# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. values: google_compute_address.nva_static_ip_landing["primary-b"]: address: 10.64.0.101 address_type: INTERNAL description: null ip_version: null ipv6_endpoint_type: null labels: null name: nva-ip-landing-ew1-b network: null project: fast2-prod-net-landing-0 region: europe-west1 timeouts: null google_compute_address.nva_static_ip_landing["primary-c"]: address: 10.64.0.102 address_type: INTERNAL description: null ip_version: null ipv6_endpoint_type: null labels: null name: nva-ip-landing-ew1-c network: null project: fast2-prod-net-landing-0 region: europe-west1 timeouts: null google_compute_address.nva_static_ip_landing["secondary-b"]: address: 10.80.0.101 address_type: INTERNAL description: null ip_version: null ipv6_endpoint_type: null labels: null name: nva-ip-landing-ew4-b network: null project: fast2-prod-net-landing-0 region: europe-west4 timeouts: null google_compute_address.nva_static_ip_landing["secondary-c"]: address: 10.80.0.102 address_type: INTERNAL description: null ip_version: null ipv6_endpoint_type: null labels: null name: nva-ip-landing-ew4-c network: null project: fast2-prod-net-landing-0 region: europe-west4 timeouts: null google_compute_address.nva_static_ip_dmz["primary-b"]: address: 10.64.128.101 address_type: INTERNAL description: null ip_version: null ipv6_endpoint_type: null labels: null name: nva-ip-dmz-ew1-b network: null project: fast2-prod-net-landing-0 region: europe-west1 
timeouts: null google_compute_address.nva_static_ip_dmz["primary-c"]: address: 10.64.128.102 address_type: INTERNAL description: null ip_version: null ipv6_endpoint_type: null labels: null name: nva-ip-dmz-ew1-c network: null project: fast2-prod-net-landing-0 region: europe-west1 timeouts: null google_compute_address.nva_static_ip_dmz["secondary-b"]: address: 10.80.128.101 address_type: INTERNAL description: null ip_version: null ipv6_endpoint_type: null labels: null name: nva-ip-dmz-ew4-b network: null project: fast2-prod-net-landing-0 region: europe-west4 timeouts: null google_compute_address.nva_static_ip_dmz["secondary-c"]: address: 10.80.128.102 address_type: INTERNAL description: null ip_version: null ipv6_endpoint_type: null labels: null name: nva-ip-dmz-ew4-c network: null project: fast2-prod-net-landing-0 region: europe-west4 timeouts: null google_monitoring_alert_policy.vpn_tunnel_bandwidth[0]: alert_strategy: [] combiner: OR conditions: - condition_absent: [] condition_matched_log: [] condition_monitoring_query_language: - duration: 120s evaluation_missing_data: null query: fetch vpn_gateway| { metric vpn.googleapis.com/network/sent_bytes_count; metric vpn.googleapis.com/network/received_bytes_count }| align rate (1m)| group_by [metric.tunnel_name]| outer_join 0,0| value val(0) + val(1)| condition val() > 187.5 "MBy/s" trigger: - count: 1 percent: null condition_prometheus_query_language: [] condition_threshold: [] display_name: VPN Tunnel Bandwidth usage display_name: VPN Tunnel Bandwidth usage documentation: [] enabled: true notification_channels: [] project: fast2-prod-net-landing-0 severity: null timeouts: null user_labels: null google_monitoring_alert_policy.vpn_tunnel_established[0]: alert_strategy: [] combiner: OR conditions: - condition_absent: [] condition_matched_log: [] condition_monitoring_query_language: - duration: 120s evaluation_missing_data: null query: 'fetch vpn_gateway| metric vpn.googleapis.com/tunnel_established| group_by 5m, 
[value_tunnel_established_max: max(value.tunnel_established)]| every 5m| condition val() < 1 ''1''' trigger: - count: 1 percent: null condition_prometheus_query_language: [] condition_threshold: [] display_name: VPN Tunnel Established display_name: VPN Tunnel Established documentation: [] enabled: true notification_channels: [] project: fast2-prod-net-landing-0 severity: null timeouts: null user_labels: null google_monitoring_dashboard.dashboard["firewall_insights.json"]: dashboard_json: '{"displayName":"Firewall Insights Monitoring","gridLayout":{"columns":"2","widgets":[{"title":"Subnet Firewall Hit Counts","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"firewallinsights.googleapis.com/subnet/firewall_hit_count\" resource.type=\"gce_subnetwork\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},{"title":"VM Firewall Hit Counts","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"firewallinsights.googleapis.com/vm/firewall_hit_count\" resource.type=\"gce_instance\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}}]}}' project: fast2-prod-net-landing-0 timeouts: null google_monitoring_dashboard.dashboard["vpc_and_vpc_peering_group_quotas.json"]: dashboard_json: '{"dashboardFilters":[],"displayName":"VPC \u0026 VPC Peering Group Quotas","labels":{},"mosaicLayout":{"columns":12,"tiles":[{"height":4,"widget":{"title":"Internal network (L4) Load Balancers per VPC Peering 
Group","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"breakdowns":[],"dimensions":[],"measures":[],"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/internal_lb_forwarding_rules_per_peering_group/usage\n | align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], .max()\n ; metric\n compute.googleapis.com/quota/internal_lb_forwarding_rules_per_peering_group/limit\n | align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], .min() }\n| ratio\n| value cast_units(val()*100, \"%\")","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"xPos":6},{"height":4,"widget":{"title":"Internal network (L4) Load Balancers per VPC","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/internal_lb_forwarding_rules_per_vpc_network/usage\n | align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], .max()\n ; metric\n compute.googleapis.com/quota/internal_lb_forwarding_rules_per_vpc_network/limit\n | align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], .min() }\n| ratio\n| value cast_units(val()*100, \"%\")","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6},{"height":4,"widget":{"title":"Internal application (L7) Load Balancers per VPC","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"breakdowns":[],"dimensions":[],"measures":[],"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/internal_managed_forwarding_rules_per_vpc_network/usage\n | align 
next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], .max()\n ; metric\n compute.googleapis.com/quota/internal_managed_forwarding_rules_per_vpc_network/limit\n | align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], .min() }\n| ratio\n| value cast_units(val()*100, \"%\")","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"yPos":4},{"height":4,"widget":{"title":"Internal application (L7) Load Balancers per VPC Peering Group","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"breakdowns":[],"dimensions":[],"measures":[],"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/internal_managed_forwarding_rules_per_peering_group/usage\n | align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], .max()\n ; metric\n compute.googleapis.com/quota/internal_managed_forwarding_rules_per_peering_group/limit\n | align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], .min() }\n| ratio\n| value cast_units(val()*100, \"%\")","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"xPos":6,"yPos":4},{"height":4,"widget":{"title":"Instances per VPC","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/instances_per_vpc_network/usage\n | align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], .max()\n ; metric\n compute.googleapis.com/quota/instances_per_vpc_network/limit\n | align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], .min() }\n| ratio\n| value cast_units(val()*100, \"%\") 
","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"yPos":8},{"height":4,"widget":{"title":"Instances per VPC Peering Group","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/instances_per_peering_group/usage\n | align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], .max()\n ; metric\n compute.googleapis.com/quota/instances_per_peering_group/limit\n | align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], .min() }\n| ratio\n| value cast_units(val()*100, \"%\")","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"xPos":6,"yPos":8},{"height":4,"widget":{"title":"Subnet ranges per VPC","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/subnet_ranges_per_vpc_network/usage\n | align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], .max()\n ; metric\n compute.googleapis.com/quota/subnet_ranges_per_vpc_network/limit\n | align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], .min() }\n| ratio\n| value cast_units(val()*100, \"%\")","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"yPos":12},{"height":4,"widget":{"title":"Subnet ranges per VPC Peering Group","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/subnet_ranges_per_peering_group/usage\n | align next_older(1d)\n | 
group_by [resource.resource_container, metric.limit_name], .max()\n ; metric\n compute.googleapis.com/quota/subnet_ranges_per_peering_group/limit\n | align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], .min() }\n| ratio\n| value cast_units(val()*100, \"%\") ","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"xPos":6,"yPos":12}]}}' project: fast2-prod-net-landing-0 timeouts: null google_monitoring_dashboard.dashboard["vpn.json"]: dashboard_json: '{"displayName":"VPN Monitoring","mosaicLayout":{"columns":12,"tiles":[{"height":4,"widget":{"title":"Number of connections","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_MEAN"},"filter":"metric.type=\"vpn.googleapis.com/gateway/connections\" resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":4},{"height":4,"widget":{"title":"Tunnel established","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_MEAN"},"filter":"metric.type=\"vpn.googleapis.com/tunnel_established\" resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":4,"xPos":4},{"height":4,"widget":{"title":"VPN Tunnel Bandwidth usage","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch vpn_gateway| { metric vpn.googleapis.com/network/sent_bytes_count; metric vpn.googleapis.com/network/received_bytes_count }| align rate (1m)| group_by [metric.tunnel_name]| outer_join 0,0| value val(0) 
+ val(1)| condition val() \u003e 187.5 \"MBy/s\""}}],"thresholds":[{"targetAxis":"Y1","value":187500000}],"timeshiftDuration":"0s","yAxis":{"scale":"LINEAR"}}},"width":4,"xPos":8},{"height":4,"widget":{"title":"Cloud VPN Gateway - Received bytes","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"vpn.googleapis.com/network/received_bytes_count\" resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"By"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":6,"yPos":4},{"height":4,"widget":{"title":"Cloud VPN Gateway - Sent bytes","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"vpn.googleapis.com/network/sent_bytes_count\" resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"By"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":6,"xPos":6,"yPos":4},{"height":4,"widget":{"title":"Cloud VPN Gateway - Received packets","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"vpn.googleapis.com/network/received_packets_count\" resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"{packets}"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":6,"yPos":8},{"height":4,"widget":{"title":"Cloud VPN Gateway - Sent 
packets","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"vpn.googleapis.com/network/sent_packets_count\" resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"{packets}"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":6,"xPos":6,"yPos":8},{"height":4,"widget":{"title":"Incoming packets dropped","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"vpn.googleapis.com/network/dropped_received_packets_count\" resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":6,"xPos":6,"yPos":12},{"height":4,"widget":{"title":"Outgoing packets dropped","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"vpn.googleapis.com/network/dropped_sent_packets_count\" resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":6,"yPos":12}]}}' project: fast2-prod-net-landing-0 timeouts: null google_network_connectivity_hub.hub_landing: description: Prod hub landing (trusted) labels: null name: prod-hub-landing project: fast2-prod-net-landing-0 timeouts: null google_network_connectivity_hub.hub_dmz: description: Prod hub DMZ (untrusted) labels: null name: prod-hub-dmz project: fast2-prod-net-landing-0 timeouts: null google_storage_bucket_object.tfvars: bucket: test cache_control: null content_disposition: null 
content_encoding: null content_language: null customer_encryption: [] detect_md5hash: different hash event_based_hold: null metadata: null name: tfvars/2-networking.auto.tfvars.json retention: [] source: null temporary_hold: null timeouts: null module.dev-dns-peer-landing-rev-10.google_dns_managed_zone.dns_managed_zone[0]: cloud_logging_config: - enable_logging: false description: Terraform managed. dns_name: 10.in-addr.arpa. dnssec_config: [] force_destroy: false forwarding_config: [] labels: null name: dev-reverse-10-dns-peering project: fast2-dev-net-spoke-0 reverse_lookup: false service_directory_config: [] timeouts: null visibility: private module.dev-dns-peer-landing-root.google_dns_managed_zone.dns_managed_zone[0]: cloud_logging_config: - enable_logging: false description: Terraform managed. dns_name: . dnssec_config: [] force_destroy: false forwarding_config: [] labels: null name: dev-root-dns-peering project: fast2-dev-net-spoke-0 reverse_lookup: false service_directory_config: [] timeouts: null visibility: private module.dev-dns-private-zone.google_dns_managed_zone.dns_managed_zone[0]: cloud_logging_config: - enable_logging: false description: Terraform managed. dns_name: dev.gcp.example.com. dnssec_config: [] force_destroy: false forwarding_config: [] labels: null name: dev-gcp-example-com peering_config: [] project: fast2-dev-net-spoke-0 service_directory_config: [] timeouts: null visibility: private module.dev-dns-private-zone.google_dns_record_set.dns_record_set["A localhost"]: managed_zone: dev-gcp-example-com name: localhost.dev.gcp.example.com. project: fast2-dev-net-spoke-0 routing_policy: [] rrdatas: - 127.0.0.1 ttl: 300 type: A module.dev-spoke-firewall.google_compute_firewall.custom-rules["ingress-allow-composer-nodes"]: allow: - ports: - '80' - '443' - '3306' - '3307' protocol: tcp deny: [] description: Allow traffic to Composer nodes. 
direction: INGRESS disabled: false log_config: [] name: ingress-allow-composer-nodes priority: 1000 project: fast2-dev-net-spoke-0 source_ranges: null source_service_accounts: null source_tags: - composer-worker target_service_accounts: null target_tags: - composer-worker timeouts: null module.dev-spoke-firewall.google_compute_firewall.custom-rules["ingress-allow-dataflow-load"]: allow: - ports: - '12345' - '12346' protocol: tcp deny: [] description: Allow traffic to Dataflow nodes. direction: INGRESS disabled: false log_config: [] name: ingress-allow-dataflow-load priority: 1000 project: fast2-dev-net-spoke-0 source_ranges: null source_service_accounts: null source_tags: - dataflow target_service_accounts: null target_tags: - dataflow timeouts: null module.dev-spoke-firewall.google_compute_firewall.custom-rules["ingress-default-deny"]: allow: [] deny: - ports: [] protocol: all description: Deny and log any unmatched ingress traffic. direction: INGRESS disabled: false log_config: - metadata: EXCLUDE_ALL_METADATA name: ingress-default-deny priority: 65535 project: fast2-dev-net-spoke-0 source_ranges: - 0.0.0.0/0 source_service_accounts: null source_tags: null target_service_accounts: null target_tags: null timeouts: null module.dev-spoke-project.google_compute_shared_vpc_host_project.shared_vpc_host[0]: project: fast2-dev-net-spoke-0 timeouts: null module.dev-spoke-project.google_monitoring_monitored_project.primary["fast2-prod-net-landing-0"]: metrics_scope: fast2-prod-net-landing-0 name: fast2-dev-net-spoke-0 timeouts: null module.dev-spoke-project.google_project.project[0]: auto_create_network: false billing_account: 000000-111111-222222 folder_id: null labels: null name: fast2-dev-net-spoke-0 org_id: null project_id: fast2-dev-net-spoke-0 skip_delete: false timeouts: null module.dev-spoke-project.google_project_iam_binding.authoritative["roles/dns.admin"]: condition: [] members: - serviceAccount:string project: fast2-dev-net-spoke-0 role: roles/dns.admin 
module.dev-spoke-project.google_project_iam_binding.bindings["sa_delegated_grants"]: condition: - description: Development host project delegated grants. expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/composer.sharedVpcAgent','roles/compute.networkUser','roles/compute.networkViewer','roles/container.hostServiceAgentUser','roles/multiclusterservicediscovery.serviceAgent','roles/vpcaccess.user']) title: dev_stage3_sa_delegated_grants members: - serviceAccount:string project: fast2-dev-net-spoke-0 role: roles/resourcemanager.projectIamAdmin module.dev-spoke-project.google_project_iam_member.servicenetworking[0]: condition: [] project: fast2-dev-net-spoke-0 role: roles/servicenetworking.serviceAgent module.dev-spoke-project.google_project_service.project_services["compute.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false project: fast2-dev-net-spoke-0 service: compute.googleapis.com timeouts: null module.dev-spoke-project.google_project_service.project_services["dns.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false project: fast2-dev-net-spoke-0 service: dns.googleapis.com timeouts: null module.dev-spoke-project.google_project_service.project_services["iap.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false project: fast2-dev-net-spoke-0 service: iap.googleapis.com timeouts: null module.dev-spoke-project.google_project_service.project_services["networkmanagement.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false project: fast2-dev-net-spoke-0 service: networkmanagement.googleapis.com timeouts: null module.dev-spoke-project.google_project_service.project_services["servicenetworking.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false project: fast2-dev-net-spoke-0 service: servicenetworking.googleapis.com timeouts: null 
module.dev-spoke-project.google_project_service.project_services["stackdriver.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false project: fast2-dev-net-spoke-0 service: stackdriver.googleapis.com timeouts: null module.dev-spoke-project.google_project_service.project_services["vpcaccess.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false project: fast2-dev-net-spoke-0 service: vpcaccess.googleapis.com timeouts: null module.dev-spoke-project.google_project_service_identity.jit_si["iap.googleapis.com"]: project: fast2-dev-net-spoke-0 service: iap.googleapis.com timeouts: null module.dev-spoke-project.google_project_service_identity.servicenetworking[0]: project: fast2-dev-net-spoke-0 service: servicenetworking.googleapis.com timeouts: null module.dev-spoke-vpc.google_compute_network.network[0]: auto_create_subnetworks: false delete_default_routes_on_create: true description: Terraform-managed. enable_ula_internal_ipv6: null mtu: 1500 name: dev-spoke-0 network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL project: fast2-dev-net-spoke-0 routing_mode: GLOBAL timeouts: null module.dev-spoke-vpc.google_compute_route.gateway["private-googleapis"]: description: Terraform-managed. dest_range: 199.36.153.8/30 name: dev-spoke-0-private-googleapis next_hop_gateway: default-internet-gateway next_hop_ilb: null next_hop_instance: null next_hop_vpn_tunnel: null priority: 1000 project: fast2-dev-net-spoke-0 tags: null timeouts: null module.dev-spoke-vpc.google_compute_route.gateway["restricted-googleapis"]: description: Terraform-managed. 
