Allowing multiple on-prem domains (#3219)
* Allow multiple on-prem domains * Add an on-prem domain example for the tests * Make the GCP domain (gcp.example.com) optional; its zones are not created when it is null
@@ -260,7 +260,9 @@ Spokes can optionally define private zones (e.g. `prod-dns-private-zone`) - gran
#### Cloud to on-prem
Leveraging the forwarding zones defined on Landing (e.g. `onprem-example-dns-forwarding` and `reverse-10-dns-forwarding`), the cloud environment can resolve `in-addr.arpa.` and `onprem.example.com.` using the on-premises DNS infrastructure. Onprem resolvers IPs are set in variable `dns.onprem`.
Leveraging the forwarding zones defined on Landing (e.g. `landing-dns-fwd-onprem` and `landing-dns-fwd-onprem-rev-10`), the cloud environment can resolve `in-addr.arpa.` and domains defined in `var.dns.onprem_domain` using the on-premises DNS infrastructure. Onprem resolvers IPs are set in variable `var.dns.resolvers`.
Domains defined in `var.dns.onprem_domain` can also optionally overwrite the resolver IPs
DNS queries sent to the on-premises infrastructure come from the `35.199.192.0/19` source range, which is only accessible from within a VPC or networks connected to one.
@@ -505,18 +507,18 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|
||||
| [prefix](variables-fast.tf#L76) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | <code title="object({ vpn_tunnel_established = optional(object({ auto_close = optional(string, null) duration = optional(string, "120s") enabled = optional(bool, true) notification_channels = optional(list(string), []) user_labels = optional(map(string), {}) })) vpn_tunnel_bandwidth = optional(object({ auto_close = optional(string, null) duration = optional(string, "120s") enabled = optional(bool, true) notification_channels = optional(list(string), []) threshold_mbys = optional(string, "187.5") user_labels = optional(map(string), {}) })) })">object({…})</code> | | <code title="{ vpn_tunnel_established = {} vpn_tunnel_bandwidth = {} }">{…}</code> | |
|
||||
| [custom_roles](variables-fast.tf#L40) | Custom roles defined at the org level, in key => id format. | <code title="object({ project_iam_viewer = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||
| [dns](variables.tf#L42) | DNS configuration. | <code title="object({ gcp_domain = optional(string, "gcp.example.com") onprem_domain = optional(string, "onprem.example.com") resolvers = optional(list(string), []) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [essential_contacts](variables.tf#L53) | Email used for essential contacts, unset if null. | <code>string</code> | | <code>null</code> | |
|
||||
| [factories_config](variables.tf#L59) | Configuration for network resource factories. | <code title="object({ dashboards = optional(string, "data/dashboards") dns_policy_rules = optional(string, "data/dns-policy-rules.yaml") firewall = optional(object({ cidr_file = optional(string, "data/cidrs.yaml") classic_rules = optional(string, "data/firewall-rules") hierarchical = optional(object({ egress_rules = optional(string, "data/hierarchical-egress-rules.yaml") ingress_rules = optional(string, "data/hierarchical-ingress-rules.yaml") policy_name = optional(string, "net-default") }), {}) policy_rules = optional(string, "data/firewall-policies") }), {}) subnets = optional(string, "data/subnets") })">object({…})</code> | | <code>{}</code> | |
|
||||
| [outputs_location](variables.tf#L80) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [psa_ranges](variables.tf#L86) | IP ranges used for Private Service Access (CloudSQL, etc.). | <code title="object({ dev = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) prod = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [regions](variables.tf#L106) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
||||
| [dns](variables.tf#L42) | DNS configuration. | <code title="object({ gcp_domain = optional(string, "gcp.example.com") onprem_domains = optional(list(object({ domain = string overwrite_resolver = optional(list(string), null) })), []) resolvers = optional(list(string), []) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [essential_contacts](variables.tf#L60) | Email used for essential contacts, unset if null. | <code>string</code> | | <code>null</code> | |
|
||||
| [factories_config](variables.tf#L66) | Configuration for network resource factories. | <code title="object({ dashboards = optional(string, "data/dashboards") dns_policy_rules = optional(string, "data/dns-policy-rules.yaml") firewall = optional(object({ cidr_file = optional(string, "data/cidrs.yaml") classic_rules = optional(string, "data/firewall-rules") hierarchical = optional(object({ egress_rules = optional(string, "data/hierarchical-egress-rules.yaml") ingress_rules = optional(string, "data/hierarchical-ingress-rules.yaml") policy_name = optional(string, "net-default") }), {}) policy_rules = optional(string, "data/firewall-policies") }), {}) subnets = optional(string, "data/subnets") })">object({…})</code> | | <code>{}</code> | |
|
||||
| [outputs_location](variables.tf#L87) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [psa_ranges](variables.tf#L93) | IP ranges used for Private Service Access (CloudSQL, etc.). | <code title="object({ dev = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) prod = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [regions](variables.tf#L113) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
||||
| [security_profile_groups](variables-fast.tf#L86) | Security profile group ids used for policy rule substitutions. | <code>map(string)</code> | | <code>{}</code> | <code>2-networking-ngfw</code> |
|
||||
| [spoke_configs](variables.tf#L118) | Spoke connectivity configurations. | <code title="object({ ncc_configs = optional(object({ export_psc = optional(bool, true) dev = optional(object({ exclude_export_ranges = list(string) }), { exclude_export_ranges = [] }) prod = optional(object({ exclude_export_ranges = list(string) }), { exclude_export_ranges = [] }) })) peering_configs = optional(object({ dev = optional(object({ export = optional(bool, true) import = optional(bool, true) public_export = optional(bool) public_import = optional(bool) }), {}) prod = optional(object({ export = optional(bool, true) import = optional(bool, true) public_export = optional(bool) public_import = optional(bool) }), {}) })) vpn_configs = optional(object({ dev = optional(object({ asn = optional(number, 65501) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }), {}) landing = optional(object({ asn = optional(number, 65500) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }), {}) prod = optional(object({ asn = optional(number, 65502) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }), {}) })) })">object({…})</code> | | <code title="{ peering_configs = {} }">{…}</code> | |
|
||||
| [spoke_configs](variables.tf#L125) | Spoke connectivity configurations. | <code title="object({ ncc_configs = optional(object({ export_psc = optional(bool, true) dev = optional(object({ exclude_export_ranges = list(string) }), { exclude_export_ranges = [] }) prod = optional(object({ exclude_export_ranges = list(string) }), { exclude_export_ranges = [] }) })) peering_configs = optional(object({ dev = optional(object({ export = optional(bool, true) import = optional(bool, true) public_export = optional(bool) public_import = optional(bool) }), {}) prod = optional(object({ export = optional(bool, true) import = optional(bool, true) public_export = optional(bool) public_import = optional(bool) }), {}) })) vpn_configs = optional(object({ dev = optional(object({ asn = optional(number, 65501) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }), {}) landing = optional(object({ asn = optional(number, 65500) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }), {}) prod = optional(object({ asn = optional(number, 65502) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }), {}) })) })">object({…})</code> | | <code title="{ peering_configs = {} }">{…}</code> | |
|
||||
| [stage_configs](variables-fast.tf#L94) | FAST stage configuration. | <code title="object({ networking = optional(object({ short_name = optional(string) iam_admin_delegated = optional(map(list(string)), {}) iam_viewer = optional(map(list(string)), {}) }), {}) })">object({…})</code> | | <code>{}</code> | <code>1-resman</code> |
|
||||
| [tag_values](variables-fast.tf#L108) | Root-level tag values. | <code>map(string)</code> | | <code>{}</code> | <code>1-resman</code> |
|
||||
| [vpc_configs](variables.tf#L187) | Optional VPC network configurations. | <code title="object({ dev = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) landing = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) prod = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [vpn_onprem_primary_config](variables.tf#L240) | VPN gateway configuration for onprem interconnection in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||
| [vpc_configs](variables.tf#L194) | Optional VPC network configurations. | <code title="object({ dev = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) landing = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) prod = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [vpn_onprem_primary_config](variables.tf#L247) | VPN gateway configuration for onprem interconnection in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
## Outputs
@@ -20,6 +20,7 @@
module "dev-dns-priv-example" {
source = "../../../modules/dns"
count = var.dns.gcp_domain != null ? 1 : 0
project_id = module.dev-spoke-project.project_id
name = "dev-${replace(var.dns.gcp_domain, ".", "-")}"
zone_config = {
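Review bot: Adding `count` to `dev-dns-priv-example` changes the module's instance address from `module.dev-dns-priv-example` to `module.dev-dns-priv-example[0]`, so an existing deployment will plan to destroy and recreate the private zone, and any reference to this module elsewhere in the stage (not visible here) now needs the `[0]` index plus a guard for the zero-instance case. A `moved` block with `from = module.dev-dns-priv-example` and `to = module.dev-dns-priv-example[0]` keeps state continuity across the upgrade. The same applies to `landing-dns-priv-gcp` and `prod-dns-priv-example` in this stage and to the three matching modules in the second stage touched by this commit. The module block continues past the end of the hunk.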
@@ -16,18 +16,25 @@
# tfdoc:file:description Landing DNS zones and peerings setup.
locals {
onprem_domain_map = { for i in var.dns.onprem_domains : i.domain => i }
}
# forwarding to on-prem DNS resolvers
module "landing-dns-fwd-onprem-example" {
module "landing-dns-fwd-onprem" {
source = "../../../modules/dns"
count = length(var.dns.resolvers) > 0 ? 1 : 0
for_each = local.onprem_domain_map
project_id = module.landing-project.project_id
name = replace(var.dns.onprem_domain, ".", "-")
name = replace(each.key, ".", "-")
zone_config = {
domain = "${var.dns.onprem_domain}."
domain = "${each.key}."
forwarding = {
client_networks = [module.landing-vpc.self_link]
forwarders = { for ip in var.dns.resolvers : ip => null }
forwarders = (each.value.overwrite_resolver == null ?
{ for ip in var.dns.resolvers : ip => null }
: { for ip in each.value.overwrite_resolver : ip => null }
)
}
}
}
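Review bot: The conditional on `each.value.overwrite_resolver == null` treats an explicit empty list as a valid override and then builds an empty `forwarders` map for that domain, so a forwarding zone with no targets is requested (whether the dns module rejects that I cannot tell from here); neither this hunk nor the new `dns` variable validation rejects `overwrite_resolver = []`. Switching from `count` to `for_each` while renaming the module also moves the existing instance from `module.landing-dns-fwd-onprem-example[0]` to `module.landing-dns-fwd-onprem["<domain>"]`, which plans a destroy/recreate of the forwarding zone unless a `moved` block covers that transition. `domain = "${each.key}."` appends the trailing dot unconditionally, so an entry written as `onprem.example.com.` becomes `onprem.example.com..`; `domain = "${trimsuffix(each.key, ".")}."` (or rejecting a trailing dot in the variable validation) avoids it. The same forwarders expression is repeated in the second stage's `landing-dns-fwd-onprem` hunk.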
@@ -48,6 +55,7 @@ module "landing-dns-fwd-onprem-rev-10" {
module "landing-dns-priv-gcp" {
source = "../../../modules/dns"
count = var.dns.gcp_domain != null ? 1 : 0
project_id = module.landing-project.project_id
name = replace(var.dns.gcp_domain, ".", "-")
zone_config = {
@@ -20,6 +20,7 @@
module "prod-dns-priv-example" {
source = "../../../modules/dns"
count = var.dns.gcp_domain != null ? 1 : 0
project_id = module.prod-spoke-project.project_id
name = "prod-${replace(var.dns.gcp_domain, ".", "-")}"
zone_config = {
@@ -42,12 +42,19 @@ variable "alert_config" {
variable "dns" {
description = "DNS configuration."
type = object({
gcp_domain = optional(string, "gcp.example.com")
onprem_domain = optional(string, "onprem.example.com")
resolvers = optional(list(string), [])
gcp_domain = optional(string, "gcp.example.com")
onprem_domains = optional(list(object({
domain = string
overwrite_resolver = optional(list(string), null)
})), [])
resolvers = optional(list(string), [])
})
default = {}
nullable = false
validation {
condition = length(var.dns.onprem_domains) > 0 == length(var.dns.resolvers) > 0
error_message = "The 'resolvers' and 'onprem_domains' attributes must be used together. Please provide values for both or leave both empty."
}
}
variable "essential_contacts" {
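Review bot: The new validation `length(var.dns.onprem_domains) > 0 == length(var.dns.resolvers) > 0` still ties every domain to the global `resolvers` list, so a configuration where each entry sets `overwrite_resolver` and `resolvers` stays empty is rejected even though `landing-dns-fwd-onprem` handles exactly that case, while `overwrite_resolver = []` passes and yields a forwarding zone with no forwarders. A per-entry check expresses the real requirement; the replacement is below (keep the old "used together" rule as a second validation if `resolvers` without any domain should remain an error). Duplicate `domain` values are only caught later as a duplicate-key error when `local.onprem_domain_map` is built; adding a validation with `length(distinct(var.dns.onprem_domains[*].domain)) == length(var.dns.onprem_domains)` reports it at the variable instead. The README hunks in this commit still refer to `var.dns.onprem_domain`, which this hunk removes, and since the attribute is brand new, `override_resolvers` is the conventional spelling worth settling before it ships.
```hcl
  validation {
    condition = alltrue([
      for d in var.dns.onprem_domains :
      d.overwrite_resolver == null
      ? length(var.dns.resolvers) > 0
      : length(d.overwrite_resolver) > 0
    ])
    error_message = "Each 'onprem_domains' entry needs resolvers: set 'resolvers', or give the entry a non-empty 'overwrite_resolver'."
  }
```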
@@ -331,9 +331,11 @@ The spokes can optionally define private zones (e.g. `prod-dns-private-zone`). G
#### Cloud to on-prem
Leveraging the forwarding zone defined in the landing project (e.g. `onprem-example-dns-forwarding` and `reverse-10-dns-forwarding`), the cloud environment can resolve `in-addr.arpa.` and `onprem.example.com.` using the on-premise DNS infrastructure. On-premise resolver IPs are set in the variable `dns.onprem`.
Leveraging the forwarding zones defined on Landing (e.g. `landing-dns-fwd-onprem` and `landing-dns-fwd-onprem-rev-10`), the cloud environment can resolve `in-addr.arpa.` and domains defined in `var.dns.onprem_domain` using the on-premises DNS infrastructure. Onprem resolvers IPs are set in variable `var.dns.resolvers`.
DNS queries sent to the on-premise infrastructure come from the `35.199.192.0/19` source range.
Domains defined in `var.dns.onprem_domain` can also optionally overwrite the resolver IPs
DNS queries sent to the on-premises infrastructure come from the `35.199.192.0/19` source range, which is only accessible from within a VPC or networks connected to one.
#### On-prem to cloud
@@ -566,20 +568,20 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|
||||
| [prefix](variables-fast.tf#L76) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | <code title="object({ vpn_tunnel_established = optional(object({ auto_close = optional(string, null) duration = optional(string, "120s") enabled = optional(bool, true) notification_channels = optional(list(string), []) user_labels = optional(map(string), {}) })) vpn_tunnel_bandwidth = optional(object({ auto_close = optional(string, null) duration = optional(string, "120s") enabled = optional(bool, true) notification_channels = optional(list(string), []) threshold_mbys = optional(string, "187.5") user_labels = optional(map(string), {}) })) })">object({…})</code> | | <code title="{ vpn_tunnel_established = {} vpn_tunnel_bandwidth = {} }">{…}</code> | |
|
||||
| [custom_roles](variables-fast.tf#L40) | Custom roles defined at the org level, in key => id format. | <code title="object({ project_iam_viewer = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||
| [dns](variables.tf#L42) | DNS configuration. | <code title="object({ gcp_domain = optional(string, "gcp.example.com") onprem_domain = optional(string, "onprem.example.com") resolvers = optional(list(string), []) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [essential_contacts](variables.tf#L53) | Email used for essential contacts, unset if null. | <code>string</code> | | <code>null</code> | |
|
||||
| [factories_config](variables.tf#L59) | Configuration for network resource factories. | <code title="object({ dashboards = optional(string, "data/dashboards") dns_policy_rules = optional(string, "data/dns-policy-rules.yaml") firewall = optional(object({ cidr_file = optional(string, "data/cidrs.yaml") classic_rules = optional(string, "data/firewall-rules") hierarchical = optional(object({ egress_rules = optional(string, "data/hierarchical-egress-rules.yaml") ingress_rules = optional(string, "data/hierarchical-ingress-rules.yaml") policy_name = optional(string, "net-default") }), {}) policy_rules = optional(string, "data/firewall-policies") }), {}) subnets = optional(string, "data/subnets") })">object({…})</code> | | <code>{}</code> | |
|
||||
| [gcp_ranges](variables.tf#L80) | GCP address ranges in name => range format. | <code>map(string)</code> | | <code title="{ gcp_dev_primary = "10.68.0.0/16" gcp_dev_secondary = "10.84.0.0/16" gcp_regional_vpc_primary = "10.65.0.0/17" gcp_regional_vpc_secondary = "10.81.0.0/17" gcp_landing_primary = "10.64.0.0/17" gcp_landing_secondary = "10.80.0.0/17" gcp_dmz_primary = "10.64.128.0/17" gcp_dmz_secondary = "10.80.128.0/17" gcp_prod_primary = "10.72.0.0/16" gcp_prod_secondary = "10.88.0.0/16" }">{…}</code> | |
|
||||
| [network_mode](variables.tf#L97) | Selection of the network design to deploy. | <code>string</code> | | <code>"simple"</code> | |
|
||||
| [outputs_location](variables.tf#L108) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [psa_ranges](variables.tf#L114) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | <code title="object({ dev = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) prod = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [regions](variables.tf#L134) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
||||
| [dns](variables.tf#L42) | DNS configuration. | <code title="object({ gcp_domain = optional(string, "gcp.example.com") onprem_domains = optional(list(object({ domain = string overwrite_resolver = optional(list(string), null) })), []) resolvers = optional(list(string), []) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [essential_contacts](variables.tf#L60) | Email used for essential contacts, unset if null. | <code>string</code> | | <code>null</code> | |
|
||||
| [factories_config](variables.tf#L66) | Configuration for network resource factories. | <code title="object({ dashboards = optional(string, "data/dashboards") dns_policy_rules = optional(string, "data/dns-policy-rules.yaml") firewall = optional(object({ cidr_file = optional(string, "data/cidrs.yaml") classic_rules = optional(string, "data/firewall-rules") hierarchical = optional(object({ egress_rules = optional(string, "data/hierarchical-egress-rules.yaml") ingress_rules = optional(string, "data/hierarchical-ingress-rules.yaml") policy_name = optional(string, "net-default") }), {}) policy_rules = optional(string, "data/firewall-policies") }), {}) subnets = optional(string, "data/subnets") })">object({…})</code> | | <code>{}</code> | |
|
||||
| [gcp_ranges](variables.tf#L87) | GCP address ranges in name => range format. | <code>map(string)</code> | | <code title="{ gcp_dev_primary = "10.68.0.0/16" gcp_dev_secondary = "10.84.0.0/16" gcp_regional_vpc_primary = "10.65.0.0/17" gcp_regional_vpc_secondary = "10.81.0.0/17" gcp_landing_primary = "10.64.0.0/17" gcp_landing_secondary = "10.80.0.0/17" gcp_dmz_primary = "10.64.128.0/17" gcp_dmz_secondary = "10.80.128.0/17" gcp_prod_primary = "10.72.0.0/16" gcp_prod_secondary = "10.88.0.0/16" }">{…}</code> | |
|
||||
| [network_mode](variables.tf#L104) | Selection of the network design to deploy. | <code>string</code> | | <code>"simple"</code> | |
|
||||
| [outputs_location](variables.tf#L115) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [psa_ranges](variables.tf#L121) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | <code title="object({ dev = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) prod = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [regions](variables.tf#L141) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
||||
| [security_profile_groups](variables-fast.tf#L86) | Security profile group ids used for policy rule substitutions. | <code>map(string)</code> | | <code>{}</code> | <code>2-networking-ngfw</code> |
|
||||
| [stage_configs](variables-fast.tf#L94) | FAST stage configuration. | <code title="object({ networking = optional(object({ short_name = optional(string) iam_admin_delegated = optional(map(list(string)), {}) iam_viewer = optional(map(list(string)), {}) }), {}) })">object({…})</code> | | <code>{}</code> | <code>1-resman</code> |
|
||||
| [tag_values](variables-fast.tf#L108) | Root-level tag values. | <code>map(string)</code> | | <code>{}</code> | <code>1-resman</code> |
|
||||
| [vpc_configs](variables.tf#L146) | Optional VPC network configurations. | <code title="object({ dev = optional(object({ mtu = optional(number, 1500) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) dmz = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) landing = optional(object({ mtu = optional(number, 1500) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) prod = optional(object({ mtu = optional(number, 1500) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) regional_primary = optional(object({ mtu = optional(number, 1500) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) regional_secondary = optional(object({ mtu = optional(number, 1500) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = 
optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [vpn_onprem_primary_config](variables.tf#L229) | VPN gateway configuration for onprem interconnection in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||
| [vpn_onprem_secondary_config](variables.tf#L272) | VPN gateway configuration for onprem interconnection in the secondary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||
| [vpc_configs](variables.tf#L153) | Optional VPC network configurations. | <code title="object({ dev = optional(object({ mtu = optional(number, 1500) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) dmz = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) landing = optional(object({ mtu = optional(number, 1500) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) prod = optional(object({ mtu = optional(number, 1500) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) regional_primary = optional(object({ mtu = optional(number, 1500) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) regional_secondary = optional(object({ mtu = optional(number, 1500) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = 
optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [vpn_onprem_primary_config](variables.tf#L236) | VPN gateway configuration for onprem interconnection in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||
| [vpn_onprem_secondary_config](variables.tf#L279) | VPN gateway configuration for onprem interconnection in the secondary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
## Outputs
@@ -20,6 +20,7 @@
|
||||
|
||||
module "dev-dns-priv-example" {
|
||||
source = "../../../modules/dns"
|
||||
count = var.dns.gcp_domain != null ? 1 : 0
|
||||
project_id = module.dev-spoke-project.project_id
|
||||
name = "dev-${replace(var.dns.gcp_domain, ".", "-")}"
|
||||
zone_config = {
|
||||
|
||||
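Review bot: Adding `count` to `module "dev-dns-priv-example"` changes its state address from `module.dev-dns-priv-example` to `module.dev-dns-priv-example[0]`, and nothing in the commit tells Terraform the two are the same object, so an existing deployment may see the private zone planned for destroy and recreate (any reference elsewhere to `module.dev-dns-priv-example.<attr>` now also needs the `[0]` index, which is not visible from this hunk). A `moved` block next to the module call makes the migration explicit and is a no-op where Terraform already handles the transition; the same applies to the `landing-dns-priv-gcp`, `prod-dns-priv-example`, `dev-dns-private-zone` and `prod-dns-private-zone` hunks. The module block continues past the end of this hunk.
```hcl
moved {
  from = module.dev-dns-priv-example
  to   = module.dev-dns-priv-example[0]
}
```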
@@ -16,15 +16,19 @@
|
||||
|
||||
# tfdoc:file:description Landing DNS zones and peerings setup.
|
||||
|
||||
locals {
|
||||
onprem_domain_map = { for i in var.dns.onprem_domains : i.domain => i }
|
||||
}
|
||||
|
||||
# forwarding to on-prem DNS resolvers
|
||||
|
||||
module "landing-dns-fwd-onprem-example" {
|
||||
module "landing-dns-fwd-onprem" {
|
||||
source = "../../../modules/dns"
|
||||
count = length(var.dns.resolvers) > 0 ? 1 : 0
|
||||
for_each = local.onprem_domain_map
|
||||
project_id = module.landing-project.project_id
|
||||
name = replace(var.dns.onprem_domain, ".", "-")
|
||||
name = replace(each.key, ".", "-")
|
||||
zone_config = {
|
||||
domain = "${var.dns.onprem_domain}."
|
||||
domain = "${each.key}."
|
||||
forwarding = {
|
||||
client_networks = concat(
|
||||
[
|
||||
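Review bot: Renaming `landing-dns-fwd-onprem-example` to `landing-dns-fwd-onprem` and switching from `count` to `for_each` moves the forwarding zone from `module.landing-dns-fwd-onprem-example[0]` to `module.landing-dns-fwd-onprem["<domain>"]`, so an existing deployment would destroy and recreate the zone on the next apply and cloud workloads would lose resolution of on-prem names until it is back. A `moved` block keyed on the domain the deployment previously set in `var.dns.onprem_domain` keeps the zone in place; the `dev-dns-fwd-onprem` and `prod-dns-fwd-onprem` hunks have the same issue. The default also changes from one implicit `onprem.example.com` zone to none, because `onprem_domains` defaults to `[]`, which deserves a sentence in the commit description or README as a behaviour change. The module block continues past the end of this hunk.
```hcl
moved {
  from = module.landing-dns-fwd-onprem-example[0]
  to   = module.landing-dns-fwd-onprem["onprem.example.com"] # use the domain previously set in var.dns.onprem_domain
}
```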
@@ -37,7 +41,10 @@ module "landing-dns-fwd-onprem-example" {
|
||||
module.regional-secondary-vpc[0].self_link
|
||||
] : []
|
||||
)
|
||||
forwarders = { for ip in var.dns.resolvers : ip => null }
|
||||
forwarders = (each.value.overwrite_resolver == null ?
|
||||
{ for ip in var.dns.resolvers : ip => null }
|
||||
: { for ip in each.value.overwrite_resolver : ip => null }
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
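Review bot: The four-line conditional for `forwarders` can be a single comprehension, `forwarders = { for ip in coalesce(each.value.overwrite_resolver, var.dns.resolvers) : ip => null }`, since `coalesce` returns the first non-null argument and both values are lists of strings; the same shape repeats in the `dev-dns-fwd-onprem` and `prod-dns-fwd-onprem` hunks. Either form produces an empty `forwarders` map when a caller passes `overwrite_resolver = []`, which is only caught when the zone is created at apply time, so that case is better rejected by a validation on `var.dns`.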
@@ -68,6 +75,7 @@ module "landing-dns-fwd-onprem-rev-10" {
|
||||
|
||||
module "landing-dns-priv-gcp" {
|
||||
source = "../../../modules/dns"
|
||||
count = var.dns.gcp_domain != null ? 1 : 0
|
||||
project_id = module.landing-project.project_id
|
||||
name = replace(var.dns.gcp_domain, ".", "-")
|
||||
zone_config = {
|
||||
|
||||
@@ -20,6 +20,7 @@
|
||||
|
||||
module "prod-dns-priv-example" {
|
||||
source = "../../../modules/dns"
|
||||
count = var.dns.gcp_domain != null ? 1 : 0
|
||||
project_id = module.prod-spoke-project.project_id
|
||||
name = "prod-${replace(var.dns.gcp_domain, ".", "-")}"
|
||||
zone_config = {
|
||||
|
||||
@@ -42,12 +42,19 @@ variable "alert_config" {
|
||||
variable "dns" {
|
||||
description = "DNS configuration."
|
||||
type = object({
|
||||
gcp_domain = optional(string, "gcp.example.com")
|
||||
onprem_domain = optional(string, "onprem.example.com")
|
||||
resolvers = optional(list(string), [])
|
||||
gcp_domain = optional(string, "gcp.example.com")
|
||||
onprem_domains = optional(list(object({
|
||||
domain = string
|
||||
overwrite_resolver = optional(list(string), null)
|
||||
})), [])
|
||||
resolvers = optional(list(string), [])
|
||||
})
|
||||
default = {}
|
||||
nullable = false
|
||||
validation {
|
||||
condition = length(var.dns.onprem_domains) > 0 == length(var.dns.resolvers) > 0
|
||||
error_message = "The 'resolvers' and 'onprem_domains' attributes must be used together. Please provide values for both or leave both empty."
|
||||
}
|
||||
}
|
||||
|
||||
variable "essential_contacts" {
|
||||
|
||||
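Review bot: The new variable shape admits `overwrite_resolver = []`, which the forwarding module turns into an empty `forwarders` map, and neither the type nor the validation at `condition = length(var.dns.onprem_domains) > 0 == length(var.dns.resolvers) > 0` rejects it; a second validation over the list entries catches it at plan time. That condition also relies on `>` binding tighter than `==` and reads better parenthesised, `condition = (length(var.dns.onprem_domains) > 0) == (length(var.dns.resolvers) > 0)`. Because the zone domain is built as `"${each.key}."`, a domain supplied with a trailing dot would end in `..`, which the same validation can reject. The `variables.tf` hunk that introduces `dev_resolvers`/`prod_resolvers` has the same gaps.
```hcl
  validation {
    condition = alltrue([
      for d in var.dns.onprem_domains :
      !endswith(d.domain, ".") && (
        d.overwrite_resolver == null || try(length(d.overwrite_resolver) > 0, false)
      )
    ])
    error_message = "Each 'onprem_domains' entry needs a domain without a trailing dot and, when 'overwrite_resolver' is set, at least one resolver IP."
  }
```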
@@ -364,18 +364,18 @@ Regions are defined via the `regions` variable which sets up a mapping between t
|
||||
| [prefix](variables-fast.tf#L76) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | <code title="object({ vpn_tunnel_established = optional(object({ auto_close = optional(string, null) duration = optional(string, "120s") enabled = optional(bool, true) notification_channels = optional(list(string), []) user_labels = optional(map(string), {}) })) vpn_tunnel_bandwidth = optional(object({ auto_close = optional(string, null) duration = optional(string, "120s") enabled = optional(bool, true) notification_channels = optional(list(string), []) threshold_mbys = optional(string, "187.5") user_labels = optional(map(string), {}) })) })">object({…})</code> | | <code title="{ vpn_tunnel_established = {} vpn_tunnel_bandwidth = {} }">{…}</code> | |
|
||||
| [custom_roles](variables-fast.tf#L40) | Custom roles defined at the org level, in key => id format. | <code title="object({ project_iam_viewer = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||
| [dns](variables.tf#L42) | DNS configuration. | <code title="object({ gcp_domain = optional(string, "gcp.example.com") onprem_domain = optional(string, "onprem.example.com") dev_resolvers = optional(list(string), []) prod_resolvers = optional(list(string), []) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [essential_contacts](variables.tf#L54) | Email used for essential contacts, unset if null. | <code>string</code> | | <code>null</code> | |
|
||||
| [factories_config](variables.tf#L60) | Configuration for network resource factories. | <code title="object({ dashboards = optional(string, "data/dashboards") dns_policy_rules = optional(string, "data/dns-policy-rules.yaml") firewall = optional(object({ cidr_file = optional(string, "data/cidrs.yaml") classic_rules = optional(string, "data/firewall-rules") hierarchical = optional(object({ egress_rules = optional(string, "data/hierarchical-egress-rules.yaml") ingress_rules = optional(string, "data/hierarchical-ingress-rules.yaml") policy_name = optional(string, "net-default") }), {}) policy_rules = optional(string, "data/firewall-policies") }), {}) subnets = optional(string, "data/subnets") })">object({…})</code> | | <code>{}</code> | |
|
||||
| [outputs_location](variables.tf#L81) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [psa_ranges](variables.tf#L87) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) prod = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [regions](variables.tf#L107) | Region definitions. | <code title="object({ primary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" }">{…}</code> | |
|
||||
| [dns](variables.tf#L42) | DNS configuration. | <code title="object({ gcp_domain = optional(string, "gcp.example.com") onprem_domains = optional(list(object({ domain = string overwrite_resolver = optional(list(string), null) })), []) dev_resolvers = optional(list(string), []) prod_resolvers = optional(list(string), []) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [essential_contacts](variables.tf#L75) | Email used for essential contacts, unset if null. | <code>string</code> | | <code>null</code> | |
|
||||
| [factories_config](variables.tf#L81) | Configuration for network resource factories. | <code title="object({ dashboards = optional(string, "data/dashboards") dns_policy_rules = optional(string, "data/dns-policy-rules.yaml") firewall = optional(object({ cidr_file = optional(string, "data/cidrs.yaml") classic_rules = optional(string, "data/firewall-rules") hierarchical = optional(object({ egress_rules = optional(string, "data/hierarchical-egress-rules.yaml") ingress_rules = optional(string, "data/hierarchical-ingress-rules.yaml") policy_name = optional(string, "net-default") }), {}) policy_rules = optional(string, "data/firewall-policies") }), {}) subnets = optional(string, "data/subnets") })">object({…})</code> | | <code>{}</code> | |
|
||||
| [outputs_location](variables.tf#L102) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [psa_ranges](variables.tf#L108) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) prod = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [regions](variables.tf#L128) | Region definitions. | <code title="object({ primary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" }">{…}</code> | |
|
||||
| [security_profile_groups](variables-fast.tf#L86) | Security profile group ids used for policy rule substitutions. | <code>map(string)</code> | | <code>{}</code> | <code>2-networking-ngfw</code> |
|
||||
| [stage_configs](variables-fast.tf#L94) | FAST stage configuration. | <code title="object({ networking = optional(object({ short_name = optional(string) iam_admin_delegated = optional(map(list(string)), {}) iam_viewer = optional(map(list(string)), {}) }), {}) })">object({…})</code> | | <code>{}</code> | <code>1-resman</code> |
|
||||
| [tag_values](variables-fast.tf#L108) | Root-level tag values. | <code>map(string)</code> | | <code>{}</code> | <code>1-resman</code> |
|
||||
| [vpc_configs](variables.tf#L117) | Optional VPC network configurations. | <code title="object({ dev = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) prod = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [vpn_onprem_dev_primary_config](variables.tf#L155) | VPN gateway configuration for onprem interconnection from dev in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||
| [vpn_onprem_prod_primary_config](variables.tf#L198) | VPN gateway configuration for onprem interconnection from prod in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||
| [vpc_configs](variables.tf#L138) | Optional VPC network configurations. | <code title="object({ dev = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) prod = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [vpn_onprem_dev_primary_config](variables.tf#L176) | VPN gateway configuration for onprem interconnection from dev in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||
| [vpn_onprem_prod_primary_config](variables.tf#L219) | VPN gateway configuration for onprem interconnection from prod in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
||||
@@ -20,6 +20,7 @@
|
||||
|
||||
module "dev-dns-private-zone" {
|
||||
source = "../../../modules/dns"
|
||||
count = var.dns.gcp_domain != null ? 1 : 0
|
||||
project_id = module.dev-spoke-project.project_id
|
||||
name = "dev-${replace(var.dns.gcp_domain, ".", "-")}"
|
||||
zone_config = {
|
||||
@@ -33,16 +34,19 @@ module "dev-dns-private-zone" {
|
||||
}
|
||||
}
|
||||
|
||||
module "dev-dns-fwd-onprem-example" {
|
||||
module "dev-dns-fwd-onprem" {
|
||||
source = "../../../modules/dns"
|
||||
count = length(var.dns.dev_resolvers) > 0 ? 1 : 0
|
||||
for_each = local.onprem_domain_map
|
||||
project_id = module.dev-spoke-project.project_id
|
||||
name = "example-com"
|
||||
name = replace(each.key, ".", "-")
|
||||
zone_config = {
|
||||
domain = "onprem.example.com."
|
||||
domain = "${each.key}."
|
||||
forwarding = {
|
||||
client_networks = [module.dev-spoke-vpc.self_link]
|
||||
forwarders = { for ip in var.dns.dev_resolvers : ip => null }
|
||||
forwarders = (each.value.overwrite_resolver == null ?
|
||||
{ for ip in var.dns.dev_resolvers : ip => null }
|
||||
: { for ip in each.value.overwrite_resolver : ip => null }
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -20,6 +20,7 @@
|
||||
|
||||
module "prod-dns-private-zone" {
|
||||
source = "../../../modules/dns"
|
||||
count = var.dns.gcp_domain != null ? 1 : 0
|
||||
project_id = module.prod-spoke-project.project_id
|
||||
name = "prod-${replace(var.dns.gcp_domain, ".", "-")}"
|
||||
zone_config = {
|
||||
@@ -33,16 +34,19 @@ module "prod-dns-private-zone" {
|
||||
}
|
||||
}
|
||||
|
||||
module "prod-dns-fwd-onprem-example" {
|
||||
module "prod-dns-fwd-onprem" {
|
||||
source = "../../../modules/dns"
|
||||
count = length(var.dns.prod_resolvers) > 0 ? 1 : 0
|
||||
for_each = local.onprem_domain_map
|
||||
project_id = module.prod-spoke-project.project_id
|
||||
name = "example-com"
|
||||
name = replace(each.key, ".", "-")
|
||||
zone_config = {
|
||||
domain = "onprem.example.com."
|
||||
domain = "${each.key}."
|
||||
forwarding = {
|
||||
client_networks = [module.prod-spoke-vpc.self_link]
|
||||
forwarders = { for ip in var.dns.prod_resolvers : ip => null }
|
||||
forwarders = (each.value.overwrite_resolver == null ?
|
||||
{ for ip in var.dns.prod_resolvers : ip => null }
|
||||
: { for ip in each.value.overwrite_resolver : ip => null }
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -36,6 +36,7 @@ locals {
|
||||
iam_viewer = try(
|
||||
var.stage_configs["networking"].iam_viewer, {}
|
||||
)
|
||||
onprem_domain_map = { for i in var.dns.onprem_domains : i.domain => i }
|
||||
# combine all regions from variables and subnets
|
||||
regions = distinct(concat(
|
||||
values(var.regions),
|
||||
|
||||
@@ -42,13 +42,34 @@ variable "alert_config" {
|
||||
variable "dns" {
|
||||
description = "DNS configuration."
|
||||
type = object({
|
||||
gcp_domain = optional(string, "gcp.example.com")
|
||||
onprem_domain = optional(string, "onprem.example.com")
|
||||
gcp_domain = optional(string, "gcp.example.com")
|
||||
onprem_domains = optional(list(object({
|
||||
domain = string
|
||||
overwrite_resolver = optional(list(string), null)
|
||||
})), [])
|
||||
dev_resolvers = optional(list(string), [])
|
||||
prod_resolvers = optional(list(string), [])
|
||||
})
|
||||
default = {}
|
||||
nullable = false
|
||||
validation {
|
||||
condition = !contains(
|
||||
[
|
||||
length(var.dns.onprem_domains) > 0,
|
||||
length(var.dns.dev_resolvers) > 0,
|
||||
length(var.dns.prod_resolvers) > 0
|
||||
],
|
||||
true
|
||||
) || !contains(
|
||||
[
|
||||
length(var.dns.onprem_domains) > 0,
|
||||
length(var.dns.dev_resolvers) > 0,
|
||||
length(var.dns.prod_resolvers) > 0
|
||||
],
|
||||
false
|
||||
)
|
||||
error_message = "The 'onprem_domains', 'dev_resolvers', and 'prod_resolvers' attributes must all be specified together. Please provide values for all three, or leave all three empty."
|
||||
}
|
||||
}
|
||||
|
||||
variable "essential_contacts" {
|
||||
|
||||
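Review bot: The double `!contains(...)` starting at `condition = !contains(` is a roundabout way of saying "all three are set or none is"; `length(distinct([...])) == 1` states that directly and avoids repeating the three-element list. The `overwrite_resolver = []` and trailing-dot cases raised on the other `variables.tf` hunk apply here too, since the entry shape is identical. If forwarding for only one of dev or prod is a supported setup, this validation forbids it, which is worth confirming against the intended use.
```hcl
    condition = length(distinct([
      length(var.dns.onprem_domains) > 0,
      length(var.dns.dev_resolvers) > 0,
      length(var.dns.prod_resolvers) > 0
    ])) == 1
```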