# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
google_compute_address.nva_static_ip_landing["primary-b"]:
address: 10.64.0.101
address_type: INTERNAL
description: null
ip_version: null
ipv6_endpoint_type: null
labels: null
name: nva-ip-landing-ew1-b
network: null
project: fast2-prod-net-landing-0
region: europe-west1
timeouts: null
google_compute_address.nva_static_ip_landing["primary-c"]:
address: 10.64.0.102
address_type: INTERNAL
description: null
ip_version: null
ipv6_endpoint_type: null
labels: null
name: nva-ip-landing-ew1-c
network: null
project: fast2-prod-net-landing-0
region: europe-west1
timeouts: null
google_compute_address.nva_static_ip_landing["secondary-b"]:
address: 10.80.0.101
address_type: INTERNAL
description: null
ip_version: null
ipv6_endpoint_type: null
labels: null
name: nva-ip-landing-ew4-b
network: null
project: fast2-prod-net-landing-0
region: europe-west4
timeouts: null
google_compute_address.nva_static_ip_landing["secondary-c"]:
address: 10.80.0.102
address_type: INTERNAL
description: null
ip_version: null
ipv6_endpoint_type: null
labels: null
name: nva-ip-landing-ew4-c
network: null
project: fast2-prod-net-landing-0
region: europe-west4
timeouts: null
google_compute_address.nva_static_ip_dmz["primary-b"]:
address: 10.64.128.101
address_type: INTERNAL
description: null
ip_version: null
ipv6_endpoint_type: null
labels: null
name: nva-ip-dmz-ew1-b
network: null
project: fast2-prod-net-landing-0
region: europe-west1
timeouts: null
google_compute_address.nva_static_ip_dmz["primary-c"]:
address: 10.64.128.102
address_type: INTERNAL
description: null
ip_version: null
ipv6_endpoint_type: null
labels: null
name: nva-ip-dmz-ew1-c
network: null
project: fast2-prod-net-landing-0
region: europe-west1
timeouts: null
google_compute_address.nva_static_ip_dmz["secondary-b"]:
address: 10.80.128.101
address_type: INTERNAL
description: null
ip_version: null
ipv6_endpoint_type: null
labels: null
name: nva-ip-dmz-ew4-b
network: null
project: fast2-prod-net-landing-0
region: europe-west4
timeouts: null
google_compute_address.nva_static_ip_dmz["secondary-c"]:
address: 10.80.128.102
address_type: INTERNAL
description: null
ip_version: null
ipv6_endpoint_type: null
labels: null
name: nva-ip-dmz-ew4-c
network: null
project: fast2-prod-net-landing-0
region: europe-west4
timeouts: null
google_monitoring_alert_policy.vpn_tunnel_bandwidth[0]:
alert_strategy: []
combiner: OR
conditions:
- condition_absent: []
condition_matched_log: []
condition_monitoring_query_language:
- duration: 120s
evaluation_missing_data: null
query: fetch vpn_gateway| { metric vpn.googleapis.com/network/sent_bytes_count;
metric vpn.googleapis.com/network/received_bytes_count }| align rate (1m)|
group_by [metric.tunnel_name]| outer_join 0,0| value val(0) + val(1)| condition
val() > 187.5 "MBy/s"
trigger:
- count: 1
percent: null
condition_prometheus_query_language: []
condition_threshold: []
display_name: VPN Tunnel Bandwidth usage
display_name: VPN Tunnel Bandwidth usage
documentation: []
enabled: true
notification_channels: []
project: fast2-prod-net-landing-0
severity: null
timeouts: null
user_labels: null
google_monitoring_alert_policy.vpn_tunnel_established[0]:
alert_strategy: []
combiner: OR
conditions:
- condition_absent: []
condition_matched_log: []
condition_monitoring_query_language:
- duration: 120s
evaluation_missing_data: null
query: 'fetch vpn_gateway| metric vpn.googleapis.com/tunnel_established| group_by
5m, [value_tunnel_established_max: max(value.tunnel_established)]| every
5m| condition val() < 1 ''1'''
trigger:
- count: 1
percent: null
condition_prometheus_query_language: []
condition_threshold: []
display_name: VPN Tunnel Established
display_name: VPN Tunnel Established
documentation: []
enabled: true
notification_channels: []
project: fast2-prod-net-landing-0
severity: null
timeouts: null
user_labels: null
google_monitoring_dashboard.dashboard["firewall_insights.json"]:
dashboard_json: '{"displayName":"Firewall Insights Monitoring","gridLayout":{"columns":"2","widgets":[{"title":"Subnet
Firewall Hit Counts","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"firewallinsights.googleapis.com/subnet/firewall_hit_count\"
resource.type=\"gce_subnetwork\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},{"title":"VM
Firewall Hit Counts","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"firewallinsights.googleapis.com/vm/firewall_hit_count\"
resource.type=\"gce_instance\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}}]}}'
project: fast2-prod-net-landing-0
timeouts: null
google_monitoring_dashboard.dashboard["vpc_and_vpc_peering_group_quotas.json"]:
dashboard_json: '{"dashboardFilters":[],"displayName":"VPC \u0026 VPC Peering
Group Quotas","labels":{},"mosaicLayout":{"columns":12,"tiles":[{"height":4,"widget":{"title":"Internal
network (L4) Load Balancers per VPC Peering Group","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"breakdowns":[],"dimensions":[],"measures":[],"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch
compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/internal_lb_forwarding_rules_per_peering_group/usage\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.max()\n ; metric\n compute.googleapis.com/quota/internal_lb_forwarding_rules_per_peering_group/limit\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.min() }\n| ratio\n| value cast_units(val()*100, \"%\")","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"xPos":6},{"height":4,"widget":{"title":"Internal
network (L4) Load Balancers per VPC","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch
compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/internal_lb_forwarding_rules_per_vpc_network/usage\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.max()\n ; metric\n compute.googleapis.com/quota/internal_lb_forwarding_rules_per_vpc_network/limit\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.min() }\n| ratio\n| value cast_units(val()*100, \"%\")","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6},{"height":4,"widget":{"title":"Internal
application (L7) Load Balancers per VPC","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"breakdowns":[],"dimensions":[],"measures":[],"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch
compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/internal_managed_forwarding_rules_per_vpc_network/usage\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.max()\n ; metric\n compute.googleapis.com/quota/internal_managed_forwarding_rules_per_vpc_network/limit\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.min() }\n| ratio\n| value cast_units(val()*100, \"%\")","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"yPos":4},{"height":4,"widget":{"title":"Internal
application (L7) Load Balancers per VPC Peering Group","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"breakdowns":[],"dimensions":[],"measures":[],"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch
compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/internal_managed_forwarding_rules_per_peering_group/usage\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.max()\n ; metric\n compute.googleapis.com/quota/internal_managed_forwarding_rules_per_peering_group/limit\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.min() }\n| ratio\n| value cast_units(val()*100, \"%\")","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"xPos":6,"yPos":4},{"height":4,"widget":{"title":"Instances
per VPC","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch
compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/instances_per_vpc_network/usage\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.max()\n ; metric\n compute.googleapis.com/quota/instances_per_vpc_network/limit\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.min() }\n| ratio\n| value cast_units(val()*100, \"%\") ","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"yPos":8},{"height":4,"widget":{"title":"Instances
per VPC Peering Group","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch
compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/instances_per_peering_group/usage\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.max()\n ; metric\n compute.googleapis.com/quota/instances_per_peering_group/limit\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.min() }\n| ratio\n| value cast_units(val()*100, \"%\")","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"xPos":6,"yPos":8},{"height":4,"widget":{"title":"Subnet
ranges per VPC","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch
compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/subnet_ranges_per_vpc_network/usage\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.max()\n ; metric\n compute.googleapis.com/quota/subnet_ranges_per_vpc_network/limit\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.min() }\n| ratio\n| value cast_units(val()*100, \"%\")","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"yPos":12},{"height":4,"widget":{"title":"Subnet
ranges per VPC Peering Group","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch
compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/subnet_ranges_per_peering_group/usage\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.max()\n ; metric\n compute.googleapis.com/quota/subnet_ranges_per_peering_group/limit\n |
align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name],
.min() }\n| ratio\n| value cast_units(val()*100, \"%\") ","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"xPos":6,"yPos":12}]}}'
project: fast2-prod-net-landing-0
timeouts: null
google_monitoring_dashboard.dashboard["vpn.json"]:
dashboard_json: '{"displayName":"VPN Monitoring","mosaicLayout":{"columns":12,"tiles":[{"height":4,"widget":{"title":"Number
of connections","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_MEAN"},"filter":"metric.type=\"vpn.googleapis.com/gateway/connections\"
resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":4},{"height":4,"widget":{"title":"Tunnel
established","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_MEAN"},"filter":"metric.type=\"vpn.googleapis.com/tunnel_established\"
resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":4,"xPos":4},{"height":4,"widget":{"title":"VPN
Tunnel Bandwidth usage","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch
vpn_gateway| { metric vpn.googleapis.com/network/sent_bytes_count; metric vpn.googleapis.com/network/received_bytes_count
}| align rate (1m)| group_by [metric.tunnel_name]| outer_join 0,0| value val(0)
+ val(1)| condition val() \u003e 187.5 \"MBy/s\""}}],"thresholds":[{"targetAxis":"Y1","value":187500000}],"timeshiftDuration":"0s","yAxis":{"scale":"LINEAR"}}},"width":4,"xPos":8},{"height":4,"widget":{"title":"Cloud
VPN Gateway - Received bytes","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"vpn.googleapis.com/network/received_bytes_count\"
resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"By"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":6,"yPos":4},{"height":4,"widget":{"title":"Cloud
VPN Gateway - Sent bytes","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"vpn.googleapis.com/network/sent_bytes_count\"
resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"By"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":6,"xPos":6,"yPos":4},{"height":4,"widget":{"title":"Cloud
VPN Gateway - Received packets","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"vpn.googleapis.com/network/received_packets_count\"
resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"{packets}"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":6,"yPos":8},{"height":4,"widget":{"title":"Cloud
VPN Gateway - Sent packets","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"vpn.googleapis.com/network/sent_packets_count\"
resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"{packets}"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":6,"xPos":6,"yPos":8},{"height":4,"widget":{"title":"Incoming
packets dropped","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"vpn.googleapis.com/network/dropped_received_packets_count\"
resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":6,"xPos":6,"yPos":12},{"height":4,"widget":{"title":"Outgoing
packets dropped","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"vpn.googleapis.com/network/dropped_sent_packets_count\"
resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":6,"yPos":12}]}}'
project: fast2-prod-net-landing-0
timeouts: null
google_network_connectivity_hub.hub_landing:
description: Prod hub landing (trusted)
labels: null
name: prod-hub-landing
project: fast2-prod-net-landing-0
timeouts: null
google_network_connectivity_hub.hub_dmz:
description: Prod hub DMZ (untrusted)
labels: null
name: prod-hub-dmz
project: fast2-prod-net-landing-0
timeouts: null
google_storage_bucket_object.tfvars:
bucket: test
cache_control: null
content_disposition: null
content_encoding: null
content_language: null
customer_encryption: []
detect_md5hash: different hash
event_based_hold: null
metadata: null
name: tfvars/2-networking.auto.tfvars.json
retention: []
source: null
temporary_hold: null
timeouts: null
module.dev-dns-peer-landing-rev-10.google_dns_managed_zone.dns_managed_zone[0]:
cloud_logging_config:
- enable_logging: false
description: Terraform managed.
dns_name: 10.in-addr.arpa.
dnssec_config: []
force_destroy: false
forwarding_config: []
labels: null
name: dev-reverse-10-dns-peering
project: fast2-dev-net-spoke-0
reverse_lookup: false
service_directory_config: []
timeouts: null
visibility: private
module.dev-dns-peer-landing-root.google_dns_managed_zone.dns_managed_zone[0]:
cloud_logging_config:
- enable_logging: false
description: Terraform managed.
dns_name: .
dnssec_config: []
force_destroy: false
forwarding_config: []
labels: null
name: dev-root-dns-peering
project: fast2-dev-net-spoke-0
reverse_lookup: false
service_directory_config: []
timeouts: null
visibility: private
module.dev-dns-private-zone.google_dns_managed_zone.dns_managed_zone[0]:
cloud_logging_config:
- enable_logging: false
description: Terraform managed.
dns_name: dev.gcp.example.com.
dnssec_config: []
force_destroy: false
forwarding_config: []
labels: null
name: dev-gcp-example-com
peering_config: []
project: fast2-dev-net-spoke-0
service_directory_config: []
timeouts: null
visibility: private
module.dev-dns-private-zone.google_dns_record_set.dns_record_set["A localhost"]:
managed_zone: dev-gcp-example-com
name: localhost.dev.gcp.example.com.
project: fast2-dev-net-spoke-0
routing_policy: []
rrdatas:
- 127.0.0.1
ttl: 300
type: A
module.dev-spoke-firewall.google_compute_firewall.custom-rules["ingress-allow-composer-nodes"]:
allow:
- ports:
- '80'
- '443'
- '3306'
- '3307'
protocol: tcp
deny: []
description: Allow traffic to Composer nodes.
direction: INGRESS
disabled: false
log_config: []
name: ingress-allow-composer-nodes
priority: 1000
project: fast2-dev-net-spoke-0
source_ranges: null
source_service_accounts: null
source_tags:
- composer-worker
target_service_accounts: null
target_tags:
- composer-worker
timeouts: null
module.dev-spoke-firewall.google_compute_firewall.custom-rules["ingress-allow-dataflow-load"]:
allow:
- ports:
- '12345'
- '12346'
protocol: tcp
deny: []
description: Allow traffic to Dataflow nodes.
direction: INGRESS
disabled: false
log_config: []
name: ingress-allow-dataflow-load
priority: 1000
project: fast2-dev-net-spoke-0
source_ranges: null
source_service_accounts: null
source_tags:
- dataflow
target_service_accounts: null
target_tags:
- dataflow
timeouts: null
module.dev-spoke-firewall.google_compute_firewall.custom-rules["ingress-default-deny"]:
allow: []
deny:
- ports: []
protocol: all
description: Deny and log any unmatched ingress traffic.
direction: INGRESS
disabled: false
log_config:
- metadata: EXCLUDE_ALL_METADATA
name: ingress-default-deny
priority: 65535
project: fast2-dev-net-spoke-0
source_ranges:
- 0.0.0.0/0
source_service_accounts: null
source_tags: null
target_service_accounts: null
target_tags: null
timeouts: null
module.dev-spoke-project.google_compute_shared_vpc_host_project.shared_vpc_host[0]:
project: fast2-dev-net-spoke-0
timeouts: null
module.dev-spoke-project.google_monitoring_monitored_project.primary["fast2-prod-net-landing-0"]:
metrics_scope: fast2-prod-net-landing-0
name: fast2-dev-net-spoke-0
timeouts: null
module.dev-spoke-project.google_project.project[0]:
auto_create_network: false
billing_account: 000000-111111-222222
folder_id: null
labels: null
name: fast2-dev-net-spoke-0
org_id: null
project_id: fast2-dev-net-spoke-0
skip_delete: false
timeouts: null
module.dev-spoke-project.google_project_iam_binding.authoritative["roles/dns.admin"]:
condition: []
members:
- serviceAccount:string
project: fast2-dev-net-spoke-0
role: roles/dns.admin
module.dev-spoke-project.google_project_iam_binding.bindings["sa_delegated_grants"]:
condition:
- description: Development host project delegated grants.
expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/composer.sharedVpcAgent','roles/compute.networkUser','roles/compute.networkViewer','roles/container.hostServiceAgentUser','roles/multiclusterservicediscovery.serviceAgent','roles/vpcaccess.user'])
title: dev_stage3_sa_delegated_grants
members:
- serviceAccount:string
project: fast2-dev-net-spoke-0
role: roles/resourcemanager.projectIamAdmin
module.dev-spoke-project.google_project_iam_member.servicenetworking[0]:
condition: []
project: fast2-dev-net-spoke-0
role: roles/servicenetworking.serviceAgent
module.dev-spoke-project.google_project_service.project_services["compute.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: fast2-dev-net-spoke-0
service: compute.googleapis.com
timeouts: null
module.dev-spoke-project.google_project_service.project_services["dns.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: fast2-dev-net-spoke-0
service: dns.googleapis.com
timeouts: null
module.dev-spoke-project.google_project_service.project_services["iap.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: fast2-dev-net-spoke-0
service: iap.googleapis.com
timeouts: null
module.dev-spoke-project.google_project_service.project_services["networkmanagement.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: fast2-dev-net-spoke-0
service: networkmanagement.googleapis.com
timeouts: null
module.dev-spoke-project.google_project_service.project_services["servicenetworking.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: fast2-dev-net-spoke-0
service: servicenetworking.googleapis.com
timeouts: null
module.dev-spoke-project.google_project_service.project_services["stackdriver.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: fast2-dev-net-spoke-0
service: stackdriver.googleapis.com
timeouts: null
module.dev-spoke-project.google_project_service.project_services["vpcaccess.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: fast2-dev-net-spoke-0
service: vpcaccess.googleapis.com
timeouts: null
module.dev-spoke-project.google_project_service_identity.jit_si["iap.googleapis.com"]:
project: fast2-dev-net-spoke-0
service: iap.googleapis.com
timeouts: null
module.dev-spoke-project.google_project_service_identity.servicenetworking[0]:
project: fast2-dev-net-spoke-0
service: servicenetworking.googleapis.com
timeouts: null
module.dev-spoke-vpc.google_compute_network.network[0]:
auto_create_subnetworks: false
delete_default_routes_on_create: true
description: Terraform-managed.
enable_ula_internal_ipv6: null
mtu: 1500
name: dev-spoke-0
network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
project: fast2-dev-net-spoke-0
routing_mode: GLOBAL
timeouts: null
module.dev-spoke-vpc.google_compute_route.gateway["private-googleapis"]:
description: Terraform-managed.
dest_range: 199.36.153.8/30
name: dev-spoke-0-private-googleapis
next_hop_gateway: default-internet-gateway
next_hop_ilb: null
next_hop_instance: null
next_hop_vpn_tunnel: null
priority: 1000
project: fast2-dev-net-spoke-0
tags: null
timeouts: null
module.dev-spoke-vpc.google_compute_route.gateway["restricted-googleapis"]:
description: Terraform-managed.