dest_range: 199.36.153.4/30 name: dev-spoke-0-restricted-googleapis next_hop_gateway: default-internet-gateway next_hop_ilb: null next_hop_instance: null next_hop_vpn_tunnel: null priority: 1000 project: fast2-dev-net-spoke-0 tags: null timeouts: null module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/dev-dataplatform"]: description: Default subnet for dev Data Platform ip_cidr_range: 10.68.2.0/24 ipv6_access_type: null log_config: [] name: dev-dataplatform private_ip_google_access: true project: fast2-dev-net-spoke-0 region: europe-west1 role: null secondary_ip_range: - ip_cidr_range: 100.69.0.0/16 range_name: pods - ip_cidr_range: 100.71.2.0/24 range_name: services timeouts: null module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/dev-default"]: description: Default europe-west1 subnet for dev ip_cidr_range: 10.68.0.0/24 ipv6_access_type: null log_config: [] name: dev-default private_ip_google_access: true project: fast2-dev-net-spoke-0 region: europe-west1 role: null secondary_ip_range: [] timeouts: null module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/dev-gke-nodes"]: description: Default subnet for prod gke nodes ip_cidr_range: 10.68.1.0/24 ipv6_access_type: null log_config: [] name: dev-gke-nodes private_ip_google_access: true project: fast2-dev-net-spoke-0 region: europe-west1 role: null secondary_ip_range: - ip_cidr_range: 100.68.0.0/16 range_name: pods - ip_cidr_range: 100.71.1.0/24 range_name: services timeouts: null module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west4/dev-default"]: description: Default europe-west4 subnet for dev ip_cidr_range: 10.84.0.0/24 ipv6_access_type: null log_config: [] name: dev-default private_ip_google_access: true project: fast2-dev-net-spoke-0 region: europe-west4 role: null secondary_ip_range: [] timeouts: null module.dev-spoke-vpc.google_dns_policy.default[0]: alternative_name_server_config: [] description: Managed by Terraform 
enable_inbound_forwarding: null enable_logging: true name: dev-spoke-0 networks: - {} project: fast2-dev-net-spoke-0 timeouts: null module.firewall-policy-default.google_compute_firewall_policy.hierarchical[0]: description: null short_name: net-default timeouts: null module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-healthchecks"]: action: allow description: Enable HTTP and HTTPS healthchecks direction: INGRESS disabled: false enable_logging: null match: - dest_address_groups: null dest_fqdns: null dest_ip_ranges: null dest_region_codes: null dest_threat_intelligences: null layer4_configs: - ip_protocol: tcp ports: - '80' - '443' src_address_groups: null src_fqdns: null src_ip_ranges: - 35.191.0.0/16 - 130.211.0.0/22 - 209.85.152.0/22 - 209.85.204.0/22 src_region_codes: null src_threat_intelligences: null priority: 1001 target_resources: null target_service_accounts: null timeouts: null module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-icmp"]: action: allow description: Enable ICMP direction: INGRESS disabled: false enable_logging: null match: - dest_address_groups: null dest_fqdns: null dest_ip_ranges: null dest_region_codes: null dest_threat_intelligences: null layer4_configs: - ip_protocol: icmp ports: [] src_address_groups: null src_fqdns: null src_ip_ranges: - 0.0.0.0/0 src_region_codes: null src_threat_intelligences: null priority: 1003 target_resources: null target_service_accounts: null timeouts: null module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-nat-ranges"]: action: allow description: Enable NAT ranges for VPC serverless connector direction: INGRESS disabled: false enable_logging: null match: - dest_address_groups: null dest_fqdns: null dest_ip_ranges: null dest_region_codes: null dest_threat_intelligences: null layer4_configs: - ip_protocol: all ports: null src_address_groups: null src_fqdns: null src_ip_ranges: - 
107.178.230.64/26 - 35.199.224.0/19 src_region_codes: null src_threat_intelligences: null priority: 1004 target_resources: null target_service_accounts: null timeouts: null module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-ssh-from-iap"]: action: allow description: Enable SSH from IAP direction: INGRESS disabled: false enable_logging: true match: - dest_address_groups: null dest_fqdns: null dest_ip_ranges: null dest_region_codes: null dest_threat_intelligences: null layer4_configs: - ip_protocol: tcp ports: - '22' src_address_groups: null src_fqdns: null src_ip_ranges: - 35.235.240.0/20 src_region_codes: null src_threat_intelligences: null priority: 1002 target_resources: null target_service_accounts: null timeouts: null module.folder.google_compute_firewall_policy_association.default[0]: name: default timeouts: null module.folder.google_essential_contacts_contact.contact["gcp-network-admins@fast.example.com"]: email: gcp-network-admins@fast.example.com language_tag: en notification_category_subscriptions: - ALL timeouts: null module.folder.google_folder.folder[0]: display_name: Networking parent: organizations/123456789012 timeouts: null module.landing-dns-fwd-onprem-example[0].google_dns_managed_zone.dns_managed_zone[0]: cloud_logging_config: - enable_logging: false description: Terraform managed. dns_name: onprem.example.com. dnssec_config: [] force_destroy: false forwarding_config: - target_name_servers: - forwarding_path: '' ipv4_address: 10.10.10.10 labels: null name: example-com peering_config: [] project: fast2-prod-net-landing-0 reverse_lookup: false service_directory_config: [] timeouts: null visibility: private module.landing-dns-fwd-onprem-rev-10[0].google_dns_managed_zone.dns_managed_zone[0]: cloud_logging_config: - enable_logging: false description: Terraform managed. dns_name: 10.in-addr.arpa. 
dnssec_config: [] force_destroy: false forwarding_config: - target_name_servers: - forwarding_path: '' ipv4_address: 10.10.10.10 labels: null name: root-reverse-10 peering_config: [] project: fast2-prod-net-landing-0 reverse_lookup: false service_directory_config: [] timeouts: null visibility: private module.landing-dns-policy-googleapis.google_dns_response_policy.default[0]: description: Managed by Terraform gke_clusters: [] networks: - {} - {} project: fast2-prod-net-landing-0 response_policy_name: googleapis timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["accounts"]: behavior: null dns_name: accounts.google.com. local_data: - local_datas: - name: accounts.google.com. rrdatas: - private.googleapis.com. ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: accounts timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-cloud"]: behavior: null dns_name: backupdr.cloud.google.com. local_data: - local_datas: - name: backupdr.cloud.google.com. rrdatas: - private.googleapis.com. ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: backupdr-cloud timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-cloud-all"]: behavior: null dns_name: '*.backupdr.cloud.google.com.' local_data: - local_datas: - name: '*.backupdr.cloud.google.com.' rrdatas: - private.googleapis.com. ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: backupdr-cloud-all timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-gu"]: behavior: null dns_name: backupdr.googleusercontent.google.com. local_data: - local_datas: - name: backupdr.googleusercontent.google.com. rrdatas: - private.googleapis.com. 
ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: backupdr-gu timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-gu-all"]: behavior: null dns_name: '*.backupdr.googleusercontent.google.com.' local_data: - local_datas: - name: '*.backupdr.googleusercontent.google.com.' rrdatas: - private.googleapis.com. ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: backupdr-gu-all timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["cloudfunctions"]: behavior: null dns_name: '*.cloudfunctions.net.' local_data: - local_datas: - name: '*.cloudfunctions.net.' rrdatas: - private.googleapis.com. ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: cloudfunctions timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["cloudproxy"]: behavior: null dns_name: '*.cloudproxy.app.' local_data: - local_datas: - name: '*.cloudproxy.app.' rrdatas: - private.googleapis.com. ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: cloudproxy timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["composer-cloud-all"]: behavior: null dns_name: '*.composer.cloud.google.com.' local_data: - local_datas: - name: '*.composer.cloud.google.com.' rrdatas: - private.googleapis.com. ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: composer-cloud-all timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["composer-gu-all"]: behavior: null dns_name: '*.composer.googleusercontent.com.' local_data: - local_datas: - name: '*.composer.googleusercontent.com.' rrdatas: - private.googleapis.com. 
ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: composer-gu-all timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["datafusion-all"]: behavior: null dns_name: '*.datafusion.cloud.google.com.' local_data: - local_datas: - name: '*.datafusion.cloud.google.com.' rrdatas: - private.googleapis.com. ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: datafusion-all timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["datafusion-gu-all"]: behavior: null dns_name: '*.datafusion.googleusercontent.com.' local_data: - local_datas: - name: '*.datafusion.googleusercontent.com.' rrdatas: - private.googleapis.com. ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: datafusion-gu-all timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc"]: behavior: null dns_name: dataproc.cloud.google.com. local_data: - local_datas: - name: dataproc.cloud.google.com. rrdatas: - private.googleapis.com. ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: dataproc timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc-all"]: behavior: null dns_name: '*.dataproc.cloud.google.com.' local_data: - local_datas: - name: '*.dataproc.cloud.google.com.' rrdatas: - private.googleapis.com. ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: dataproc-all timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc-gu"]: behavior: null dns_name: dataproc.googleusercontent.com. local_data: - local_datas: - name: dataproc.googleusercontent.com. rrdatas: - private.googleapis.com. 
ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: dataproc-gu timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc-gu-all"]: behavior: null dns_name: '*.dataproc.googleusercontent.com.' local_data: - local_datas: - name: '*.dataproc.googleusercontent.com.' rrdatas: - private.googleapis.com. ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: dataproc-gu-all timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dl"]: behavior: null dns_name: dl.google.com. local_data: - local_datas: - name: dl.google.com. rrdatas: - private.googleapis.com. ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: dl timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["gcr"]: behavior: null dns_name: gcr.io. local_data: - local_datas: - name: gcr.io. rrdatas: - private.googleapis.com. ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: gcr timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["gcr-all"]: behavior: null dns_name: '*.gcr.io.' local_data: - local_datas: - name: '*.gcr.io.' rrdatas: - private.googleapis.com. ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: gcr-all timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["googleapis-all"]: behavior: null dns_name: '*.googleapis.com.' local_data: - local_datas: - name: '*.googleapis.com.' rrdatas: - private.googleapis.com. ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: googleapis-all timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["googleapis-private"]: behavior: null dns_name: private.googleapis.com. 
local_data: - local_datas: - name: private.googleapis.com. rrdatas: - 199.36.153.8 - 199.36.153.9 - 199.36.153.10 - 199.36.153.11 ttl: null type: A project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: googleapis-private timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["googleapis-restricted"]: behavior: null dns_name: restricted.googleapis.com. local_data: - local_datas: - name: restricted.googleapis.com. rrdatas: - 199.36.153.4 - 199.36.153.5 - 199.36.153.6 - 199.36.153.7 ttl: null type: A project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: googleapis-restricted timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["gstatic-all"]: behavior: null dns_name: '*.gstatic.com.' local_data: - local_datas: - name: '*.gstatic.com.' rrdatas: - private.googleapis.com. ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: gstatic-all timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["kernels-gu"]: behavior: null dns_name: kernels.googleusercontent.com. local_data: - local_datas: - name: kernels.googleusercontent.com. rrdatas: - private.googleapis.com. ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: kernels-gu timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["kernels-gu-all"]: behavior: null dns_name: '*.kernels.googleusercontent.com.' local_data: - local_datas: - name: '*.kernels.googleusercontent.com.' rrdatas: - private.googleapis.com. ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: kernels-gu-all timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["notebooks-all"]: behavior: null dns_name: '*.notebooks.cloud.google.com.' local_data: - local_datas: - name: '*.notebooks.cloud.google.com.' 
rrdatas: - private.googleapis.com. ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: notebooks-all timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["notebooks-gu-all"]: behavior: null dns_name: '*.notebooks.googleusercontent.com.' local_data: - local_datas: - name: '*.notebooks.googleusercontent.com.' rrdatas: - private.googleapis.com. ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: notebooks-gu-all timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["packages-cloud"]: behavior: null dns_name: packages.cloud.google.com. local_data: - local_datas: - name: packages.cloud.google.com. rrdatas: - private.googleapis.com. ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: packages-cloud timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["packages-cloud-all"]: behavior: null dns_name: '*.packages.cloud.google.com.' local_data: - local_datas: - name: '*.packages.cloud.google.com.' rrdatas: - private.googleapis.com. ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: packages-cloud-all timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkgdev"]: behavior: null dns_name: pkg.dev. local_data: - local_datas: - name: pkg.dev. rrdatas: - private.googleapis.com. ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: pkgdev timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkgdev-all"]: behavior: null dns_name: '*.pkg.dev.' local_data: - local_datas: - name: '*.pkg.dev.' rrdatas: - private.googleapis.com. 
ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: pkgdev-all timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkigoog"]: behavior: null dns_name: pki.goog. local_data: - local_datas: - name: pki.goog. rrdatas: - private.googleapis.com. ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: pkigoog timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkigoog-all"]: behavior: null dns_name: '*.pki.goog.' local_data: - local_datas: - name: '*.pki.goog.' rrdatas: - private.googleapis.com. ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: pkigoog-all timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["run-all"]: behavior: null dns_name: '*.run.app.' local_data: - local_datas: - name: '*.run.app.' rrdatas: - private.googleapis.com. ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: run-all timeouts: null module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["source"]: behavior: null dns_name: source.developers.google.com. local_data: - local_datas: - name: source.developers.google.com. rrdatas: - private.googleapis.com. ttl: null type: CNAME project: fast2-prod-net-landing-0 response_policy: googleapis rule_name: source timeouts: null module.landing-dns-priv-gcp.google_dns_managed_zone.dns_managed_zone[0]: cloud_logging_config: - enable_logging: false description: Terraform managed. dns_name: gcp.example.com. 
dnssec_config: [] force_destroy: false forwarding_config: [] labels: null name: gcp-example-com peering_config: [] project: fast2-prod-net-landing-0 service_directory_config: [] timeouts: null visibility: private module.landing-dns-priv-gcp.google_dns_record_set.dns_record_set["A localhost"]: managed_zone: gcp-example-com name: localhost.gcp.example.com. project: fast2-prod-net-landing-0 routing_policy: [] rrdatas: - 127.0.0.1 ttl: 300 type: A module.landing-nat-primary[0].google_compute_router.router[0]: bgp: [] description: null encrypted_interconnect_router: null name: prod-nat-ew1 project: fast2-prod-net-landing-0 region: europe-west1 timeouts: null module.landing-nat-primary[0].google_compute_router_nat.nat: drain_nat_ips: null enable_dynamic_port_allocation: false enable_endpoint_independent_mapping: true icmp_idle_timeout_sec: 30 log_config: - enable: false filter: ALL max_ports_per_vm: 65536 min_ports_per_vm: 64 name: ew1 nat_ip_allocate_option: AUTO_ONLY nat_ips: null project: fast2-prod-net-landing-0 region: europe-west1 router: prod-nat-ew1 rules: [] source_subnetwork_ip_ranges_to_nat: ALL_SUBNETWORKS_ALL_IP_RANGES subnetwork: [] tcp_established_idle_timeout_sec: 1200 tcp_time_wait_timeout_sec: 120 tcp_transitory_idle_timeout_sec: 30 timeouts: null udp_idle_timeout_sec: 30 module.landing-nat-secondary[0].google_compute_router.router[0]: bgp: [] description: null encrypted_interconnect_router: null name: prod-nat-ew4 project: fast2-prod-net-landing-0 region: europe-west4 timeouts: null module.landing-nat-secondary[0].google_compute_router_nat.nat: drain_nat_ips: null enable_dynamic_port_allocation: false enable_endpoint_independent_mapping: true icmp_idle_timeout_sec: 30 log_config: - enable: false filter: ALL max_ports_per_vm: 65536 min_ports_per_vm: 64 name: ew4 nat_ip_allocate_option: AUTO_ONLY nat_ips: null project: fast2-prod-net-landing-0 region: europe-west4 router: prod-nat-ew4 rules: [] source_subnetwork_ip_ranges_to_nat: 
ALL_SUBNETWORKS_ALL_IP_RANGES subnetwork: [] tcp_established_idle_timeout_sec: 1200 tcp_time_wait_timeout_sec: 120 tcp_transitory_idle_timeout_sec: 30 timeouts: null udp_idle_timeout_sec: 30 module.landing-project.google_compute_shared_vpc_host_project.shared_vpc_host[0]: project: fast2-prod-net-landing-0 timeouts: null module.landing-project.google_project.project[0]: auto_create_network: false billing_account: 000000-111111-222222 folder_id: null labels: null name: fast2-prod-net-landing-0 org_id: null project_id: fast2-prod-net-landing-0 skip_delete: false timeouts: null module.landing-project.google_project_iam_binding.authoritative["organizations/123456789012/roles/foo"]: condition: [] members: - serviceAccount:string project: fast2-prod-net-landing-0 role: organizations/123456789012/roles/foo module.landing-project.google_project_iam_binding.authoritative["roles/dns.admin"]: condition: [] members: - serviceAccount:string project: fast2-prod-net-landing-0 role: roles/dns.admin module.landing-project.google_project_service.project_services["compute.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false project: fast2-prod-net-landing-0 service: compute.googleapis.com timeouts: null module.landing-project.google_project_service.project_services["dns.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false project: fast2-prod-net-landing-0 service: dns.googleapis.com timeouts: null module.landing-project.google_project_service.project_services["iap.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false project: fast2-prod-net-landing-0 service: iap.googleapis.com timeouts: null module.landing-project.google_project_service.project_services["networkconnectivity.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false project: fast2-prod-net-landing-0 service: networkconnectivity.googleapis.com timeouts: null 
