|
||||||
|
dns_name: "dataproc.googleusercontent.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
dataproc-gu-all:
|
||||||
|
dns_name: "*.dataproc.googleusercontent.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
dl:
|
||||||
|
dns_name: "dl.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
gcr:
|
||||||
|
dns_name: "gcr.io."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
gcr-all:
|
||||||
|
dns_name: "*.gcr.io."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
googleapis-all:
|
||||||
|
dns_name: "*.googleapis.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
googleapis-private:
|
||||||
|
dns_name: "private.googleapis.com."
|
||||||
|
local_data:
|
||||||
|
A:
|
||||||
|
rrdatas:
|
||||||
|
- 199.36.153.8
|
||||||
|
- 199.36.153.9
|
||||||
|
- 199.36.153.10
|
||||||
|
- 199.36.153.11
|
||||||
|
googleapis-restricted:
|
||||||
|
dns_name: "restricted.googleapis.com."
|
||||||
|
local_data:
|
||||||
|
A:
|
||||||
|
rrdatas:
|
||||||
|
- 199.36.153.4
|
||||||
|
- 199.36.153.5
|
||||||
|
- 199.36.153.6
|
||||||
|
- 199.36.153.7
|
||||||
|
gstatic-all:
|
||||||
|
dns_name: "*.gstatic.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
notebooks-all:
|
||||||
|
dns_name: "*.notebooks.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
notebooks-gu-all:
|
||||||
|
dns_name: "*.notebooks.googleusercontent.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
packages-cloud:
|
||||||
|
dns_name: "packages.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
packages-cloud-all:
|
||||||
|
dns_name: "*.packages.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
pkgdev:
|
||||||
|
dns_name: "pkg.dev."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
pkgdev-all:
|
||||||
|
dns_name: "*.pkg.dev."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
pkigoog:
|
||||||
|
dns_name: "pki.goog."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
pkigoog-all:
|
||||||
|
dns_name: "*.pki.goog."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
run-all:
|
||||||
|
dns_name: "*.run.app."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
source:
|
||||||
|
dns_name: "source.developers.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
|
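Review bot: every CNAME rule in this file targets `private.googleapis.com.`, while the A records for `restricted.googleapis.com.` (199.36.153.4 to .7) are only used when a client queries that name directly; a deployment that relies on VPC Service Controls would need the CNAMEs to target the restricted VIP instead, and nothing here says which of the two this default implements. Since this file is the default for `factories_config.dns_policy_rules_file`, add a header comment stating that the default resolves to the private VIP and that the restricted variant is obtained by pointing the file elsewhere with the CNAME targets changed. A one-line comment on the key naming (`-all` for wildcard names, `-gu` for `googleusercontent.com` names) would also help, as the keys are otherwise the only documentation of what each rule covers and they are what users will override.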
@ -18,7 +18,12 @@
|
||||||
|
|
||||||
# GCP-specific environment zone
|
# GCP-specific environment zone
|
||||||
|
|
||||||
module "dev-dns-private-zone" {
|
moved {
|
||||||
|
from = module.dev-dns-private-zone
|
||||||
|
to = module.dev-dns-priv-example
|
||||||
|
}
|
||||||
|
|
||||||
|
module "dev-dns-priv-example" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.dev-spoke-project.project_id
|
project_id = module.dev-spoke-project.project_id
|
||||||
type = "private"
|
type = "private"
|
||||||
|
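Review bot: the `moved` block is the right way to keep state for the renamed module, but `moved` requires Terraform 1.1 or later, so check that the stage's `required_version` constraint (not part of this diff) already allows nothing older. The same rename pattern is repeated for every DNS module in this file and in `dns-landing.tf` and `dns-prod.tf`; it is worth saying in the release notes that these `moved` blocks are transitional and can be removed once all deployments have applied this version, otherwise they tend to accumulate.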
@ -32,7 +37,12 @@ module "dev-dns-private-zone" {
|
||||||
|
|
||||||
# root zone peering to landing to centralize configuration; remove if unneeded
|
# root zone peering to landing to centralize configuration; remove if unneeded
|
||||||
|
|
||||||
module "dev-landing-root-dns-peering" {
|
moved {
|
||||||
|
from = module.dev-landing-root-dns-peering
|
||||||
|
to = module.dev-dns-peer-landing-root
|
||||||
|
}
|
||||||
|
|
||||||
|
module "dev-dns-peer-landing-root" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.dev-spoke-project.project_id
|
project_id = module.dev-spoke-project.project_id
|
||||||
type = "peering"
|
type = "peering"
|
||||||
|
@ -42,7 +52,12 @@ module "dev-landing-root-dns-peering" {
|
||||||
peer_network = module.landing-vpc.self_link
|
peer_network = module.landing-vpc.self_link
|
||||||
}
|
}
|
||||||
|
|
||||||
module "dev-reverse-10-dns-peering" {
|
moved {
|
||||||
|
from = module.dev-reverse-10-dns-peering
|
||||||
|
to = module.dev-dns-peer-landing-rev-10
|
||||||
|
}
|
||||||
|
|
||||||
|
module "dev-dns-peer-landing-rev-10" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.dev-spoke-project.project_id
|
project_id = module.dev-spoke-project.project_id
|
||||||
type = "peering"
|
type = "peering"
|
||||||
|
|
|
@ -18,7 +18,12 @@
|
||||||
|
|
||||||
# forwarding to on-prem DNS resolvers
|
# forwarding to on-prem DNS resolvers
|
||||||
|
|
||||||
module "onprem-example-dns-forwarding" {
|
moved {
|
||||||
|
from = module.onprem-example-dns-forwarding
|
||||||
|
to = module.landing-dns-fwd-onprem-example
|
||||||
|
}
|
||||||
|
|
||||||
|
module "landing-dns-fwd-onprem-example" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.landing-project.project_id
|
project_id = module.landing-project.project_id
|
||||||
type = "forwarding"
|
type = "forwarding"
|
||||||
|
@ -28,7 +33,12 @@ module "onprem-example-dns-forwarding" {
|
||||||
forwarders = { for ip in var.dns.onprem : ip => null }
|
forwarders = { for ip in var.dns.onprem : ip => null }
|
||||||
}
|
}
|
||||||
|
|
||||||
module "reverse-10-dns-forwarding" {
|
moved {
|
||||||
|
from = module.reverse-10-dns-forwarding
|
||||||
|
to = module.landing-dns-fwd-onprem-rev-10
|
||||||
|
}
|
||||||
|
|
||||||
|
module "landing-dns-fwd-onprem-rev-10" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.landing-project.project_id
|
project_id = module.landing-project.project_id
|
||||||
type = "forwarding"
|
type = "forwarding"
|
||||||
|
@ -38,7 +48,12 @@ module "reverse-10-dns-forwarding" {
|
||||||
forwarders = { for ip in var.dns.onprem : ip => null }
|
forwarders = { for ip in var.dns.onprem : ip => null }
|
||||||
}
|
}
|
||||||
|
|
||||||
module "gcp-example-dns-private-zone" {
|
moved {
|
||||||
|
from = module.gcp-example-dns-private-zone
|
||||||
|
to = module.landing-dns-priv-gcp
|
||||||
|
}
|
||||||
|
|
||||||
|
module "landing-dns-priv-gcp" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.landing-project.project_id
|
project_id = module.landing-project.project_id
|
||||||
type = "private"
|
type = "private"
|
||||||
|
@ -50,82 +65,14 @@ module "gcp-example-dns-private-zone" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# Google APIs
|
# Google APIs via response policies
|
||||||
|
|
||||||
module "googleapis-private-zone" {
|
module "landing-dns-policy-googleapis" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns-response-policy"
|
||||||
project_id = module.landing-project.project_id
|
project_id = module.landing-project.project_id
|
||||||
type = "private"
|
name = "googleapis"
|
||||||
name = "googleapis-com"
|
networks = {
|
||||||
domain = "googleapis.com."
|
landing = module.landing-vpc.self_link
|
||||||
client_networks = [module.landing-vpc.self_link]
|
|
||||||
recordsets = {
|
|
||||||
"A private" = { records = [
|
|
||||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
|
||||||
] }
|
|
||||||
"A restricted" = { records = [
|
|
||||||
"199.36.153.4", "199.36.153.5", "199.36.153.6", "199.36.153.7"
|
|
||||||
] }
|
|
||||||
"CNAME *" = { records = ["private.googleapis.com."] }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
module "gcrio-private-zone" {
|
|
||||||
source = "../../../modules/dns"
|
|
||||||
project_id = module.landing-project.project_id
|
|
||||||
type = "private"
|
|
||||||
name = "gcr-io"
|
|
||||||
domain = "gcr.io."
|
|
||||||
client_networks = [module.landing-vpc.self_link]
|
|
||||||
recordsets = {
|
|
||||||
"A gcr.io." = { ttl = 300, records = [
|
|
||||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
|
||||||
] }
|
|
||||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
module "packages-private-zone" {
|
|
||||||
source = "../../../modules/dns"
|
|
||||||
project_id = module.landing-project.project_id
|
|
||||||
type = "private"
|
|
||||||
name = "packages-cloud"
|
|
||||||
domain = "packages.cloud.google.com."
|
|
||||||
client_networks = [module.landing-vpc.self_link]
|
|
||||||
recordsets = {
|
|
||||||
"A packages.cloud.google.com." = { ttl = 300, records = [
|
|
||||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
|
||||||
] }
|
|
||||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
module "pkgdev-private-zone" {
|
|
||||||
source = "../../../modules/dns"
|
|
||||||
project_id = module.landing-project.project_id
|
|
||||||
type = "private"
|
|
||||||
name = "pkg-dev"
|
|
||||||
domain = "pkg.dev."
|
|
||||||
client_networks = [module.landing-vpc.self_link]
|
|
||||||
recordsets = {
|
|
||||||
"A pkg.dev." = { ttl = 300, records = [
|
|
||||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
|
||||||
] }
|
|
||||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
module "pkigoog-private-zone" {
|
|
||||||
source = "../../../modules/dns"
|
|
||||||
project_id = module.landing-project.project_id
|
|
||||||
type = "private"
|
|
||||||
name = "pki-goog"
|
|
||||||
domain = "pki.goog."
|
|
||||||
client_networks = [module.landing-vpc.self_link]
|
|
||||||
recordsets = {
|
|
||||||
"A pki.goog." = { ttl = 300, records = [
|
|
||||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
|
||||||
] }
|
|
||||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
|
||||||
}
|
}
|
||||||
|
rules_file = var.factories_config.dns_policy_rules_file
|
||||||
}
|
}
|
||||||
|
|
|
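Review bot: `networks` binds the response policy only to the landing VPC, while the private zones it replaces were also scoped to landing but reached from the spokes through their root (`.`) peering zones. Confirm that response policy rules are evaluated for queries arriving over the spokes' peering zones; if they are not, the dev and prod spoke VPCs must be added to `networks` (or given a policy of their own), otherwise the spokes silently fall back to public resolution for `*.googleapis.com` and every other name in the rules file, which is exactly the egress path this configuration exists to avoid. The comment above the module should also mention that response policy rules sit ahead of private zones in Cloud DNS resolution order, so any private zone later created in the landing project for one of these domains will be shadowed by these rules rather than consulted.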
@ -18,7 +18,12 @@
|
||||||
|
|
||||||
# GCP-specific environment zone
|
# GCP-specific environment zone
|
||||||
|
|
||||||
module "prod-dns-private-zone" {
|
moved {
|
||||||
|
from = module.prod-dns-private-zone
|
||||||
|
to = module.prod-dns-priv-example
|
||||||
|
}
|
||||||
|
|
||||||
|
module "prod-dns-priv-example" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.prod-spoke-project.project_id
|
project_id = module.prod-spoke-project.project_id
|
||||||
type = "private"
|
type = "private"
|
||||||
|
@ -32,7 +37,12 @@ module "prod-dns-private-zone" {
|
||||||
|
|
||||||
# root zone peering to landing to centralize configuration; remove if unneeded
|
# root zone peering to landing to centralize configuration; remove if unneeded
|
||||||
|
|
||||||
module "prod-landing-root-dns-peering" {
|
moved {
|
||||||
|
from = module.prod-landing-root-dns-peering
|
||||||
|
to = module.prod-dns-peer-landing-root
|
||||||
|
}
|
||||||
|
|
||||||
|
module "prod-dns-peer-landing-root" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.prod-spoke-project.project_id
|
project_id = module.prod-spoke-project.project_id
|
||||||
type = "peering"
|
type = "peering"
|
||||||
|
@ -42,7 +52,12 @@ module "prod-landing-root-dns-peering" {
|
||||||
peer_network = module.landing-vpc.self_link
|
peer_network = module.landing-vpc.self_link
|
||||||
}
|
}
|
||||||
|
|
||||||
module "prod-reverse-10-dns-peering" {
|
moved {
|
||||||
|
from = module.prod-reverse-10-dns-peering
|
||||||
|
to = module.prod-dns-peer-landing-rev-10
|
||||||
|
}
|
||||||
|
|
||||||
|
module "prod-dns-peer-landing-rev-10" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.prod-spoke-project.project_id
|
project_id = module.prod-spoke-project.project_id
|
||||||
type = "peering"
|
type = "peering"
|
||||||
|
|
|
@ -56,6 +56,7 @@ variable "factories_config" {
|
||||||
description = "Configuration for network resource factories."
|
description = "Configuration for network resource factories."
|
||||||
type = object({
|
type = object({
|
||||||
data_dir = optional(string, "data")
|
data_dir = optional(string, "data")
|
||||||
|
dns_policy_rules_file = optional(string, "data/dns-policy-rules.yaml")
|
||||||
firewall_policy_name = optional(string, "factory")
|
firewall_policy_name = optional(string, "factory")
|
||||||
})
|
})
|
||||||
default = {
|
default = {
|
||||||
|
|
|
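Review bot: the new default `data/dns-policy-rules.yaml` hardcodes the `data` directory instead of following `data_dir`, so a user who overrides `data_dir` still gets the rules file from `data/` unless they also set `dns_policy_rules_file`. Either derive the path from `data_dir` in a local when the attribute is left null, or state the behaviour in the variable description, which still reads only "Configuration for network resource factories." and does not mention the rules file at all.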
@ -136,13 +136,7 @@ DNS configuration is further centralized by leveraging peering zones, so that
|
||||||
|
|
||||||
- the hub/landing Cloud DNS hosts configurations for on-prem forwarding, Google API domains, and the top-level private zone/s (e.g. gcp.example.com)
|
- the hub/landing Cloud DNS hosts configurations for on-prem forwarding, Google API domains, and the top-level private zone/s (e.g. gcp.example.com)
|
||||||
- the spokes Cloud DNS host configurations for the environment-specific domains (e.g. prod.gcp.example.com), which are bound to the hub/landing leveraging [cross-project binding](https://cloud.google.com/dns/docs/zones/zones-overview#cross-project_binding); a peering zone for the `.` (root) zone is then created on each spoke, delegating all DNS resolution to hub/landing.
|
- the spokes Cloud DNS host configurations for the environment-specific domains (e.g. prod.gcp.example.com), which are bound to the hub/landing leveraging [cross-project binding](https://cloud.google.com/dns/docs/zones/zones-overview#cross-project_binding); a peering zone for the `.` (root) zone is then created on each spoke, delegating all DNS resolution to hub/landing.
|
||||||
- Private Google Access is enabled for a selection of the [supported domains](https://cloud.google.com/vpc/docs/configure-private-google-access#domain-options), namely
|
- Private Google Access is enabled via [DNS Response Policies](https://cloud.google.com/dns/docs/zones/manage-response-policies#create-response-policy-rule) for most of the [supported domains](https://cloud.google.com/vpc/docs/configure-private-google-access#domain-options)
|
||||||
- `private.googleapis.com`
|
|
||||||
- `restricted.googleapis.com`
|
|
||||||
- `gcr.io`
|
|
||||||
- `packages.cloud.google.com`
|
|
||||||
- `pkg.dev`
|
|
||||||
- `pki.goog`
|
|
||||||
|
|
||||||
To complete the configuration, the 35.199.192.0/19 range should be routed on the VPN tunnels from on-prem, and the following names configured for DNS forwarding to cloud:
|
To complete the configuration, the 35.199.192.0/19 range should be routed on the VPN tunnels from on-prem, and the following names configured for DNS forwarding to cloud:
|
||||||
|
|
||||||
|
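Review bot: this is the same README paragraph as in the peering stage, with the same loss of the explicit domain list; whichever wording is chosen there (a link to the rules file and a mention of `factories_config.dns_policy_rules_file`) should be applied to both stages in the same change so the two READMEs do not drift.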
@ -405,7 +399,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|
||||||
| name | description | modules | resources |
|
| name | description | modules | resources |
|
||||||
|---|---|---|---|
|
|---|---|---|---|
|
||||||
| [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | <code>dns</code> | |
|
| [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | <code>dns</code> | |
|
||||||
| [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | <code>dns</code> | |
|
| [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | <code>dns</code> · <code>dns-response-policy</code> | |
|
||||||
| [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | <code>dns</code> | |
|
| [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | <code>dns</code> | |
|
||||||
| [landing.tf](./landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
| [landing.tf](./landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
||||||
| [main.tf](./main.tf) | Networking folder and hierarchical policy. | <code>folder</code> | |
|
| [main.tf](./main.tf) | Networking folder and hierarchical policy. | <code>folder</code> | |
|
||||||
|
@ -428,18 +422,18 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|
||||||
|---|---|:---:|:---:|:---:|:---:|
|
|---|---|:---:|:---:|:---:|:---:|
|
||||||
| [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
| [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | <code title="object({ id = string is_org_level = optional(bool, true) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
| [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | <code title="object({ id = string is_org_level = optional(bool, true) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [folder_ids](variables.tf#L75) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | <code title="object({ networking = string networking-dev = string networking-prod = string })">object({…})</code> | ✓ | | <code>1-resman</code> |
|
| [folder_ids](variables.tf#L76) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | <code title="object({ networking = string networking-dev = string networking-prod = string })">object({…})</code> | ✓ | | <code>1-resman</code> |
|
||||||
| [organization](variables.tf#L85) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
| [organization](variables.tf#L86) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [prefix](variables.tf#L101) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
| [prefix](variables.tf#L102) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [custom_roles](variables.tf#L38) | Custom roles defined at the org level, in key => id format. | <code title="object({ service_project_network_admin = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
| [custom_roles](variables.tf#L38) | Custom roles defined at the org level, in key => id format. | <code title="object({ service_project_network_admin = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||||
| [dns](variables.tf#L47) | Onprem DNS resolvers. | <code>map(list(string))</code> | | <code title="{ onprem = ["10.0.200.3"] }">{…}</code> | |
|
| [dns](variables.tf#L47) | Onprem DNS resolvers. | <code>map(list(string))</code> | | <code title="{ onprem = ["10.0.200.3"] }">{…}</code> | |
|
||||||
| [factories_config](variables.tf#L55) | Configuration for network resource factories. | <code title="object({ data_dir = optional(string, "data") firewall_policy_name = optional(string, "factory") })">object({…})</code> | | <code title="{ data_dir = "data" }">{…}</code> | |
|
| [factories_config](variables.tf#L55) | Configuration for network resource factories. | <code title="object({ data_dir = optional(string, "data") dns_policy_rules_file = optional(string, "data/dns-policy-rules.yaml") firewall_policy_name = optional(string, "factory") })">object({…})</code> | | <code title="{ data_dir = "data" }">{…}</code> | |
|
||||||
| [outputs_location](variables.tf#L95) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
| [outputs_location](variables.tf#L96) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||||
| [psa_ranges](variables.tf#L112) | IP ranges used for Private Service Access (CloudSQL, etc.). | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
| [psa_ranges](variables.tf#L113) | IP ranges used for Private Service Access (CloudSQL, etc.). | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
||||||
| [regions](variables.tf#L133) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
| [regions](variables.tf#L134) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
||||||
| [service_accounts](variables.tf#L145) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string gke-dev = string gke-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>1-resman</code> |
|
| [service_accounts](variables.tf#L146) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string gke-dev = string gke-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>1-resman</code> |
|
||||||
| [vpn_configs](variables-vpn.tf#L17) | Hub to spokes VPN configurations. | <code title="object({ dev = object({ asn = number custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) landing = object({ asn = number custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) prod = object({ asn = number custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) })">object({…})</code> | | <code title="{ dev = { asn = 65501 } landing = { asn = 65500 } prod = { asn = 65502 } }">{…}</code> | |
|
| [vpn_configs](variables-vpn.tf#L17) | Hub to spokes VPN configurations. | <code title="object({ dev = object({ asn = number custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) landing = object({ asn = number custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) prod = object({ asn = number custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) })">object({…})</code> | | <code title="{ dev = { asn = 65501 } landing = { asn = 65500 } prod = { asn = 65502 } }">{…}</code> | |
|
||||||
| [vpn_onprem_primary_config](variables.tf#L159) | VPN gateway configuration for onprem interconnection in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
| [vpn_onprem_primary_config](variables.tf#L160) | VPN gateway configuration for onprem interconnection in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,110 @@
|
||||||
|
# skip boilerplate check
|
||||||
|
|
||||||
|
accounts:
|
||||||
|
dns_name: "accounts.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
backupdr-cloud:
|
||||||
|
dns_name: "backupdr.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
backupdr-cloud-all:
|
||||||
|
dns_name: "*.backupdr.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
backupdr-gu:
|
||||||
|
dns_name: "backupdr.googleusercontent.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
backupdr-gu-all:
|
||||||
|
dns_name: "*.backupdr.googleusercontent.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
cloudfunctions:
|
||||||
|
dns_name: "*.cloudfunctions.net."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
cloudproxy:
|
||||||
|
dns_name: "*.cloudproxy.app."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
composer-cloud-all:
|
||||||
|
dns_name: "*.composer.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
composer-gu-all:
|
||||||
|
dns_name: "*.composer.googleusercontent.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
datafusion-all:
|
||||||
|
dns_name: "*.datafusion.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
datafusion-gu-all:
|
||||||
|
dns_name: "*.datafusion.googleusercontent.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
dataproc:
|
||||||
|
dns_name: "dataproc.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
dataproc-all:
|
||||||
|
dns_name: "*.dataproc.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
dataproc-gu:
|
||||||
|
dns_name: "dataproc.googleusercontent.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
dataproc-gu-all:
|
||||||
|
dns_name: "*.dataproc.googleusercontent.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
dl:
|
||||||
|
dns_name: "dl.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
gcr:
|
||||||
|
dns_name: "gcr.io."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
gcr-all:
|
||||||
|
dns_name: "*.gcr.io."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
googleapis-all:
|
||||||
|
dns_name: "*.googleapis.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
googleapis-private:
|
||||||
|
dns_name: "private.googleapis.com."
|
||||||
|
local_data:
|
||||||
|
A:
|
||||||
|
rrdatas:
|
||||||
|
- 199.36.153.8
|
||||||
|
- 199.36.153.9
|
||||||
|
- 199.36.153.10
|
||||||
|
- 199.36.153.11
|
||||||
|
googleapis-restricted:
|
||||||
|
dns_name: "restricted.googleapis.com."
|
||||||
|
local_data:
|
||||||
|
A:
|
||||||
|
rrdatas:
|
||||||
|
- 199.36.153.4
|
||||||
|
- 199.36.153.5
|
||||||
|
- 199.36.153.6
|
||||||
|
- 199.36.153.7
|
||||||
|
gstatic-all:
|
||||||
|
dns_name: "*.gstatic.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
notebooks-all:
|
||||||
|
dns_name: "*.notebooks.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
notebooks-gu-all:
|
||||||
|
dns_name: "*.notebooks.googleusercontent.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
packages-cloud:
|
||||||
|
dns_name: "packages.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
packages-cloud-all:
|
||||||
|
dns_name: "*.packages.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
pkgdev:
|
||||||
|
dns_name: "pkg.dev."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
pkgdev-all:
|
||||||
|
dns_name: "*.pkg.dev."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
pkigoog:
|
||||||
|
dns_name: "pki.goog."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
pkigoog-all:
|
||||||
|
dns_name: "*.pki.goog."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
run-all:
|
||||||
|
dns_name: "*.run.app."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
source:
|
||||||
|
dns_name: "source.developers.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
|
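Review bot: every CNAME rule in this file targets `private.googleapis.com.`, while `restricted.googleapis.com.` is answered (199.36.153.4 to 199.36.153.7) but never used as a target. With VPC Service Controls the restricted VIP is the one that only serves perimeter-supported APIs, so either document in the stage README that this file is where the target is switched, or ship a second rules file for the restricted case, rather than defaulting every deployment to the private VIP without saying so. Since the rules are plain YAML selected by `factories_config.dns_policy_rules_file`, a malformed `dns_name` (for example a missing trailing dot) is only caught at apply time; a stage test that asserts every `dns_name` ends with `.` and that every CNAME target has a matching A rule in the same file would be cheap and would catch the common edit mistakes in this list.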
@ -18,7 +18,12 @@
|
||||||
|
|
||||||
# GCP-specific environment zone
|
# GCP-specific environment zone
|
||||||
|
|
||||||
module "dev-dns-private-zone" {
|
moved {
|
||||||
|
from = module.dev-dns-private-zone
|
||||||
|
to = module.dev-dns-priv-example
|
||||||
|
}
|
||||||
|
|
||||||
|
module "dev-dns-priv-example" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.dev-spoke-project.project_id
|
project_id = module.dev-spoke-project.project_id
|
||||||
type = "private"
|
type = "private"
|
||||||
|
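Review bot: the `moved` block correctly carries existing state across the rename (`dev-dns-private-zone` to `dev-dns-priv-example`), and the same pattern is repeated for the peering modules below and in `dns-landing.tf` and `dns-prod.tf`; consider collecting these blocks in one file per stage and noting in the changelog the release after which they can be removed, otherwise they stay interleaved with the module definitions indefinitely and obscure the actual configuration.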
@ -32,7 +37,12 @@ module "dev-dns-private-zone" {
|
||||||
|
|
||||||
# root zone peering to landing to centralize configuration; remove if unneeded
|
# root zone peering to landing to centralize configuration; remove if unneeded
|
||||||
|
|
||||||
module "dev-landing-root-dns-peering" {
|
moved {
|
||||||
|
from = module.dev-landing-root-dns-peering
|
||||||
|
to = module.dev-dns-peer-landing-root
|
||||||
|
}
|
||||||
|
|
||||||
|
module "dev-dns-peer-landing-root" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.dev-spoke-project.project_id
|
project_id = module.dev-spoke-project.project_id
|
||||||
type = "peering"
|
type = "peering"
|
||||||
|
@ -42,7 +52,12 @@ module "dev-landing-root-dns-peering" {
|
||||||
peer_network = module.landing-vpc.self_link
|
peer_network = module.landing-vpc.self_link
|
||||||
}
|
}
|
||||||
|
|
||||||
module "dev-reverse-10-dns-peering" {
|
moved {
|
||||||
|
from = module.dev-reverse-10-dns-peering
|
||||||
|
to = module.dev-dns-peer-landing-rev-10
|
||||||
|
}
|
||||||
|
|
||||||
|
module "dev-dns-peer-landing-rev-10" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.dev-spoke-project.project_id
|
project_id = module.dev-spoke-project.project_id
|
||||||
type = "peering"
|
type = "peering"
|
||||||
|
|
|
@ -18,7 +18,12 @@
|
||||||
|
|
||||||
# forwarding to on-prem DNS resolvers
|
# forwarding to on-prem DNS resolvers
|
||||||
|
|
||||||
module "onprem-example-dns-forwarding" {
|
moved {
|
||||||
|
from = module.onprem-example-dns-forwarding
|
||||||
|
to = module.landing-dns-fwd-onprem-example
|
||||||
|
}
|
||||||
|
|
||||||
|
module "landing-dns-fwd-onprem-example" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.landing-project.project_id
|
project_id = module.landing-project.project_id
|
||||||
type = "forwarding"
|
type = "forwarding"
|
||||||
|
@ -28,7 +33,12 @@ module "onprem-example-dns-forwarding" {
|
||||||
forwarders = { for ip in var.dns.onprem : ip => null }
|
forwarders = { for ip in var.dns.onprem : ip => null }
|
||||||
}
|
}
|
||||||
|
|
||||||
module "reverse-10-dns-forwarding" {
|
moved {
|
||||||
|
from = module.reverse-10-dns-forwarding
|
||||||
|
to = module.landing-dns-fwd-onprem-rev-10
|
||||||
|
}
|
||||||
|
|
||||||
|
module "landing-dns-fwd-onprem-rev-10" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.landing-project.project_id
|
project_id = module.landing-project.project_id
|
||||||
type = "forwarding"
|
type = "forwarding"
|
||||||
|
@ -38,7 +48,12 @@ module "reverse-10-dns-forwarding" {
|
||||||
forwarders = { for ip in var.dns.onprem : ip => null }
|
forwarders = { for ip in var.dns.onprem : ip => null }
|
||||||
}
|
}
|
||||||
|
|
||||||
module "gcp-example-dns-private-zone" {
|
moved {
|
||||||
|
from = module.gcp-example-dns-private-zone
|
||||||
|
to = module.landing-dns-priv-gcp
|
||||||
|
}
|
||||||
|
|
||||||
|
module "landing-dns-priv-gcp" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.landing-project.project_id
|
project_id = module.landing-project.project_id
|
||||||
type = "private"
|
type = "private"
|
||||||
|
@ -50,82 +65,14 @@ module "gcp-example-dns-private-zone" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# Google APIs
|
# Google APIs via response policies
|
||||||
|
|
||||||
module "googleapis-private-zone" {
|
module "landing-dns-policy-googleapis" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns-response-policy"
|
||||||
project_id = module.landing-project.project_id
|
project_id = module.landing-project.project_id
|
||||||
type = "private"
|
name = "googleapis"
|
||||||
name = "googleapis-com"
|
networks = {
|
||||||
domain = "googleapis.com."
|
landing = module.landing-vpc.self_link
|
||||||
client_networks = [module.landing-vpc.self_link]
|
|
||||||
recordsets = {
|
|
||||||
"A private" = { records = [
|
|
||||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
|
||||||
] }
|
|
||||||
"A restricted" = { records = [
|
|
||||||
"199.36.153.4", "199.36.153.5", "199.36.153.6", "199.36.153.7"
|
|
||||||
] }
|
|
||||||
"CNAME *" = { records = ["private.googleapis.com."] }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
module "gcrio-private-zone" {
|
|
||||||
source = "../../../modules/dns"
|
|
||||||
project_id = module.landing-project.project_id
|
|
||||||
type = "private"
|
|
||||||
name = "gcr-io"
|
|
||||||
domain = "gcr.io."
|
|
||||||
client_networks = [module.landing-vpc.self_link]
|
|
||||||
recordsets = {
|
|
||||||
"A gcr.io." = { ttl = 300, records = [
|
|
||||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
|
||||||
] }
|
|
||||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
module "packages-private-zone" {
|
|
||||||
source = "../../../modules/dns"
|
|
||||||
project_id = module.landing-project.project_id
|
|
||||||
type = "private"
|
|
||||||
name = "packages-cloud"
|
|
||||||
domain = "packages.cloud.google.com."
|
|
||||||
client_networks = [module.landing-vpc.self_link]
|
|
||||||
recordsets = {
|
|
||||||
"A packages.cloud.google.com." = { ttl = 300, records = [
|
|
||||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
|
||||||
] }
|
|
||||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
module "pkgdev-private-zone" {
|
|
||||||
source = "../../../modules/dns"
|
|
||||||
project_id = module.landing-project.project_id
|
|
||||||
type = "private"
|
|
||||||
name = "pkg-dev"
|
|
||||||
domain = "pkg.dev."
|
|
||||||
client_networks = [module.landing-vpc.self_link]
|
|
||||||
recordsets = {
|
|
||||||
"A pkg.dev." = { ttl = 300, records = [
|
|
||||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
|
||||||
] }
|
|
||||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
module "pkigoog-private-zone" {
|
|
||||||
source = "../../../modules/dns"
|
|
||||||
project_id = module.landing-project.project_id
|
|
||||||
type = "private"
|
|
||||||
name = "pki-goog"
|
|
||||||
domain = "pki.goog."
|
|
||||||
client_networks = [module.landing-vpc.self_link]
|
|
||||||
recordsets = {
|
|
||||||
"A pki.goog." = { ttl = 300, records = [
|
|
||||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
|
||||||
] }
|
|
||||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
|
||||||
}
|
}
|
||||||
|
rules_file = var.factories_config.dns_policy_rules_file
|
||||||
}
|
}
|
||||||
|
|
|
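Review bot: the new response policy is attached only to the landing VPC (`networks = { landing = module.landing-vpc.self_link }`), while dev and prod resolve these names through their root peering zones to landing. The removed private zones were also landing-only, but private zones and response policies sit at different points of the Cloud DNS resolution order, so please verify that VMs in the spoke VPCs still receive the `private.googleapis.com` answers after this change, and either add the spoke networks to `networks` or state explicitly in the README that the landing response policy is honoured for queries arriving over the peering. A second, smaller point: `rules_file = var.factories_config.dns_policy_rules_file` is resolved relative to the directory Terraform runs in, consistent with how `data_dir` is used, but that convention is worth a comment here since a wrong working directory will surface as a `file()` error on this module rather than as a clear message.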
@ -18,7 +18,12 @@
|
||||||
|
|
||||||
# GCP-specific environment zone
|
# GCP-specific environment zone
|
||||||
|
|
||||||
module "prod-dns-private-zone" {
|
moved {
|
||||||
|
from = module.prod-dns-private-zone
|
||||||
|
to = module.prod-dns-priv-example
|
||||||
|
}
|
||||||
|
|
||||||
|
module "prod-dns-priv-example" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.prod-spoke-project.project_id
|
project_id = module.prod-spoke-project.project_id
|
||||||
type = "private"
|
type = "private"
|
||||||
|
@ -32,7 +37,12 @@ module "prod-dns-private-zone" {
|
||||||
|
|
||||||
# root zone peering to landing to centralize configuration; remove if unneeded
|
# root zone peering to landing to centralize configuration; remove if unneeded
|
||||||
|
|
||||||
module "prod-landing-root-dns-peering" {
|
moved {
|
||||||
|
from = module.prod-landing-root-dns-peering
|
||||||
|
to = module.prod-dns-peer-landing-root
|
||||||
|
}
|
||||||
|
|
||||||
|
module "prod-dns-peer-landing-root" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.prod-spoke-project.project_id
|
project_id = module.prod-spoke-project.project_id
|
||||||
type = "peering"
|
type = "peering"
|
||||||
|
@ -42,7 +52,12 @@ module "prod-landing-root-dns-peering" {
|
||||||
peer_network = module.landing-vpc.self_link
|
peer_network = module.landing-vpc.self_link
|
||||||
}
|
}
|
||||||
|
|
||||||
module "prod-reverse-10-dns-peering" {
|
moved {
|
||||||
|
from = module.prod-reverse-10-dns-peering
|
||||||
|
to = module.prod-dns-peer-landing-rev-10
|
||||||
|
}
|
||||||
|
|
||||||
|
module "prod-dns-peer-landing-rev-10" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.prod-spoke-project.project_id
|
project_id = module.prod-spoke-project.project_id
|
||||||
type = "peering"
|
type = "peering"
|
||||||
|
|
|
@ -56,6 +56,7 @@ variable "factories_config" {
|
||||||
description = "Configuration for network resource factories."
|
description = "Configuration for network resource factories."
|
||||||
type = object({
|
type = object({
|
||||||
data_dir = optional(string, "data")
|
data_dir = optional(string, "data")
|
||||||
|
dns_policy_rules_file = optional(string, "data/dns-policy-rules.yaml")
|
||||||
firewall_policy_name = optional(string, "factory")
|
firewall_policy_name = optional(string, "factory")
|
||||||
})
|
})
|
||||||
default = {
|
default = {
|
||||||
|
|
|
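Review bot: `dns_policy_rules_file = optional(string, "data/dns-policy-rules.yaml")` gives users no way to opt out of the Google APIs response policy: setting the attribute to `null` re-applies the default under Terraform's `optional()` semantics, and an empty string makes the `file()` read fail. If disabling the policy is a supported case (for instance where Google API resolution is managed on-prem), add an explicit toggle; otherwise state in the variable description that the file is required and that the path is resolved relative to the stage directory, as `data_dir` already is.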
@ -210,13 +210,7 @@ DNS configuration is further centralized by leveraging peering zones, so that
|
||||||
|
|
||||||
- the hub/landing Cloud DNS hosts configurations for on-prem forwarding, Google API domains, and the top-level private zone/s (e.g. gcp.example.com)
|
- the hub/landing Cloud DNS hosts configurations for on-prem forwarding, Google API domains, and the top-level private zone/s (e.g. gcp.example.com)
|
||||||
- the spokes Cloud DNS host configurations for the environment-specific domains (e.g. prod.gcp.example.com), which are bound to the hub/landing leveraging [cross-project binding](https://cloud.google.com/dns/docs/zones/zones-overview#cross-project_binding); a peering zone for the `.` (root) zone is then created on each spoke, delegating all DNS resolution to hub/landing.
|
- the spokes Cloud DNS host configurations for the environment-specific domains (e.g. prod.gcp.example.com), which are bound to the hub/landing leveraging [cross-project binding](https://cloud.google.com/dns/docs/zones/zones-overview#cross-project_binding); a peering zone for the `.` (root) zone is then created on each spoke, delegating all DNS resolution to hub/landing.
|
||||||
- Private Google Access is enabled for a selection of the [supported domains](https://cloud.google.com/vpc/docs/configure-private-google-access#domain-options), namely
|
- Private Google Access is enabled via [DNS Response Policies](https://cloud.google.com/dns/docs/zones/manage-response-policies#create-response-policy-rule) for most of the [supported domains](https://cloud.google.com/vpc/docs/configure-private-google-access#domain-options)
|
||||||
- `private.googleapis.com`
|
|
||||||
- `restricted.googleapis.com`
|
|
||||||
- `gcr.io`
|
|
||||||
- `packages.cloud.google.com`
|
|
||||||
- `pkg.dev`
|
|
||||||
- `pki.goog`
|
|
||||||
|
|
||||||
To complete the configuration, the 35.199.192.0/19 range should be routed to the VPN tunnels from on-premises, and the following names should be configured for DNS forwarding to cloud:
|
To complete the configuration, the 35.199.192.0/19 range should be routed to the VPN tunnels from on-premises, and the following names should be configured for DNS forwarding to cloud:
|
||||||
|
|
||||||
|
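Review bot: the rewritten bullet drops the explicit list of domains without saying where the new list lives; point readers at `data/dns-policy-rules.yaml` (overridable via `factories_config.dns_policy_rules_file`) and keep one sentence stating that `private.googleapis.com` and `restricted.googleapis.com` are answered with their own VIP ranges while every other name is a CNAME to the private VIP, since that is what an operator needs to know when choosing between the two for VPC Service Controls. The unchanged sentence about routing 35.199.192.0/19 is now the only guidance for on-prem consumers, so it would also help to say whether the response policy answers apply to queries that on-prem resolvers forward into Cloud DNS through that range.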
@ -464,7 +458,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|
||||||
| name | description | modules | resources |
|
| name | description | modules | resources |
|
||||||
|---|---|---|---|
|
|---|---|---|---|
|
||||||
| [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | <code>dns</code> | |
|
| [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | <code>dns</code> | |
|
||||||
| [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | <code>dns</code> | |
|
| [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | <code>dns</code> · <code>dns-response-policy</code> | |
|
||||||
| [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | <code>dns</code> | |
|
| [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | <code>dns</code> | |
|
||||||
| [landing.tf](./landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
| [landing.tf](./landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
||||||
| [main.tf](./main.tf) | Networking folder and hierarchical policy. | <code>folder</code> | |
|
| [main.tf](./main.tf) | Networking folder and hierarchical policy. | <code>folder</code> | |
|
||||||
|
@ -484,20 +478,20 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|
||||||
|---|---|:---:|:---:|:---:|:---:|
|
|---|---|:---:|:---:|:---:|:---:|
|
||||||
| [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
| [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | <code title="object({ id = string is_org_level = optional(bool, true) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
| [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | <code title="object({ id = string is_org_level = optional(bool, true) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [folder_ids](variables.tf#L75) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | <code title="object({ networking = string networking-dev = string networking-prod = string })">object({…})</code> | ✓ | | <code>1-resman</code> |
|
| [folder_ids](variables.tf#L76) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | <code title="object({ networking = string networking-dev = string networking-prod = string })">object({…})</code> | ✓ | | <code>1-resman</code> |
|
||||||
| [organization](variables.tf#L108) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
| [organization](variables.tf#L109) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [prefix](variables.tf#L124) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
| [prefix](variables.tf#L125) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [custom_roles](variables.tf#L38) | Custom roles defined at the org level, in key => id format. | <code title="object({ service_project_network_admin = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
| [custom_roles](variables.tf#L38) | Custom roles defined at the org level, in key => id format. | <code title="object({ service_project_network_admin = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||||
| [dns](variables.tf#L47) | Onprem DNS resolvers. | <code>map(list(string))</code> | | <code title="{ onprem = ["10.0.200.3"] }">{…}</code> | |
|
| [dns](variables.tf#L47) | Onprem DNS resolvers. | <code>map(list(string))</code> | | <code title="{ onprem = ["10.0.200.3"] }">{…}</code> | |
|
||||||
| [factories_config](variables.tf#L55) | Configuration for network resource factories. | <code title="object({ data_dir = optional(string, "data") firewall_policy_name = optional(string, "factory") })">object({…})</code> | | <code title="{ data_dir = "data" }">{…}</code> | |
|
| [factories_config](variables.tf#L55) | Configuration for network resource factories. | <code title="object({ data_dir = optional(string, "data") dns_policy_rules_file = optional(string, "data/dns-policy-rules.yaml") firewall_policy_name = optional(string, "factory") })">object({…})</code> | | <code title="{ data_dir = "data" }">{…}</code> | |
|
||||||
| [gcp_ranges](variables.tf#L85) | GCP address ranges in name => range format. | <code>map(string)</code> | | <code title="{ gcp_dev_primary = "10.128.128.0/19" gcp_dev_secondary = "10.128.160.0/19" gcp_landing_trusted_primary = "10.128.64.0/19" gcp_landing_trusted_secondary = "10.128.96.0/19" gcp_landing_untrusted_primary = "10.128.0.0/19" gcp_landing_untrusted_secondary = "10.128.32.0/19" gcp_prod_primary = "10.128.192.0/19" gcp_prod_secondary = "10.128.224.0/19" }">{…}</code> | |
|
| [gcp_ranges](variables.tf#L86) | GCP address ranges in name => range format. | <code>map(string)</code> | | <code title="{ gcp_dev_primary = "10.128.128.0/19" gcp_dev_secondary = "10.128.160.0/19" gcp_landing_trusted_primary = "10.128.64.0/19" gcp_landing_trusted_secondary = "10.128.96.0/19" gcp_landing_untrusted_primary = "10.128.0.0/19" gcp_landing_untrusted_secondary = "10.128.32.0/19" gcp_prod_primary = "10.128.192.0/19" gcp_prod_secondary = "10.128.224.0/19" }">{…}</code> | |
|
||||||
| [onprem_cidr](variables.tf#L100) | Onprem addresses in name => range format. | <code>map(string)</code> | | <code title="{ main = "10.0.0.0/24" }">{…}</code> | |
|
| [onprem_cidr](variables.tf#L101) | Onprem addresses in name => range format. | <code>map(string)</code> | | <code title="{ main = "10.0.0.0/24" }">{…}</code> | |
|
||||||
| [outputs_location](variables.tf#L118) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
| [outputs_location](variables.tf#L119) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||||
| [psa_ranges](variables.tf#L135) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
| [psa_ranges](variables.tf#L136) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
||||||
| [regions](variables.tf#L156) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
| [regions](variables.tf#L157) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
||||||
| [service_accounts](variables.tf#L168) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string gke-dev = string gke-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>1-resman</code> |
|
| [service_accounts](variables.tf#L169) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string gke-dev = string gke-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>1-resman</code> |
|
||||||
| [vpn_onprem_primary_config](variables.tf#L182) | VPN gateway configuration for onprem interconnection in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
| [vpn_onprem_primary_config](variables.tf#L183) | VPN gateway configuration for onprem interconnection in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||||
| [vpn_onprem_secondary_config](variables.tf#L225) | VPN gateway configuration for onprem interconnection in the secondary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
| [vpn_onprem_secondary_config](variables.tf#L226) | VPN gateway configuration for onprem interconnection in the secondary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|
|
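Review bot: the `factories_config` row now exposes `dns_policy_rules_file` but its description column still reads only "Configuration for network resource factories.", so nothing in this README tells the reader what that file must contain. Since tfdoc generates this table from the variable description, extend the description in `variables.tf` to state that the file is a YAML map of rule name to `dns_name` / `local_data` consumed by the `dns-response-policy` module, and that the path is resolved relative to the directory terraform is run from. The remaining rows in this hunk only shift their `variables.tf#L…` anchors by one line and need no change.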
@ -0,0 +1,110 @@
|
||||||
|
# skip boilerplate check
|
||||||
|
|
||||||
|
accounts:
|
||||||
|
dns_name: "accounts.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
backupdr-cloud:
|
||||||
|
dns_name: "backupdr.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
backupdr-cloud-all:
|
||||||
|
dns_name: "*.backupdr.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
backupdr-gu:
|
||||||
|
dns_name: "backupdr.googleusercontent.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
backupdr-gu-all:
|
||||||
|
dns_name: "*.backupdr.googleusercontent.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
cloudfunctions:
|
||||||
|
dns_name: "*.cloudfunctions.net."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
cloudproxy:
|
||||||
|
dns_name: "*.cloudproxy.app."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
composer-cloud-all:
|
||||||
|
dns_name: "*.composer.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
composer-gu-all:
|
||||||
|
dns_name: "*.composer.googleusercontent.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
datafusion-all:
|
||||||
|
dns_name: "*.datafusion.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
datafusion-gu-all:
|
||||||
|
dns_name: "*.datafusion.googleusercontent.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
dataproc:
|
||||||
|
dns_name: "dataproc.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
dataproc-all:
|
||||||
|
dns_name: "*.dataproc.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
dataproc-gu:
|
||||||
|
dns_name: "dataproc.googleusercontent.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
dataproc-gu-all:
|
||||||
|
dns_name: "*.dataproc.googleusercontent.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
dl:
|
||||||
|
dns_name: "dl.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
gcr:
|
||||||
|
dns_name: "gcr.io."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
gcr-all:
|
||||||
|
dns_name: "*.gcr.io."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
googleapis-all:
|
||||||
|
dns_name: "*.googleapis.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
googleapis-private:
|
||||||
|
dns_name: "private.googleapis.com."
|
||||||
|
local_data:
|
||||||
|
A:
|
||||||
|
rrdatas:
|
||||||
|
- 199.36.153.8
|
||||||
|
- 199.36.153.9
|
||||||
|
- 199.36.153.10
|
||||||
|
- 199.36.153.11
|
||||||
|
googleapis-restricted:
|
||||||
|
dns_name: "restricted.googleapis.com."
|
||||||
|
local_data:
|
||||||
|
A:
|
||||||
|
rrdatas:
|
||||||
|
- 199.36.153.4
|
||||||
|
- 199.36.153.5
|
||||||
|
- 199.36.153.6
|
||||||
|
- 199.36.153.7
|
||||||
|
gstatic-all:
|
||||||
|
dns_name: "*.gstatic.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
notebooks-all:
|
||||||
|
dns_name: "*.notebooks.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
notebooks-gu-all:
|
||||||
|
dns_name: "*.notebooks.googleusercontent.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
packages-cloud:
|
||||||
|
dns_name: "packages.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
packages-cloud-all:
|
||||||
|
dns_name: "*.packages.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
pkgdev:
|
||||||
|
dns_name: "pkg.dev."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
pkgdev-all:
|
||||||
|
dns_name: "*.pkg.dev."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
pkigoog:
|
||||||
|
dns_name: "pki.goog."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
pkigoog-all:
|
||||||
|
dns_name: "*.pki.goog."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
run-all:
|
||||||
|
dns_name: "*.run.app."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
source:
|
||||||
|
dns_name: "source.developers.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
|
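Review bot: this file is now the single place that decides whether Google API traffic from these VPCs hits the private or the restricted VIP, but nothing in it says so: both `private.googleapis.com.` (199.36.153.8-11) and `restricted.googleapis.com.` (199.36.153.4-7) get A rules, while every CNAME rule, including the `*.googleapis.com.` wildcard, points at `private.googleapis.com.`, so `restricted.googleapis.com.` only answers when a client asks for it by name. Add a header comment (next to `# skip boilerplate check`) that states this choice, that `restricted` is the one to pick when VPC Service Controls must be enforced for every API call from these networks, and that switching is a replace of the `rrdatas` target across the CNAME rules. Two smaller points: the local data carries IPv4 `A` records only, which should be stated if IPv6 clients are ever expected; and the mix of flow style (`local_data: { CNAME: { rrdatas: [...] } }`) and block style for the two `A` entries is fine for YAML but worth normalising so the file diffs cleanly when rules are added.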
@ -32,7 +32,12 @@ module "dev-dns-private-zone" {
|
||||||
|
|
||||||
# root zone peering to landing to centralize configuration; remove if unneeded
|
# root zone peering to landing to centralize configuration; remove if unneeded
|
||||||
|
|
||||||
module "dev-landing-root-dns-peering" {
|
moved {
|
||||||
|
from = module.dev-landing-root-dns-peering
|
||||||
|
to = module.dev-dns-peer-landing-root
|
||||||
|
}
|
||||||
|
|
||||||
|
module "dev-dns-peer-landing-root" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.dev-spoke-project.project_id
|
project_id = module.dev-spoke-project.project_id
|
||||||
type = "peering"
|
type = "peering"
|
||||||
|
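Review bot: the `moved` blocks added here (from `module.dev-landing-root-dns-peering` to `module.dev-dns-peer-landing-root`) are correct for renaming without recreating the peering zone, but they carry no comment, unlike the peering module right below them, whose comment says "remove if unneeded". Add a one-line comment that these blocks exist only to migrate state of existing deployments and can be deleted once every deployment has applied this version, so that someone who later follows the "remove if unneeded" advice on the peering module also knows to drop the matching `moved` block rather than leave it pointing at a module that no longer exists. The same applies to the other rename hunks in this commit.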
@ -42,7 +47,12 @@ module "dev-landing-root-dns-peering" {
|
||||||
peer_network = module.landing-trusted-vpc.self_link
|
peer_network = module.landing-trusted-vpc.self_link
|
||||||
}
|
}
|
||||||
|
|
||||||
module "dev-reverse-10-dns-peering" {
|
moved {
|
||||||
|
from = module.dev-reverse-10-dns-peering
|
||||||
|
to = module.dev-dns-peer-landing-rev-10
|
||||||
|
}
|
||||||
|
|
||||||
|
module "dev-dns-peer-landing-rev-10" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.dev-spoke-project.project_id
|
project_id = module.dev-spoke-project.project_id
|
||||||
type = "peering"
|
type = "peering"
|
||||||
|
|
|
@ -18,7 +18,12 @@
|
||||||
|
|
||||||
# forwarding to on-prem DNS resolvers
|
# forwarding to on-prem DNS resolvers
|
||||||
|
|
||||||
module "onprem-example-dns-forwarding" {
|
moved {
|
||||||
|
from = module.onprem-example-dns-forwarding
|
||||||
|
to = module.landing-dns-fwd-onprem-example
|
||||||
|
}
|
||||||
|
|
||||||
|
module "landing-dns-fwd-onprem-example" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.landing-project.project_id
|
project_id = module.landing-project.project_id
|
||||||
type = "forwarding"
|
type = "forwarding"
|
||||||
|
@ -31,7 +36,12 @@ module "onprem-example-dns-forwarding" {
|
||||||
forwarders = { for ip in var.dns.onprem : ip => null }
|
forwarders = { for ip in var.dns.onprem : ip => null }
|
||||||
}
|
}
|
||||||
|
|
||||||
module "reverse-10-dns-forwarding" {
|
moved {
|
||||||
|
from = module.reverse-10-dns-forwarding
|
||||||
|
to = module.landing-dns-fwd-onprem-rev-10
|
||||||
|
}
|
||||||
|
|
||||||
|
module "landing-dns-fwd-onprem-rev-10" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.landing-project.project_id
|
project_id = module.landing-project.project_id
|
||||||
type = "forwarding"
|
type = "forwarding"
|
||||||
|
@ -44,7 +54,12 @@ module "reverse-10-dns-forwarding" {
|
||||||
forwarders = { for ip in var.dns.onprem : ip => null }
|
forwarders = { for ip in var.dns.onprem : ip => null }
|
||||||
}
|
}
|
||||||
|
|
||||||
module "gcp-example-dns-private-zone" {
|
moved {
|
||||||
|
from = module.gcp-example-dns-private-zone
|
||||||
|
to = module.landing-dns-priv-gcp
|
||||||
|
}
|
||||||
|
|
||||||
|
module "landing-dns-priv-gcp" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.landing-project.project_id
|
project_id = module.landing-project.project_id
|
||||||
type = "private"
|
type = "private"
|
||||||
|
@ -61,95 +76,13 @@ module "gcp-example-dns-private-zone" {
|
||||||
|
|
||||||
# Google APIs
|
# Google APIs
|
||||||
|
|
||||||
module "googleapis-private-zone" {
|
module "landing-dns-policy-googleapis" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns-response-policy"
|
||||||
project_id = module.landing-project.project_id
|
project_id = module.landing-project.project_id
|
||||||
type = "private"
|
name = "googleapis"
|
||||||
name = "googleapis-com"
|
networks = {
|
||||||
domain = "googleapis.com."
|
landing-trusted = module.landing-trusted-vpc.self_link
|
||||||
client_networks = [
|
landing-untrusted = module.landing-untrusted-vpc.self_link
|
||||||
module.landing-untrusted-vpc.self_link,
|
|
||||||
module.landing-trusted-vpc.self_link
|
|
||||||
]
|
|
||||||
recordsets = {
|
|
||||||
"A private" = { records = [
|
|
||||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
|
||||||
] }
|
|
||||||
"A restricted" = { records = [
|
|
||||||
"199.36.153.4", "199.36.153.5", "199.36.153.6", "199.36.153.7"
|
|
||||||
] }
|
|
||||||
"CNAME *" = { records = ["private.googleapis.com."] }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
module "gcrio-private-zone" {
|
|
||||||
source = "../../../modules/dns"
|
|
||||||
project_id = module.landing-project.project_id
|
|
||||||
type = "private"
|
|
||||||
name = "gcr-io"
|
|
||||||
domain = "gcr.io."
|
|
||||||
client_networks = [
|
|
||||||
module.landing-untrusted-vpc.self_link,
|
|
||||||
module.landing-trusted-vpc.self_link
|
|
||||||
]
|
|
||||||
recordsets = {
|
|
||||||
"A gcr.io." = { ttl = 300, records = [
|
|
||||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
|
||||||
] }
|
|
||||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
module "packages-private-zone" {
|
|
||||||
source = "../../../modules/dns"
|
|
||||||
project_id = module.landing-project.project_id
|
|
||||||
type = "private"
|
|
||||||
name = "packages-cloud"
|
|
||||||
domain = "packages.cloud.google.com."
|
|
||||||
client_networks = [
|
|
||||||
module.landing-untrusted-vpc.self_link,
|
|
||||||
module.landing-trusted-vpc.self_link
|
|
||||||
]
|
|
||||||
recordsets = {
|
|
||||||
"A packages.cloud.google.com." = { ttl = 300, records = [
|
|
||||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
|
||||||
] }
|
|
||||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
module "pkgdev-private-zone" {
|
|
||||||
source = "../../../modules/dns"
|
|
||||||
project_id = module.landing-project.project_id
|
|
||||||
type = "private"
|
|
||||||
name = "pkg-dev"
|
|
||||||
domain = "pkg.dev."
|
|
||||||
client_networks = [
|
|
||||||
module.landing-untrusted-vpc.self_link,
|
|
||||||
module.landing-trusted-vpc.self_link
|
|
||||||
]
|
|
||||||
recordsets = {
|
|
||||||
"A pkg.dev." = { ttl = 300, records = [
|
|
||||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
|
||||||
] }
|
|
||||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
module "pkigoog-private-zone" {
|
|
||||||
source = "../../../modules/dns"
|
|
||||||
project_id = module.landing-project.project_id
|
|
||||||
type = "private"
|
|
||||||
name = "pki-goog"
|
|
||||||
domain = "pki.goog."
|
|
||||||
client_networks = [
|
|
||||||
module.landing-untrusted-vpc.self_link,
|
|
||||||
module.landing-trusted-vpc.self_link
|
|
||||||
]
|
|
||||||
recordsets = {
|
|
||||||
"A pki.goog." = { ttl = 300, records = [
|
|
||||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
|
||||||
] }
|
|
||||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
|
||||||
}
|
}
|
||||||
|
rules_file = var.factories_config.dns_policy_rules_file
|
||||||
}
|
}
|
||||||
|
|
|
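Review bot: the new `landing-dns-policy-googleapis` module binds the response policy to `landing-trusted` and `landing-untrusted` only, which matches the `client_networks` of the five private zones it replaces, but it does not obviously preserve what the spokes got before. The dev and prod spoke VPCs reach these names through their root (`.`) peering zones to `landing-trusted`, and a private zone in landing was resolvable that way; a response policy is applied to the VPCs listed in `networks`, so unless the docs confirm that policies are also applied to queries arriving over DNS peering, the spokes silently go back to public resolution of `*.googleapis.com`, `gcr.io`, `pkg.dev` and the rest. The `networks` argument is already a map, so the safe fix is to add the dev and prod spoke VPC self links to it (the dns-dev.tf and dns-prod.tf hunks in this commit only rename peering modules and add no policy of their own). Also note that the removed zones set `ttl = 300` on their records while response policy local data carries no TTL here; that is fine, but worth a comment so nobody hunts for the missing setting.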
@ -32,7 +32,12 @@ module "prod-dns-private-zone" {
|
||||||
|
|
||||||
# root zone peering to landing to centralize configuration; remove if unneeded
|
# root zone peering to landing to centralize configuration; remove if unneeded
|
||||||
|
|
||||||
module "prod-landing-root-dns-peering" {
|
moved {
|
||||||
|
from = module.prod-landing-root-dns-peering
|
||||||
|
to = module.prod-dns-peer-landing-root
|
||||||
|
}
|
||||||
|
|
||||||
|
module "prod-dns-peer-landing-root" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.prod-spoke-project.project_id
|
project_id = module.prod-spoke-project.project_id
|
||||||
type = "peering"
|
type = "peering"
|
||||||
|
@ -42,7 +47,12 @@ module "prod-landing-root-dns-peering" {
|
||||||
peer_network = module.landing-trusted-vpc.self_link
|
peer_network = module.landing-trusted-vpc.self_link
|
||||||
}
|
}
|
||||||
|
|
||||||
module "prod-reverse-10-dns-peering" {
|
moved {
|
||||||
|
from = module.prod-reverse-10-dns-peering
|
||||||
|
to = module.prod-dns-peer-landing-rev-10
|
||||||
|
}
|
||||||
|
|
||||||
|
module "prod-dns-peer-landing-rev-10" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.prod-spoke-project.project_id
|
project_id = module.prod-spoke-project.project_id
|
||||||
type = "peering"
|
type = "peering"
|
||||||
|
|
|
@ -56,6 +56,7 @@ variable "factories_config" {
|
||||||
description = "Configuration for network resource factories."
|
description = "Configuration for network resource factories."
|
||||||
type = object({
|
type = object({
|
||||||
data_dir = optional(string, "data")
|
data_dir = optional(string, "data")
|
||||||
|
dns_policy_rules_file = optional(string, "data/dns-policy-rules.yaml")
|
||||||
firewall_policy_name = optional(string, "factory")
|
firewall_policy_name = optional(string, "factory")
|
||||||
})
|
})
|
||||||
default = {
|
default = {
|
||||||
|
|
|
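Review bot: the default `dns_policy_rules_file = optional(string, "data/dns-policy-rules.yaml")` is a fixed string and does not follow `data_dir`, so a user who sets `factories_config = { data_dir = "my-data" }` still has the DNS rules read from `data/`, with no error if that file happens to exist. Either document this in the variable description (which is unchanged in this hunk) or default the field to `null` and build the path in a local, for example `coalesce(var.factories_config.dns_policy_rules_file, "${var.factories_config.data_dir}/dns-policy-rules.yaml")`. In both cases say that the path is relative to the directory terraform is invoked from, since the response policy now silently falls back to public Google resolution if the file is not found where expected and the module is pointed at an empty rule set.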
@ -95,13 +95,7 @@ DNS often goes hand in hand with networking, especially on GCP where Cloud DNS z
|
||||||
|
|
||||||
- on-prem to cloud via private zones for cloud-managed domains, and an [inbound policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) used as forwarding target or via delegation (requires some extra configuration) from on-prem DNS resolvers
|
- on-prem to cloud via private zones for cloud-managed domains, and an [inbound policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) used as forwarding target or via delegation (requires some extra configuration) from on-prem DNS resolvers
|
||||||
- cloud to on-prem via forwarding zones for the on-prem managed domains
|
- cloud to on-prem via forwarding zones for the on-prem managed domains
|
||||||
- Private Google Access is enabled for a selection of the [supported domains](https://cloud.google.com/vpc/docs/configure-private-google-access#domain-options), namely
|
- Private Google Access is enabled via [DNS Response Policies](https://cloud.google.com/dns/docs/zones/manage-response-policies#create-response-policy-rule) for most of the [supported domains](https://cloud.google.com/vpc/docs/configure-private-google-access#domain-options)
|
||||||
- `private.googleapis.com`
|
|
||||||
- `restricted.googleapis.com`
|
|
||||||
- `gcr.io`
|
|
||||||
- `packages.cloud.google.com`
|
|
||||||
- `pkg.dev`
|
|
||||||
- `pki.goog`
|
|
||||||
|
|
||||||
To complete the configuration, the 35.199.192.0/19 range should be routed on the VPN tunnels from on-prem, and the following names configured for DNS forwarding to cloud:
|
To complete the configuration, the 35.199.192.0/19 range should be routed on the VPN tunnels from on-prem, and the following names configured for DNS forwarding to cloud:
|
||||||
|
|
||||||
|
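Review bot: the rewritten bullet says Private Google Access is enabled "for most of the supported domains" and drops the explicit list (`private.googleapis.com`, `restricted.googleapis.com`, `gcr.io`, `packages.cloud.google.com`, `pkg.dev`, `pki.goog`), so a reader can no longer tell from the README which names are intercepted, and the paragraph that follows ("the following names configured for DNS forwarding to cloud") depends on that knowledge. Name the rules file in the sentence, i.e. the `factories_config.dns_policy_rules_file` default `data/dns-policy-rules.yaml`, state that every rule resolves to `private.googleapis.com` unless the file is edited, and say that the policy is bound per VPC, so the on-prem forwarding notes below still apply to the names in that file.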
@ -328,8 +322,8 @@ Regions are defined via the `regions` variable which sets up a mapping between t
|
||||||
|
|
||||||
| name | description | modules | resources |
|
| name | description | modules | resources |
|
||||||
|---|---|---|---|
|
|---|---|---|---|
|
||||||
| [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | <code>dns</code> | |
|
| [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | <code>dns</code> · <code>dns-response-policy</code> | |
|
||||||
| [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | <code>dns</code> | |
|
| [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | <code>dns</code> · <code>dns-response-policy</code> | |
|
||||||
| [main.tf](./main.tf) | Networking folder and hierarchical policy. | <code>folder</code> | |
|
| [main.tf](./main.tf) | Networking folder and hierarchical policy. | <code>folder</code> | |
|
||||||
| [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | <code>google_monitoring_dashboard</code> |
|
| [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | <code>google_monitoring_dashboard</code> |
|
||||||
| [outputs.tf](./outputs.tf) | Module outputs. | | <code>google_storage_bucket_object</code> · <code>local_file</code> |
|
| [outputs.tf](./outputs.tf) | Module outputs. | | <code>google_storage_bucket_object</code> · <code>local_file</code> |
|
||||||
|
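Review bot: the modules column for `dns-dev.tf` and `dns-prod.tf` now lists `dns-response-policy`, but the description column still reads "Development spoke DNS zones and peerings setup." and "Production spoke DNS zones and peerings setup.", so the table contradicts itself about what these files create. Update the `tfdoc:file:description` comment at the top of each file to mention the Google API response policy, so the regenerated table describes the new content.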
@ -346,18 +340,18 @@ Regions are defined via the `regions` variable which sets up a mapping between t
|
||||||
|---|---|:---:|:---:|:---:|:---:|
|
|---|---|:---:|:---:|:---:|:---:|
|
||||||
| [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
| [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | <code title="object({ id = string is_org_level = optional(bool, true) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
| [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | <code title="object({ id = string is_org_level = optional(bool, true) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [folder_ids](variables.tf#L76) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | <code title="object({ networking = string networking-dev = string networking-prod = string })">object({…})</code> | ✓ | | <code>1-resman</code> |
|
| [folder_ids](variables.tf#L77) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | <code title="object({ networking = string networking-dev = string networking-prod = string })">object({…})</code> | ✓ | | <code>1-resman</code> |
|
||||||
| [organization](variables.tf#L86) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
| [organization](variables.tf#L87) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [prefix](variables.tf#L102) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
| [prefix](variables.tf#L103) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [custom_roles](variables.tf#L38) | Custom roles defined at the org level, in key => id format. | <code title="object({ service_project_network_admin = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
| [custom_roles](variables.tf#L38) | Custom roles defined at the org level, in key => id format. | <code title="object({ service_project_network_admin = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||||
| [dns](variables.tf#L47) | Onprem DNS resolvers. | <code>map(list(string))</code> | | <code title="{ prod = ["10.0.1.1"] dev = ["10.0.2.1"] }">{…}</code> | |
|
| [dns](variables.tf#L47) | Onprem DNS resolvers. | <code>map(list(string))</code> | | <code title="{ prod = ["10.0.1.1"] dev = ["10.0.2.1"] }">{…}</code> | |
|
||||||
| [factories_config](variables.tf#L56) | Configuration for network resource factories. | <code title="object({ data_dir = optional(string, "data") firewall_policy_name = optional(string, "factory") })">object({…})</code> | | <code title="{ data_dir = "data" }">{…}</code> | |
|
| [factories_config](variables.tf#L56) | Configuration for network resource factories. | <code title="object({ data_dir = optional(string, "data") dns_policy_rules_file = optional(string, "data/dns-policy-rules.yaml") firewall_policy_name = optional(string, "factory") })">object({…})</code> | | <code title="{ data_dir = "data" }">{…}</code> | |
|
||||||
| [outputs_location](variables.tf#L96) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
| [outputs_location](variables.tf#L97) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||||
| [psa_ranges](variables.tf#L113) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
| [psa_ranges](variables.tf#L114) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
||||||
| [regions](variables.tf#L134) | Region definitions. | <code title="object({ primary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" }">{…}</code> | |
|
| [regions](variables.tf#L135) | Region definitions. | <code title="object({ primary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" }">{…}</code> | |
|
||||||
| [service_accounts](variables.tf#L144) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string gke-dev = string gke-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>1-resman</code> |
|
| [service_accounts](variables.tf#L145) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string gke-dev = string gke-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>1-resman</code> |
|
||||||
| [vpn_onprem_dev_primary_config](variables.tf#L158) | VPN gateway configuration for onprem interconnection from dev in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
| [vpn_onprem_dev_primary_config](variables.tf#L159) | VPN gateway configuration for onprem interconnection from dev in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||||
| [vpn_onprem_prod_primary_config](variables.tf#L201) | VPN gateway configuration for onprem interconnection from prod in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
| [vpn_onprem_prod_primary_config](variables.tf#L202) | VPN gateway configuration for onprem interconnection from prod in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,110 @@
|
||||||
|
# skip boilerplate check
|
||||||
|
|
||||||
|
accounts:
|
||||||
|
dns_name: "accounts.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
backupdr-cloud:
|
||||||
|
dns_name: "backupdr.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
backupdr-cloud-all:
|
||||||
|
dns_name: "*.backupdr.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
backupdr-gu:
|
||||||
|
dns_name: "backupdr.googleusercontent.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
backupdr-gu-all:
|
||||||
|
dns_name: "*.backupdr.googleusercontent.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
cloudfunctions:
|
||||||
|
dns_name: "*.cloudfunctions.net."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
cloudproxy:
|
||||||
|
dns_name: "*.cloudproxy.app."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
composer-cloud-all:
|
||||||
|
dns_name: "*.composer.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
composer-gu-all:
|
||||||
|
dns_name: "*.composer.googleusercontent.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
datafusion-all:
|
||||||
|
dns_name: "*.datafusion.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
datafusion-gu-all:
|
||||||
|
dns_name: "*.datafusion.googleusercontent.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
dataproc:
|
||||||
|
dns_name: "dataproc.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
dataproc-all:
|
||||||
|
dns_name: "*.dataproc.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
dataproc-gu:
|
||||||
|
dns_name: "dataproc.googleusercontent.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
dataproc-gu-all:
|
||||||
|
dns_name: "*.dataproc.googleusercontent.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
dl:
|
||||||
|
dns_name: "dl.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
gcr:
|
||||||
|
dns_name: "gcr.io."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
gcr-all:
|
||||||
|
dns_name: "*.gcr.io."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
googleapis-all:
|
||||||
|
dns_name: "*.googleapis.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
googleapis-private:
|
||||||
|
dns_name: "private.googleapis.com."
|
||||||
|
local_data:
|
||||||
|
A:
|
||||||
|
rrdatas:
|
||||||
|
- 199.36.153.8
|
||||||
|
- 199.36.153.9
|
||||||
|
- 199.36.153.10
|
||||||
|
- 199.36.153.11
|
||||||
|
googleapis-restricted:
|
||||||
|
dns_name: "restricted.googleapis.com."
|
||||||
|
local_data:
|
||||||
|
A:
|
||||||
|
rrdatas:
|
||||||
|
- 199.36.153.4
|
||||||
|
- 199.36.153.5
|
||||||
|
- 199.36.153.6
|
||||||
|
- 199.36.153.7
|
||||||
|
gstatic-all:
|
||||||
|
dns_name: "*.gstatic.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
notebooks-all:
|
||||||
|
dns_name: "*.notebooks.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
notebooks-gu-all:
|
||||||
|
dns_name: "*.notebooks.googleusercontent.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
packages-cloud:
|
||||||
|
dns_name: "packages.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
packages-cloud-all:
|
||||||
|
dns_name: "*.packages.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
pkgdev:
|
||||||
|
dns_name: "pkg.dev."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
pkgdev-all:
|
||||||
|
dns_name: "*.pkg.dev."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
pkigoog:
|
||||||
|
dns_name: "pki.goog."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
pkigoog-all:
|
||||||
|
dns_name: "*.pki.goog."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
run-all:
|
||||||
|
dns_name: "*.run.app."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
source:
|
||||||
|
dns_name: "source.developers.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
|
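Review bot: the `backupdr-gu` and `backupdr-gu-all` rules use `backupdr.googleusercontent.google.com.`, which breaks the pattern every other `-gu` entry in this file follows (`*.composer.googleusercontent.com.`, `*.dataproc.googleusercontent.com.`, `*.notebooks.googleusercontent.com.`); please check that name against the supported-domains list the README links to, because a wrong name here fails silently: that service just keeps resolving publicly instead of via `private.googleapis.com`. A second point worth a comment at the top of the file: A records are defined for both `private.googleapis.com.` (199.36.153.8-11) and `restricted.googleapis.com.` (199.36.153.4-7, the VPC Service Controls endpoint), but every CNAME rule targets `private.googleapis.com.`, so a deployment that relies on the restricted VIP has to rewrite all the CNAME targets, not just add rules. Stating that choice explicitly saves the next reader from assuming the restricted A record is in use.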
@ -30,7 +30,12 @@ module "dev-dns-private-zone" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
module "dev-onprem-example-dns-forwarding" {
|
moved {
|
||||||
|
from = module.dev-onprem-example-dns-forwarding
|
||||||
|
to = module.dev-dns-fwd-onprem-example
|
||||||
|
}
|
||||||
|
|
||||||
|
module "dev-dns-fwd-onprem-example" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.dev-spoke-project.project_id
|
project_id = module.dev-spoke-project.project_id
|
||||||
type = "forwarding"
|
type = "forwarding"
|
||||||
|
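Review bot: the `moved` block from `module.dev-onprem-example-dns-forwarding` to `module.dev-dns-fwd-onprem-example` is the right way to do the rename without a destroy/recreate of the forwarding zone; add a one-line comment saying when the block can be dropped (once existing deployments have applied the rename), since these blocks tend to accumulate across releases otherwise.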
@ -40,7 +45,12 @@ module "dev-onprem-example-dns-forwarding" {
|
||||||
forwarders = { for ip in var.dns.dev : ip => null }
|
forwarders = { for ip in var.dns.dev : ip => null }
|
||||||
}
|
}
|
||||||
|
|
||||||
module "dev-reverse-10-dns-forwarding" {
|
moved {
|
||||||
|
from = module.dev-reverse-10-dns-forwarding
|
||||||
|
to = module.dev-dns-fwd-onprem-rev-10
|
||||||
|
}
|
||||||
|
|
||||||
|
module "dev-dns-fwd-onprem-rev-10" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.dev-spoke-project.project_id
|
project_id = module.dev-spoke-project.project_id
|
||||||
type = "forwarding"
|
type = "forwarding"
|
||||||
|
@ -52,80 +62,12 @@ module "dev-reverse-10-dns-forwarding" {
|
||||||
|
|
||||||
# Google APIs
|
# Google APIs
|
||||||
|
|
||||||
module "dev-googleapis-private-zone" {
|
module "dev-dns-policy-googleapis" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns-response-policy"
|
||||||
project_id = module.dev-spoke-project.project_id
|
project_id = module.dev-spoke-project.project_id
|
||||||
type = "private"
|
name = "googleapis"
|
||||||
name = "googleapis-com"
|
networks = {
|
||||||
domain = "googleapis.com."
|
dev = module.dev-spoke-vpc.self_link
|
||||||
client_networks = [module.dev-spoke-vpc.self_link]
|
|
||||||
recordsets = {
|
|
||||||
"A private" = { records = [
|
|
||||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
|
||||||
] }
|
|
||||||
"A restricted" = { records = [
|
|
||||||
"199.36.153.4", "199.36.153.5", "199.36.153.6", "199.36.153.7"
|
|
||||||
] }
|
|
||||||
"CNAME *" = { records = ["private.googleapis.com."] }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
module "dev-gcrio-private-zone" {
|
|
||||||
source = "../../../modules/dns"
|
|
||||||
project_id = module.dev-spoke-project.project_id
|
|
||||||
type = "private"
|
|
||||||
name = "gcr-io"
|
|
||||||
domain = "gcr.io."
|
|
||||||
client_networks = [module.dev-spoke-vpc.self_link]
|
|
||||||
recordsets = {
|
|
||||||
"A gcr.io." = { ttl = 300, records = [
|
|
||||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
|
||||||
] }
|
|
||||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
module "dev-packages-private-zone" {
|
|
||||||
source = "../../../modules/dns"
|
|
||||||
project_id = module.dev-spoke-project.project_id
|
|
||||||
type = "private"
|
|
||||||
name = "packages-cloud"
|
|
||||||
domain = "packages.cloud.google.com."
|
|
||||||
client_networks = [module.dev-spoke-vpc.self_link]
|
|
||||||
recordsets = {
|
|
||||||
"A packages.cloud.google.com." = { ttl = 300, records = [
|
|
||||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
|
||||||
] }
|
|
||||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
module "dev-pkgdev-private-zone" {
|
|
||||||
source = "../../../modules/dns"
|
|
||||||
project_id = module.dev-spoke-project.project_id
|
|
||||||
type = "private"
|
|
||||||
name = "pkg-dev"
|
|
||||||
domain = "pkg.dev."
|
|
||||||
client_networks = [module.dev-spoke-vpc.self_link]
|
|
||||||
recordsets = {
|
|
||||||
"A pkg.dev." = { ttl = 300, records = [
|
|
||||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
|
||||||
] }
|
|
||||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
module "dev-pkigoog-private-zone" {
|
|
||||||
source = "../../../modules/dns"
|
|
||||||
project_id = module.dev-spoke-project.project_id
|
|
||||||
type = "private"
|
|
||||||
name = "pki-goog"
|
|
||||||
domain = "pki.goog."
|
|
||||||
client_networks = [module.dev-spoke-vpc.self_link]
|
|
||||||
recordsets = {
|
|
||||||
"A pki.goog." = { ttl = 300, records = [
|
|
||||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
|
||||||
] }
|
|
||||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
|
||||||
}
|
}
|
||||||
|
rules_file = var.factories_config.dns_policy_rules_file
|
||||||
}
|
}
|
||||||
|
|
|
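Review bot: replacing the five `modules/dns` private zones (`googleapis.com.`, `gcr.io.`, `packages.cloud.google.com.`, `pkg.dev.`, `pki.goog.`) with the single `dev-dns-policy-googleapis` response policy has no `moved` equivalent, so on an existing deployment the apply destroys the zones and creates the policy as unrelated operations with no ordering guarantee; private resolution of those names from the dev spoke can briefly be lost. Call this out in the commit message or the stage README so operators apply it in a window where that is acceptable. Two smaller points: the removed recordsets carried `ttl = 300` and the YAML rules carry no TTL, so confirm the module default is what you want; and since the policy now covers far more than `googleapis.com` (`gcr.io.`, `pkg.dev.`, `*.run.app.`, ...), a name such as `private-google-access` would describe it better than `name = "googleapis"`.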
@ -30,7 +30,12 @@ module "prod-dns-private-zone" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
module "prod-onprem-example-dns-forwarding" {
|
moved {
|
||||||
|
from = module.prod-onprem-example-dns-forwarding
|
||||||
|
to = module.prod-dns-fwd-onprem-example
|
||||||
|
}
|
||||||
|
|
||||||
|
module "prod-dns-fwd-onprem-example" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.prod-spoke-project.project_id
|
project_id = module.prod-spoke-project.project_id
|
||||||
type = "forwarding"
|
type = "forwarding"
|
||||||
|
@ -40,7 +45,12 @@ module "prod-onprem-example-dns-forwarding" {
|
||||||
forwarders = { for ip in var.dns.prod : ip => null }
|
forwarders = { for ip in var.dns.prod : ip => null }
|
||||||
}
|
}
|
||||||
|
|
||||||
module "prod-reverse-10-dns-forwarding" {
|
moved {
|
||||||
|
from = module.prod-reverse-10-dns-forwarding
|
||||||
|
to = module.prod-dns-fwd-onprem-rev-10
|
||||||
|
}
|
||||||
|
|
||||||
|
module "prod-dns-fwd-onprem-rev-10" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.prod-spoke-project.project_id
|
project_id = module.prod-spoke-project.project_id
|
||||||
type = "forwarding"
|
type = "forwarding"
|
||||||
|
@ -52,80 +62,12 @@ module "prod-reverse-10-dns-forwarding" {
|
||||||
|
|
||||||
# Google APIs
|
# Google APIs
|
||||||
|
|
||||||
module "prod-googleapis-private-zone" {
|
module "prod-dns-policy-googleapis" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns-response-policy"
|
||||||
project_id = module.prod-spoke-project.project_id
|
project_id = module.prod-spoke-project.project_id
|
||||||
type = "private"
|
name = "googleapis"
|
||||||
name = "googleapis-com"
|
networks = {
|
||||||
domain = "googleapis.com."
|
prod = module.prod-spoke-vpc.self_link
|
||||||
client_networks = [module.prod-spoke-vpc.self_link]
|
|
||||||
recordsets = {
|
|
||||||
"A private" = { records = [
|
|
||||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
|
||||||
] }
|
|
||||||
"A restricted" = { records = [
|
|
||||||
"199.36.153.4", "199.36.153.5", "199.36.153.6", "199.36.153.7"
|
|
||||||
] }
|
|
||||||
"CNAME *" = { records = ["private.googleapis.com."] }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
module "prod-gcrio-private-zone" {
|
|
||||||
source = "../../../modules/dns"
|
|
||||||
project_id = module.prod-spoke-project.project_id
|
|
||||||
type = "private"
|
|
||||||
name = "gcr-io"
|
|
||||||
domain = "gcr.io."
|
|
||||||
client_networks = [module.prod-spoke-vpc.self_link]
|
|
||||||
recordsets = {
|
|
||||||
"A gcr.io." = { ttl = 300, records = [
|
|
||||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
|
||||||
] }
|
|
||||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
module "prod-packages-private-zone" {
|
|
||||||
source = "../../../modules/dns"
|
|
||||||
project_id = module.prod-spoke-project.project_id
|
|
||||||
type = "private"
|
|
||||||
name = "packages-cloud"
|
|
||||||
domain = "packages.cloud.google.com."
|
|
||||||
client_networks = [module.prod-spoke-vpc.self_link]
|
|
||||||
recordsets = {
|
|
||||||
"A packages.cloud.google.com." = { ttl = 300, records = [
|
|
||||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
|
||||||
] }
|
|
||||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
module "prod-pkgdev-private-zone" {
|
|
||||||
source = "../../../modules/dns"
|
|
||||||
project_id = module.prod-spoke-project.project_id
|
|
||||||
type = "private"
|
|
||||||
name = "pkg-dev"
|
|
||||||
domain = "pkg.dev."
|
|
||||||
client_networks = [module.prod-spoke-vpc.self_link]
|
|
||||||
recordsets = {
|
|
||||||
"A pkg.dev." = { ttl = 300, records = [
|
|
||||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
|
||||||
] }
|
|
||||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
module "prod-pkigoog-private-zone" {
|
|
||||||
source = "../../../modules/dns"
|
|
||||||
project_id = module.prod-spoke-project.project_id
|
|
||||||
type = "private"
|
|
||||||
name = "pki-goog"
|
|
||||||
domain = "pki.goog."
|
|
||||||
client_networks = [module.prod-spoke-vpc.self_link]
|
|
||||||
recordsets = {
|
|
||||||
"A pki.goog." = { ttl = 300, records = [
|
|
||||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
|
||||||
] }
|
|
||||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
|
||||||
}
|
}
|
||||||
|
rules_file = var.factories_config.dns_policy_rules_file
|
||||||
}
|
}
|
||||||
|
|
|
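Review bot: `prod-dns-policy-googleapis` reads the same `var.factories_config.dns_policy_rules_file` as the dev policy, so dev and prod are guaranteed identical rule sets. That is a good default for consistency, but it also means prod cannot be pointed at `restricted.googleapis.com.` (the rules file defines its A records, yet every CNAME targets `private.googleapis.com.`) without changing dev too; if environment-specific rule files are a supported use case, consider a per-environment key in `factories_config` (for example a map keyed by `dev` and `prod`) instead of a single path, and say in the README which option is intended.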
@ -57,6 +57,7 @@ variable "factories_config" {
|
||||||
description = "Configuration for network resource factories."
|
description = "Configuration for network resource factories."
|
||||||
type = object({
|
type = object({
|
||||||
data_dir = optional(string, "data")
|
data_dir = optional(string, "data")
|
||||||
|
dns_policy_rules_file = optional(string, "data/dns-policy-rules.yaml")
|
||||||
firewall_policy_name = optional(string, "factory")
|
firewall_policy_name = optional(string, "factory")
|
||||||
})
|
})
|
||||||
default = {
|
default = {
|
||||||
|
|
|
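Review bot: the new `dns_policy_rules_file` defaults to the literal `"data/dns-policy-rules.yaml"` rather than being derived from `data_dir`, which defaults to `"data"` on the line above; an operator who overrides `data_dir` must remember to override this attribute too, or the policy silently keeps reading the shipped rules file. Either document that in the variable description (`"Configuration for network resource factories."` says nothing about it) or build the default path from `data_dir` in a local.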
@ -230,13 +230,7 @@ DNS configuration is further centralized by leveraging peering zones, so that
|
||||||
|
|
||||||
- the hub/landing Cloud DNS hosts configurations for on-prem forwarding, Google API domains, and the top-level private zone/s (e.g. gcp.example.com)
|
- the hub/landing Cloud DNS hosts configurations for on-prem forwarding, Google API domains, and the top-level private zone/s (e.g. gcp.example.com)
|
||||||
- the spokes Cloud DNS host configurations for the environment-specific domains (e.g. prod.gcp.example.com), which are bound to the hub/landing leveraging [cross-project binding](https://cloud.google.com/dns/docs/zones/zones-overview#cross-project_binding); a peering zone for the `.` (root) zone is then created on each spoke, delegating all DNS resolution to hub/landing.
|
- the spokes Cloud DNS host configurations for the environment-specific domains (e.g. prod.gcp.example.com), which are bound to the hub/landing leveraging [cross-project binding](https://cloud.google.com/dns/docs/zones/zones-overview#cross-project_binding); a peering zone for the `.` (root) zone is then created on each spoke, delegating all DNS resolution to hub/landing.
|
||||||
- Private Google Access is enabled for a selection of the [supported domains](https://cloud.google.com/vpc/docs/configure-private-google-access#domain-options), namely
|
- Private Google Access is enabled via [DNS Response Policies](https://cloud.google.com/dns/docs/zones/manage-response-policies#create-response-policy-rule) for most of the [supported domains](https://cloud.google.com/vpc/docs/configure-private-google-access#domain-options)
|
||||||
- `private.googleapis.com`
|
|
||||||
- `restricted.googleapis.com`
|
|
||||||
- `gcr.io`
|
|
||||||
- `packages.cloud.google.com`
|
|
||||||
- `pkg.dev`
|
|
||||||
- `pki.goog`
|
|
||||||
|
|
||||||
To complete the configuration, the 35.199.192.0/19 range should be routed to the VPN tunnels from on-premises, and the following names should be configured for DNS forwarding to cloud:
|
To complete the configuration, the 35.199.192.0/19 range should be routed to the VPN tunnels from on-premises, and the following names should be configured for DNS forwarding to cloud:
|
||||||
|
|
||||||
|
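Review bot: the rewritten bullet replaces the explicit domain list with "most of the supported domains" without saying where the actual list lives; add that the rules come from the file referenced by `factories_config.dns_policy_rules_file` (default `data/dns-policy-rules.yaml`) so operators know what is covered and how to add or remove a domain. The old list also named both `private.googleapis.com` and `restricted.googleapis.com`; the new text should state which of the two the CNAME rules target, since that is the security-relevant choice a reader of this section will want to verify.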
@ -488,7 +482,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|
||||||
| name | description | modules | resources |
|
| name | description | modules | resources |
|
||||||
|---|---|---|---|
|
|---|---|---|---|
|
||||||
| [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | <code>dns</code> | |
|
| [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | <code>dns</code> | |
|
||||||
| [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | <code>dns</code> | |
|
| [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | <code>dns</code> · <code>dns-response-policy</code> | |
|
||||||
| [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | <code>dns</code> | |
|
| [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | <code>dns</code> | |
|
||||||
| [landing.tf](./landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
| [landing.tf](./landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
||||||
| [main.tf](./main.tf) | Networking folder and hierarchical policy. | <code>folder</code> | |
|
| [main.tf](./main.tf) | Networking folder and hierarchical policy. | <code>folder</code> | |
|
||||||
|
@ -509,22 +503,22 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|
||||||
|---|---|:---:|:---:|:---:|:---:|
|
|---|---|:---:|:---:|:---:|:---:|
|
||||||
| [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
| [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | <code title="object({ id = string is_org_level = optional(bool, true) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
| [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | <code title="object({ id = string is_org_level = optional(bool, true) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [folder_ids](variables.tf#L75) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | <code title="object({ networking = string networking-dev = string networking-prod = string })">object({…})</code> | ✓ | | <code>1-resman</code> |
|
| [folder_ids](variables.tf#L76) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | <code title="object({ networking = string networking-dev = string networking-prod = string })">object({…})</code> | ✓ | | <code>1-resman</code> |
|
||||||
| [organization](variables.tf#L119) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
| [organization](variables.tf#L120) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [prefix](variables.tf#L135) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
| [prefix](variables.tf#L136) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [custom_roles](variables.tf#L38) | Custom roles defined at the org level, in key => id format. | <code title="object({ service_project_network_admin = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
| [custom_roles](variables.tf#L38) | Custom roles defined at the org level, in key => id format. | <code title="object({ service_project_network_admin = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||||
| [dns](variables.tf#L47) | Onprem DNS resolvers. | <code>map(list(string))</code> | | <code title="{ onprem = ["10.0.200.3"] }">{…}</code> | |
|
| [dns](variables.tf#L47) | Onprem DNS resolvers. | <code>map(list(string))</code> | | <code title="{ onprem = ["10.0.200.3"] }">{…}</code> | |
|
||||||
| [factories_config](variables.tf#L55) | Configuration for network resource factories. | <code title="object({ data_dir = optional(string, "data") firewall_policy_name = optional(string, "factory") })">object({…})</code> | | <code title="{ data_dir = "data" }">{…}</code> | |
|
| [factories_config](variables.tf#L55) | Configuration for network resource factories. | <code title="object({ data_dir = optional(string, "data") dns_policy_rules_file = optional(string, "data/dns-policy-rules.yaml") firewall_policy_name = optional(string, "factory") })">object({…})</code> | | <code title="{ data_dir = "data" }">{…}</code> | |
|
||||||
| [gcp_ranges](variables.tf#L85) | GCP address ranges in name => range format. | <code>map(string)</code> | | <code title="{ gcp_dev_primary = "10.128.128.0/19" gcp_dev_secondary = "10.128.160.0/19" gcp_landing_trusted_primary = "10.128.64.0/19" gcp_landing_trusted_secondary = "10.128.96.0/19" gcp_landing_untrusted_primary = "10.128.0.0/19" gcp_landing_untrusted_secondary = "10.128.32.0/19" gcp_prod_primary = "10.128.192.0/19" gcp_prod_secondary = "10.128.224.0/19" }">{…}</code> | |
|
| [gcp_ranges](variables.tf#L86) | GCP address ranges in name => range format. | <code>map(string)</code> | | <code title="{ gcp_dev_primary = "10.128.128.0/19" gcp_dev_secondary = "10.128.160.0/19" gcp_landing_trusted_primary = "10.128.64.0/19" gcp_landing_trusted_secondary = "10.128.96.0/19" gcp_landing_untrusted_primary = "10.128.0.0/19" gcp_landing_untrusted_secondary = "10.128.32.0/19" gcp_prod_primary = "10.128.192.0/19" gcp_prod_secondary = "10.128.224.0/19" }">{…}</code> | |
|
||||||
| [ncc_asn](variables.tf#L100) | The NCC Cloud Routers ASN configuration. | <code>map(number)</code> | | <code title="{ nva_primary = 64513 nva_secondary = 64514 trusted = 64515 untrusted = 64512 }">{…}</code> | |
|
| [ncc_asn](variables.tf#L101) | The NCC Cloud Routers ASN configuration. | <code>map(number)</code> | | <code title="{ nva_primary = 64513 nva_secondary = 64514 trusted = 64515 untrusted = 64512 }">{…}</code> | |
|
||||||
| [onprem_cidr](variables.tf#L111) | Onprem addresses in name => range format. | <code>map(string)</code> | | <code title="{ main = "10.0.0.0/24" }">{…}</code> | |
|
| [onprem_cidr](variables.tf#L112) | Onprem addresses in name => range format. | <code>map(string)</code> | | <code title="{ main = "10.0.0.0/24" }">{…}</code> | |
|
||||||
| [outputs_location](variables.tf#L129) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
| [outputs_location](variables.tf#L130) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||||
| [psa_ranges](variables.tf#L146) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
| [psa_ranges](variables.tf#L147) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code>null</code> | |
|
||||||
| [regions](variables.tf#L167) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
| [regions](variables.tf#L168) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
||||||
| [service_accounts](variables.tf#L179) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string gke-dev = string gke-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>1-resman</code> |
|
| [service_accounts](variables.tf#L180) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string gke-dev = string gke-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>1-resman</code> |
|
||||||
| [vpn_onprem_primary_config](variables.tf#L193) | VPN gateway configuration for onprem interconnection in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
| [vpn_onprem_primary_config](variables.tf#L194) | VPN gateway configuration for onprem interconnection in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||||
| [vpn_onprem_secondary_config](variables.tf#L236) | VPN gateway configuration for onprem interconnection in the secondary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
| [vpn_onprem_secondary_config](variables.tf#L237) | VPN gateway configuration for onprem interconnection in the secondary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||||
| [zones](variables.tf#L279) | Zones in which NVAs are deployed. | <code>list(string)</code> | | <code>["b", "c"]</code> | |
|
| [zones](variables.tf#L280) | Zones in which NVAs are deployed. | <code>list(string)</code> | | <code>["b", "c"]</code> | |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,110 @@
|
||||||
|
# skip boilerplate check
|
||||||
|
|
||||||
|
accounts:
|
||||||
|
dns_name: "accounts.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
backupdr-cloud:
|
||||||
|
dns_name: "backupdr.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
backupdr-cloud-all:
|
||||||
|
dns_name: "*.backupdr.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
backupdr-gu:
|
||||||
|
dns_name: "backupdr.googleusercontent.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
backupdr-gu-all:
|
||||||
|
dns_name: "*.backupdr.googleusercontent.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
cloudfunctions:
|
||||||
|
dns_name: "*.cloudfunctions.net."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
cloudproxy:
|
||||||
|
dns_name: "*.cloudproxy.app."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
composer-cloud-all:
|
||||||
|
dns_name: "*.composer.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
composer-gu-all:
|
||||||
|
dns_name: "*.composer.googleusercontent.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
datafusion-all:
|
||||||
|
dns_name: "*.datafusion.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
datafusion-gu-all:
|
||||||
|
dns_name: "*.datafusion.googleusercontent.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
dataproc:
|
||||||
|
dns_name: "dataproc.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
dataproc-all:
|
||||||
|
dns_name: "*.dataproc.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
dataproc-gu:
|
||||||
|
dns_name: "dataproc.googleusercontent.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
dataproc-gu-all:
|
||||||
|
dns_name: "*.dataproc.googleusercontent.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
dl:
|
||||||
|
dns_name: "dl.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
gcr:
|
||||||
|
dns_name: "gcr.io."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
gcr-all:
|
||||||
|
dns_name: "*.gcr.io."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
googleapis-all:
|
||||||
|
dns_name: "*.googleapis.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
googleapis-private:
|
||||||
|
dns_name: "private.googleapis.com."
|
||||||
|
local_data:
|
||||||
|
A:
|
||||||
|
rrdatas:
|
||||||
|
- 199.36.153.8
|
||||||
|
- 199.36.153.9
|
||||||
|
- 199.36.153.10
|
||||||
|
- 199.36.153.11
|
||||||
|
googleapis-restricted:
|
||||||
|
dns_name: "restricted.googleapis.com."
|
||||||
|
local_data:
|
||||||
|
A:
|
||||||
|
rrdatas:
|
||||||
|
- 199.36.153.4
|
||||||
|
- 199.36.153.5
|
||||||
|
- 199.36.153.6
|
||||||
|
- 199.36.153.7
|
||||||
|
gstatic-all:
|
||||||
|
dns_name: "*.gstatic.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
notebooks-all:
|
||||||
|
dns_name: "*.notebooks.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
notebooks-gu-all:
|
||||||
|
dns_name: "*.notebooks.googleusercontent.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
packages-cloud:
|
||||||
|
dns_name: "packages.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
packages-cloud-all:
|
||||||
|
dns_name: "*.packages.cloud.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
pkgdev:
|
||||||
|
dns_name: "pkg.dev."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
pkgdev-all:
|
||||||
|
dns_name: "*.pkg.dev."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
pkigoog:
|
||||||
|
dns_name: "pki.goog."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
pkigoog-all:
|
||||||
|
dns_name: "*.pki.goog."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
run-all:
|
||||||
|
dns_name: "*.run.app."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||||
|
source:
|
||||||
|
dns_name: "source.developers.google.com."
|
||||||
|
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
|
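Review bot: every CNAME rule in this new file points at `private.googleapis.com.`, so the `googleapis-restricted` A rule (199.36.153.4 to 199.36.153.7) is defined but never referenced by any other rule; it only takes effect if a user edits the CNAME targets to `restricted.googleapis.com.`, which is worth a short comment next to `# skip boilerplate check` so people know which knob to turn for a VPC Service Controls setup. Please also confirm that the exact-name rules `googleapis-private` and `googleapis-restricted` take precedence over the `googleapis-all` wildcard `*.googleapis.com.`; if the wildcard CNAME won, it would shadow the very A records all the other rules resolve to.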
@ -32,7 +32,12 @@ module "dev-dns-private-zone" {
|
||||||
|
|
||||||
# root zone peering to landing to centralize configuration; remove if unneeded
|
# root zone peering to landing to centralize configuration; remove if unneeded
|
||||||
|
|
||||||
module "dev-landing-root-dns-peering" {
|
moved {
|
||||||
|
from = module.dev-landing-root-dns-peering
|
||||||
|
to = module.dev-dns-peer-landing-root
|
||||||
|
}
|
||||||
|
|
||||||
|
module "dev-dns-peer-landing-root" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.dev-spoke-project.project_id
|
project_id = module.dev-spoke-project.project_id
|
||||||
type = "peering"
|
type = "peering"
|
||||||
|
@ -42,7 +47,12 @@ module "dev-landing-root-dns-peering" {
|
||||||
peer_network = module.landing-trusted-vpc.self_link
|
peer_network = module.landing-trusted-vpc.self_link
|
||||||
}
|
}
|
||||||
|
|
||||||
module "dev-reverse-10-dns-peering" {
|
moved {
|
||||||
|
from = module.dev-reverse-10-dns-peering
|
||||||
|
to = module.dev-dns-peer-landing-rev-10
|
||||||
|
}
|
||||||
|
|
||||||
|
module "dev-dns-peer-landing-rev-10" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.dev-spoke-project.project_id
|
project_id = module.dev-spoke-project.project_id
|
||||||
type = "peering"
|
type = "peering"
|
||||||
|
|
|
@ -18,7 +18,12 @@
|
||||||
|
|
||||||
# forwarding to on-prem DNS resolvers
|
# forwarding to on-prem DNS resolvers
|
||||||
|
|
||||||
module "onprem-example-dns-forwarding" {
|
moved {
|
||||||
|
from = module.onprem-example-dns-forwarding
|
||||||
|
to = module.landing-dns-fwd-onprem-example
|
||||||
|
}
|
||||||
|
|
||||||
|
module "landing-dns-fwd-onprem-example" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.landing-project.project_id
|
project_id = module.landing-project.project_id
|
||||||
type = "forwarding"
|
type = "forwarding"
|
||||||
|
@ -31,7 +36,12 @@ module "onprem-example-dns-forwarding" {
|
||||||
forwarders = { for ip in var.dns.onprem : ip => null }
|
forwarders = { for ip in var.dns.onprem : ip => null }
|
||||||
}
|
}
|
||||||
|
|
||||||
module "reverse-10-dns-forwarding" {
|
moved {
|
||||||
|
from = module.reverse-10-dns-forwarding
|
||||||
|
to = module.landing-dns-fwd-onprem-rev-10
|
||||||
|
}
|
||||||
|
|
||||||
|
module "landing-dns-fwd-onprem-rev-10" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.landing-project.project_id
|
project_id = module.landing-project.project_id
|
||||||
type = "forwarding"
|
type = "forwarding"
|
||||||
|
@ -44,7 +54,12 @@ module "reverse-10-dns-forwarding" {
|
||||||
forwarders = { for ip in var.dns.onprem : ip => null }
|
forwarders = { for ip in var.dns.onprem : ip => null }
|
||||||
}
|
}
|
||||||
|
|
||||||
module "gcp-example-dns-private-zone" {
|
moved {
|
||||||
|
from = module.gcp-example-dns-private-zone
|
||||||
|
to = module.landing-dns-priv-gcp
|
||||||
|
}
|
||||||
|
|
||||||
|
module "landing-dns-priv-gcp" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.landing-project.project_id
|
project_id = module.landing-project.project_id
|
||||||
type = "private"
|
type = "private"
|
||||||
|
@ -61,95 +76,13 @@ module "gcp-example-dns-private-zone" {
|
||||||
|
|
||||||
# Google APIs
|
# Google APIs
|
||||||
|
|
||||||
module "googleapis-private-zone" {
|
module "landing-dns-policy-googleapis" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns-response-policy"
|
||||||
project_id = module.landing-project.project_id
|
project_id = module.landing-project.project_id
|
||||||
type = "private"
|
name = "googleapis"
|
||||||
name = "googleapis-com"
|
networks = {
|
||||||
domain = "googleapis.com."
|
landing-trusted = module.landing-trusted-vpc.self_link
|
||||||
client_networks = [
|
landing-untrusted = module.landing-untrusted-vpc.self_link
|
||||||
module.landing-untrusted-vpc.self_link,
|
|
||||||
module.landing-trusted-vpc.self_link
|
|
||||||
]
|
|
||||||
recordsets = {
|
|
||||||
"A private" = { records = [
|
|
||||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
|
||||||
] }
|
|
||||||
"A restricted" = { records = [
|
|
||||||
"199.36.153.4", "199.36.153.5", "199.36.153.6", "199.36.153.7"
|
|
||||||
] }
|
|
||||||
"CNAME *" = { records = ["private.googleapis.com."] }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
module "gcrio-private-zone" {
|
|
||||||
source = "../../../modules/dns"
|
|
||||||
project_id = module.landing-project.project_id
|
|
||||||
type = "private"
|
|
||||||
name = "gcr-io"
|
|
||||||
domain = "gcr.io."
|
|
||||||
client_networks = [
|
|
||||||
module.landing-untrusted-vpc.self_link,
|
|
||||||
module.landing-trusted-vpc.self_link
|
|
||||||
]
|
|
||||||
recordsets = {
|
|
||||||
"A gcr.io." = { ttl = 300, records = [
|
|
||||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
|
||||||
] }
|
|
||||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
module "packages-private-zone" {
|
|
||||||
source = "../../../modules/dns"
|
|
||||||
project_id = module.landing-project.project_id
|
|
||||||
type = "private"
|
|
||||||
name = "packages-cloud"
|
|
||||||
domain = "packages.cloud.google.com."
|
|
||||||
client_networks = [
|
|
||||||
module.landing-untrusted-vpc.self_link,
|
|
||||||
module.landing-trusted-vpc.self_link
|
|
||||||
]
|
|
||||||
recordsets = {
|
|
||||||
"A packages.cloud.google.com." = { ttl = 300, records = [
|
|
||||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
|
||||||
] }
|
|
||||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
module "pkgdev-private-zone" {
|
|
||||||
source = "../../../modules/dns"
|
|
||||||
project_id = module.landing-project.project_id
|
|
||||||
type = "private"
|
|
||||||
name = "pkg-dev"
|
|
||||||
domain = "pkg.dev."
|
|
||||||
client_networks = [
|
|
||||||
module.landing-untrusted-vpc.self_link,
|
|
||||||
module.landing-trusted-vpc.self_link
|
|
||||||
]
|
|
||||||
recordsets = {
|
|
||||||
"A pkg.dev." = { ttl = 300, records = [
|
|
||||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
|
||||||
] }
|
|
||||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
module "pkigoog-private-zone" {
|
|
||||||
source = "../../../modules/dns"
|
|
||||||
project_id = module.landing-project.project_id
|
|
||||||
type = "private"
|
|
||||||
name = "pki-goog"
|
|
||||||
domain = "pki.goog."
|
|
||||||
client_networks = [
|
|
||||||
module.landing-untrusted-vpc.self_link,
|
|
||||||
module.landing-trusted-vpc.self_link
|
|
||||||
]
|
|
||||||
recordsets = {
|
|
||||||
"A pki.goog." = { ttl = 300, records = [
|
|
||||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
|
||||||
] }
|
|
||||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
|
||||||
}
|
}
|
||||||
|
rules_file = var.factories_config.dns_policy_rules_file
|
||||||
}
|
}
|
||||||
|
|
|
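Review bot: the five private zones removed in this hunk were exposed to the spokes through their root (`.`) peering zones to landing, while the replacement `dns-response-policy` module is bound only to `landing-trusted` and `landing-untrusted` via `networks`; please confirm that queries from the dev and prod spoke VPCs still receive the `private.googleapis.com.` answers through DNS peering, otherwise the policy needs to be attached to the spoke networks as well. Two smaller points: the removed recordsets set `ttl = 300` while the factory rules leave `ttl` unset, and `rules_file = var.factories_config.dns_policy_rules_file` is read in the module with `try(yamldecode(file(...)))`, so a wrong path yields a policy with zero rules instead of a plan error; a `precondition` on the file existing would make that failure visible at plan time.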
@ -32,7 +32,12 @@ module "prod-dns-private-zone" {
|
||||||
|
|
||||||
# root zone peering to landing to centralize configuration; remove if unneeded
|
# root zone peering to landing to centralize configuration; remove if unneeded
|
||||||
|
|
||||||
module "prod-landing-root-dns-peering" {
|
moved {
|
||||||
|
from = module.prod-landing-root-dns-peering
|
||||||
|
to = module.prod-dns-peer-landing-root
|
||||||
|
}
|
||||||
|
|
||||||
|
module "prod-dns-peer-landing-root" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.prod-spoke-project.project_id
|
project_id = module.prod-spoke-project.project_id
|
||||||
type = "peering"
|
type = "peering"
|
||||||
|
@ -42,7 +47,12 @@ module "prod-landing-root-dns-peering" {
|
||||||
peer_network = module.landing-trusted-vpc.self_link
|
peer_network = module.landing-trusted-vpc.self_link
|
||||||
}
|
}
|
||||||
|
|
||||||
module "prod-reverse-10-dns-peering" {
|
moved {
|
||||||
|
from = module.prod-reverse-10-dns-peering
|
||||||
|
to = module.prod-dns-peer-landing-rev-10
|
||||||
|
}
|
||||||
|
|
||||||
|
module "prod-dns-peer-landing-rev-10" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
project_id = module.prod-spoke-project.project_id
|
project_id = module.prod-spoke-project.project_id
|
||||||
type = "peering"
|
type = "peering"
|
||||||
|
|
|
@ -56,6 +56,7 @@ variable "factories_config" {
|
||||||
description = "Configuration for network resource factories."
|
description = "Configuration for network resource factories."
|
||||||
type = object({
|
type = object({
|
||||||
data_dir = optional(string, "data")
|
data_dir = optional(string, "data")
|
||||||
|
dns_policy_rules_file = optional(string, "data/dns-policy-rules.yaml")
|
||||||
firewall_policy_name = optional(string, "factory")
|
firewall_policy_name = optional(string, "factory")
|
||||||
})
|
})
|
||||||
default = {
|
default = {
|
||||||
|
|
|
@ -2,6 +2,8 @@
|
||||||
|
|
||||||
This module allows management of a [Google Cloud DNS policy and its rules](https://cloud.google.com/dns/docs/zones/manage-response-policies). The policy can already exist and be referenced by name by setting the `policy_create` variable to `false`.
|
This module allows management of a [Google Cloud DNS policy and its rules](https://cloud.google.com/dns/docs/zones/manage-response-policies). The policy can already exist and be referenced by name by setting the `policy_create` variable to `false`.
|
||||||
|
|
||||||
|
The module also allows setting rules via a factory. An example is given below.
|
||||||
|
|
||||||
## Examples
|
## Examples
|
||||||
|
|
||||||
### Manage policy and override resolution for specific names
|
### Manage policy and override resolution for specific names
|
||||||
|
@ -44,7 +46,15 @@ module "dns-policy" {
|
||||||
landing = var.vpc.self_link
|
landing = var.vpc.self_link
|
||||||
}
|
}
|
||||||
rules = {
|
rules = {
|
||||||
default = {
|
gcr = {
|
||||||
|
dns_name = "gcr.io."
|
||||||
|
local_data = {
|
||||||
|
CNAME = {
|
||||||
|
rrdatas = ["restricted.googleapis.com."]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
googleapis-all = {
|
||||||
dns_name = "*.googleapis.com."
|
dns_name = "*.googleapis.com."
|
||||||
local_data = {
|
local_data = {
|
||||||
CNAME = {
|
CNAME = {
|
||||||
|
@ -59,13 +69,59 @@ module "dns-policy" {
|
||||||
dns_name = "restricted.googleapis.com."
|
dns_name = "restricted.googleapis.com."
|
||||||
local_data = {
|
local_data = {
|
||||||
A = {
|
A = {
|
||||||
rrdatas = ["199.36.153.4", "199.36.153.5"]
|
rrdatas = [
|
||||||
|
"199.36.153.4",
|
||||||
|
"199.36.153.5",
|
||||||
|
"199.36.153.6",
|
||||||
|
"199.36.153.7"
|
||||||
|
]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
# tftest modules=1 resources=3 inventory=nocreate.yaml
|
# tftest modules=1 resources=4 inventory=complex.yaml
|
||||||
|
```
|
||||||
|
|
||||||
|
### Define policy rules via a factory file
|
||||||
|
|
||||||
|
This example shows how to define rules in a factory file, that mirrors the rules defined via variables in the previous example. Rules defined via the variable are merged with factory rules and take precedence over them when using the same rule names. The YAML syntax closely follows the `rules` variable type.
|
||||||
|
|
||||||
|
```hcl
|
||||||
|
module "dns-policy" {
|
||||||
|
source = "./fabric/modules/dns-response-policy"
|
||||||
|
project_id = "myproject"
|
||||||
|
name = "googleapis"
|
||||||
|
policy_create = false
|
||||||
|
networks = {
|
||||||
|
landing = var.vpc.self_link
|
||||||
|
}
|
||||||
|
rules_file = "config/rules.yaml"
|
||||||
|
}
|
||||||
|
# tftest modules=1 resources=4 files=rules-file inventory=complex.yaml
|
||||||
|
```
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
gcr:
|
||||||
|
dns_name: "gcr.io."
|
||||||
|
local_data:
|
||||||
|
CNAME: {rrdatas: ["restricted.googleapis.com."]}
|
||||||
|
googleapis-all:
|
||||||
|
dns_name: "*.googleapis.com."
|
||||||
|
local_data:
|
||||||
|
CNAME: {rrdatas: ["restricted.googleapis.com."]}
|
||||||
|
pubsub:
|
||||||
|
dns_name: "pubsub.googleapis.com."
|
||||||
|
restricted:
|
||||||
|
dns_name: "restricted.googleapis.com."
|
||||||
|
local_data:
|
||||||
|
A:
|
||||||
|
rrdatas:
|
||||||
|
- 199.36.153.4
|
||||||
|
- 199.36.153.5
|
||||||
|
- 199.36.153.6
|
||||||
|
- 199.36.153.7
|
||||||
|
# tftest-file id=rules-file path=config/rules.yaml
|
||||||
```
|
```
|
||||||
<!-- BEGIN TFDOC -->
|
<!-- BEGIN TFDOC -->
|
||||||
|
|
||||||
|
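Review bot: the `pubsub` entry in the YAML example carries only `dns_name`, with no `local_data` and no `behavior`, so it relies on the factory defaulting `behavior` to `bypassResponsePolicy`; the sentence "The YAML syntax closely follows the `rules` variable type" should spell out that omitted attributes take the same defaults as the variable (`behavior` = `bypassResponsePolicy`, `ttl` = null, `rrdatas` = empty list), since as written the example reads as if the `pubsub` rule does nothing. It would also help to state which of the two sources wins on a name clash in the example text itself, e.g. by giving a rule the same key in both `rules` and the file.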
@ -80,6 +136,7 @@ module "dns-policy" {
|
||||||
| [networks](variables.tf#L35) | Map of VPC self links to which this policy is applied in name => self link format. | <code>map(string)</code> | | <code>{}</code> |
|
| [networks](variables.tf#L35) | Map of VPC self links to which this policy is applied in name => self link format. | <code>map(string)</code> | | <code>{}</code> |
|
||||||
| [policy_create](variables.tf#L42) | Set to false to use the existing policy matching name and only manage rules. | <code>bool</code> | | <code>true</code> |
|
| [policy_create](variables.tf#L42) | Set to false to use the existing policy matching name and only manage rules. | <code>bool</code> | | <code>true</code> |
|
||||||
| [rules](variables.tf#L54) | Map of policy rules in name => rule format. Local data takes precedence over behavior and is in the form record type => attributes. | <code title="map(object({ dns_name = string behavior = optional(string, "bypassResponsePolicy") local_data = optional(map(object({ ttl = optional(number) rrdatas = optional(list(string), []) })), {}) }))">map(object({…}))</code> | | <code>{}</code> |
|
| [rules](variables.tf#L54) | Map of policy rules in name => rule format. Local data takes precedence over behavior and is in the form record type => attributes. | <code title="map(object({ dns_name = string behavior = optional(string, "bypassResponsePolicy") local_data = optional(map(object({ ttl = optional(number) rrdatas = optional(list(string), []) })), {}) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
|
| [rules_file](variables.tf#L68) | Optional data file in YAML format listing rules that will be combined with those passed in via the `rules` variable. | <code>string</code> | | <code>null</code> |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|
|
@ -15,6 +15,17 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
locals {
|
locals {
|
||||||
|
_factory_rules = try(yamldecode(file(var.rules_file)), {})
|
||||||
|
factory_rules = {
|
||||||
|
for k, v in local._factory_rules : k => {
|
||||||
|
dns_name = v.dns_name
|
||||||
|
behavior = lookup(v, "behavior", "bypassResponsePolicy")
|
||||||
|
local_data = {
|
||||||
|
for kk, vv in lookup(v, "local_data", {}) :
|
||||||
|
kk => merge({ ttl = null, rrdatas = [] }, vv)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
policy_name = (
|
policy_name = (
|
||||||
var.policy_create
|
var.policy_create
|
||||||
? google_dns_response_policy.default.0.response_policy_name
|
? google_dns_response_policy.default.0.response_policy_name
|
||||||
|
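Review bot: `_factory_rules = try(yamldecode(file(var.rules_file)), {})` collapses three situations into an empty rule set: `rules_file` is null (intended), the file does not exist (likely a path typo), and the file exists but is not valid YAML. The last two fail silently, and since the network stages now depend on this factory for Private Google Access names, the result would be a policy with no rules and no warning. Suggest `var.rules_file == null ? {} : yamldecode(file(var.rules_file))` so only the null case is tolerated. The loop `for k, v in local._factory_rules : k => { dns_name = v.dns_name ... }` correctly treats `dns_name` as required, but a missing key currently surfaces as a generic attribute lookup error; a `validation` block or `precondition` that names the offending rule key would be friendlier.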
@ -43,7 +54,7 @@ resource "google_dns_response_policy" "default" {
|
||||||
|
|
||||||
resource "google_dns_response_policy_rule" "default" {
|
resource "google_dns_response_policy_rule" "default" {
|
||||||
provider = google-beta
|
provider = google-beta
|
||||||
for_each = var.rules
|
for_each = merge(local.factory_rules, var.rules)
|
||||||
project = var.project_id
|
project = var.project_id
|
||||||
response_policy = local.policy_name
|
response_policy = local.policy_name
|
||||||
rule_name = each.key
|
rule_name = each.key
|
||||||
|
|
|
@ -64,3 +64,9 @@ variable "rules" {
|
||||||
default = {}
|
default = {}
|
||||||
nullable = false
|
nullable = false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "rules_file" {
|
||||||
|
description = "Optional data file in YAML format listing rules that will be combined with those passed in via the `rules` variable."
|
||||||
|
type = string
|
||||||
|
default = null
|
||||||
|
}
|
||||||
|
|
|
@ -13,5 +13,5 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
counts:
|
counts:
|
||||||
modules: 31
|
modules: 27
|
||||||
resources: 122
|
resources: 139
|
||||||
|
|
|
@ -13,5 +13,5 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
counts:
|
counts:
|
||||||
modules: 33
|
modules: 29
|
||||||
resources: 159
|
resources: 176
|
||||||
|
|
|
@ -13,5 +13,5 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
counts:
|
counts:
|
||||||
modules: 45
|
modules: 41
|
||||||
resources: 168
|
resources: 185
|
||||||
|
|
|
@ -13,5 +13,5 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
counts:
|
counts:
|
||||||
modules: 28
|
modules: 20
|
||||||
resources: 122
|
resources: 156
|
||||||
|
|
|
@ -13,5 +13,5 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
counts:
|
counts:
|
||||||
modules: 39
|
modules: 35
|
||||||
resources: 181
|
resources: 198
|
||||||
|
|
|
@ -13,19 +13,34 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
values:
|
values:
|
||||||
module.dns-policy.google_dns_response_policy_rule.default["default"]:
|
module.dns-policy.google_dns_response_policy_rule.default["gcr"]:
|
||||||
behavior: null
|
behavior: null
|
||||||
dns_name: '*.googleapis.com.'
|
dns_name: gcr.io.
|
||||||
local_data:
|
local_data:
|
||||||
- local_datas:
|
- local_datas:
|
||||||
- name: '*.googleapis.com.'
|
- name: gcr.io.
|
||||||
rrdatas:
|
rrdatas:
|
||||||
- restricted.googleapis.com.
|
- restricted.googleapis.com.
|
||||||
ttl: null
|
ttl: null
|
||||||
type: CNAME
|
type: CNAME
|
||||||
project: myproject
|
project: myproject
|
||||||
response_policy: googleapis
|
response_policy: googleapis
|
||||||
rule_name: default
|
rule_name: gcr
|
||||||
|
timeouts: null
|
||||||
|
module.dns-policy.google_dns_response_policy_rule.default["googleapis-all"]:
|
||||||
|
behavior: null
|
||||||
|
dns_name: "*.googleapis.com."
|
||||||
|
local_data:
|
||||||
|
- local_datas:
|
||||||
|
- name: "*.googleapis.com."
|
||||||
|
rrdatas:
|
||||||
|
- restricted.googleapis.com.
|
||||||
|
ttl: null
|
||||||
|
type: CNAME
|
||||||
|
project: myproject
|
||||||
|
response_policy: googleapis
|
||||||
|
rule_name: googleapis-all
|
||||||
|
timeouts: null
|
||||||
module.dns-policy.google_dns_response_policy_rule.default["pubsub"]:
|
module.dns-policy.google_dns_response_policy_rule.default["pubsub"]:
|
||||||
behavior: bypassResponsePolicy
|
behavior: bypassResponsePolicy
|
||||||
dns_name: pubsub.googleapis.com.
|
dns_name: pubsub.googleapis.com.
|
||||||
|
@ -33,6 +48,7 @@ values:
|
||||||
project: myproject
|
project: myproject
|
||||||
response_policy: googleapis
|
response_policy: googleapis
|
||||||
rule_name: pubsub
|
rule_name: pubsub
|
||||||
|
timeouts: null
|
||||||
module.dns-policy.google_dns_response_policy_rule.default["restricted"]:
|
module.dns-policy.google_dns_response_policy_rule.default["restricted"]:
|
||||||
behavior: null
|
behavior: null
|
||||||
dns_name: restricted.googleapis.com.
|
dns_name: restricted.googleapis.com.
|
||||||
|
@ -42,11 +58,18 @@ values:
|
||||||
rrdatas:
|
rrdatas:
|
||||||
- 199.36.153.4
|
- 199.36.153.4
|
||||||
- 199.36.153.5
|
- 199.36.153.5
|
||||||
|
- 199.36.153.6
|
||||||
|
- 199.36.153.7
|
||||||
ttl: null
|
ttl: null
|
||||||
type: A
|
type: A
|
||||||
project: myproject
|
project: myproject
|
||||||
response_policy: googleapis
|
response_policy: googleapis
|
||||||
rule_name: restricted
|
rule_name: restricted
|
||||||
|
timeouts: null
|
||||||
|
|
||||||
counts:
|
counts:
|
||||||
google_dns_response_policy_rule: 3
|
google_dns_response_policy_rule: 4
|
||||||
|
modules: 1
|
||||||
|
resources: 4
|
||||||
|
|
||||||
|
outputs: {}
|