Commit Graph

58 Commits

Author SHA1 Message Date
Ludovico Magnocavallo 6941313c7d
Factories refactor (#1843)
* factories refactor doc

* Adds file schema and filesystem organization

* Update 20231106-factories.md

* move factories out of blueprints and create new factories  README

* align factory in billing-account module

* align factory in dataplex-datascan module

* align factory in billing-account module

* align factory in net-firewall-policy module

* align factory in dns-response-policy module

* align factory in net-vpc-firewall module

* align factory in net-vpc module

* align factory variable names in FAST

* remove decentralized firewall blueprint

* bump terraform version

* bump module versions

* update top-level READMEs

* move project factory to modules

* fix variable names and tests

* tfdoc

* remove changelog link

* add project factory to top-level README

* fix cludrun eventarc diff

* fix README

* fix cludrun eventarc diff

---------

Co-authored-by: Simone Ruffilli <sruffilli@google.com>
2024-02-26 10:16:52 +00:00
Ludovico Magnocavallo 71a64487d5
Extend FAST to support different principal types (#2064)
* add doc draft

* typos

* typo

* typo

* typos

* rewording

* Update 0-domainless-iam.md

* Update 0-domainless-iam.md

* Update 0-domainless-iam.md

* Update 0-domainless-iam.md

* Update 0-domainless-iam.md

* Update 0-domainless-iam.md

* Update 0-domainless-iam.md

* Update 0-domainless-iam.md

* Update 0-domainless-iam.md

* Update 0-domainless-iam.md

* move iam variables to a separate file

* move billing-account module to iam_principals

* move data-catalog-policy-tag module to iam_principals

* move dataplex-datascan module to iam_principals

* move dataproc module to iam_principals

* move folder module to iam_principals

* copyright

* move organization module to iam_principals

* move project module to iam_principals

* move source-repository module to iam_principals

* update blueprints for iam_principals interface

* FAST bootstrap

* module READMEs fixes

* FAST bootstrap

* FAST networking stages

* FAST security stage

* FAST gke stage

* FAST multitenant bootstrap stage

* FAST multitenant resman stage

* tfdoc

* Update 0-domainless-iam.md

* Update 0-domainless-iam.md

* Update 0-domainless-iam.md

* Update 0-domainless-iam.md

* fix module test

* Update 0-domainless-iam.md

* Update 0-domainless-iam.md

* Rename iam_principals to iam_by_principals

* Update IAM template to include iam_by_principals

* Update Resman README

* Fix ADR link format

---------

Co-authored-by: Julio Castillo <jccb@google.com>
2024-02-12 14:35:30 +01:00
Ludovico Magnocavallo 5448ab64c4
Leverage net-vpc module for DNS logging in FAST (#2041)
* revert #2023

* leverage net vpc module for dns logging in fast
2024-02-03 08:16:00 +01:00
Julio Castillo 13636ba07b
Make Cloud NAT creation optional in FAST net stages. (#2038)
* Make Cloud NAT creation optional in FAST net stages.

Fixes #2021

* Update READMEs
2024-02-02 10:58:16 +01:00
Julio Castillo 4c68c016a9
Add DNS query logging to FAST net stages (#2033)
* Add DNS query logging to FAST net stages

Fixes #2020

* Update readmes

* Add variable to toggle DNS logging

* Extend DNS logging toggle to other net stages
2024-01-31 13:44:51 +01:00
Ludovico Magnocavallo 01c7f806ce
Selectively enable logging in FAST and firewall policy module rules (#2032)
* use logging in firewall policy module examples

* enable logging for selected hierarchical firewall rules
2024-01-31 09:50:35 +01:00
Julio Castillo da95434308
logging for default ingress rules in FAST (#2030)
* Add default ingress deny rule with logging to FAST net stages.