# NOTE(review): the on-prem VPN resources that start in this span
# (module.landing-to-onprem-primary-vpn / -secondary-vpn) carry test-fixture
# values: the external gateway addresses 8.8.8.8 / 8.8.4.4 and the tunnel
# shared_secret literal `foo` are placeholders, and the BGP peers set no MD5
# key (md5_authentication_key: []). Confirm the real stage sources the IPsec
# PSK from random_id.secret or a secret store rather than a tfvars literal.
# NOTE(review): in the secondary region the BGP peers use peer_ip_address
# 169.254.1.1 / 169.254.2.1 while the secondary router interfaces are
# 169.254.3.2/30 / 169.254.4.2/30, so both peers fall outside their link /30s;
# the primary region pairing (169.254.1.2/30 -> 169.254.1.1) is consistent.
# This looks like primary-region values copied into the test tfvars -- TODO
# confirm and regenerate this inventory afterwards.
# NOTE(review): peer_asn differs between the two tunnels of each gateway
# (65500 on tunnel 0, 64513 on tunnel 1) -- verify that is intentional.
module.landing-project.google_project_service.project_services["networkmanagement.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false project: fast2-prod-net-landing-0 service: networkmanagement.googleapis.com timeouts: null module.landing-project.google_project_service.project_services["stackdriver.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false project: fast2-prod-net-landing-0 service: stackdriver.googleapis.com timeouts: null module.landing-project.google_project_service_identity.jit_si["iap.googleapis.com"]: project: fast2-prod-net-landing-0 service: iap.googleapis.com timeouts: null module.landing-to-onprem-primary-vpn[0].google_compute_external_vpn_gateway.external_gateway["default"]: description: Terraform managed external VPN gateway interface: - id: 0 ip_address: 8.8.8.8 labels: null name: vpn-to-onprem-ew1-default project: fast2-prod-net-landing-0 redundancy_type: SINGLE_IP_INTERNALLY_REDUNDANT timeouts: null module.landing-to-onprem-primary-vpn[0].google_compute_ha_vpn_gateway.ha_gateway[0]: description: Terraform managed external VPN gateway name: vpn-to-onprem-ew1 project: fast2-prod-net-landing-0 region: europe-west1 stack_type: IPV4_ONLY timeouts: null module.landing-to-onprem-primary-vpn[0].google_compute_router.router[0]: bgp: - advertise_mode: CUSTOM advertised_groups: [] advertised_ip_ranges: - description: gcp range: 10.1.0.0/16 - description: gcp-restricted range: 199.36.153.4/30 - description: gcp-dns range: 35.199.192.0/19 asn: 65501 keepalive_interval: 20 description: null encrypted_interconnect_router: null name: vpn-vpn-to-onprem-ew1 project: fast2-prod-net-landing-0 region: europe-west1 timeouts: null module.landing-to-onprem-primary-vpn[0].google_compute_router_interface.router_interface["0"]: interconnect_attachment: null ip_range: 169.254.1.2/30 name: vpn-to-onprem-ew1-0 private_ip_address: null project: fast2-prod-net-landing-0 region: europe-west1 router: vpn-vpn-to-onprem-ew1 
subnetwork: null timeouts: null vpn_tunnel: vpn-to-onprem-ew1-0 module.landing-to-onprem-primary-vpn[0].google_compute_router_interface.router_interface["1"]: interconnect_attachment: null ip_range: 169.254.2.2/30 name: vpn-to-onprem-ew1-1 private_ip_address: null project: fast2-prod-net-landing-0 region: europe-west1 router: vpn-vpn-to-onprem-ew1 subnetwork: null timeouts: null vpn_tunnel: vpn-to-onprem-ew1-1 module.landing-to-onprem-primary-vpn[0].google_compute_router_peer.bgp_peer["0"]: advertise_mode: DEFAULT advertised_groups: [] advertised_ip_ranges: [] advertised_route_priority: 1000 enable: true enable_ipv6: false interface: vpn-to-onprem-ew1-0 md5_authentication_key: [] name: vpn-to-onprem-ew1-0 peer_asn: 65500 peer_ip_address: 169.254.1.1 project: fast2-prod-net-landing-0 region: europe-west1 router: vpn-vpn-to-onprem-ew1 router_appliance_instance: null timeouts: null module.landing-to-onprem-primary-vpn[0].google_compute_router_peer.bgp_peer["1"]: advertise_mode: DEFAULT advertised_groups: [] advertised_ip_ranges: [] advertised_route_priority: 1000 enable: true enable_ipv6: false interface: vpn-to-onprem-ew1-1 md5_authentication_key: [] name: vpn-to-onprem-ew1-1 peer_asn: 64513 peer_ip_address: 169.254.2.1 project: fast2-prod-net-landing-0 region: europe-west1 router: vpn-vpn-to-onprem-ew1 router_appliance_instance: null timeouts: null module.landing-to-onprem-primary-vpn[0].google_compute_vpn_tunnel.tunnels["0"]: description: null ike_version: 2 labels: null name: vpn-to-onprem-ew1-0 peer_external_gateway_interface: null peer_gcp_gateway: null project: fast2-prod-net-landing-0 region: europe-west1 router: vpn-vpn-to-onprem-ew1 shared_secret: foo target_vpn_gateway: null timeouts: null vpn_gateway_interface: 0 module.landing-to-onprem-primary-vpn[0].google_compute_vpn_tunnel.tunnels["1"]: description: null ike_version: 2 labels: null name: vpn-to-onprem-ew1-1 peer_external_gateway_interface: null peer_gcp_gateway: null project: fast2-prod-net-landing-0 
region: europe-west1 router: vpn-vpn-to-onprem-ew1 shared_secret: foo target_vpn_gateway: null timeouts: null vpn_gateway_interface: 1 module.landing-to-onprem-primary-vpn[0].random_id.secret: byte_length: 8 keepers: null prefix: null module.landing-to-onprem-secondary-vpn[0].google_compute_external_vpn_gateway.external_gateway["default"]: description: Terraform managed external VPN gateway interface: - id: 0 ip_address: 8.8.4.4 labels: null name: vpn-to-onprem-ew4-default project: fast2-prod-net-landing-0 redundancy_type: SINGLE_IP_INTERNALLY_REDUNDANT timeouts: null module.landing-to-onprem-secondary-vpn[0].google_compute_ha_vpn_gateway.ha_gateway[0]: description: Terraform managed external VPN gateway name: vpn-to-onprem-ew4 project: fast2-prod-net-landing-0 region: europe-west4 stack_type: IPV4_ONLY timeouts: null module.landing-to-onprem-secondary-vpn[0].google_compute_router.router[0]: bgp: - advertise_mode: CUSTOM advertised_groups: [] advertised_ip_ranges: - description: gcp range: 10.1.0.0/16 - description: gcp-restricted range: 199.36.153.4/30 - description: gcp-dns range: 35.199.192.0/19 asn: 65501 keepalive_interval: 20 description: null encrypted_interconnect_router: null name: vpn-vpn-to-onprem-ew4 project: fast2-prod-net-landing-0 region: europe-west4 timeouts: null module.landing-to-onprem-secondary-vpn[0].google_compute_router_interface.router_interface["0"]: interconnect_attachment: null ip_range: 169.254.3.2/30 name: vpn-to-onprem-ew4-0 private_ip_address: null project: fast2-prod-net-landing-0 region: europe-west4 router: vpn-vpn-to-onprem-ew4 subnetwork: null timeouts: null vpn_tunnel: vpn-to-onprem-ew4-0 module.landing-to-onprem-secondary-vpn[0].google_compute_router_interface.router_interface["1"]: interconnect_attachment: null ip_range: 169.254.4.2/30 name: vpn-to-onprem-ew4-1 private_ip_address: null project: fast2-prod-net-landing-0 region: europe-west4 router: vpn-vpn-to-onprem-ew4 subnetwork: null timeouts: null vpn_tunnel: 
vpn-to-onprem-ew4-1 module.landing-to-onprem-secondary-vpn[0].google_compute_router_peer.bgp_peer["0"]: advertise_mode: DEFAULT advertised_groups: [] advertised_ip_ranges: [] advertised_route_priority: 1000 enable: true enable_ipv6: false interface: vpn-to-onprem-ew4-0 md5_authentication_key: [] name: vpn-to-onprem-ew4-0 peer_asn: 65500 peer_ip_address: 169.254.1.1 project: fast2-prod-net-landing-0 region: europe-west4 router: vpn-vpn-to-onprem-ew4 router_appliance_instance: null timeouts: null module.landing-to-onprem-secondary-vpn[0].google_compute_router_peer.bgp_peer["1"]: advertise_mode: DEFAULT advertised_groups: [] advertised_ip_ranges: [] advertised_route_priority: 1000 enable: true enable_ipv6: false interface: vpn-to-onprem-ew4-1 md5_authentication_key: [] name: vpn-to-onprem-ew4-1 peer_asn: 64513 peer_ip_address: 169.254.2.1 project: fast2-prod-net-landing-0 region: europe-west4 router: vpn-vpn-to-onprem-ew4 router_appliance_instance: null timeouts: null module.landing-to-onprem-secondary-vpn[0].google_compute_vpn_tunnel.tunnels["0"]: description: null ike_version: 2 labels: null name: vpn-to-onprem-ew4-0 peer_external_gateway_interface: null peer_gcp_gateway: null project: fast2-prod-net-landing-0 region: europe-west4 router: vpn-vpn-to-onprem-ew4 shared_secret: foo target_vpn_gateway: null timeouts: null vpn_gateway_interface: 0 module.landing-to-onprem-secondary-vpn[0].google_compute_vpn_tunnel.tunnels["1"]: description: null ike_version: 2 labels: null name: vpn-to-onprem-ew4-1 peer_external_gateway_interface: null peer_gcp_gateway: null project: fast2-prod-net-landing-0 region: europe-west4 router: vpn-vpn-to-onprem-ew4 shared_secret: foo target_vpn_gateway: null timeouts: null vpn_gateway_interface: 1 module.landing-to-onprem-secondary-vpn[0].random_id.secret: byte_length: 8 keepers: null prefix: null module.landing-firewall.google_compute_firewall.custom-rules["allow-hc-nva-ssh-landing"]: allow: - ports: - '22' protocol: tcp deny: [] description: 
Allow traffic from Google healthchecks to NVA appliances direction: INGRESS disabled: false log_config: [] name: allow-hc-nva-ssh-landing priority: 1000 project: fast2-prod-net-landing-0 source_ranges: - 130.211.0.0/22 - 209.85.152.0/22 - 209.85.204.0/22 - 35.191.0.0/16 source_service_accounts: null source_tags: null target_service_accounts: null target_tags: null timeouts: null module.landing-firewall.google_compute_firewall.custom-rules["allow-ncc-nva-bgp-landing"]: allow: - ports: - '179' protocol: tcp deny: [] description: Allow BGP traffic from NCC Cloud Routers to NVAs direction: INGRESS disabled: false log_config: [] name: allow-ncc-nva-bgp-landing priority: 1000 project: fast2-prod-net-landing-0 source_ranges: - 10.128.64.201/32 - 10.128.64.202/32 - 10.128.96.201/32 - 10.128.96.202/32 source_service_accounts: null source_tags: null target_service_accounts: null target_tags: - nva timeouts: null module.landing-firewall.google_compute_firewall.custom-rules["allow-onprem-probes-landing-example"]: allow: - ports: - '12345' protocol: tcp deny: [] description: Allow traffic from onprem probes direction: INGRESS disabled: false log_config: [] name: allow-onprem-probes-landing-example priority: 1000 project: fast2-prod-net-landing-0 source_ranges: - 10.255.255.254/32 source_service_accounts: null source_tags: null target_service_accounts: null target_tags: null timeouts: null module.landing-firewall.google_compute_firewall.custom-rules["landing-ingress-default-deny"]: allow: [] deny: - ports: [] protocol: all description: Deny and log any unmatched ingress traffic. 
direction: INGRESS disabled: false log_config: - metadata: EXCLUDE_ALL_METADATA name: landing-ingress-default-deny priority: 65535 project: fast2-prod-net-landing-0 source_ranges: - 0.0.0.0/0 source_service_accounts: null source_tags: null target_service_accounts: null target_tags: null timeouts: null module.landing-vpc.google_compute_network.network[0]: auto_create_subnetworks: false delete_default_routes_on_create: true description: Terraform-managed. enable_ula_internal_ipv6: null mtu: 1500 name: prod-landing-0 network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL project: fast2-prod-net-landing-0 routing_mode: GLOBAL timeouts: null module.landing-vpc.google_compute_route.gateway["private-googleapis"]: description: Terraform-managed. dest_range: 199.36.153.8/30 name: prod-landing-0-private-googleapis next_hop_gateway: default-internet-gateway next_hop_ilb: null next_hop_instance: null next_hop_vpn_tunnel: null priority: 1000 project: fast2-prod-net-landing-0 tags: null timeouts: null module.landing-vpc.google_compute_route.gateway["restricted-googleapis"]: description: Terraform-managed. 
dest_range: 199.36.153.4/30 name: prod-landing-0-restricted-googleapis next_hop_gateway: default-internet-gateway next_hop_ilb: null next_hop_instance: null next_hop_vpn_tunnel: null priority: 1000 project: fast2-prod-net-landing-0 tags: null timeouts: null module.landing-vpc.google_compute_subnetwork.subnetwork["europe-west1/landing-default"]: description: Default europe-west1 subnet for landing ip_cidr_range: 10.64.0.0/24 ipv6_access_type: null log_config: [] name: landing-default private_ip_google_access: true project: fast2-prod-net-landing-0 region: europe-west1 role: null secondary_ip_range: [] timeouts: null module.landing-vpc.google_compute_subnetwork.subnetwork["europe-west4/landing-default"]: description: Default europe-west4 subnet for landing ip_cidr_range: 10.80.0.0/24 ipv6_access_type: null log_config: [] name: landing-default private_ip_google_access: true project: fast2-prod-net-landing-0 region: europe-west4 role: null secondary_ip_range: [] timeouts: null module.landing-vpc.google_dns_policy.default[0]: alternative_name_server_config: [] description: Managed by Terraform enable_inbound_forwarding: true enable_logging: null name: prod-landing-0 networks: - {} project: fast2-prod-net-landing-0 timeouts: null module.dmz-firewall.google_compute_firewall.custom-rules["allow-hc-nva-ssh-dmz"]: allow: - ports: - '22' protocol: tcp deny: [] description: Allow traffic from Google healthchecks to NVA appliances direction: INGRESS disabled: false log_config: [] name: allow-hc-nva-ssh-dmz priority: 1000 project: fast2-prod-net-landing-0 source_ranges: - 130.211.0.0/22 - 209.85.152.0/22 - 209.85.204.0/22 - 35.191.0.0/16 source_service_accounts: null source_tags: null target_service_accounts: null target_tags: null timeouts: null module.dmz-firewall.google_compute_firewall.custom-rules["allow-ncc-nva-bgp-dmz"]: allow: - ports: - '179' protocol: tcp deny: [] description: Allow BGP traffic from NCC Cloud Routers to NVAs direction: INGRESS disabled: false 
log_config: [] name: allow-ncc-nva-bgp-dmz priority: 1000 project: fast2-prod-net-landing-0 source_ranges: - 10.128.0.201/32 - 10.128.0.202/32 - 10.128.32.201/32 - 10.128.32.202/32 source_service_accounts: null source_tags: null target_service_accounts: null target_tags: - nva timeouts: null module.dmz-firewall.google_compute_firewall.custom-rules["allow-nva-nva-bgp-dmz"]: allow: - ports: - '179' protocol: tcp deny: [] description: Allow BGP traffic from cross-regional NVAs direction: INGRESS disabled: false log_config: [] name: allow-nva-nva-bgp-dmz priority: 1000 project: fast2-prod-net-landing-0 source_ranges: null source_service_accounts: null source_tags: - nva target_service_accounts: null target_tags: - nva timeouts: null module.dmz-firewall.google_compute_firewall.custom-rules["dmz-ingress-default-deny"]: allow: [] deny: - ports: [] protocol: all description: Deny and log any unmatched ingress traffic. direction: INGRESS disabled: false log_config: - metadata: EXCLUDE_ALL_METADATA name: dmz-ingress-default-deny priority: 65535 project: fast2-prod-net-landing-0 source_ranges: - 0.0.0.0/0 source_service_accounts: null source_tags: null target_service_accounts: null target_tags: null timeouts: null module.dmz-vpc.google_compute_network.network[0]: auto_create_subnetworks: false delete_default_routes_on_create: false description: Terraform-managed. 
enable_ula_internal_ipv6: null mtu: 1500 name: prod-dmz-0 network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL project: fast2-prod-net-landing-0 routing_mode: GLOBAL timeouts: null module.dmz-vpc.google_compute_subnetwork.subnetwork["europe-west1/dmz-default"]: description: Default europe-west1 subnet for DMZ ip_cidr_range: 10.64.128.0/24 ipv6_access_type: null log_config: [] name: dmz-default private_ip_google_access: true project: fast2-prod-net-landing-0 region: europe-west1 role: null secondary_ip_range: [] timeouts: null module.dmz-vpc.google_compute_subnetwork.subnetwork["europe-west4/dmz-default"]: description: Default europe-west4 subnet for DMZ ip_cidr_range: 10.80.128.0/24 ipv6_access_type: null log_config: [] name: dmz-default private_ip_google_access: true project: fast2-prod-net-landing-0 region: europe-west4 role: null secondary_ip_range: [] timeouts: null module.dmz-vpc.google_dns_policy.default[0]: alternative_name_server_config: [] description: Managed by Terraform enable_inbound_forwarding: true enable_logging: true name: prod-dmz-0 networks: - {} project: fast2-prod-net-landing-0 timeouts: null module.nva["primary-b"].google_compute_instance.default[0]: advanced_machine_features: [] allow_stopping_for_update: true attached_disk: [] boot_disk: - auto_delete: true disk_encryption_key_raw: null initialize_params: - enable_confidential_compute: null image: projects/cos-cloud/global/images/family/cos-stable resource_manager_tags: null size: 10 type: pd-balanced mode: READ_WRITE can_ip_forward: true deletion_protection: false description: Managed by the compute-vm Terraform module. 