dest_range: 199.36.153.4/30
name: dev-spoke-0-restricted-googleapis
next_hop_gateway: default-internet-gateway
next_hop_ilb: null
next_hop_instance: null
next_hop_vpn_tunnel: null
priority: 1000
project: fast2-dev-net-spoke-0
tags: null
timeouts: null
module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/dev-dataplatform"]:
description: Default subnet for dev Data Platform
ip_cidr_range: 10.68.2.0/24
ipv6_access_type: null
log_config: []
name: dev-dataplatform
private_ip_google_access: true
project: fast2-dev-net-spoke-0
region: europe-west1
role: null
secondary_ip_range:
- ip_cidr_range: 100.69.0.0/16
range_name: pods
- ip_cidr_range: 100.71.2.0/24
range_name: services
timeouts: null
module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/dev-default"]:
description: Default europe-west1 subnet for dev
ip_cidr_range: 10.68.0.0/24
ipv6_access_type: null
log_config: []
name: dev-default
private_ip_google_access: true
project: fast2-dev-net-spoke-0
region: europe-west1
role: null
secondary_ip_range: []
timeouts: null
module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/dev-gke-nodes"]:
description: Default subnet for prod gke nodes
ip_cidr_range: 10.68.1.0/24
ipv6_access_type: null
log_config: []
name: dev-gke-nodes
private_ip_google_access: true
project: fast2-dev-net-spoke-0
region: europe-west1
role: null
secondary_ip_range:
- ip_cidr_range: 100.68.0.0/16
range_name: pods
- ip_cidr_range: 100.71.1.0/24
range_name: services
timeouts: null
module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west4/dev-default"]:
description: Default europe-west4 subnet for dev
ip_cidr_range: 10.84.0.0/24
ipv6_access_type: null
log_config: []
name: dev-default
private_ip_google_access: true
project: fast2-dev-net-spoke-0
region: europe-west4
role: null
secondary_ip_range: []
timeouts: null
module.dev-spoke-vpc.google_dns_policy.default[0]:
alternative_name_server_config: []
description: Managed by Terraform
enable_inbound_forwarding: null
enable_logging: true
name: dev-spoke-0
networks:
- {}
project: fast2-dev-net-spoke-0
timeouts: null
module.firewall-policy-default.google_compute_firewall_policy.hierarchical[0]:
description: null
short_name: net-default
timeouts: null
module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-healthchecks"]:
action: allow
description: Enable HTTP and HTTPS healthchecks
direction: INGRESS
disabled: false
enable_logging: null
match:
- dest_address_groups: null
dest_fqdns: null
dest_ip_ranges: null
dest_region_codes: null
dest_threat_intelligences: null
layer4_configs:
- ip_protocol: tcp
ports:
- '80'
- '443'
src_address_groups: null
src_fqdns: null
src_ip_ranges:
- 35.191.0.0/16
- 130.211.0.0/22
- 209.85.152.0/22
- 209.85.204.0/22
src_region_codes: null
src_threat_intelligences: null
priority: 1001
target_resources: null
target_service_accounts: null
timeouts: null
module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-icmp"]:
action: allow
description: Enable ICMP
direction: INGRESS
disabled: false
enable_logging: null
match:
- dest_address_groups: null
dest_fqdns: null
dest_ip_ranges: null
dest_region_codes: null
dest_threat_intelligences: null
layer4_configs:
- ip_protocol: icmp
ports: []
src_address_groups: null
src_fqdns: null
src_ip_ranges:
- 0.0.0.0/0
src_region_codes: null
src_threat_intelligences: null
priority: 1003
target_resources: null
target_service_accounts: null
timeouts: null
module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-nat-ranges"]:
action: allow
description: Enable NAT ranges for VPC serverless connector
direction: INGRESS
disabled: false
enable_logging: null
match:
- dest_address_groups: null
dest_fqdns: null
dest_ip_ranges: null
dest_region_codes: null
dest_threat_intelligences: null
layer4_configs:
- ip_protocol: all
ports: null
src_address_groups: null
src_fqdns: null
src_ip_ranges:
- 107.178.230.64/26
- 35.199.224.0/19
src_region_codes: null
src_threat_intelligences: null
priority: 1004
target_resources: null
target_service_accounts: null
timeouts: null
module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-ssh-from-iap"]:
action: allow
description: Enable SSH from IAP
direction: INGRESS
disabled: false
enable_logging: true
match:
- dest_address_groups: null
dest_fqdns: null
dest_ip_ranges: null
dest_region_codes: null
dest_threat_intelligences: null
layer4_configs:
- ip_protocol: tcp
ports:
- '22'
src_address_groups: null
src_fqdns: null
src_ip_ranges:
- 35.235.240.0/20
src_region_codes: null
src_threat_intelligences: null
priority: 1002
target_resources: null
target_service_accounts: null
timeouts: null
module.folder.google_compute_firewall_policy_association.default[0]:
name: default
timeouts: null
module.folder.google_essential_contacts_contact.contact["gcp-network-admins@fast.example.com"]:
email: gcp-network-admins@fast.example.com
language_tag: en
notification_category_subscriptions:
- ALL
timeouts: null
module.folder.google_folder.folder[0]:
display_name: Networking
parent: organizations/123456789012
timeouts: null
module.landing-dns-fwd-onprem-example[0].google_dns_managed_zone.dns_managed_zone[0]:
cloud_logging_config:
- enable_logging: false
description: Terraform managed.
dns_name: onprem.example.com.
dnssec_config: []
force_destroy: false
forwarding_config:
- target_name_servers:
- forwarding_path: ''
ipv4_address: 10.10.10.10
labels: null
name: example-com
peering_config: []
project: fast2-prod-net-landing-0
reverse_lookup: false
service_directory_config: []
timeouts: null
visibility: private
module.landing-dns-fwd-onprem-rev-10[0].google_dns_managed_zone.dns_managed_zone[0]:
cloud_logging_config:
- enable_logging: false
description: Terraform managed.
dns_name: 10.in-addr.arpa.
dnssec_config: []
force_destroy: false
forwarding_config:
- target_name_servers:
- forwarding_path: ''
ipv4_address: 10.10.10.10
labels: null
name: root-reverse-10
peering_config: []
project: fast2-prod-net-landing-0
reverse_lookup: false
service_directory_config: []
timeouts: null
visibility: private
module.landing-dns-policy-googleapis.google_dns_response_policy.default[0]:
description: Managed by Terraform
gke_clusters: []
networks:
- {}
- {}
project: fast2-prod-net-landing-0
response_policy_name: googleapis
timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["accounts"]:
behavior: null
dns_name: accounts.google.com.
local_data:
- local_datas:
- name: accounts.google.com.
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: accounts
timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-cloud"]:
behavior: null
dns_name: backupdr.cloud.google.com.
local_data:
- local_datas:
- name: backupdr.cloud.google.com.
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: backupdr-cloud
timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-cloud-all"]:
behavior: null
dns_name: '*.backupdr.cloud.google.com.'
local_data:
- local_datas:
- name: '*.backupdr.cloud.google.com.'
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: backupdr-cloud-all
timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-gu"]:
behavior: null
dns_name: backupdr.googleusercontent.google.com.
local_data:
- local_datas:
- name: backupdr.googleusercontent.google.com.
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: backupdr-gu
timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-gu-all"]:
behavior: null
dns_name: '*.backupdr.googleusercontent.google.com.'
local_data:
- local_datas:
- name: '*.backupdr.googleusercontent.google.com.'
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: backupdr-gu-all
timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["cloudfunctions"]:
behavior: null
dns_name: '*.cloudfunctions.net.'
local_data:
- local_datas:
- name: '*.cloudfunctions.net.'
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: cloudfunctions
timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["cloudproxy"]:
behavior: null
dns_name: '*.cloudproxy.app.'
local_data:
- local_datas:
- name: '*.cloudproxy.app.'
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: cloudproxy
timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["composer-cloud-all"]:
behavior: null
dns_name: '*.composer.cloud.google.com.'
local_data:
- local_datas:
- name: '*.composer.cloud.google.com.'
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: composer-cloud-all
timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["composer-gu-all"]:
behavior: null
dns_name: '*.composer.googleusercontent.com.'
local_data:
- local_datas:
- name: '*.composer.googleusercontent.com.'
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: composer-gu-all
timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["datafusion-all"]:
behavior: null
dns_name: '*.datafusion.cloud.google.com.'
local_data:
- local_datas:
- name: '*.datafusion.cloud.google.com.'
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: datafusion-all
timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["datafusion-gu-all"]:
behavior: null
dns_name: '*.datafusion.googleusercontent.com.'
local_data:
- local_datas:
- name: '*.datafusion.googleusercontent.com.'
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: datafusion-gu-all
timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc"]:
behavior: null
dns_name: dataproc.cloud.google.com.
local_data:
- local_datas:
- name: dataproc.cloud.google.com.
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: dataproc
timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc-all"]:
behavior: null
dns_name: '*.dataproc.cloud.google.com.'
local_data:
- local_datas:
- name: '*.dataproc.cloud.google.com.'
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: dataproc-all
timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc-gu"]:
behavior: null
dns_name: dataproc.googleusercontent.com.
local_data:
- local_datas:
- name: dataproc.googleusercontent.com.
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: dataproc-gu
timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc-gu-all"]:
behavior: null
dns_name: '*.dataproc.googleusercontent.com.'
local_data:
- local_datas:
- name: '*.dataproc.googleusercontent.com.'
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: dataproc-gu-all
timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dl"]:
behavior: null
dns_name: dl.google.com.
local_data:
- local_datas:
- name: dl.google.com.
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: dl
timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["gcr"]:
behavior: null
dns_name: gcr.io.
local_data:
- local_datas:
- name: gcr.io.
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: gcr
timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["gcr-all"]:
behavior: null
dns_name: '*.gcr.io.'
local_data:
- local_datas:
- name: '*.gcr.io.'
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: gcr-all
timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["googleapis-all"]:
behavior: null
dns_name: '*.googleapis.com.'
local_data:
- local_datas:
- name: '*.googleapis.com.'
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: googleapis-all
timeouts: null
# Terminal A record of the "googleapis" response policy: every CNAME rule in
# this policy resolves to private.googleapis.com., and this rule pins that name
# to the four 199.36.153.8/30 addresses. The landing VPC reaches them via the
# explicit "private-googleapis" route (dest_range 199.36.153.8/30) rather than
# a default internet route.
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["googleapis-private"]:
  behavior: null
  dns_name: private.googleapis.com.
  local_data:
  - local_datas:
    - name: private.googleapis.com.
      rrdatas:
      - 199.36.153.8
      - 199.36.153.9
      - 199.36.153.10
      - 199.36.153.11
      ttl: null
      type: A
  project: fast2-prod-net-landing-0
  response_policy: googleapis
  rule_name: googleapis-private
  timeouts: null
# A record pinning restricted.googleapis.com. to 199.36.153.4/30. No CNAME rule
# in this policy points here (they all target private.googleapis.com.), so this
# entry only serves clients that query the restricted name directly; the
# matching "restricted-googleapis" route and the Cloud Router advertisement of
# 199.36.153.4/30 (description gcp-restricted) make that range reachable.
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["googleapis-restricted"]:
  behavior: null
  dns_name: restricted.googleapis.com.
  local_data:
  - local_datas:
    - name: restricted.googleapis.com.
      rrdatas:
      - 199.36.153.4
      - 199.36.153.5
      - 199.36.153.6
      - 199.36.153.7
      ttl: null
      type: A
  project: fast2-prod-net-landing-0
  response_policy: googleapis
  rule_name: googleapis-restricted
  timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["gstatic-all"]:
behavior: null
dns_name: '*.gstatic.com.'
local_data:
- local_datas:
- name: '*.gstatic.com.'
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: gstatic-all
timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["kernels-gu"]:
behavior: null
dns_name: kernels.googleusercontent.com.
local_data:
- local_datas:
- name: kernels.googleusercontent.com.
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: kernels-gu
timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["kernels-gu-all"]:
behavior: null
dns_name: '*.kernels.googleusercontent.com.'
local_data:
- local_datas:
- name: '*.kernels.googleusercontent.com.'
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: kernels-gu-all
timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["notebooks-all"]:
behavior: null
dns_name: '*.notebooks.cloud.google.com.'
local_data:
- local_datas:
- name: '*.notebooks.cloud.google.com.'
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: notebooks-all
timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["notebooks-gu-all"]:
behavior: null
dns_name: '*.notebooks.googleusercontent.com.'
local_data:
- local_datas:
- name: '*.notebooks.googleusercontent.com.'
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: notebooks-gu-all
timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["packages-cloud"]:
behavior: null
dns_name: packages.cloud.google.com.
local_data:
- local_datas:
- name: packages.cloud.google.com.
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: packages-cloud
timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["packages-cloud-all"]:
behavior: null
dns_name: '*.packages.cloud.google.com.'
local_data:
- local_datas:
- name: '*.packages.cloud.google.com.'
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: packages-cloud-all
timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkgdev"]:
behavior: null
dns_name: pkg.dev.
local_data:
- local_datas:
- name: pkg.dev.
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: pkgdev
timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkgdev-all"]:
behavior: null
dns_name: '*.pkg.dev.'
local_data:
- local_datas:
- name: '*.pkg.dev.'
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: pkgdev-all
timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkigoog"]:
behavior: null
dns_name: pki.goog.
local_data:
- local_datas:
- name: pki.goog.
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: pkigoog
timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkigoog-all"]:
behavior: null
dns_name: '*.pki.goog.'
local_data:
- local_datas:
- name: '*.pki.goog.'
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: pkigoog-all
timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["run-all"]:
behavior: null
dns_name: '*.run.app.'
local_data:
- local_datas:
- name: '*.run.app.'
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: run-all
timeouts: null
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["source"]:
behavior: null
dns_name: source.developers.google.com.
local_data:
- local_datas:
- name: source.developers.google.com.
rrdatas:
- private.googleapis.com.
ttl: null
type: CNAME
project: fast2-prod-net-landing-0
response_policy: googleapis
rule_name: source
timeouts: null
module.landing-dns-priv-gcp.google_dns_managed_zone.dns_managed_zone[0]:
cloud_logging_config:
- enable_logging: false
description: Terraform managed.
dns_name: gcp.example.com.
dnssec_config: []
force_destroy: false
forwarding_config: []
labels: null
name: gcp-example-com
peering_config: []
project: fast2-prod-net-landing-0
service_directory_config: []
timeouts: null
visibility: private
module.landing-dns-priv-gcp.google_dns_record_set.dns_record_set["A localhost"]:
managed_zone: gcp-example-com
name: localhost.gcp.example.com.
project: fast2-prod-net-landing-0
routing_policy: []
rrdatas:
- 127.0.0.1
ttl: 300
type: A
module.landing-nat-primary[0].google_compute_router.router[0]:
bgp: []
description: null
encrypted_interconnect_router: null
name: prod-nat-ew1
project: fast2-prod-net-landing-0
region: europe-west1
timeouts: null
# Cloud NAT on the europe-west1 landing router: all subnets and all IP ranges
# egress through auto-allocated NAT IPs (AUTO_ONLY, ALL_SUBNETWORKS_ALL_IP_RANGES).
# NOTE(review): log_config.enable is false, so translation and error events are
# not exported — confirm this is intended for the prod landing VPC; NAT logs are
# the usual evidence source when investigating egress from these subnets.
module.landing-nat-primary[0].google_compute_router_nat.nat:
  drain_nat_ips: null
  enable_dynamic_port_allocation: false
  enable_endpoint_independent_mapping: true
  icmp_idle_timeout_sec: 30
  log_config:
  - enable: false
    filter: ALL
  max_ports_per_vm: 65536
  min_ports_per_vm: 64
  name: ew1
  nat_ip_allocate_option: AUTO_ONLY
  nat_ips: null
  project: fast2-prod-net-landing-0
  region: europe-west1
  router: prod-nat-ew1
  rules: []
  source_subnetwork_ip_ranges_to_nat: ALL_SUBNETWORKS_ALL_IP_RANGES
  subnetwork: []
  tcp_established_idle_timeout_sec: 1200
  tcp_time_wait_timeout_sec: 120
  tcp_transitory_idle_timeout_sec: 30
  timeouts: null
  udp_idle_timeout_sec: 30
module.landing-nat-secondary[0].google_compute_router.router[0]:
bgp: []
description: null
encrypted_interconnect_router: null
name: prod-nat-ew4
project: fast2-prod-net-landing-0
region: europe-west4
timeouts: null
# Cloud NAT on the europe-west4 landing router; same settings as the
# europe-west1 NAT (auto-allocated IPs, all subnets and ranges).
# NOTE(review): log_config.enable is false here as well, so neither region's
# NAT exports translation/error logs — confirm this is deliberate for prod.
module.landing-nat-secondary[0].google_compute_router_nat.nat:
  drain_nat_ips: null
  enable_dynamic_port_allocation: false
  enable_endpoint_independent_mapping: true
  icmp_idle_timeout_sec: 30
  log_config:
  - enable: false
    filter: ALL
  max_ports_per_vm: 65536
  min_ports_per_vm: 64
  name: ew4
  nat_ip_allocate_option: AUTO_ONLY
  nat_ips: null
  project: fast2-prod-net-landing-0
  region: europe-west4
  router: prod-nat-ew4
  rules: []
  source_subnetwork_ip_ranges_to_nat: ALL_SUBNETWORKS_ALL_IP_RANGES
  subnetwork: []
  tcp_established_idle_timeout_sec: 1200
  tcp_time_wait_timeout_sec: 120
  tcp_transitory_idle_timeout_sec: 30
  timeouts: null
  udp_idle_timeout_sec: 30
module.landing-project.google_compute_shared_vpc_host_project.shared_vpc_host[0]:
project: fast2-prod-net-landing-0
timeouts: null
module.landing-project.google_project.project[0]:
auto_create_network: false
billing_account: 000000-111111-222222
folder_id: null
labels: null
name: fast2-prod-net-landing-0
org_id: null
project_id: fast2-prod-net-landing-0
skip_delete: false
timeouts: null
# Authoritative binding for the custom org role: google_project_iam_binding
# replaces the role's whole member list, so any member granted out of band for
# this role is removed on apply. "serviceAccount:string" appears to be the
# placeholder principal used by this test fixture rather than a real identity.
module.landing-project.google_project_iam_binding.authoritative["organizations/123456789012/roles/foo"]:
  condition: []
  members:
  - serviceAccount:string
  project: fast2-prod-net-landing-0
  role: organizations/123456789012/roles/foo
# Authoritative binding for roles/dns.admin on the landing project: the member
# list below is the complete set of principals holding the role after apply.
# roles/dns.admin can rewrite the forwarding zones and the "googleapis"
# response policy defined in this file, so keep this list tightly scoped.
# "serviceAccount:string" appears to be the fixture's placeholder principal.
module.landing-project.google_project_iam_binding.authoritative["roles/dns.admin"]:
  condition: []
  members:
  - serviceAccount:string
  project: fast2-prod-net-landing-0
  role: roles/dns.admin
module.landing-project.google_project_service.project_services["compute.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: fast2-prod-net-landing-0
service: compute.googleapis.com
timeouts: null
module.landing-project.google_project_service.project_services["dns.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: fast2-prod-net-landing-0
service: dns.googleapis.com
timeouts: null
module.landing-project.google_project_service.project_services["iap.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: fast2-prod-net-landing-0
service: iap.googleapis.com
timeouts: null
module.landing-project.google_project_service.project_services["networkconnectivity.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: fast2-prod-net-landing-0
service: networkconnectivity.googleapis.com
timeouts: null
module.landing-project.google_project_service.project_services["networkmanagement.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: fast2-prod-net-landing-0
service: networkmanagement.googleapis.com
timeouts: null
module.landing-project.google_project_service.project_services["stackdriver.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: fast2-prod-net-landing-0
service: stackdriver.googleapis.com
timeouts: null
module.landing-project.google_project_service_identity.jit_si["iap.googleapis.com"]:
project: fast2-prod-net-landing-0
service: iap.googleapis.com
timeouts: null
module.landing-to-onprem-primary-vpn[0].google_compute_external_vpn_gateway.external_gateway["default"]:
description: Terraform managed external VPN gateway
interface:
- id: 0
ip_address: 8.8.8.8
labels: null
name: vpn-to-onprem-ew1-default
project: fast2-prod-net-landing-0
redundancy_type: SINGLE_IP_INTERNALLY_REDUNDANT
timeouts: null
module.landing-to-onprem-primary-vpn[0].google_compute_ha_vpn_gateway.ha_gateway[0]:
description: Terraform managed external VPN gateway
name: vpn-to-onprem-ew1
project: fast2-prod-net-landing-0
region: europe-west1
stack_type: IPV4_ONLY
timeouts: null
module.landing-to-onprem-primary-vpn[0].google_compute_router.router[0]:
bgp:
- advertise_mode: CUSTOM
advertised_groups: []
advertised_ip_ranges:
- description: gcp
range: 10.1.0.0/16
- description: gcp-restricted
range: 199.36.153.4/30
- description: gcp-dns
range: 35.199.192.0/19
asn: 65501
keepalive_interval: 20
description: null
encrypted_interconnect_router: null
name: vpn-vpn-to-onprem-ew1
project: fast2-prod-net-landing-0
region: europe-west1
timeouts: null
module.landing-to-onprem-primary-vpn[0].google_compute_router_interface.router_interface["0"]:
interconnect_attachment: null
ip_range: 169.254.1.2/30
name: vpn-to-onprem-ew1-0
private_ip_address: null
project: fast2-prod-net-landing-0
region: europe-west1
router: vpn-vpn-to-onprem-ew1
subnetwork: null
timeouts: null
vpn_tunnel: vpn-to-onprem-ew1-0
module.landing-to-onprem-primary-vpn[0].google_compute_router_interface.router_interface["1"]:
interconnect_attachment: null
ip_range: 169.254.2.2/30
name: vpn-to-onprem-ew1-1
private_ip_address: null
project: fast2-prod-net-landing-0
region: europe-west1
router: vpn-vpn-to-onprem-ew1
subnetwork: null
timeouts: null
vpn_tunnel: vpn-to-onprem-ew1-1
# BGP session 0 of the europe-west1 on-prem VPN, carried on interface
# vpn-to-onprem-ew1-0, which router_interface["0"] binds to tunnel
# vpn-to-onprem-ew1-0 (link 169.254.1.2/30, peer 169.254.1.1).
# md5_authentication_key is empty, so the session itself is unauthenticated and
# relies on the IPsec tunnel for peer authentication and integrity.
# NOTE(review): peer_asn is 65500 here but 64513 on bgp_peer["1"] of the same
# router — confirm two distinct on-prem ASNs are intended.
module.landing-to-onprem-primary-vpn[0].google_compute_router_peer.bgp_peer["0"]:
  advertise_mode: DEFAULT
  advertised_groups: []
  advertised_ip_ranges: []
  advertised_route_priority: 1000
  enable: true
  enable_ipv6: false
  interface: vpn-to-onprem-ew1-0
  md5_authentication_key: []
  name: vpn-to-onprem-ew1-0
  peer_asn: 65500
  peer_ip_address: 169.254.1.1
  project: fast2-prod-net-landing-0
  region: europe-west1
  router: vpn-vpn-to-onprem-ew1
  router_appliance_instance: null
  timeouts: null
# BGP session 1 of the europe-west1 on-prem VPN, on interface
# vpn-to-onprem-ew1-1 (link 169.254.2.2/30, peer 169.254.2.1, bound to tunnel
# vpn-to-onprem-ew1-1). No MD5 key is configured; authentication comes from
# the IPsec tunnel.
# NOTE(review): peer_asn 64513 differs from the 65500 used by bgp_peer["0"] on
# the same router — confirm this asymmetry is intentional.
module.landing-to-onprem-primary-vpn[0].google_compute_router_peer.bgp_peer["1"]:
  advertise_mode: DEFAULT
  advertised_groups: []
  advertised_ip_ranges: []
  advertised_route_priority: 1000
  enable: true
  enable_ipv6: false
  interface: vpn-to-onprem-ew1-1
  md5_authentication_key: []
  name: vpn-to-onprem-ew1-1
  peer_asn: 64513
  peer_ip_address: 169.254.2.1
  project: fast2-prod-net-landing-0
  region: europe-west1
  router: vpn-vpn-to-onprem-ew1
  router_appliance_instance: null
  timeouts: null
# IKEv2 tunnel 0 of the europe-west1 HA VPN gateway (gateway interface 0).
# shared_secret is the literal "foo": a placeholder PSK for this test fixture.
# The same module also plans random_id.secret (byte_length 8), so a generated
# secret is available when no PSK is supplied.
# NOTE(review): the plan inventory records the PSK in plaintext — keep real
# secrets out of committed tfvars and fixtures.
module.landing-to-onprem-primary-vpn[0].google_compute_vpn_tunnel.tunnels["0"]:
  description: null
  ike_version: 2
  labels: null
  name: vpn-to-onprem-ew1-0
  peer_external_gateway_interface: null
  peer_gcp_gateway: null
  project: fast2-prod-net-landing-0
  region: europe-west1
  router: vpn-vpn-to-onprem-ew1
  shared_secret: foo
  target_vpn_gateway: null
  timeouts: null
  vpn_gateway_interface: 0
# IKEv2 tunnel 1 of the europe-west1 HA VPN gateway (gateway interface 1).
# Uses the same placeholder PSK ("foo") as tunnel 0; both tunnels of a
# gateway sharing one PSK is fine for a fixture, but real deployments should
# use a distinct, generated secret per tunnel.
module.landing-to-onprem-primary-vpn[0].google_compute_vpn_tunnel.tunnels["1"]:
  description: null
  ike_version: 2
  labels: null
  name: vpn-to-onprem-ew1-1
  peer_external_gateway_interface: null
  peer_gcp_gateway: null
  project: fast2-prod-net-landing-0
  region: europe-west1
  router: vpn-vpn-to-onprem-ew1
  shared_secret: foo
  target_vpn_gateway: null
  timeouts: null
  vpn_gateway_interface: 1
module.landing-to-onprem-primary-vpn[0].random_id.secret:
byte_length: 8
keepers: null
prefix: null
module.landing-to-onprem-secondary-vpn[0].google_compute_external_vpn_gateway.external_gateway["default"]:
description: Terraform managed external VPN gateway
interface:
- id: 0
ip_address: 8.8.4.4
labels: null
name: vpn-to-onprem-ew4-default
project: fast2-prod-net-landing-0
redundancy_type: SINGLE_IP_INTERNALLY_REDUNDANT
timeouts: null
module.landing-to-onprem-secondary-vpn[0].google_compute_ha_vpn_gateway.ha_gateway[0]:
description: Terraform managed external VPN gateway
name: vpn-to-onprem-ew4
project: fast2-prod-net-landing-0
region: europe-west4
stack_type: IPV4_ONLY
timeouts: null
module.landing-to-onprem-secondary-vpn[0].google_compute_router.router[0]:
bgp:
- advertise_mode: CUSTOM
advertised_groups: []
advertised_ip_ranges:
- description: gcp
range: 10.1.0.0/16
- description: gcp-restricted
range: 199.36.153.4/30
- description: gcp-dns
range: 35.199.192.0/19
asn: 65501
keepalive_interval: 20
description: null
encrypted_interconnect_router: null
name: vpn-vpn-to-onprem-ew4
project: fast2-prod-net-landing-0
region: europe-west4
timeouts: null
module.landing-to-onprem-secondary-vpn[0].google_compute_router_interface.router_interface["0"]:
interconnect_attachment: null
ip_range: 169.254.3.2/30
name: vpn-to-onprem-ew4-0
private_ip_address: null
project: fast2-prod-net-landing-0
region: europe-west4
router: vpn-vpn-to-onprem-ew4
subnetwork: null
timeouts: null
vpn_tunnel: vpn-to-onprem-ew4-0
module.landing-to-onprem-secondary-vpn[0].google_compute_router_interface.router_interface["1"]:
interconnect_attachment: null
ip_range: 169.254.4.2/30
name: vpn-to-onprem-ew4-1
private_ip_address: null
project: fast2-prod-net-landing-0
region: europe-west4
router: vpn-vpn-to-onprem-ew4
subnetwork: null
timeouts: null
vpn_tunnel: vpn-to-onprem-ew4-1
# BGP session 0 of the europe-west4 on-prem VPN, on interface
# vpn-to-onprem-ew4-0. No MD5 key; the IPsec tunnel provides authentication.
# NOTE(review): router_interface["0"] of this router uses ip_range
# 169.254.3.2/30, but peer_ip_address here is 169.254.1.1, which is outside
# that /30 and is the same peer address the europe-west1 VPN uses. This looks
# like copied test data — confirm against the stage's tfvars before treating
# this fixture as the reference for the secondary region.
module.landing-to-onprem-secondary-vpn[0].google_compute_router_peer.bgp_peer["0"]:
  advertise_mode: DEFAULT
  advertised_groups: []
  advertised_ip_ranges: []
  advertised_route_priority: 1000
  enable: true
  enable_ipv6: false
  interface: vpn-to-onprem-ew4-0
  md5_authentication_key: []
  name: vpn-to-onprem-ew4-0
  peer_asn: 65500
  peer_ip_address: 169.254.1.1
  project: fast2-prod-net-landing-0
  region: europe-west4
  router: vpn-vpn-to-onprem-ew4
  router_appliance_instance: null
  timeouts: null
# BGP session 1 of the europe-west4 on-prem VPN, on interface
# vpn-to-onprem-ew4-1. No MD5 key; the IPsec tunnel provides authentication.
# NOTE(review): router_interface["1"] uses ip_range 169.254.4.2/30, but
# peer_ip_address is 169.254.2.1 (outside that /30, and identical to the
# europe-west1 peer 1 address); peer_asn 64513 also differs from the 65500 on
# bgp_peer["0"]. Confirm both values against the stage's tfvars.
module.landing-to-onprem-secondary-vpn[0].google_compute_router_peer.bgp_peer["1"]:
  advertise_mode: DEFAULT
  advertised_groups: []
  advertised_ip_ranges: []
  advertised_route_priority: 1000
  enable: true
  enable_ipv6: false
  interface: vpn-to-onprem-ew4-1
  md5_authentication_key: []
  name: vpn-to-onprem-ew4-1
  peer_asn: 64513
  peer_ip_address: 169.254.2.1
  project: fast2-prod-net-landing-0
  region: europe-west4
  router: vpn-vpn-to-onprem-ew4
  router_appliance_instance: null
  timeouts: null
# IKEv2 tunnel 0 of the europe-west4 HA VPN gateway (gateway interface 0).
# shared_secret "foo" is the fixture's placeholder PSK; random_id.secret
# (byte_length 8) in the same module is the generated alternative.
module.landing-to-onprem-secondary-vpn[0].google_compute_vpn_tunnel.tunnels["0"]:
  description: null
  ike_version: 2
  labels: null
  name: vpn-to-onprem-ew4-0
  peer_external_gateway_interface: null
  peer_gcp_gateway: null
  project: fast2-prod-net-landing-0
  region: europe-west4
  router: vpn-vpn-to-onprem-ew4
  shared_secret: foo
  target_vpn_gateway: null
  timeouts: null
  vpn_gateway_interface: 0
# IKEv2 tunnel 1 of the europe-west4 HA VPN gateway (gateway interface 1),
# sharing the placeholder PSK "foo" with tunnel 0. Real deployments should use
# a distinct generated secret per tunnel and keep it out of committed files.
module.landing-to-onprem-secondary-vpn[0].google_compute_vpn_tunnel.tunnels["1"]:
  description: null
  ike_version: 2
  labels: null
  name: vpn-to-onprem-ew4-1
  peer_external_gateway_interface: null
  peer_gcp_gateway: null
  project: fast2-prod-net-landing-0
  region: europe-west4
  router: vpn-vpn-to-onprem-ew4
  shared_secret: foo
  target_vpn_gateway: null
  timeouts: null
  vpn_gateway_interface: 1
module.landing-to-onprem-secondary-vpn[0].random_id.secret:
byte_length: 8
keepers: null
prefix: null
# Ingress tcp/22 from the ranges the description attributes to Google health
# check probers, at default priority 1000 and without logging.
# NOTE(review): target_tags is null, so this rule applies to every instance in
# the landing VPC, not only the NVAs the description names; the sibling rule
# allow-ncc-nva-bgp-landing scopes itself with target_tags [nva]. Consider the
# same scoping here so port 22 is opened only on the appliances.
module.landing-firewall.google_compute_firewall.custom-rules["allow-hc-nva-ssh-landing"]:
  allow:
  - ports:
    - '22'
    protocol: tcp
  deny: []
  description: Allow traffic from Google healthchecks to NVA appliances
  direction: INGRESS
  disabled: false
  log_config: []
  name: allow-hc-nva-ssh-landing
  priority: 1000
  project: fast2-prod-net-landing-0
  source_ranges:
  - 130.211.0.0/22
  - 209.85.152.0/22
  - 209.85.204.0/22
  - 35.191.0.0/16
  source_service_accounts: null
  source_tags: null
  target_service_accounts: null
  target_tags: null
  timeouts: null
# Ingress BGP (tcp/179) to instances tagged "nva", restricted to four /32
# sources that the description identifies as the NCC Cloud Router addresses
# (two per region). This is the tight form the other NVA rules should follow:
# exact sources and an explicit target tag. Not logged.
module.landing-firewall.google_compute_firewall.custom-rules["allow-ncc-nva-bgp-landing"]:
  allow:
  - ports:
    - '179'
    protocol: tcp
  deny: []
  description: Allow BGP traffic from NCC Cloud Routers to NVAs
  direction: INGRESS
  disabled: false
  log_config: []
  name: allow-ncc-nva-bgp-landing
  priority: 1000
  project: fast2-prod-net-landing-0
  source_ranges:
  - 10.128.64.201/32
  - 10.128.64.202/32
  - 10.128.96.201/32
  - 10.128.96.202/32
  source_service_accounts: null
  source_tags: null
  target_service_accounts: null
  target_tags:
  - nva
  timeouts: null
module.landing-firewall.google_compute_firewall.custom-rules["allow-onprem-probes-landing-example"]:
allow:
- ports:
- '12345'
protocol: tcp
deny: []
description: Allow traffic from onprem probes
direction: INGRESS
disabled: false
log_config: []
name: allow-onprem-probes-landing-example
priority: 1000
project: fast2-prod-net-landing-0
source_ranges:
- 10.255.255.254/32
source_service_accounts: null
source_tags: null
target_service_accounts: null
target_tags: null
timeouts: null
# Catch-all ingress deny at the lowest priority (65535) for the landing VPC:
# any ingress not matched by a higher-priority allow is dropped and logged.
# Logging is on with EXCLUDE_ALL_METADATA, so denied connections appear in the
# firewall logs (5-tuple and rule) without instance/VPC metadata — enough for
# alerting on unexpected inbound attempts while keeping log volume down.
module.landing-firewall.google_compute_firewall.custom-rules["landing-ingress-default-deny"]:
  allow: []
  deny:
  - ports: []
    protocol: all
  description: Deny and log any unmatched ingress traffic.
  direction: INGRESS
  disabled: false
  log_config:
  - metadata: EXCLUDE_ALL_METADATA
  name: landing-ingress-default-deny
  priority: 65535
  project: fast2-prod-net-landing-0
  source_ranges:
  - 0.0.0.0/0
  source_service_accounts: null
  source_tags: null
  target_service_accounts: null
  target_tags: null
  timeouts: null
# Landing VPC (prod-landing-0), custom-mode, global routing.
# delete_default_routes_on_create is true, so the VPC starts with no 0.0.0.0/0
# route to the internet gateway; the only gateway routes it gets are the two
# explicit /30s for private/restricted Google APIs defined below. Internet
# egress for these subnets is therefore a deliberate, separately-routed choice
# (the DMZ VPC in this file keeps its default route).
module.landing-vpc.google_compute_network.network[0]:
  auto_create_subnetworks: false
  delete_default_routes_on_create: true
  description: Terraform-managed.
  enable_ula_internal_ipv6: null
  mtu: 1500
  name: prod-landing-0
  network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
  project: fast2-prod-net-landing-0
  routing_mode: GLOBAL
  timeouts: null
# Static route for the private.googleapis.com VIP range (199.36.153.8/30) via
# the default internet gateway. Together with the "googleapis" response policy
# that maps Google API names onto these four addresses, this is what keeps API
# traffic from the landing VPC on Google's network after the default route was
# removed. Untagged, so it applies to every instance in the VPC.
module.landing-vpc.google_compute_route.gateway["private-googleapis"]:
  description: Terraform-managed.
  dest_range: 199.36.153.8/30
  name: prod-landing-0-private-googleapis
  next_hop_gateway: default-internet-gateway
  next_hop_ilb: null
  next_hop_instance: null
  next_hop_vpn_tunnel: null
  priority: 1000
  project: fast2-prod-net-landing-0
  tags: null
  timeouts: null
# Static route for the restricted.googleapis.com VIP range (199.36.153.4/30)
# via the default internet gateway, matching the "googleapis-restricted" A
# record and the gcp-restricted range advertised to on-prem over BGP.
module.landing-vpc.google_compute_route.gateway["restricted-googleapis"]:
  description: Terraform-managed.
  dest_range: 199.36.153.4/30
  name: prod-landing-0-restricted-googleapis
  next_hop_gateway: default-internet-gateway
  next_hop_ilb: null
  next_hop_instance: null
  next_hop_vpn_tunnel: null
  priority: 1000
  project: fast2-prod-net-landing-0
  tags: null
  timeouts: null
module.landing-vpc.google_compute_subnetwork.subnetwork["europe-west1/landing-default"]:
description: Default europe-west1 subnet for landing
ip_cidr_range: 10.64.0.0/24
ipv6_access_type: null
log_config: []
name: landing-default
private_ip_google_access: true
project: fast2-prod-net-landing-0
region: europe-west1
role: null
secondary_ip_range: []
timeouts: null
module.landing-vpc.google_compute_subnetwork.subnetwork["europe-west4/landing-default"]:
description: Default europe-west4 subnet for landing
ip_cidr_range: 10.80.0.0/24
ipv6_access_type: null
log_config: []
name: landing-default
private_ip_google_access: true
project: fast2-prod-net-landing-0
region: europe-west4
role: null
secondary_ip_range: []
timeouts: null
# DNS server policy for the landing VPC: inbound forwarding is enabled so
# on-prem resolvers can query this VPC's private zones and response policy.
# NOTE(review): enable_logging is null here (provider default) while the
# equivalent dmz-vpc policy sets it to true — consider enabling it here too so
# queries arriving over the inbound forwarder are visible in Cloud Logging.
module.landing-vpc.google_dns_policy.default[0]:
  alternative_name_server_config: []
  description: Managed by Terraform
  enable_inbound_forwarding: true
  enable_logging: null
  name: prod-landing-0
  networks:
  - {}
  project: fast2-prod-net-landing-0
  timeouts: null
# DMZ counterpart of allow-hc-nva-ssh-landing: ingress tcp/22 from the health
# check prober ranges named in the description, priority 1000, unlogged.
# NOTE(review): target_tags is null, so every instance in the DMZ VPC accepts
# port 22 from these ranges, not just the NVAs; allow-ncc-nva-bgp-dmz in the
# same VPC scopes to target_tags [nva] and this rule should do the same.
module.dmz-firewall.google_compute_firewall.custom-rules["allow-hc-nva-ssh-dmz"]:
  allow:
  - ports:
    - '22'
    protocol: tcp
  deny: []
  description: Allow traffic from Google healthchecks to NVA appliances
  direction: INGRESS
  disabled: false
  log_config: []
  name: allow-hc-nva-ssh-dmz
  priority: 1000
  project: fast2-prod-net-landing-0
  source_ranges:
  - 130.211.0.0/22
  - 209.85.152.0/22
  - 209.85.204.0/22
  - 35.191.0.0/16
  source_service_accounts: null
  source_tags: null
  target_service_accounts: null
  target_tags: null
  timeouts: null
module.dmz-firewall.google_compute_firewall.custom-rules["allow-ncc-nva-bgp-dmz"]:
allow:
- ports:
- '179'
protocol: tcp
deny: []
description: Allow BGP traffic from NCC Cloud Routers to NVAs
direction: INGRESS
disabled: false
log_config: []
name: allow-ncc-nva-bgp-dmz
priority: 1000
project: fast2-prod-net-landing-0
source_ranges:
- 10.128.0.201/32
- 10.128.0.202/32
- 10.128.32.201/32
- 10.128.32.202/32
source_service_accounts: null
source_tags: null
target_service_accounts: null
target_tags:
- nva
timeouts: null
# NVA-to-NVA BGP (tcp/179) inside the DMZ VPC, matched purely on network tags:
# source_tags [nva] to target_tags [nva], no source_ranges. Tag-based matching
# means any instance an operator can tag "nva" can open BGP to the appliances,
# so the right to set that tag (compute.instances.setTags) is part of this
# rule's trust boundary. Not logged.
module.dmz-firewall.google_compute_firewall.custom-rules["allow-nva-nva-bgp-dmz"]:
  allow:
  - ports:
    - '179'
    protocol: tcp
  deny: []
  description: Allow BGP traffic from cross-regional NVAs
  direction: INGRESS
  disabled: false
  log_config: []
  name: allow-nva-nva-bgp-dmz
  priority: 1000
  project: fast2-prod-net-landing-0
  source_ranges: null
  source_service_accounts: null
  source_tags:
  - nva
  target_service_accounts: null
  target_tags:
  - nva
  timeouts: null
# Catch-all ingress deny (priority 65535) for the DMZ VPC, logged with
# EXCLUDE_ALL_METADATA. Because the DMZ keeps its default internet route,
# this rule is the primary record of unsolicited inbound traffic reaching the
# internet-facing side; it is worth feeding into detection.
module.dmz-firewall.google_compute_firewall.custom-rules["dmz-ingress-default-deny"]:
  allow: []
  deny:
  - ports: []
    protocol: all
  description: Deny and log any unmatched ingress traffic.