Fixes #2024

* Allow firewall factory to omit rules key

* Fix tests

* Fix fast tests

* fix fast tests
2024-01-30 16:53:01 +00:00
Ludovico Magnocavallo 6d9b6403dd
add support for essential contacts to FAST (#2010) 2024-01-25 12:20:14 +01:00
simonebruzzechesse c9a8d777ba
Add kernels.googleusercontent.com zone in dns response policy (#1940)
* Add kernels.googleusercontent.com zone in dns response policy
* update fast tests
2023-12-20 11:18:11 +01:00
Simone Ruffilli cf55638f40
FAST: rename VPC-related files to `net-*` (#1818) 2023-10-27 08:23:08 +00:00
Simone Ruffilli 4decc641bb
Stop wrapping yamldecode with try() (#1812) 2023-10-25 16:16:05 +02:00
Simone Ruffilli b015380028 Fix allow-nat-ranges priority 2023-10-25 14:05:15 +02:00
Simone Ruffilli 1836c68990
Hierarchical rules update (#1809) 2023-10-24 19:46:04 +00:00
Ludovico Magnocavallo a93f08e833
improve usage of optionals in FAST stage 2 VPN variables (#1797) 2023-10-23 15:23:30 +02:00
Ludovico Magnocavallo e7e188818a
Add service usage consumer role to IaC SAs, refactor delegated grants in FAST (#1773)
* add serviceusage role to iac sas, refactor delegated grants

* fix test

* tfdoc
2023-10-18 12:18:31 +00:00
Ludovico Magnocavallo 6fd58e33c9
Add support for psa peered domains to fast stages (#1760)
* add support for psa peered domains

* tfdoc
2023-10-16 06:57:18 +00:00
Ludovico Magnocavallo 28e19ab180
Minor edits to FAST network stage READMEs (#1759)
* PSA section

* VPC description, ranges
2023-10-15 16:14:48 +00:00
Alejandro Leal 8c4cd8548c
Update README.md 2023-10-04 14:04:04 -04:00
Julio Castillo 9082bbcc48
Fix indentation in FAST hierarchical firewall rules (#1715)
Fixes #1712
2023-09-29 13:37:41 +00:00
Julio Castillo 1dfa72cadf
Define and adopt standard IP ranges for FAST networking (#1697)
* Define and adopt standard IP ranges for FAST networking

This PR documents and adopts a consistent IP address plan for FAST
networking stages

Fixes #1644

* Fix documented aggregated ranges for FAST

* Fix tests

* Fix ip ranges in documentation

* Fix NVA stages README
2023-09-21 14:27:53 +00:00
Ludovico Magnocavallo 82fcd5a7d3
rename FAST globals output file (#1695) 2023-09-20 10:36:06 +02:00
Ludovico Magnocavallo d3d77d17fb
fix psa routing variable in FAST net stages (#1685) 2023-09-16 10:31:02 +02:00
Julio Castillo f3be29cbc9 Fix tests 2023-09-15 00:27:55 +02:00
Julio Castillo 949e98d375 Increase size of pod range for default GKE subnets in FAST
Related to the issues reported in #1644
2023-09-11 10:28:42 +02:00
Luca Prete c63884d52e
Remove unused ASN numbers in CloudNAT to avoid FAST provider errors 2023-08-28 15:32:30 +00:00
Julio Castillo 5e9829373c Fix FAST hfw policies 2023-08-28 16:00:48 +02:00
Luca Prete 4c64c15871
Revert "Remove unused ASN numbers from CloudNAT to avoid provider errors" (#1626)
This reverts commit 311bed8e83.
2023-08-28 09:33:52 +02:00
Luca Prete 8ca60881f1
Fix: use existing variable to optionally name fw policies (#1610) 2023-08-22 08:55:56 +02:00
Ludovico Magnocavallo 79373721df
Remove firewall policy management from resource management modules (#1581)
* rename firewall policy module, fix outputs

* add TOC to firewall policy module

* don't depend policy on parent id

* remove firewall policy from resource management modules

* remove factory conditionals

* fast net a and b

* fast stages

* fast tfdoc

* fast tfdoc

* remove unused test

* fix shielded folder blueprint

* fix shielded folder blueprint
2023-08-09 11:23:07 +00:00
Luca Prete 311bed8e83
Remove unused ASN numbers from CloudNAT to avoid provider errors 2023-08-04 08:02:11 +00:00
Miren Esnaola cacb0c02e2 Refactoring of dns module 2023-07-19 12:57:44 +02:00
Aurélien Legrand 623c886e95
Peering dashboard (#1492)
* Adding dashboard to monitor VPC and VPC peering group quotas

* Adding 1 ressource to the tests (dashboard)

* Adding dashboard and tests for other networking architecture

* Update test
2023-07-05 18:25:31 +02:00
Julio Castillo d49a5c0fbb Fix primary gke/dp ranges in FAST subnets 2023-06-30 19:28:21 +02:00
Arvind Ganesh d3e4864b57 Making the changes as suggested in https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1477#issuecomment-1612846907 2023-06-29 12:24:29 -04:00
Arvind Ganesh 0b19a16593 Changing the IP ranges in all networking stages 2023-06-28 14:45:33 -04:00
Ludovico Magnocavallo 638841c8d1
Rename network load balancer modules (#1466)
* update LB modules to new names

* update LB modules names

* update test paths
2023-06-26 07:50:10 +00:00
Wiktor Niesiobędzki 6b4bca10bd Use RFC6598 addresses for pods and subnets
10.128.0.0/9 is public network.