desired_status: null enable_display: false hostname: null labels: null machine_type: e2-standard-2 metadata: user-data: "#cloud-config\n\n# Copyright 2023 Google LLC\n#\n# Licensed under\ \ the Apache License, Version 2.0 (the \"License\");\n# you may not use this\ \ file except in compliance with the License.\n# You may obtain a copy of\ \ the License at\n#\n# https://www.apache.org/licenses/LICENSE-2.0\n#\n\ # Unless required by applicable law or agreed to in writing, software\n# distributed\ \ under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES\ \ OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License\ \ for the specific language governing permissions and\n# limitations under\ \ the License.\n\nwrite_files:\n\n - path: /etc/frr/daemons\n owner: root\n\ \ permissions: 0744\n content: |\n # Copyright 2023 Google LLC\n\ \ #\n # Licensed under the Apache License, Version 2.0 (the \"License\"\ );\n # you may not use this file except in compliance with the License.\n\ \ # You may obtain a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ \ #\n # Unless required by applicable law or agreed to in writing,\ \ software\n # distributed under the License is distributed on an \"\ AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ \ express or implied.\n # See the License for the specific language governing\ \ permissions and\n # limitations under the License.\n \n zebra=no\n\ \ bgpd=yes\n ospfd=no\n ospf6d=no\n ripd=no\n ripngd=no\n\ \ isisd=no\n pimd=no\n ldpd=no\n nhrpd=no\n eigrpd=no\n\ \ babeld=no\n sharpd=no\n staticd=no\n pbrd=no\n \ \ bfdd=no\n fabricd=no\n \n # If this option is set the /etc/init.d/frr\ \ script automatically loads\n # the config via \"vtysh -b\" when the\ \ servers are started.\n # Check /etc/pam.d/frr if you intend to use\ \ \"vtysh\"!\n \n vtysh_enable=yes\n zebra_options=\" -A 127.0.0.1\ \ -s 90000000\"\n bgpd_options=\" -A 127.0.0.1\"\n ospfd_options=\"\ 
\ --daemon -A 127.0.0.1\"\n ospf6d_options=\" --daemon -A ::1\"\n \ \ ripd_options=\" --daemon -A 127.0.0.1\"\n ripngd_options=\" --daemon\ \ -A ::1\"\n isisd_options=\" --daemon -A 127.0.0.1\"\n pimd_options=\"\ \ --daemon -A 127.0.0.1\"\n ldpd_options=\" --daemon -A 127.0.0.1\"\ \n nhrpd_options=\" --daemon -A 127.0.0.1\"\n eigrpd_options=\"\ \ --daemon -A 127.0.0.1\"\n babeld_options=\" --daemon -A 127.0.0.1\"\ \n sharpd_options=\" --daemon -A 127.0.0.1\"\n staticd_options=\"\ \ --daemon -A 127.0.0.1\"\n pbrd_options=\" --daemon -A 127.0.0.1\"\ \n bfdd_options=\" --daemon -A 127.0.0.1\"\n fabricd_options=\"\ \ --daemon -A 127.0.0.1\"\n \n #MAX_FDS=1024\n # The list\ \ of daemons to watch is automatically generated by the init script.\n \ \ #watchfrr_options=\"\"\n \n # for debugging purposes, you can\ \ specify a \"wrap\" command to start instead\n # of starting the daemon\ \ directly, e.g. to use valgrind on ospfd:\n # ospfd_wrap=\"/usr/bin/valgrind\"\ \n # or you can use \"all_wrap\" for all daemons, e.g. 
to use perf record:\n\ \ # all_wrap=\"/usr/bin/perf record --call-graph -\"\n # the normal\ \ daemon command is added to this at the end.\n \n\n - path: /etc/frr/frr.conf\n\ \ owner: root\n permissions: 0744\n content: |\n # NVAs configuration\ \ template\n \n log syslog informational\n no ipv6 forwarding\n\ \ service integrated-vtysh-config\n \n interface lo\n \ \ ip address 10.64.128.101/32\n \n ip prefix-list DEFAULT seq 10\ \ permit 0.0.0.0/0\n !\n ip prefix-list PRIMARY seq 10 permit 10.64.0.0/17\n\ \ ip prefix-list PRIMARY seq 20 permit 10.68.0.0/16\n ip prefix-list\ \ PRIMARY seq 30 permit 10.72.0.0/16\n !\n ip prefix-list SECONDARY\ \ seq 10 permit 10.80.0.0/17\n ip prefix-list SECONDARY seq 20 permit\ \ 10.84.0.0/16\n ip prefix-list SECONDARY seq 30 permit 10.88.0.0/16\n\ \ \n route-map TO-DMZ permit 10\n match ip address\ \ prefix-list PRIMARY\n set metric 100\n !\n route-map TO-DMZ\ \ permit 20\n match ip address prefix-list SECONDARY\n set metric\ \ 10100\n !\n route-map TO-LANDING permit 10\n match ip address\ \ prefix-list DEFAULT\n set metric 100\n !\n route-map TO-NVA\ \ permit 10\n match ip address prefix-list PRIMARY\n set metric\ \ 50\n \n router bgp 64513\n bgp router-id 10.64.128.101\n\ \ bgp bestpath as-path ignore\n bgp disable-ebgp-connected-route-check\n\ \ bgp timers 20 60\n !\n no bgp ebgp-requires-policy\n \ \ no bgp network import-check\n !\n neighbor 10.64.128.201\ \ remote-as 64512\n neighbor 10.64.128.202 remote-as 64512\n !\n\ \ neighbor 10.64.0.201 remote-as 64515\n neighbor 10.64.0.201\ \ update-source 10.64.0.101\n neighbor 10.64.0.202 remote-as 64515\n\ \ neighbor 10.64.0.202 update-source 10.64.0.101\n !\n neighbor\ \ 10.80.128.101 remote-as 64514\n neighbor 10.80.128.101 ebgp-multihop\ \ 2\n neighbor 10.80.128.102 remote-as 64514\n neighbor 10.80.128.102\ \ ebgp-multihop 2\n !\n address-family ipv4 unicast\n neighbor\ \ 10.64.128.201 route-map TO-DMZ out\n neighbor 10.64.128.201\ \ soft-reconfiguration inbound\n !\n neighbor 
10.64.128.202 route-map\ \ TO-DMZ out\n neighbor 10.64.128.202 soft-reconfiguration inbound\n\ \ !\n neighbor 10.64.0.201 route-map TO-LANDING out\n neighbor\ \ 10.64.0.201 soft-reconfiguration inbound\n !\n neighbor 10.64.0.202\ \ route-map TO-LANDING out\n neighbor 10.64.0.202 soft-reconfiguration\ \ inbound\n !\n neighbor 10.80.128.101 route-map TO-NVA out\n\ \ neighbor 10.80.128.101 soft-reconfiguration inbound\n !\n \ \ neighbor 10.80.128.102 route-map TO-NVA out\n neighbor 10.80.128.102\ \ soft-reconfiguration inbound\n exit-address-family\n \n\n -\ \ path: /etc/frr/vtysh.conf\n owner: root\n permissions: 0644\n content:\ \ |\n # Copyright 2023 Google LLC\n #\n # Licensed under the\ \ Apache License, Version 2.0 (the \"License\");\n # you may not use\ \ this file except in compliance with the License.\n # You may obtain\ \ a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ \ #\n # Unless required by applicable law or agreed to in writing,\ \ software\n # distributed under the License is distributed on an \"\ AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ \ express or implied.\n # See the License for the specific language governing\ \ permissions and\n # limitations under the License.\n \n #\ \ This is a sample file used to remove warnings\n # when users open the\ \ vtysh console.\n \n\n - path: /etc/profile.d/00-aliases.sh\n owner:\ \ root\n permissions: 0644\n content: |\n alias vtysh='sudo docker\ \ exec -it frr sh -c vtysh'\n\n - path: /etc/systemd/system/frr.service\n\ \ owner: root\n permissions: 0644\n content: |\n # Copyright\ \ 2023 Google LLC\n #\n # Licensed under the Apache License, Version\ \ 2.0 (the \"License\");\n # you may not use this file except in compliance\ \ with the License.\n # You may obtain a copy of the License at\n \ \ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\ \ # Unless required by applicable law or agreed to in writing, software\n\ \ # distributed under the 
License is distributed on an \"AS IS\" BASIS,\n\ \ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\ \ # See the License for the specific language governing permissions and\n\ \ # limitations under the License.\n \n [Unit]\n Description=Start\ \ FRR container\n After=gcr-online.target docker.socket\n Wants=gcr-online.target\ \ docker.socket docker-events-collector.service\n [Service]\n Environment=\"\ HOME=/home/frr\"\n ExecStart=/usr/bin/docker run --rm --name=frr \\\n\ \ --privileged \\\n --network host \\\n -v /etc/frr:/etc/frr\ \ \\\n frrouting/frr\n ExecStop=/usr/bin/docker stop frr\n \ \ ExecStopPost=/usr/bin/docker rm frr\n \n\n - path: /var/lib/docker/daemon.json\n\ \ owner: root\n permissions: 0644\n content: |\n {\n\ \ \"live-restore\": true,\n \"storage-driver\"\ : \"overlay2\",\n \"log-opts\": {\n \"max-size\"\ : \"1024m\"\n }\n }\n \n\n - path: /var/run/nva/ipprefix_by_netmask.sh\n\ \ owner: root\n permissions: 0744\n content: |\n #!/bin/bash\n\ \ \n # Copyright 2023 Google LLC\n #\n # Licensed under\ \ the Apache License, Version 2.0 (the \"License\");\n # you may not\ \ use this file except in compliance with the License.\n # You may obtain\ \ a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ \ #\n # Unless required by applicable law or agreed to in writing,\ \ software\n # distributed under the License is distributed on an \"\ AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ \ express or implied.\n # See the License for the specific language governing\ \ permissions and\n # limitations under the License.\n \n #\ \ https://stackoverflow.com/questions/50413579/bash-convert-netmask-in-cidr-notation\n\ \ c=0 x=0$(printf '%o' ${1//./ })\n while [ $x -gt 0 ]; do\n \ \ let c+=$((x % 2)) 'x>>=1'\n done\n echo $c\n \n\n -\ \ path: /var/run/nva/policy_based_routing.sh\n owner: root\n permissions:\ \ 0744\n content: |\n #!/bin/bash\n \n # Copyright 2023\ \ Google LLC\n #\n # 
Licensed under the Apache License, Version\ \ 2.0 (the \"License\");\n # you may not use this file except in compliance\ \ with the License.\n # You may obtain a copy of the License at\n \ \ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\ \ # Unless required by applicable law or agreed to in writing, software\n\ \ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\ \ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\ \ # See the License for the specific language governing permissions and\n\ \ # limitations under the License.\n \n IF_NAME=$1\n IF_NUMBER=$(echo\ \ $IF_NAME | sed -e s/eth//)\n IF_GW=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/gateway\ \ -H \"Metadata-Flavor: Google\")\n IF_IP=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/ip\ \ -H \"Metadata-Flavor: Google\")\n IF_NETMASK=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/subnetmask\ \ -H \"Metadata-Flavor: Google\")\n IF_IP_PREFIX=$(/var/run/nva/ipprefix_by_netmask.sh\ \ $IF_NETMASK)\n \n # Sleep while there's no load balancer IP route\ \ for this IF\n while true\n do\n IPS_LB_STR=$(ip r show\ \ table local | grep \"$IF_NAME proto 66\" | cut -f 2 -d \" \" | tr -s '\\\ n' ' ')\n IPS_LB=($IPS_LB_STR)\n for IP in \"${IPS_LB[@]}\"\n\ \ do\n # Configure hc routing table if not available for this\ \ network interface\n grep -qxF \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\ \ /etc/iproute2/rt_tables || {\n echo \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\ \ >>/etc/iproute2/rt_tables\n ip route add $IF_GW src $IF_IP dev\ \ $IF_NAME table hc-$IF_NAME\n ip route add default via $IF_GW\ \ dev $IF_NAME table hc-$IF_NAME\n }\n \n # configure\ \ PBR route for LB\n ip rule list | grep -qF \"$IP\" || ip rule add\ \ from $IP/32 table hc-$IF_NAME\n done\n \n # remove previously\ \ configure PBR for old LB removed from network 
interface\n # first\ \ get list of PBR on this network interface and retrieve LB IP addresses\n\ \ PBR_LB_IPS_STR=$(ip rule list | grep \"hc-$IF_NAME\" | cut -f 2 -d\ \ \" \" | tr -s '\\n' ' ')\n PBR_LB_IPS=($PBR_LB_IPS_STR)\n \n\ \ # iterate over PBR LB IP addresses\n for PBR_IP in \"${PBR_LB_IPS[@]}\"\ \n do\n # check if the PBR LB IP belongs to the current array\ \ of LB IPs attached to the\n # network interface, if not delete\ \ the corresponding PBR rule\n if [ -z \"$IPS_LB\" ] || ! echo ${IPS_LB[@]}\ \ | grep --quiet \"$PBR_IP\" ; then\n ip rule del from $PBR_IP\n\ \ fi\n done\n sleep 2\n done\n \n\n\n -\ \ path: /etc/systemd/system/routing.service\n permissions: 0644\n owner:\ \ root\n content: |\n [Install]\n WantedBy=multi-user.target\n\ \ [Unit]\n Description=Start routing\n After=network-online.target\n\ \ Wants=network-online.target\n [Service]\n RemainAfterExit=true\n\ \ ExecStart=/bin/sh -c \"/var/run/nva/start-routing.sh\"\n - path: /var/run/nva/start-routing.sh\n\ \ permissions: 0744\n owner: root\n content: |\n iptables --policy\ \ FORWARD ACCEPT\n /var/run/nva/policy_based_routing.sh eth0 &>/dev/null\ \ &\n iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n ip\ \ route add 10.64.127.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\ \ -H \"Metadata-Flavor:Google\"` dev eth0\n ip route add 10.80.127.0/17\ \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\ \ -H \"Metadata-Flavor:Google\"` dev eth0\n /var/run/nva/policy_based_routing.sh\ \ eth1 &>/dev/null &\n ip route add 10.64.0.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\ \ -H \"Metadata-Flavor:Google\"` dev eth1\n ip route add 10.80.0.0/17\ \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\ \ -H \"Metadata-Flavor:Google\"` dev eth1\n iptables -A INPUT -p tcp\ \ --dport 179 -j 
ACCEPT\n\nbootcmd:\n - systemctl start node-problem-detector\n\ \nruncmd:\n - systemctl daemon-reload\n - systemctl enable routing\n -\ \ systemctl start routing\n - systemctl start frr\n" metadata_startup_script: null name: nva-ew1-b network_interface: - access_config: [] alias_ip_range: [] ipv6_access_config: [] network_ip: 10.64.128.101 nic_type: null queue_count: null security_policy: null - access_config: [] alias_ip_range: [] ipv6_access_config: [] network_ip: 10.64.0.101 nic_type: null queue_count: null security_policy: null network_performance_config: [] params: [] project: fast2-prod-net-landing-0 resource_policies: null scheduling: - automatic_restart: true instance_termination_action: null local_ssd_recovery_timeout: [] maintenance_interval: null max_run_duration: [] min_node_cpus: null node_affinities: [] on_host_maintenance: MIGRATE preemptible: false provisioning_model: STANDARD scratch_disk: [] service_account: - scopes: - https://www.googleapis.com/auth/devstorage.read_only - https://www.googleapis.com/auth/logging.write - https://www.googleapis.com/auth/monitoring.write shielded_instance_config: [] tags: - nva timeouts: null zone: europe-west1-b module.nva["primary-c"].google_compute_instance.default[0]: advanced_machine_features: [] allow_stopping_for_update: true attached_disk: [] boot_disk: - auto_delete: true disk_encryption_key_raw: null initialize_params: - enable_confidential_compute: null image: projects/cos-cloud/global/images/family/cos-stable resource_manager_tags: null size: 10 type: pd-balanced mode: READ_WRITE can_ip_forward: true deletion_protection: false description: Managed by the compute-vm Terraform module. 
desired_status: null enable_display: false hostname: null labels: null machine_type: e2-standard-2 metadata: user-data: "#cloud-config\n\n# Copyright 2023 Google LLC\n#\n# Licensed under\ \ the Apache License, Version 2.0 (the \"License\");\n# you may not use this\ \ file except in compliance with the License.\n# You may obtain a copy of\ \ the License at\n#\n# https://www.apache.org/licenses/LICENSE-2.0\n#\n\ # Unless required by applicable law or agreed to in writing, software\n# distributed\ \ under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES\ \ OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License\ \ for the specific language governing permissions and\n# limitations under\ \ the License.\n\nwrite_files:\n\n - path: /etc/frr/daemons\n owner: root\n\ \ permissions: 0744\n content: |\n # Copyright 2023 Google LLC\n\ \ #\n # Licensed under the Apache License, Version 2.0 (the \"License\"\ );\n # you may not use this file except in compliance with the License.\n\ \ # You may obtain a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ \ #\n # Unless required by applicable law or agreed to in writing,\ \ software\n # distributed under the License is distributed on an \"\ AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ \ express or implied.\n # See the License for the specific language governing\ \ permissions and\n # limitations under the License.\n \n zebra=no\n\ \ bgpd=yes\n ospfd=no\n ospf6d=no\n ripd=no\n ripngd=no\n\ \ isisd=no\n pimd=no\n ldpd=no\n nhrpd=no\n eigrpd=no\n\ \ babeld=no\n sharpd=no\n staticd=no\n pbrd=no\n \ \ bfdd=no\n fabricd=no\n \n # If this option is set the /etc/init.d/frr\ \ script automatically loads\n # the config via \"vtysh -b\" when the\ \ servers are started.\n # Check /etc/pam.d/frr if you intend to use\ \ \"vtysh\"!\n \n vtysh_enable=yes\n zebra_options=\" -A 127.0.0.1\ \ -s 90000000\"\n bgpd_options=\" -A 127.0.0.1\"\n ospfd_options=\"\ 
\ --daemon -A 127.0.0.1\"\n ospf6d_options=\" --daemon -A ::1\"\n \ \ ripd_options=\" --daemon -A 127.0.0.1\"\n ripngd_options=\" --daemon\ \ -A ::1\"\n isisd_options=\" --daemon -A 127.0.0.1\"\n pimd_options=\"\ \ --daemon -A 127.0.0.1\"\n ldpd_options=\" --daemon -A 127.0.0.1\"\ \n nhrpd_options=\" --daemon -A 127.0.0.1\"\n eigrpd_options=\"\ \ --daemon -A 127.0.0.1\"\n babeld_options=\" --daemon -A 127.0.0.1\"\ \n sharpd_options=\" --daemon -A 127.0.0.1\"\n staticd_options=\"\ \ --daemon -A 127.0.0.1\"\n pbrd_options=\" --daemon -A 127.0.0.1\"\ \n bfdd_options=\" --daemon -A 127.0.0.1\"\n fabricd_options=\"\ \ --daemon -A 127.0.0.1\"\n \n #MAX_FDS=1024\n # The list\ \ of daemons to watch is automatically generated by the init script.\n \ \ #watchfrr_options=\"\"\n \n # for debugging purposes, you can\ \ specify a \"wrap\" command to start instead\n # of starting the daemon\ \ directly, e.g. to use valgrind on ospfd:\n # ospfd_wrap=\"/usr/bin/valgrind\"\ \n # or you can use \"all_wrap\" for all daemons, e.g. 