  direction: INGRESS
  disabled: false
  log_config:
  - metadata: EXCLUDE_ALL_METADATA
  name: dmz-ingress-default-deny
  priority: 65535
  project: fast2-prod-net-landing-0
  source_ranges:
  - 0.0.0.0/0
  source_service_accounts: null
  source_tags: null
  target_service_accounts: null
  target_tags: null
  timeouts: null
# DMZ VPC (prod-dmz-0), custom-mode, global routing. Unlike the landing VPC,
# delete_default_routes_on_create is false, so this network keeps the
# auto-created 0.0.0.0/0 route to the internet gateway — presumably because
# the DMZ is the internet-facing side that the NVAs front; confirm that no
# workload other than the NVAs is expected to land in these subnets.
module.dmz-vpc.google_compute_network.network[0]:
  auto_create_subnetworks: false
  delete_default_routes_on_create: false
  description: Terraform-managed.
  enable_ula_internal_ipv6: null
  mtu: 1500
  name: prod-dmz-0
  network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
  project: fast2-prod-net-landing-0
  routing_mode: GLOBAL
  timeouts: null
module.dmz-vpc.google_compute_subnetwork.subnetwork["europe-west1/dmz-default"]:
description: Default europe-west1 subnet for DMZ
ip_cidr_range: 10.64.128.0/24
ipv6_access_type: null
log_config: []
name: dmz-default
private_ip_google_access: true
project: fast2-prod-net-landing-0
region: europe-west1
role: null
secondary_ip_range: []
timeouts: null
module.dmz-vpc.google_compute_subnetwork.subnetwork["europe-west4/dmz-default"]:
description: Default europe-west4 subnet for DMZ
ip_cidr_range: 10.80.128.0/24
ipv6_access_type: null
log_config: []
name: dmz-default
private_ip_google_access: true
project: fast2-prod-net-landing-0
region: europe-west4
role: null
secondary_ip_range: []
timeouts: null
# DNS server policy for the DMZ VPC: inbound forwarding enabled and query
# logging explicitly on (enable_logging: true). This is the stricter of the
# two DNS policies in this file; the landing-vpc policy leaves logging at the
# provider default.
module.dmz-vpc.google_dns_policy.default[0]:
  alternative_name_server_config: []
  description: Managed by Terraform
  enable_inbound_forwarding: true
  enable_logging: true
  name: prod-dmz-0
  networks:
  - {}
  project: fast2-prod-net-landing-0
  timeouts: null
module.nva["primary-b"].google_compute_instance.default[0]:
advanced_machine_features: []
allow_stopping_for_update: true
attached_disk: []
boot_disk:
- auto_delete: true
disk_encryption_key_raw: null
initialize_params:
- enable_confidential_compute: null
image: projects/cos-cloud/global/images/family/cos-stable
resource_manager_tags: null
size: 10
type: pd-balanced
mode: READ_WRITE
can_ip_forward: true
deletion_protection: false
description: Managed by the compute-vm Terraform module.
desired_status: null
enable_display: false
hostname: null
labels: null
machine_type: e2-standard-2
metadata:
user-data: "#cloud-config\n\n# Copyright 2023 Google LLC\n#\n# Licensed under\
\ the Apache License, Version 2.0 (the \"License\");\n# you may not use this\
\ file except in compliance with the License.\n# You may obtain a copy of\
\ the License at\n#\n# https://www.apache.org/licenses/LICENSE-2.0\n#\n\
# Unless required by applicable law or agreed to in writing, software\n# distributed\
\ under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES\
\ OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License\
\ for the specific language governing permissions and\n# limitations under\
\ the License.\n\nwrite_files:\n\n - path: /etc/frr/daemons\n owner: root\n\
\ permissions: 0744\n content: |\n # Copyright 2023 Google LLC\n\
\ #\n # Licensed under the Apache License, Version 2.0 (the \"License\"\
);\n # you may not use this file except in compliance with the License.\n\
\ # You may obtain a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\
\ #\n # Unless required by applicable law or agreed to in writing,\
\ software\n # distributed under the License is distributed on an \"\
AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\
\ express or implied.\n # See the License for the specific language governing\
\ permissions and\n # limitations under the License.\n \n zebra=no\n\
\ bgpd=yes\n ospfd=no\n ospf6d=no\n ripd=no\n ripngd=no\n\
\ isisd=no\n pimd=no\n ldpd=no\n nhrpd=no\n eigrpd=no\n\
\ babeld=no\n sharpd=no\n staticd=no\n pbrd=no\n \
\ bfdd=no\n fabricd=no\n \n # If this option is set the /etc/init.d/frr\
\ script automatically loads\n # the config via \"vtysh -b\" when the\
\ servers are started.\n # Check /etc/pam.d/frr if you intend to use\
\ \"vtysh\"!\n \n vtysh_enable=yes\n zebra_options=\" -A 127.0.0.1\
\ -s 90000000\"\n bgpd_options=\" -A 127.0.0.1\"\n ospfd_options=\"\
\ --daemon -A 127.0.0.1\"\n ospf6d_options=\" --daemon -A ::1\"\n \
\ ripd_options=\" --daemon -A 127.0.0.1\"\n ripngd_options=\" --daemon\
\ -A ::1\"\n isisd_options=\" --daemon -A 127.0.0.1\"\n pimd_options=\"\
\ --daemon -A 127.0.0.1\"\n ldpd_options=\" --daemon -A 127.0.0.1\"\
\n nhrpd_options=\" --daemon -A 127.0.0.1\"\n eigrpd_options=\"\
\ --daemon -A 127.0.0.1\"\n babeld_options=\" --daemon -A 127.0.0.1\"\
\n sharpd_options=\" --daemon -A 127.0.0.1\"\n staticd_options=\"\
\ --daemon -A 127.0.0.1\"\n pbrd_options=\" --daemon -A 127.0.0.1\"\
\n bfdd_options=\" --daemon -A 127.0.0.1\"\n fabricd_options=\"\
\ --daemon -A 127.0.0.1\"\n \n #MAX_FDS=1024\n # The list\
\ of daemons to watch is automatically generated by the init script.\n \
\ #watchfrr_options=\"\"\n \n # for debugging purposes, you can\
\ specify a \"wrap\" command to start instead\n # of starting the daemon\
\ directly, e.g. to use valgrind on ospfd:\n # ospfd_wrap=\"/usr/bin/valgrind\"\
\n # or you can use \"all_wrap\" for all daemons, e.g. to use perf record:\n\
\ # all_wrap=\"/usr/bin/perf record --call-graph -\"\n # the normal\
\ daemon command is added to this at the end.\n \n\n - path: /etc/frr/frr.conf\n\
\ owner: root\n permissions: 0744\n content: |\n # NVAs configuration\
\ template\n \n log syslog informational\n no ipv6 forwarding\n\
\ service integrated-vtysh-config\n \n interface lo\n \
\ ip address 10.64.128.101/32\n \n ip prefix-list DEFAULT seq 10\
\ permit 0.0.0.0/0\n !\n ip prefix-list PRIMARY seq 10 permit 10.64.0.0/17\n\
\ ip prefix-list PRIMARY seq 20 permit 10.68.0.0/16\n ip prefix-list\
\ PRIMARY seq 30 permit 10.72.0.0/16\n !\n ip prefix-list SECONDARY\
\ seq 10 permit 10.80.0.0/17\n ip prefix-list SECONDARY seq 20 permit\
\ 10.84.0.0/16\n ip prefix-list SECONDARY seq 30 permit 10.88.0.0/16\n\
\ \n route-map TO-DMZ permit 10\n match ip address\
\ prefix-list PRIMARY\n set metric 100\n !\n route-map TO-DMZ\
\ permit 20\n match ip address prefix-list SECONDARY\n set metric\
\ 10100\n !\n route-map TO-LANDING permit 10\n match ip address\
\ prefix-list DEFAULT\n set metric 100\n !\n route-map TO-NVA\
\ permit 10\n match ip address prefix-list PRIMARY\n set metric\
\ 50\n \n router bgp 64513\n bgp router-id 10.64.128.101\n\
\ bgp bestpath as-path ignore\n bgp disable-ebgp-connected-route-check\n\
\ bgp timers 20 60\n !\n no bgp ebgp-requires-policy\n \
\ no bgp network import-check\n !\n neighbor 10.64.128.201\
\ remote-as 64512\n neighbor 10.64.128.202 remote-as 64512\n !\n\
\ neighbor 10.64.0.201 remote-as 64515\n neighbor 10.64.0.201\
\ update-source 10.64.0.101\n neighbor 10.64.0.202 remote-as 64515\n\
\ neighbor 10.64.0.202 update-source 10.64.0.101\n !\n neighbor\
\ 10.80.128.101 remote-as 64514\n neighbor 10.80.128.101 ebgp-multihop\
\ 2\n neighbor 10.80.128.102 remote-as 64514\n neighbor 10.80.128.102\
\ ebgp-multihop 2\n !\n address-family ipv4 unicast\n neighbor\
\ 10.64.128.201 route-map TO-DMZ out\n neighbor 10.64.128.201\
\ soft-reconfiguration inbound\n !\n neighbor 10.64.128.202 route-map\
\ TO-DMZ out\n neighbor 10.64.128.202 soft-reconfiguration inbound\n\
\ !\n neighbor 10.64.0.201 route-map TO-LANDING out\n neighbor\
\ 10.64.0.201 soft-reconfiguration inbound\n !\n neighbor 10.64.0.202\
\ route-map TO-LANDING out\n neighbor 10.64.0.202 soft-reconfiguration\
\ inbound\n !\n neighbor 10.80.128.101 route-map TO-NVA out\n\
\ neighbor 10.80.128.101 soft-reconfiguration inbound\n !\n \
\ neighbor 10.80.128.102 route-map TO-NVA out\n neighbor 10.80.128.102\
\ soft-reconfiguration inbound\n exit-address-family\n \n\n -\
\ path: /etc/frr/vtysh.conf\n owner: root\n permissions: 0644\n content:\
\ |\n # Copyright 2023 Google LLC\n #\n # Licensed under the\
\ Apache License, Version 2.0 (the \"License\");\n # you may not use\
\ this file except in compliance with the License.\n # You may obtain\
\ a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\
\ #\n # Unless required by applicable law or agreed to in writing,\
\ software\n # distributed under the License is distributed on an \"\
AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\
\ express or implied.\n # See the License for the specific language governing\
\ permissions and\n # limitations under the License.\n \n #\
\ This is a sample file used to remove warnings\n # when users open the\
\ vtysh console.\n \n\n - path: /etc/profile.d/00-aliases.sh\n owner:\
\ root\n permissions: 0644\n content: |\n alias vtysh='sudo docker\
\ exec -it frr sh -c vtysh'\n\n - path: /etc/systemd/system/frr.service\n\
\ owner: root\n permissions: 0644\n content: |\n # Copyright\
\ 2023 Google LLC\n #\n # Licensed under the Apache License, Version\
\ 2.0 (the \"License\");\n # you may not use this file except in compliance\
\ with the License.\n # You may obtain a copy of the License at\n \
\ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\
\ # Unless required by applicable law or agreed to in writing, software\n\
\ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\
\ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\
\ # See the License for the specific language governing permissions and\n\
\ # limitations under the License.\n \n [Unit]\n Description=Start\
\ FRR container\n After=gcr-online.target docker.socket\n Wants=gcr-online.target\
\ docker.socket docker-events-collector.service\n [Service]\n Environment=\"\
HOME=/home/frr\"\n ExecStart=/usr/bin/docker run --rm --name=frr \\\n\
\ --privileged \\\n --network host \\\n -v /etc/frr:/etc/frr\
\ \\\n frrouting/frr\n ExecStop=/usr/bin/docker stop frr\n \
\ ExecStopPost=/usr/bin/docker rm frr\n \n\n - path: /var/lib/docker/daemon.json\n\
\ owner: root\n permissions: 0644\n content: |\n {\n\
\ \"live-restore\": true,\n \"storage-driver\"\
: \"overlay2\",\n \"log-opts\": {\n \"max-size\"\
: \"1024m\"\n }\n }\n \n\n - path: /var/run/nva/ipprefix_by_netmask.sh\n\
\ owner: root\n permissions: 0744\n content: |\n #!/bin/bash\n\
\ \n # Copyright 2023 Google LLC\n #\n # Licensed under\
\ the Apache License, Version 2.0 (the \"License\");\n # you may not\
\ use this file except in compliance with the License.\n # You may obtain\
\ a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\
\ #\n # Unless required by applicable law or agreed to in writing,\
\ software\n # distributed under the License is distributed on an \"\
AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\
\ express or implied.\n # See the License for the specific language governing\
\ permissions and\n # limitations under the License.\n \n #\
\ https://stackoverflow.com/questions/50413579/bash-convert-netmask-in-cidr-notation\n\
\ c=0 x=0$(printf '%o' ${1//./ })\n while [ $x -gt 0 ]; do\n \
\ let c+=$((x % 2)) 'x>>=1'\n done\n echo $c\n \n\n -\
\ path: /var/run/nva/policy_based_routing.sh\n owner: root\n permissions:\
\ 0744\n content: |\n #!/bin/bash\n \n # Copyright 2023\
\ Google LLC\n #\n # Licensed under the Apache License, Version\
\ 2.0 (the \"License\");\n # you may not use this file except in compliance\
\ with the License.\n # You may obtain a copy of the License at\n \
\ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\
\ # Unless required by applicable law or agreed to in writing, software\n\
\ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\
\ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\
\ # See the License for the specific language governing permissions and\n\
\ # limitations under the License.\n \n IF_NAME=$1\n IF_NUMBER=$(echo\
\ $IF_NAME | sed -e s/eth//)\n IF_GW=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/gateway\
\ -H \"Metadata-Flavor: Google\")\n IF_IP=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/ip\
\ -H \"Metadata-Flavor: Google\")\n IF_NETMASK=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/subnetmask\
\ -H \"Metadata-Flavor: Google\")\n IF_IP_PREFIX=$(/var/run/nva/ipprefix_by_netmask.sh\
\ $IF_NETMASK)\n \n # Sleep while there's no load balancer IP route\
\ for this IF\n while true\n do\n IPS_LB_STR=$(ip r show\
\ table local | grep \"$IF_NAME proto 66\" | cut -f 2 -d \" \" | tr -s '\\\
n' ' ')\n IPS_LB=($IPS_LB_STR)\n for IP in \"${IPS_LB[@]}\"\n\
\ do\n # Configure hc routing table if not available for this\
\ network interface\n grep -qxF \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\
\ /etc/iproute2/rt_tables || {\n echo \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\
\ >>/etc/iproute2/rt_tables\n ip route add $IF_GW src $IF_IP dev\
\ $IF_NAME table hc-$IF_NAME\n ip route add default via $IF_GW\
\ dev $IF_NAME table hc-$IF_NAME\n }\n \n # configure\
\ PBR route for LB\n ip rule list | grep -qF \"$IP\" || ip rule add\
\ from $IP/32 table hc-$IF_NAME\n done\n \n # remove previously\
\ configure PBR for old LB removed from network interface\n # first\
\ get list of PBR on this network interface and retrieve LB IP addresses\n\
\ PBR_LB_IPS_STR=$(ip rule list | grep \"hc-$IF_NAME\" | cut -f 2 -d\
\ \" \" | tr -s '\\n' ' ')\n PBR_LB_IPS=($PBR_LB_IPS_STR)\n \n\
\ # iterate over PBR LB IP addresses\n for PBR_IP in \"${PBR_LB_IPS[@]}\"\
\n do\n # check if the PBR LB IP belongs to the current array\
\ of LB IPs attached to the\n # network interface, if not delete\
\ the corresponding PBR rule\n if [ -z \"$IPS_LB\" ] || ! echo ${IPS_LB[@]}\
\ | grep --quiet \"$PBR_IP\" ; then\n ip rule del from $PBR_IP\n\
\ fi\n done\n sleep 2\n done\n \n\n\n -\
\ path: /etc/systemd/system/routing.service\n permissions: 0644\n owner:\
\ root\n content: |\n [Install]\n WantedBy=multi-user.target\n\
\ [Unit]\n Description=Start routing\n After=network-online.target\n\
\ Wants=network-online.target\n [Service]\n RemainAfterExit=true\n\
\ ExecStart=/bin/sh -c \"/var/run/nva/start-routing.sh\"\n - path: /var/run/nva/start-routing.sh\n\
\ permissions: 0744\n owner: root\n content: |\n iptables --policy\
\ FORWARD ACCEPT\n /var/run/nva/policy_based_routing.sh eth0 &>/dev/null\
\ &\n iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n ip\
\ route add 10.64.127.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
\ -H \"Metadata-Flavor:Google\"` dev eth0\n ip route add 10.80.127.0/17\
\ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
\ -H \"Metadata-Flavor:Google\"` dev eth0\n /var/run/nva/policy_based_routing.sh\
\ eth1 &>/dev/null &\n ip route add 10.64.0.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\
\ -H \"Metadata-Flavor:Google\"` dev eth1\n ip route add 10.80.0.0/17\
\ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\
\ -H \"Metadata-Flavor:Google\"` dev eth1\n iptables -A INPUT -p tcp\
\ --dport 179 -j ACCEPT\n\nbootcmd:\n - systemctl start node-problem-detector\n\
\nruncmd:\n - systemctl daemon-reload\n - systemctl enable routing\n -\
\ systemctl start routing\n - systemctl start frr\n"
metadata_startup_script: null
name: nva-ew1-b
network_interface:
- access_config: []
alias_ip_range: []
ipv6_access_config: []
network_ip: 10.64.128.101
nic_type: null
queue_count: null
security_policy: null
- access_config: []
alias_ip_range: []
ipv6_access_config: []
network_ip: 10.64.0.101
nic_type: null
queue_count: null
security_policy: null
network_performance_config: []
params: []
project: fast2-prod-net-landing-0
resource_policies: null
scheduling:
- automatic_restart: true
instance_termination_action: null
local_ssd_recovery_timeout: []
maintenance_interval: null
max_run_duration: []
min_node_cpus: null
node_affinities: []
on_host_maintenance: MIGRATE
preemptible: false
provisioning_model: STANDARD
scratch_disk: []
service_account:
- scopes:
- https://www.googleapis.com/auth/devstorage.read_only
- https://www.googleapis.com/auth/logging.write
- https://www.googleapis.com/auth/monitoring.write
shielded_instance_config: []
tags:
- nva
timeouts: null
zone: europe-west1-b
module.nva["primary-c"].google_compute_instance.default[0]:
advanced_machine_features: []
allow_stopping_for_update: true
attached_disk: []
boot_disk:
- auto_delete: true
disk_encryption_key_raw: null
initialize_params:
- enable_confidential_compute: null
image: projects/cos-cloud/global/images/family/cos-stable
resource_manager_tags: null
size: 10
type: pd-balanced
mode: READ_WRITE
can_ip_forward: true
deletion_protection: false
description: Managed by the compute-vm Terraform module.