Closes: #1424
2023-06-08 07:56:31 +02:00
Ana Fernandez del Alamo 0fe3f165ed Add VPN monitoring alerts to 2-networking and VPN usage chart
The Fast stage 2-networking-* currently adds a monitoring dashboard
for VPN metrics. This change adds an additional chart to monitor the
usage of the VPN bandwidth.

This change also adds the following monitoring alerts:

* VPN tunnel established
*
[VPN bandwidth](https://cloud.google.com/network-connectivity/docs/vpn/how-to/viewing-logs-metrics#define-bandwidth-alerts)

To configure the alerts, there is a new `alert_config` variable with
defined default values.

The alerts are created in the stage `b` by default. In the stages a,
c, d, and e, the alerts are created if the user creates the On-prem
VPN.

To disable the creation of alerts, add the following to
`terraform.tfvars`:

```
alert_config = {
  vpn_tunnel_established = null
  vpn_tunnel_bandwidth = null
}
```
2023-06-06 13:49:21 +01:00
Julio Castillo 0888cce3a5 Rename to `create_googleapis_routes` 2023-05-26 16:43:43 +02:00
Julio Castillo 7a91a7e41c Add default googleapi route creation to net-vpc 2023-05-26 10:55:35 +02:00
Alejandro Leal 87cd83f5c0 Several updates
Several updates
2023-05-13 23:51:46 -04:00
Ludovico Magnocavallo efb0ebe689
Switch FAST networking stages to network policies for Google domains (#1352)
* peering stage implementation

* vpn stage implementation

* tfdoc

* tests

* add most supported google domains

* align all net stages

* add support for factory to DNS response policy module

* use dns policy factory in network stages

* boilerplate
2023-05-04 07:38:40 +02:00
Julio Castillo 016a4e08ae fix fast tftest directives 2023-04-21 17:51:20 +02:00
Luca Prete a9cba47ce8
Add FAST stage 2-networking-e-nva-bgp (NVA+NCC)
Co-authored-by: Luca Prete <lucaprete@google.com>
Co-authored-by: Simone Bruzzechesse <bruzzechesse@google.com>
Co-authored-by: Simone Ruffilli <sruffilli@google.com>
2023-04-04 20:41:04 +02:00
Ludovico Magnocavallo 3d41d01efc
FAST plugin system (#1266)
* plugin folder, gitignore, serverless connector example

* add support to fast plugin variables and outputs to tfdoc

* rename folder, READMEs

* add variable description

* show diffs

* check documentation, use multiple files

* debug check doc

* try a different glob

* debug tfdoc names

* more debug

* and even more debug

* fix gitignore

* fix links

* support extra files in tests

* fix fixture, switch stage 2 peering to new tests

* tfdoc

* Allow globs in extra files

---------

Co-authored-by: Julio Castillo <jccb@google.com>
2023-03-24 12:28:32 +00:00
Ludovico Magnocavallo 5edc931bf9
add missing secret to spoke tunnels (#1265) 2023-03-17 20:52:40 +01:00
Ludovico Magnocavallo 5fb17cb3ac
Widen scope for prod project factory SA to dev (#1263)
* restrict storage role on outputs bucket for stage SAs

* grant prod project factory SA authority over prod and dev org policies

* network stages delegated grants on dev to prod pf SA

* security grants to prod pf SA on dev

* tfdoc

* tests
2023-03-17 16:24:55 +00:00
Ludo 367f4b6670
remove debug output 2023-03-17 15:35:18 +01:00
Ludovico Magnocavallo 2794cb6f24
Fix #1139 (#1249) 2023-03-15 11:43:43 +01:00
Ludovico Magnocavallo 6e70b4216f
add missing attribute to FAST onprem VPN examples (#1237) 2023-03-10 14:58:33 +00:00