to use perf record:\n\ \ # all_wrap=\"/usr/bin/perf record --call-graph -\"\n # the normal\ \ daemon command is added to this at the end.\n \n\n - path: /etc/frr/frr.conf\n\ \ owner: root\n permissions: 0744\n content: |\n # NVAs configuration\ \ template\n \n log syslog informational\n no ipv6 forwarding\n\ \ service integrated-vtysh-config\n \n interface lo\n \ \ ip address 10.64.128.102/32\n \n ip prefix-list DEFAULT seq 10\ \ permit 0.0.0.0/0\n !\n ip prefix-list PRIMARY seq 10 permit 10.64.0.0/17\n\ \ ip prefix-list PRIMARY seq 20 permit 10.68.0.0/16\n ip prefix-list\ \ PRIMARY seq 30 permit 10.72.0.0/16\n !\n ip prefix-list SECONDARY\ \ seq 10 permit 10.80.0.0/17\n ip prefix-list SECONDARY seq 20 permit\ \ 10.84.0.0/16\n ip prefix-list SECONDARY seq 30 permit 10.88.0.0/16\n\ \ \n route-map TO-DMZ permit 10\n match ip address\ \ prefix-list PRIMARY\n set metric 100\n !\n route-map TO-DMZ\ \ permit 20\n match ip address prefix-list SECONDARY\n set metric\ \ 10100\n !\n route-map TO-LANDING permit 10\n match ip address\ \ prefix-list DEFAULT\n set metric 100\n !\n route-map TO-NVA\ \ permit 10\n match ip address prefix-list PRIMARY\n set metric\ \ 50\n \n router bgp 64513\n bgp router-id 10.64.128.102\n\ \ bgp bestpath as-path ignore\n bgp disable-ebgp-connected-route-check\n\ \ bgp timers 20 60\n !\n no bgp ebgp-requires-policy\n \ \ no bgp network import-check\n !\n neighbor 10.64.128.201\ \ remote-as 64512\n neighbor 10.64.128.202 remote-as 64512\n !\n\ \ neighbor 10.64.0.201 remote-as 64515\n neighbor 10.64.0.201\ \ update-source 10.64.0.102\n neighbor 10.64.0.202 remote-as 64515\n\ \ neighbor 10.64.0.202 update-source 10.64.0.102\n !\n neighbor\ \ 10.80.128.101 remote-as 64514\n neighbor 10.80.128.101 ebgp-multihop\ \ 2\n neighbor 10.80.128.102 remote-as 64514\n neighbor 10.80.128.102\ \ ebgp-multihop 2\n !\n address-family ipv4 unicast\n neighbor\ \ 10.64.128.201 route-map TO-DMZ out\n neighbor 10.64.128.201\ \ soft-reconfiguration inbound\n !\n neighbor 
10.64.128.202 route-map\ \ TO-DMZ out\n neighbor 10.64.128.202 soft-reconfiguration inbound\n\ \ !\n neighbor 10.64.0.201 route-map TO-LANDING out\n neighbor\ \ 10.64.0.201 soft-reconfiguration inbound\n !\n neighbor 10.64.0.202\ \ route-map TO-LANDING out\n neighbor 10.64.0.202 soft-reconfiguration\ \ inbound\n !\n neighbor 10.80.128.101 route-map TO-NVA out\n\ \ neighbor 10.80.128.101 soft-reconfiguration inbound\n !\n \ \ neighbor 10.80.128.102 route-map TO-NVA out\n neighbor 10.80.128.102\ \ soft-reconfiguration inbound\n exit-address-family\n \n\n -\ \ path: /etc/frr/vtysh.conf\n owner: root\n permissions: 0644\n content:\ \ |\n # Copyright 2023 Google LLC\n #\n # Licensed under the\ \ Apache License, Version 2.0 (the \"License\");\n # you may not use\ \ this file except in compliance with the License.\n # You may obtain\ \ a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ \ #\n # Unless required by applicable law or agreed to in writing,\ \ software\n # distributed under the License is distributed on an \"\ AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ \ express or implied.\n # See the License for the specific language governing\ \ permissions and\n # limitations under the License.\n \n #\ \ This is a sample file used to remove warnings\n # when users open the\ \ vtysh console.\n \n\n - path: /etc/profile.d/00-aliases.sh\n owner:\ \ root\n permissions: 0644\n content: |\n alias vtysh='sudo docker\ \ exec -it frr sh -c vtysh'\n\n - path: /etc/systemd/system/frr.service\n\ \ owner: root\n permissions: 0644\n content: |\n # Copyright\ \ 2023 Google LLC\n #\n # Licensed under the Apache License, Version\ \ 2.0 (the \"License\");\n # you may not use this file except in compliance\ \ with the License.\n # You may obtain a copy of the License at\n \ \ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\ \ # Unless required by applicable law or agreed to in writing, software\n\ \ # distributed under the 
License is distributed on an \"AS IS\" BASIS,\n\ \ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\ \ # See the License for the specific language governing permissions and\n\ \ # limitations under the License.\n \n [Unit]\n Description=Start\ \ FRR container\n After=gcr-online.target docker.socket\n Wants=gcr-online.target\ \ docker.socket docker-events-collector.service\n [Service]\n Environment=\"\ HOME=/home/frr\"\n ExecStart=/usr/bin/docker run --rm --name=frr \\\n\ \ --privileged \\\n --network host \\\n -v /etc/frr:/etc/frr\ \ \\\n frrouting/frr\n ExecStop=/usr/bin/docker stop frr\n \ \ ExecStopPost=/usr/bin/docker rm frr\n \n\n - path: /var/lib/docker/daemon.json\n\ \ owner: root\n permissions: 0644\n content: |\n {\n\ \ \"live-restore\": true,\n \"storage-driver\"\ : \"overlay2\",\n \"log-opts\": {\n \"max-size\"\ : \"1024m\"\n }\n }\n \n\n - path: /var/run/nva/ipprefix_by_netmask.sh\n\ \ owner: root\n permissions: 0744\n content: |\n #!/bin/bash\n\ \ \n # Copyright 2023 Google LLC\n #\n # Licensed under\ \ the Apache License, Version 2.0 (the \"License\");\n # you may not\ \ use this file except in compliance with the License.\n # You may obtain\ \ a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ \ #\n # Unless required by applicable law or agreed to in writing,\ \ software\n # distributed under the License is distributed on an \"\ AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ \ express or implied.\n # See the License for the specific language governing\ \ permissions and\n # limitations under the License.\n \n #\ \ https://stackoverflow.com/questions/50413579/bash-convert-netmask-in-cidr-notation\n\ \ c=0 x=0$(printf '%o' ${1//./ })\n while [ $x -gt 0 ]; do\n \ \ let c+=$((x % 2)) 'x>>=1'\n done\n echo $c\n \n\n -\ \ path: /var/run/nva/policy_based_routing.sh\n owner: root\n permissions:\ \ 0744\n content: |\n #!/bin/bash\n \n # Copyright 2023\ \ Google LLC\n #\n # 
Licensed under the Apache License, Version\ \ 2.0 (the \"License\");\n # you may not use this file except in compliance\ \ with the License.\n # You may obtain a copy of the License at\n \ \ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\ \ # Unless required by applicable law or agreed to in writing, software\n\ \ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\ \ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\ \ # See the License for the specific language governing permissions and\n\ \ # limitations under the License.\n \n IF_NAME=$1\n IF_NUMBER=$(echo\ \ $IF_NAME | sed -e s/eth//)\n IF_GW=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/gateway\ \ -H \"Metadata-Flavor: Google\")\n IF_IP=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/ip\ \ -H \"Metadata-Flavor: Google\")\n IF_NETMASK=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/subnetmask\ \ -H \"Metadata-Flavor: Google\")\n IF_IP_PREFIX=$(/var/run/nva/ipprefix_by_netmask.sh\ \ $IF_NETMASK)\n \n # Sleep while there's no load balancer IP route\ \ for this IF\n while true\n do\n IPS_LB_STR=$(ip r show\ \ table local | grep \"$IF_NAME proto 66\" | cut -f 2 -d \" \" | tr -s '\\\ n' ' ')\n IPS_LB=($IPS_LB_STR)\n for IP in \"${IPS_LB[@]}\"\n\ \ do\n # Configure hc routing table if not available for this\ \ network interface\n grep -qxF \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\ \ /etc/iproute2/rt_tables || {\n echo \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\ \ >>/etc/iproute2/rt_tables\n ip route add $IF_GW src $IF_IP dev\ \ $IF_NAME table hc-$IF_NAME\n ip route add default via $IF_GW\ \ dev $IF_NAME table hc-$IF_NAME\n }\n \n # configure\ \ PBR route for LB\n ip rule list | grep -qF \"$IP\" || ip rule add\ \ from $IP/32 table hc-$IF_NAME\n done\n \n # remove previously\ \ configure PBR for old LB removed from network 
interface\n # first\ \ get list of PBR on this network interface and retrieve LB IP addresses\n\ \ PBR_LB_IPS_STR=$(ip rule list | grep \"hc-$IF_NAME\" | cut -f 2 -d\ \ \" \" | tr -s '\\n' ' ')\n PBR_LB_IPS=($PBR_LB_IPS_STR)\n \n\ \ # iterate over PBR LB IP addresses\n for PBR_IP in \"${PBR_LB_IPS[@]}\"\ \n do\n # check if the PBR LB IP belongs to the current array\ \ of LB IPs attached to the\n # network interface, if not delete\ \ the corresponding PBR rule\n if [ -z \"$IPS_LB\" ] || ! echo ${IPS_LB[@]}\ \ | grep --quiet \"$PBR_IP\" ; then\n ip rule del from $PBR_IP\n\ \ fi\n done\n sleep 2\n done\n \n\n\n -\ \ path: /etc/systemd/system/routing.service\n permissions: 0644\n owner:\ \ root\n content: |\n [Install]\n WantedBy=multi-user.target\n\ \ [Unit]\n Description=Start routing\n After=network-online.target\n\ \ Wants=network-online.target\n [Service]\n RemainAfterExit=true\n\ \ ExecStart=/bin/sh -c \"/var/run/nva/start-routing.sh\"\n - path: /var/run/nva/start-routing.sh\n\ \ permissions: 0744\n owner: root\n content: |\n iptables --policy\ \ FORWARD ACCEPT\n /var/run/nva/policy_based_routing.sh eth0 &>/dev/null\ \ &\n iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n ip\ \ route add 10.64.127.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\ \ -H \"Metadata-Flavor:Google\"` dev eth0\n ip route add 10.80.127.0/17\ \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\ \ -H \"Metadata-Flavor:Google\"` dev eth0\n /var/run/nva/policy_based_routing.sh\ \ eth1 &>/dev/null &\n ip route add 10.64.0.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\ \ -H \"Metadata-Flavor:Google\"` dev eth1\n ip route add 10.80.0.0/17\ \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\ \ -H \"Metadata-Flavor:Google\"` dev eth1\n iptables -A INPUT -p tcp\ \ --dport 179 -j 
ACCEPT\n\nbootcmd:\n - systemctl start node-problem-detector\n\ \nruncmd:\n - systemctl daemon-reload\n - systemctl enable routing\n -\ \ systemctl start routing\n - systemctl start frr\n" metadata_startup_script: null name: nva-ew1-c network_interface: - access_config: [] alias_ip_range: [] ipv6_access_config: [] network_ip: 10.64.128.102 nic_type: null queue_count: null security_policy: null - access_config: [] alias_ip_range: [] ipv6_access_config: [] network_ip: 10.64.0.102 nic_type: null queue_count: null security_policy: null network_performance_config: [] params: [] project: fast2-prod-net-landing-0 resource_policies: null scheduling: - automatic_restart: true instance_termination_action: null local_ssd_recovery_timeout: [] maintenance_interval: null max_run_duration: [] min_node_cpus: null node_affinities: [] on_host_maintenance: MIGRATE preemptible: false provisioning_model: STANDARD scratch_disk: [] service_account: - scopes: - https://www.googleapis.com/auth/devstorage.read_only - https://www.googleapis.com/auth/logging.write - https://www.googleapis.com/auth/monitoring.write shielded_instance_config: [] tags: - nva timeouts: null zone: europe-west1-c module.nva["secondary-b"].google_compute_instance.default[0]: advanced_machine_features: [] allow_stopping_for_update: true attached_disk: [] boot_disk: - auto_delete: true disk_encryption_key_raw: null initialize_params: - enable_confidential_compute: null image: projects/cos-cloud/global/images/family/cos-stable resource_manager_tags: null size: 10 type: pd-balanced mode: READ_WRITE can_ip_forward: true deletion_protection: false description: Managed by the compute-vm Terraform module. 
desired_status: null enable_display: false hostname: null labels: null machine_type: e2-standard-2 metadata: user-data: "#cloud-config\n\n# Copyright 2023 Google LLC\n#\n# Licensed under\ \ the Apache License, Version 2.0 (the \"License\");\n# you may not use this\ \ file except in compliance with the License.\n# You may obtain a copy of\ \ the License at\n#\n# https://www.apache.org/licenses/LICENSE-2.0\n#\n\ # Unless required by applicable law or agreed to in writing, software\n# distributed\ \ under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES\ \ OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License\ \ for the specific language governing permissions and\n# limitations under\ \ the License.\n\nwrite_files:\n\n - path: /etc/frr/daemons\n owner: root\n\ \ permissions: 0744\n content: |\n # Copyright 2023 Google LLC\n\ \ #\n # Licensed under the Apache License, Version 2.0 (the \"License\"\ );\n # you may not use this file except in compliance with the License.\n\ \ # You may obtain a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ \ #\n # Unless required by applicable law or agreed to in writing,\ \ software\n # distributed under the License is distributed on an \"\ AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ \ express or implied.\n # See the License for the specific language governing\ \ permissions and\n # limitations under the License.\n \n zebra=no\n\ \ bgpd=yes\n ospfd=no\n ospf6d=no\n ripd=no\n ripngd=no\n\ \ isisd=no\n pimd=no\n ldpd=no\n nhrpd=no\n eigrpd=no\n\ \ babeld=no\n sharpd=no\n staticd=no\n pbrd=no\n \ \ bfdd=no\n fabricd=no\n \n # If this option is set the /etc/init.d/frr\ \ script automatically loads\n # the config via \"vtysh -b\" when the\ \ servers are started.\n # Check /etc/pam.d/frr if you intend to use\ \ \"vtysh\"!\n \n vtysh_enable=yes\n zebra_options=\" -A 127.0.0.1\ \ -s 90000000\"\n bgpd_options=\" -A 127.0.0.1\"\n ospfd_options=\"\ 
\ --daemon -A 127.0.0.1\"\n ospf6d_options=\" --daemon -A ::1\"\n \ \ ripd_options=\" --daemon -A 127.0.0.1\"\n ripngd_options=\" --daemon\ \ -A ::1\"\n isisd_options=\" --daemon -A 127.0.0.1\"\n pimd_options=\"\ \ --daemon -A 127.0.0.1\"\n ldpd_options=\" --daemon -A 127.0.0.1\"\ \n nhrpd_options=\" --daemon -A 127.0.0.1\"\n eigrpd_options=\"\ \ --daemon -A 127.0.0.1\"\n babeld_options=\" --daemon -A 127.0.0.1\"\ \n sharpd_options=\" --daemon -A 127.0.0.1\"\n staticd_options=\"\ \ --daemon -A 127.0.0.1\"\n pbrd_options=\" --daemon -A 127.0.0.1\"\ \n bfdd_options=\" --daemon -A 127.0.0.1\"\n fabricd_options=\"\ \ --daemon -A 127.0.0.1\"\n \n #MAX_FDS=1024\n # The list\ \ of daemons to watch is automatically generated by the init script.\n \ \ #watchfrr_options=\"\"\n \n # for debugging purposes, you can\ \ specify a \"wrap\" command to start instead\n # of starting the daemon\ \ directly, e.g. to use valgrind on ospfd:\n # ospfd_wrap=\"/usr/bin/valgrind\"\ \n # or you can use \"all_wrap\" for all daemons, e.g. 
