Allowing multiple on-prem domains (#3219)
* Allowing multiple on-prem domains
* added on_prem domain example for tests
* Made gcp domains (gcp.example.com) optional and not created if null
@@ -260,7 +260,9 @@ Spokes can optionally define private zones (e.g. `prod-dns-private-zone`) - gran
|
|||||||
|
|
||||||
#### Cloud to on-prem
|
#### Cloud to on-prem
|
||||||
|
|
||||||
Leveraging the forwarding zones defined on Landing (e.g. `onprem-example-dns-forwarding` and `reverse-10-dns-forwarding`), the cloud environment can resolve `in-addr.arpa.` and `onprem.example.com.` using the on-premises DNS infrastructure. Onprem resolvers IPs are set in variable `dns.onprem`.
|
Leveraging the forwarding zones defined on Landing (e.g. `landing-dns-fwd-onprem` and `landing-dns-fwd-onprem-rev-10`), the cloud environment can resolve `in-addr.arpa.` and domains defined in `var.dns.onprem_domain` using the on-premises DNS infrastructure. Onprem resolvers IPs are set in variable `var.dns.resolvers`.
|
||||||
|
|
||||||
|
Domains defined in `var.dns.onprem_domain` can also optionally overwrite the resolver IPs
|
||||||
|
|
||||||
DNS queries sent to the on-premises infrastructure come from the `35.199.192.0/19` source range, which is only accessible from within a VPC or networks connected to one.
|
DNS queries sent to the on-premises infrastructure come from the `35.199.192.0/19` source range, which is only accessible from within a VPC or networks connected to one.
|
||||||
|
|
||||||
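Review bot: the new README paragraph refers to `var.dns.onprem_domain` twice, but the attribute this change introduces is `onprem_domains` (a list of objects), so the text points readers at a key that no longer exists; update both mentions to `var.dns.onprem_domains`. The sentence "Domains defined in `var.dns.onprem_domain` can also optionally overwrite the resolver IPs" is also missing its full stop and should name the attribute that does it, e.g. "can optionally override the resolver IPs through `overwrite_resolver`"; because a per-domain override sends that domain's queries to a different set of on-prem resolvers, it is worth stating here that those resolvers must also accept queries from the `35.199.192.0/19` source range mentioned in the following paragraph. Minor: "Onprem resolvers IPs" reads better as "On-prem resolver IPs".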
@@ -505,18 +507,18 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|
|||||||
| [prefix](variables-fast.tf#L76) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
| [prefix](variables-fast.tf#L76) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | <code title="object({ vpn_tunnel_established = optional(object({ auto_close = optional(string, null) duration = optional(string, "120s") enabled = optional(bool, true) notification_channels = optional(list(string), []) user_labels = optional(map(string), {}) })) vpn_tunnel_bandwidth = optional(object({ auto_close = optional(string, null) duration = optional(string, "120s") enabled = optional(bool, true) notification_channels = optional(list(string), []) threshold_mbys = optional(string, "187.5") user_labels = optional(map(string), {}) })) })">object({…})</code> | | <code title="{ vpn_tunnel_established = {} vpn_tunnel_bandwidth = {} }">{…}</code> | |
|
| [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | <code title="object({ vpn_tunnel_established = optional(object({ auto_close = optional(string, null) duration = optional(string, "120s") enabled = optional(bool, true) notification_channels = optional(list(string), []) user_labels = optional(map(string), {}) })) vpn_tunnel_bandwidth = optional(object({ auto_close = optional(string, null) duration = optional(string, "120s") enabled = optional(bool, true) notification_channels = optional(list(string), []) threshold_mbys = optional(string, "187.5") user_labels = optional(map(string), {}) })) })">object({…})</code> | | <code title="{ vpn_tunnel_established = {} vpn_tunnel_bandwidth = {} }">{…}</code> | |
|
||||||
| [custom_roles](variables-fast.tf#L40) | Custom roles defined at the org level, in key => id format. | <code title="object({ project_iam_viewer = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
| [custom_roles](variables-fast.tf#L40) | Custom roles defined at the org level, in key => id format. | <code title="object({ project_iam_viewer = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||||
| [dns](variables.tf#L42) | DNS configuration. | <code title="object({ gcp_domain = optional(string, "gcp.example.com") onprem_domain = optional(string, "onprem.example.com") resolvers = optional(list(string), []) })">object({…})</code> | | <code>{}</code> | |
|
| [dns](variables.tf#L42) | DNS configuration. | <code title="object({ gcp_domain = optional(string, "gcp.example.com") onprem_domains = optional(list(object({ domain = string overwrite_resolver = optional(list(string), null) })), []) resolvers = optional(list(string), []) })">object({…})</code> | | <code>{}</code> | |
|
||||||
| [essential_contacts](variables.tf#L53) | Email used for essential contacts, unset if null. | <code>string</code> | | <code>null</code> | |
|
| [essential_contacts](variables.tf#L60) | Email used for essential contacts, unset if null. | <code>string</code> | | <code>null</code> | |
|
||||||
| [factories_config](variables.tf#L59) | Configuration for network resource factories. | <code title="object({ dashboards = optional(string, "data/dashboards") dns_policy_rules = optional(string, "data/dns-policy-rules.yaml") firewall = optional(object({ cidr_file = optional(string, "data/cidrs.yaml") classic_rules = optional(string, "data/firewall-rules") hierarchical = optional(object({ egress_rules = optional(string, "data/hierarchical-egress-rules.yaml") ingress_rules = optional(string, "data/hierarchical-ingress-rules.yaml") policy_name = optional(string, "net-default") }), {}) policy_rules = optional(string, "data/firewall-policies") }), {}) subnets = optional(string, "data/subnets") })">object({…})</code> | | <code>{}</code> | |
|
| [factories_config](variables.tf#L66) | Configuration for network resource factories. | <code title="object({ dashboards = optional(string, "data/dashboards") dns_policy_rules = optional(string, "data/dns-policy-rules.yaml") firewall = optional(object({ cidr_file = optional(string, "data/cidrs.yaml") classic_rules = optional(string, "data/firewall-rules") hierarchical = optional(object({ egress_rules = optional(string, "data/hierarchical-egress-rules.yaml") ingress_rules = optional(string, "data/hierarchical-ingress-rules.yaml") policy_name = optional(string, "net-default") }), {}) policy_rules = optional(string, "data/firewall-policies") }), {}) subnets = optional(string, "data/subnets") })">object({…})</code> | | <code>{}</code> | |
|
||||||
| [outputs_location](variables.tf#L80) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
| [outputs_location](variables.tf#L87) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||||
| [psa_ranges](variables.tf#L86) | IP ranges used for Private Service Access (CloudSQL, etc.). | <code title="object({ dev = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) prod = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) })">object({…})</code> | | <code>{}</code> | |
|
| [psa_ranges](variables.tf#L93) | IP ranges used for Private Service Access (CloudSQL, etc.). | <code title="object({ dev = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) prod = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) })">object({…})</code> | | <code>{}</code> | |
|
||||||
| [regions](variables.tf#L106) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
| [regions](variables.tf#L113) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
||||||
| [security_profile_groups](variables-fast.tf#L86) | Security profile group ids used for policy rule substitutions. | <code>map(string)</code> | | <code>{}</code> | <code>2-networking-ngfw</code> |
|
| [security_profile_groups](variables-fast.tf#L86) | Security profile group ids used for policy rule substitutions. | <code>map(string)</code> | | <code>{}</code> | <code>2-networking-ngfw</code> |
|
||||||
| [spoke_configs](variables.tf#L118) | Spoke connectivity configurations. | <code title="object({ ncc_configs = optional(object({ export_psc = optional(bool, true) dev = optional(object({ exclude_export_ranges = list(string) }), { exclude_export_ranges = [] }) prod = optional(object({ exclude_export_ranges = list(string) }), { exclude_export_ranges = [] }) })) peering_configs = optional(object({ dev = optional(object({ export = optional(bool, true) import = optional(bool, true) public_export = optional(bool) public_import = optional(bool) }), {}) prod = optional(object({ export = optional(bool, true) import = optional(bool, true) public_export = optional(bool) public_import = optional(bool) }), {}) })) vpn_configs = optional(object({ dev = optional(object({ asn = optional(number, 65501) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }), {}) landing = optional(object({ asn = optional(number, 65500) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }), {}) prod = optional(object({ asn = optional(number, 65502) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }), {}) })) })">object({…})</code> | | <code title="{ peering_configs = {} }">{…}</code> | |
|
| [spoke_configs](variables.tf#L125) | Spoke connectivity configurations. | <code title="object({ ncc_configs = optional(object({ export_psc = optional(bool, true) dev = optional(object({ exclude_export_ranges = list(string) }), { exclude_export_ranges = [] }) prod = optional(object({ exclude_export_ranges = list(string) }), { exclude_export_ranges = [] }) })) peering_configs = optional(object({ dev = optional(object({ export = optional(bool, true) import = optional(bool, true) public_export = optional(bool) public_import = optional(bool) }), {}) prod = optional(object({ export = optional(bool, true) import = optional(bool, true) public_export = optional(bool) public_import = optional(bool) }), {}) })) vpn_configs = optional(object({ dev = optional(object({ asn = optional(number, 65501) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }), {}) landing = optional(object({ asn = optional(number, 65500) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }), {}) prod = optional(object({ asn = optional(number, 65502) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }), {}) })) })">object({…})</code> | | <code title="{ peering_configs = {} }">{…}</code> | |
|
||||||
| [stage_configs](variables-fast.tf#L94) | FAST stage configuration. | <code title="object({ networking = optional(object({ short_name = optional(string) iam_admin_delegated = optional(map(list(string)), {}) iam_viewer = optional(map(list(string)), {}) }), {}) })">object({…})</code> | | <code>{}</code> | <code>1-resman</code> |
|
| [stage_configs](variables-fast.tf#L94) | FAST stage configuration. | <code title="object({ networking = optional(object({ short_name = optional(string) iam_admin_delegated = optional(map(list(string)), {}) iam_viewer = optional(map(list(string)), {}) }), {}) })">object({…})</code> | | <code>{}</code> | <code>1-resman</code> |
|
||||||
| [tag_values](variables-fast.tf#L108) | Root-level tag values. | <code>map(string)</code> | | <code>{}</code> | <code>1-resman</code> |
|
| [tag_values](variables-fast.tf#L108) | Root-level tag values. | <code>map(string)</code> | | <code>{}</code> | <code>1-resman</code> |
|
||||||
| [vpc_configs](variables.tf#L187) | Optional VPC network configurations. | <code title="object({ dev = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) landing = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) prod = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) })">object({…})</code> | | <code>{}</code> | |
|
| [vpc_configs](variables.tf#L194) | Optional VPC network configurations. | <code title="object({ dev = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) landing = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) prod = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) })">object({…})</code> | | <code>{}</code> | |
|
||||||
| [vpn_onprem_primary_config](variables.tf#L240) | VPN gateway configuration for onprem interconnection in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
| [vpn_onprem_primary_config](variables.tf#L247) | VPN gateway configuration for onprem interconnection in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|||||||
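Review bot: the regenerated `dns` row shows `onprem_domains` defaulting to `[]` where the previous `onprem_domain` defaulted to `"onprem.example.com"`, which is a behaviour change for existing deployments: a tfvars file that only sets `resolvers` used to get an `onprem.example.com` forwarding zone, and after this change it gets none (and, with the new validation in `variables.tf`, fails to plan). The table itself is generated so there is nothing to edit in this hunk, but the change deserves a sentence in the README upgrade notes or in the `dns` variable description so that it surfaces in this table.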
@@ -20,6 +20,7 @@
|
|||||||
|
|
||||||
module "dev-dns-priv-example" {
|
module "dev-dns-priv-example" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
|
count = var.dns.gcp_domain != null ? 1 : 0
|
||||||
project_id = module.dev-spoke-project.project_id
|
project_id = module.dev-spoke-project.project_id
|
||||||
name = "dev-${replace(var.dns.gcp_domain, ".", "-")}"
|
name = "dev-${replace(var.dns.gcp_domain, ".", "-")}"
|
||||||
zone_config = {
|
zone_config = {
|
||||||
|
|||||||
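Review bot: adding `count` to `module "dev-dns-priv-example"` changes its address from `module.dev-dns-priv-example` to `module.dev-dns-priv-example[0]`, so an existing state will plan a destroy and recreate of the dev private zone unless a `moved` block accompanies it: `moved { from = module.dev-dns-priv-example to = module.dev-dns-priv-example[0] }`. Any other file in the stage that reads this module's outputs also needs the `[0]` index or `one(...)`, which this hunk does not show.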
@@ -16,18 +16,25 @@
|
|||||||
|
|
||||||
# tfdoc:file:description Landing DNS zones and peerings setup.
|
# tfdoc:file:description Landing DNS zones and peerings setup.
|
||||||
|
|
||||||
|
locals {
|
||||||
|
onprem_domain_map = { for i in var.dns.onprem_domains : i.domain => i }
|
||||||
|
}
|
||||||
|
|
||||||
# forwarding to on-prem DNS resolvers
|
# forwarding to on-prem DNS resolvers
|
||||||
|
|
||||||
module "landing-dns-fwd-onprem-example" {
|
module "landing-dns-fwd-onprem" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
count = length(var.dns.resolvers) > 0 ? 1 : 0
|
for_each = local.onprem_domain_map
|
||||||
project_id = module.landing-project.project_id
|
project_id = module.landing-project.project_id
|
||||||
name = replace(var.dns.onprem_domain, ".", "-")
|
name = replace(each.key, ".", "-")
|
||||||
zone_config = {
|
zone_config = {
|
||||||
domain = "${var.dns.onprem_domain}."
|
domain = "${each.key}."
|
||||||
forwarding = {
|
forwarding = {
|
||||||
client_networks = [module.landing-vpc.self_link]
|
client_networks = [module.landing-vpc.self_link]
|
||||||
forwarders = { for ip in var.dns.resolvers : ip => null }
|
forwarders = (each.value.overwrite_resolver == null ?
|
||||||
|
{ for ip in var.dns.resolvers : ip => null }
|
||||||
|
: { for ip in each.value.overwrite_resolver : ip => null }
|
||||||
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
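Review bot: `local.onprem_domain_map` is keyed on `i.domain`, so two entries in `var.dns.onprem_domains` with the same domain silently collapse into one (the last one wins) instead of failing validation; add a uniqueness check on the `dns` variable, e.g. `length(distinct([for d in var.dns.onprem_domains : d.domain])) == length(var.dns.onprem_domains)`. Separately, renaming the module from `landing-dns-fwd-onprem-example` to `landing-dns-fwd-onprem` and switching from `count` to `for_each` changes the resource address, so existing deployments will destroy and recreate the forwarding zone unless a `moved` block maps `module.landing-dns-fwd-onprem-example[0]` to `module.landing-dns-fwd-onprem["onprem.example.com"]` (or whatever domain the existing zone served). The multi-line conditional for `forwarders` is correct as written; `terraform fmt` will keep the layout.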
@@ -48,6 +55,7 @@ module "landing-dns-fwd-onprem-rev-10" {
|
|||||||
|
|
||||||
module "landing-dns-priv-gcp" {
|
module "landing-dns-priv-gcp" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
|
count = var.dns.gcp_domain != null ? 1 : 0
|
||||||
project_id = module.landing-project.project_id
|
project_id = module.landing-project.project_id
|
||||||
name = replace(var.dns.gcp_domain, ".", "-")
|
name = replace(var.dns.gcp_domain, ".", "-")
|
||||||
zone_config = {
|
zone_config = {
|
||||||
|
|||||||
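Review bot: the new `count` on `module "landing-dns-priv-gcp"` has the same state-address consequence as the spoke zones: `module.landing-dns-priv-gcp` becomes `module.landing-dns-priv-gcp[0]`, so add `moved { from = module.landing-dns-priv-gcp to = module.landing-dns-priv-gcp[0] }` to avoid recreating the landing private zone. Since this is the zone the spokes peer with, any reference to its outputs elsewhere in the stage must be updated to the indexed form as well; that is outside this hunk.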
@@ -20,6 +20,7 @@
|
|||||||
|
|
||||||
module "prod-dns-priv-example" {
|
module "prod-dns-priv-example" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
|
count = var.dns.gcp_domain != null ? 1 : 0
|
||||||
project_id = module.prod-spoke-project.project_id
|
project_id = module.prod-spoke-project.project_id
|
||||||
name = "prod-${replace(var.dns.gcp_domain, ".", "-")}"
|
name = "prod-${replace(var.dns.gcp_domain, ".", "-")}"
|
||||||
zone_config = {
|
zone_config = {
|
||||||
|
|||||||
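Review bot: same point as for the dev spoke: the new `count` changes the address to `module.prod-dns-priv-example[0]`, so add `moved { from = module.prod-dns-priv-example to = module.prod-dns-priv-example[0] }` and index any references to this module's outputs, otherwise the prod private zone is destroyed and recreated on the next apply.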
@@ -42,12 +42,19 @@ variable "alert_config" {
|
|||||||
variable "dns" {
|
variable "dns" {
|
||||||
description = "DNS configuration."
|
description = "DNS configuration."
|
||||||
type = object({
|
type = object({
|
||||||
gcp_domain = optional(string, "gcp.example.com")
|
gcp_domain = optional(string, "gcp.example.com")
|
||||||
onprem_domain = optional(string, "onprem.example.com")
|
onprem_domains = optional(list(object({
|
||||||
resolvers = optional(list(string), [])
|
domain = string
|
||||||
|
overwrite_resolver = optional(list(string), null)
|
||||||
|
})), [])
|
||||||
|
resolvers = optional(list(string), [])
|
||||||
})
|
})
|
||||||
default = {}
|
default = {}
|
||||||
nullable = false
|
nullable = false
|
||||||
|
validation {
|
||||||
|
condition = length(var.dns.onprem_domains) > 0 == length(var.dns.resolvers) > 0
|
||||||
|
error_message = "The 'resolvers' and 'onprem_domains' attributes must be used together. Please provide values for both or leave both empty."
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "essential_contacts" {
|
variable "essential_contacts" {
|
||||||
|
|||||||
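Review bot: the validation condition `length(var.dns.onprem_domains) > 0 == length(var.dns.resolvers) > 0` does parse as intended, because HCL binds `>` more tightly than `==`, but it reads as ambiguous; write it as `(length(var.dns.onprem_domains) > 0) == (length(var.dns.resolvers) > 0)`. The rule is also stricter than the feature needs: a configuration in which every entry sets `overwrite_resolver` has no use for the global `resolvers` list, yet it is rejected, so consider `length(var.dns.onprem_domains) == 0 || length(var.dns.resolvers) > 0 || alltrue([for d in var.dns.onprem_domains : d.overwrite_resolver != null])`. A second validation is missing for the empty-override case: `overwrite_resolver = []` passes the type check but is not `null`, so the forwarding zone gets an empty `forwarders` map; reject it with `alltrue([for d in var.dns.onprem_domains : d.overwrite_resolver == null || length(d.overwrite_resolver) > 0])`. Naming nit: `override_resolvers` is the conventional spelling and renaming later is a breaking change to the variable schema, so now is the time.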
@@ -331,9 +331,11 @@ The spokes can optionally define private zones (e.g. `prod-dns-private-zone`). G
|
|||||||
|
|
||||||
#### Cloud to on-prem
|
#### Cloud to on-prem
|
||||||
|
|
||||||
Leveraging the forwarding zone defined in the landing project (e.g. `onprem-example-dns-forwarding` and `reverse-10-dns-forwarding`), the cloud environment can resolve `in-addr.arpa.` and `onprem.example.com.` using the on-premise DNS infrastructure. On-premise resolver IPs are set in the variable `dns.onprem`.
|
Leveraging the forwarding zones defined on Landing (e.g. `landing-dns-fwd-onprem` and `landing-dns-fwd-onprem-rev-10`), the cloud environment can resolve `in-addr.arpa.` and domains defined in `var.dns.onprem_domain` using the on-premises DNS infrastructure. Onprem resolvers IPs are set in variable `var.dns.resolvers`.
|
||||||
|
|
||||||
DNS queries sent to the on-premise infrastructure come from the `35.199.192.0/19` source range.
|
Domains defined in `var.dns.onprem_domain` can also optionally overwrite the resolver IPs
|
||||||
|
|
||||||
|
DNS queries sent to the on-premises infrastructure come from the `35.199.192.0/19` source range, which is only accessible from within a VPC or networks connected to one.
|
||||||
|
|
||||||
#### On-prem to cloud
|
#### On-prem to cloud
|
||||||
|
|
||||||
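Review bot: this README has the same documentation mismatch as the other one: both new sentences reference `var.dns.onprem_domain`, while the attribute is `onprem_domains`; fix both, add the full stop after "overwrite the resolver IPs", and name `overwrite_resolver` as the attribute that does the override. The old text here said "on-premise" and the new text says "on-premises", which is the correct form, so that part is an improvement.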
@@ -566,20 +568,20 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|
|||||||
| [prefix](variables-fast.tf#L76) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
| [prefix](variables-fast.tf#L76) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | <code title="object({ vpn_tunnel_established = optional(object({ auto_close = optional(string, null) duration = optional(string, "120s") enabled = optional(bool, true) notification_channels = optional(list(string), []) user_labels = optional(map(string), {}) })) vpn_tunnel_bandwidth = optional(object({ auto_close = optional(string, null) duration = optional(string, "120s") enabled = optional(bool, true) notification_channels = optional(list(string), []) threshold_mbys = optional(string, "187.5") user_labels = optional(map(string), {}) })) })">object({…})</code> | | <code title="{ vpn_tunnel_established = {} vpn_tunnel_bandwidth = {} }">{…}</code> | |
|
| [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | <code title="object({ vpn_tunnel_established = optional(object({ auto_close = optional(string, null) duration = optional(string, "120s") enabled = optional(bool, true) notification_channels = optional(list(string), []) user_labels = optional(map(string), {}) })) vpn_tunnel_bandwidth = optional(object({ auto_close = optional(string, null) duration = optional(string, "120s") enabled = optional(bool, true) notification_channels = optional(list(string), []) threshold_mbys = optional(string, "187.5") user_labels = optional(map(string), {}) })) })">object({…})</code> | | <code title="{ vpn_tunnel_established = {} vpn_tunnel_bandwidth = {} }">{…}</code> | |
|
||||||
| [custom_roles](variables-fast.tf#L40) | Custom roles defined at the org level, in key => id format. | <code title="object({ project_iam_viewer = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
| [custom_roles](variables-fast.tf#L40) | Custom roles defined at the org level, in key => id format. | <code title="object({ project_iam_viewer = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||||
| [dns](variables.tf#L42) | DNS configuration. | <code title="object({ gcp_domain = optional(string, "gcp.example.com") onprem_domain = optional(string, "onprem.example.com") resolvers = optional(list(string), []) })">object({…})</code> | | <code>{}</code> | |
|
| [dns](variables.tf#L42) | DNS configuration. | <code title="object({ gcp_domain = optional(string, "gcp.example.com") onprem_domains = optional(list(object({ domain = string overwrite_resolver = optional(list(string), null) })), []) resolvers = optional(list(string), []) })">object({…})</code> | | <code>{}</code> | |
|
||||||
| [essential_contacts](variables.tf#L53) | Email used for essential contacts, unset if null. | <code>string</code> | | <code>null</code> | |
|
| [essential_contacts](variables.tf#L60) | Email used for essential contacts, unset if null. | <code>string</code> | | <code>null</code> | |
|
||||||
| [factories_config](variables.tf#L59) | Configuration for network resource factories. | <code title="object({ dashboards = optional(string, "data/dashboards") dns_policy_rules = optional(string, "data/dns-policy-rules.yaml") firewall = optional(object({ cidr_file = optional(string, "data/cidrs.yaml") classic_rules = optional(string, "data/firewall-rules") hierarchical = optional(object({ egress_rules = optional(string, "data/hierarchical-egress-rules.yaml") ingress_rules = optional(string, "data/hierarchical-ingress-rules.yaml") policy_name = optional(string, "net-default") }), {}) policy_rules = optional(string, "data/firewall-policies") }), {}) subnets = optional(string, "data/subnets") })">object({…})</code> | | <code>{}</code> | |
|
| [factories_config](variables.tf#L66) | Configuration for network resource factories. | <code title="object({ dashboards = optional(string, "data/dashboards") dns_policy_rules = optional(string, "data/dns-policy-rules.yaml") firewall = optional(object({ cidr_file = optional(string, "data/cidrs.yaml") classic_rules = optional(string, "data/firewall-rules") hierarchical = optional(object({ egress_rules = optional(string, "data/hierarchical-egress-rules.yaml") ingress_rules = optional(string, "data/hierarchical-ingress-rules.yaml") policy_name = optional(string, "net-default") }), {}) policy_rules = optional(string, "data/firewall-policies") }), {}) subnets = optional(string, "data/subnets") })">object({…})</code> | | <code>{}</code> | |
|
||||||
| [gcp_ranges](variables.tf#L80) | GCP address ranges in name => range format. | <code>map(string)</code> | | <code title="{ gcp_dev_primary = "10.68.0.0/16" gcp_dev_secondary = "10.84.0.0/16" gcp_regional_vpc_primary = "10.65.0.0/17" gcp_regional_vpc_secondary = "10.81.0.0/17" gcp_landing_primary = "10.64.0.0/17" gcp_landing_secondary = "10.80.0.0/17" gcp_dmz_primary = "10.64.128.0/17" gcp_dmz_secondary = "10.80.128.0/17" gcp_prod_primary = "10.72.0.0/16" gcp_prod_secondary = "10.88.0.0/16" }">{…}</code> | |
|
| [gcp_ranges](variables.tf#L87) | GCP address ranges in name => range format. | <code>map(string)</code> | | <code title="{ gcp_dev_primary = "10.68.0.0/16" gcp_dev_secondary = "10.84.0.0/16" gcp_regional_vpc_primary = "10.65.0.0/17" gcp_regional_vpc_secondary = "10.81.0.0/17" gcp_landing_primary = "10.64.0.0/17" gcp_landing_secondary = "10.80.0.0/17" gcp_dmz_primary = "10.64.128.0/17" gcp_dmz_secondary = "10.80.128.0/17" gcp_prod_primary = "10.72.0.0/16" gcp_prod_secondary = "10.88.0.0/16" }">{…}</code> | |
|
||||||
| [network_mode](variables.tf#L97) | Selection of the network design to deploy. | <code>string</code> | | <code>"simple"</code> | |
|
| [network_mode](variables.tf#L104) | Selection of the network design to deploy. | <code>string</code> | | <code>"simple"</code> | |
|
||||||
| [outputs_location](variables.tf#L108) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
| [outputs_location](variables.tf#L115) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||||
| [psa_ranges](variables.tf#L114) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | <code title="object({ dev = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) prod = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) })">object({…})</code> | | <code>{}</code> | |
|
| [psa_ranges](variables.tf#L121) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | <code title="object({ dev = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) prod = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) })">object({…})</code> | | <code>{}</code> | |
|
||||||
| [regions](variables.tf#L134) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
| [regions](variables.tf#L141) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
||||||
| [security_profile_groups](variables-fast.tf#L86) | Security profile group ids used for policy rule substitutions. | <code>map(string)</code> | | <code>{}</code> | <code>2-networking-ngfw</code> |
|
| [security_profile_groups](variables-fast.tf#L86) | Security profile group ids used for policy rule substitutions. | <code>map(string)</code> | | <code>{}</code> | <code>2-networking-ngfw</code> |
|
||||||
| [stage_configs](variables-fast.tf#L94) | FAST stage configuration. | <code title="object({ networking = optional(object({ short_name = optional(string) iam_admin_delegated = optional(map(list(string)), {}) iam_viewer = optional(map(list(string)), {}) }), {}) })">object({…})</code> | | <code>{}</code> | <code>1-resman</code> |
|
| [stage_configs](variables-fast.tf#L94) | FAST stage configuration. | <code title="object({ networking = optional(object({ short_name = optional(string) iam_admin_delegated = optional(map(list(string)), {}) iam_viewer = optional(map(list(string)), {}) }), {}) })">object({…})</code> | | <code>{}</code> | <code>1-resman</code> |
|
||||||
| [tag_values](variables-fast.tf#L108) | Root-level tag values. | <code>map(string)</code> | | <code>{}</code> | <code>1-resman</code> |
|
| [tag_values](variables-fast.tf#L108) | Root-level tag values. | <code>map(string)</code> | | <code>{}</code> | <code>1-resman</code> |
|
||||||
| [vpc_configs](variables.tf#L146) | Optional VPC network configurations. | <code title="object({ dev = optional(object({ mtu = optional(number, 1500) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) dmz = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) landing = optional(object({ mtu = optional(number, 1500) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) prod = optional(object({ mtu = optional(number, 1500) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) regional_primary = optional(object({ mtu = optional(number, 1500) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) regional_secondary = optional(object({ mtu = optional(number, 1500) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = 
optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) })">object({…})</code> | | <code>{}</code> | |
|
| [vpc_configs](variables.tf#L153) | Optional VPC network configurations. | <code title="object({ dev = optional(object({ mtu = optional(number, 1500) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) dmz = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) landing = optional(object({ mtu = optional(number, 1500) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) prod = optional(object({ mtu = optional(number, 1500) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) regional_primary = optional(object({ mtu = optional(number, 1500) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) regional_secondary = optional(object({ mtu = optional(number, 1500) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = 
optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) })">object({…})</code> | | <code>{}</code> | |
|
||||||
| [vpn_onprem_primary_config](variables.tf#L229) | VPN gateway configuration for onprem interconnection in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
| [vpn_onprem_primary_config](variables.tf#L236) | VPN gateway configuration for onprem interconnection in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||||
| [vpn_onprem_secondary_config](variables.tf#L272) | VPN gateway configuration for onprem interconnection in the secondary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
| [vpn_onprem_secondary_config](variables.tf#L279) | VPN gateway configuration for onprem interconnection in the secondary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|||||||
@@ -20,6 +20,7 @@
|
|||||||
|
|
||||||
module "dev-dns-priv-example" {
|
module "dev-dns-priv-example" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
|
count = var.dns.gcp_domain != null ? 1 : 0
|
||||||
project_id = module.dev-spoke-project.project_id
|
project_id = module.dev-spoke-project.project_id
|
||||||
name = "dev-${replace(var.dns.gcp_domain, ".", "-")}"
|
name = "dev-${replace(var.dns.gcp_domain, ".", "-")}"
|
||||||
zone_config = {
|
zone_config = {
|
||||||
|
|||||||
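Review bot: adding `count = var.dns.gcp_domain != null ? 1 : 0` changes this module's address from `module.dev-dns-priv-example` to `module.dev-dns-priv-example[0]`, so on an existing deployment Terraform will plan to destroy and recreate the private zone unless a `moved { from = module.dev-dns-priv-example to = module.dev-dns-priv-example[0] }` block is added alongside it. The same applies to every other private-zone module that gains `count` in this change (landing, prod, and both spokes of the second stage), and any reference to these modules' outputs elsewhere in the stage now needs the `[0]` index plus a guard for the zero-count case.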
@@ -16,15 +16,19 @@
|
|||||||
|
|
||||||
# tfdoc:file:description Landing DNS zones and peerings setup.
|
# tfdoc:file:description Landing DNS zones and peerings setup.
|
||||||
|
|
||||||
|
locals {
|
||||||
|
onprem_domain_map = { for i in var.dns.onprem_domains : i.domain => i }
|
||||||
|
}
|
||||||
|
|
||||||
# forwarding to on-prem DNS resolvers
|
# forwarding to on-prem DNS resolvers
|
||||||
|
|
||||||
module "landing-dns-fwd-onprem-example" {
|
module "landing-dns-fwd-onprem" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
count = length(var.dns.resolvers) > 0 ? 1 : 0
|
for_each = local.onprem_domain_map
|
||||||
project_id = module.landing-project.project_id
|
project_id = module.landing-project.project_id
|
||||||
name = replace(var.dns.onprem_domain, ".", "-")
|
name = replace(each.key, ".", "-")
|
||||||
zone_config = {
|
zone_config = {
|
||||||
domain = "${var.dns.onprem_domain}."
|
domain = "${each.key}."
|
||||||
forwarding = {
|
forwarding = {
|
||||||
client_networks = concat(
|
client_networks = concat(
|
||||||
[
|
[
|
||||||
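Review bot: renaming the module from `landing-dns-fwd-onprem-example` to `landing-dns-fwd-onprem` and replacing `count` with `for_each = local.onprem_domain_map` moves the existing forwarding zone from `module.landing-dns-fwd-onprem-example[0]` to `module.landing-dns-fwd-onprem["onprem.example.com"]` (for a deployment that used the old default domain), which Terraform will treat as a destroy and recreate; add a `moved` block for that address so on-prem name resolution does not drop during the apply. Note also that the removed `count = length(var.dns.resolvers) > 0 ? 1 : 0` guard is now replaced entirely by the variable validation, so the module itself no longer protects against an empty forwarder set.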
@@ -37,7 +41,10 @@ module "landing-dns-fwd-onprem-example" {
|
|||||||
module.regional-secondary-vpc[0].self_link
|
module.regional-secondary-vpc[0].self_link
|
||||||
] : []
|
] : []
|
||||||
)
|
)
|
||||||
forwarders = { for ip in var.dns.resolvers : ip => null }
|
forwarders = (each.value.overwrite_resolver == null ?
|
||||||
|
{ for ip in var.dns.resolvers : ip => null }
|
||||||
|
: { for ip in each.value.overwrite_resolver : ip => null }
|
||||||
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
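Review bot: the `forwarders` conditional only falls back to `var.dns.resolvers` when `overwrite_resolver` is `null`; since the attribute is typed `optional(list(string), null)`, an explicit `overwrite_resolver = []` passes the variable validation but yields an empty `forwarders` map, and a forwarding zone with no targets fails at apply time. Defaulting the attribute to `[]` and writing `forwarders = { for ip in coalescelist(each.value.overwrite_resolver, var.dns.resolvers) : ip => null }` treats an omitted and an empty override the same way and also removes the three-line ternary.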
@@ -68,6 +75,7 @@ module "landing-dns-fwd-onprem-rev-10" {
|
|||||||
|
|
||||||
module "landing-dns-priv-gcp" {
|
module "landing-dns-priv-gcp" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
|
count = var.dns.gcp_domain != null ? 1 : 0
|
||||||
project_id = module.landing-project.project_id
|
project_id = module.landing-project.project_id
|
||||||
name = replace(var.dns.gcp_domain, ".", "-")
|
name = replace(var.dns.gcp_domain, ".", "-")
|
||||||
zone_config = {
|
zone_config = {
|
||||||
|
|||||||
@@ -20,6 +20,7 @@
|
|||||||
|
|
||||||
module "prod-dns-priv-example" {
|
module "prod-dns-priv-example" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
|
count = var.dns.gcp_domain != null ? 1 : 0
|
||||||
project_id = module.prod-spoke-project.project_id
|
project_id = module.prod-spoke-project.project_id
|
||||||
name = "prod-${replace(var.dns.gcp_domain, ".", "-")}"
|
name = "prod-${replace(var.dns.gcp_domain, ".", "-")}"
|
||||||
zone_config = {
|
zone_config = {
|
||||||
|
|||||||
@@ -42,12 +42,19 @@ variable "alert_config" {
|
|||||||
variable "dns" {
|
variable "dns" {
|
||||||
description = "DNS configuration."
|
description = "DNS configuration."
|
||||||
type = object({
|
type = object({
|
||||||
gcp_domain = optional(string, "gcp.example.com")
|
gcp_domain = optional(string, "gcp.example.com")
|
||||||
onprem_domain = optional(string, "onprem.example.com")
|
onprem_domains = optional(list(object({
|
||||||
resolvers = optional(list(string), [])
|
domain = string
|
||||||
|
overwrite_resolver = optional(list(string), null)
|
||||||
|
})), [])
|
||||||
|
resolvers = optional(list(string), [])
|
||||||
})
|
})
|
||||||
default = {}
|
default = {}
|
||||||
nullable = false
|
nullable = false
|
||||||
|
validation {
|
||||||
|
condition = length(var.dns.onprem_domains) > 0 == length(var.dns.resolvers) > 0
|
||||||
|
error_message = "The 'resolvers' and 'onprem_domains' attributes must be used together. Please provide values for both or leave both empty."
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "essential_contacts" {
|
variable "essential_contacts" {
|
||||||
|
|||||||
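Review bot: the unchanged `gcp_domain = optional(string, "gcp.example.com")` at the top of this hunk undermines the new `count = var.dns.gcp_domain != null ? 1 : 0` guards in the dns-*.tf files: Terraform substitutes an `optional()` default for a null value as well as for an omitted one, so a user setting `gcp_domain = null` still receives `gcp.example.com` and the private zones are always created. To make the domain genuinely optional, as the commit message intends, declare it as `optional(string)` with no default and put the example value in the tfvars instead. Two smaller points on the new validation: `length(var.dns.onprem_domains) > 0 == length(var.dns.resolvers) > 0` works only because `>` binds tighter than `==`, so parenthesising both sides would make the intent explicit; and it still rejects a configuration in which every domain carries its own `overwrite_resolver` and the global `resolvers` list is left empty, which the new per-domain override seems meant to allow.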
@@ -364,18 +364,18 @@ Regions are defined via the `regions` variable which sets up a mapping between t
|
|||||||
| [prefix](variables-fast.tf#L76) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
| [prefix](variables-fast.tf#L76) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | <code title="object({ vpn_tunnel_established = optional(object({ auto_close = optional(string, null) duration = optional(string, "120s") enabled = optional(bool, true) notification_channels = optional(list(string), []) user_labels = optional(map(string), {}) })) vpn_tunnel_bandwidth = optional(object({ auto_close = optional(string, null) duration = optional(string, "120s") enabled = optional(bool, true) notification_channels = optional(list(string), []) threshold_mbys = optional(string, "187.5") user_labels = optional(map(string), {}) })) })">object({…})</code> | | <code title="{ vpn_tunnel_established = {} vpn_tunnel_bandwidth = {} }">{…}</code> | |
|
| [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | <code title="object({ vpn_tunnel_established = optional(object({ auto_close = optional(string, null) duration = optional(string, "120s") enabled = optional(bool, true) notification_channels = optional(list(string), []) user_labels = optional(map(string), {}) })) vpn_tunnel_bandwidth = optional(object({ auto_close = optional(string, null) duration = optional(string, "120s") enabled = optional(bool, true) notification_channels = optional(list(string), []) threshold_mbys = optional(string, "187.5") user_labels = optional(map(string), {}) })) })">object({…})</code> | | <code title="{ vpn_tunnel_established = {} vpn_tunnel_bandwidth = {} }">{…}</code> | |
|
||||||
| [custom_roles](variables-fast.tf#L40) | Custom roles defined at the org level, in key => id format. | <code title="object({ project_iam_viewer = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
| [custom_roles](variables-fast.tf#L40) | Custom roles defined at the org level, in key => id format. | <code title="object({ project_iam_viewer = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||||
| [dns](variables.tf#L42) | DNS configuration. | <code title="object({ gcp_domain = optional(string, "gcp.example.com") onprem_domain = optional(string, "onprem.example.com") dev_resolvers = optional(list(string), []) prod_resolvers = optional(list(string), []) })">object({…})</code> | | <code>{}</code> | |
|
| [dns](variables.tf#L42) | DNS configuration. | <code title="object({ gcp_domain = optional(string, "gcp.example.com") onprem_domains = optional(list(object({ domain = string overwrite_resolver = optional(list(string), null) })), []) dev_resolvers = optional(list(string), []) prod_resolvers = optional(list(string), []) })">object({…})</code> | | <code>{}</code> | |
|
||||||
| [essential_contacts](variables.tf#L54) | Email used for essential contacts, unset if null. | <code>string</code> | | <code>null</code> | |
|
| [essential_contacts](variables.tf#L75) | Email used for essential contacts, unset if null. | <code>string</code> | | <code>null</code> | |
|
||||||
| [factories_config](variables.tf#L60) | Configuration for network resource factories. | <code title="object({ dashboards = optional(string, "data/dashboards") dns_policy_rules = optional(string, "data/dns-policy-rules.yaml") firewall = optional(object({ cidr_file = optional(string, "data/cidrs.yaml") classic_rules = optional(string, "data/firewall-rules") hierarchical = optional(object({ egress_rules = optional(string, "data/hierarchical-egress-rules.yaml") ingress_rules = optional(string, "data/hierarchical-ingress-rules.yaml") policy_name = optional(string, "net-default") }), {}) policy_rules = optional(string, "data/firewall-policies") }), {}) subnets = optional(string, "data/subnets") })">object({…})</code> | | <code>{}</code> | |
|
| [factories_config](variables.tf#L81) | Configuration for network resource factories. | <code title="object({ dashboards = optional(string, "data/dashboards") dns_policy_rules = optional(string, "data/dns-policy-rules.yaml") firewall = optional(object({ cidr_file = optional(string, "data/cidrs.yaml") classic_rules = optional(string, "data/firewall-rules") hierarchical = optional(object({ egress_rules = optional(string, "data/hierarchical-egress-rules.yaml") ingress_rules = optional(string, "data/hierarchical-ingress-rules.yaml") policy_name = optional(string, "net-default") }), {}) policy_rules = optional(string, "data/firewall-policies") }), {}) subnets = optional(string, "data/subnets") })">object({…})</code> | | <code>{}</code> | |
|
||||||
| [outputs_location](variables.tf#L81) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
| [outputs_location](variables.tf#L102) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||||
| [psa_ranges](variables.tf#L87) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) prod = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) })">object({…})</code> | | <code>{}</code> | |
|
| [psa_ranges](variables.tf#L108) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) prod = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) })">object({…})</code> | | <code>{}</code> | |
|
||||||
| [regions](variables.tf#L107) | Region definitions. | <code title="object({ primary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" }">{…}</code> | |
|
| [regions](variables.tf#L128) | Region definitions. | <code title="object({ primary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" }">{…}</code> | |
|
||||||
| [security_profile_groups](variables-fast.tf#L86) | Security profile group ids used for policy rule substitutions. | <code>map(string)</code> | | <code>{}</code> | <code>2-networking-ngfw</code> |
|
| [security_profile_groups](variables-fast.tf#L86) | Security profile group ids used for policy rule substitutions. | <code>map(string)</code> | | <code>{}</code> | <code>2-networking-ngfw</code> |
|
||||||
| [stage_configs](variables-fast.tf#L94) | FAST stage configuration. | <code title="object({ networking = optional(object({ short_name = optional(string) iam_admin_delegated = optional(map(list(string)), {}) iam_viewer = optional(map(list(string)), {}) }), {}) })">object({…})</code> | | <code>{}</code> | <code>1-resman</code> |
|
| [stage_configs](variables-fast.tf#L94) | FAST stage configuration. | <code title="object({ networking = optional(object({ short_name = optional(string) iam_admin_delegated = optional(map(list(string)), {}) iam_viewer = optional(map(list(string)), {}) }), {}) })">object({…})</code> | | <code>{}</code> | <code>1-resman</code> |
|
||||||
| [tag_values](variables-fast.tf#L108) | Root-level tag values. | <code>map(string)</code> | | <code>{}</code> | <code>1-resman</code> |
|
| [tag_values](variables-fast.tf#L108) | Root-level tag values. | <code>map(string)</code> | | <code>{}</code> | <code>1-resman</code> |
|
||||||
| [vpc_configs](variables.tf#L117) | Optional VPC network configurations. | <code title="object({ dev = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) prod = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) })">object({…})</code> | | <code>{}</code> | |
|
| [vpc_configs](variables.tf#L138) | Optional VPC network configurations. | <code title="object({ dev = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) prod = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) })">object({…})</code> | | <code>{}</code> | |
|
||||||
| [vpn_onprem_dev_primary_config](variables.tf#L155) | VPN gateway configuration for onprem interconnection from dev in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
| [vpn_onprem_dev_primary_config](variables.tf#L176) | VPN gateway configuration for onprem interconnection from dev in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||||
| [vpn_onprem_prod_primary_config](variables.tf#L198) | VPN gateway configuration for onprem interconnection from prod in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
| [vpn_onprem_prod_primary_config](variables.tf#L219) | VPN gateway configuration for onprem interconnection from prod in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|||||||
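Review bot: in the generated `dns` row the new nested attribute is `overwrite_resolver = optional(list(string), null)`, a singular name holding a list, sitting next to `dev_resolvers` and `prod_resolvers`; naming it `resolvers` (or at least `overwrite_resolvers`) inside the object would keep the variable self-consistent and make the tfvars examples read naturally. Since this table is tfdoc-generated, the prose section of this README that describes on-prem forwarding should also be checked to ensure it mentions the per-domain override.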
@@ -20,6 +20,7 @@
|
|||||||
|
|
||||||
module "dev-dns-private-zone" {
|
module "dev-dns-private-zone" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
|
count = var.dns.gcp_domain != null ? 1 : 0
|
||||||
project_id = module.dev-spoke-project.project_id
|
project_id = module.dev-spoke-project.project_id
|
||||||
name = "dev-${replace(var.dns.gcp_domain, ".", "-")}"
|
name = "dev-${replace(var.dns.gcp_domain, ".", "-")}"
|
||||||
zone_config = {
|
zone_config = {
|
||||||
@@ -33,16 +34,19 @@ module "dev-dns-private-zone" {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
module "dev-dns-fwd-onprem-example" {
|
module "dev-dns-fwd-onprem" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
count = length(var.dns.dev_resolvers) > 0 ? 1 : 0
|
for_each = local.onprem_domain_map
|
||||||
project_id = module.dev-spoke-project.project_id
|
project_id = module.dev-spoke-project.project_id
|
||||||
name = "example-com"
|
name = replace(each.key, ".", "-")
|
||||||
zone_config = {
|
zone_config = {
|
||||||
domain = "onprem.example.com."
|
domain = "${each.key}."
|
||||||
forwarding = {
|
forwarding = {
|
||||||
client_networks = [module.dev-spoke-vpc.self_link]
|
client_networks = [module.dev-spoke-vpc.self_link]
|
||||||
forwarders = { for ip in var.dns.dev_resolvers : ip => null }
|
forwarders = (each.value.overwrite_resolver == null ?
|
||||||
|
{ for ip in var.dns.dev_resolvers : ip => null }
|
||||||
|
: { for ip in each.value.overwrite_resolver : ip => null }
|
||||||
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
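Review bot: besides the address change from `module.dev-dns-fwd-onprem-example[0]` to `module.dev-dns-fwd-onprem["<domain>"]` (a `moved` block is needed here as in the landing stage), this hunk exposes a design gap: the fallback path uses the environment-specific `var.dns.dev_resolvers` (and `prod_resolvers` in the sibling prod hunk), but `each.value.overwrite_resolver` is a single list shared by both environments, so a domain that needs different resolvers in dev and prod cannot be expressed. Either make the override per environment (for example `overwrite_resolver = optional(object({ dev = ..., prod = ... }))`) or document that an override applies to both spokes.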
@@ -20,6 +20,7 @@
|
|||||||
|
|
||||||
module "prod-dns-private-zone" {
|
module "prod-dns-private-zone" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
|
count = var.dns.gcp_domain != null ? 1 : 0
|
||||||
project_id = module.prod-spoke-project.project_id
|
project_id = module.prod-spoke-project.project_id
|
||||||
name = "prod-${replace(var.dns.gcp_domain, ".", "-")}"
|
name = "prod-${replace(var.dns.gcp_domain, ".", "-")}"
|
||||||
zone_config = {
|
zone_config = {
|
||||||
@@ -33,16 +34,19 @@ module "prod-dns-private-zone" {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
module "prod-dns-fwd-onprem-example" {
|
module "prod-dns-fwd-onprem" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
count = length(var.dns.prod_resolvers) > 0 ? 1 : 0
|
for_each = local.onprem_domain_map
|
||||||
project_id = module.prod-spoke-project.project_id
|
project_id = module.prod-spoke-project.project_id
|
||||||
name = "example-com"
|
name = replace(each.key, ".", "-")
|
||||||
zone_config = {
|
zone_config = {
|
||||||
domain = "onprem.example.com."
|
domain = "${each.key}."
|
||||||
forwarding = {
|
forwarding = {
|
||||||
client_networks = [module.prod-spoke-vpc.self_link]
|
client_networks = [module.prod-spoke-vpc.self_link]
|
||||||
forwarders = { for ip in var.dns.prod_resolvers : ip => null }
|
forwarders = (each.value.overwrite_resolver == null ?
|
||||||
|
{ for ip in var.dns.prod_resolvers : ip => null }
|
||||||
|
: { for ip in each.value.overwrite_resolver : ip => null }
|
||||||
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -36,6 +36,7 @@ locals {
|
|||||||
iam_viewer = try(
|
iam_viewer = try(
|
||||||
var.stage_configs["networking"].iam_viewer, {}
|
var.stage_configs["networking"].iam_viewer, {}
|
||||||
)
|
)
|
||||||
|
onprem_domain_map = { for i in var.dns.onprem_domains : i.domain => i }
|
||||||
# combine all regions from variables and subnets
|
# combine all regions from variables and subnets
|
||||||
regions = distinct(concat(
|
regions = distinct(concat(
|
||||||
values(var.regions),
|
values(var.regions),
|
||||||
|
|||||||
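Review bot: `onprem_domain_map = { for i in var.dns.onprem_domains : i.domain => i }` fails at plan time with a duplicate-key error if the same domain is listed twice, and two entries differing only in case or a trailing dot are silently treated as distinct zones whose names (`replace(each.key, ".", "-")`) may then collide. A validation on the variable such as `length(distinct(var.dns.onprem_domains[*].domain)) == length(var.dns.onprem_domains)` with a clear error message, together with normalising the key (`lower(trimsuffix(i.domain, "."))`), would catch both cases before apply.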
@@ -42,13 +42,34 @@ variable "alert_config" {
|
|||||||
variable "dns" {
|
variable "dns" {
|
||||||
description = "DNS configuration."
|
description = "DNS configuration."
|
||||||
type = object({
|
type = object({
|
||||||
gcp_domain = optional(string, "gcp.example.com")
|
gcp_domain = optional(string, "gcp.example.com")
|
||||||
onprem_domain = optional(string, "onprem.example.com")
|
onprem_domains = optional(list(object({
|
||||||
|
domain = string
|
||||||
|
overwrite_resolver = optional(list(string), null)
|
||||||
|
})), [])
|
||||||
dev_resolvers = optional(list(string), [])
|
dev_resolvers = optional(list(string), [])
|
||||||
prod_resolvers = optional(list(string), [])
|
prod_resolvers = optional(list(string), [])
|
||||||
})
|
})
|
||||||
default = {}
|
default = {}
|
||||||
nullable = false
|
nullable = false
|
||||||
|
validation {
|
||||||
|
condition = !contains(
|
||||||
|
[
|
||||||
|
length(var.dns.onprem_domains) > 0,
|
||||||
|
length(var.dns.dev_resolvers) > 0,
|
||||||
|
length(var.dns.prod_resolvers) > 0
|
||||||
|
],
|
||||||
|
true
|
||||||
|
) || !contains(
|
||||||
|
[
|
||||||
|
length(var.dns.onprem_domains) > 0,
|
||||||
|
length(var.dns.dev_resolvers) > 0,
|
||||||
|
length(var.dns.prod_resolvers) > 0
|
||||||
|
],
|
||||||
|
false
|
||||||
|
)
|
||||||
|
error_message = "The 'onprem_domains', 'dev_resolvers', and 'prod_resolvers' attributes must all be specified together. Please provide values for all three, or leave all three empty."
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "essential_contacts" {
|
variable "essential_contacts" {
|
||||||
|
|||||||
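Review bot: the new `validation` block only ties `onprem_domains`, `dev_resolvers` and `prod_resolvers` together and says nothing about `overwrite_resolver`, so `{ domain = "x", overwrite_resolver = [] }` passes validation even though it produces a forwarding zone with no targets. Add a second condition such as `alltrue([for d in var.dns.onprem_domains : try(length(d.overwrite_resolver) > 0, d.overwrite_resolver == null)])` with its own error message. The `!contains([...], true) || !contains([...], false)` pair reads more clearly as `alltrue([...]) || !anytrue([...])`. Two documentation points: the `description` is still just "DNS configuration." and should state that `overwrite_resolver` replaces the environment resolvers for that domain only; and the commit message says `gcp_domain` is now optional and not created when null, but the default shown here is still `"gcp.example.com"`, so the zone is created unless a caller explicitly passes `gcp_domain = null`, which is worth spelling out.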
@@ -9,6 +9,9 @@ custom_roles = {
|
|||||||
service_project_network_admin = "organizations/123456789012/roles/foo"
|
service_project_network_admin = "organizations/123456789012/roles/foo"
|
||||||
}
|
}
|
||||||
dns = {
|
dns = {
|
||||||
|
onprem_domains = [
|
||||||
|
{ domain = "onprem.example.com" }
|
||||||
|
]
|
||||||
resolvers = ["10.10.10.10"]
|
resolvers = ["10.10.10.10"]
|
||||||
}
|
}
|
||||||
environments = {
|
environments = {
|
||||||
|
|||||||
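Review bot: this fixture keeps `resolvers = ["10.10.10.10"]`, while the `dns` variable changed in this commit (the `@@ -42,13 +42,34 @@` hunk) declares only `dev_resolvers` and `prod_resolvers` and its validation requires those to be non-empty whenever `onprem_domains` is set. If this fixture feeds that variable, Terraform drops the undeclared `resolvers` attribute on conversion and the validation fails; if it targets a stage variant whose `dns` variable still has `resolvers`, that variable needs the matching `onprem_domains` attribute for `onprem_domains = [...]` to be accepted. Worth confirming with a `terraform validate` run per fixture before merge.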
@@ -9,6 +9,9 @@ custom_roles = {
|
|||||||
service_project_network_admin = "organizations/123456789012/roles/foo"
|
service_project_network_admin = "organizations/123456789012/roles/foo"
|
||||||
}
|
}
|
||||||
dns = {
|
dns = {
|
||||||
|
onprem_domains = [
|
||||||
|
{ domain = "onprem.example.com" }
|
||||||
|
]
|
||||||
resolvers = ["10.10.10.10"]
|
resolvers = ["10.10.10.10"]
|
||||||
}
|
}
|
||||||
environments = {
|
environments = {
|
||||||
|
|||||||
@@ -9,6 +9,9 @@ custom_roles = {
|
|||||||
service_project_network_admin = "organizations/123456789012/roles/foo"
|
service_project_network_admin = "organizations/123456789012/roles/foo"
|
||||||
}
|
}
|
||||||
dns = {
|
dns = {
|
||||||
|
onprem_domains = [
|
||||||
|
{ domain = "onprem.example.com" }
|
||||||
|
]
|
||||||
resolvers = ["10.10.10.10"]
|
resolvers = ["10.10.10.10"]
|
||||||
}
|
}
|
||||||
environments = {
|
environments = {
|
||||||
|
|||||||
@@ -9,6 +9,9 @@ custom_roles = {
|
|||||||
service_project_network_admin = "organizations/123456789012/roles/foo"
|
service_project_network_admin = "organizations/123456789012/roles/foo"
|
||||||
}
|
}
|
||||||
dns = {
|
dns = {
|
||||||
|
onprem_domains = [
|
||||||
|
{ domain = "onprem.example.com" }
|
||||||
|
]
|
||||||
resolvers = ["10.10.10.10"]
|
resolvers = ["10.10.10.10"]
|
||||||
}
|
}
|
||||||
enable_test_instances = true
|
enable_test_instances = true
|
||||||
|
|||||||
@@ -9,6 +9,9 @@ custom_roles = {
|
|||||||
service_project_network_admin = "organizations/123456789012/roles/foo"
|
service_project_network_admin = "organizations/123456789012/roles/foo"
|
||||||
}
|
}
|
||||||
dns = {
|
dns = {
|
||||||
|
onprem_domains = [
|
||||||
|
{ domain = "onprem.example.com" }
|
||||||
|
]
|
||||||
resolvers = ["10.10.10.10"]
|
resolvers = ["10.10.10.10"]
|
||||||
}
|
}
|
||||||
enable_test_instances = true
|
enable_test_instances = true
|
||||||
|
|||||||
@@ -9,6 +9,9 @@ custom_roles = {
|
|||||||
service_project_network_admin = "organizations/123456789012/roles/foo"
|
service_project_network_admin = "organizations/123456789012/roles/foo"
|
||||||
}
|
}
|
||||||
dns = {
|
dns = {
|
||||||
|
onprem_domains = [
|
||||||
|
{ domain = "onprem.example.com" }
|
||||||
|
]
|
||||||
resolvers = ["10.10.10.10"]
|
resolvers = ["10.10.10.10"]
|
||||||
}
|
}
|
||||||
enable_test_instances = true
|
enable_test_instances = true
|
||||||
|
|||||||
@@ -9,6 +9,9 @@ custom_roles = {
|
|||||||
service_project_network_admin = "organizations/123456789012/roles/foo"
|
service_project_network_admin = "organizations/123456789012/roles/foo"
|
||||||
}
|
}
|
||||||
dns = {
|
dns = {
|
||||||
|
onprem_domains = [
|
||||||
|
{ domain = "onprem.example.com" }
|
||||||
|
]
|
||||||
dev_resolvers = ["10.10.10.10"]
|
dev_resolvers = ["10.10.10.10"]
|
||||||
prod_resolvers = ["10.20.10.10"]
|
prod_resolvers = ["10.20.10.10"]
|
||||||
}
|
}
|
||||||
|
|||||||
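Review bot: this fixture only exercises the default path, since no entry sets `overwrite_resolver`, so the new conditional in `forwarders` is never evaluated with an override in the test plan. Consider adding a second entry, e.g. `{ domain = "other.example.com", overwrite_resolver = ["10.30.10.10"] }`, so the plan output shows one forwarding zone targeting `dev_resolvers`/`prod_resolvers` and one targeting the per-domain override.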