desired_status: null
enable_display: false
hostname: null
labels: null
machine_type: e2-standard-2
metadata:
user-data: "#cloud-config\n\n# Copyright 2023 Google LLC\n#\n# Licensed under\
\ the Apache License, Version 2.0 (the \"License\");\n# you may not use this\
\ file except in compliance with the License.\n# You may obtain a copy of\
\ the License at\n#\n# https://www.apache.org/licenses/LICENSE-2.0\n#\n\
# Unless required by applicable law or agreed to in writing, software\n# distributed\
\ under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES\
\ OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License\
\ for the specific language governing permissions and\n# limitations under\
\ the License.\n\nwrite_files:\n\n - path: /etc/frr/daemons\n owner: root\n\
\ permissions: 0744\n content: |\n # Copyright 2023 Google LLC\n\
\ #\n # Licensed under the Apache License, Version 2.0 (the \"License\"\
);\n # you may not use this file except in compliance with the License.\n\
\ # You may obtain a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\
\ #\n # Unless required by applicable law or agreed to in writing,\
\ software\n # distributed under the License is distributed on an \"\
AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\
\ express or implied.\n # See the License for the specific language governing\
\ permissions and\n # limitations under the License.\n \n zebra=no\n\
\ bgpd=yes\n ospfd=no\n ospf6d=no\n ripd=no\n ripngd=no\n\
\ isisd=no\n pimd=no\n ldpd=no\n nhrpd=no\n eigrpd=no\n\
\ babeld=no\n sharpd=no\n staticd=no\n pbrd=no\n \
\ bfdd=no\n fabricd=no\n \n # If this option is set the /etc/init.d/frr\
\ script automatically loads\n # the config via \"vtysh -b\" when the\
\ servers are started.\n # Check /etc/pam.d/frr if you intend to use\
\ \"vtysh\"!\n \n vtysh_enable=yes\n zebra_options=\" -A 127.0.0.1\
\ -s 90000000\"\n bgpd_options=\" -A 127.0.0.1\"\n ospfd_options=\"\
\ --daemon -A 127.0.0.1\"\n ospf6d_options=\" --daemon -A ::1\"\n \
\ ripd_options=\" --daemon -A 127.0.0.1\"\n ripngd_options=\" --daemon\
\ -A ::1\"\n isisd_options=\" --daemon -A 127.0.0.1\"\n pimd_options=\"\
\ --daemon -A 127.0.0.1\"\n ldpd_options=\" --daemon -A 127.0.0.1\"\
\n nhrpd_options=\" --daemon -A 127.0.0.1\"\n eigrpd_options=\"\
\ --daemon -A 127.0.0.1\"\n babeld_options=\" --daemon -A 127.0.0.1\"\
\n sharpd_options=\" --daemon -A 127.0.0.1\"\n staticd_options=\"\
\ --daemon -A 127.0.0.1\"\n pbrd_options=\" --daemon -A 127.0.0.1\"\
\n bfdd_options=\" --daemon -A 127.0.0.1\"\n fabricd_options=\"\
\ --daemon -A 127.0.0.1\"\n \n #MAX_FDS=1024\n # The list\
\ of daemons to watch is automatically generated by the init script.\n \
\ #watchfrr_options=\"\"\n \n # for debugging purposes, you can\
\ specify a \"wrap\" command to start instead\n # of starting the daemon\
\ directly, e.g. to use valgrind on ospfd:\n # ospfd_wrap=\"/usr/bin/valgrind\"\
\n # or you can use \"all_wrap\" for all daemons, e.g. to use perf record:\n\
\ # all_wrap=\"/usr/bin/perf record --call-graph -\"\n # the normal\
\ daemon command is added to this at the end.\n \n\n - path: /etc/frr/frr.conf\n\
\ owner: root\n permissions: 0744\n content: |\n # NVAs configuration\
\ template\n \n log syslog informational\n no ipv6 forwarding\n\
\ service integrated-vtysh-config\n \n interface lo\n \
\ ip address 10.64.128.102/32\n \n ip prefix-list DEFAULT seq 10\
\ permit 0.0.0.0/0\n !\n ip prefix-list PRIMARY seq 10 permit 10.64.0.0/17\n\
\ ip prefix-list PRIMARY seq 20 permit 10.68.0.0/16\n ip prefix-list\
\ PRIMARY seq 30 permit 10.72.0.0/16\n !\n ip prefix-list SECONDARY\
\ seq 10 permit 10.80.0.0/17\n ip prefix-list SECONDARY seq 20 permit\
\ 10.84.0.0/16\n ip prefix-list SECONDARY seq 30 permit 10.88.0.0/16\n\
\ \n route-map TO-DMZ permit 10\n match ip address\
\ prefix-list PRIMARY\n set metric 100\n !\n route-map TO-DMZ\
\ permit 20\n match ip address prefix-list SECONDARY\n set metric\
\ 10100\n !\n route-map TO-LANDING permit 10\n match ip address\
\ prefix-list DEFAULT\n set metric 100\n !\n route-map TO-NVA\
\ permit 10\n match ip address prefix-list PRIMARY\n set metric\
\ 50\n \n router bgp 64513\n bgp router-id 10.64.128.102\n\
\ bgp bestpath as-path ignore\n bgp disable-ebgp-connected-route-check\n\
\ bgp timers 20 60\n !\n no bgp ebgp-requires-policy\n \
\ no bgp network import-check\n !\n neighbor 10.64.128.201\
\ remote-as 64512\n neighbor 10.64.128.202 remote-as 64512\n !\n\
\ neighbor 10.64.0.201 remote-as 64515\n neighbor 10.64.0.201\
\ update-source 10.64.0.102\n neighbor 10.64.0.202 remote-as 64515\n\
\ neighbor 10.64.0.202 update-source 10.64.0.102\n !\n neighbor\
\ 10.80.128.101 remote-as 64514\n neighbor 10.80.128.101 ebgp-multihop\
\ 2\n neighbor 10.80.128.102 remote-as 64514\n neighbor 10.80.128.102\
\ ebgp-multihop 2\n !\n address-family ipv4 unicast\n neighbor\
\ 10.64.128.201 route-map TO-DMZ out\n neighbor 10.64.128.201\
\ soft-reconfiguration inbound\n !\n neighbor 10.64.128.202 route-map\
\ TO-DMZ out\n neighbor 10.64.128.202 soft-reconfiguration inbound\n\
\ !\n neighbor 10.64.0.201 route-map TO-LANDING out\n neighbor\
\ 10.64.0.201 soft-reconfiguration inbound\n !\n neighbor 10.64.0.202\
\ route-map TO-LANDING out\n neighbor 10.64.0.202 soft-reconfiguration\
\ inbound\n !\n neighbor 10.80.128.101 route-map TO-NVA out\n\
\ neighbor 10.80.128.101 soft-reconfiguration inbound\n !\n \
\ neighbor 10.80.128.102 route-map TO-NVA out\n neighbor 10.80.128.102\
\ soft-reconfiguration inbound\n exit-address-family\n \n\n -\
\ path: /etc/frr/vtysh.conf\n owner: root\n permissions: 0644\n content:\
\ |\n # Copyright 2023 Google LLC\n #\n # Licensed under the\
\ Apache License, Version 2.0 (the \"License\");\n # you may not use\
\ this file except in compliance with the License.\n # You may obtain\
\ a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\
\ #\n # Unless required by applicable law or agreed to in writing,\
\ software\n # distributed under the License is distributed on an \"\
AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\
\ express or implied.\n # See the License for the specific language governing\
\ permissions and\n # limitations under the License.\n \n #\
\ This is a sample file used to remove warnings\n # when users open the\
\ vtysh console.\n \n\n - path: /etc/profile.d/00-aliases.sh\n owner:\
\ root\n permissions: 0644\n content: |\n alias vtysh='sudo docker\
\ exec -it frr sh -c vtysh'\n\n - path: /etc/systemd/system/frr.service\n\
\ owner: root\n permissions: 0644\n content: |\n # Copyright\
\ 2023 Google LLC\n #\n # Licensed under the Apache License, Version\
\ 2.0 (the \"License\");\n # you may not use this file except in compliance\
\ with the License.\n # You may obtain a copy of the License at\n \
\ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\
\ # Unless required by applicable law or agreed to in writing, software\n\
\ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\
\ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\
\ # See the License for the specific language governing permissions and\n\
\ # limitations under the License.\n \n [Unit]\n Description=Start\
\ FRR container\n After=gcr-online.target docker.socket\n Wants=gcr-online.target\
\ docker.socket docker-events-collector.service\n [Service]\n Environment=\"\
HOME=/home/frr\"\n ExecStart=/usr/bin/docker run --rm --name=frr \\\n\
\ --privileged \\\n --network host \\\n -v /etc/frr:/etc/frr\
\ \\\n frrouting/frr\n ExecStop=/usr/bin/docker stop frr\n \
\ ExecStopPost=/usr/bin/docker rm frr\n \n\n - path: /var/lib/docker/daemon.json\n\
\ owner: root\n permissions: 0644\n content: |\n {\n\
\ \"live-restore\": true,\n \"storage-driver\"\
: \"overlay2\",\n \"log-opts\": {\n \"max-size\"\
: \"1024m\"\n }\n }\n \n\n - path: /var/run/nva/ipprefix_by_netmask.sh\n\
\ owner: root\n permissions: 0744\n content: |\n #!/bin/bash\n\
\ \n # Copyright 2023 Google LLC\n #\n # Licensed under\
\ the Apache License, Version 2.0 (the \"License\");\n # you may not\
\ use this file except in compliance with the License.\n # You may obtain\
\ a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\
\ #\n # Unless required by applicable law or agreed to in writing,\
\ software\n # distributed under the License is distributed on an \"\
AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\
\ express or implied.\n # See the License for the specific language governing\
\ permissions and\n # limitations under the License.\n \n #\
\ https://stackoverflow.com/questions/50413579/bash-convert-netmask-in-cidr-notation\n\
\ c=0 x=0$(printf '%o' ${1//./ })\n while [ $x -gt 0 ]; do\n \
\ let c+=$((x % 2)) 'x>>=1'\n done\n echo $c\n \n\n -\
\ path: /var/run/nva/policy_based_routing.sh\n owner: root\n permissions:\
\ 0744\n content: |\n #!/bin/bash\n \n # Copyright 2023\
\ Google LLC\n #\n # Licensed under the Apache License, Version\
\ 2.0 (the \"License\");\n # you may not use this file except in compliance\
\ with the License.\n # You may obtain a copy of the License at\n \
\ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\
\ # Unless required by applicable law or agreed to in writing, software\n\
\ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\
\ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\
\ # See the License for the specific language governing permissions and\n\
\ # limitations under the License.\n \n IF_NAME=$1\n IF_NUMBER=$(echo\
\ $IF_NAME | sed -e s/eth//)\n IF_GW=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/gateway\
\ -H \"Metadata-Flavor: Google\")\n IF_IP=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/ip\
\ -H \"Metadata-Flavor: Google\")\n IF_NETMASK=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/subnetmask\
\ -H \"Metadata-Flavor: Google\")\n IF_IP_PREFIX=$(/var/run/nva/ipprefix_by_netmask.sh\
\ $IF_NETMASK)\n \n # Sleep while there's no load balancer IP route\
\ for this IF\n while true\n do\n IPS_LB_STR=$(ip r show\
\ table local | grep \"$IF_NAME proto 66\" | cut -f 2 -d \" \" | tr -s '\\\
n' ' ')\n IPS_LB=($IPS_LB_STR)\n for IP in \"${IPS_LB[@]}\"\n\
\ do\n # Configure hc routing table if not available for this\
\ network interface\n grep -qxF \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\
\ /etc/iproute2/rt_tables || {\n echo \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\
\ >>/etc/iproute2/rt_tables\n ip route add $IF_GW src $IF_IP dev\
\ $IF_NAME table hc-$IF_NAME\n ip route add default via $IF_GW\
\ dev $IF_NAME table hc-$IF_NAME\n }\n \n # configure\
\ PBR route for LB\n ip rule list | grep -qF \"$IP\" || ip rule add\
\ from $IP/32 table hc-$IF_NAME\n done\n \n # remove previously\
\ configure PBR for old LB removed from network interface\n # first\
\ get list of PBR on this network interface and retrieve LB IP addresses\n\
\ PBR_LB_IPS_STR=$(ip rule list | grep \"hc-$IF_NAME\" | cut -f 2 -d\
\ \" \" | tr -s '\\n' ' ')\n PBR_LB_IPS=($PBR_LB_IPS_STR)\n \n\
\ # iterate over PBR LB IP addresses\n for PBR_IP in \"${PBR_LB_IPS[@]}\"\
\n do\n # check if the PBR LB IP belongs to the current array\
\ of LB IPs attached to the\n # network interface, if not delete\
\ the corresponding PBR rule\n if [ -z \"$IPS_LB\" ] || ! echo ${IPS_LB[@]}\
\ | grep --quiet \"$PBR_IP\" ; then\n ip rule del from $PBR_IP\n\
\ fi\n done\n sleep 2\n done\n \n\n\n -\
\ path: /etc/systemd/system/routing.service\n permissions: 0644\n owner:\
\ root\n content: |\n [Install]\n WantedBy=multi-user.target\n\
\ [Unit]\n Description=Start routing\n After=network-online.target\n\
\ Wants=network-online.target\n [Service]\n RemainAfterExit=true\n\
\ ExecStart=/bin/sh -c \"/var/run/nva/start-routing.sh\"\n - path: /var/run/nva/start-routing.sh\n\
\ permissions: 0744\n owner: root\n content: |\n iptables --policy\
\ FORWARD ACCEPT\n /var/run/nva/policy_based_routing.sh eth0 &>/dev/null\
\ &\n iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n ip\
\ route add 10.64.127.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
\ -H \"Metadata-Flavor:Google\"` dev eth0\n ip route add 10.80.127.0/17\
\ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
\ -H \"Metadata-Flavor:Google\"` dev eth0\n /var/run/nva/policy_based_routing.sh\
\ eth1 &>/dev/null &\n ip route add 10.64.0.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\
\ -H \"Metadata-Flavor:Google\"` dev eth1\n ip route add 10.80.0.0/17\
\ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\
\ -H \"Metadata-Flavor:Google\"` dev eth1\n iptables -A INPUT -p tcp\
\ --dport 179 -j ACCEPT\n\nbootcmd:\n - systemctl start node-problem-detector\n\
\nruncmd:\n - systemctl daemon-reload\n - systemctl enable routing\n -\
\ systemctl start routing\n - systemctl start frr\n"
metadata_startup_script: null
name: nva-ew1-c
network_interface:
- access_config: []
alias_ip_range: []
ipv6_access_config: []
network_ip: 10.64.128.102
nic_type: null
queue_count: null
security_policy: null
- access_config: []
alias_ip_range: []
ipv6_access_config: []
network_ip: 10.64.0.102
nic_type: null
queue_count: null
security_policy: null
network_performance_config: []
params: []
project: fast2-prod-net-landing-0
resource_policies: null
scheduling:
- automatic_restart: true
instance_termination_action: null
local_ssd_recovery_timeout: []
maintenance_interval: null
max_run_duration: []
min_node_cpus: null
node_affinities: []
on_host_maintenance: MIGRATE
preemptible: false
provisioning_model: STANDARD
scratch_disk: []
service_account:
- scopes:
- https://www.googleapis.com/auth/devstorage.read_only
- https://www.googleapis.com/auth/logging.write
- https://www.googleapis.com/auth/monitoring.write
shielded_instance_config: []
tags:
- nva
timeouts: null
zone: europe-west1-c
module.nva["secondary-b"].google_compute_instance.default[0]:
advanced_machine_features: []
allow_stopping_for_update: true
attached_disk: []
boot_disk:
- auto_delete: true
disk_encryption_key_raw: null
initialize_params:
- enable_confidential_compute: null
image: projects/cos-cloud/global/images/family/cos-stable
resource_manager_tags: null
size: 10
type: pd-balanced
mode: READ_WRITE
can_ip_forward: true
deletion_protection: false
description: Managed by the compute-vm Terraform module.