to use perf record:\n\ \ # all_wrap=\"/usr/bin/perf record --call-graph -\"\n # the normal\ \ daemon command is added to this at the end.\n \n\n - path: /etc/frr/frr.conf\n\ \ owner: root\n permissions: 0744\n content: |\n # NVAs configuration\ \ template\n \n log syslog informational\n no ipv6 forwarding\n\ \ service integrated-vtysh-config\n \n interface lo\n \ \ ip address 10.80.128.101/32\n \n ip prefix-list DEFAULT seq 10\ \ permit 0.0.0.0/0\n !\n ip prefix-list PRIMARY seq 10 permit 10.64.0.0/17\n\ \ ip prefix-list PRIMARY seq 20 permit 10.68.0.0/16\n ip prefix-list\ \ PRIMARY seq 30 permit 10.72.0.0/16\n !\n ip prefix-list SECONDARY\ \ seq 10 permit 10.80.0.0/17\n ip prefix-list SECONDARY seq 20 permit\ \ 10.84.0.0/16\n ip prefix-list SECONDARY seq 30 permit 10.88.0.0/16\n\ \ \n route-map TO-DMZ permit 10\n match ip address\ \ prefix-list PRIMARY\n set metric 10100\n !\n route-map\ \ TO-DMZ permit 20\n match ip address prefix-list SECONDARY\n\ \ set metric 100\n !\n route-map TO-LANDING permit 10\n \ \ match ip address prefix-list DEFAULT\n set metric 100\n \ \ !\n route-map TO-NVA permit 10\n match ip address prefix-list\ \ SECONDARY\n set metric 50\n \n router bgp 64514\n \ \ bgp router-id 10.80.128.101\n bgp bestpath as-path ignore\n \ \ bgp disable-ebgp-connected-route-check\n bgp timers 20 60\n \ \ !\n no bgp ebgp-requires-policy\n no bgp network import-check\n\ \ !\n neighbor 10.80.128.201 remote-as 64512\n neighbor 10.80.128.202\ \ remote-as 64512\n !\n neighbor 10.80.0.201 remote-as 64515\n\ \ neighbor 10.80.0.201 update-source 10.80.0.101\n neighbor 10.80.0.202\ \ remote-as 64515\n neighbor 10.80.0.202 update-source 10.80.0.101\n\ \ !\n neighbor 10.64.128.101 remote-as 64513\n neighbor 10.64.128.101\ \ ebgp-multihop 2\n neighbor 10.64.128.102 remote-as 64513\n neighbor\ \ 10.64.128.102 ebgp-multihop 2\n !\n address-family ipv4 unicast\n\ \ neighbor 10.80.128.201 route-map TO-DMZ out\n neighbor\ \ 10.80.128.201 soft-reconfiguration inbound\n !\n 
neighbor 10.80.128.202\ \ route-map TO-DMZ out\n neighbor 10.80.128.202 soft-reconfiguration\ \ inbound\n !\n neighbor 10.80.0.201 route-map TO-LANDING out\n\ \ neighbor 10.80.0.201 soft-reconfiguration inbound\n !\n \ \ neighbor 10.80.0.202 route-map TO-LANDING out\n neighbor 10.80.0.202\ \ soft-reconfiguration inbound\n !\n neighbor 10.64.128.101 route-map\ \ TO-NVA out\n neighbor 10.64.128.101 soft-reconfiguration inbound\n\ \ !\n neighbor 10.64.128.102 route-map TO-NVA out\n neighbor\ \ 10.64.128.102 soft-reconfiguration inbound\n exit-address-family\n\ \ \n\n - path: /etc/frr/vtysh.conf\n owner: root\n permissions:\ \ 0644\n content: |\n # Copyright 2023 Google LLC\n #\n \ \ # Licensed under the Apache License, Version 2.0 (the \"License\");\n \ \ # you may not use this file except in compliance with the License.\n\ \ # You may obtain a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ \ #\n # Unless required by applicable law or agreed to in writing,\ \ software\n # distributed under the License is distributed on an \"\ AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ \ express or implied.\n # See the License for the specific language governing\ \ permissions and\n # limitations under the License.\n \n #\ \ This is a sample file used to remove warnings\n # when users open the\ \ vtysh console.\n \n\n - path: /etc/profile.d/00-aliases.sh\n owner:\ \ root\n permissions: 0644\n content: |\n alias vtysh='sudo docker\ \ exec -it frr sh -c vtysh'\n\n - path: /etc/systemd/system/frr.service\n\ \ owner: root\n permissions: 0644\n content: |\n # Copyright\ \ 2023 Google LLC\n #\n # Licensed under the Apache License, Version\ \ 2.0 (the \"License\");\n # you may not use this file except in compliance\ \ with the License.\n # You may obtain a copy of the License at\n \ \ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\ \ # Unless required by applicable law or agreed to in writing, software\n\ \ # distributed 
under the License is distributed on an \"AS IS\" BASIS,\n\ \ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\ \ # See the License for the specific language governing permissions and\n\ \ # limitations under the License.\n \n [Unit]\n Description=Start\ \ FRR container\n After=gcr-online.target docker.socket\n Wants=gcr-online.target\ \ docker.socket docker-events-collector.service\n [Service]\n Environment=\"\ HOME=/home/frr\"\n ExecStart=/usr/bin/docker run --rm --name=frr \\\n\ \ --privileged \\\n --network host \\\n -v /etc/frr:/etc/frr\ \ \\\n frrouting/frr\n ExecStop=/usr/bin/docker stop frr\n \ \ ExecStopPost=/usr/bin/docker rm frr\n \n\n - path: /var/lib/docker/daemon.json\n\ \ owner: root\n permissions: 0644\n content: |\n {\n\ \ \"live-restore\": true,\n \"storage-driver\"\ : \"overlay2\",\n \"log-opts\": {\n \"max-size\"\ : \"1024m\"\n }\n }\n \n\n - path: /var/run/nva/ipprefix_by_netmask.sh\n\ \ owner: root\n permissions: 0744\n content: |\n #!/bin/bash\n\ \ \n # Copyright 2023 Google LLC\n #\n # Licensed under\ \ the Apache License, Version 2.0 (the \"License\");\n # you may not\ \ use this file except in compliance with the License.\n # You may obtain\ \ a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ \ #\n # Unless required by applicable law or agreed to in writing,\ \ software\n # distributed under the License is distributed on an \"\ AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ \ express or implied.\n # See the License for the specific language governing\ \ permissions and\n # limitations under the License.\n \n #\ \ https://stackoverflow.com/questions/50413579/bash-convert-netmask-in-cidr-notation\n\ \ c=0 x=0$(printf '%o' ${1//./ })\n while [ $x -gt 0 ]; do\n \ \ let c+=$((x % 2)) 'x>>=1'\n done\n echo $c\n \n\n -\ \ path: /var/run/nva/policy_based_routing.sh\n owner: root\n permissions:\ \ 0744\n content: |\n #!/bin/bash\n \n # Copyright 2023\ \ Google LLC\n 
#\n # Licensed under the Apache License, Version\ \ 2.0 (the \"License\");\n # you may not use this file except in compliance\ \ with the License.\n # You may obtain a copy of the License at\n \ \ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\ \ # Unless required by applicable law or agreed to in writing, software\n\ \ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\ \ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\ \ # See the License for the specific language governing permissions and\n\ \ # limitations under the License.\n \n IF_NAME=$1\n IF_NUMBER=$(echo\ \ $IF_NAME | sed -e s/eth//)\n IF_GW=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/gateway\ \ -H \"Metadata-Flavor: Google\")\n IF_IP=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/ip\ \ -H \"Metadata-Flavor: Google\")\n IF_NETMASK=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/subnetmask\ \ -H \"Metadata-Flavor: Google\")\n IF_IP_PREFIX=$(/var/run/nva/ipprefix_by_netmask.sh\ \ $IF_NETMASK)\n \n # Sleep while there's no load balancer IP route\ \ for this IF\n while true\n do\n IPS_LB_STR=$(ip r show\ \ table local | grep \"$IF_NAME proto 66\" | cut -f 2 -d \" \" | tr -s '\\\ n' ' ')\n IPS_LB=($IPS_LB_STR)\n for IP in \"${IPS_LB[@]}\"\n\ \ do\n # Configure hc routing table if not available for this\ \ network interface\n grep -qxF \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\ \ /etc/iproute2/rt_tables || {\n echo \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\ \ >>/etc/iproute2/rt_tables\n ip route add $IF_GW src $IF_IP dev\ \ $IF_NAME table hc-$IF_NAME\n ip route add default via $IF_GW\ \ dev $IF_NAME table hc-$IF_NAME\n }\n \n # configure\ \ PBR route for LB\n ip rule list | grep -qF \"$IP\" || ip rule add\ \ from $IP/32 table hc-$IF_NAME\n done\n \n # remove previously\ \ configure PBR for old LB removed from 
network interface\n # first\ \ get list of PBR on this network interface and retrieve LB IP addresses\n\ \ PBR_LB_IPS_STR=$(ip rule list | grep \"hc-$IF_NAME\" | cut -f 2 -d\ \ \" \" | tr -s '\\n' ' ')\n PBR_LB_IPS=($PBR_LB_IPS_STR)\n \n\ \ # iterate over PBR LB IP addresses\n for PBR_IP in \"${PBR_LB_IPS[@]}\"\ \n do\n # check if the PBR LB IP belongs to the current array\ \ of LB IPs attached to the\n # network interface, if not delete\ \ the corresponding PBR rule\n if [ -z \"$IPS_LB\" ] || ! echo ${IPS_LB[@]}\ \ | grep --quiet \"$PBR_IP\" ; then\n ip rule del from $PBR_IP\n\ \ fi\n done\n sleep 2\n done\n \n\n\n -\ \ path: /etc/systemd/system/routing.service\n permissions: 0644\n owner:\ \ root\n content: |\n [Install]\n WantedBy=multi-user.target\n\ \ [Unit]\n Description=Start routing\n After=network-online.target\n\ \ Wants=network-online.target\n [Service]\n RemainAfterExit=true\n\ \ ExecStart=/bin/sh -c \"/var/run/nva/start-routing.sh\"\n - path: /var/run/nva/start-routing.sh\n\ \ permissions: 0744\n owner: root\n content: |\n iptables --policy\ \ FORWARD ACCEPT\n /var/run/nva/policy_based_routing.sh eth0 &>/dev/null\ \ &\n iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n ip\ \ route add 10.64.127.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\ \ -H \"Metadata-Flavor:Google\"` dev eth0\n ip route add 10.80.127.0/17\ \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\ \ -H \"Metadata-Flavor:Google\"` dev eth0\n /var/run/nva/policy_based_routing.sh\ \ eth1 &>/dev/null &\n ip route add 10.64.0.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\ \ -H \"Metadata-Flavor:Google\"` dev eth1\n ip route add 10.80.0.0/17\ \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\ \ -H \"Metadata-Flavor:Google\"` dev eth1\n iptables -A INPUT -p tcp\ \ --dport 179 
-j ACCEPT\n\nbootcmd:\n - systemctl start node-problem-detector\n\ \nruncmd:\n - systemctl daemon-reload\n - systemctl enable routing\n -\ \ systemctl start routing\n - systemctl start frr\n" metadata_startup_script: null name: nva-ew4-b network_interface: - access_config: [] alias_ip_range: [] ipv6_access_config: [] network_ip: 10.80.128.101 nic_type: null queue_count: null security_policy: null - access_config: [] alias_ip_range: [] ipv6_access_config: [] network_ip: 10.80.0.101 nic_type: null queue_count: null security_policy: null network_performance_config: [] params: [] project: fast2-prod-net-landing-0 resource_policies: null scheduling: - automatic_restart: true instance_termination_action: null local_ssd_recovery_timeout: [] maintenance_interval: null max_run_duration: [] min_node_cpus: null node_affinities: [] on_host_maintenance: MIGRATE preemptible: false provisioning_model: STANDARD scratch_disk: [] service_account: - scopes: - https://www.googleapis.com/auth/devstorage.read_only - https://www.googleapis.com/auth/logging.write - https://www.googleapis.com/auth/monitoring.write shielded_instance_config: [] tags: - nva timeouts: null zone: europe-west4-b module.nva["secondary-c"].google_compute_instance.default[0]: advanced_machine_features: [] allow_stopping_for_update: true attached_disk: [] boot_disk: - auto_delete: true disk_encryption_key_raw: null initialize_params: - enable_confidential_compute: null image: projects/cos-cloud/global/images/family/cos-stable resource_manager_tags: null size: 10 type: pd-balanced mode: READ_WRITE can_ip_forward: true deletion_protection: false description: Managed by the compute-vm Terraform module. 
desired_status: null enable_display: false hostname: null labels: null machine_type: e2-standard-2 metadata: user-data: "#cloud-config\n\n# Copyright 2023 Google LLC\n#\n# Licensed under\ \ the Apache License, Version 2.0 (the \"License\");\n# you may not use this\ \ file except in compliance with the License.\n# You may obtain a copy of\ \ the License at\n#\n# https://www.apache.org/licenses/LICENSE-2.0\n#\n\ # Unless required by applicable law or agreed to in writing, software\n# distributed\ \ under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES\ \ OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License\ \ for the specific language governing permissions and\n# limitations under\ \ the License.\n\nwrite_files:\n\n - path: /etc/frr/daemons\n owner: root\n\ \ permissions: 0744\n content: |\n # Copyright 2023 Google LLC\n\ \ #\n # Licensed under the Apache License, Version 2.0 (the \"License\"\ );\n # you may not use this file except in compliance with the License.\n\ \ # You may obtain a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ \ #\n # Unless required by applicable law or agreed to in writing,\ \ software\n # distributed under the License is distributed on an \"\ AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ \ express or implied.\n # See the License for the specific language governing\ \ permissions and\n # limitations under the License.\n \n zebra=no\n\ \ bgpd=yes\n ospfd=no\n ospf6d=no\n ripd=no\n ripngd=no\n\ \ isisd=no\n pimd=no\n ldpd=no\n nhrpd=no\n eigrpd=no\n\ \ babeld=no\n sharpd=no\n staticd=no\n pbrd=no\n \ \ bfdd=no\n fabricd=no\n \n # If this option is set the /etc/init.d/frr\ \ script automatically loads\n # the config via \"vtysh -b\" when the\ \ servers are started.\n # Check /etc/pam.d/frr if you intend to use\ \ \"vtysh\"!\n \n vtysh_enable=yes\n zebra_options=\" -A 127.0.0.1\ \ -s 90000000\"\n bgpd_options=\" -A 127.0.0.1\"\n ospfd_options=\"\ 
\ --daemon -A 127.0.0.1\"\n ospf6d_options=\" --daemon -A ::1\"\n \ \ ripd_options=\" --daemon -A 127.0.0.1\"\n ripngd_options=\" --daemon\ \ -A ::1\"\n isisd_options=\" --daemon -A 127.0.0.1\"\n pimd_options=\"\ \ --daemon -A 127.0.0.1\"\n ldpd_options=\" --daemon -A 127.0.0.1\"\ \n nhrpd_options=\" --daemon -A 127.0.0.1\"\n eigrpd_options=\"\ \ --daemon -A 127.0.0.1\"\n babeld_options=\" --daemon -A 127.0.0.1\"\ \n sharpd_options=\" --daemon -A 127.0.0.1\"\n staticd_options=\"\ \ --daemon -A 127.0.0.1\"\n pbrd_options=\" --daemon -A 127.0.0.1\"\ \n bfdd_options=\" --daemon -A 127.0.0.1\"\n fabricd_options=\"\ \ --daemon -A 127.0.0.1\"\n \n #MAX_FDS=1024\n # The list\ \ of daemons to watch is automatically generated by the init script.\n \ \ #watchfrr_options=\"\"\n \n # for debugging purposes, you can\ \ specify a \"wrap\" command to start instead\n # of starting the daemon\ \ directly, e.g. to use valgrind on ospfd:\n # ospfd_wrap=\"/usr/bin/valgrind\"\ \n # or you can use \"all_wrap\" for all daemons, e.g. 
