Support for net-vlan-attachments in 2-networking (#3789)

Simone Ruffilli
2026-03-16 15:03:14 +01:00
committed by GitHub
parent 761399f055
commit 1caeacec20
60 changed files with 1091 additions and 69 deletions

View File

@@ -159,18 +159,19 @@ The following diagram shows the canonical paths for the different factory config
```tree
.
├── dns
│ ├── response-policies # Response Policy Rules for DNS.
│ └── zones # DNS zones (private, forwarding, peering).
├── firewall-policies # Hierarchical firewall policies.
├── ncc-hubs # NCC configurations.
├── nvas # NVA configurations.
├── projects # Project definitions.
│ ├── response-policies # Response Policy Rules for DNS.
│ └── zones # DNS zones (private, forwarding, peering).
├── firewall-policies # Hierarchical firewall policies.
├── ncc-hubs # NCC configurations.
├── nvas # NVA configurations.
├── projects # Project definitions.
└── vpcs
└── [vpc-name] # Each subfolder represents a VPC.
├── .config.yaml # Main VPC configuration, peerings, NAT.
├── firewall-rules # VPC-level firewall rules.
├── subnets # Subnet definitions.
── vpns # VPN configurations.
└── [vpc-name] # Each subfolder represents a VPC.
├── .config.yaml # Main VPC configuration, peerings, NAT.
├── firewall-rules # VPC-level firewall rules.
├── subnets # Subnet definitions.
── vlan-attachments # VLAN attachment configurations.
└── vpns # VPN configurations.
```
### Networking projects
@@ -233,9 +234,10 @@ routers:
### VPC Connectivity
This stage supports multiple ways to connect VPCs:
This stage supports multiple ways to connect VPCs to other VPCs or other networks:
- **VPC Peering:** Managed via the `peering_config` section in a VPC's `.config.yaml` file.
- **VLAN Attachments:** Partner or Dedicated Interconnect VLAN attachments are defined in the `vpcs/[vpc-name]/vlan-attachments` directory. By default, they are disabled by passing a non-existing directory via `factories_config`.
- **VPNs:** High-availability VPNs are defined in the `vpcs/[vpc-name]/vpns` directory.
- **Network Connectivity Center (NCC):** Managed via the `ncc_config` section in a VPC's `.config.yaml` file.
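Review bot: the VLAN Attachments bullet says "By default, they are disabled by passing a non-existing directory via `factories_config`", which does not match the factory: `factory-vlan-attachments.tf` falls back to `${vpc.factory_basepath}/vlan-attachments` whenever `factories_config.vlan_attachments` is unset, so a VPC with no `factories_config` at all has the factory enabled. It is only the shipped sample `.config.yaml` files that disable it by setting `vlan_attachments: "none"`. Suggest: "Attachments are read from `vpcs/[vpc-name]/vlan-attachments` unless `factories_config.vlan_attachments` points elsewhere; the sample data disables them by pointing it at a directory that does not exist."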
@@ -302,6 +304,7 @@ Internally created resources are mapped to context namespaces, and use specific
| [factory-peering.tf](./factory-peering.tf) | VPC Peering factory. | | <code>google_compute_network_peering</code> |
| [factory-projects.tf](./factory-projects.tf) | Projects factory. | <code>project-factory</code> | |
| [factory-routers.tf](./factory-routers.tf) | Routers factory. | | <code>google_compute_router</code> |
| [factory-vlan-attachments.tf](./factory-vlan-attachments.tf) | VLAN attachments factory. | <code>net-vlan-attachment</code> | |
| [factory-vpcs.tf](./factory-vpcs.tf) | VPC and firewall rules factory. | <code>net-vpc</code> · <code>net-vpc-factory</code> | |
| [factory-vpns.tf](./factory-vpns.tf) | VPNs factory. | <code>net-vpn-ha</code> | <code>google_compute_ha_vpn_gateway</code> |
| [main.tf](./main.tf) | Module-level locals and resources. | | |

View File

@@ -1,4 +1,4 @@
# Copyright 2025 Google LLC
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

View File

@@ -8,7 +8,7 @@ project_id: $project_ids:net-core-0
name: hub-0
delete_default_routes_on_create: true
routers:
vpn-router:
hybrid-connectivity-router:
region: $locations:primary
asn: 64514
routes:
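Review bot: renaming the router key from `vpn-router` to `hybrid-connectivity-router` is a breaking change for existing deployments of this stage: `name` is immutable on `google_compute_router`, so the plan will destroy and recreate the router together with the BGP sessions of every VPN tunnel that references `$routers:hub/vpn-router`. The rename is sensible now that both VPNs and VLAN attachments share the router, but it should be called out in the PR description/upgrade notes rather than appear only in sample data.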
@@ -16,3 +16,5 @@ routes:
dest_range: 0.0.0.0/0
next_hop_type: "gateway"
next_hop: "default-internet-gateway"
factories_config:
vlan_attachments: "none"
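Review bot: `vlan_attachments: "none"` disables the factory only because `none` is resolved as a relative path (`${factory_basepath}/none`) and that directory happens not to exist, so `fileset` returns nothing. A sentinel that is really a path is fragile (a subdirectory actually named `none` would silently enable attachments) and nothing in the schema or README documents it. Suggest having the factory accept `null` or an explicit disable value, or at least adding a comment here stating that the intent is "disabled".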

View File

@@ -0,0 +1,28 @@
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../../schemas/vlan-attachments.schema.json
name: to-onprem-vlan-0
region: $locations:primary
router_config:
create: false
name: $routers:hub/hybrid-connectivity-router
ncc_spoke_config:
hub: $ncc_hubs:hub
peer_asn: "64513"
dedicated_interconnect_config:
bandwidth: BPS_10G
interconnect: "https://www.googleapis.com/compute/v1/projects/my-project/global/interconnects/my-interconnect-0"
vlan_tag: "123"
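Review bot: the two sample attachments configure a BGP session to `peer_asn: "64513"` without `router_config.md5_authentication_key`, which the new schema exposes; since these files are what users will copy, consider showing the authenticated form (key name only, secret supplied out of band) or adding a comment that session authentication is available. `interconnect` points at a placeholder project (`my-project`), which is fine for test data but worth a comment so it is not copied verbatim.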

View File

@@ -0,0 +1,28 @@
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../../schemas/vlan-attachments.schema.json
name: to-onprem-vlan-1
region: $locations:primary
router_config:
create: false
name: $routers:hub/hybrid-connectivity-router
ncc_spoke_config:
hub: $ncc_hubs:hub
peer_asn: "64513"
dedicated_interconnect_config:
bandwidth: BPS_10G
interconnect: "https://www.googleapis.com/compute/v1/projects/my-project/global/interconnects/my-interconnect-1"
vlan_tag: "124"

View File

@@ -1,4 +1,4 @@
# Copyright 2025 Google LLC
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -24,7 +24,7 @@ peer_gateways:
- 8.8.8.8
router_config:
create: false
name: $routers:hub/vpn-router
name: $routers:hub/hybrid-connectivity-router
ncc_spoke_config:
hub: $ncc_hubs:hub
tunnels:

View File

@@ -1,4 +1,4 @@
# Copyright 2025 Google LLC
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

View File

@@ -9,7 +9,7 @@ name: dmz
delete_default_routes_on_create: true
mtu: 1500
routers:
vpn-router:
hybrid-connectivity-router:
region: $locations:primary
asn: 64514
custom_advertise:
@@ -47,3 +47,5 @@ routes:
priority: 100
next_hop_type: "gateway"
next_hop: "default-internet-gateway"
factories_config:
vlan_attachments: "none"

View File

@@ -0,0 +1,26 @@
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../../schemas/vlan-attachments.schema.json
name: to-onprem-vlan-0
region: $locations:primary
router_config:
create: false
name: $routers:dmz/hybrid-connectivity-router
peer_asn: "64513"
dedicated_interconnect_config:
bandwidth: BPS_10G
interconnect: "https://www.googleapis.com/compute/v1/projects/my-project/global/interconnects/my-interconnect-0"
vlan_tag: "123"

View File

@@ -0,0 +1,26 @@
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../../schemas/vlan-attachments.schema.json
name: to-onprem-vlan-1
region: $locations:primary
router_config:
create: false
name: $routers:dmz/hybrid-connectivity-router
peer_asn: "64513"
dedicated_interconnect_config:
bandwidth: BPS_10G
interconnect: "https://www.googleapis.com/compute/v1/projects/my-project/global/interconnects/my-interconnect-1"
vlan_tag: "124"

View File

@@ -14,7 +14,7 @@ peer_gateways:
- 8.8.8.8
router_config:
create: false
name: $routers:dmz/vpn-router
name: $routers:dmz/hybrid-connectivity-router
tunnels:
remote-0:
bgp_peer:

View File

@@ -1,4 +1,4 @@
# Copyright 2025 Google LLC
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

View File

@@ -16,7 +16,7 @@ peering_config:
to-dev:
peer_network: $networks:dev
routers:
vpn-router:
hybrid-connectivity-router:
region: $locations:primary
asn: 64514
# Uncomment to enable custom route advertisement. (see https://docs.cloud.google.com/network-connectivity/docs/router/how-to/advertising-custom-ip)
@@ -36,3 +36,5 @@ routes:
next_hop: "default-internet-gateway"
# dns_policy:
# logging: true
factories_config:
vlan_attachments: "none"

View File

@@ -0,0 +1,26 @@
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../../schemas/vlan-attachments.schema.json
name: to-onprem-vlan-0
region: $locations:primary
router_config:
create: false
name: $routers:hub/hybrid-connectivity-router
peer_asn: "64513"
dedicated_interconnect_config:
bandwidth: BPS_10G
interconnect: "https://www.googleapis.com/compute/v1/projects/my-project/global/interconnects/my-interconnect-0"
vlan_tag: "123"

View File

@@ -0,0 +1,26 @@
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../../schemas/vlan-attachments.schema.json
name: to-onprem-vlan-1
region: $locations:primary
router_config:
create: false
name: $routers:hub/hybrid-connectivity-router
peer_asn: "64513"
dedicated_interconnect_config:
bandwidth: BPS_10G
interconnect: "https://www.googleapis.com/compute/v1/projects/my-project/global/interconnects/my-interconnect-1"
vlan_tag: "124"

View File

@@ -14,7 +14,7 @@ peer_gateways:
- 8.8.8.8
router_config:
create: false
name: $routers:hub/vpn-router
name: $routers:hub/hybrid-connectivity-router
tunnels:
remote-0:
bgp_peer:

View File

@@ -1,4 +1,4 @@
# Copyright 2025 Google LLC
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

View File

@@ -1,4 +1,4 @@
# Copyright 2025 Google LLC
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

View File

@@ -19,8 +19,18 @@ routers:
"10.0.0.0/8": "rfc1918-10"
"172.16.0.0/12": "rfc1918-172"
"192.168.0.0/16": "rfc1918-192"
hybrid-connectivity-router:
region: $locations:primary
asn: 64515
custom_advertise:
ip_ranges:
"10.0.0.0/8": "rfc1918-10"
"172.16.0.0/12": "rfc1918-172"
"192.168.0.0/16": "rfc1918-192"
routes:
default:
dest_range: 0.0.0.0/0
next_hop_type: "gateway"
next_hop: "default-internet-gateway"
factories_config:
vlan_attachments: "none"

View File

@@ -0,0 +1,26 @@
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../../schemas/vlan-attachments.schema.json
name: to-onprem-vlan-0
region: $locations:primary
router_config:
create: false
name: $routers:hub/hybrid-connectivity-router
peer_asn: "64513"
dedicated_interconnect_config:
bandwidth: BPS_10G
interconnect: "https://www.googleapis.com/compute/v1/projects/my-project/global/interconnects/my-interconnect-0"
vlan_tag: "123"

View File

@@ -0,0 +1,26 @@
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../../schemas/vlan-attachments.schema.json
name: to-onprem-vlan-1
region: $locations:primary
router_config:
create: false
name: $routers:hub/hybrid-connectivity-router
peer_asn: "64513"
dedicated_interconnect_config:
bandwidth: BPS_10G
interconnect: "https://www.googleapis.com/compute/v1/projects/my-project/global/interconnects/my-interconnect-1"
vlan_tag: "124"

View File

@@ -1,4 +1,4 @@
# Copyright 2025 Google LLC
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -24,7 +24,7 @@ peer_gateways:
- 8.8.8.8
router_config:
create: false
name: $routers:hub/vpn-router
name: $routers:hub/hybrid-connectivity-router
tunnels:
remote-0:
bgp_peer:

View File

@@ -1,4 +1,4 @@
# Copyright 2025 Google LLC
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

View File

@@ -1,4 +1,4 @@
# Copyright 2025 Google LLC
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

View File

@@ -1,4 +1,4 @@
# Copyright 2025 Google LLC
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

View File

@@ -1,5 +1,5 @@
/**
* Copyright 2025 Google LLC
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

View File

@@ -1,5 +1,5 @@
/**
* Copyright 2025 Google LLC
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

View File

@@ -1,5 +1,5 @@
/**
* Copyright 2025 Google LLC
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

View File

@@ -1,5 +1,5 @@
/**
* Copyright 2025 Google LLC
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -72,7 +72,7 @@ locals {
"${vpn_key}/${replace(vpn_config.ncc_spoke_config.hub, "$ncc_hubs:", "")}" => merge(
vpn_config.ncc_spoke_config,
{
name = replace("${vpn_key}/${vpn_config.ncc_spoke_config.hub}", "$ncc_hubs:", "") # TODO: eww
name = replace("${vpn_key}/${vpn_config.ncc_spoke_config.hub}", "$ncc_hubs:", "")
project_id = vpn_config.project_id
hub = vpn_config.ncc_spoke_config.hub
group = try(vpn_config.ncc_spoke_config.group, null)
@@ -83,6 +83,22 @@ locals {
}
) if try(vpn_config.ncc_spoke_config != null, false)
}
ncc_vlan_attachment_spokes = {
for va_key, va_config in local.vlan_attachments :
"${va_key}/${replace(va_config.ncc_spoke_config.hub, "$ncc_hubs:", "")}" => merge(
va_config.ncc_spoke_config,
{
name = replace("${va_key}/${va_config.ncc_spoke_config.hub}", "$ncc_hubs:", "")
project_id = va_config.project_id
hub = va_config.ncc_spoke_config.hub
group = try(va_config.ncc_spoke_config.group, null)
location = va_config.region
description = lookup(va_config.ncc_spoke_config, "description", "Terraform-managed.")
labels = lookup(va_config.ncc_spoke_config, "labels", {})
attachment_uri = module.vlan-attachments[va_key].id
}
) if try(va_config.ncc_spoke_config != null, false)
}
}
resource "google_network_connectivity_hub" "default" {
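Review bot: `ncc_vlan_attachment_spokes` is a copy of the VPN spoke local directly above it with `vpn` renamed to `va`; the two differ only in the trailing `attachment_uri` field, so either a shared expression or one merged map keyed by spoke type would keep them from drifting. Also the default description here is `"Terraform-managed."` while `module "vlan-attachments"` in `factory-vlan-attachments.tf` defaults to `"Terraform managed."`; pick one string.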
@@ -192,4 +208,35 @@ resource "google_network_connectivity_spoke" "tunnels" {
depends_on = [module.vpn-ha]
}
resource "google_network_connectivity_spoke" "vlan_attachments" {
for_each = local.ncc_vlan_attachment_spokes
project = lookup(
local.ctx_projects.project_ids,
replace(each.value.project_id, "$project_ids:", ""),
each.value.project_id
)
name = replace(each.key, "/", "-")
location = lookup(
local.ctx.locations,
replace(each.value.location, "$locations:", ""),
each.value.location
)
description = each.value.description
labels = each.value.labels
hub = lookup(
local.ctx_ncc_hubs,
replace(each.value.hub, "$ncc_hubs:", ""),
each.value.hub
)
group = each.value.group == null ? null : lookup(
local.ctx_ncc_groups,
replace(each.value.group, "$ncc_groups:", ""),
each.value.group
)
linked_interconnect_attachments {
uris = [each.value.attachment_uri]
site_to_site_data_transfer = true
include_import_ranges = ["ALL_IPV4_RANGES"]
}
depends_on = [module.vlan-attachments]
}
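Review bot: `linked_interconnect_attachments` hardcodes `site_to_site_data_transfer = true` and `include_import_ranges = ["ALL_IPV4_RANGES"]`, while the `ncc_spoke_config` definition in the new schema declares `exclude_export_ranges` and `include_export_ranges` that this resource never reads, so a user who sets them gets neither effect nor error. Either wire them through where the provider supports them on this spoke type, or drop them from the schema. Unconditionally importing every IPv4 range advertised from on-prem is also a routing-policy decision that belongs in the YAML, not in the resource.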

View File

@@ -1,5 +1,5 @@
/**
* Copyright 2025 Google LLC
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

View File

@@ -1,5 +1,5 @@
/**
* Copyright 2025 Google LLC
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

View File

@@ -1,5 +1,5 @@
/**
* Copyright 2025 Google LLC
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

View File

@@ -1,5 +1,5 @@
/**
* Copyright 2025 Google LLC
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

View File

@@ -0,0 +1,96 @@
/**
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
# tfdoc:file:description VLAN attachments factory.
locals {
# Discover YAML files that define VLAN attachments across all VPCs.
# It checks each VPC's configured `vlan_attachments` factory path (defaulting to
# `<factory_basepath>/vlan-attachments`).
# Returns a flattened map of all discovered files keyed by `<vpc_key>-<filename>`.
_vlan_attachments_files = try(
merge([
for vpc_key, vpc in local.vpcs : {
for f in try(fileset(
try(
startswith(vpc.factories_config.vlan_attachments, "/") || startswith(vpc.factories_config.vlan_attachments, ".") ? vpc.factories_config.vlan_attachments :
"${vpc.factory_basepath}/${vpc.factories_config.vlan_attachments}",
"${vpc.factory_basepath}/vlan-attachments"
),
"**/*.yaml"
), []) :
"${vpc_key}-${replace(f, ".yaml", "")}" => {
vpc_key = vpc_key
filename = f
path = try(
startswith(vpc.factories_config.vlan_attachments, "/") || startswith(vpc.factories_config.vlan_attachments, ".")
? "${vpc.factories_config.vlan_attachments}/${f}"
: "${vpc.factory_basepath}/${vpc.factories_config.vlan_attachments}/${f}",
"${vpc.factory_basepath}/vlan-attachments/${f}"
)
}
}
]...),
{}
)
# Read and decode the discovered YAML files. This step also injects VPC-level
# inferred attributes into each configuration, such as the `project_id` and
# `network`, ensuring each attachment is correctly associated with its parent VPC.
_vlan_attachments_preprocess = {
for k, v in local._vlan_attachments_files : k => merge(
try(yamldecode(file(v.path)), {}),
{
key = k
vpc_key = v.vpc_key
project_id = local.vpcs[v.vpc_key].project_id
network = local.vpcs[v.vpc_key].name
}
)
}
vlan_attachments = {
for k, v in local._vlan_attachments_preprocess : k => merge(v, {
region = try(v.region, local.vpc_defaults.region, null)
mtu = try(v.mtu, local.vpcs[v.vpc_key].mtu, local.vpc_defaults.mtu, 1500)
})
}
}
module "vlan-attachments" {
source = "../../../modules/net-vlan-attachment"
for_each = local.vlan_attachments
admin_enabled = try(each.value.admin_enabled, true)
dedicated_interconnect_config = try(each.value.dedicated_interconnect_config, null)
description = try(each.value.description, "Terraform managed.")
ipsec_gateway_ip_ranges = try(each.value.ipsec_gateway_ip_ranges, {})
mtu = each.value.mtu
name = try(each.value.name, each.value.key)
network = each.value.network
partner_interconnect_config = try(each.value.partner_interconnect_config, null)
peer_asn = each.value.peer_asn
project_id = try(each.value.project_id, local.project_defaults.defaults.parent)
region = each.value.region
router_config = each.value.router_config
vpn_gateways_ip_range = try(each.value.vpn_gateways_ip_range, null)
context = {
locations = local.ctx.locations
networks = local.ctx_vpcs.self_links
project_ids = local.ctx_projects.project_ids
routers = local.ctx_routers.names
}
depends_on = [module.vpc-factory]
}
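Review bot: `try(yamldecode(file(v.path)), {})` in `_vlan_attachments_preprocess` swallows YAML syntax errors and turns a malformed file into an attachment with no `name` or `peer_asn`, which then fails later with an unhelpful error on `each.value.peer_asn`; `factory-vpns.tf` calls `yamldecode(file(v.path))` directly, do the same here so a broken file fails at the file. Smaller points: `project_id = try(each.value.project_id, local.project_defaults.defaults.parent)` is dead code because `project_id` is always injected in the preprocess step (and a folder parent would not be a valid project anyway); `replace(f, ".yaml", "")` replaces every occurrence, `trimsuffix(f, ".yaml")` is the intended operation; and the region default reads `local.vpc_defaults.region` where `factory-vpns.tf` reads `local.defaults.vpcs.region`, so confirm both locals exist or align them.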

View File

@@ -1,5 +1,5 @@
/**
* Copyright 2025 Google LLC
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -55,13 +55,22 @@ locals {
subnets_psc = try(v.subnets_psc, [])
subnets = try(v.subnets, [])
subnets_factory_config = {
subnets_folder = "${v.factory_basepath}/subnets"
subnets_folder = try(
startswith(v.factories_config.subnets, "/") || startswith(v.factories_config.subnets, ".") ? v.factories_config.subnets :
"${v.factory_basepath}/${v.factories_config.subnets}",
"${v.factory_basepath}/subnets"
)
}
firewall_factory_config = {
rules_folder = "${v.factory_basepath}/firewall-rules"
rules_folder = try(
startswith(v.factories_config.firewall_rules, "/") || startswith(v.factories_config.firewall_rules, ".") ? v.factories_config.firewall_rules :
"${v.factory_basepath}/${v.factories_config.firewall_rules}",
"${v.factory_basepath}/firewall-rules"
)
}
peering_config = try(v.peering_config, {})
vpn_config = try(v.vpn_config, {})
factories_config = try(v.factories_config, {})
peering_config = try(v.peering_config, {})
vpn_config = try(v.vpn_config, {})
}
)
}
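Review bot: the absolute-vs-relative path expression (`startswith(x, "/") || startswith(x, ".") ? x : "${v.factory_basepath}/${x}"` wrapped in `try(..., default)`) now appears for `subnets` and `firewall_rules` here and again for `vpns` and `vlan_attachments` in their own factories. Resolving all four once in this local, for example into a `factories_paths` map on the VPC object, would remove the duplication and give the other factories a single resolved value to read instead of each re-deriving it from `factories_config`.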

View File

@@ -1,5 +1,5 @@
/**
* Copyright 2025 Google LLC
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -18,24 +18,45 @@
locals {
_vpns_files = try(
fileset(local.paths.vpcs, "**/vpns/*.yaml"),
[]
merge([
for vpc_key, vpc in local.vpcs : {
for f in try(fileset(
try(
startswith(vpc.factories_config.vpns, "/") || startswith(vpc.factories_config.vpns, ".") ? vpc.factories_config.vpns :
"${vpc.factory_basepath}/${vpc.factories_config.vpns}",
"${vpc.factory_basepath}/vpns"
),
"**/*.yaml"
), []) :
"${vpc_key}-${replace(f, ".yaml", "")}" => {
vpc_key = vpc_key
filename = f
path = try(
startswith(vpc.factories_config.vpns, "/") || startswith(vpc.factories_config.vpns, ".")
? "${vpc.factories_config.vpns}/${f}"
: "${vpc.factory_basepath}/${vpc.factories_config.vpns}/${f}",
"${vpc.factory_basepath}/vpns/${f}"
)
}
}
]...),
{}
)
_vpns_preprocess = [
for f in local._vpns_files : merge(
yamldecode(file("${coalesce(local.paths.vpcs, "-")}/${f}")),
_vpns_preprocess = {
for k, v in local._vpns_files : k => merge(
yamldecode(file(v.path)),
{
factory_basepath = dirname(dirname(f))
vpc_name = v.vpc_key
}
)
]
}
ctx_gateways = { for k, v in google_compute_ha_vpn_gateway.default : k => v.id }
vpns = {
for v in local._vpns_preprocess : "${v.factory_basepath}/${v.name}" => merge(v, {
vpc_name = v.factory_basepath
for k, v in local._vpns_preprocess : "${v.vpc_name}/${v.name}" => merge(v, {
vpc_name = v.vpc_name
# TODO: discuss - this is pushing context at any cost, as project could be easily resolved
# as module.vpcs[v.factory_basepath].project_id
project_id = local.vpcs[v.factory_basepath].project_id
# as module.vpcs[v.vpc_name].project_id
project_id = local.vpcs[v.vpc_name].project_id
router_config = try(v.router_config, {})
region = try(v.region, local.defaults.vpcs.region)
peer_gateways = try(v.peer_gateways, {})
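Review bot: behaviour change worth stating in the PR: discovery moved from one `fileset(local.paths.vpcs, "**/vpns/*.yaml")` to a per-VPC walk over `local.vpcs`, so a `vpns/` directory under a folder that has no `.config.yaml` is now silently skipped where before the `local.vpcs[...]` lookup failed the plan. Minor: `vpc_name = v.vpc_name` inside the `vpns` merge is redundant since the key is already present in `v`, and the "TODO: discuss" comment above `project_id` still reads as an open question; resolve it or leave it, but not half-updated.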

View File

@@ -1,5 +1,5 @@
/**
* Copyright 2025 Google LLC
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -85,4 +85,3 @@ locals {
try(local._defaults.vpcs, {})
)
}

View File

@@ -1,5 +1,5 @@
/**
* Copyright 2025 Google LLC
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

View File

@@ -6,6 +6,13 @@
*additional properties: false*
- **asset_search**: *object*
<br>*additional properties: false*
- **`^[a-z0-9-]+$`**: *object*
<br>*additional properties: false*
- ⁺**asset_types**: *array*
- items: *string*
- **query**: *string*
- **asset_feeds**: *object*
<br>*additional properties: false*
- **`^[a-z0-9-]+$`**: *object*
@@ -75,6 +82,26 @@
- **exempted_members**: *array*
- items: *string*
- **deletion_protection**: *boolean*
- **id**: *string*
<br>*pattern: ^(folders/[0-9]+|\$folder_ids:[a-z0-9_/-]+)$*
- **firewall_policy**: *object*
<br>*additional properties: false*
- ⁺**name**: *string*
- ⁺**policy**: *string*
- **logging**: *object*
<br>*additional properties: false*
- **kms_key_name**: *string*
- **storage_location**: *string*
- **sinks**: *object*
<br>*additional properties: false*
- **`^[a-z][a-z0-9-_]+$`**: *object*
<br>*additional properties: false*
- **description**: *string*
- **destination**: *string*
- **exclusions**: *object*
- **filter**: *string*
- **type**: *string*
<br>*default: logging*, *enum: ['bigquery', 'logging', 'project', 'pubsub', 'storage']*
- **factories_config**: *object*
<br>*additional properties: false*
- **org_policies**: *string*
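Review bot: the additions in this file (`asset_search`, `firewall_policy`, `logging`, `sinks`) have nothing to do with VLAN attachments and look like a regenerated schema doc catching up with an earlier schema change. Fine to include if the generator produced them, but confirm they were generated from the current schema rather than a local working copy, and mention the doc drift in the PR description so reviewers do not look for the corresponding schema change in this diff.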

View File

@@ -0,0 +1,209 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"$id": "https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/blob/master/fast/stages/2-networking/schemas/vlan-attachments.schema.json",
"title": "VLAN Attachments schema",
"type": "object",
"additionalProperties": false,
"required": [
"peer_asn",
"router_config"
],
"properties": {
"admin_enabled": {
"type": "boolean",
"default": true
},
"dedicated_interconnect_config": {
"type": "object",
"additionalProperties": false,
"required": [
"interconnect",
"vlan_tag"
],
"properties": {
"bandwidth": {
"type": "string",
"enum": [
"BPS_50M",
"BPS_100M",
"BPS_200M",
"BPS_300M",
"BPS_400M",
"BPS_500M",
"BPS_1G",
"BPS_2G",
"BPS_5G",
"BPS_10G",
"BPS_20G",
"BPS_50G",
"BPS_100G",
"BPS_400G"
]
},
"bgp_range": {
"type": "string"
},
"bgp_priority": {
"type": "number"
},
"interconnect": {
"type": "string"
},
"vlan_tag": {
"type": "string"
}
}
},
"description": {
"type": "string"
},
"ipsec_gateway_ip_ranges": {
"type": "object",
"additionalProperties": {
"type": "string"
}
},
"mtu": {
"type": "number",
"default": 1500
},
"name": {
"type": "string"
},
"partner_interconnect_config": {
"type": "object",
"additionalProperties": false,
"required": [
"edge_availability_domain"
],
"properties": {
"edge_availability_domain": {
"type": "string",
"enum": [
"AVAILABILITY_DOMAIN_1",
"AVAILABILITY_DOMAIN_2",
"AVAILABILITY_DOMAIN_ANY"
]
}
}
},
"peer_asn": {
"type": "string"
},
"region": {
"type": "string"
},
"router_config": {
"type": "object",
"additionalProperties": false,
"properties": {
"create": {
"type": "boolean",
"default": true
},
"asn": {
"type": "number"
},
"bfd": {
"type": "object",
"additionalProperties": false,
"properties": {
"min_receive_interval": {
"type": "number"
},
"min_transmit_interval": {
"type": "number"
},
"multiplier": {
"type": "number"
},
"session_initialization_mode": {
"type": "string",
"enum": [
"ACTIVE",
"PASSIVE"
]
}
}
},
"custom_advertise": {
"type": "object",
"additionalProperties": false,
"required": [
"all_subnets",
"ip_ranges"
],
"properties": {
"all_subnets": {
"type": "boolean"
},
"ip_ranges": {
"type": "object",
"additionalProperties": {
"type": "string"
}
}
}
},
"md5_authentication_key": {
"type": "object",
"additionalProperties": false,
"required": [
"name"
],
"properties": {
"name": {
"type": "string"
},
"key": {
"type": "string"
}
}
},
"keepalive": {
"type": "number"
},
"name": {
"type": "string"
}
}
},
"vpn_gateways_ip_range": {
"type": "string"
},
"ncc_spoke_config": {
"$ref": "#/$defs/ncc_spoke_config"
}
},
"$defs": {
"ncc_spoke_config": {
"type": "object",
"properties": {
"hub": {
"type": "string"
},
"description": {
"type": "string"
},
"labels": {
"type": "object"
},
"exclude_export_ranges": {
"type": "array",
"items": {
"type": "string"
}
},
"include_export_ranges": {
"type": "array",
"items": {
"type": "string"
}
},
"group": {
"type": "string"
}
}
}
}
}
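Review bot: the `ncc_spoke_config` definition in `$defs` lacks `"additionalProperties": false` and a `"required": ["hub"]`, unlike every other object in this schema, so a typo such as `hubb:` validates and only surfaces when `va_config.ncc_spoke_config.hub` is dereferenced in `factory-ncc.tf`. Separately, `router_config.md5_authentication_key.key` is a BGP shared secret: accepting it inline means the secret is committed in plaintext alongside the YAML; at minimum document that, or support a context reference so the value can be supplied from a variable.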

View File

@@ -0,0 +1,65 @@
# VLAN Attachments schema
<!-- markdownlint-disable MD036 -->
## Properties
*additional properties: false*
- **admin_enabled**: *boolean*
- **dedicated_interconnect_config**: *object*
<br>*additional properties: false*
- **bandwidth**: *string*
<br>*enum: ['BPS_50M', 'BPS_100M', 'BPS_200M', 'BPS_300M', 'BPS_400M', 'BPS_500M', 'BPS_1G', 'BPS_2G', 'BPS_5G', 'BPS_10G', 'BPS_20G', 'BPS_50G', 'BPS_100G', 'BPS_400G']*
- **bgp_range**: *string*
- **bgp_priority**: *number*
- ⁺**interconnect**: *string*
- ⁺**vlan_tag**: *string*
- **description**: *string*
- **ipsec_gateway_ip_ranges**: *object*
<br>*additional properties: string*
- **mtu**: *number*
<br>*default: 1500*
- **name**: *string*
- **partner_interconnect_config**: *object*
<br>*additional properties: false*
- ⁺**edge_availability_domain**: *string*
<br>*enum: ['AVAILABILITY_DOMAIN_1', 'AVAILABILITY_DOMAIN_2', 'AVAILABILITY_DOMAIN_ANY']*
- ⁺**peer_asn**: *string*
- **region**: *string*
- ⁺**router_config**: *object*
<br>*additional properties: false*
- **create**: *boolean*
- **asn**: *number*
- **bfd**: *object*
<br>*additional properties: false*
- **min_receive_interval**: *number*
- **min_transmit_interval**: *number*
- **multiplier**: *number*
- **session_initialization_mode**: *string*
<br>*enum: ['ACTIVE', 'PASSIVE']*
- **custom_advertise**: *object*
<br>*additional properties: false*
- ⁺**all_subnets**: *boolean*
- ⁺**ip_ranges**: *object*
<br>*additional properties: string*
- **md5_authentication_key**: *object*
<br>*additional properties: false*
- ⁺**name**: *string*
- **key**: *string*
- **keepalive**: *number*
- **name**: *string*
- **vpn_gateways_ip_range**: *string*
- **ncc_spoke_config**: *reference([ncc_spoke_config](#refs-ncc_spoke_config))*
## Definitions
- **ncc_spoke_config**<a name="refs-ncc_spoke_config"></a>: *object*
- **hub**: *string*
- **description**: *string*
- **labels**: *object*
- **exclude_export_ranges**: *array*
- items: *string*
- **include_export_ranges**: *array*
- items: *string*
- **group**: *string*

View File

@@ -18,6 +18,24 @@
"description": {
"type": "string"
},
"factories_config": {
"type": "object",
"additionalProperties": false,
"properties": {
"firewall_rules": {
"type": "string"
},
"subnets": {
"type": "string"
},
"vlan_attachments": {
"type": "string"
},
"vpns": {
"type": "string"
}
}
},
"auto_create_subnetworks": {
"type": "boolean"
},
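Review bot: the four `factories_config` strings carry no `description`, and the conventions the sample data relies on (relative paths resolved against the VPC folder, absolute or `./` paths taken as is, a non-existent path disabling the factory) are discoverable only by reading the factory code. Add `description` fields, and consider `"type": ["string", "null"]` so that disabling a factory is explicit instead of the `"none"` sentinel.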

View File

@@ -16,6 +16,12 @@
<br>*enum: ['GLOBAL', 'REGIONAL']*
- **firewall_policy_enforcement_order**: *string*
<br>*enum: ['BEFORE_CLASSIC_FIREWALL', 'AFTER_CLASSIC_FIREWALL']*
- **factories_config**: *object*
<br>*additional properties: false*
- **firewall_rules**: *string*
- **subnets**: *string*
- **vlan_attachments**: *string*
- **vpns**: *string*
- **create_googleapis_routes**: *reference([create_googleapis_routes](#refs-create_googleapis_routes))*
- **dns_policy**: *reference([dns_policy](#refs-dns_policy))*
- **ipv6_config**: *reference([ipv6_config](#refs-ipv6_config))*

View File

@@ -1,5 +1,5 @@
/**
* Copyright 2025 Google LLC
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.