desired_status: null
enable_display: false
hostname: null
labels: null
machine_type: e2-standard-2
metadata:
user-data: "#cloud-config\n\n# Copyright 2023 Google LLC\n#\n# Licensed under\
\ the Apache License, Version 2.0 (the \"License\");\n# you may not use this\
\ file except in compliance with the License.\n# You may obtain a copy of\
\ the License at\n#\n# https://www.apache.org/licenses/LICENSE-2.0\n#\n\
# Unless required by applicable law or agreed to in writing, software\n# distributed\
\ under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES\
\ OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License\
\ for the specific language governing permissions and\n# limitations under\
\ the License.\n\nwrite_files:\n\n - path: /etc/frr/daemons\n owner: root\n\
\ permissions: 0744\n content: |\n # Copyright 2023 Google LLC\n\
\ #\n # Licensed under the Apache License, Version 2.0 (the \"License\"\
);\n # you may not use this file except in compliance with the License.\n\
\ # You may obtain a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\
\ #\n # Unless required by applicable law or agreed to in writing,\
\ software\n # distributed under the License is distributed on an \"\
AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\
\ express or implied.\n # See the License for the specific language governing\
\ permissions and\n # limitations under the License.\n \n zebra=no\n\
\ bgpd=yes\n ospfd=no\n ospf6d=no\n ripd=no\n ripngd=no\n\
\ isisd=no\n pimd=no\n ldpd=no\n nhrpd=no\n eigrpd=no\n\
\ babeld=no\n sharpd=no\n staticd=no\n pbrd=no\n \
\ bfdd=no\n fabricd=no\n \n # If this option is set the /etc/init.d/frr\
\ script automatically loads\n # the config via \"vtysh -b\" when the\
\ servers are started.\n # Check /etc/pam.d/frr if you intend to use\
\ \"vtysh\"!\n \n vtysh_enable=yes\n zebra_options=\" -A 127.0.0.1\
\ -s 90000000\"\n bgpd_options=\" -A 127.0.0.1\"\n ospfd_options=\"\
\ --daemon -A 127.0.0.1\"\n ospf6d_options=\" --daemon -A ::1\"\n \
\ ripd_options=\" --daemon -A 127.0.0.1\"\n ripngd_options=\" --daemon\
\ -A ::1\"\n isisd_options=\" --daemon -A 127.0.0.1\"\n pimd_options=\"\
\ --daemon -A 127.0.0.1\"\n ldpd_options=\" --daemon -A 127.0.0.1\"\
\n nhrpd_options=\" --daemon -A 127.0.0.1\"\n eigrpd_options=\"\
\ --daemon -A 127.0.0.1\"\n babeld_options=\" --daemon -A 127.0.0.1\"\
\n sharpd_options=\" --daemon -A 127.0.0.1\"\n staticd_options=\"\
\ --daemon -A 127.0.0.1\"\n pbrd_options=\" --daemon -A 127.0.0.1\"\
\n bfdd_options=\" --daemon -A 127.0.0.1\"\n fabricd_options=\"\
\ --daemon -A 127.0.0.1\"\n \n #MAX_FDS=1024\n # The list\
\ of daemons to watch is automatically generated by the init script.\n \
\ #watchfrr_options=\"\"\n \n # for debugging purposes, you can\
\ specify a \"wrap\" command to start instead\n # of starting the daemon\
\ directly, e.g. to use valgrind on ospfd:\n # ospfd_wrap=\"/usr/bin/valgrind\"\
\n # or you can use \"all_wrap\" for all daemons, e.g. to use perf record:\n\
\ # all_wrap=\"/usr/bin/perf record --call-graph -\"\n # the normal\
\ daemon command is added to this at the end.\n \n\n - path: /etc/frr/frr.conf\n\
\ owner: root\n permissions: 0744\n content: |\n # NVAs configuration\
\ template\n \n log syslog informational\n no ipv6 forwarding\n\
\ service integrated-vtysh-config\n \n interface lo\n \
\ ip address 10.80.128.101/32\n \n ip prefix-list DEFAULT seq 10\
\ permit 0.0.0.0/0\n !\n ip prefix-list PRIMARY seq 10 permit 10.64.0.0/17\n\
\ ip prefix-list PRIMARY seq 20 permit 10.68.0.0/16\n ip prefix-list\
\ PRIMARY seq 30 permit 10.72.0.0/16\n !\n ip prefix-list SECONDARY\
\ seq 10 permit 10.80.0.0/17\n ip prefix-list SECONDARY seq 20 permit\
\ 10.84.0.0/16\n ip prefix-list SECONDARY seq 30 permit 10.88.0.0/16\n\
\ \n route-map TO-DMZ permit 10\n match ip address\
\ prefix-list PRIMARY\n set metric 10100\n !\n route-map\
\ TO-DMZ permit 20\n match ip address prefix-list SECONDARY\n\
\ set metric 100\n !\n route-map TO-LANDING permit 10\n \
\ match ip address prefix-list DEFAULT\n set metric 100\n \
\ !\n route-map TO-NVA permit 10\n match ip address prefix-list\
\ SECONDARY\n set metric 50\n \n router bgp 64514\n \
\ bgp router-id 10.80.128.101\n bgp bestpath as-path ignore\n \
\ bgp disable-ebgp-connected-route-check\n bgp timers 20 60\n \
\ !\n no bgp ebgp-requires-policy\n no bgp network import-check\n\
\ !\n neighbor 10.80.128.201 remote-as 64512\n neighbor 10.80.128.202\
\ remote-as 64512\n !\n neighbor 10.80.0.201 remote-as 64515\n\
\ neighbor 10.80.0.201 update-source 10.80.0.101\n neighbor 10.80.0.202\
\ remote-as 64515\n neighbor 10.80.0.202 update-source 10.80.0.101\n\
\ !\n neighbor 10.64.128.101 remote-as 64513\n neighbor 10.64.128.101\
\ ebgp-multihop 2\n neighbor 10.64.128.102 remote-as 64513\n neighbor\
\ 10.64.128.102 ebgp-multihop 2\n !\n address-family ipv4 unicast\n\
\ neighbor 10.80.128.201 route-map TO-DMZ out\n neighbor\
\ 10.80.128.201 soft-reconfiguration inbound\n !\n neighbor 10.80.128.202\
\ route-map TO-DMZ out\n neighbor 10.80.128.202 soft-reconfiguration\
\ inbound\n !\n neighbor 10.80.0.201 route-map TO-LANDING out\n\
\ neighbor 10.80.0.201 soft-reconfiguration inbound\n !\n \
\ neighbor 10.80.0.202 route-map TO-LANDING out\n neighbor 10.80.0.202\
\ soft-reconfiguration inbound\n !\n neighbor 10.64.128.101 route-map\
\ TO-NVA out\n neighbor 10.64.128.101 soft-reconfiguration inbound\n\
\ !\n neighbor 10.64.128.102 route-map TO-NVA out\n neighbor\
\ 10.64.128.102 soft-reconfiguration inbound\n exit-address-family\n\
\ \n\n - path: /etc/frr/vtysh.conf\n owner: root\n permissions:\
\ 0644\n content: |\n # Copyright 2023 Google LLC\n #\n \
\ # Licensed under the Apache License, Version 2.0 (the \"License\");\n \
\ # you may not use this file except in compliance with the License.\n\
\ # You may obtain a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\
\ #\n # Unless required by applicable law or agreed to in writing,\
\ software\n # distributed under the License is distributed on an \"\
AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\
\ express or implied.\n # See the License for the specific language governing\
\ permissions and\n # limitations under the License.\n \n #\
\ This is a sample file used to remove warnings\n # when users open the\
\ vtysh console.\n \n\n - path: /etc/profile.d/00-aliases.sh\n owner:\
\ root\n permissions: 0644\n content: |\n alias vtysh='sudo docker\
\ exec -it frr sh -c vtysh'\n\n - path: /etc/systemd/system/frr.service\n\
\ owner: root\n permissions: 0644\n content: |\n # Copyright\
\ 2023 Google LLC\n #\n # Licensed under the Apache License, Version\
\ 2.0 (the \"License\");\n # you may not use this file except in compliance\
\ with the License.\n # You may obtain a copy of the License at\n \
\ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\
\ # Unless required by applicable law or agreed to in writing, software\n\
\ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\
\ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\
\ # See the License for the specific language governing permissions and\n\
\ # limitations under the License.\n \n [Unit]\n Description=Start\
\ FRR container\n After=gcr-online.target docker.socket\n Wants=gcr-online.target\
\ docker.socket docker-events-collector.service\n [Service]\n Environment=\"\
HOME=/home/frr\"\n ExecStart=/usr/bin/docker run --rm --name=frr \\\n\
\ --privileged \\\n --network host \\\n -v /etc/frr:/etc/frr\
\ \\\n frrouting/frr\n ExecStop=/usr/bin/docker stop frr\n \
\ ExecStopPost=/usr/bin/docker rm frr\n \n\n - path: /var/lib/docker/daemon.json\n\
\ owner: root\n permissions: 0644\n content: |\n {\n\
\ \"live-restore\": true,\n \"storage-driver\"\
: \"overlay2\",\n \"log-opts\": {\n \"max-size\"\
: \"1024m\"\n }\n }\n \n\n - path: /var/run/nva/ipprefix_by_netmask.sh\n\
\ owner: root\n permissions: 0744\n content: |\n #!/bin/bash\n\
\ \n # Copyright 2023 Google LLC\n #\n # Licensed under\
\ the Apache License, Version 2.0 (the \"License\");\n # you may not\
\ use this file except in compliance with the License.\n # You may obtain\
\ a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\
\ #\n # Unless required by applicable law or agreed to in writing,\
\ software\n # distributed under the License is distributed on an \"\
AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\
\ express or implied.\n # See the License for the specific language governing\
\ permissions and\n # limitations under the License.\n \n #\
\ https://stackoverflow.com/questions/50413579/bash-convert-netmask-in-cidr-notation\n\
\ c=0 x=0$(printf '%o' ${1//./ })\n while [ $x -gt 0 ]; do\n \
\ let c+=$((x % 2)) 'x>>=1'\n done\n echo $c\n \n\n -\
\ path: /var/run/nva/policy_based_routing.sh\n owner: root\n permissions:\
\ 0744\n content: |\n #!/bin/bash\n \n # Copyright 2023\
\ Google LLC\n #\n # Licensed under the Apache License, Version\
\ 2.0 (the \"License\");\n # you may not use this file except in compliance\
\ with the License.\n # You may obtain a copy of the License at\n \
\ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\
\ # Unless required by applicable law or agreed to in writing, software\n\
\ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\
\ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\
\ # See the License for the specific language governing permissions and\n\
\ # limitations under the License.\n \n IF_NAME=$1\n IF_NUMBER=$(echo\
\ $IF_NAME | sed -e s/eth//)\n IF_GW=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/gateway\
\ -H \"Metadata-Flavor: Google\")\n IF_IP=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/ip\
\ -H \"Metadata-Flavor: Google\")\n IF_NETMASK=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/subnetmask\
\ -H \"Metadata-Flavor: Google\")\n IF_IP_PREFIX=$(/var/run/nva/ipprefix_by_netmask.sh\
\ $IF_NETMASK)\n \n # Sleep while there's no load balancer IP route\
\ for this IF\n while true\n do\n IPS_LB_STR=$(ip r show\
\ table local | grep \"$IF_NAME proto 66\" | cut -f 2 -d \" \" | tr -s '\\\
n' ' ')\n IPS_LB=($IPS_LB_STR)\n for IP in \"${IPS_LB[@]}\"\n\
\ do\n # Configure hc routing table if not available for this\
\ network interface\n grep -qxF \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\
\ /etc/iproute2/rt_tables || {\n echo \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\
\ >>/etc/iproute2/rt_tables\n ip route add $IF_GW src $IF_IP dev\
\ $IF_NAME table hc-$IF_NAME\n ip route add default via $IF_GW\
\ dev $IF_NAME table hc-$IF_NAME\n }\n \n # configure\
\ PBR route for LB\n ip rule list | grep -qF \"$IP\" || ip rule add\
\ from $IP/32 table hc-$IF_NAME\n done\n \n # remove previously\
\ configure PBR for old LB removed from network interface\n # first\
\ get list of PBR on this network interface and retrieve LB IP addresses\n\
\ PBR_LB_IPS_STR=$(ip rule list | grep \"hc-$IF_NAME\" | cut -f 2 -d\
\ \" \" | tr -s '\\n' ' ')\n PBR_LB_IPS=($PBR_LB_IPS_STR)\n \n\
\ # iterate over PBR LB IP addresses\n for PBR_IP in \"${PBR_LB_IPS[@]}\"\
\n do\n # check if the PBR LB IP belongs to the current array\
\ of LB IPs attached to the\n # network interface, if not delete\
\ the corresponding PBR rule\n if [ -z \"$IPS_LB\" ] || ! echo ${IPS_LB[@]}\
\ | grep --quiet \"$PBR_IP\" ; then\n ip rule del from $PBR_IP\n\
\ fi\n done\n sleep 2\n done\n \n\n\n -\
\ path: /etc/systemd/system/routing.service\n permissions: 0644\n owner:\
\ root\n content: |\n [Install]\n WantedBy=multi-user.target\n\
\ [Unit]\n Description=Start routing\n After=network-online.target\n\
\ Wants=network-online.target\n [Service]\n RemainAfterExit=true\n\
\ ExecStart=/bin/sh -c \"/var/run/nva/start-routing.sh\"\n - path: /var/run/nva/start-routing.sh\n\
\ permissions: 0744\n owner: root\n content: |\n iptables --policy\
\ FORWARD ACCEPT\n /var/run/nva/policy_based_routing.sh eth0 &>/dev/null\
\ &\n iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n ip\
\ route add 10.64.127.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
\ -H \"Metadata-Flavor:Google\"` dev eth0\n ip route add 10.80.127.0/17\
\ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
\ -H \"Metadata-Flavor:Google\"` dev eth0\n /var/run/nva/policy_based_routing.sh\
\ eth1 &>/dev/null &\n ip route add 10.64.0.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\
\ -H \"Metadata-Flavor:Google\"` dev eth1\n ip route add 10.80.0.0/17\
\ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\
\ -H \"Metadata-Flavor:Google\"` dev eth1\n iptables -A INPUT -p tcp\
\ --dport 179 -j ACCEPT\n\nbootcmd:\n - systemctl start node-problem-detector\n\
\nruncmd:\n - systemctl daemon-reload\n - systemctl enable routing\n -\
\ systemctl start routing\n - systemctl start frr\n"
metadata_startup_script: null
name: nva-ew4-b
  # Two internal-only NICs (no access_config => no external IP). nic0 is the
  # DMZ-side address (10.80.128.101, the FRR router-id above), nic1 the
  # landing-side address (10.80.0.101, used as BGP update-source above).
  network_interface:
  - access_config: []
    alias_ip_range: []
    ipv6_access_config: []
    network_ip: 10.80.128.101
    nic_type: null
    queue_count: null
    security_policy: null
  - access_config: []
    alias_ip_range: []
    ipv6_access_config: []
    network_ip: 10.80.0.101
    nic_type: null
    queue_count: null
    security_policy: null
network_performance_config: []
params: []
project: fast2-prod-net-landing-0
resource_policies: null
scheduling:
- automatic_restart: true
instance_termination_action: null
local_ssd_recovery_timeout: []
maintenance_interval: null
max_run_duration: []
min_node_cpus: null
node_affinities: []
on_host_maintenance: MIGRATE
preemptible: false
provisioning_model: STANDARD
scratch_disk: []
  # Minimal OAuth scopes (GCS read-only, logging and monitoring write). The
  # service account email is absent from this fixture (presumably computed at
  # apply time).
  service_account:
  - scopes:
    - https://www.googleapis.com/auth/devstorage.read_only
    - https://www.googleapis.com/auth/logging.write
    - https://www.googleapis.com/auth/monitoring.write
  # Empty: no Shielded VM options (secure boot, vTPM, integrity monitoring)
  # are requested, so image/provider defaults apply. NOTE(review): worth
  # enabling explicitly for a transit appliance — a change for the stage, not
  # for this fixture.
  shielded_instance_config: []
tags:
- nva
timeouts: null
zone: europe-west4-b
# Secondary-region NVA, zone c (sibling of the "secondary-b" entry above).
# These are expected plan values only; the live configuration is produced by
# the stage, so review findings noted below must be fixed there.
module.nva["secondary-c"].google_compute_instance.default[0]:
  advanced_machine_features: []
  allow_stopping_for_update: true
  attached_disk: []
  # Boot disk: COS stable image family, no customer-supplied encryption key
  # passed (disk_encryption_key_raw null), confidential compute left unset.
  boot_disk:
  - auto_delete: true
    disk_encryption_key_raw: null
    initialize_params:
    - enable_confidential_compute: null
      image: projects/cos-cloud/global/images/family/cos-stable
      resource_manager_tags: null
      size: 10
      type: pd-balanced
    mode: READ_WRITE
  # Required for an NVA: lets the VM send/forward packets whose source or
  # destination IP is not its own. What actually gets forwarded is decided by
  # the iptables/FRR configuration in the user-data below.
  can_ip_forward: true
  # Not protected against accidental deletion/destroy.
  deletion_protection: false
  description: Managed by the compute-vm Terraform module.
  desired_status: null
  enable_display: false
  hostname: null
  labels: null
  machine_type: e2-standard-2
  # cloud-init user-data for this NVA. NOTE(review) on the embedded files (the
  # fixture only mirrors the stage's cloud-config, so fixes belong upstream):
  #  - frr.service runs FRR via `docker run --privileged --network host`,
  #    i.e. with the host's capabilities and the host network namespace.
  #  - start-routing.sh sets `iptables --policy FORWARD ACCEPT` and adds an
  #    INPUT accept for tcp/179 with no source restriction, so BGP exposure
  #    is left entirely to VPC firewall rules (not visible here).
  #  - frr.conf disables the RFC 8212 default (`no bgp ebgp-requires-policy`),
  #    applies route-maps only in the `out` direction and sets no neighbor
  #    password: whatever an eBGP peer advertises is accepted as-is.
  #  - start-routing.sh adds `10.64.127.0/17` and `10.80.127.0/17` via eth0.
  #    Neither is on a /17 boundary; the DMZ-side addresses in this file are
  #    10.64.128.x / 10.80.128.x, so 10.64.128.0/17 and 10.80.128.0/17 look
  #    intended. Depending on iproute2/kernel the routes are rejected or
  #    masked to 10.64.0.0/17 / 10.80.0.0/17, which would collide with the
  #    eth1 routes added right after — confirm upstream.
  #  - frr.conf is written 0744 (world-readable, owner-executable); fine while
  #    it holds no secrets, tighten to 0640 if a BGP password is ever added.
  #  - the metadata-server curls run without -s/-f, so an empty reply turns
  #    into a malformed `ip route add` rather than a clear failure.
  metadata:
    user-data: "#cloud-config\n\n# Copyright 2023 Google LLC\n#\n# Licensed under\
      \ the Apache License, Version 2.0 (the \"License\");\n# you may not use this\
      \ file except in compliance with the License.\n# You may obtain a copy of\
      \ the License at\n#\n# https://www.apache.org/licenses/LICENSE-2.0\n#\n\
      # Unless required by applicable law or agreed to in writing, software\n# distributed\
      \ under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES\
      \ OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License\
      \ for the specific language governing permissions and\n# limitations under\
      \ the License.\n\nwrite_files:\n\n  - path: /etc/frr/daemons\n    owner: root\n\
      \    permissions: 0744\n    content: |\n      # Copyright 2023 Google LLC\n\
      \      #\n      # Licensed under the Apache License, Version 2.0 (the \"License\"\
      );\n      # you may not use this file except in compliance with the License.\n\
      \      # You may obtain a copy of the License at\n      #\n      # http://www.apache.org/licenses/LICENSE-2.0\n\
      \      #\n      # Unless required by applicable law or agreed to in writing,\
      \ software\n      # distributed under the License is distributed on an \"\
      AS IS\" BASIS,\n      # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\
      \ express or implied.\n      # See the License for the specific language governing\
      \ permissions and\n      # limitations under the License.\n      \n      zebra=no\n\
      \      bgpd=yes\n      ospfd=no\n      ospf6d=no\n      ripd=no\n      ripngd=no\n\
      \      isisd=no\n      pimd=no\n      ldpd=no\n      nhrpd=no\n      eigrpd=no\n\
      \      babeld=no\n      sharpd=no\n      staticd=no\n      pbrd=no\n      \
      \ bfdd=no\n      fabricd=no\n      \n      # If this option is set the /etc/init.d/frr\
      \ script automatically loads\n      # the config via \"vtysh -b\" when the\
      \ servers are started.\n      # Check /etc/pam.d/frr if you intend to use\
      \ \"vtysh\"!\n      \n      vtysh_enable=yes\n      zebra_options=\" -A 127.0.0.1\
      \ -s 90000000\"\n      bgpd_options=\" -A 127.0.0.1\"\n      ospfd_options=\"\
      \ --daemon -A 127.0.0.1\"\n      ospf6d_options=\" --daemon -A ::1\"\n      \
      \ ripd_options=\" --daemon -A 127.0.0.1\"\n      ripngd_options=\" --daemon\
      \ -A ::1\"\n      isisd_options=\" --daemon -A 127.0.0.1\"\n      pimd_options=\"\
      \ --daemon -A 127.0.0.1\"\n      ldpd_options=\" --daemon -A 127.0.0.1\"\
      \n      nhrpd_options=\" --daemon -A 127.0.0.1\"\n      eigrpd_options=\"\
      \ --daemon -A 127.0.0.1\"\n      babeld_options=\" --daemon -A 127.0.0.1\"\
      \n      sharpd_options=\" --daemon -A 127.0.0.1\"\n      staticd_options=\"\
      \ --daemon -A 127.0.0.1\"\n      pbrd_options=\" --daemon -A 127.0.0.1\"\
      \n      bfdd_options=\" --daemon -A 127.0.0.1\"\n      fabricd_options=\"\
      \ --daemon -A 127.0.0.1\"\n      \n      #MAX_FDS=1024\n      # The list\
      \ of daemons to watch is automatically generated by the init script.\n      \
      \ #watchfrr_options=\"\"\n      \n      # for debugging purposes, you can\
      \ specify a \"wrap\" command to start instead\n      # of starting the daemon\
      \ directly, e.g. to use valgrind on ospfd:\n      # ospfd_wrap=\"/usr/bin/valgrind\"\
      \n      # or you can use \"all_wrap\" for all daemons, e.g. to use perf record:\n\
      \      # all_wrap=\"/usr/bin/perf record --call-graph -\"\n      # the normal\
      \ daemon command is added to this at the end.\n      \n\n  - path: /etc/frr/frr.conf\n\
      \    owner: root\n    permissions: 0744\n    content: |\n      # NVAs configuration\
      \ template\n      \n      log syslog informational\n      no ipv6 forwarding\n\
      \      service integrated-vtysh-config\n      \n      interface lo\n        \
      \ ip address 10.80.128.102/32\n      \n      ip prefix-list DEFAULT seq 10\