to use perf record:\n\ \ # all_wrap=\"/usr/bin/perf record --call-graph -\"\n # the normal\ \ daemon command is added to this at the end.\n \n\n - path: /etc/frr/frr.conf\n\ \ owner: root\n permissions: 0744\n content: |\n # NVAs configuration\ \ template\n \n log syslog informational\n no ipv6 forwarding\n\ \ service integrated-vtysh-config\n \n interface lo\n \ \ ip address 10.80.128.102/32\n \n ip prefix-list DEFAULT seq 10\ \ permit 0.0.0.0/0\n !\n ip prefix-list PRIMARY seq 10 permit 10.64.0.0/17\n\ \ ip prefix-list PRIMARY seq 20 permit 10.68.0.0/16\n ip prefix-list\ \ PRIMARY seq 30 permit 10.72.0.0/16\n !\n ip prefix-list SECONDARY\ \ seq 10 permit 10.80.0.0/17\n ip prefix-list SECONDARY seq 20 permit\ \ 10.84.0.0/16\n ip prefix-list SECONDARY seq 30 permit 10.88.0.0/16\n\ \ \n route-map TO-DMZ permit 10\n match ip address\ \ prefix-list PRIMARY\n set metric 10100\n !\n route-map\ \ TO-DMZ permit 20\n match ip address prefix-list SECONDARY\n\ \ set metric 100\n !\n route-map TO-LANDING permit 10\n \ \ match ip address prefix-list DEFAULT\n set metric 100\n \ \ !\n route-map TO-NVA permit 10\n match ip address prefix-list\ \ SECONDARY\n set metric 50\n \n router bgp 64514\n \ \ bgp router-id 10.80.128.102\n bgp bestpath as-path ignore\n \ \ bgp disable-ebgp-connected-route-check\n bgp timers 20 60\n \ \ !\n no bgp ebgp-requires-policy\n no bgp network import-check\n\ \ !\n neighbor 10.80.128.201 remote-as 64512\n neighbor 10.80.128.202\ \ remote-as 64512\n !\n neighbor 10.80.0.201 remote-as 64515\n\ \ neighbor 10.80.0.201 update-source 10.80.0.102\n neighbor 10.80.0.202\ \ remote-as 64515\n neighbor 10.80.0.202 update-source 10.80.0.102\n\ \ !\n neighbor 10.64.128.101 remote-as 64513\n neighbor 10.64.128.101\ \ ebgp-multihop 2\n neighbor 10.64.128.102 remote-as 64513\n neighbor\ \ 10.64.128.102 ebgp-multihop 2\n !\n address-family ipv4 unicast\n\ \ neighbor 10.80.128.201 route-map TO-DMZ out\n neighbor\ \ 10.80.128.201 soft-reconfiguration inbound\n !\n 
neighbor 10.80.128.202\ \ route-map TO-DMZ out\n neighbor 10.80.128.202 soft-reconfiguration\ \ inbound\n !\n neighbor 10.80.0.201 route-map TO-LANDING out\n\ \ neighbor 10.80.0.201 soft-reconfiguration inbound\n !\n \ \ neighbor 10.80.0.202 route-map TO-LANDING out\n neighbor 10.80.0.202\ \ soft-reconfiguration inbound\n !\n neighbor 10.64.128.101 route-map\ \ TO-NVA out\n neighbor 10.64.128.101 soft-reconfiguration inbound\n\ \ !\n neighbor 10.64.128.102 route-map TO-NVA out\n neighbor\ \ 10.64.128.102 soft-reconfiguration inbound\n exit-address-family\n\ \ \n\n - path: /etc/frr/vtysh.conf\n owner: root\n permissions:\ \ 0644\n content: |\n # Copyright 2023 Google LLC\n #\n \ \ # Licensed under the Apache License, Version 2.0 (the \"License\");\n \ \ # you may not use this file except in compliance with the License.\n\ \ # You may obtain a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ \ #\n # Unless required by applicable law or agreed to in writing,\ \ software\n # distributed under the License is distributed on an \"\ AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ \ express or implied.\n # See the License for the specific language governing\ \ permissions and\n # limitations under the License.\n \n #\ \ This is a sample file used to remove warnings\n # when users open the\ \ vtysh console.\n \n\n - path: /etc/profile.d/00-aliases.sh\n owner:\ \ root\n permissions: 0644\n content: |\n alias vtysh='sudo docker\ \ exec -it frr sh -c vtysh'\n\n - path: /etc/systemd/system/frr.service\n\ \ owner: root\n permissions: 0644\n content: |\n # Copyright\ \ 2023 Google LLC\n #\n # Licensed under the Apache License, Version\ \ 2.0 (the \"License\");\n # you may not use this file except in compliance\ \ with the License.\n # You may obtain a copy of the License at\n \ \ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\ \ # Unless required by applicable law or agreed to in writing, software\n\ \ # distributed 
under the License is distributed on an \"AS IS\" BASIS,\n\ \ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\ \ # See the License for the specific language governing permissions and\n\ \ # limitations under the License.\n \n [Unit]\n Description=Start\ \ FRR container\n After=gcr-online.target docker.socket\n Wants=gcr-online.target\ \ docker.socket docker-events-collector.service\n [Service]\n Environment=\"\ HOME=/home/frr\"\n ExecStart=/usr/bin/docker run --rm --name=frr \\\n\ \ --privileged \\\n --network host \\\n -v /etc/frr:/etc/frr\ \ \\\n frrouting/frr\n ExecStop=/usr/bin/docker stop frr\n \ \ ExecStopPost=/usr/bin/docker rm frr\n \n\n - path: /var/lib/docker/daemon.json\n\ \ owner: root\n permissions: 0644\n content: |\n {\n\ \ \"live-restore\": true,\n \"storage-driver\"\ : \"overlay2\",\n \"log-opts\": {\n \"max-size\"\ : \"1024m\"\n }\n }\n \n\n - path: /var/run/nva/ipprefix_by_netmask.sh\n\ \ owner: root\n permissions: 0744\n content: |\n #!/bin/bash\n\ \ \n # Copyright 2023 Google LLC\n #\n # Licensed under\ \ the Apache License, Version 2.0 (the \"License\");\n # you may not\ \ use this file except in compliance with the License.\n # You may obtain\ \ a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ \ #\n # Unless required by applicable law or agreed to in writing,\ \ software\n # distributed under the License is distributed on an \"\ AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ \ express or implied.\n # See the License for the specific language governing\ \ permissions and\n # limitations under the License.\n \n #\ \ https://stackoverflow.com/questions/50413579/bash-convert-netmask-in-cidr-notation\n\ \ c=0 x=0$(printf '%o' ${1//./ })\n while [ $x -gt 0 ]; do\n \ \ let c+=$((x % 2)) 'x>>=1'\n done\n echo $c\n \n\n -\ \ path: /var/run/nva/policy_based_routing.sh\n owner: root\n permissions:\ \ 0744\n content: |\n #!/bin/bash\n \n # Copyright 2023\ \ Google LLC\n 
#\n # Licensed under the Apache License, Version\ \ 2.0 (the \"License\");\n # you may not use this file except in compliance\ \ with the License.\n # You may obtain a copy of the License at\n \ \ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\ \ # Unless required by applicable law or agreed to in writing, software\n\ \ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\ \ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\ \ # See the License for the specific language governing permissions and\n\ \ # limitations under the License.\n \n IF_NAME=$1\n IF_NUMBER=$(echo\ \ $IF_NAME | sed -e s/eth//)\n IF_GW=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/gateway\ \ -H \"Metadata-Flavor: Google\")\n IF_IP=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/ip\ \ -H \"Metadata-Flavor: Google\")\n IF_NETMASK=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/subnetmask\ \ -H \"Metadata-Flavor: Google\")\n IF_IP_PREFIX=$(/var/run/nva/ipprefix_by_netmask.sh\ \ $IF_NETMASK)\n \n # Sleep while there's no load balancer IP route\ \ for this IF\n while true\n do\n IPS_LB_STR=$(ip r show\ \ table local | grep \"$IF_NAME proto 66\" | cut -f 2 -d \" \" | tr -s '\\\ n' ' ')\n IPS_LB=($IPS_LB_STR)\n for IP in \"${IPS_LB[@]}\"\n\ \ do\n # Configure hc routing table if not available for this\ \ network interface\n grep -qxF \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\ \ /etc/iproute2/rt_tables || {\n echo \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\ \ >>/etc/iproute2/rt_tables\n ip route add $IF_GW src $IF_IP dev\ \ $IF_NAME table hc-$IF_NAME\n ip route add default via $IF_GW\ \ dev $IF_NAME table hc-$IF_NAME\n }\n \n # configure\ \ PBR route for LB\n ip rule list | grep -qF \"$IP\" || ip rule add\ \ from $IP/32 table hc-$IF_NAME\n done\n \n # remove previously\ \ configure PBR for old LB removed from 
network interface\n # first\ \ get list of PBR on this network interface and retrieve LB IP addresses\n\ \ PBR_LB_IPS_STR=$(ip rule list | grep \"hc-$IF_NAME\" | cut -f 2 -d\ \ \" \" | tr -s '\\n' ' ')\n PBR_LB_IPS=($PBR_LB_IPS_STR)\n \n\ \ # iterate over PBR LB IP addresses\n for PBR_IP in \"${PBR_LB_IPS[@]}\"\ \n do\n # check if the PBR LB IP belongs to the current array\ \ of LB IPs attached to the\n # network interface, if not delete\ \ the corresponding PBR rule\n if [ -z \"$IPS_LB\" ] || ! echo ${IPS_LB[@]}\ \ | grep --quiet \"$PBR_IP\" ; then\n ip rule del from $PBR_IP\n\ \ fi\n done\n sleep 2\n done\n \n\n\n -\ \ path: /etc/systemd/system/routing.service\n permissions: 0644\n owner:\ \ root\n content: |\n [Install]\n WantedBy=multi-user.target\n\ \ [Unit]\n Description=Start routing\n After=network-online.target\n\ \ Wants=network-online.target\n [Service]\n RemainAfterExit=true\n\ \ ExecStart=/bin/sh -c \"/var/run/nva/start-routing.sh\"\n - path: /var/run/nva/start-routing.sh\n\ \ permissions: 0744\n owner: root\n content: |\n iptables --policy\ \ FORWARD ACCEPT\n /var/run/nva/policy_based_routing.sh eth0 &>/dev/null\ \ &\n iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n ip\ \ route add 10.64.127.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\ \ -H \"Metadata-Flavor:Google\"` dev eth0\n ip route add 10.80.127.0/17\ \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\ \ -H \"Metadata-Flavor:Google\"` dev eth0\n /var/run/nva/policy_based_routing.sh\ \ eth1 &>/dev/null &\n ip route add 10.64.0.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\ \ -H \"Metadata-Flavor:Google\"` dev eth1\n ip route add 10.80.0.0/17\ \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\ \ -H \"Metadata-Flavor:Google\"` dev eth1\n iptables -A INPUT -p tcp\ \ --dport 179 
-j ACCEPT\n\nbootcmd:\n - systemctl start node-problem-detector\n\ \nruncmd:\n - systemctl daemon-reload\n - systemctl enable routing\n -\ \ systemctl start routing\n - systemctl start frr\n" metadata_startup_script: null name: nva-ew4-c network_interface: - access_config: [] alias_ip_range: [] ipv6_access_config: [] network_ip: 10.80.128.102 nic_type: null queue_count: null security_policy: null - access_config: [] alias_ip_range: [] ipv6_access_config: [] network_ip: 10.80.0.102 nic_type: null queue_count: null security_policy: null network_performance_config: [] params: [] project: fast2-prod-net-landing-0 resource_policies: null scheduling: - automatic_restart: true instance_termination_action: null local_ssd_recovery_timeout: [] maintenance_interval: null max_run_duration: [] min_node_cpus: null node_affinities: [] on_host_maintenance: MIGRATE preemptible: false provisioning_model: STANDARD scratch_disk: [] service_account: - scopes: - https://www.googleapis.com/auth/devstorage.read_only - https://www.googleapis.com/auth/logging.write - https://www.googleapis.com/auth/monitoring.write shielded_instance_config: [] tags: - nva timeouts: null zone: europe-west4-c module.peering-dev.google_compute_network_peering.local_network_peering: export_custom_routes: true export_subnet_routes_with_public_ip: true import_custom_routes: true import_subnet_routes_with_public_ip: null stack_type: IPV4_ONLY timeouts: null module.peering-dev.google_compute_network_peering.peer_network_peering[0]: export_custom_routes: true export_subnet_routes_with_public_ip: true import_custom_routes: true import_subnet_routes_with_public_ip: null stack_type: IPV4_ONLY timeouts: null module.peering-prod.google_compute_network_peering.local_network_peering: export_custom_routes: true export_subnet_routes_with_public_ip: true import_custom_routes: true import_subnet_routes_with_public_ip: null stack_type: IPV4_ONLY timeouts: null 
# Spoke <-> landing VPC peering, peer side. Custom (static/dynamic) routes are
# exchanged in both directions, so the spoke learns the routes the landing VPC
# carries (including the BGP-learned NVA paths) and vice versa.
module.peering-prod.google_compute_network_peering.peer_network_peering[0]:
  export_custom_routes: true
  export_subnet_routes_with_public_ip: true
  import_custom_routes: true
  import_subnet_routes_with_public_ip: null
  stack_type: IPV4_ONLY
  timeouts: null
# Private zones in the prod spoke host project. Zone-level query logging is off
# on all three; the VPC-level DNS policy further down
# (module.prod-spoke-vpc.google_dns_policy.default[0]) has enable_logging: true,
# which is where query logs for VMs in this VPC come from.
# NOTE(review): the two "peer-landing" zones are named as peering zones towards
# the landing VPC, but the peering target network is not among the planned
# values shown here (no peering_config key) — confirm against the module.
module.prod-dns-peer-landing-rev-10.google_dns_managed_zone.dns_managed_zone[0]:
  cloud_logging_config:
    - enable_logging: false
  description: Terraform managed.
  dns_name: 10.in-addr.arpa.
  dnssec_config: []
  force_destroy: false
  forwarding_config: []
  labels: null
  name: prod-reverse-10-dns-peering
  project: fast2-prod-net-spoke-0
  reverse_lookup: false
  service_directory_config: []
  timeouts: null
  visibility: private
module.prod-dns-peer-landing-root.google_dns_managed_zone.dns_managed_zone[0]:
  cloud_logging_config:
    - enable_logging: false
  description: Terraform managed.
  dns_name: .
  dnssec_config: []
  force_destroy: false
  forwarding_config: []
  labels: null
  name: prod-root-dns-peering
  project: fast2-prod-net-spoke-0
  reverse_lookup: false
  service_directory_config: []
  timeouts: null
  visibility: private
module.prod-dns-private-zone.google_dns_managed_zone.dns_managed_zone[0]:
  cloud_logging_config:
    - enable_logging: false
  description: Terraform managed.
  dns_name: prod.gcp.example.com.
  dnssec_config: []
  force_destroy: false
  forwarding_config: []
  labels: null
  name: prod-gcp-example-com
  peering_config: []
  project: fast2-prod-net-spoke-0
  service_directory_config: []
  timeouts: null
  visibility: private
# Single A record pointing at loopback; presumably a placeholder so the zone is
# not empty — nothing resolves to a real host through it.
module.prod-dns-private-zone.google_dns_record_set.dns_record_set["A localhost"]:
  managed_zone: prod-gcp-example-com
  name: localhost.prod.gcp.example.com.
  project: fast2-prod-net-spoke-0
  routing_policy: []
  rrdatas:
    - 127.0.0.1
  ttl: 300
  type: A
# Lowest-priority (65535) catch-all: deny every protocol from any source and
# log the hit. No target filter, so it applies to every instance in the VPC.
# NOTE(review): metadata EXCLUDE_ALL_METADATA keeps the log entries small;
# if instance/VPC details are wanted when triaging denied traffic,
# INCLUDE_ALL_METADATA is the alternative — check the log volume trade-off.
module.prod-spoke-firewall.google_compute_firewall.custom-rules["ingress-default-deny"]:
  allow: []
  deny:
    - ports: []
      protocol: all
  description: Deny and log any unmatched ingress traffic.
  direction: INGRESS
  disabled: false
  log_config:
    - metadata: EXCLUDE_ALL_METADATA
  name: ingress-default-deny
  priority: 65535
  project: fast2-prod-net-spoke-0
  source_ranges:
    - 0.0.0.0/0
  source_service_accounts: null
  source_tags: null
  target_service_accounts: null
  target_tags: null
  timeouts: null
# The spoke project is a Shared VPC host; service projects attach to it via the
# delegated grants below.
module.prod-spoke-project.google_compute_shared_vpc_host_project.shared_vpc_host[0]:
  project: fast2-prod-net-spoke-0
  timeouts: null
# Metrics from this project are visible in the landing project's metrics scope.
module.prod-spoke-project.google_monitoring_monitored_project.primary["fast2-prod-net-landing-0"]:
  metrics_scope: fast2-prod-net-landing-0
  name: fast2-prod-net-spoke-0
  timeouts: null
# auto_create_network: false — no default VPC (and its permissive default
# firewall rules) is created with the project. billing_account is a fixture
# placeholder value.
module.prod-spoke-project.google_project.project[0]:
  auto_create_network: false
  billing_account: 000000-111111-222222
  folder_id: null
  labels: null
  name: fast2-prod-net-spoke-0
  org_id: null
  project_id: fast2-prod-net-spoke-0
  skip_delete: false
  timeouts: null
# Authoritative binding: exactly the listed members hold roles/dns.admin here.
# "serviceAccount:string" appears to be the inventory placeholder for the
# stage service account (the real email is resolved at apply time).
module.prod-spoke-project.google_project_iam_binding.authoritative["roles/dns.admin"]:
  condition: []
  members:
    - serviceAccount:string
  project: fast2-prod-net-spoke-0
  role: roles/dns.admin
# Delegated-grant pattern: projectIamAdmin is granted, but the IAM condition
# (modifiedGrantsByRole ... hasOnly) restricts it to granting/revoking only the
# enumerated network-consumer roles, not arbitrary roles on the host project.
# Keep the list minimal — every role added here widens what the stage-3 SA
# can hand out to service projects.
module.prod-spoke-project.google_project_iam_binding.bindings["sa_delegated_grants"]:
  condition:
    - description: Production host project delegated grants.
      expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/composer.sharedVpcAgent','roles/compute.networkUser','roles/compute.networkViewer','roles/container.hostServiceAgentUser','roles/multiclusterservicediscovery.serviceAgent','roles/vpcaccess.user'])
      title: prod_stage3_sa_delegated_grants
  members:
    - serviceAccount:string
  project: fast2-prod-net-spoke-0
  role: roles/resourcemanager.projectIamAdmin
# Service-agent role for the Service Networking identity created below; the
# member is not part of the planned values (known only after apply).
module.prod-spoke-project.google_project_iam_member.servicenetworking[0]:
  condition: []
  project: fast2-prod-net-spoke-0
  role: roles/servicenetworking.serviceAgent
# APIs enabled on the spoke project. disable_on_destroy: false on all of them,
# so destroying the stage leaves the services enabled.
module.prod-spoke-project.google_project_service.project_services["compute.googleapis.com"]:
  disable_dependent_services: false
  disable_on_destroy: false
  project: fast2-prod-net-spoke-0
  service: compute.googleapis.com
  timeouts: null
module.prod-spoke-project.google_project_service.project_services["dns.googleapis.com"]:
  disable_dependent_services: false
  disable_on_destroy: false
  project: fast2-prod-net-spoke-0
  service: dns.googleapis.com
  timeouts: null
module.prod-spoke-project.google_project_service.project_services["iap.googleapis.com"]:
  disable_dependent_services: false
  disable_on_destroy: false
  project: fast2-prod-net-spoke-0
  service: iap.googleapis.com
  timeouts: null
module.prod-spoke-project.google_project_service.project_services["networkmanagement.googleapis.com"]:
  disable_dependent_services: false
  disable_on_destroy: false
  project: fast2-prod-net-spoke-0
  service: networkmanagement.googleapis.com
  timeouts: null
module.prod-spoke-project.google_project_service.project_services["servicenetworking.googleapis.com"]:
  disable_dependent_services: false
  disable_on_destroy: false
  project: fast2-prod-net-spoke-0
  service: servicenetworking.googleapis.com
  timeouts: null
module.prod-spoke-project.google_project_service.project_services["stackdriver.googleapis.com"]:
  disable_dependent_services: false
  disable_on_destroy: false
  project: fast2-prod-net-spoke-0
  service: stackdriver.googleapis.com
  timeouts: null
module.prod-spoke-project.google_project_service.project_services["vpcaccess.googleapis.com"]:
  disable_dependent_services: false
  disable_on_destroy: false
  project: fast2-prod-net-spoke-0
  service: vpcaccess.googleapis.com
  timeouts: null
# Service identities are created up front so their IAM grants can be bound
# before the services are first used.
module.prod-spoke-project.google_project_service_identity.jit_si["iap.googleapis.com"]:
  project: fast2-prod-net-spoke-0
  service: iap.googleapis.com
  timeouts: null
module.prod-spoke-project.google_project_service_identity.servicenetworking[0]:
  project: fast2-prod-net-spoke-0
  service: servicenetworking.googleapis.com
  timeouts: null
# Prod spoke VPC. No default internet route is created
# (delete_default_routes_on_create: true): egress to the internet only exists
# if something else (e.g. a route learned from the landing VPC via the NVAs)
# provides it. Global routing so dynamic routes are usable in both regions.
module.prod-spoke-vpc.google_compute_network.network[0]:
  auto_create_subnetworks: false
  delete_default_routes_on_create: true
  description: Terraform-managed.
  enable_ula_internal_ipv6: null
  mtu: 1500
  name: prod-spoke-0
  network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
  project: fast2-prod-net-spoke-0
  routing_mode: GLOBAL
  timeouts: null
# The only gateway routes: the private.googleapis.com and
# restricted.googleapis.com VIP ranges, reached through the default internet
# gateway (the Private Google Access path, used together with
# private_ip_google_access on the subnets below).
module.prod-spoke-vpc.google_compute_route.gateway["private-googleapis"]:
  description: Terraform-managed.
  dest_range: 199.36.153.8/30
  name: prod-spoke-0-private-googleapis
  next_hop_gateway: default-internet-gateway
  next_hop_ilb: null
  next_hop_instance: null
  next_hop_vpn_tunnel: null
  priority: 1000
  project: fast2-prod-net-spoke-0
  tags: null
  timeouts: null
module.prod-spoke-vpc.google_compute_route.gateway["restricted-googleapis"]:
  description: Terraform-managed.
