Merge remote-tracking branch 'origin/master' into fast-dev

This commit is contained in:
Ludovico Magnocavallo
2026-03-26 16:15:17 +00:00
426 changed files with 6719 additions and 2239 deletions


@@ -50,14 +50,14 @@ module "service-accounts" {
}
module "instances" {
source = "../../../modules/compute-vm"
for_each = { for k in local.instances : k.name => k }
project_id = each.value.project_id
zone = each.value.zone
name = each.key
instance_type = each.value.type
source = "../../../modules/compute-vm"
for_each = { for k in local.instances : k.name => k }
project_id = each.value.project_id
zone = each.value.zone
name = each.key
machine_type = each.value.type
boot_disk = {
initialize_params = {
source = {
image = each.value.image
}
}


@@ -25,7 +25,7 @@ output "instance_ssh" {
description = "Instance SSH commands."
value = {
for k, v in module.instances : k => (
"gcloud compute ssh ${k} --project ${v.instance.project} --zone ${v.instance.zone}"
"gcloud compute ssh ${k} --project ${nonsensitive(v.instance.project)} --zone ${nonsensitive(v.instance.zone)}"
)
}
}
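Review bot: `nonsensitive()` in the rewritten `instance_ssh` value strips the sensitivity mark from the instance project and zone before they are interpolated into the command string, which is what makes the output printable, but nothing in the file says why unmarking is acceptable here, so a later reader cannot tell a deliberate decision from a quick fix for a "sensitive value in output" error. A one-line comment above the `for` would settle it: `# project and zone are marked sensitive upstream but are not secrets; unmarking keeps the output readable`. It is also worth confirming, against the minimum Terraform version the stage pins, how `nonsensitive()` behaves if the upstream module ever stops marking these values, since the output would then depend on that behaviour.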


@@ -70,7 +70,7 @@ group with source ref:
```hcl
modules_config = {
project_name = "modules"
key_config = {
key_config = {
create_key = true
create_secrets = true
}
@@ -86,7 +86,7 @@ repository:
```hcl
modules_config = {
project_name = "modules"
key_config = {
key_config = {
create_key = true
create_secrets = true
}
@@ -106,11 +106,11 @@ deploy key in the modules project, and as secrets in the stage repositories:
```hcl
modules_config = {
project_name = "modules"
key_config = {
key_config = {
create_key = true
create_secrets = true
}
group = "shared"
group = "shared"
key_config = {
create_key = true
create_secrets = true
@@ -127,11 +127,11 @@ and new repositories need to be created and their corresponding secret set:
```hcl
modules_config = {
project_name = "modules"
key_config = {
key_config = {
create_key = true
create_secrets = true
}
group = "shared"
group = "shared"
key_config = {
create_secrets = true
keypair_path = "~/modules-repository-key"


@@ -68,17 +68,19 @@ module "secret" {
}
module "instance" {
source = "../../../../modules/compute-vm"
count = local.create_instance ? 1 : 0
project_id = var.project_id
zone = "${var.location}-${var.instance_config.zone}"
name = "${var.name}-agent"
instance_type = "e2-micro"
source = "../../../../modules/compute-vm"
count = local.create_instance ? 1 : 0
project_id = var.project_id
zone = "${var.location}-${var.instance_config.zone}"
name = "${var.name}-agent"
machine_type = "e2-micro"
boot_disk = {
auto_delete = false
initialize_params = {
source = {
image = "projects/cos-cloud/global/images/family/cos-117-lts"
size = 10
}
initialize_params = {
size = 10
}
}
network_interfaces = [{


@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# Fabric release: v54.0.0
# Fabric release: v54.1.0
terraform {
required_version = ">= 1.12.2"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
module_name = "google-pso-tool/cloud-foundation-fabric/fast/project-templates/managed-kafka:v54.0.0-tf"
module_name = "google-pso-tool/cloud-foundation-fabric/fast/project-templates/managed-kafka:v54.1.0-tf"
}
provider_meta "google-beta" {
module_name = "google-pso-tool/cloud-foundation-fabric/fast/project-templates/managed-kafka:v54.0.0-tf"
module_name = "google-pso-tool/cloud-foundation-fabric/fast/project-templates/managed-kafka:v54.1.0-tf"
}
}


@@ -14,7 +14,7 @@
# limitations under the License.
google-cloud-pubsub
requests==2.32.4
requests==2.33.0
jwt==1.3.1
google-auth
google-cloud-secret-manager


@@ -681,7 +681,7 @@ CI/CD support is implemented via two different sets of configurations:
The default approach is to define a Workload Identity provider in the `iac-0` project, or in an additional project dedicated to this task. This is achieved by adding a `workload_identity_pools` block to the project configuration, like in the following example.
```yaml
# projects/iac-0.yaml
# projects/core/iac-0.yaml
workload_identity_pools:
default:
@@ -703,6 +703,34 @@ workload_identity_pools:
The above configuration can be easily extended to support multiple pools and providers, and is not limited to OpenId Connect but can also leverage other provider types. Check the project module or project schema for the full interface.
In the `iac-0` project you can find a sample configuration for 0-org-setup stage service accounts dedicated for CI/CD operations:
```yaml
# projects/core/iac-0.yaml
service_accounts:
# IaC service accounts for this stage
iac-org-ro:
display_name: IaC service account for org setup (read-only).
iac-org-rw:
display_name: IaC service account for org setup (read-write).
# CI/CD service accounts for this stage
iac-org-cicd-ro:
display_name: IaC service account for org setup CI/CD (read-only).
iam_sa_roles:
$service_account_ids:iac-0/iac-org-ro:
- roles/iam.workloadIdentityUser
- roles/iam.serviceAccountTokenCreator
iac-org-cicd-rw:
display_name: IaC service account for org setup CI/CD (read-write).
iam_sa_roles:
$service_account_ids:iac-0/iac-org-rw:
- roles/iam.workloadIdentityUser
- roles/iam.serviceAccountTokenCreator
```
You need to extend this configuration to all other stages that you plan to use in your deployment and add permissions to IaC service account dedicated for specific stage.
Once one or more providers have been defined they can be referenced in the CI/CD configuration file. The following example defines a workflow configuration for this stage.
```yaml


@@ -84,7 +84,8 @@ compute.trustedImageProjects:
- "is:projects/gke-node-images"
- "is:projects/gke-windows-node-images"
- "is:projects/ubuntu-os-gke-cloud"
- "is:projects/rocky-linux-accelerator-cloud"
- "is:projects/ubuntu-os-accelerator-images"
compute.vmExternalIpAccess:
rules:
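Review bot: Two new image projects are appended to the `compute.trustedImageProjects` allowlist without a comment stating which workloads need them, and the same two lines are added to a second allowlist later in this commit (the hunk ending at L247), so the lists are evidently maintained by hand in parallel. This constraint is what stops a project from booting an image from an arbitrary source, so each entry should say why it is trusted, e.g. `# accelerator (GPU) optimised images: Rocky Linux, Ubuntu` above the two lines, plus a `# keep in sync with <sibling org-policy file>` note in both files. Whether the second file is a copy of this one or a different stage's defaults is not visible here.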


@@ -15,10 +15,11 @@
# yaml-language-server: $schema=../../../../schemas/folder.schema.json
name: Data Platform
org_policies:
custom.iamDisableAdminServiceAccount:
rules:
- enforce: false
custom.iamDisableProjectServiceAccountImpersonationRoles:
rules:
- enforce: false
# To enforce once the constraints are provisionned
# org_policies:
# custom.iamDisableAdminServiceAccount:
# rules:
# - enforce: false
# custom.iamDisableProjectServiceAccountImpersonationRoles:
# rules:
# - enforce: false
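Review bot: The comment `# To enforce once the constraints are provisionned` does not match what it guards: both rules carry `enforce: false`, so uncommenting them would exempt the Data Platform folder from the two custom IAM constraints rather than enforce them, and the misspelling of "provisioned" is repeated in the later hunk ending at L261. Suggest `# Folder-level exemptions; uncomment once the custom constraints exist` here, and `# Uncomment to enforce once the custom constraint is provisioned` for the bucket-versioning rule at L261, where `enforce: true` makes the original wording right. If `org_policies:` stays in the file with its whole body commented out, the key is left with a null value, which is worth checking against the folder schema referenced at the top of the file.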


@@ -48,7 +48,7 @@ alerts:
mime_type: text/markdown
logging_metrics:
storageIamChanges:
bucket_name: l$log_buckets:log-0/audit-logs
bucket_name: $log_buckets:log-0/audit-logs
description: Cloud Storage IAM Permission Changes
filter: resource.type="gcs_bucket" AND protoPayload.methodName="storage.setIamPermissions"
label_extractors:


@@ -118,6 +118,8 @@ compute.trustedImageProjects:
- "is:projects/gke-node-images"
- "is:projects/gke-windows-node-images"
- "is:projects/ubuntu-os-gke-cloud"
- "is:projects/rocky-linux-accelerator-cloud"
- "is:projects/ubuntu-os-accelerator-images"
compute.vmExternalIpAccess:
rules:


@@ -71,6 +71,7 @@ org_policies:
rules:
- allow:
all: true
custom.storageRequireBucketObjectVersionning:
rules:
- enforce: true
# To enforce once the constraints are provisionned
# custom.storageRequireBucketObjectVersionning:
# rules:
# - enforce: true


@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# FAST release: v54.0.0
# FAST release: v54.1.0


@@ -871,27 +871,48 @@
"enum": [
"ASSURED_WORKLOADS_FOR_PARTNERS",
"AU_REGIONS_AND_US_SUPPORT",
"AUSTRALIA_DATA_BOUNDARY_AND_SUPPORT",
"CA_PROTECTED_B",
"CA_REGIONS_AND_SUPPORT",
"CANADA_CONTROLLED_GOODS",
"CANADA_DATA_BOUNDARY_AND_SUPPORT",
"CJIS",
"COMPLIANCE_REGIME_UNSPECIFIED",
"DATA_BOUNDARY_FOR_CANADA_CONTROLLED_GOODS",
"DATA_BOUNDARY_FOR_CANADA_PROTECTED_B",
"DATA_BOUNDARY_FOR_CJIS",
"DATA_BOUNDARY_FOR_FEDRAMP_HIGH",
"DATA_BOUNDARY_FOR_FEDRAMP_MODERATE",
"DATA_BOUNDARY_FOR_IL2",
"DATA_BOUNDARY_FOR_IL4",
"DATA_BOUNDARY_FOR_IL5",
"DATA_BOUNDARY_FOR_IRS_PUBLICATION_1075",
"DATA_BOUNDARY_FOR_ITAR",
"EU_DATA_BOUNDARY_AND_SUPPORT",
"EU_REGIONS_AND_SUPPORT",
"FEDRAMP_HIGH",
"FEDRAMP_MODERATE",
"HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS_US_SUPPORT",
"HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS",
"HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS_US_SUPPORT",
"HIPAA",
"HITRUST",
"IL2",
"IL4",
"IL5",
"IRS_1075",
"ISR_REGIONS_AND_SUPPORT",
"ISR_REGIONS",
"ISR_REGIONS_AND_SUPPORT",
"ISRAEL_DATA_BOUNDARY_AND_SUPPORT",
"ITAR",
"JAPAN_DATA_BOUNDARY",
"JP_REGIONS_AND_SUPPORT",
"KSA_DATA_BOUNDARY_WITH_ACCESS_JUSTIFICATIONS",
"KSA_REGIONS_AND_SUPPORT_WITH_SOVEREIGNTY_CONTROLS",
"REGIONAL_CONTROLS",
"REGIONAL_DATA_BOUNDARY",
"US_DATA_BOUNDARY_AND_SUPPORT",
"US_DATA_BOUNDARY_FOR_HEALTHCARE_AND_LIFE_SCIENCES",
"US_DATA_BOUNDARY_FOR_HEALTHCARE_AND_LIFE_SCIENCES_WITH_SUPPORT",
"US_REGIONAL_ACCESS"
]
},


@@ -253,7 +253,7 @@
- **assured_workload_config**<a name="refs-assured_workload_config"></a>: *object*
<br>*additional properties: false*
- ⁺**compliance_regime**: *string*
<br>*enum: ['ASSURED_WORKLOADS_FOR_PARTNERS', 'AU_REGIONS_AND_US_SUPPORT', 'CA_PROTECTED_B', 'CA_REGIONS_AND_SUPPORT', 'CJIS', 'COMPLIANCE_REGIME_UNSPECIFIED', 'EU_REGIONS_AND_SUPPORT', 'FEDRAMP_HIGH', 'FEDRAMP_MODERATE', 'HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS_US_SUPPORT', 'HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS', 'HIPAA', 'HITRUST', 'IL2', 'IL4', 'IL5', 'IRS_1075', 'ISR_REGIONS_AND_SUPPORT', 'ISR_REGIONS', 'ITAR', 'JP_REGIONS_AND_SUPPORT', 'KSA_REGIONS_AND_SUPPORT_WITH_SOVEREIGNTY_CONTROLS', 'REGIONAL_CONTROLS', 'US_REGIONAL_ACCESS']*
<br>*enum: ['ASSURED_WORKLOADS_FOR_PARTNERS', 'AU_REGIONS_AND_US_SUPPORT', 'AUSTRALIA_DATA_BOUNDARY_AND_SUPPORT', 'CA_PROTECTED_B', 'CA_REGIONS_AND_SUPPORT', 'CANADA_CONTROLLED_GOODS', 'CANADA_DATA_BOUNDARY_AND_SUPPORT', 'CJIS', 'COMPLIANCE_REGIME_UNSPECIFIED', 'DATA_BOUNDARY_FOR_CANADA_CONTROLLED_GOODS', 'DATA_BOUNDARY_FOR_CANADA_PROTECTED_B', 'DATA_BOUNDARY_FOR_CJIS', 'DATA_BOUNDARY_FOR_FEDRAMP_HIGH', 'DATA_BOUNDARY_FOR_FEDRAMP_MODERATE', 'DATA_BOUNDARY_FOR_IL2', 'DATA_BOUNDARY_FOR_IL4', 'DATA_BOUNDARY_FOR_IL5', 'DATA_BOUNDARY_FOR_IRS_PUBLICATION_1075', 'DATA_BOUNDARY_FOR_ITAR', 'EU_DATA_BOUNDARY_AND_SUPPORT', 'EU_REGIONS_AND_SUPPORT', 'FEDRAMP_HIGH', 'FEDRAMP_MODERATE', 'HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS', 'HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS_US_SUPPORT', 'HIPAA', 'HITRUST', 'IL2', 'IL4', 'IL5', 'IRS_1075', 'ISR_REGIONS', 'ISR_REGIONS_AND_SUPPORT', 'ISRAEL_DATA_BOUNDARY_AND_SUPPORT', 'ITAR', 'JAPAN_DATA_BOUNDARY', 'JP_REGIONS_AND_SUPPORT', 'KSA_DATA_BOUNDARY_WITH_ACCESS_JUSTIFICATIONS', 'KSA_REGIONS_AND_SUPPORT_WITH_SOVEREIGNTY_CONTROLS', 'REGIONAL_CONTROLS', 'REGIONAL_DATA_BOUNDARY', 'US_DATA_BOUNDARY_AND_SUPPORT', 'US_DATA_BOUNDARY_FOR_HEALTHCARE_AND_LIFE_SCIENCES', 'US_DATA_BOUNDARY_FOR_HEALTHCARE_AND_LIFE_SCIENCES_WITH_SUPPORT', 'US_REGIONAL_ACCESS']*
- ⁺**display_name**: *string*
- ⁺**location**: *string*
- ⁺**organization**: *string*


@@ -169,7 +169,7 @@ status:
# perimeter definition here
```
If the dry-run and enforced configurations are different, define both explicitly in separate `spec` and `status` blocks, and set the `use_explicit_dry_run_spec` to `false`.
If the dry-run and enforced configurations are different, define both explicitly in separate `spec` and `status` blocks, and set the `use_explicit_dry_run_spec` to `true`.
## Context expansion


@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# FAST release: v54.0.0
# FAST release: v54.1.0


@@ -159,18 +159,19 @@ The following diagram shows the canonical paths for the different factory config
```tree
.
├── dns
│ ├── response-policies # Response Policy Rules for DNS.
│ └── zones # DNS zones (private, forwarding, peering).
├── firewall-policies # Hierarchical firewall policies.
├── ncc-hubs # NCC configurations.
├── nvas # NVA configurations.
├── projects # Project definitions.
│ ├── response-policies # Response Policy Rules for DNS.
│ └── zones # DNS zones (private, forwarding, peering).
├── firewall-policies # Hierarchical firewall policies.
├── ncc-hubs # NCC configurations.
├── nvas # NVA configurations.
├── projects # Project definitions.
└── vpcs
└── [vpc-name] # Each subfolder represents a VPC.
├── .config.yaml # Main VPC configuration, peerings, NAT.
├── firewall-rules # VPC-level firewall rules.
├── subnets # Subnet definitions.
── vpns # VPN configurations.
└── [vpc-name] # Each subfolder represents a VPC.
├── .config.yaml # Main VPC configuration, peerings, NAT.
├── firewall-rules # VPC-level firewall rules.
├── subnets # Subnet definitions.
── vlan-attachments # VLAN attachment configurations.
└── vpns # VPN configurations.
```
### Networking projects
@@ -233,9 +234,10 @@ routers:
### VPC Connectivity
This stage supports multiple ways to connect VPCs:
This stage supports multiple ways to connect VPCs to other VPCs or other networks:
- **VPC Peering:** Managed via the `peering_config` section in a VPC's `.config.yaml` file.
- **VLAN Attachments:** Partner or Dedicated Interconnect VLAN attachments are defined in the `vpcs/[vpc-name]/vlan-attachments` directory. By default, they are disabled by passing a non-existing directory via `factories_config`.
- **VPNs:** High-availability VPNs are defined in the `vpcs/[vpc-name]/vpns` directory.
- **Network Connectivity Center (NCC):** Managed via the `ncc_config` section in a VPC's `.config.yaml` file.
@@ -302,6 +304,7 @@ Internally created resources are mapped to context namespaces, and use specific
| [factory-peering.tf](./factory-peering.tf) | VPC Peering factory. | | <code>google_compute_network_peering</code> |
| [factory-projects.tf](./factory-projects.tf) | Projects factory. | <code>project-factory</code> | |
| [factory-routers.tf](./factory-routers.tf) | Routers factory. | | <code>google_compute_router</code> |
| [factory-vlan-attachments.tf](./factory-vlan-attachments.tf) | VLAN attachments factory. | <code>net-vlan-attachment</code> | |
| [factory-vpcs.tf](./factory-vpcs.tf) | VPC and firewall rules factory. | <code>net-vpc</code> · <code>net-vpc-factory</code> | |
| [factory-vpns.tf](./factory-vpns.tf) | VPNs factory. | <code>net-vpn-ha</code> | <code>google_compute_ha_vpn_gateway</code> |
| [main.tf](./main.tf) | Module-level locals and resources. | | |


@@ -1,4 +1,4 @@
# Copyright 2025 Google LLC
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@@ -8,7 +8,7 @@ project_id: $project_ids:net-core-0
name: hub-0
delete_default_routes_on_create: true
routers:
vpn-router:
hybrid-connectivity-router:
region: $locations:primary
asn: 64514
routes:
@@ -16,3 +16,5 @@ routes:
dest_range: 0.0.0.0/0
next_hop_type: "gateway"
next_hop: "default-internet-gateway"
factories_config:
vlan_attachments: "none"
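Review bot: `vlan_attachments: "none"` reads like a keyword, but going by the README hunk earlier in this commit ("disabled by passing a non-existing directory") it is just a path that does not exist, so a VPC folder that happens to contain a `none` directory would silently enable the factory. A comment makes the intent explicit: `# any non-existent path disables the factory; "none" is a convention, not a keyword`. The same sentinel appears in the hunks ending at L533, L628 and L736.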


@@ -0,0 +1,28 @@
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../../schemas/vlan-attachments.schema.json
name: to-onprem-vlan-0
region: $locations:primary
router_config:
create: false
name: $routers:hub/hybrid-connectivity-router
ncc_spoke_config:
hub: $ncc_hubs:hub
peer_asn: "64513"
dedicated_interconnect_config:
bandwidth: BPS_10G
interconnect: "https://www.googleapis.com/compute/v1/projects/my-project/global/interconnects/my-interconnect-0"
vlan_tag: "123"
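Review bot: `interconnect:` points at `projects/my-project/global/interconnects/my-interconnect-0`, a placeholder that will fail at apply if this sample is used unchanged, and nothing in the file marks it as such. Suggest `# placeholder: replace with the URI of your Dedicated Interconnect` above that line, and a note on whether `peer_asn` and `vlan_tag` are meant to be strings or numbers, since both are written quoted here and the schema referenced at the top is not visible. The same placeholder values are repeated in the new sample files ending at L488, L561, L589, L656, L684, L764 and L792.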


@@ -0,0 +1,28 @@
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../../schemas/vlan-attachments.schema.json
name: to-onprem-vlan-1
region: $locations:primary
router_config:
create: false
name: $routers:hub/hybrid-connectivity-router
ncc_spoke_config:
hub: $ncc_hubs:hub
peer_asn: "64513"
dedicated_interconnect_config:
bandwidth: BPS_10G
interconnect: "https://www.googleapis.com/compute/v1/projects/my-project/global/interconnects/my-interconnect-1"
vlan_tag: "124"


@@ -1,4 +1,4 @@
# Copyright 2025 Google LLC
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -24,7 +24,7 @@ peer_gateways:
- 8.8.8.8
router_config:
create: false
name: $routers:hub/vpn-router
name: $routers:hub/hybrid-connectivity-router
ncc_spoke_config:
hub: $ncc_hubs:hub
tunnels:


@@ -1,4 +1,4 @@
# Copyright 2025 Google LLC
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@@ -9,7 +9,7 @@ name: dmz
delete_default_routes_on_create: true
mtu: 1500
routers:
vpn-router:
hybrid-connectivity-router:
region: $locations:primary
asn: 64514
custom_advertise:
@@ -47,3 +47,5 @@ routes:
priority: 100
next_hop_type: "gateway"
next_hop: "default-internet-gateway"
factories_config:
vlan_attachments: "none"


@@ -0,0 +1,26 @@
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../../schemas/vlan-attachments.schema.json
name: to-onprem-vlan-0
region: $locations:primary
router_config:
create: false
name: $routers:dmz/hybrid-connectivity-router
peer_asn: "64513"
dedicated_interconnect_config:
bandwidth: BPS_10G
interconnect: "https://www.googleapis.com/compute/v1/projects/my-project/global/interconnects/my-interconnect-0"
vlan_tag: "123"


@@ -0,0 +1,26 @@
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../../schemas/vlan-attachments.schema.json
name: to-onprem-vlan-1
region: $locations:primary
router_config:
create: false
name: $routers:dmz/hybrid-connectivity-router
peer_asn: "64513"
dedicated_interconnect_config:
bandwidth: BPS_10G
interconnect: "https://www.googleapis.com/compute/v1/projects/my-project/global/interconnects/my-interconnect-1"
vlan_tag: "124"


@@ -14,7 +14,7 @@ peer_gateways:
- 8.8.8.8
router_config:
create: false
name: $routers:dmz/vpn-router
name: $routers:dmz/hybrid-connectivity-router
tunnels:
remote-0:
bgp_peer:


@@ -1,4 +1,4 @@
# Copyright 2025 Google LLC
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@@ -16,7 +16,7 @@ peering_config:
to-dev:
peer_network: $networks:dev
routers:
vpn-router:
hybrid-connectivity-router:
region: $locations:primary
asn: 64514
# Uncomment to enable custom route advertisement. (see https://docs.cloud.google.com/network-connectivity/docs/router/how-to/advertising-custom-ip)
@@ -36,3 +36,5 @@ routes:
next_hop: "default-internet-gateway"
# dns_policy:
# logging: true
factories_config:
vlan_attachments: "none"


@@ -0,0 +1,26 @@
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../../schemas/vlan-attachments.schema.json
name: to-onprem-vlan-0
region: $locations:primary
router_config:
create: false
name: $routers:hub/hybrid-connectivity-router
peer_asn: "64513"
dedicated_interconnect_config:
bandwidth: BPS_10G
interconnect: "https://www.googleapis.com/compute/v1/projects/my-project/global/interconnects/my-interconnect-0"
vlan_tag: "123"


@@ -0,0 +1,26 @@
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../../schemas/vlan-attachments.schema.json
name: to-onprem-vlan-1
region: $locations:primary
router_config:
create: false
name: $routers:hub/hybrid-connectivity-router
peer_asn: "64513"
dedicated_interconnect_config:
bandwidth: BPS_10G
interconnect: "https://www.googleapis.com/compute/v1/projects/my-project/global/interconnects/my-interconnect-1"
vlan_tag: "124"


@@ -14,7 +14,7 @@ peer_gateways:
- 8.8.8.8
router_config:
create: false
name: $routers:hub/vpn-router
name: $routers:hub/hybrid-connectivity-router
tunnels:
remote-0:
bgp_peer:


@@ -1,4 +1,4 @@
# Copyright 2025 Google LLC
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@@ -1,4 +1,4 @@
# Copyright 2025 Google LLC
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@@ -19,8 +19,18 @@ routers:
"10.0.0.0/8": "rfc1918-10"
"172.16.0.0/12": "rfc1918-172"
"192.168.0.0/16": "rfc1918-192"
hybrid-connectivity-router:
region: $locations:primary
asn: 64515
custom_advertise:
ip_ranges:
"10.0.0.0/8": "rfc1918-10"
"172.16.0.0/12": "rfc1918-172"
"192.168.0.0/16": "rfc1918-192"
routes:
default:
dest_range: 0.0.0.0/0
next_hop_type: "gateway"
next_hop: "default-internet-gateway"
factories_config:
vlan_attachments: "none"
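Review bot: The new `hybrid-connectivity-router` takes private ASN 64515, and the later hunks ending at L844 and L856 renumber an existing `vpn-router` and its matching tunnel `bgp_peer` from 64515 to 64517, which reads like the merge is making room for this assignment. Nothing in the file records the allocation, so the next router added will go through the same renumbering; a short comment on the `asn:` line would prevent it, e.g. `# private ASN; must not collide with the other routers/peers in this stage (64514, 64517 are taken)`. Which ASNs are actually in use is inferred from the other `.config.yaml` hunks in this commit, not from this file.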


@@ -0,0 +1,26 @@
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../../schemas/vlan-attachments.schema.json
name: to-onprem-vlan-0
region: $locations:primary
router_config:
create: false
name: $routers:hub/hybrid-connectivity-router
peer_asn: "64513"
dedicated_interconnect_config:
bandwidth: BPS_10G
interconnect: "https://www.googleapis.com/compute/v1/projects/my-project/global/interconnects/my-interconnect-0"
vlan_tag: "123"


@@ -0,0 +1,26 @@
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../../schemas/vlan-attachments.schema.json
name: to-onprem-vlan-1
region: $locations:primary
router_config:
create: false
name: $routers:hub/hybrid-connectivity-router
peer_asn: "64513"
dedicated_interconnect_config:
bandwidth: BPS_10G
interconnect: "https://www.googleapis.com/compute/v1/projects/my-project/global/interconnects/my-interconnect-1"
vlan_tag: "124"


@@ -1,4 +1,4 @@
# Copyright 2025 Google LLC
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -24,7 +24,7 @@ peer_gateways:
- 8.8.8.8
router_config:
create: false
name: $routers:hub/vpn-router
name: $routers:hub/hybrid-connectivity-router
tunnels:
remote-0:
bgp_peer:


@@ -1,4 +1,4 @@
# Copyright 2025 Google LLC
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@@ -1,4 +1,4 @@
# Copyright 2025 Google LLC
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -27,13 +27,13 @@ tunnels:
shared_secret: foobar
bgp_peer:
address: 169.254.2.1
asn: 64515
asn: 64517
bgp_session_range: "169.254.2.2/30"
vpn_gateway_interface: 0
remote-1:
shared_secret: foobar
bgp_peer:
address: 169.254.2.5
asn: 64515
asn: 64517
bgp_session_range: "169.254.2.6/30"
vpn_gateway_interface: 1
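Review bot: The `bgp_peer.asn` change sits directly under `shared_secret: foobar`, a literal IKE pre-shared key committed in both `remote-0` and `remote-1` of this sample tunnel definition. Sample data tends to be copied into real stages, so the file should either leave `shared_secret` out — if I read the `net-vpn-ha` module correctly it generates a random secret when none is given, which is worth confirming — or carry `# sample value only; never reuse, supply a generated secret` next to it. Whether `foobar` is also present in the other VPN sample files touched by this commit (hunks ending at L506, L601, L696, L810) is outside the shown context.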


@@ -11,7 +11,7 @@ mtu: 1500
routers:
vpn-router:
region: $locations:primary
asn: 64515
asn: 64517
routes:
default:
dest_range: 0.0.0.0/0


@@ -1,4 +1,4 @@
# Copyright 2025 Google LLC
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@@ -1,5 +1,5 @@
/**
* Copyright 2025 Google LLC
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.


@@ -1,5 +1,5 @@
/**
* Copyright 2025 Google LLC
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.


@@ -1,5 +1,5 @@
/**
* Copyright 2025 Google LLC
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.


@@ -1,5 +1,5 @@
/**
* Copyright 2025 Google LLC
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -72,7 +72,7 @@ locals {
"${vpn_key}/${replace(vpn_config.ncc_spoke_config.hub, "$ncc_hubs:", "")}" => merge(
vpn_config.ncc_spoke_config,
{
name = replace("${vpn_key}/${vpn_config.ncc_spoke_config.hub}", "$ncc_hubs:", "") # TODO: eww
name = replace("${vpn_key}/${vpn_config.ncc_spoke_config.hub}", "$ncc_hubs:", "")
project_id = vpn_config.project_id
hub = vpn_config.ncc_spoke_config.hub
group = try(vpn_config.ncc_spoke_config.group, null)
@@ -83,6 +83,22 @@ locals {
}
) if try(vpn_config.ncc_spoke_config != null, false)
}
ncc_vlan_attachment_spokes = {
for va_key, va_config in local.vlan_attachments :
"${va_key}/${replace(va_config.ncc_spoke_config.hub, "$ncc_hubs:", "")}" => merge(
va_config.ncc_spoke_config,
{
name = replace("${va_key}/${va_config.ncc_spoke_config.hub}", "$ncc_hubs:", "")
project_id = va_config.project_id
hub = va_config.ncc_spoke_config.hub
group = try(va_config.ncc_spoke_config.group, null)
location = va_config.region
description = lookup(va_config.ncc_spoke_config, "description", "Terraform-managed.")
labels = lookup(va_config.ncc_spoke_config, "labels", {})
attachment_uri = module.vlan-attachments[va_key].id
}
) if try(va_config.ncc_spoke_config != null, false)
}
}
resource "google_network_connectivity_hub" "default" {
@@ -192,4 +208,35 @@ resource "google_network_connectivity_spoke" "tunnels" {
depends_on = [module.vpn-ha]
}
resource "google_network_connectivity_spoke" "vlan_attachments" {
for_each = local.ncc_vlan_attachment_spokes
project = lookup(
local.ctx_projects.project_ids,
replace(each.value.project_id, "$project_ids:", ""),
each.value.project_id
)
name = replace(each.key, "/", "-")
location = lookup(
local.ctx.locations,
replace(each.value.location, "$locations:", ""),
each.value.location
)
description = each.value.description
labels = each.value.labels
hub = lookup(
local.ctx_ncc_hubs,
replace(each.value.hub, "$ncc_hubs:", ""),
each.value.hub
)
group = each.value.group == null ? null : lookup(
local.ctx_ncc_groups,
replace(each.value.group, "$ncc_groups:", ""),
each.value.group
)
linked_interconnect_attachments {
uris = [each.value.attachment_uri]
site_to_site_data_transfer = true
include_import_ranges = ["ALL_IPV4_RANGES"]
}
depends_on = [module.vlan-attachments]
}
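Review bot: `site_to_site_data_transfer = true` and `include_import_ranges = ["ALL_IPV4_RANGES"]` are hard-coded in the new `google_network_connectivity_spoke.vlan_attachments`, so every interconnect attachment enrolled through `ncc_spoke_config` exchanges traffic with every other hybrid spoke on the hub and imports all IPv4 routes, with no per-attachment way to opt out; the route-exchange scope of an NCC hub is a trust decision, not a cosmetic setting. The `ncc_vlan_attachment_spokes` local already looks `group`, `description` and `labels` up from `ncc_spoke_config` with defaults, so the two flags can follow the same pattern with the current values as defaults, which keeps the existing sample files valid; the `vlan-attachments` schema those samples reference would need the two keys added as well, which is not visible here. Separately, `attachment_uri = module.vlan-attachments[va_key].id` assumes the module's `id` output is in the URI form the spoke API accepts, which is worth confirming against what the `tunnels` spoke above (partly outside the hunk) passes for VPN tunnels.
```hcl
      # … unchanged: other ncc_vlan_attachment_spokes attributes …
      site_to_site_data_transfer = lookup(va_config.ncc_spoke_config, "site_to_site_data_transfer", true)
      include_import_ranges      = lookup(va_config.ncc_spoke_config, "include_import_ranges", ["ALL_IPV4_RANGES"])
# … unchanged: resource header, project, name, location, description, labels, hub, group …
  linked_interconnect_attachments {
    uris                       = [each.value.attachment_uri]
    site_to_site_data_transfer = each.value.site_to_site_data_transfer
    include_import_ranges      = each.value.include_import_ranges
  }
```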


@@ -1,5 +1,5 @@
/**
* Copyright 2025 Google LLC
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -47,7 +47,7 @@ locals {
nva_def.auto_instance_config.image,
"projects/debian-cloud/global/images/family/debian-12"
)
instance_type = try(
machine_type = try(
nva_def.auto_instance_config.instance_type, "e2-standard-4"
)
metadata = coalesce(
@@ -60,7 +60,7 @@ locals {
}
)
attachments = try(nva_def.auto_instance_config.nics, [])
confidential_compute = try(nva_def.auto_instance_config.confidential_compute, false)
confidential_compute = try(nva_def.auto_instance_config.confidential_compute, null)
encryption = try(nva_def.auto_instance_config.encryption, null)
options = try(nva_def.auto_instance_config.options, null)
shielded_config = try(nva_def.auto_instance_config.shielded_config, null)
@@ -117,7 +117,7 @@ module "nva-instance" {
project_id = each.value.project_id
name = "nva-${each.key}"
zone = each.value.zone
instance_type = each.value.instance_type
machine_type = each.value.machine_type
tags = each.value.tags
can_ip_forward = true
network_interfaces = [for k, v in each.value.attachments :
@@ -129,14 +129,18 @@ module "nva-instance" {
}
]
boot_disk = {
source = {
image = each.value.image
}
initialize_params = {
image = each.value.image
google-logging-enabled = true
type = "pd-ssd"
size = 10 # TODO: make configurable?
type = "pd-ssd"
size = 10 # TODO: make configurable?
}
}
metadata = each.value.metadata
metadata = merge(
each.value.metadata,
{ google-logging-enabled = true }
)
encryption = each.value.encryption
shielded_config = each.value.shielded_config
confidential_compute = each.value.confidential_compute
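Review bot: In the new `metadata = merge(each.value.metadata, { google-logging-enabled = true })` the literal map is the last argument, so a `google-logging-enabled` key supplied through `each.value.metadata` is always overridden and an operator cannot turn guest logging off for a single NVA. If forcing the agent on is the intent, state it above the merge with `# guest logging is always on for NVAs; user metadata cannot override it`, otherwise reverse the argument order so the user-supplied value wins. The boot disk still carries `size = 10 # TODO: make configurable?` while `type = "pd-ssd"` is equally hard-coded, so the TODO now applies to both settings. The `confidential_compute` default in the locals hunk moved from `false` to `null`, which presumably defers to the compute-vm module default rather than disabling the feature; a one-line comment there would stop readers from reading it as a downgrade. The `nva-instance` module block continues past the hunk.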


@@ -1,5 +1,5 @@
/**
* Copyright 2025 Google LLC
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.


@@ -1,5 +1,5 @@
/**
* Copyright 2025 Google LLC
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.


@@ -1,5 +1,5 @@
/**
* Copyright 2025 Google LLC
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.


@@ -0,0 +1,96 @@
/**
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
# tfdoc:file:description VLAN attachments factory.
locals {
# Discover YAML files that define VLAN attachments across all VPCs.
# It checks each VPC's configured `vlan_attachments` factory path (defaulting to
# `<factory_basepath>/vlan-attachments`).
# Returns a flattened map of all discovered files keyed by `<vpc_key>-<filename>`.
_vlan_attachments_files = try(
merge([
for vpc_key, vpc in local.vpcs : {
for f in try(fileset(
try(
startswith(vpc.factories_config.vlan_attachments, "/") || startswith(vpc.factories_config.vlan_attachments, ".") ? vpc.factories_config.vlan_attachments :
"${vpc.factory_basepath}/${vpc.factories_config.vlan_attachments}",
"${vpc.factory_basepath}/vlan-attachments"
),
"**/*.yaml"
), []) :
"${vpc_key}-${replace(f, ".yaml", "")}" => {
vpc_key = vpc_key
filename = f
path = try(
startswith(vpc.factories_config.vlan_attachments, "/") || startswith(vpc.factories_config.vlan_attachments, ".")
? "${vpc.factories_config.vlan_attachments}/${f}"
: "${vpc.factory_basepath}/${vpc.factories_config.vlan_attachments}/${f}",
"${vpc.factory_basepath}/vlan-attachments/${f}"
)
}
}
]...),
{}
)
# Read and decode the discovered YAML files. This step also injects VPC-level
# inferred attributes into each configuration, such as the `project_id` and
# `network`, ensuring each attachment is correctly associated with its parent VPC.
_vlan_attachments_preprocess = {
for k, v in local._vlan_attachments_files : k => merge(
try(yamldecode(file(v.path)), {}),
{
key = k
vpc_key = v.vpc_key
project_id = local.vpcs[v.vpc_key].project_id
network = local.vpcs[v.vpc_key].name
}
)
}
vlan_attachments = {
for k, v in local._vlan_attachments_preprocess : k => merge(v, {
region = try(v.region, local.vpc_defaults.region, null)
mtu = try(v.mtu, local.vpcs[v.vpc_key].mtu, local.vpc_defaults.mtu, 1500)
})
}
}
module "vlan-attachments" {
source = "../../../modules/net-vlan-attachment"
for_each = local.vlan_attachments
admin_enabled = try(each.value.admin_enabled, true)
dedicated_interconnect_config = try(each.value.dedicated_interconnect_config, null)
description = try(each.value.description, "Terraform managed.")
ipsec_gateway_ip_ranges = try(each.value.ipsec_gateway_ip_ranges, {})
mtu = each.value.mtu
name = try(each.value.name, each.value.key)
network = each.value.network
partner_interconnect_config = try(each.value.partner_interconnect_config, null)
peer_asn = each.value.peer_asn
project_id = try(each.value.project_id, local.project_defaults.defaults.parent)
region = each.value.region
router_config = each.value.router_config
vpn_gateways_ip_range = try(each.value.vpn_gateways_ip_range, null)
context = {
locations = local.ctx.locations
networks = local.ctx_vpcs.self_links
project_ids = local.ctx_projects.project_ids
routers = local.ctx_routers.names
}
depends_on = [module.vpc-factory]
}
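Review bot: `try(yamldecode(file(v.path)), {})` in `_vlan_attachments_preprocess` turns a malformed or unreadable attachment YAML into an empty map, so the failure surfaces later as a missing `peer_asn` or `router_config` on the module call instead of pointing at the broken file; the sibling vpns factory in this commit decodes with a bare `yamldecode(file(v.path))`, so for consistency change this line to `try(yamldecode(file(v.path)), {})` → `yamldecode(file(v.path))`. `project_id` is injected unconditionally in the preprocess step, so the `try(each.value.project_id, local.project_defaults.defaults.parent)` fallback on the module call is dead code, and a `parent` value is presumably a folder or organization rather than a project id, so a plain `project_id = each.value.project_id` is clearer. The absolute-vs-relative test `startswith(x, "/") || startswith(x, ".")` is written twice here (file listing and `path`) and repeated for `subnets`, `firewall_rules` and `vpns` in the vpc and vpns hunks below; resolving each VPC's factory folders once in a dedicated local would remove the duplication and keep the four resolvers from drifting.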


@@ -1,5 +1,5 @@
/**
* Copyright 2025 Google LLC
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -55,13 +55,22 @@ locals {
subnets_psc = try(v.subnets_psc, [])
subnets = try(v.subnets, [])
subnets_factory_config = {
subnets_folder = "${v.factory_basepath}/subnets"
subnets_folder = try(
startswith(v.factories_config.subnets, "/") || startswith(v.factories_config.subnets, ".") ? v.factories_config.subnets :
"${v.factory_basepath}/${v.factories_config.subnets}",
"${v.factory_basepath}/subnets"
)
}
firewall_factory_config = {
rules_folder = "${v.factory_basepath}/firewall-rules"
rules_folder = try(
startswith(v.factories_config.firewall_rules, "/") || startswith(v.factories_config.firewall_rules, ".") ? v.factories_config.firewall_rules :
"${v.factory_basepath}/${v.factories_config.firewall_rules}",
"${v.factory_basepath}/firewall-rules"
)
}
peering_config = try(v.peering_config, {})
vpn_config = try(v.vpn_config, {})
factories_config = try(v.factories_config, {})
peering_config = try(v.peering_config, {})
vpn_config = try(v.vpn_config, {})
}
)
}


@@ -1,5 +1,5 @@
/**
* Copyright 2025 Google LLC
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -18,24 +18,45 @@
locals {
_vpns_files = try(
fileset(local.paths.vpcs, "**/vpns/*.yaml"),
[]
merge([
for vpc_key, vpc in local.vpcs : {
for f in try(fileset(
try(
startswith(vpc.factories_config.vpns, "/") || startswith(vpc.factories_config.vpns, ".") ? vpc.factories_config.vpns :
"${vpc.factory_basepath}/${vpc.factories_config.vpns}",
"${vpc.factory_basepath}/vpns"
),
"**/*.yaml"
), []) :
"${vpc_key}-${replace(f, ".yaml", "")}" => {
vpc_key = vpc_key
filename = f
path = try(
startswith(vpc.factories_config.vpns, "/") || startswith(vpc.factories_config.vpns, ".")
? "${vpc.factories_config.vpns}/${f}"
: "${vpc.factory_basepath}/${vpc.factories_config.vpns}/${f}",
"${vpc.factory_basepath}/vpns/${f}"
)
}
}
]...),
{}
)
_vpns_preprocess = [
for f in local._vpns_files : merge(
yamldecode(file("${coalesce(local.paths.vpcs, "-")}/${f}")),
_vpns_preprocess = {
for k, v in local._vpns_files : k => merge(
yamldecode(file(v.path)),
{
factory_basepath = dirname(dirname(f))
vpc_name = v.vpc_key
}
)
]
}
ctx_gateways = { for k, v in google_compute_ha_vpn_gateway.default : k => v.id }
vpns = {
for v in local._vpns_preprocess : "${v.factory_basepath}/${v.name}" => merge(v, {
vpc_name = v.factory_basepath
for k, v in local._vpns_preprocess : "${v.vpc_name}/${v.name}" => merge(v, {
vpc_name = v.vpc_name
# TODO: discuss - this is pushing context at any cost, as project could be easily resolved
# as module.vpcs[v.factory_basepath].project_id
project_id = local.vpcs[v.factory_basepath].project_id
# as module.vpcs[v.vpc_name].project_id
project_id = local.vpcs[v.vpc_name].project_id
router_config = try(v.router_config, {})
region = try(v.region, local.defaults.vpcs.region)
peer_gateways = try(v.peer_gateways, {})
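Review bot: The new `vpns` key `"${v.vpc_name}/${v.name}"` requires every VPN YAML to declare `name`, whereas the vlan-attachments factory added in this same commit carries the generated map key into the decoded config and falls back to it with `name = try(each.value.name, each.value.key)`; adding `key = k` beside `vpc_name = v.vpc_key` in `_vpns_preprocess` and keying on `try(v.name, v.key)` would make the two factories behave alike. The `# TODO: discuss` comment was only re-targeted from `factory_basepath` to `vpc_name`; if this refactor settles the question of where `project_id` comes from, the comment can be dropped rather than carried forward. The `locals` block continues past the hunk.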


@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# FAST release: v54.0.0
# FAST release: v54.1.0


@@ -1,5 +1,5 @@
/**
* Copyright 2025 Google LLC
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -85,4 +85,3 @@ locals {
try(local._defaults.vpcs, {})
)
}


@@ -1,5 +1,5 @@
/**
* Copyright 2025 Google LLC
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.


@@ -871,27 +871,48 @@
"enum": [
"ASSURED_WORKLOADS_FOR_PARTNERS",
"AU_REGIONS_AND_US_SUPPORT",
"AUSTRALIA_DATA_BOUNDARY_AND_SUPPORT",
"CA_PROTECTED_B",
"CA_REGIONS_AND_SUPPORT",
"CANADA_CONTROLLED_GOODS",
"CANADA_DATA_BOUNDARY_AND_SUPPORT",
"CJIS",
"COMPLIANCE_REGIME_UNSPECIFIED",
"DATA_BOUNDARY_FOR_CANADA_CONTROLLED_GOODS",
"DATA_BOUNDARY_FOR_CANADA_PROTECTED_B",
"DATA_BOUNDARY_FOR_CJIS",
"DATA_BOUNDARY_FOR_FEDRAMP_HIGH",
"DATA_BOUNDARY_FOR_FEDRAMP_MODERATE",
"DATA_BOUNDARY_FOR_IL2",
"DATA_BOUNDARY_FOR_IL4",
"DATA_BOUNDARY_FOR_IL5",
"DATA_BOUNDARY_FOR_IRS_PUBLICATION_1075",
"DATA_BOUNDARY_FOR_ITAR",
"EU_DATA_BOUNDARY_AND_SUPPORT",
"EU_REGIONS_AND_SUPPORT",
"FEDRAMP_HIGH",
"FEDRAMP_MODERATE",
"HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS_US_SUPPORT",
"HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS",
"HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS_US_SUPPORT",
"HIPAA",
"HITRUST",
"IL2",
"IL4",
"IL5",
"IRS_1075",
"ISR_REGIONS_AND_SUPPORT",
"ISR_REGIONS",
"ISR_REGIONS_AND_SUPPORT",
"ISRAEL_DATA_BOUNDARY_AND_SUPPORT",
"ITAR",
"JAPAN_DATA_BOUNDARY",
"JP_REGIONS_AND_SUPPORT",
"KSA_DATA_BOUNDARY_WITH_ACCESS_JUSTIFICATIONS",
"KSA_REGIONS_AND_SUPPORT_WITH_SOVEREIGNTY_CONTROLS",
"REGIONAL_CONTROLS",
"REGIONAL_DATA_BOUNDARY",
"US_DATA_BOUNDARY_AND_SUPPORT",
"US_DATA_BOUNDARY_FOR_HEALTHCARE_AND_LIFE_SCIENCES",
"US_DATA_BOUNDARY_FOR_HEALTHCARE_AND_LIFE_SCIENCES_WITH_SUPPORT",
"US_REGIONAL_ACCESS"
]
},
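Review bot: This `compliance_regime` enum is repeated verbatim in two further schema files in this commit (the hunks with the same `@@ -871,27 +871,48 @@` header further down) and again in their markdown renderings, so the copies have to be kept in step by hand each time a regime is added. A `"description"` on the enclosing property such as `"Assured Workloads compliance regime; keep in sync with the copies in the other stage schemas"` would at least flag the duplication, and generating the list from one source would remove it. The reorder that places `HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS` before its `_US_SUPPORT` variant and `ISR_REGIONS` before `ISR_REGIONS_AND_SUPPORT` reads as alphabetical sorting and is fine. The enclosing property object starts outside the hunk.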


@@ -6,6 +6,13 @@
*additional properties: false*
- **asset_search**: *object*
<br>*additional properties: false*
- **`^[a-z0-9-]+$`**: *object*
<br>*additional properties: false*
- ⁺**asset_types**: *array*
- items: *string*
- **query**: *string*
- **asset_feeds**: *object*
<br>*additional properties: false*
- **`^[a-z0-9-]+$`**: *object*
@@ -75,6 +82,26 @@
- **exempted_members**: *array*
- items: *string*
- **deletion_protection**: *boolean*
- **id**: *string*
<br>*pattern: ^(folders/[0-9]+|\$folder_ids:[a-z0-9_/-]+)$*
- **firewall_policy**: *object*
<br>*additional properties: false*
- ⁺**name**: *string*
- ⁺**policy**: *string*
- **logging**: *object*
<br>*additional properties: false*
- **kms_key_name**: *string*
- **storage_location**: *string*
- **sinks**: *object*
<br>*additional properties: false*
- **`^[a-z][a-z0-9-_]+$`**: *object*
<br>*additional properties: false*
- **description**: *string*
- **destination**: *string*
- **exclusions**: *object*
- **filter**: *string*
- **type**: *string*
<br>*default: logging*, *enum: ['bigquery', 'logging', 'project', 'pubsub', 'storage']*
- **factories_config**: *object*
<br>*additional properties: false*
- **org_policies**: *string*
@@ -253,7 +280,7 @@
- **assured_workload_config**<a name="refs-assured_workload_config"></a>: *object*
<br>*additional properties: false*
- ⁺**compliance_regime**: *string*
<br>*enum: ['ASSURED_WORKLOADS_FOR_PARTNERS', 'AU_REGIONS_AND_US_SUPPORT', 'CA_PROTECTED_B', 'CA_REGIONS_AND_SUPPORT', 'CJIS', 'COMPLIANCE_REGIME_UNSPECIFIED', 'EU_REGIONS_AND_SUPPORT', 'FEDRAMP_HIGH', 'FEDRAMP_MODERATE', 'HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS_US_SUPPORT', 'HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS', 'HIPAA', 'HITRUST', 'IL2', 'IL4', 'IL5', 'IRS_1075', 'ISR_REGIONS_AND_SUPPORT', 'ISR_REGIONS', 'ITAR', 'JP_REGIONS_AND_SUPPORT', 'KSA_REGIONS_AND_SUPPORT_WITH_SOVEREIGNTY_CONTROLS', 'REGIONAL_CONTROLS', 'US_REGIONAL_ACCESS']*
<br>*enum: ['ASSURED_WORKLOADS_FOR_PARTNERS', 'AU_REGIONS_AND_US_SUPPORT', 'AUSTRALIA_DATA_BOUNDARY_AND_SUPPORT', 'CA_PROTECTED_B', 'CA_REGIONS_AND_SUPPORT', 'CANADA_CONTROLLED_GOODS', 'CANADA_DATA_BOUNDARY_AND_SUPPORT', 'CJIS', 'COMPLIANCE_REGIME_UNSPECIFIED', 'DATA_BOUNDARY_FOR_CANADA_CONTROLLED_GOODS', 'DATA_BOUNDARY_FOR_CANADA_PROTECTED_B', 'DATA_BOUNDARY_FOR_CJIS', 'DATA_BOUNDARY_FOR_FEDRAMP_HIGH', 'DATA_BOUNDARY_FOR_FEDRAMP_MODERATE', 'DATA_BOUNDARY_FOR_IL2', 'DATA_BOUNDARY_FOR_IL4', 'DATA_BOUNDARY_FOR_IL5', 'DATA_BOUNDARY_FOR_IRS_PUBLICATION_1075', 'DATA_BOUNDARY_FOR_ITAR', 'EU_DATA_BOUNDARY_AND_SUPPORT', 'EU_REGIONS_AND_SUPPORT', 'FEDRAMP_HIGH', 'FEDRAMP_MODERATE', 'HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS', 'HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS_US_SUPPORT', 'HIPAA', 'HITRUST', 'IL2', 'IL4', 'IL5', 'IRS_1075', 'ISR_REGIONS', 'ISR_REGIONS_AND_SUPPORT', 'ISRAEL_DATA_BOUNDARY_AND_SUPPORT', 'ITAR', 'JAPAN_DATA_BOUNDARY', 'JP_REGIONS_AND_SUPPORT', 'KSA_DATA_BOUNDARY_WITH_ACCESS_JUSTIFICATIONS', 'KSA_REGIONS_AND_SUPPORT_WITH_SOVEREIGNTY_CONTROLS', 'REGIONAL_CONTROLS', 'REGIONAL_DATA_BOUNDARY', 'US_DATA_BOUNDARY_AND_SUPPORT', 'US_DATA_BOUNDARY_FOR_HEALTHCARE_AND_LIFE_SCIENCES', 'US_DATA_BOUNDARY_FOR_HEALTHCARE_AND_LIFE_SCIENCES_WITH_SUPPORT', 'US_REGIONAL_ACCESS']*
- ⁺**display_name**: *string*
- ⁺**location**: *string*
- ⁺**organization**: *string*


@@ -0,0 +1,209 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"$id": "https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/blob/master/fast/stages/2-networking/schemas/vlan-attachments.schema.json",
"title": "VLAN Attachments schema",
"type": "object",
"additionalProperties": false,
"required": [
"peer_asn",
"router_config"
],
"properties": {
"admin_enabled": {
"type": "boolean",
"default": true
},
"dedicated_interconnect_config": {
"type": "object",
"additionalProperties": false,
"required": [
"interconnect",
"vlan_tag"
],
"properties": {
"bandwidth": {
"type": "string",
"enum": [
"BPS_50M",
"BPS_100M",
"BPS_200M",
"BPS_300M",
"BPS_400M",
"BPS_500M",
"BPS_1G",
"BPS_2G",
"BPS_5G",
"BPS_10G",
"BPS_20G",
"BPS_50G",
"BPS_100G",
"BPS_400G"
]
},
"bgp_range": {
"type": "string"
},
"bgp_priority": {
"type": "number"
},
"interconnect": {
"type": "string"
},
"vlan_tag": {
"type": "string"
}
}
},
"description": {
"type": "string"
},
"ipsec_gateway_ip_ranges": {
"type": "object",
"additionalProperties": {
"type": "string"
}
},
"mtu": {
"type": "number",
"default": 1500
},
"name": {
"type": "string"
},
"partner_interconnect_config": {
"type": "object",
"additionalProperties": false,
"required": [
"edge_availability_domain"
],
"properties": {
"edge_availability_domain": {
"type": "string",
"enum": [
"AVAILABILITY_DOMAIN_1",
"AVAILABILITY_DOMAIN_2",
"AVAILABILITY_DOMAIN_ANY"
]
}
}
},
"peer_asn": {
"type": "string"
},
"region": {
"type": "string"
},
"router_config": {
"type": "object",
"additionalProperties": false,
"properties": {
"create": {
"type": "boolean",
"default": true
},
"asn": {
"type": "number"
},
"bfd": {
"type": "object",
"additionalProperties": false,
"properties": {
"min_receive_interval": {
"type": "number"
},
"min_transmit_interval": {
"type": "number"
},
"multiplier": {
"type": "number"
},
"session_initialization_mode": {
"type": "string",
"enum": [
"ACTIVE",
"PASSIVE"
]
}
}
},
"custom_advertise": {
"type": "object",
"additionalProperties": false,
"required": [
"all_subnets",
"ip_ranges"
],
"properties": {
"all_subnets": {
"type": "boolean"
},
"ip_ranges": {
"type": "object",
"additionalProperties": {
"type": "string"
}
}
}
},
"md5_authentication_key": {
"type": "object",
"additionalProperties": false,
"required": [
"name"
],
"properties": {
"name": {
"type": "string"
},
"key": {
"type": "string"
}
}
},
"keepalive": {
"type": "number"
},
"name": {
"type": "string"
}
}
},
"vpn_gateways_ip_range": {
"type": "string"
},
"ncc_spoke_config": {
"$ref": "#/$defs/ncc_spoke_config"
}
},
"$defs": {
"ncc_spoke_config": {
"type": "object",
"properties": {
"hub": {
"type": "string"
},
"description": {
"type": "string"
},
"labels": {
"type": "object"
},
"exclude_export_ranges": {
"type": "array",
"items": {
"type": "string"
}
},
"include_export_ranges": {
"type": "array",
"items": {
"type": "string"
}
},
"group": {
"type": "string"
}
}
}
}
}
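Review bot: `ncc_spoke_config` under `$defs` is the only object in this schema without `"additionalProperties": false`, so a misspelled spoke key (for example a constructed `exclude_export_range`) passes validation and is silently ignored instead of being rejected like everywhere else; add `"additionalProperties": false` directly after its `"type": "object"`. `router_config.md5_authentication_key.key` accepts the BGP MD5 secret as a plain string in the attachment YAML, which means it is committed to the repository next to the other factory files and will presumably be persisted in state through the router resource; at minimum the property deserves a `"description"` saying so, plus a pointer to the repository's secret-handling convention if one exists. `peer_asn` is typed `string` while `router_config.asn` is `number`, and `vlan_tag` is a `string`; if those mirror the module's variable types that is fine, but YAML authors will naturally write bare integers, so the stage README should call it out.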


@@ -0,0 +1,65 @@
# VLAN Attachments schema
<!-- markdownlint-disable MD036 -->
## Properties
*additional properties: false*
- **admin_enabled**: *boolean*
- **dedicated_interconnect_config**: *object*
<br>*additional properties: false*
- **bandwidth**: *string*
<br>*enum: ['BPS_50M', 'BPS_100M', 'BPS_200M', 'BPS_300M', 'BPS_400M', 'BPS_500M', 'BPS_1G', 'BPS_2G', 'BPS_5G', 'BPS_10G', 'BPS_20G', 'BPS_50G', 'BPS_100G', 'BPS_400G']*
- **bgp_range**: *string*
- **bgp_priority**: *number*
- ⁺**interconnect**: *string*
- ⁺**vlan_tag**: *string*
- **description**: *string*
- **ipsec_gateway_ip_ranges**: *object*
<br>*additional properties: string*
- **mtu**: *number*
<br>*default: 1500*
- **name**: *string*
- **partner_interconnect_config**: *object*
<br>*additional properties: false*
- ⁺**edge_availability_domain**: *string*
<br>*enum: ['AVAILABILITY_DOMAIN_1', 'AVAILABILITY_DOMAIN_2', 'AVAILABILITY_DOMAIN_ANY']*
- ⁺**peer_asn**: *string*
- **region**: *string*
- ⁺**router_config**: *object*
<br>*additional properties: false*
- **create**: *boolean*
- **asn**: *number*
- **bfd**: *object*
<br>*additional properties: false*
- **min_receive_interval**: *number*
- **min_transmit_interval**: *number*
- **multiplier**: *number*
- **session_initialization_mode**: *string*
<br>*enum: ['ACTIVE', 'PASSIVE']*
- **custom_advertise**: *object*
<br>*additional properties: false*
- ⁺**all_subnets**: *boolean*
- ⁺**ip_ranges**: *object*
<br>*additional properties: string*
- **md5_authentication_key**: *object*
<br>*additional properties: false*
- ⁺**name**: *string*
- **key**: *string*
- **keepalive**: *number*
- **name**: *string*
- **vpn_gateways_ip_range**: *string*
- **ncc_spoke_config**: *reference([ncc_spoke_config](#refs-ncc_spoke_config))*
## Definitions
- **ncc_spoke_config**<a name="refs-ncc_spoke_config"></a>: *object*
- **hub**: *string*
- **description**: *string*
- **labels**: *object*
- **exclude_export_ranges**: *array*
- items: *string*
- **include_export_ranges**: *array*
- items: *string*
- **group**: *string*


@@ -18,6 +18,24 @@
"description": {
"type": "string"
},
"factories_config": {
"type": "object",
"additionalProperties": false,
"properties": {
"firewall_rules": {
"type": "string"
},
"subnets": {
"type": "string"
},
"vlan_attachments": {
"type": "string"
},
"vpns": {
"type": "string"
}
}
},
"auto_create_subnetworks": {
"type": "boolean"
},


@@ -16,6 +16,12 @@
<br>*enum: ['GLOBAL', 'REGIONAL']*
- **firewall_policy_enforcement_order**: *string*
<br>*enum: ['BEFORE_CLASSIC_FIREWALL', 'AFTER_CLASSIC_FIREWALL']*
- **factories_config**: *object*
<br>*additional properties: false*
- **firewall_rules**: *string*
- **subnets**: *string*
- **vlan_attachments**: *string*
- **vpns**: *string*
- **create_googleapis_routes**: *reference([create_googleapis_routes](#refs-create_googleapis_routes))*
- **dns_policy**: *reference([dns_policy](#refs-dns_policy))*
- **ipv6_config**: *reference([ipv6_config](#refs-ipv6_config))*


@@ -1,5 +1,5 @@
/**
* Copyright 2025 Google LLC
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.


@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# FAST release: v54.0.0
# FAST release: v54.1.0


@@ -871,27 +871,48 @@
"enum": [
"ASSURED_WORKLOADS_FOR_PARTNERS",
"AU_REGIONS_AND_US_SUPPORT",
"AUSTRALIA_DATA_BOUNDARY_AND_SUPPORT",
"CA_PROTECTED_B",
"CA_REGIONS_AND_SUPPORT",
"CANADA_CONTROLLED_GOODS",
"CANADA_DATA_BOUNDARY_AND_SUPPORT",
"CJIS",
"COMPLIANCE_REGIME_UNSPECIFIED",
"DATA_BOUNDARY_FOR_CANADA_CONTROLLED_GOODS",
"DATA_BOUNDARY_FOR_CANADA_PROTECTED_B",
"DATA_BOUNDARY_FOR_CJIS",
"DATA_BOUNDARY_FOR_FEDRAMP_HIGH",
"DATA_BOUNDARY_FOR_FEDRAMP_MODERATE",
"DATA_BOUNDARY_FOR_IL2",
"DATA_BOUNDARY_FOR_IL4",
"DATA_BOUNDARY_FOR_IL5",
"DATA_BOUNDARY_FOR_IRS_PUBLICATION_1075",
"DATA_BOUNDARY_FOR_ITAR",
"EU_DATA_BOUNDARY_AND_SUPPORT",
"EU_REGIONS_AND_SUPPORT",
"FEDRAMP_HIGH",
"FEDRAMP_MODERATE",
"HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS_US_SUPPORT",
"HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS",
"HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS_US_SUPPORT",
"HIPAA",
"HITRUST",
"IL2",
"IL4",
"IL5",
"IRS_1075",
"ISR_REGIONS_AND_SUPPORT",
"ISR_REGIONS",
"ISR_REGIONS_AND_SUPPORT",
"ISRAEL_DATA_BOUNDARY_AND_SUPPORT",
"ITAR",
"JAPAN_DATA_BOUNDARY",
"JP_REGIONS_AND_SUPPORT",
"KSA_DATA_BOUNDARY_WITH_ACCESS_JUSTIFICATIONS",
"KSA_REGIONS_AND_SUPPORT_WITH_SOVEREIGNTY_CONTROLS",
"REGIONAL_CONTROLS",
"REGIONAL_DATA_BOUNDARY",
"US_DATA_BOUNDARY_AND_SUPPORT",
"US_DATA_BOUNDARY_FOR_HEALTHCARE_AND_LIFE_SCIENCES",
"US_DATA_BOUNDARY_FOR_HEALTHCARE_AND_LIFE_SCIENCES_WITH_SUPPORT",
"US_REGIONAL_ACCESS"
]
},


@@ -253,7 +253,7 @@
- **assured_workload_config**<a name="refs-assured_workload_config"></a>: *object*
<br>*additional properties: false*
- ⁺**compliance_regime**: *string*
<br>*enum: ['ASSURED_WORKLOADS_FOR_PARTNERS', 'AU_REGIONS_AND_US_SUPPORT', 'CA_PROTECTED_B', 'CA_REGIONS_AND_SUPPORT', 'CJIS', 'COMPLIANCE_REGIME_UNSPECIFIED', 'EU_REGIONS_AND_SUPPORT', 'FEDRAMP_HIGH', 'FEDRAMP_MODERATE', 'HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS_US_SUPPORT', 'HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS', 'HIPAA', 'HITRUST', 'IL2', 'IL4', 'IL5', 'IRS_1075', 'ISR_REGIONS_AND_SUPPORT', 'ISR_REGIONS', 'ITAR', 'JP_REGIONS_AND_SUPPORT', 'KSA_REGIONS_AND_SUPPORT_WITH_SOVEREIGNTY_CONTROLS', 'REGIONAL_CONTROLS', 'US_REGIONAL_ACCESS']*
<br>*enum: ['ASSURED_WORKLOADS_FOR_PARTNERS', 'AU_REGIONS_AND_US_SUPPORT', 'AUSTRALIA_DATA_BOUNDARY_AND_SUPPORT', 'CA_PROTECTED_B', 'CA_REGIONS_AND_SUPPORT', 'CANADA_CONTROLLED_GOODS', 'CANADA_DATA_BOUNDARY_AND_SUPPORT', 'CJIS', 'COMPLIANCE_REGIME_UNSPECIFIED', 'DATA_BOUNDARY_FOR_CANADA_CONTROLLED_GOODS', 'DATA_BOUNDARY_FOR_CANADA_PROTECTED_B', 'DATA_BOUNDARY_FOR_CJIS', 'DATA_BOUNDARY_FOR_FEDRAMP_HIGH', 'DATA_BOUNDARY_FOR_FEDRAMP_MODERATE', 'DATA_BOUNDARY_FOR_IL2', 'DATA_BOUNDARY_FOR_IL4', 'DATA_BOUNDARY_FOR_IL5', 'DATA_BOUNDARY_FOR_IRS_PUBLICATION_1075', 'DATA_BOUNDARY_FOR_ITAR', 'EU_DATA_BOUNDARY_AND_SUPPORT', 'EU_REGIONS_AND_SUPPORT', 'FEDRAMP_HIGH', 'FEDRAMP_MODERATE', 'HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS', 'HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS_US_SUPPORT', 'HIPAA', 'HITRUST', 'IL2', 'IL4', 'IL5', 'IRS_1075', 'ISR_REGIONS', 'ISR_REGIONS_AND_SUPPORT', 'ISRAEL_DATA_BOUNDARY_AND_SUPPORT', 'ITAR', 'JAPAN_DATA_BOUNDARY', 'JP_REGIONS_AND_SUPPORT', 'KSA_DATA_BOUNDARY_WITH_ACCESS_JUSTIFICATIONS', 'KSA_REGIONS_AND_SUPPORT_WITH_SOVEREIGNTY_CONTROLS', 'REGIONAL_CONTROLS', 'REGIONAL_DATA_BOUNDARY', 'US_DATA_BOUNDARY_AND_SUPPORT', 'US_DATA_BOUNDARY_FOR_HEALTHCARE_AND_LIFE_SCIENCES', 'US_DATA_BOUNDARY_FOR_HEALTHCARE_AND_LIFE_SCIENCES_WITH_SUPPORT', 'US_REGIONAL_ACCESS']*
- ⁺**display_name**: *string*
- ⁺**location**: *string*
- ⁺**organization**: *string*


@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# FAST release: v54.0.0
# FAST release: v54.1.0


@@ -871,27 +871,48 @@
"enum": [
"ASSURED_WORKLOADS_FOR_PARTNERS",
"AU_REGIONS_AND_US_SUPPORT",
"AUSTRALIA_DATA_BOUNDARY_AND_SUPPORT",
"CA_PROTECTED_B",
"CA_REGIONS_AND_SUPPORT",
"CANADA_CONTROLLED_GOODS",
"CANADA_DATA_BOUNDARY_AND_SUPPORT",
"CJIS",
"COMPLIANCE_REGIME_UNSPECIFIED",
"DATA_BOUNDARY_FOR_CANADA_CONTROLLED_GOODS",
"DATA_BOUNDARY_FOR_CANADA_PROTECTED_B",
"DATA_BOUNDARY_FOR_CJIS",
"DATA_BOUNDARY_FOR_FEDRAMP_HIGH",
"DATA_BOUNDARY_FOR_FEDRAMP_MODERATE",
"DATA_BOUNDARY_FOR_IL2",
"DATA_BOUNDARY_FOR_IL4",
"DATA_BOUNDARY_FOR_IL5",
"DATA_BOUNDARY_FOR_IRS_PUBLICATION_1075",
"DATA_BOUNDARY_FOR_ITAR",
"EU_DATA_BOUNDARY_AND_SUPPORT",
"EU_REGIONS_AND_SUPPORT",
"FEDRAMP_HIGH",
"FEDRAMP_MODERATE",
"HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS_US_SUPPORT",
"HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS",
"HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS_US_SUPPORT",
"HIPAA",
"HITRUST",
"IL2",
"IL4",
"IL5",
"IRS_1075",
"ISR_REGIONS_AND_SUPPORT",
"ISR_REGIONS",
"ISR_REGIONS_AND_SUPPORT",
"ISRAEL_DATA_BOUNDARY_AND_SUPPORT",
"ITAR",
"JAPAN_DATA_BOUNDARY",
"JP_REGIONS_AND_SUPPORT",
"KSA_DATA_BOUNDARY_WITH_ACCESS_JUSTIFICATIONS",
"KSA_REGIONS_AND_SUPPORT_WITH_SOVEREIGNTY_CONTROLS",
"REGIONAL_CONTROLS",
"REGIONAL_DATA_BOUNDARY",
"US_DATA_BOUNDARY_AND_SUPPORT",
"US_DATA_BOUNDARY_FOR_HEALTHCARE_AND_LIFE_SCIENCES",
"US_DATA_BOUNDARY_FOR_HEALTHCARE_AND_LIFE_SCIENCES_WITH_SUPPORT",
"US_REGIONAL_ACCESS"
]
},


@@ -253,7 +253,7 @@
- **assured_workload_config**<a name="refs-assured_workload_config"></a>: *object*
<br>*additional properties: false*
- ⁺**compliance_regime**: *string*
<br>*enum: ['ASSURED_WORKLOADS_FOR_PARTNERS', 'AU_REGIONS_AND_US_SUPPORT', 'CA_PROTECTED_B', 'CA_REGIONS_AND_SUPPORT', 'CJIS', 'COMPLIANCE_REGIME_UNSPECIFIED', 'EU_REGIONS_AND_SUPPORT', 'FEDRAMP_HIGH', 'FEDRAMP_MODERATE', 'HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS_US_SUPPORT', 'HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS', 'HIPAA', 'HITRUST', 'IL2', 'IL4', 'IL5', 'IRS_1075', 'ISR_REGIONS_AND_SUPPORT', 'ISR_REGIONS', 'ITAR', 'JP_REGIONS_AND_SUPPORT', 'KSA_REGIONS_AND_SUPPORT_WITH_SOVEREIGNTY_CONTROLS', 'REGIONAL_CONTROLS', 'US_REGIONAL_ACCESS']*
<br>*enum: ['ASSURED_WORKLOADS_FOR_PARTNERS', 'AU_REGIONS_AND_US_SUPPORT', 'AUSTRALIA_DATA_BOUNDARY_AND_SUPPORT', 'CA_PROTECTED_B', 'CA_REGIONS_AND_SUPPORT', 'CANADA_CONTROLLED_GOODS', 'CANADA_DATA_BOUNDARY_AND_SUPPORT', 'CJIS', 'COMPLIANCE_REGIME_UNSPECIFIED', 'DATA_BOUNDARY_FOR_CANADA_CONTROLLED_GOODS', 'DATA_BOUNDARY_FOR_CANADA_PROTECTED_B', 'DATA_BOUNDARY_FOR_CJIS', 'DATA_BOUNDARY_FOR_FEDRAMP_HIGH', 'DATA_BOUNDARY_FOR_FEDRAMP_MODERATE', 'DATA_BOUNDARY_FOR_IL2', 'DATA_BOUNDARY_FOR_IL4', 'DATA_BOUNDARY_FOR_IL5', 'DATA_BOUNDARY_FOR_IRS_PUBLICATION_1075', 'DATA_BOUNDARY_FOR_ITAR', 'EU_DATA_BOUNDARY_AND_SUPPORT', 'EU_REGIONS_AND_SUPPORT', 'FEDRAMP_HIGH', 'FEDRAMP_MODERATE', 'HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS', 'HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS_US_SUPPORT', 'HIPAA', 'HITRUST', 'IL2', 'IL4', 'IL5', 'IRS_1075', 'ISR_REGIONS', 'ISR_REGIONS_AND_SUPPORT', 'ISRAEL_DATA_BOUNDARY_AND_SUPPORT', 'ITAR', 'JAPAN_DATA_BOUNDARY', 'JP_REGIONS_AND_SUPPORT', 'KSA_DATA_BOUNDARY_WITH_ACCESS_JUSTIFICATIONS', 'KSA_REGIONS_AND_SUPPORT_WITH_SOVEREIGNTY_CONTROLS', 'REGIONAL_CONTROLS', 'REGIONAL_DATA_BOUNDARY', 'US_DATA_BOUNDARY_AND_SUPPORT', 'US_DATA_BOUNDARY_FOR_HEALTHCARE_AND_LIFE_SCIENCES', 'US_DATA_BOUNDARY_FOR_HEALTHCARE_AND_LIFE_SCIENCES_WITH_SUPPORT', 'US_REGIONAL_ACCESS']*
- ⁺**display_name**: *string*
- ⁺**location**: *string*
- ⁺**organization**: *string*


@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# FAST release: v54.0.0
# FAST release: v54.1.0


@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# FAST release: v54.0.0
# FAST release: v54.1.0


@@ -115,19 +115,19 @@ clusters = {
}
private_nodes = true
}
enable_features = {
enable_features = {
binary_authorization = true
groups_for_rbac = "gke-security-groups@example.com"
intranode_visibility = true
rbac_binding_config = {
enable_insecure_binding_system_unauthenticated: false
enable_insecure_binding_system_authenticated: false
enable_insecure_binding_system_unauthenticated : false
enable_insecure_binding_system_authenticated : false
}
shielded_nodes = true
shielded_nodes = true
upgrade_notifications = {
event_types = ["SECURITY_BULLETIN_EVENT", "UPGRADE_AVAILABLE_EVENT", "UPGRADE_INFO_EVENT", "UPGRADE_EVENT"]
}
workload_identity = true
workload_identity = true
}
vpc_config = {
subnetwork = "projects/ldj-dev-net-spoke-0/regions/europe-west8/subnetworks/gke"
@@ -141,7 +141,7 @@ clusters = {
nodepools = {
test-00 = {
00 = {
node_count = { initial = 1 }
node_count = { initial = 1 }
node_config = {
sandbox_config_gvisor = true
}


@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# FAST release: v54.0.0
# FAST release: v54.1.0


@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# FAST release: v54.0.0
# FAST release: v54.1.0