      \ permit 0.0.0.0/0\n      !\n      ip prefix-list PRIMARY seq 10 permit 10.64.0.0/17\n\
      \      ip prefix-list PRIMARY seq 20 permit 10.68.0.0/16\n      ip prefix-list\
      \ PRIMARY seq 30 permit 10.72.0.0/16\n      !\n      ip prefix-list SECONDARY\
      \ seq 10 permit 10.80.0.0/17\n      ip prefix-list SECONDARY seq 20 permit\
      \ 10.84.0.0/16\n      ip prefix-list SECONDARY seq 30 permit 10.88.0.0/16\n\
      \      \n      route-map TO-DMZ permit 10\n        match ip address\
      \ prefix-list PRIMARY\n        set metric 10100\n      !\n      route-map\
      \ TO-DMZ permit 20\n        match ip address prefix-list SECONDARY\n\
      \        set metric 100\n      !\n      route-map TO-LANDING permit 10\n  \
      \      match ip address prefix-list DEFAULT\n        set metric 100\n  \
      \    !\n      route-map TO-NVA permit 10\n        match ip address prefix-list\
      \ SECONDARY\n        set metric 50\n      \n      router bgp 64514\n  \
      \      bgp router-id 10.80.128.102\n        bgp bestpath as-path ignore\n  \
      \      bgp disable-ebgp-connected-route-check\n        bgp timers 20 60\n  \
      \    !\n        no bgp ebgp-requires-policy\n        no bgp network import-check\n\
      \        !\n        neighbor 10.80.128.201 remote-as 64512\n        neighbor 10.80.128.202\
      \ remote-as 64512\n        !\n        neighbor 10.80.0.201 remote-as 64515\n\
      \        neighbor 10.80.0.201 update-source 10.80.0.102\n        neighbor 10.80.0.202\
      \ remote-as 64515\n        neighbor 10.80.0.202 update-source 10.80.0.102\n\
      \        !\n        neighbor 10.64.128.101 remote-as 64513\n        neighbor 10.64.128.101\
      \ ebgp-multihop 2\n        neighbor 10.64.128.102 remote-as 64513\n        neighbor\
      \ 10.64.128.102 ebgp-multihop 2\n        !\n        address-family ipv4 unicast\n\
      \          neighbor 10.80.128.201 route-map TO-DMZ out\n          neighbor\
      \ 10.80.128.201 soft-reconfiguration inbound\n          !\n          neighbor 10.80.128.202\
      \ route-map TO-DMZ out\n          neighbor 10.80.128.202 soft-reconfiguration\
      \ inbound\n          !\n          neighbor 10.80.0.201 route-map TO-LANDING out\n\
      \          neighbor 10.80.0.201 soft-reconfiguration inbound\n          !\n  \
      \        neighbor 10.80.0.202 route-map TO-LANDING out\n          neighbor 10.80.0.202\
      \ soft-reconfiguration inbound\n          !\n          neighbor 10.64.128.101 route-map\
      \ TO-NVA out\n          neighbor 10.64.128.101 soft-reconfiguration inbound\n\
      \          !\n          neighbor 10.64.128.102 route-map TO-NVA out\n          neighbor\
      \ 10.64.128.102 soft-reconfiguration inbound\n        exit-address-family\n\
      \      \n\n  - path: /etc/frr/vtysh.conf\n    owner: root\n    permissions:\
      \ 0644\n    content: |\n      # Copyright 2023 Google LLC\n      #\n    \
      \  # Licensed under the Apache License, Version 2.0 (the \"License\");\n    \
      \  # you may not use this file except in compliance with the License.\n\
      \      # You may obtain a copy of the License at\n      #\n      # http://www.apache.org/licenses/LICENSE-2.0\n\
      \      #\n      # Unless required by applicable law or agreed to in writing,\
      \ software\n      # distributed under the License is distributed on an \"\
      AS IS\" BASIS,\n      # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\
      \ express or implied.\n      # See the License for the specific language governing\
      \ permissions and\n      # limitations under the License.\n      \n      #\
      \ This is a sample file used to remove warnings\n      # when users open the\
      \ vtysh console.\n      \n\n  - path: /etc/profile.d/00-aliases.sh\n    owner:\
      \ root\n    permissions: 0644\n    content: |\n      alias vtysh='sudo docker\
      \ exec -it frr sh -c vtysh'\n\n  - path: /etc/systemd/system/frr.service\n\
      \    owner: root\n    permissions: 0644\n    content: |\n      # Copyright\
      \ 2023 Google LLC\n      #\n      # Licensed under the Apache License, Version\
      \ 2.0 (the \"License\");\n      # you may not use this file except in compliance\
      \ with the License.\n      # You may obtain a copy of the License at\n    \
      \  #\n      # http://www.apache.org/licenses/LICENSE-2.0\n      #\n\
      \      # Unless required by applicable law or agreed to in writing, software\n\
      \      # distributed under the License is distributed on an \"AS IS\" BASIS,\n\
      \      # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\
      \      # See the License for the specific language governing permissions and\n\
      \      # limitations under the License.\n      \n      [Unit]\n      Description=Start\
      \ FRR container\n      After=gcr-online.target docker.socket\n      Wants=gcr-online.target\
      \ docker.socket docker-events-collector.service\n      [Service]\n      Environment=\"\
      HOME=/home/frr\"\n      ExecStart=/usr/bin/docker run --rm --name=frr \\\n\
      \        --privileged \\\n        --network host \\\n        -v /etc/frr:/etc/frr\
      \ \\\n        frrouting/frr\n      ExecStop=/usr/bin/docker stop frr\n    \
      \  ExecStopPost=/usr/bin/docker rm frr\n      \n\n  - path: /var/lib/docker/daemon.json\n\
      \    owner: root\n    permissions: 0644\n    content: |\n      {\n\
      \        \"live-restore\": true,\n        \"storage-driver\"\
      : \"overlay2\",\n        \"log-opts\": {\n          \"max-size\"\
      : \"1024m\"\n        }\n      }\n      \n\n  - path: /var/run/nva/ipprefix_by_netmask.sh\n\
      \    owner: root\n    permissions: 0744\n    content: |\n      #!/bin/bash\n\
      \      \n      # Copyright 2023 Google LLC\n      #\n      # Licensed under\
      \ the Apache License, Version 2.0 (the \"License\");\n      # you may not\
      \ use this file except in compliance with the License.\n      # You may obtain\
      \ a copy of the License at\n      #\n      # http://www.apache.org/licenses/LICENSE-2.0\n\
      \      #\n      # Unless required by applicable law or agreed to in writing,\
      \ software\n      # distributed under the License is distributed on an \"\
      AS IS\" BASIS,\n      # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\
      \ express or implied.\n      # See the License for the specific language governing\
      \ permissions and\n      # limitations under the License.\n      \n      #\
      \ https://stackoverflow.com/questions/50413579/bash-convert-netmask-in-cidr-notation\n\
      \      c=0 x=0$(printf '%o' ${1//./ })\n      while [ $x -gt 0 ]; do\n    \
      \      let c+=$((x % 2)) 'x>>=1'\n      done\n      echo $c\n      \n\n  -\
      \ path: /var/run/nva/policy_based_routing.sh\n    owner: root\n    permissions:\
      \ 0744\n    content: |\n      #!/bin/bash\n      \n      # Copyright 2023\
      \ Google LLC\n      #\n      # Licensed under the Apache License, Version\
      \ 2.0 (the \"License\");\n      # you may not use this file except in compliance\
      \ with the License.\n      # You may obtain a copy of the License at\n    \
      \  #\n      # http://www.apache.org/licenses/LICENSE-2.0\n      #\n\
      \      # Unless required by applicable law or agreed to in writing, software\n\
      \      # distributed under the License is distributed on an \"AS IS\" BASIS,\n\
      \      # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\
      \      # See the License for the specific language governing permissions and\n\
      \      # limitations under the License.\n      \n      IF_NAME=$1\n      IF_NUMBER=$(echo\
      \ $IF_NAME | sed -e s/eth//)\n      IF_GW=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/gateway\
      \ -H \"Metadata-Flavor: Google\")\n      IF_IP=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/ip\
      \ -H \"Metadata-Flavor: Google\")\n      IF_NETMASK=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/subnetmask\
      \ -H \"Metadata-Flavor: Google\")\n      IF_IP_PREFIX=$(/var/run/nva/ipprefix_by_netmask.sh\
      \ $IF_NETMASK)\n      \n      # Sleep while there's no load balancer IP route\
      \ for this IF\n      while true\n      do\n        IPS_LB_STR=$(ip r show\
      \ table local | grep \"$IF_NAME proto 66\" | cut -f 2 -d \" \" | tr -s '\\\
      n' ' ')\n        IPS_LB=($IPS_LB_STR)\n        for IP in \"${IPS_LB[@]}\"\n\
      \        do\n          # Configure hc routing table if not available for this\
      \ network interface\n          grep -qxF \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\
      \ /etc/iproute2/rt_tables || {\n            echo \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\
      \ >>/etc/iproute2/rt_tables\n            ip route add $IF_GW src $IF_IP dev\
      \ $IF_NAME table hc-$IF_NAME\n            ip route add default via $IF_GW\
      \ dev $IF_NAME table hc-$IF_NAME\n          }\n      \n          # configure\
      \ PBR route for LB\n          ip rule list | grep -qF \"$IP\" || ip rule add\
      \ from $IP/32 table hc-$IF_NAME\n        done\n      \n        # remove previously\
      \ configure PBR for old LB removed from network interface\n        # first\
      \ get list of PBR on this network interface and retrieve LB IP addresses\n\
      \        PBR_LB_IPS_STR=$(ip rule list | grep \"hc-$IF_NAME\" | cut -f 2 -d\
      \ \" \" | tr -s '\\n' ' ')\n        PBR_LB_IPS=($PBR_LB_IPS_STR)\n      \n\
      \        # iterate over PBR LB IP addresses\n        for PBR_IP in \"${PBR_LB_IPS[@]}\"\
      \n        do\n          # check if the PBR LB IP belongs to the current array\
      \ of LB IPs attached to the\n          # network interface, if not delete\
      \ the corresponding PBR rule\n          if [ -z \"$IPS_LB\" ] || ! echo ${IPS_LB[@]}\
      \ | grep --quiet \"$PBR_IP\" ; then\n            ip rule del from $PBR_IP\n\
      \          fi\n        done\n        sleep 2\n      done\n      \n\n\n  -\
      \ path: /etc/systemd/system/routing.service\n    permissions: 0644\n    owner:\
      \ root\n    content: |\n      [Install]\n      WantedBy=multi-user.target\n\
      \      [Unit]\n      Description=Start routing\n      After=network-online.target\n\
      \      Wants=network-online.target\n      [Service]\n      RemainAfterExit=true\n\
      \      ExecStart=/bin/sh -c \"/var/run/nva/start-routing.sh\"\n  - path: /var/run/nva/start-routing.sh\n\
      \    permissions: 0744\n    owner: root\n    content: |\n      iptables --policy\
      \ FORWARD ACCEPT\n      /var/run/nva/policy_based_routing.sh eth0 &>/dev/null\
      \ &\n      iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n      ip\
      \ route add 10.64.127.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
      \ -H \"Metadata-Flavor:Google\"` dev eth0\n      ip route add 10.80.127.0/17\
      \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
      \ -H \"Metadata-Flavor:Google\"` dev eth0\n      /var/run/nva/policy_based_routing.sh\
      \ eth1 &>/dev/null &\n      ip route add 10.64.0.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\
      \ -H \"Metadata-Flavor:Google\"` dev eth1\n      ip route add 10.80.0.0/17\
      \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\
      \ -H \"Metadata-Flavor:Google\"` dev eth1\n      iptables -A INPUT -p tcp\
      \ --dport 179 -j ACCEPT\n\nbootcmd:\n  - systemctl start node-problem-detector\n\
      \nruncmd:\n  - systemctl daemon-reload\n  - systemctl enable routing\n  -\
      \ systemctl start routing\n  - systemctl start frr\n"
  metadata_startup_script: null
  name: nva-ew4-c
  # Two internal-only NICs (no access_config => no external IP). nic0 is the
  # DMZ-side address (10.80.128.102, FRR router-id and loopback above), nic1
  # the landing-side address (10.80.0.102, BGP update-source above).
  network_interface:
  - access_config: []
    alias_ip_range: []
    ipv6_access_config: []
    network_ip: 10.80.128.102
    nic_type: null
    queue_count: null
    security_policy: null
  - access_config: []
    alias_ip_range: []
    ipv6_access_config: []
    network_ip: 10.80.0.102
    nic_type: null
    queue_count: null
    security_policy: null
  network_performance_config: []
  params: []
  project: fast2-prod-net-landing-0
  resource_policies: null
  # Standard (non-preemptible) provisioning, live-migrated on host maintenance
  # and auto-restarted, so the appliance is not deliberately interruptible.
  scheduling:
  - automatic_restart: true
    instance_termination_action: null
    local_ssd_recovery_timeout: []
    maintenance_interval: null
    max_run_duration: []
    min_node_cpus: null
    node_affinities: []
    on_host_maintenance: MIGRATE
    preemptible: false
    provisioning_model: STANDARD
  scratch_disk: []
  # Minimal OAuth scopes (GCS read-only, logging and monitoring write). The
  # service account email is absent from this fixture (presumably computed at
  # apply time).
  service_account:
  - scopes:
    - https://www.googleapis.com/auth/devstorage.read_only
    - https://www.googleapis.com/auth/logging.write
    - https://www.googleapis.com/auth/monitoring.write
  # Empty: no Shielded VM options (secure boot, vTPM, integrity monitoring)
  # are requested, so image/provider defaults apply. NOTE(review): worth
  # enabling explicitly for a transit appliance — a change for the stage.
  shielded_instance_config: []
  # Network tag; the firewall rules/routes that target `nva` are outside this
  # view.
  tags:
  - nva
  timeouts: null
  zone: europe-west4-c
# Local side of the landing <-> dev spoke peering (the network attributes are
# computed and not part of this fixture). Custom routes are exported and
# imported both ways — presumably how the dynamic routes learned from the NVAs
# reach the spoke — and subnet routes with public IP ranges are exported too.
module.peering-dev.google_compute_network_peering.local_network_peering:
  export_custom_routes: true
  export_subnet_routes_with_public_ip: true
  import_custom_routes: true
  import_subnet_routes_with_public_ip: null
  stack_type: IPV4_ONLY
  timeouts: null
# Peer side of the landing <-> dev spoke peering, mirroring the local side:
# custom routes exported/imported in both directions, public-IP subnet routes
# exported, IPv4 only. import_subnet_routes_with_public_ip is left to the
# provider default (null).
module.peering-dev.google_compute_network_peering.peer_network_peering[0]:
  export_custom_routes: true
  export_subnet_routes_with_public_ip: true
  import_custom_routes: true
  import_subnet_routes_with_public_ip: null
  stack_type: IPV4_ONLY
  timeouts: null
# Local side of the landing <-> prod spoke peering (network attributes are
# computed and absent here). Same posture as the dev peering: custom routes
# exchanged both ways, public-IP subnet routes exported, IPv4 only.
module.peering-prod.google_compute_network_peering.local_network_peering:
  export_custom_routes: true
  export_subnet_routes_with_public_ip: true
  import_custom_routes: true
  import_subnet_routes_with_public_ip: null
  stack_type: IPV4_ONLY
  timeouts: null
# Peer side of the landing <-> prod spoke peering, mirroring the local side
# (custom routes both ways, public-IP subnet routes exported, IPv4 only).
module.peering-prod.google_compute_network_peering.peer_network_peering[0]:
  export_custom_routes: true
  export_subnet_routes_with_public_ip: true
  import_custom_routes: true
  import_subnet_routes_with_public_ip: null
  stack_type: IPV4_ONLY
  timeouts: null
# Private zone for the 10.in-addr.arpa. reverse tree in the prod spoke project.
# The name suggests it peers to the landing zone; peering_config is not part
# of the expected values here. Cloud DNS query logging is off
# (enable_logging: false), so reverse lookups from the spoke are not recorded.
module.prod-dns-peer-landing-rev-10.google_dns_managed_zone.dns_managed_zone[0]:
  cloud_logging_config:
  - enable_logging: false
  description: Terraform managed.
  dns_name: 10.in-addr.arpa.
  dnssec_config: []
  force_destroy: false
  forwarding_config: []
  labels: null
  name: prod-reverse-10-dns-peering
  project: fast2-prod-net-spoke-0
  reverse_lookup: false
  service_directory_config: []
  timeouts: null
  visibility: private
# Private root (".") zone in the prod spoke project; by name it peers every
# name not matched by a more specific zone to the landing project
# (peering_config is computed and absent here). Query logging is off
# (enable_logging: false), so resolution from the spoke is not recorded.
module.prod-dns-peer-landing-root.google_dns_managed_zone.dns_managed_zone[0]:
  cloud_logging_config:
  - enable_logging: false
  description: Terraform managed.
  dns_name: .
  dnssec_config: []
  force_destroy: false
  forwarding_config: []
  labels: null
  name: prod-root-dns-peering
  project: fast2-prod-net-spoke-0
  reverse_lookup: false
  service_directory_config: []
  timeouts: null
  visibility: private
# Private authoritative zone prod.gcp.example.com. in the prod spoke project
# (no peering/forwarding, no DNSSEC config, not force-destroyable). Query
# logging is off (enable_logging: false).
module.prod-dns-private-zone.google_dns_managed_zone.dns_managed_zone[0]:
  cloud_logging_config:
  - enable_logging: false
  description: Terraform managed.
  dns_name: prod.gcp.example.com.
  dnssec_config: []
  force_destroy: false
  forwarding_config: []
  labels: null
  name: prod-gcp-example-com
  peering_config: []
  project: fast2-prod-net-spoke-0
  service_directory_config: []
  timeouts: null
  visibility: private
# Single A record in the private zone: localhost.prod.gcp.example.com. ->
# 127.0.0.1, TTL 300s, no routing policy.
module.prod-dns-private-zone.google_dns_record_set.dns_record_set["A localhost"]:
  managed_zone: prod-gcp-example-com
  name: localhost.prod.gcp.example.com.
  project: fast2-prod-net-spoke-0
  routing_policy: []
  rrdatas:
  - 127.0.0.1
  ttl: 300
  type: A
# Catch-all ingress deny for the prod spoke VPC: lowest priority (65535), all
# protocols, source 0.0.0.0/0, and no target tags/service accounts, so it
# applies to every instance in the network. Logging is on but with all
# metadata excluded (lower volume, less forensic detail per entry). Any allow
# rule needs a numerically lower priority to take precedence over it.
module.prod-spoke-firewall.google_compute_firewall.custom-rules["ingress-default-deny"]:
  allow: []
  deny:
  - ports: []
    protocol: all
  description: Deny and log any unmatched ingress traffic.
  direction: INGRESS
  disabled: false
  log_config:
  - metadata: EXCLUDE_ALL_METADATA
  name: ingress-default-deny
  priority: 65535
  project: fast2-prod-net-spoke-0
  source_ranges:
  - 0.0.0.0/0
  source_service_accounts: null
  source_tags: null
  target_service_accounts: null
  target_tags: null
  timeouts: null
# Marks the prod spoke project as a Shared VPC host; service-project
# attachments and their IAM are handled elsewhere (see the delegated-grants
# binding below for the roles that may be granted on it).
module.prod-spoke-project.google_compute_shared_vpc_host_project.shared_vpc_host[0]:
  project: fast2-prod-net-spoke-0
  timeouts: null
# Adds the prod spoke project (name) to the landing project's metrics scope
# (metrics_scope), so its metrics are visible from the landing project.
module.prod-spoke-project.google_monitoring_monitored_project.primary["fast2-prod-net-landing-0"]:
  metrics_scope: fast2-prod-net-landing-0
  name: fast2-prod-net-spoke-0
  timeouts: null
# The prod spoke project itself. auto_create_network false prevents the
# default VPC (and its permissive default firewall rules) from being created.
# billing_account, folder_id and org_id appear to be test placeholders.
module.prod-spoke-project.google_project.project[0]:
  auto_create_network: false
  billing_account: 000000-111111-222222
  folder_id: null
  labels: null
  name: fast2-prod-net-spoke-0
  org_id: null
  project_id: fast2-prod-net-spoke-0
  skip_delete: false
  timeouts: null
# Authoritative binding: `members` is the complete member list for
# roles/dns.admin on the project, so any other holder of this role is removed
# on apply. `serviceAccount:string` looks like the fixture's placeholder for a
# member not known at plan time.
module.prod-spoke-project.google_project_iam_binding.authoritative["roles/dns.admin"]:
  condition: []
  members:
  - serviceAccount:string
  project: fast2-prod-net-spoke-0
  role: roles/dns.admin
# Conditional grant of roles/resourcemanager.projectIamAdmin (per the title,
# to the prod stage-3 service account; the member is a placeholder here). The
# condition only restricts WHICH ROLES the holder may add or remove on this
# project (`hasOnly` over the listed network/service-agent roles); it does not
# restrict which principals those roles may be granted to. Being an
# authoritative binding, it also replaces any other member holding this role.
module.prod-spoke-project.google_project_iam_binding.bindings["sa_delegated_grants"]:
  condition:
  - description: Production host project delegated grants.
    expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/composer.sharedVpcAgent','roles/compute.networkUser','roles/compute.networkViewer','roles/container.hostServiceAgentUser','roles/multiclusterservicediscovery.serviceAgent','roles/vpcaccess.user'])
    title: prod_stage3_sa_delegated_grants
  members:
  - serviceAccount:string
  project: fast2-prod-net-spoke-0
  role: roles/resourcemanager.projectIamAdmin
# Non-authoritative grant of the Service Networking service-agent role on the
# spoke project; the member (the service identity created below) is computed
# and therefore absent from this fixture.
module.prod-spoke-project.google_project_iam_member.servicenetworking[0]:
  condition: []
  project: fast2-prod-net-spoke-0
  role: roles/servicenetworking.serviceAgent
# Enables the Compute API on the spoke project; the API (and dependents) are
# left enabled when the resource is destroyed.
module.prod-spoke-project.google_project_service.project_services["compute.googleapis.com"]:
  disable_dependent_services: false
  disable_on_destroy: false
  project: fast2-prod-net-spoke-0
  service: compute.googleapis.com
  timeouts: null
# Enables the Cloud DNS API on the spoke project (needed by the private and
# peering zones above); not disabled on destroy.
module.prod-spoke-project.google_project_service.project_services["dns.googleapis.com"]:
  disable_dependent_services: false
  disable_on_destroy: false
  project: fast2-prod-net-spoke-0
  service: dns.googleapis.com
  timeouts: null
# Enables the IAP API on the spoke project (its service identity is created
# below); not disabled on destroy.
module.prod-spoke-project.google_project_service.project_services["iap.googleapis.com"]:
  disable_dependent_services: false
  disable_on_destroy: false
  project: fast2-prod-net-spoke-0
  service: iap.googleapis.com
  timeouts: null
# Enables the Network Management API (connectivity tests and similar
# diagnostics) on the spoke project; not disabled on destroy.
module.prod-spoke-project.google_project_service.project_services["networkmanagement.googleapis.com"]:
  disable_dependent_services: false
  disable_on_destroy: false
  project: fast2-prod-net-spoke-0
  service: networkmanagement.googleapis.com
  timeouts: null
# Enables the Service Networking API on the spoke project (paired with the
# service identity and service-agent grant elsewhere in this file); not
# disabled on destroy.
module.prod-spoke-project.google_project_service.project_services["servicenetworking.googleapis.com"]:
  disable_dependent_services: false
  disable_on_destroy: false
  project: fast2-prod-net-spoke-0
  service: servicenetworking.googleapis.com
  timeouts: null
# Enables the (legacy-named) Stackdriver API on the spoke project; not
# disabled on destroy.
module.prod-spoke-project.google_project_service.project_services["stackdriver.googleapis.com"]:
  disable_dependent_services: false
  disable_on_destroy: false
  project: fast2-prod-net-spoke-0
  service: stackdriver.googleapis.com
  timeouts: null
# Enables the Serverless VPC Access API on the spoke project (roles/vpcaccess.user
# is among the roles delegated in the binding above); not disabled on destroy.
module.prod-spoke-project.google_project_service.project_services["vpcaccess.googleapis.com"]:
  disable_dependent_services: false
  disable_on_destroy: false
  project: fast2-prod-net-spoke-0
  service: vpcaccess.googleapis.com
  timeouts: null
# Creates the IAP service identity (JIT service agent) for the spoke project;
# its email is computed and not part of this fixture.
module.prod-spoke-project.google_project_service_identity.jit_si["iap.googleapis.com"]:
  project: fast2-prod-net-spoke-0
  service: iap.googleapis.com
  timeouts: null
module.prod-spoke-project.google_project_service_identity.servicenetworking[0]:
project: fast2-prod-net-spoke-0
service: servicenetworking.googleapis.com
timeouts: null
module.prod-spoke-vpc.google_compute_network.network[0]:
auto_create_subnetworks: false
delete_default_routes_on_create: true
description: Terraform-managed.
enable_ula_internal_ipv6: null
mtu: 1500
name: prod-spoke-0
network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
project: fast2-prod-net-spoke-0
routing_mode: GLOBAL
timeouts: null
module.prod-spoke-vpc.google_compute_route.gateway["private-googleapis"]:
description: Terraform-managed.
dest_range: 199.36.153.8/30
name: prod-spoke-0-private-googleapis
next_hop_gateway: default-internet-gateway
next_hop_ilb: null
next_hop_instance: null
next_hop_vpn_tunnel: null
priority: 1000
project: fast2-prod-net-spoke-0
tags: null
timeouts: null
module.prod-spoke-vpc.google_compute_route.gateway["restricted-googleapis"]:
description: Terraform-managed.
dest_range: 199.36.153.4/30
name: prod-spoke-0-restricted-googleapis
next_hop_gateway: default-internet-gateway
next_hop_ilb: null
next_hop_instance: null
next_hop_vpn_tunnel: null
priority: 1000
project: fast2-prod-net-spoke-0
tags: null
timeouts: null
module.prod-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/prod-default"]:
description: Default europe-west1 subnet for prod
ip_cidr_range: 10.72.0.0/24
ipv6_access_type: null
log_config: []
name: prod-default
private_ip_google_access: true
project: fast2-prod-net-spoke-0
region: europe-west1
role: null
secondary_ip_range: []
timeouts: null
module.prod-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west4/prod-default"]:
description: Default europe-west4 subnet for prod
ip_cidr_range: 10.88.0.0/24
ipv6_access_type: null
log_config: []
name: prod-default
private_ip_google_access: true
project: fast2-prod-net-spoke-0
region: europe-west4
role: null
secondary_ip_range: []
timeouts: null
module.prod-spoke-vpc.google_dns_policy.default[0]:
alternative_name_server_config: []
description: Managed by Terraform
enable_inbound_forwarding: null
enable_logging: true
name: prod-spoke-0
networks:
- {}
project: fast2-prod-net-spoke-0
timeouts: null
module.spokes-landing["primary"].google_compute_router.cr:
bgp:
- advertise_mode: CUSTOM
advertised_groups: []
advertised_ip_ranges:
- description: GCP landing primary.
range: 10.64.0.0/17
- description: GCP dev primary.
range: 10.68.0.0/16
- description: GCP prod primary.
range: 10.72.0.0/16
- description: GCP landing secondary.
range: 10.80.0.0/17
- description: GCP dev secondary.
range: 10.84.0.0/16
- description: GCP prod secondary.
range: 10.88.0.0/16
asn: 64515
keepalive_interval: 20
description: null
encrypted_interconnect_router: null
name: prod-spoke-landing-ew1-cr
project: fast2-prod-net-landing-0
region: europe-west1
timeouts: null
module.spokes-landing["primary"].google_compute_router_interface.intf_0:
interconnect_attachment: null
name: prod-spoke-landing-ew1-cr-intf0
private_ip_address: 10.64.0.201
project: fast2-prod-net-landing-0
region: europe-west1
router: prod-spoke-landing-ew1-cr
timeouts: null
vpn_tunnel: null
module.spokes-landing["primary"].google_compute_router_interface.intf_1:
interconnect_attachment: null
name: prod-spoke-landing-ew1-cr-intf1
private_ip_address: 10.64.0.202
project: fast2-prod-net-landing-0
redundant_interface: prod-spoke-landing-ew1-cr-intf0
region: europe-west1
router: prod-spoke-landing-ew1-cr
timeouts: null
vpn_tunnel: null
module.spokes-landing["primary"].google_compute_router_peer.peer_0["0"]:
advertise_mode: DEFAULT
advertised_groups: null
advertised_ip_ranges: []
advertised_route_priority: 100
enable: true
enable_ipv6: false
interface: prod-spoke-landing-ew1-cr-intf0
md5_authentication_key: []
peer_asn: 64513
project: fast2-prod-net-landing-0
region: europe-west1
router: prod-spoke-landing-ew1-cr
timeouts: null
module.spokes-landing["primary"].google_compute_router_peer.peer_0["1"]:
advertise_mode: DEFAULT
advertised_groups: null
advertised_ip_ranges: []
advertised_route_priority: 100
enable: true
enable_ipv6: false
interface: prod-spoke-landing-ew1-cr-intf0
md5_authentication_key: []
peer_asn: 64513
project: fast2-prod-net-landing-0
region: europe-west1
router: prod-spoke-landing-ew1-cr
timeouts: null
module.spokes-landing["primary"].google_compute_router_peer.peer_1["0"]:
advertise_mode: DEFAULT
advertised_groups: null
advertised_ip_ranges: []
advertised_route_priority: 100
enable: true
enable_ipv6: false
interface: prod-spoke-landing-ew1-cr-intf1
md5_authentication_key: []
peer_asn: 64513
project: fast2-prod-net-landing-0
region: europe-west1
router: prod-spoke-landing-ew1-cr
timeouts: null
module.spokes-landing["primary"].google_compute_router_peer.peer_1["1"]:
advertise_mode: DEFAULT
advertised_groups: null
advertised_ip_ranges: []
advertised_route_priority: 100
enable: true
enable_ipv6: false
interface: prod-spoke-landing-ew1-cr-intf1
md5_authentication_key: []
peer_asn: 64513
project: fast2-prod-net-landing-0
region: europe-west1
router: prod-spoke-landing-ew1-cr
timeouts: null
module.spokes-landing["primary"].google_network_connectivity_spoke.spoke-ra:
description: null
labels: null
linked_interconnect_attachments: []
linked_router_appliance_instances:
- instances:
- {}
- {}
site_to_site_data_transfer: false
linked_vpc_network: []
linked_vpn_tunnels: []
location: europe-west1
name: prod-spoke-landing-ew1
project: fast2-prod-net-landing-0
timeouts: null
module.spokes-landing["secondary"].google_compute_router.cr:
bgp:
- advertise_mode: CUSTOM
advertised_groups: []
advertised_ip_ranges:
- description: GCP landing primary.
range: 10.64.0.0/17
- description: GCP dev primary.
range: 10.68.0.0/16
- description: GCP prod primary.
range: 10.72.0.0/16
- description: GCP landing secondary.
range: 10.80.0.0/17
- description: GCP dev secondary.
range: 10.84.0.0/16
- description: GCP prod secondary.
range: 10.88.0.0/16
asn: 64515
keepalive_interval: 20
description: null
encrypted_interconnect_router: null
name: prod-spoke-landing-ew4-cr
project: fast2-prod-net-landing-0
region: europe-west4
timeouts: null
module.spokes-landing["secondary"].google_compute_router_interface.intf_0:
interconnect_attachment: null
name: prod-spoke-landing-ew4-cr-intf0
private_ip_address: 10.80.0.201
project: fast2-prod-net-landing-0
region: europe-west4
router: prod-spoke-landing-ew4-cr
timeouts: null
vpn_tunnel: null
module.spokes-landing["secondary"].google_compute_router_interface.intf_1:
interconnect_attachment: null
name: prod-spoke-landing-ew4-cr-intf1
private_ip_address: 10.80.0.202
project: fast2-prod-net-landing-0
redundant_interface: prod-spoke-landing-ew4-cr-intf0
region: europe-west4
router: prod-spoke-landing-ew4-cr
timeouts: null
vpn_tunnel: null
module.spokes-landing["secondary"].google_compute_router_peer.peer_0["0"]:
advertise_mode: DEFAULT
advertised_groups: null
advertised_ip_ranges: []
advertised_route_priority: 100
enable: true
enable_ipv6: false
interface: prod-spoke-landing-ew4-cr-intf0
md5_authentication_key: []
peer_asn: 64514
project: fast2-prod-net-landing-0
region: europe-west4
router: prod-spoke-landing-ew4-cr
timeouts: null
module.spokes-landing["secondary"].google_compute_router_peer.peer_0["1"]:
advertise_mode: DEFAULT
advertised_groups: null
advertised_ip_ranges: []
advertised_route_priority: 100
enable: true
enable_ipv6: false
interface: prod-spoke-landing-ew4-cr-intf0
md5_authentication_key: []
peer_asn: 64514
project: fast2-prod-net-landing-0
region: europe-west4
router: prod-spoke-landing-ew4-cr
timeouts: null
module.spokes-landing["secondary"].google_compute_router_peer.peer_1["0"]:
advertise_mode: DEFAULT
advertised_groups: null
advertised_ip_ranges: []
advertised_route_priority: 100
enable: true
enable_ipv6: false
interface: prod-spoke-landing-ew4-cr-intf1
md5_authentication_key: []
peer_asn: 64514
project: fast2-prod-net-landing-0
region: europe-west4
router: prod-spoke-landing-ew4-cr
timeouts: null
module.spokes-landing["secondary"].google_compute_router_peer.peer_1["1"]:
advertise_mode: DEFAULT
advertised_groups: null
advertised_ip_ranges: []
advertised_route_priority: 100
enable: true
enable_ipv6: false
interface: prod-spoke-landing-ew4-cr-intf1
md5_authentication_key: []
peer_asn: 64514
project: fast2-prod-net-landing-0
region: europe-west4
router: prod-spoke-landing-ew4-cr
timeouts: null
module.spokes-landing["secondary"].google_network_connectivity_spoke.spoke-ra:
description: null
labels: null
linked_interconnect_attachments: []
linked_router_appliance_instances:
- instances:
- {}
- {}
site_to_site_data_transfer: false
linked_vpc_network: []
linked_vpn_tunnels: []
location: europe-west4
name: prod-spoke-landing-ew4
project: fast2-prod-net-landing-0
timeouts: null
module.spokes-dmz["primary"].google_compute_router.cr:
bgp:
- advertise_mode: CUSTOM
advertised_groups: []
advertised_ip_ranges:
- description: Default route.
range: 0.0.0.0/0
asn: 64512
keepalive_interval: 20
description: null
encrypted_interconnect_router: null
name: prod-spoke-dmz-ew1-cr
project: fast2-prod-net-landing-0
region: europe-west1
timeouts: null
module.spokes-dmz["primary"].google_compute_router_interface.intf_0:
interconnect_attachment: null
name: prod-spoke-dmz-ew1-cr-intf0
private_ip_address: 10.64.128.201
project: fast2-prod-net-landing-0
region: europe-west1
router: prod-spoke-dmz-ew1-cr
timeouts: null
vpn_tunnel: null
module.spokes-dmz["primary"].google_compute_router_interface.intf_1:
interconnect_attachment: null
name: prod-spoke-dmz-ew1-cr-intf1
private_ip_address: 10.64.128.202
project: fast2-prod-net-landing-0
redundant_interface: prod-spoke-dmz-ew1-cr-intf0
region: europe-west1
router: prod-spoke-dmz-ew1-cr
timeouts: null
vpn_tunnel: null
module.spokes-dmz["primary"].google_compute_router_peer.peer_0["0"]:
advertise_mode: DEFAULT
advertised_groups: null
advertised_ip_ranges: []
advertised_route_priority: 100
enable: true
enable_ipv6: false
interface: prod-spoke-dmz-ew1-cr-intf0
md5_authentication_key: []
peer_asn: 64513
project: fast2-prod-net-landing-0
region: europe-west1
router: prod-spoke-dmz-ew1-cr
timeouts: null
module.spokes-dmz["primary"].google_compute_router_peer.peer_0["1"]:
advertise_mode: DEFAULT
advertised_groups: null
advertised_ip_ranges: []
advertised_route_priority: 100
enable: true
enable_ipv6: false
interface: prod-spoke-dmz-ew1-cr-intf0
md5_authentication_key: []
peer_asn: 64513
project: fast2-prod-net-landing-0
region: europe-west1
router: prod-spoke-dmz-ew1-cr
timeouts: null
module.spokes-dmz["primary"].google_compute_router_peer.peer_1["0"]:
advertise_mode: DEFAULT
advertised_groups: null
advertised_ip_ranges: []
advertised_route_priority: 100
enable: true
enable_ipv6: false
interface: prod-spoke-dmz-ew1-cr-intf1
md5_authentication_key: []
peer_asn: 64513
project: fast2-prod-net-landing-0
region: europe-west1
router: prod-spoke-dmz-ew1-cr
timeouts: null
module.spokes-dmz["primary"].google_compute_router_peer.peer_1["1"]:
advertise_mode: DEFAULT
advertised_groups: null
advertised_ip_ranges: []
advertised_route_priority: 100
enable: true
enable_ipv6: false
interface: prod-spoke-dmz-ew1-cr-intf1
md5_authentication_key: []
peer_asn: 64513
project: fast2-prod-net-landing-0
region: europe-west1
router: prod-spoke-dmz-ew1-cr
timeouts: null
module.spokes-dmz["primary"].google_network_connectivity_spoke.spoke-ra:
description: null
labels: null
linked_interconnect_attachments: []
linked_router_appliance_instances:
- instances:
- {}
- {}
site_to_site_data_transfer: false
linked_vpc_network: []
linked_vpn_tunnels: []
location: europe-west1
name: prod-spoke-dmz-ew1
project: fast2-prod-net-landing-0
timeouts: null
module.spokes-dmz["secondary"].google_compute_router.cr:
bgp:
- advertise_mode: CUSTOM
advertised_groups: []
advertised_ip_ranges:
- description: Default route.
range: 0.0.0.0/0
asn: 64512
keepalive_interval: 20
description: null
encrypted_interconnect_router: null
name: prod-spoke-dmz-ew4-cr
project: fast2-prod-net-landing-0
region: europe-west4
timeouts: null
module.spokes-dmz["secondary"].google_compute_router_interface.intf_0:
interconnect_attachment: null
name: prod-spoke-dmz-ew4-cr-intf0
private_ip_address: 10.80.128.201
project: fast2-prod-net-landing-0
region: europe-west4
router: prod-spoke-dmz-ew4-cr
timeouts: null
vpn_tunnel: null
module.spokes-dmz["secondary"].google_compute_router_interface.intf_1:
interconnect_attachment: null
name: prod-spoke-dmz-ew4-cr-intf1
private_ip_address: 10.80.128.202
project: fast2-prod-net-landing-0
redundant_interface: prod-spoke-dmz-ew4-cr-intf0
region: europe-west4
router: prod-spoke-dmz-ew4-cr
timeouts: null
vpn_tunnel: null
module.spokes-dmz["secondary"].google_compute_router_peer.peer_0["0"]:
advertise_mode: DEFAULT
advertised_groups: null
advertised_ip_ranges: []
advertised_route_priority: 100
enable: true
enable_ipv6: false
interface: prod-spoke-dmz-ew4-cr-intf0
md5_authentication_key: []
peer_asn: 64514
project: fast2-prod-net-landing-0
region: europe-west4
router: prod-spoke-dmz-ew4-cr
timeouts: null
module.spokes-dmz["secondary"].google_compute_router_peer.peer_0["1"]:
advertise_mode: DEFAULT
advertised_groups: null
advertised_ip_ranges: []
advertised_route_priority: 100
enable: true
enable_ipv6: false
interface: prod-spoke-dmz-ew4-cr-intf0
md5_authentication_key: []
peer_asn: 64514
project: fast2-prod-net-landing-0
region: europe-west4
router: prod-spoke-dmz-ew4-cr
timeouts: null
module.spokes-dmz["secondary"].google_compute_router_peer.peer_1["0"]:
advertise_mode: DEFAULT
advertised_groups: null
advertised_ip_ranges: []
advertised_route_priority: 100
enable: true
enable_ipv6: false
interface: prod-spoke-dmz-ew4-cr-intf1
md5_authentication_key: []
peer_asn: 64514
project: fast2-prod-net-landing-0
region: europe-west4
router: prod-spoke-dmz-ew4-cr
timeouts: null
module.spokes-dmz["secondary"].google_compute_router_peer.peer_1["1"]:
advertise_mode: DEFAULT
advertised_groups: null
advertised_ip_ranges: []
advertised_route_priority: 100
enable: true
enable_ipv6: false
interface: prod-spoke-dmz-ew4-cr-intf1
md5_authentication_key: []
peer_asn: 64514
project: fast2-prod-net-landing-0
region: europe-west4
router: prod-spoke-dmz-ew4-cr
timeouts: null
module.spokes-dmz["secondary"].google_network_connectivity_spoke.spoke-ra:
description: null
labels: null
linked_interconnect_attachments: []
linked_router_appliance_instances:
- instances:
- {}
- {}
site_to_site_data_transfer: false
linked_vpc_network: []
linked_vpn_tunnels: []
location: europe-west4
name: prod-spoke-dmz-ew4
project: fast2-prod-net-landing-0
timeouts: null
counts:
google_compute_address: 8
google_compute_external_vpn_gateway: 2
google_compute_firewall: 12
google_compute_firewall_policy: 1
google_compute_firewall_policy_association: 1
google_compute_firewall_policy_rule: 4
google_compute_ha_vpn_gateway: 2
google_compute_instance: 4
google_compute_network: 4
google_compute_network_peering: 4
google_compute_route: 6
google_compute_router: 8
google_compute_router_interface: 12
google_compute_router_nat: 2
google_compute_router_peer: 20
google_compute_shared_vpc_host_project: 3
google_compute_subnetwork: 10
google_compute_vpn_tunnel: 4
google_dns_managed_zone: 9
google_dns_policy: 4
google_dns_record_set: 3
google_dns_response_policy: 1
google_dns_response_policy_rule: 34
google_essential_contacts_contact: 1
google_folder: 1
google_monitoring_alert_policy: 2
google_monitoring_dashboard: 3
google_monitoring_monitored_project: 2
google_network_connectivity_hub: 2
google_network_connectivity_spoke: 4
google_project: 3
google_project_iam_binding: 6
google_project_iam_member: 2
google_project_service: 20
google_project_service_identity: 5
google_storage_bucket_object: 1
modules: 37
random_id: 2
resources: 212