  dest_range: 199.36.153.4/30
  name: prod-spoke-0-restricted-googleapis
  next_hop_gateway: default-internet-gateway
  next_hop_ilb: null
  next_hop_instance: null
  next_hop_vpn_tunnel: null
  priority: 1000
  project: fast2-prod-net-spoke-0
  tags: null
  timeouts: null
# Default subnets, one per region, inside the "GCP prod primary/secondary"
# aggregates (10.72.0.0/16, 10.88.0.0/16) advertised by the landing Cloud
# Router below.
# NOTE(review): log_config is empty, so VPC flow logs are not enabled on these
# subnets; enable them (with a sampling rate that fits the budget) if
# flow-level visibility is wanted for prod workloads.
module.prod-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/prod-default"]:
  description: Default europe-west1 subnet for prod
  ip_cidr_range: 10.72.0.0/24
  ipv6_access_type: null
  log_config: []
  name: prod-default
  private_ip_google_access: true
  project: fast2-prod-net-spoke-0
  region: europe-west1
  role: null
  secondary_ip_range: []
  timeouts: null
module.prod-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west4/prod-default"]:
  description: Default europe-west4 subnet for prod
  ip_cidr_range: 10.88.0.0/24
  ipv6_access_type: null
  log_config: []
  name: prod-default
  private_ip_google_access: true
  project: fast2-prod-net-spoke-0
  region: europe-west4
  role: null
  secondary_ip_range: []
  timeouts: null
# VPC-level DNS policy with query logging enabled (this is what covers the
# zones above, whose own logging is off).
module.prod-spoke-vpc.google_dns_policy.default[0]:
  alternative_name_server_config: []
  description: Managed by Terraform
  enable_inbound_forwarding: null
  enable_logging: true
  name: prod-spoke-0
  networks:
    - {}
  project: fast2-prod-net-spoke-0
  timeouts: null
# Landing-side Cloud Router (ASN 64515) in europe-west1. Custom advertisement
# of the landing/dev/prod primary and secondary aggregates — the same ranges
# the NVA frr.conf PRIMARY/SECONDARY prefix-lists match on.
# NOTE(review): the NVA start-routing.sh (module.nva[*] user-data) adds static
# routes for 10.64.127.0/17 and 10.80.127.0/17 via eth0. Those prefixes are not
# /17-aligned and fall inside the landing aggregates advertised here, not on
# the DMZ side (the NVA DMZ NICs are 10.64.128.x / 10.80.128.x); this looks like
# a typo for 10.64.128.0/17 and 10.80.128.0/17 — verify against the module.
module.spokes-landing["primary"].google_compute_router.cr:
  bgp:
    - advertise_mode: CUSTOM
      advertised_groups: []
      advertised_ip_ranges:
        - description: GCP landing primary.
          range: 10.64.0.0/17
        - description: GCP dev primary.
          range: 10.68.0.0/16
        - description: GCP prod primary.
          range: 10.72.0.0/16
        - description: GCP landing secondary.
          range: 10.80.0.0/17
        - description: GCP dev secondary.
          range: 10.84.0.0/16
        - description: GCP prod secondary.
          range: 10.88.0.0/16
      asn: 64515
      keepalive_interval: 20
  description: null
  encrypted_interconnect_router: null
  name: prod-spoke-landing-ew1-cr
  project: fast2-prod-net-landing-0
  region: europe-west1
  timeouts: null
# Redundant interface pair at 10.64.0.201/.202. The secondary-region
# equivalents (10.80.0.201/.202, remote-as 64515) are the landing-side
# neighbors in the nva-ew4-* frr.conf, so these are presumably what the
# primary-region NVAs peer with.
module.spokes-landing["primary"].google_compute_router_interface.intf_0:
  interconnect_attachment: null
  name: prod-spoke-landing-ew1-cr-intf0
  private_ip_address: 10.64.0.201
  project: fast2-prod-net-landing-0
  region: europe-west1
  router: prod-spoke-landing-ew1-cr
  timeouts: null
  vpn_tunnel: null
module.spokes-landing["primary"].google_compute_router_interface.intf_1:
  interconnect_attachment: null
  name: prod-spoke-landing-ew1-cr-intf1
  private_ip_address: 10.64.0.202
  project: fast2-prod-net-landing-0
  redundant_interface: prod-spoke-landing-ew1-cr-intf0
  region: europe-west1
  router: prod-spoke-landing-ew1-cr
  timeouts: null
  vpn_tunnel: null
# BGP peers towards the primary-region NVAs (peer_asn 64513 is the AS the
# nva-ew4-* frr.conf assigns to 10.64.128.101/.102). Peer IPs are not in the
# planned values.
# NOTE(review): md5_authentication_key is empty here and the NVA frr.conf sets
# no `neighbor ... password`, so these eBGP sessions are unauthenticated on
# both ends; the FRR side additionally runs `no bgp ebgp-requires-policy` and
# `bgp bestpath as-path ignore`. Cloud Router supports MD5 on the peer
# (md5_authentication_key) — enabling it here and in frr.conf is a cheap check
# against a rogue speaker that can reach the session.
module.spokes-landing["primary"].google_compute_router_peer.peer_0["0"]:
  advertise_mode: DEFAULT
  advertised_groups: null
  advertised_ip_ranges: []
  advertised_route_priority: 100
  enable: true
  enable_ipv6: false
  interface: prod-spoke-landing-ew1-cr-intf0
  md5_authentication_key: []
  peer_asn: 64513
  project: fast2-prod-net-landing-0
  region: europe-west1
  router: prod-spoke-landing-ew1-cr
  timeouts: null
module.spokes-landing["primary"].google_compute_router_peer.peer_0["1"]:
  advertise_mode: DEFAULT
  advertised_groups: null
  advertised_ip_ranges: []
  advertised_route_priority: 100
  enable: true
  enable_ipv6: false
  interface: prod-spoke-landing-ew1-cr-intf0
  md5_authentication_key: []
  peer_asn: 64513
  project: fast2-prod-net-landing-0
  region: europe-west1
  router: prod-spoke-landing-ew1-cr
  timeouts: null
# Same peer set on the redundant interface (resource continues beyond this
# chunk; the remaining keys are unchanged).
module.spokes-landing["primary"].google_compute_router_peer.peer_1["0"]:
  advertise_mode: DEFAULT
  advertised_groups: null
  advertised_ip_ranges: []
  advertised_route_priority: 100
  enable: true
  enable_ipv6: false
  interface: prod-spoke-landing-ew1-cr-intf1
  md5_authentication_key: []
  peer_asn: 64513
  project: fast2-prod-net-landing-0
  region: europe-west1
router: prod-spoke-landing-ew1-cr timeouts: null module.spokes-landing["primary"].google_compute_router_peer.peer_1["1"]: advertise_mode: DEFAULT advertised_groups: null advertised_ip_ranges: [] advertised_route_priority: 100 enable: true enable_ipv6: false interface: prod-spoke-landing-ew1-cr-intf1 md5_authentication_key: [] peer_asn: 64513 project: fast2-prod-net-landing-0 region: europe-west1 router: prod-spoke-landing-ew1-cr timeouts: null module.spokes-landing["primary"].google_network_connectivity_spoke.spoke-ra: description: null labels: null linked_interconnect_attachments: [] linked_router_appliance_instances: - instances: - {} - {} site_to_site_data_transfer: false linked_vpc_network: [] linked_vpn_tunnels: [] location: europe-west1 name: prod-spoke-landing-ew1 project: fast2-prod-net-landing-0 timeouts: null module.spokes-landing["secondary"].google_compute_router.cr: bgp: - advertise_mode: CUSTOM advertised_groups: [] advertised_ip_ranges: - description: GCP landing primary. range: 10.64.0.0/17 - description: GCP dev primary. range: 10.68.0.0/16 - description: GCP prod primary. range: 10.72.0.0/16 - description: GCP landing secondary. range: 10.80.0.0/17 - description: GCP dev secondary. range: 10.84.0.0/16 - description: GCP prod secondary. 
range: 10.88.0.0/16 asn: 64515 keepalive_interval: 20 description: null encrypted_interconnect_router: null name: prod-spoke-landing-ew4-cr project: fast2-prod-net-landing-0 region: europe-west4 timeouts: null module.spokes-landing["secondary"].google_compute_router_interface.intf_0: interconnect_attachment: null name: prod-spoke-landing-ew4-cr-intf0 private_ip_address: 10.80.0.201 project: fast2-prod-net-landing-0 region: europe-west4 router: prod-spoke-landing-ew4-cr timeouts: null vpn_tunnel: null module.spokes-landing["secondary"].google_compute_router_interface.intf_1: interconnect_attachment: null name: prod-spoke-landing-ew4-cr-intf1 private_ip_address: 10.80.0.202 project: fast2-prod-net-landing-0 redundant_interface: prod-spoke-landing-ew4-cr-intf0 region: europe-west4 router: prod-spoke-landing-ew4-cr timeouts: null vpn_tunnel: null module.spokes-landing["secondary"].google_compute_router_peer.peer_0["0"]: advertise_mode: DEFAULT advertised_groups: null advertised_ip_ranges: [] advertised_route_priority: 100 enable: true enable_ipv6: false interface: prod-spoke-landing-ew4-cr-intf0 md5_authentication_key: [] peer_asn: 64514 project: fast2-prod-net-landing-0 region: europe-west4 router: prod-spoke-landing-ew4-cr timeouts: null module.spokes-landing["secondary"].google_compute_router_peer.peer_0["1"]: advertise_mode: DEFAULT advertised_groups: null advertised_ip_ranges: [] advertised_route_priority: 100 enable: true enable_ipv6: false interface: prod-spoke-landing-ew4-cr-intf0 md5_authentication_key: [] peer_asn: 64514 project: fast2-prod-net-landing-0 region: europe-west4 router: prod-spoke-landing-ew4-cr timeouts: null module.spokes-landing["secondary"].google_compute_router_peer.peer_1["0"]: advertise_mode: DEFAULT advertised_groups: null advertised_ip_ranges: [] advertised_route_priority: 100 enable: true enable_ipv6: false interface: prod-spoke-landing-ew4-cr-intf1 md5_authentication_key: [] peer_asn: 64514 project: fast2-prod-net-landing-0 region: 
europe-west4 router: prod-spoke-landing-ew4-cr timeouts: null module.spokes-landing["secondary"].google_compute_router_peer.peer_1["1"]: advertise_mode: DEFAULT advertised_groups: null advertised_ip_ranges: [] advertised_route_priority: 100 enable: true enable_ipv6: false interface: prod-spoke-landing-ew4-cr-intf1 md5_authentication_key: [] peer_asn: 64514 project: fast2-prod-net-landing-0 region: europe-west4 router: prod-spoke-landing-ew4-cr timeouts: null module.spokes-landing["secondary"].google_network_connectivity_spoke.spoke-ra: description: null labels: null linked_interconnect_attachments: [] linked_router_appliance_instances: - instances: - {} - {} site_to_site_data_transfer: false linked_vpc_network: [] linked_vpn_tunnels: [] location: europe-west4 name: prod-spoke-landing-ew4 project: fast2-prod-net-landing-0 timeouts: null module.spokes-dmz["primary"].google_compute_router.cr: bgp: - advertise_mode: CUSTOM advertised_groups: [] advertised_ip_ranges: - description: Default route. 
range: 0.0.0.0/0 asn: 64512 keepalive_interval: 20 description: null encrypted_interconnect_router: null name: prod-spoke-dmz-ew1-cr project: fast2-prod-net-landing-0 region: europe-west1 timeouts: null module.spokes-dmz["primary"].google_compute_router_interface.intf_0: interconnect_attachment: null name: prod-spoke-dmz-ew1-cr-intf0 private_ip_address: 10.64.128.201 project: fast2-prod-net-landing-0 region: europe-west1 router: prod-spoke-dmz-ew1-cr timeouts: null vpn_tunnel: null module.spokes-dmz["primary"].google_compute_router_interface.intf_1: interconnect_attachment: null name: prod-spoke-dmz-ew1-cr-intf1 private_ip_address: 10.64.128.202 project: fast2-prod-net-landing-0 redundant_interface: prod-spoke-dmz-ew1-cr-intf0 region: europe-west1 router: prod-spoke-dmz-ew1-cr timeouts: null vpn_tunnel: null module.spokes-dmz["primary"].google_compute_router_peer.peer_0["0"]: advertise_mode: DEFAULT advertised_groups: null advertised_ip_ranges: [] advertised_route_priority: 100 enable: true enable_ipv6: false interface: prod-spoke-dmz-ew1-cr-intf0 md5_authentication_key: [] peer_asn: 64513 project: fast2-prod-net-landing-0 region: europe-west1 router: prod-spoke-dmz-ew1-cr timeouts: null module.spokes-dmz["primary"].google_compute_router_peer.peer_0["1"]: advertise_mode: DEFAULT advertised_groups: null advertised_ip_ranges: [] advertised_route_priority: 100 enable: true enable_ipv6: false interface: prod-spoke-dmz-ew1-cr-intf0 md5_authentication_key: [] peer_asn: 64513 project: fast2-prod-net-landing-0 region: europe-west1 router: prod-spoke-dmz-ew1-cr timeouts: null module.spokes-dmz["primary"].google_compute_router_peer.peer_1["0"]: advertise_mode: DEFAULT advertised_groups: null advertised_ip_ranges: [] advertised_route_priority: 100 enable: true enable_ipv6: false interface: prod-spoke-dmz-ew1-cr-intf1 md5_authentication_key: [] peer_asn: 64513 project: fast2-prod-net-landing-0 region: europe-west1 router: prod-spoke-dmz-ew1-cr timeouts: null 
module.spokes-dmz["primary"].google_compute_router_peer.peer_1["1"]: advertise_mode: DEFAULT advertised_groups: null advertised_ip_ranges: [] advertised_route_priority: 100 enable: true enable_ipv6: false interface: prod-spoke-dmz-ew1-cr-intf1 md5_authentication_key: [] peer_asn: 64513 project: fast2-prod-net-landing-0 region: europe-west1 router: prod-spoke-dmz-ew1-cr timeouts: null module.spokes-dmz["primary"].google_network_connectivity_spoke.spoke-ra: description: null labels: null linked_interconnect_attachments: [] linked_router_appliance_instances: - instances: - {} - {} site_to_site_data_transfer: false linked_vpc_network: [] linked_vpn_tunnels: [] location: europe-west1 name: prod-spoke-dmz-ew1 project: fast2-prod-net-landing-0 timeouts: null module.spokes-dmz["secondary"].google_compute_router.cr: bgp: - advertise_mode: CUSTOM advertised_groups: [] advertised_ip_ranges: - description: Default route. range: 0.0.0.0/0 asn: 64512 keepalive_interval: 20 description: null encrypted_interconnect_router: null name: prod-spoke-dmz-ew4-cr project: fast2-prod-net-landing-0 region: europe-west4 timeouts: null module.spokes-dmz["secondary"].google_compute_router_interface.intf_0: interconnect_attachment: null name: prod-spoke-dmz-ew4-cr-intf0 private_ip_address: 10.80.128.201 project: fast2-prod-net-landing-0 region: europe-west4 router: prod-spoke-dmz-ew4-cr timeouts: null vpn_tunnel: null module.spokes-dmz["secondary"].google_compute_router_interface.intf_1: interconnect_attachment: null name: prod-spoke-dmz-ew4-cr-intf1 private_ip_address: 10.80.128.202 project: fast2-prod-net-landing-0 redundant_interface: prod-spoke-dmz-ew4-cr-intf0 region: europe-west4 router: prod-spoke-dmz-ew4-cr timeouts: null vpn_tunnel: null module.spokes-dmz["secondary"].google_compute_router_peer.peer_0["0"]: advertise_mode: DEFAULT advertised_groups: null advertised_ip_ranges: [] advertised_route_priority: 100 enable: true enable_ipv6: false interface: prod-spoke-dmz-ew4-cr-intf0 
md5_authentication_key: [] peer_asn: 64514 project: fast2-prod-net-landing-0 region: europe-west4 router: prod-spoke-dmz-ew4-cr timeouts: null module.spokes-dmz["secondary"].google_compute_router_peer.peer_0["1"]: advertise_mode: DEFAULT advertised_groups: null advertised_ip_ranges: [] advertised_route_priority: 100 enable: true enable_ipv6: false interface: prod-spoke-dmz-ew4-cr-intf0 md5_authentication_key: [] peer_asn: 64514 project: fast2-prod-net-landing-0 region: europe-west4 router: prod-spoke-dmz-ew4-cr timeouts: null module.spokes-dmz["secondary"].google_compute_router_peer.peer_1["0"]: advertise_mode: DEFAULT advertised_groups: null advertised_ip_ranges: [] advertised_route_priority: 100 enable: true enable_ipv6: false interface: prod-spoke-dmz-ew4-cr-intf1 md5_authentication_key: [] peer_asn: 64514 project: fast2-prod-net-landing-0 region: europe-west4 router: prod-spoke-dmz-ew4-cr timeouts: null module.spokes-dmz["secondary"].google_compute_router_peer.peer_1["1"]: advertise_mode: DEFAULT advertised_groups: null advertised_ip_ranges: [] advertised_route_priority: 100 enable: true enable_ipv6: false interface: prod-spoke-dmz-ew4-cr-intf1 md5_authentication_key: [] peer_asn: 64514 project: fast2-prod-net-landing-0 region: europe-west4 router: prod-spoke-dmz-ew4-cr timeouts: null module.spokes-dmz["secondary"].google_network_connectivity_spoke.spoke-ra: description: null labels: null linked_interconnect_attachments: [] linked_router_appliance_instances: - instances: - {} - {} site_to_site_data_transfer: false linked_vpc_network: [] linked_vpn_tunnels: [] location: europe-west4 name: prod-spoke-dmz-ew4 project: fast2-prod-net-landing-0 timeouts: null counts: google_compute_address: 8 google_compute_external_vpn_gateway: 2 google_compute_firewall: 12 google_compute_firewall_policy: 1 google_compute_firewall_policy_association: 1 google_compute_firewall_policy_rule: 4 google_compute_ha_vpn_gateway: 2 google_compute_instance: 4 google_compute_network: 4 
google_compute_network_peering: 4 google_compute_route: 6 google_compute_router: 8 google_compute_router_interface: 12 google_compute_router_nat: 2 google_compute_router_peer: 20 google_compute_shared_vpc_host_project: 3 google_compute_subnetwork: 10 google_compute_vpn_tunnel: 4 google_dns_managed_zone: 9 google_dns_policy: 4 google_dns_record_set: 3 google_dns_response_policy: 1 google_dns_response_policy_rule: 34 google_essential_contacts_contact: 1 google_folder: 1 google_monitoring_alert_policy: 2 google_monitoring_dashboard: 3 google_monitoring_monitored_project: 2 google_network_connectivity_hub: 2 google_network_connectivity_spoke: 4 google_project: 3 google_project_iam_binding: 6 google_project_iam_member: 2 google_project_service: 20 google_project_service_identity: 5 google_storage_bucket_object: 1 modules: 37 random_id: 2 resources: 212