diff --git a/fast/stages/2-networking/README.md b/fast/stages/2-networking/README.md
index cd84dda82..ae6075610 100644
--- a/fast/stages/2-networking/README.md
+++ b/fast/stages/2-networking/README.md
@@ -57,6 +57,7 @@ The high-level flow for running this stage is:
The default dataset describes multiple different networking patterns.
It currently implements the following:
+- **Hub and spoke (w/ NCC)**: Environment-based VPCs interconnected through an NCC full-mesh, resulting in full routing line-of-sight between spokes ([dataset](./datasets/hub-and-spokes-ncc/))
- **Hub and spoke (w/ VPC Peering)**: Environment-based VPCs interconnected through VPC peering, resulting in full isolation between spokes ([dataset](./datasets/hub-and-spokes-peerings/))
### Defaults file
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-ncc/README.md b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/README.md
new file mode 100644
index 000000000..3de9400a3
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/README.md
@@ -0,0 +1,120 @@
+# NCC Hub and spoke
+
+This stage sets up the shared network infrastructure environment, and leverages [NCC](https://cloud.google.com/network-connectivity/docs/network-connectivity-center) to implement a VPC full mesh between different spokes, including hybrid spokes (e.g. VPN tunnels or VLAN attachments).
+
+- the NCC hub acts as a control-plane and single pane of glass for connectivity
+- the spoke VPCs allow partitioning workloads (e.g. by environments), while still retaining controlled access to central connectivity and services
+- Shared VPC in spokes splits management of network resources in specific (host) projects, while still allowing them to be consumed from workload (service) projects
+
+NCC allows for transitive connections between spokes, PSC endpoints transitivity, and a much higher limit in terms of VPCs that can participate to the peering group.
+
+The following diagram illustrates the high-level design, and should be used as a reference for the following sections.
+
+
+
+ NCC diagram
+
+
+### VPC design
+
+The hub VPC hosts external connectivity (by default VPN tunnels), attached to the NCC Hub as a series of hybrid spokes.
+
+The default recipe ships two different VPCs, mapping to hypotetical environments (dev and prod). Each VPC is created into its own project, and each project is configured as a Shared VPC host, so that network-related resources and access configurations via IAM are kept separate for each VPC.
+
+The design easily lends itself to implementing additional environments, or adopting a different logical mapping for spokes (e.g. one spoke for each company entity, etc.).
+
+### IP ranges, subnetting, routing
+
+Minimizing the number of routes (and subnets) in use on the cloud environment is an important consideration, as it simplifies management and avoids hitting [Cloud Router](https://cloud.google.com/network-connectivity/docs/router/quotas) and [VPC](https://cloud.google.com/vpc/docs/quota) quotas and limits. For this reason, we recommend careful planning of the IP space used in your cloud environment, to be able to use large IP CIDR blocks in routes whenever possible.
+
+This stage uses a dedicated /16 block (which should of course be sized to your needs) for each region in each VPC, and subnets created in each VPC should derive their ranges from the relevant block.
+
+The Prod Spoke VPC also define and reserve - as an example - two "special" CIDR ranges dedicated to [PSA (Private Service Access)](https://cloud.google.com/vpc/docs/private-services-access) and [Internal Application Load Balancers (L7 LBs)](https://cloud.google.com/load-balancing/docs/l7-internal).
+
+Routes in GCP are either automatically created for VPC subnets, manually created via static routes, programmed by the NCC hub or dynamically programmed by [Cloud Routers](https://cloud.google.com/network-connectivity/docs/router#docs) via BGP sessions, which can be configured to advertise VPC ranges, and/or custom ranges via custom advertisements.
+
+Furthermore:
+
+- routes between multiple subnets within the same VPC are automatically programmed by GCP
+- each spoke exchanges routes with the NCC hub, and gets NCC routes belonging to other spoks from the hub
+- on-premises is connected to the hub VPC and dynamically exchanges BGP routes with GCP using HA VPN. The HA VPN tunnels are configured as Hybrid spokes on the NCC hub, and as such all spokes receive those dynamic routes.
+
+### NCC Configuration
+
+There's two main configurations controlling inter-VPC connectivity:
+
+The **NCC hub setup**, controlled by files in the [ncc-hubs](./ncc-hubs/) folder - each describing an hub and its configuration.
+
+[prod-hub](./ncc-hubs/hub.yaml)
+
+```yaml
+name: the-hub
+project_id: $project_ids:net-core-0
+groups:
+ default:
+ auto_accept:
+ - $project_ids:net-prod-0
+ - $project_ids:net-dev-0
+```
+
+The **NCC spokes attachment**, controlled by each VPC `.config` file
+
+[vpcs/prod/.config.yaml](./vpcs/prod/.config.yaml)
+
+```yaml
+# [...]
+ncc_config:
+ hub: $ncc_hubs:the-hub
+ group: $ncc_groups:the-hub/default
+# [...]
+```
+
+For more informations about cross referencing resources, please check the [main README.md file](../../README.md)
+
+### Internet egress
+
+Cloud NAT provides the simplest path for internet egress. This setup uses Cloud NAT, which is enabled by default on the primary region.
+
+e.g. in [vpcs/prod/.config.yaml](./vpcs/prod/.config.yaml)
+
+```yaml
+# [...]
+nat_config:
+ nat-primary:
+ region: $locations:primary
+# [...]
+```
+
+Several other scenarios are possible of course, with varying degrees of complexity:
+
+- a forward proxy (including [SWP](https://cloud.google.com/secure-web-proxy/docs/overview)), with optional URL filters
+- a default route to on-prem to leverage existing egress infrastructure
+- a full-fledged perimeter firewall to control egress and implement additional security features like IPS
+
+### VPC and Hierarchical Firewall
+
+The GCP Firewall is a stateful, distributed feature that allows the creation of L4 policies, either via VPC-level rules or more recently via hierarchical policies applied on the resource hierarchy (organization, folders).
+
+The current setup adopts both firewall types, and uses [hierarchical rules on the Networking folder](./firewall-policies/networking-policy.yaml) for common ingress rules, e.g. from health check or IAP forwarders ranges, and [VPC rules](./vpcs/prod/firewall-rules) for the environment or workload-level ingress.
+
+### DNS
+
+This dataset implements a centralized DNS architecture that handles resolution between GCP and on-premises environments.
+
+- **Cloud to on-prem:** A [forwarding zone](./dns/zones/net-core-0/fwd-root.yaml) for the `onprem.` domain is configured in the hub VPC. It forwards DNS queries for on-premises resources to the on-premises DNS resolvers.
+- **On-prem to cloud:** An [inbound DNS policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) allows on-premises systems to resolve resources in GCP.
+
+DNS configuration is centralized in the hub project (`net-core-0`) and shared with the spokes using DNS peering:
+
+- The **hub** hosts:
+ - A top-level private zone for the cloud environment (e.g., `test.`).
+ - The forwarding zone to on-premises.
+- The **spokes** (`net-dev-0`, `net-prod-0`) host private zones for their specific subdomains (e.g., `dev.test.`, `prod.test.`). These zones are visible to the hub.
+- A **peering zone** for the `.` (root) domain is configured in the spokes, pointing to the hub. This delegates all DNS resolution from the spokes to the hub, creating a centralized model.
+- **Private Google Access** is enabled via [DNS Response Policies](https://cloud.google.com/dns/docs/zones/manage-response-policies#create-response-policy-rule) for most of the [supported domains](https://cloud.google.com/vpc/docs/configure-private-google-access#domain-options).
+
+To complete the configuration, on-premises DNS servers should be configured to forward queries for your cloud domain (e.g., `test.`) to the GCP inbound policy's IP addresses. Additionally, the `35.199.192.0/19` range (used by the GCP DNS forwarder) should be routed over the VPN tunnels from on-premises.
+
+### VPNs
+
+Connectivity to on-prem is implemented with HA VPN ([`net-vpn-ha`](../../../../../modules/net-vpn-ha/)) and defined in [`onprem.yaml`](./vpcs/hub/vpns/onprem.yaml). The file provisionally implements a single logical connection between onprem and the hub on the primary region through 2 IPSec tunnels, which are connected to the NCC Hub as hybrid spokes.
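Review bot: The examples under "NCC Configuration" do not match the files this patch adds. The README shows `name: the-hub`, `$ncc_hubs:the-hub`, `$ncc_groups:the-hub/default` and an `auto_accept` list with only `net-prod-0` and `net-dev-0`, while `ncc-hubs/hub.yaml` uses `name: hub`, the VPC configs reference `$ncc_hubs:hub` and `$ncc_groups:hub/default`, and `auto_accept` also lists `net-core-0`. Please align the snippets with the shipped files so readers copying them get working references. The DNS section also says the `onprem.` forwarding zone targets the on-premises resolvers, which is not what `fwd-root.yaml` configures. Smaller points: "hypotetical", "spoks", "informations" and "There's two" need fixing, the link text `prod-hub` points at a file named `hub.yaml`, and the section headings jump from `#` straight to `###`.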
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-ncc/defaults.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/defaults.yaml
new file mode 100644
index 000000000..baa14c8b2
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/defaults.yaml
@@ -0,0 +1,39 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+context:
+ cidr_ranges_sets:
+ healthchecks:
+ - 35.191.0.0/16
+ - 130.211.0.0/22
+ - 209.85.152.0/22
+ - 209.85.204.0/22
+ rfc1918:
+ - 10.0.0.0/8
+ - 172.16.0.0/12
+ - 192.168.0.0/16
+ locations:
+ primary: europe-west8
+ secondary: europe-west12
+ iam_principals: {}
+
+projects:
+ defaults:
+ locations:
+ storage: eu
+
+vpcs:
+ auto_create_subnetworks: false
+ delete_default_route_on_create: true
+ mtu: 1500
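Review bot: The key under `vpcs:` is spelled `delete_default_route_on_create` (singular), while every VPC `.config.yaml` in this patch uses `delete_default_routes_on_create` (plural). Please check which spelling the schema accepts and use it in both places. As written, all three VPCs (hub, dev, prod) also set the per-VPC value to `false`, so the `true` default here never takes effect; if removing the default internet route is the intended baseline, drop the per-VPC overrides or explain in a comment why each VPC keeps its default route.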
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-ncc/diagram-ncc.png b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/diagram-ncc.png
new file mode 100644
index 000000000..21019668b
Binary files /dev/null and b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/diagram-ncc.png differ
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-ncc/diagram-ncc.svg b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/diagram-ncc.svg
new file mode 100644
index 000000000..ca982a58d
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/diagram-ncc.svg
@@ -0,0 +1,1956 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-ncc/dns/response-policies/net-core-0.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/dns/response-policies/net-core-0.yaml
new file mode 100644
index 000000000..e6a0ab7f5
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/dns/response-policies/net-core-0.yaml
@@ -0,0 +1,156 @@
+# skip boilerplate check
+---
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../../../schemas/dns-response-policy-rules.schema.json
+
+project_id: $project_ids:net-core-0
+networks:
+ - $networks:hub
+ - $networks:prod
+ - $networks:dev
+rules:
+ accounts:
+ dns_name: "accounts.google.com."
+ behavior: bypassResponsePolicy
+ aiplatform-notebook-cloud-all:
+ dns_name: "*.aiplatform-notebook.cloud.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ aiplatform-notebook-gu-all:
+ dns_name: "*.aiplatform-notebook.googleusercontent.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ appengine:
+ dns_name: "appengine.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ appspot-all:
+ dns_name: "*.appspot.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ backupdr-cloud:
+ dns_name: "backupdr.cloud.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ backupdr-cloud-all:
+ dns_name: "*.backupdr.cloud.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ backupdr-gu:
+ dns_name: "backupdr.googleusercontent.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ backupdr-gu-all:
+ dns_name: "*.backupdr.googleusercontent.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ cloudfunctions:
+ dns_name: "*.cloudfunctions.net."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ cloudproxy:
+ dns_name: "*.cloudproxy.app."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ composer-cloud-all:
+ dns_name: "*.composer.cloud.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ composer-gu-all:
+ dns_name: "*.composer.googleusercontent.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ datafusion-all:
+ dns_name: "*.datafusion.cloud.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ datafusion-gu-all:
+ dns_name: "*.datafusion.googleusercontent.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ dataproc:
+ dns_name: "dataproc.cloud.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ dataproc-all:
+ dns_name: "*.dataproc.cloud.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ dataproc-gu:
+ dns_name: "dataproc.googleusercontent.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ dataproc-gu-all:
+ dns_name: "*.dataproc.googleusercontent.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ dl:
+ dns_name: "dl.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ gcr:
+ dns_name: "gcr.io."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ gcr-all:
+ dns_name: "*.gcr.io."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ gke-all:
+ dns_name: "*.gke.goog."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ googleapis-all:
+ dns_name: "*.googleapis.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ googleapis-private:
+ dns_name: "private.googleapis.com."
+ local_data:
+ A:
+ rrdatas:
+ - 199.36.153.8
+ - 199.36.153.9
+ - 199.36.153.10
+ - 199.36.153.11
+ AAAA:
+ rrdatas:
+ - "2600:2d00:2:2000::"
+ googleapis-restricted:
+ dns_name: "restricted.googleapis.com."
+ local_data:
+ A:
+ rrdatas:
+ - 199.36.153.4
+ - 199.36.153.5
+ - 199.36.153.6
+ - 199.36.153.7
+ AAAA:
+ rrdatas:
+ - "2600:2d00:2:1000::"
+ gstatic-all:
+ dns_name: "*.gstatic.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ kernels-gu:
+ dns_name: "kernels.googleusercontent.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ kernels-gu-all:
+ dns_name: "*.kernels.googleusercontent.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ ltsapis-all:
+ dns_name: "*.ltsapis.goog."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ notebooks:
+ dns_name: "notebooks.cloud.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ notebooks-all:
+ dns_name: "*.notebooks.cloud.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ notebooks-gu-all:
+ dns_name: "*.notebooks.googleusercontent.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ packages-cloud:
+ dns_name: "packages.cloud.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ packages-cloud-all:
+ dns_name: "*.packages.cloud.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ pkgdev:
+ dns_name: "pkg.dev."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ pkgdev-all:
+ dns_name: "*.pkg.dev."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ pkigoog:
+ dns_name: "pki.goog."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ pkigoog-all:
+ dns_name: "*.pki.goog."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ run-all:
+ dns_name: "*.run.app."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ source:
+ dns_name: "source.developers.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ storage:
+ dns_name: "storage.cloud.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
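Review bot: The `backupdr-gu` and `backupdr-gu-all` rules use `backupdr.googleusercontent.google.com.`, whereas every other `-gu` rule in this file (`composer-gu-all`, `dataproc-gu`, `kernels-gu`, `notebooks-gu-all`, ...) uses the `googleusercontent.com.` suffix. This looks like a typo; if so, these two rules never match, and Backup and DR lookups for the real domain fall through the response policy instead of being steered to `private.googleapis.com.`. Separately, a short comment on the `accounts` rule explaining why it uses `bypassResponsePolicy` would help, since it is the only rule in the file that does.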
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-ncc/dns/zones/net-core-0/fwd-root.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/dns/zones/net-core-0/fwd-root.yaml
new file mode 100644
index 000000000..6db3e36b8
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/dns/zones/net-core-0/fwd-root.yaml
@@ -0,0 +1,14 @@
+# skip boilerplate check
+---
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../../../../schemas/dns.schema.json
+
+project_id: $project_ids:net-core-0
+domain: onprem.
+forwarding:
+ forwarders:
+ "8.8.8.8": default
+ "1.1.1.1": default
+ client_networks:
+ - $networks:hub
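Review bot: The forwarders for the `onprem.` zone are `8.8.8.8` and `1.1.1.1`, which are public resolvers, while the dataset README describes this zone as forwarding to the on-premises DNS resolvers. Applied unchanged, queries for internal `onprem.` names are sent to third-party public DNS, which both fails to resolve them and discloses internal hostnames. Please replace these with clearly marked placeholder addresses (for example from a private range) and add a comment stating that they must be set to the on-premises resolver IPs before use.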
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-ncc/dns/zones/net-core-0/peer-root.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/dns/zones/net-core-0/peer-root.yaml
new file mode 100644
index 000000000..3d5a3fe3f
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/dns/zones/net-core-0/peer-root.yaml
@@ -0,0 +1,13 @@
+# skip boilerplate check
+---
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../../../../schemas/dns.schema.json
+
+project_id: $project_ids:net-core-0
+domain: .
+peering:
+ peer_network: $networks:hub
+ client_networks:
+ - $networks:prod
+ - $networks:dev
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-ncc/dns/zones/net-core-0/pvt-test.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/dns/zones/net-core-0/pvt-test.yaml
new file mode 100644
index 000000000..0369f0c42
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/dns/zones/net-core-0/pvt-test.yaml
@@ -0,0 +1,14 @@
+# skip boilerplate check
+---
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../../../../schemas/dns.schema.json
+
+project_id: $project_ids:net-core-0
+domain: test.
+private:
+ client_networks:
+ - $networks:hub
+recordsets:
+ "A localhost":
+ records: ["127.0.0.1"]
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-ncc/dns/zones/net-dev-0/pvt-dev-test.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/dns/zones/net-dev-0/pvt-dev-test.yaml
new file mode 100644
index 000000000..b7fc735e9
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/dns/zones/net-dev-0/pvt-dev-test.yaml
@@ -0,0 +1,15 @@
+# skip boilerplate check
+---
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../../../../schemas/dns.schema.json
+
+project_id: $project_ids:net-dev-0
+domain: dev.test.
+private:
+ client_networks:
+ - $networks:hub
+ - $networks:dev
+recordsets:
+ "A localhost":
+ records: ["127.0.0.1"]
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-ncc/dns/zones/net-prod-0/pvt-prod-test.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/dns/zones/net-prod-0/pvt-prod-test.yaml
new file mode 100644
index 000000000..c74ea25bd
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/dns/zones/net-prod-0/pvt-prod-test.yaml
@@ -0,0 +1,15 @@
+# skip boilerplate check
+---
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../../../../schemas/dns.schema.json
+
+project_id: $project_ids:net-prod-0
+domain: prod.test.
+private:
+ client_networks:
+ - $networks:hub
+ - $networks:prod
+recordsets:
+ "A localhost":
+ records: ["127.0.0.1"]
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-ncc/firewall-policies/networking-policy.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/firewall-policies/networking-policy.yaml
new file mode 100644
index 000000000..029de7a53
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/firewall-policies/networking-policy.yaml
@@ -0,0 +1,55 @@
+# skip boilerplate check
+
+# yaml-language-server: $schema=../../../schemas/firewall-policy.schema.json
+
+parent_id: $folder_ids:networking
+attachments:
+ networking: $folder_ids:networking
+name: network-policy
+ingress_rules:
+ allow-healthchecks:
+ description: Enable SSH, HTTP and HTTPS healthchecks
+ priority: 1001
+ match:
+ source_ranges:
+ - $cidr_ranges_sets:healthchecks
+ layer4_configs:
+ - protocol: tcp
+ ports: ["22", "80", "443"]
+
+ allow-ssh-from-iap:
+ description: Enable SSH from IAP
+ priority: 1002
+ enable_logging: true
+ match:
+ source_ranges:
+ - 35.235.240.0/20
+ layer4_configs:
+ - protocol: tcp
+ ports: ["22"]
+
+ allow-icmp:
+ description: Enable ICMP
+ priority: 1003
+ match:
+ source_ranges:
+ - 0.0.0.0/0
+ layer4_configs:
+ - protocol: icmp
+
+ allow-nat-ranges:
+ description: Enable NAT ranges for VPC serverless connector
+ priority: 1004
+ match:
+ source_ranges:
+ - 107.178.230.64/26
+ - 35.199.224.0/19
+egress_rules:
+ deny-example-ip:
+ description: Allow internal traffic within the VPC
+ priority: 2000
+ match:
+ destination_ranges:
+ - 1.2.3.4/32
+ layer4_configs:
+ - protocol: all
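Review bot: The egress rule `deny-example-ip` has the description "Allow internal traffic within the VPC", and no action field is visible in the rule, so the name, the description and the actual behaviour cannot all be right. Please make the description match the intent and state the action explicitly. In the ingress rules, `allow-nat-ranges` has no `layer4_configs`, unlike the other three rules, so it is not restricted to any protocol or port for `107.178.230.64/26` and `35.199.224.0/19`; please scope it to what the serverless connector needs. Since this policy is attached at the Networking folder, it is also worth confirming that `allow-icmp` from `0.0.0.0/0` is intended for every VPC below it, and enabling `enable_logging` on more than the IAP rule.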
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-ncc/ncc-hubs/hub.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/ncc-hubs/hub.yaml
new file mode 100644
index 000000000..4fa33441f
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/ncc-hubs/hub.yaml
@@ -0,0 +1,14 @@
+# skip boilerplate check
+---
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../../schemas/ncc-hub.schema.json
+
+name: hub
+project_id: $project_ids:net-core-0
+groups:
+ default:
+ auto_accept:
+ - $project_ids:net-core-0
+ - $project_ids:net-prod-0
+ - $project_ids:net-dev-0
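Review bot: The `auto_accept` list puts `net-core-0`, `net-prod-0` and `net-dev-0` into the single `default` group, so any spoke created in those projects joins the mesh without an approval step and dev and prod exchange routes with each other. That matches the "full routing line-of-sight" description in the README, but it means environment separation rests entirely on firewall rules, and the only VPC rules in this patch are the default ingress denies. Please add a comment here (or a paragraph in the dataset README) stating this explicitly, and consider showing how separate groups per environment would look for users who need dev and prod kept apart.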
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-ncc/projects/net-core-0.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/projects/net-core-0.yaml
new file mode 100644
index 000000000..d6cdbe32f
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/projects/net-core-0.yaml
@@ -0,0 +1,19 @@
+# skip boilerplate check
+---
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../../schemas/project.schema.json
+name: prod-net-core-0
+parent: $folder_ids:networking
+services:
+ - container.googleapis.com
+ - compute.googleapis.com
+ - dns.googleapis.com
+ - iap.googleapis.com
+ - networkmanagement.googleapis.com
+ - networksecurity.googleapis.com
+ - servicenetworking.googleapis.com
+ - stackdriver.googleapis.com
+ - vpcaccess.googleapis.com
+shared_vpc_host_config:
+ enabled: true
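Review bot: The `services` list does not include `networkconnectivity.googleapis.com`, although the NCC hub is created in this project (`project_id: $project_ids:net-core-0` in `ncc-hubs/hub.yaml`). If that API is not enabled elsewhere in the stage, hub creation will fail on a fresh project; please add it here, and to `net-dev-0.yaml` and `net-prod-0.yaml` if the spoke projects need it as well. Minor: this file is missing the blank line after the `yaml-language-server` comment that the other two project files have.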
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-ncc/projects/net-dev-0.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/projects/net-dev-0.yaml
new file mode 100644
index 000000000..29e3c4f5c
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/projects/net-dev-0.yaml
@@ -0,0 +1,20 @@
+# skip boilerplate check
+---
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../../schemas/project.schema.json
+
+name: dev-net-dev-0
+parent: $folder_ids:networking/dev
+services:
+ - container.googleapis.com
+ - compute.googleapis.com
+ - dns.googleapis.com
+ - iap.googleapis.com
+ - networkmanagement.googleapis.com
+ - networksecurity.googleapis.com
+ - servicenetworking.googleapis.com
+ - stackdriver.googleapis.com
+ - vpcaccess.googleapis.com
+shared_vpc_host_config:
+ enabled: true
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-ncc/projects/net-prod-0.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/projects/net-prod-0.yaml
new file mode 100644
index 000000000..fe344a677
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/projects/net-prod-0.yaml
@@ -0,0 +1,20 @@
+# skip boilerplate check
+---
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../../schemas/project.schema.json
+
+name: prod-net-prod-0
+parent: $folder_ids:networking/prod
+services:
+ - container.googleapis.com
+ - compute.googleapis.com
+ - dns.googleapis.com
+ - iap.googleapis.com
+ - networkmanagement.googleapis.com
+ - networksecurity.googleapis.com
+ - servicenetworking.googleapis.com
+ - stackdriver.googleapis.com
+ - vpcaccess.googleapis.com
+shared_vpc_host_config:
+ enabled: true
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/dev/.config.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/dev/.config.yaml
new file mode 100644
index 000000000..112c3f1fe
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/dev/.config.yaml
@@ -0,0 +1,16 @@
+# skip boilerplate check
+---
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../../../schemas/vpc.schema.json
+
+project_id: $project_ids:net-dev-0
+name: dev
+delete_default_routes_on_create: false
+mtu: 1500
+nat_config:
+ nat-primary:
+ region: $locations:primary
+ncc_config:
+ hub: $ncc_hubs:hub
+ group: $ncc_groups:hub/default
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/dev/firewall-rules/default-ingress.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/dev/firewall-rules/default-ingress.yaml
new file mode 100644
index 000000000..77cbf3327
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/dev/firewall-rules/default-ingress.yaml
@@ -0,0 +1,13 @@
+# skip boilerplate check
+---
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../../schemas/firewall-rules.schema.json
+
+ingress:
+ ingress-default-dev-deny:
+ description: "Deny and log any unmatched ingress traffic."
+ deny: true
+ priority: 65535
+ enable_logging:
+ include_metadata: false
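Review bot: The `$schema` path in the header comment, `../../../schemas/firewall-rules.schema.json`, does not resolve to the same directory the other files in this patch point at. `vpcs/dev/.config.yaml` needs four `..` segments to reach `schemas/`, so a file one level deeper in `vpcs/dev/firewall-rules/` needs five. The same three-segment path appears in the subnet files under `vpcs/*/subnets/` and in the prod `default-ingress.yaml`. With the wrong path the YAML language server silently skips validation, so typos in these rule files will not be flagged in the editor.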
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/dev/subnets/dev-dataplatform.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/dev/subnets/dev-dataplatform.yaml
new file mode 100644
index 000000000..d91c0c4ac
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/dev/subnets/dev-dataplatform.yaml
@@ -0,0 +1,13 @@
+# skip boilerplate check
+
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
+name: dev-dataplatform
+region: $locations:primary
+description: Default subnet for dev Data Platform
+ip_cidr_range: 10.68.2.0/24
+secondary_ip_ranges:
+ pods:
+ ip_cidr_range: 100.69.0.0/16
+ services:
+ ip_cidr_range: 100.71.2.0/24
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/dev/subnets/dev-default.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/dev/subnets/dev-default.yaml
new file mode 100644
index 000000000..e1cffabcc
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/dev/subnets/dev-default.yaml
@@ -0,0 +1,8 @@
+# skip boilerplate check
+
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
+name: dev-default
+region: $locations:primary
+ip_cidr_range: 10.68.0.0/24
+description: Default primary-region subnet for dev
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/dev/subnets/dev-gke-nodes.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/dev/subnets/dev-gke-nodes.yaml
new file mode 100644
index 000000000..07da55527
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/dev/subnets/dev-gke-nodes.yaml
@@ -0,0 +1,13 @@
+# skip boilerplate check
+
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
+name: dev-gke-nodes
+region: $locations:primary
+description: Default subnet for prod gke nodes
+ip_cidr_range: 10.68.1.0/24
+secondary_ip_ranges:
+ pods:
+ ip_cidr_range: 100.68.0.0/16
+ services:
+ ip_cidr_range: 100.71.1.0/24
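Review bot: The `description` reads "Default subnet for prod gke nodes", but this is the `dev-gke-nodes` subnet in the dev VPC. It looks like a copy and paste leftover; please change it to dev so that the description shown in the console and in audit output does not mislabel the environment.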
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/hub/.config.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/hub/.config.yaml
new file mode 100644
index 000000000..70f22e390
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/hub/.config.yaml
@@ -0,0 +1,20 @@
+# skip boilerplate check
+---
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../../../schemas/vpc.schema.json
+
+project_id: $project_ids:net-core-0
+name: hub
+delete_default_routes_on_create: false
+routers:
+ vpn-router:
+ region: europe-west8
+ asn: 64514
+routes:
+ gateway:
+ # The configuration above is purely illustrative. Adjust as needed.
+ dest_range: "8.8.8.8/32"
+ priority: 100
+ next_hop_type: "gateway"
+ next_hop: "default-internet-gateway"
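Review bot: The router `region` is hard-coded to `europe-west8`, while the VPN in `vpns/onprem.yaml` and the subnets use `$locations:primary`. If a user changes `locations.primary` in `defaults.yaml`, the router stays in the old region and the VPN that references `$routers:hub/vpn-router` no longer lines up with it; please use `$locations:primary` here too. The comment under `gateway:` says "The configuration above is purely illustrative" but it sits before the route fields it refers to, so "below" is meant. It would also help to say what the example `8.8.8.8/32` route to `default-internet-gateway` is illustrating, and whether the missing `mtu` (set to 1500 in dev and prod) is intentional.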
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/hub/subnets/hub-default.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/hub/subnets/hub-default.yaml
new file mode 100644
index 000000000..42e6f360b
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/hub/subnets/hub-default.yaml
@@ -0,0 +1,8 @@
+# skip boilerplate check
+
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
+name: hub-default
+region: $locations:primary
+ip_cidr_range: 10.64.255.0/24
+description: Default primary-region subnet for hub
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/hub/vpns/onprem.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/hub/vpns/onprem.yaml
new file mode 100644
index 000000000..d85cd25b9
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/hub/vpns/onprem.yaml
@@ -0,0 +1,44 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: to-onprem
+region: $locations:primary
+peer_gateways:
+ default:
+ external:
+ redundancy_type: SINGLE_IP_INTERNALLY_REDUNDANT
+ interfaces:
+ - 8.8.8.8
+router_config:
+ create: false
+ name: $routers:hub/vpn-router
+ncc_spoke_config:
+ hub: $ncc_hubs:hub
+tunnels:
+ remote-0:
+ bgp_peer:
+ address: 169.254.128.1
+ asn: 64513
+ bgp_session_range: "169.254.128.2/30"
+ peer_external_gateway_interface: 0
+ shared_secret: "mySecret"
+ vpn_gateway_interface: 0
+ remote-1:
+ bgp_peer:
+ address: 169.254.128.5
+ asn: 64513
+ bgp_session_range: "169.254.128.6/30"
+ peer_external_gateway_interface: 0
+ shared_secret: "mySecret"
+ vpn_gateway_interface: 1
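Review bot: both tunnels carry a literal `shared_secret: "mySecret"`, and unlike the hub route there is no comment marking this file as illustrative. Anyone who points `factories_config` at this dataset and applies it gets HA VPN tunnels with a pre-shared key that is published in the repository. Please either document that the value must be replaced before use, or source it from outside the dataset if the factory supports that, and add the same kind of note for the `8.8.8.8` peer gateway interface, which is also a placeholder.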
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/prod/.config.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/prod/.config.yaml
new file mode 100644
index 000000000..a857997ae
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/prod/.config.yaml
@@ -0,0 +1,28 @@
+# skip boilerplate check
+---
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../../../schemas/vpc.schema.json
+
+project_id: $project_ids:net-prod-0
+name: prod
+delete_default_routes_on_create: false
+mtu: 1500
+nat_config:
+ nat-primary:
+ region: $locations:primary
+ncc_config:
+ hub: $ncc_hubs:hub
+ group: $ncc_groups:hub/default
+psa_configs:
+ - ranges:
+ psa: 10.72.224.0/24
+ export_routes: true
+ import_routes: true
+ peered_domains:
+ - "test."
+subnets_proxy_only:
+ - ip_cidr_range: 10.72.240.0/24
+ region: $locations:primary
+ name: primary-region-proxy-only
+ active: true
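Review bot: `delete_default_routes_on_create: false` leaves the auto-created default route in the prod VPC, and the file does not say why. If it is kept so that `nat-primary` has an egress path, a one-line comment saying so would help, since a reader hardening the prod spoke would otherwise expect the default route to be removed. The `peered_domains` entry `"test."` also reads as a placeholder and could carry the same "illustrative" comment used in the hub config.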
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/prod/firewall-rules/default-ingress.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/prod/firewall-rules/default-ingress.yaml
new file mode 100644
index 000000000..cd99ce114
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/prod/firewall-rules/default-ingress.yaml
@@ -0,0 +1,13 @@
+# skip boilerplate check
+---
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../../schemas/firewall-rules.schema.json
+
+ingress:
+ ingress-default-prod-deny:
+ description: "Deny and log any unmatched ingress traffic."
+ deny: true
+ priority: 65535
+ enable_logging:
+ include_metadata: false
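Review bot: `include_metadata: false` on the catch-all deny rule means the firewall logs for denied ingress are written without metadata (the test inventory in this patch shows it rendered as `EXCLUDE_ALL_METADATA`). For a rule whose description is "Deny and log any unmatched ingress traffic", that limits what an investigator can learn from the entries. If this is a deliberate cost choice for the default dataset, please add a comment saying so; otherwise consider `include_metadata: true` for prod.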
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/prod/subnets/prod-default.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/prod/subnets/prod-default.yaml
new file mode 100644
index 000000000..7211ff778
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-ncc/vpcs/prod/subnets/prod-default.yaml
@@ -0,0 +1,8 @@
+# skip boilerplate check
+
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
+name: prod-default
+region: $locations:primary
+ip_cidr_range: 10.72.0.0/24
+description: Default primary-region subnet for prod
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-peerings/firewall-policies/networking-policy.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-peerings/firewall-policies/networking-policy.yaml
index daddf5b5d..029de7a53 100644
--- a/fast/stages/2-networking/datasets/hub-and-spokes-peerings/firewall-policies/networking-policy.yaml
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-peerings/firewall-policies/networking-policy.yaml
@@ -5,7 +5,7 @@
parent_id: $folder_ids:networking
attachments:
networking: $folder_ids:networking
-name: network-policies
+name: network-policy
ingress_rules:
allow-healthchecks:
description: Enable SSH, HTTP and HTTPS healthchecks
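Review bot: renaming the policy from `network-policies` to `network-policy` in the existing peerings dataset affects anyone who has already applied it, and nothing in the patch calls that out. The NCC test inventory added here keys the module instance by policy name (`module.firewall_policies["network-policy"]`); if the peerings dataset is keyed the same way, a plan on an existing deployment would likely show the hierarchical policy, its folder association and its rules being destroyed and recreated. Please mention the rename in the changelog or upgrade notes so operators can schedule the change.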
diff --git a/tests/fast/stages/s2_networking/ncc.tfvars b/tests/fast/stages/s2_networking/ncc.tfvars
new file mode 100644
index 000000000..38ecbb82f
--- /dev/null
+++ b/tests/fast/stages/s2_networking/ncc.tfvars
@@ -0,0 +1,38 @@
+automation = {
+ outputs_bucket = "test"
+}
+billing_account = {
+ id = "000000-111111-222222"
+}
+factories_config = {
+ defaults = "datasets/hub-and-spokes-ncc/defaults.yaml"
+ dns = "datasets/hub-and-spokes-ncc/dns/zones"
+ dns-response-policies = "datasets/hub-and-spokes-ncc/dns/response-policies"
+ firewall-policies = "datasets/hub-and-spokes-ncc/firewall-policies"
+ folders = "datasets/hub-and-spokes-ncc/folders"
+ interconnect = "datasets/hub-and-spokes-ncc/interconnect"
+ ncc-hubs = "datasets/hub-and-spokes-ncc/ncc-hubs"
+ nvas = "datasets/hub-and-spokes-ncc/nvas"
+ projects = "datasets/hub-and-spokes-ncc/projects"
+ vpcs = "datasets/hub-and-spokes-ncc/vpcs"
+}
+
+folder_ids = {
+ "networking" = "folders/12345678"
+ "networking/prod" = "folders/23456789"
+ "networking/dev" = "folders/34567890"
+}
+organization = {
+ domain = "fast.example.com"
+ id = 123456789012
+ customer_id = "C00000000"
+}
+prefix = "fast"
+service_accounts = {
+ "iac-0/iac-pf-rw" = "iac-pf-rw@test.iam.gserviceaccount.com"
+ "iac-0/iac-pf-ro" = "iac-pf-ro@test.iam.gserviceaccount.com"
+}
+tag_values = {
+ "environment/development" = "tagValues/12345"
+ "environment/production" = "tagValues/12346"
+}
diff --git a/tests/fast/stages/s2_networking/ncc.yaml b/tests/fast/stages/s2_networking/ncc.yaml
new file mode 100644
index 000000000..4e950cdf0
--- /dev/null
+++ b/tests/fast/stages/s2_networking/ncc.yaml
@@ -0,0 +1,2095 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ google_compute_ha_vpn_gateway.default["hub/to-onprem"]:
+ description: null
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ gateway_ip_version: IPV4
+ labels: null
+ name: hub-to-onprem
+ network: hub
+ project: fast-prod-net-core-0
+ region: europe-west8
+ stack_type: IPV4_ONLY
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ google_compute_router.default["hub/vpn-router"]:
+ bgp:
+ - advertise_mode: DEFAULT
+ advertised_groups: []
+ advertised_ip_ranges: []
+ asn: 64514
+ keepalive_interval: 20
+ description: null
+ encrypted_interconnect_router: null
+ md5_authentication_keys: []
+ name: hub-vpn-router
+ project: fast-prod-net-core-0
+ region: europe-west8
+ timeouts: null
+ google_network_connectivity_group.default["hub/default"]:
+ auto_accept:
+ - auto_accept_projects:
+ - fast-prod-net-core-0
+ - fast-prod-net-prod-0
+ - fast-dev-net-dev-0
+ description: Terraform-managed
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ labels: null
+ name: default
+ project: fast-prod-net-core-0
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ google_network_connectivity_hub.default["hub"]:
+ description: Terraform-managed
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ export_psc: true
+ labels: null
+ name: hub
+ preset_topology: MESH
+ project: fast-prod-net-core-0
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ google_network_connectivity_spoke.tunnels["hub/to-onprem/hub"]:
+ description: Terraform-managed.
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ labels: null
+ linked_interconnect_attachments: []
+ linked_producer_vpc_network: []
+ linked_router_appliance_instances: []
+ linked_vpc_network: []
+ linked_vpn_tunnels:
+ - include_import_ranges:
+ - ALL_IPV4_RANGES
+ site_to_site_data_transfer: true
+ location: europe-west8
+ name: hub-to-onprem-hub
+ project: fast-prod-net-core-0
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ google_network_connectivity_spoke.vpcs["dev/hub"]:
+ description: Terraform-managed
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ labels: null
+ linked_interconnect_attachments: []
+ linked_producer_vpc_network: []
+ linked_router_appliance_instances: []
+ linked_vpc_network:
+ - exclude_export_ranges: null
+ include_export_ranges: null
+ linked_vpn_tunnels: []
+ location: global
+ name: dev-hub
+ project: fast-dev-net-dev-0
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ google_network_connectivity_spoke.vpcs["prod/hub"]:
+ description: Terraform-managed
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ labels: null
+ linked_interconnect_attachments: []
+ linked_producer_vpc_network: []
+ linked_router_appliance_instances: []
+ linked_vpc_network:
+ - exclude_export_ranges: null
+ include_export_ranges: null
+ linked_vpn_tunnels: []
+ location: global
+ name: prod-hub
+ project: fast-prod-net-prod-0
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ google_storage_bucket_object.tfvars["1"]:
+ bucket: test
+ cache_control: null
+ content_disposition: null
+ content_encoding: null
+ content_language: null
+ customer_encryption: []
+ deletion_policy: null
+ detect_md5hash: different hash
+ event_based_hold: null
+ force_empty_content_type: null
+ metadata: null
+ name: tfvars/2-networking.auto.tfvars.json
+ retention: []
+ source: null
+ source_md5hash: null
+ temporary_hold: null
+ timeouts: null
+ google_storage_bucket_object.version["1"]:
+ bucket: test
+ cache_control: null
+ content_disposition: null
+ content_encoding: null
+ content_language: null
+ customer_encryption: []
+ deletion_policy: null
+ detect_md5hash: different hash
+ event_based_hold: null
+ force_empty_content_type: null
+ metadata: null
+ name: versions/2-networking-version.txt
+ retention: []
+ source: fast_version.txt
+ source_md5hash: null
+ temporary_hold: null
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy.default[0]:
+ description: Terraform managed.
+ gke_clusters: []
+ networks:
+ - {}
+ - {}
+ - {}
+ project: fast-prod-net-core-0
+ response_policy_name: net-core-0
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["accounts"]:
+ behavior: bypassResponsePolicy
+ dns_name: accounts.google.com.
+ local_data: []
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: accounts
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["aiplatform-notebook-cloud-all"]:
+ behavior: null
+ dns_name: "*.aiplatform-notebook.cloud.google.com."
+ local_data:
+ - local_datas:
+ - name: "*.aiplatform-notebook.cloud.google.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: aiplatform-notebook-cloud-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["aiplatform-notebook-gu-all"]:
+ behavior: null
+ dns_name: "*.aiplatform-notebook.googleusercontent.com."
+ local_data:
+ - local_datas:
+ - name: "*.aiplatform-notebook.googleusercontent.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: aiplatform-notebook-gu-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["appengine"]:
+ behavior: null
+ dns_name: appengine.google.com.
+ local_data:
+ - local_datas:
+ - name: appengine.google.com.
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: appengine
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["appspot-all"]:
+ behavior: null
+ dns_name: "*.appspot.com."
+ local_data:
+ - local_datas:
+ - name: "*.appspot.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: appspot-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["backupdr-cloud"]:
+ behavior: null
+ dns_name: backupdr.cloud.google.com.
+ local_data:
+ - local_datas:
+ - name: backupdr.cloud.google.com.
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: backupdr-cloud
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["backupdr-cloud-all"]:
+ behavior: null
+ dns_name: "*.backupdr.cloud.google.com."
+ local_data:
+ - local_datas:
+ - name: "*.backupdr.cloud.google.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: backupdr-cloud-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["backupdr-gu"]:
+ behavior: null
+ dns_name: backupdr.googleusercontent.google.com.
+ local_data:
+ - local_datas:
+ - name: backupdr.googleusercontent.google.com.
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: backupdr-gu
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["backupdr-gu-all"]:
+ behavior: null
+ dns_name: "*.backupdr.googleusercontent.google.com."
+ local_data:
+ - local_datas:
+ - name: "*.backupdr.googleusercontent.google.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: backupdr-gu-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["cloudfunctions"]:
+ behavior: null
+ dns_name: "*.cloudfunctions.net."
+ local_data:
+ - local_datas:
+ - name: "*.cloudfunctions.net."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: cloudfunctions
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["cloudproxy"]:
+ behavior: null
+ dns_name: "*.cloudproxy.app."
+ local_data:
+ - local_datas:
+ - name: "*.cloudproxy.app."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: cloudproxy
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["composer-cloud-all"]:
+ behavior: null
+ dns_name: "*.composer.cloud.google.com."
+ local_data:
+ - local_datas:
+ - name: "*.composer.cloud.google.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: composer-cloud-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["composer-gu-all"]:
+ behavior: null
+ dns_name: "*.composer.googleusercontent.com."
+ local_data:
+ - local_datas:
+ - name: "*.composer.googleusercontent.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: composer-gu-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["datafusion-all"]:
+ behavior: null
+ dns_name: "*.datafusion.cloud.google.com."
+ local_data:
+ - local_datas:
+ - name: "*.datafusion.cloud.google.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: datafusion-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["datafusion-gu-all"]:
+ behavior: null
+ dns_name: "*.datafusion.googleusercontent.com."
+ local_data:
+ - local_datas:
+ - name: "*.datafusion.googleusercontent.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: datafusion-gu-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["dataproc"]:
+ behavior: null
+ dns_name: dataproc.cloud.google.com.
+ local_data:
+ - local_datas:
+ - name: dataproc.cloud.google.com.
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: dataproc
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["dataproc-all"]:
+ behavior: null
+ dns_name: "*.dataproc.cloud.google.com."
+ local_data:
+ - local_datas:
+ - name: "*.dataproc.cloud.google.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: dataproc-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["dataproc-gu"]:
+ behavior: null
+ dns_name: dataproc.googleusercontent.com.
+ local_data:
+ - local_datas:
+ - name: dataproc.googleusercontent.com.
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: dataproc-gu
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["dataproc-gu-all"]:
+ behavior: null
+ dns_name: "*.dataproc.googleusercontent.com."
+ local_data:
+ - local_datas:
+ - name: "*.dataproc.googleusercontent.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: dataproc-gu-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["dl"]:
+ behavior: null
+ dns_name: dl.google.com.
+ local_data:
+ - local_datas:
+ - name: dl.google.com.
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: dl
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["gcr"]:
+ behavior: null
+ dns_name: gcr.io.
+ local_data:
+ - local_datas:
+ - name: gcr.io.
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: gcr
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["gcr-all"]:
+ behavior: null
+ dns_name: "*.gcr.io."
+ local_data:
+ - local_datas:
+ - name: "*.gcr.io."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: gcr-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["gke-all"]:
+ behavior: null
+ dns_name: "*.gke.goog."
+ local_data:
+ - local_datas:
+ - name: "*.gke.goog."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: gke-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["googleapis-all"]:
+ behavior: null
+ dns_name: "*.googleapis.com."
+ local_data:
+ - local_datas:
+ - name: "*.googleapis.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: googleapis-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["googleapis-private"]:
+ behavior: null
+ dns_name: private.googleapis.com.
+ local_data:
+ - local_datas:
+ - name: private.googleapis.com.
+ rrdatas:
+ - 199.36.153.8
+ - 199.36.153.9
+ - 199.36.153.10
+ - 199.36.153.11
+ ttl: null
+ type: A
+ - name: private.googleapis.com.
+ rrdatas:
+ - "2600:2d00:2:2000::"
+ ttl: null
+ type: AAAA
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: googleapis-private
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["googleapis-restricted"]:
+ behavior: null
+ dns_name: restricted.googleapis.com.
+ local_data:
+ - local_datas:
+ - name: restricted.googleapis.com.
+ rrdatas:
+ - 199.36.153.4
+ - 199.36.153.5
+ - 199.36.153.6
+ - 199.36.153.7
+ ttl: null
+ type: A
+ - name: restricted.googleapis.com.
+ rrdatas:
+ - "2600:2d00:2:1000::"
+ ttl: null
+ type: AAAA
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: googleapis-restricted
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["gstatic-all"]:
+ behavior: null
+ dns_name: "*.gstatic.com."
+ local_data:
+ - local_datas:
+ - name: "*.gstatic.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: gstatic-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["kernels-gu"]:
+ behavior: null
+ dns_name: kernels.googleusercontent.com.
+ local_data:
+ - local_datas:
+ - name: kernels.googleusercontent.com.
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: kernels-gu
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["kernels-gu-all"]:
+ behavior: null
+ dns_name: "*.kernels.googleusercontent.com."
+ local_data:
+ - local_datas:
+ - name: "*.kernels.googleusercontent.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: kernels-gu-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["ltsapis-all"]:
+ behavior: null
+ dns_name: "*.ltsapis.goog."
+ local_data:
+ - local_datas:
+ - name: "*.ltsapis.goog."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: ltsapis-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["notebooks"]:
+ behavior: null
+ dns_name: notebooks.cloud.google.com.
+ local_data:
+ - local_datas:
+ - name: notebooks.cloud.google.com.
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: notebooks
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["notebooks-all"]:
+ behavior: null
+ dns_name: "*.notebooks.cloud.google.com."
+ local_data:
+ - local_datas:
+ - name: "*.notebooks.cloud.google.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: notebooks-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["notebooks-gu-all"]:
+ behavior: null
+ dns_name: "*.notebooks.googleusercontent.com."
+ local_data:
+ - local_datas:
+ - name: "*.notebooks.googleusercontent.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: notebooks-gu-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["packages-cloud"]:
+ behavior: null
+ dns_name: packages.cloud.google.com.
+ local_data:
+ - local_datas:
+ - name: packages.cloud.google.com.
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: packages-cloud
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["packages-cloud-all"]:
+ behavior: null
+ dns_name: "*.packages.cloud.google.com."
+ local_data:
+ - local_datas:
+ - name: "*.packages.cloud.google.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: packages-cloud-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["pkgdev"]:
+ behavior: null
+ dns_name: pkg.dev.
+ local_data:
+ - local_datas:
+ - name: pkg.dev.
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: pkgdev
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["pkgdev-all"]:
+ behavior: null
+ dns_name: "*.pkg.dev."
+ local_data:
+ - local_datas:
+ - name: "*.pkg.dev."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: pkgdev-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["pkigoog"]:
+ behavior: null
+ dns_name: pki.goog.
+ local_data:
+ - local_datas:
+ - name: pki.goog.
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: pkigoog
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["pkigoog-all"]:
+ behavior: null
+ dns_name: "*.pki.goog."
+ local_data:
+ - local_datas:
+ - name: "*.pki.goog."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: pkigoog-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["run-all"]:
+ behavior: null
+ dns_name: "*.run.app."
+ local_data:
+ - local_datas:
+ - name: "*.run.app."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: run-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["source"]:
+ behavior: null
+ dns_name: source.developers.google.com.
+ local_data:
+ - local_datas:
+ - name: source.developers.google.com.
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: source
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["storage"]:
+ behavior: null
+ dns_name: storage.cloud.google.com.
+ local_data:
+ - local_datas:
+ - name: storage.cloud.google.com.
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: storage
+ timeouts: null
+ module.dns-zones["net-core-0/fwd-root"].google_dns_managed_zone.dns_managed_zone[0]:
+ cloud_logging_config:
+ - enable_logging: false
+ description: Terraform-managed.
+ dns_name: onprem.
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ force_destroy: false
+ forwarding_config:
+ - target_name_servers:
+ - domain_name: ""
+ forwarding_path: default
+ ipv4_address: 1.1.1.1
+ - domain_name: ""
+ forwarding_path: default
+ ipv4_address: 8.8.8.8
+ labels: null
+ name: net-core-0-fwd-root
+ peering_config: []
+ private_visibility_config:
+ - gke_clusters: []
+ networks:
+ - {}
+ project: fast-prod-net-core-0
+ reverse_lookup: false
+ service_directory_config: []
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ visibility: private
+ module.dns-zones["net-core-0/peer-root"].google_dns_managed_zone.dns_managed_zone[0]:
+ cloud_logging_config:
+ - enable_logging: false
+ description: Terraform-managed.
+ dns_name: .
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ force_destroy: false
+ forwarding_config: []
+ labels: null
+ name: net-core-0-peer-root
+ peering_config:
+ - target_network:
+ - {}
+ private_visibility_config:
+ - gke_clusters: []
+ networks:
+ - {}
+ - {}
+ project: fast-prod-net-core-0
+ reverse_lookup: false
+ service_directory_config: []
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ visibility: private
+ module.dns-zones["net-core-0/pvt-test"].google_dns_managed_zone.dns_managed_zone[0]:
+ cloud_logging_config:
+ - enable_logging: false
+ description: Terraform-managed.
+ dns_name: test.
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ force_destroy: false
+ forwarding_config: []
+ labels: null
+ name: net-core-0-pvt-test
+ peering_config: []
+ private_visibility_config:
+ - gke_clusters: []
+ networks:
+ - {}
+ project: fast-prod-net-core-0
+ reverse_lookup: false
+ service_directory_config: []
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ visibility: private
+ module.dns-zones["net-core-0/pvt-test"].google_dns_record_set.dns_record_set["A localhost"]:
+ managed_zone: net-core-0-pvt-test
+ name: localhost.test.
+ project: fast-prod-net-core-0
+ routing_policy: []
+ rrdatas:
+ - 127.0.0.1
+ ttl: 300
+ type: A
+ module.dns-zones["net-dev-0/pvt-dev-test"].google_dns_managed_zone.dns_managed_zone[0]:
+ cloud_logging_config:
+ - enable_logging: false
+ description: Terraform-managed.
+ dns_name: dev.test.
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ force_destroy: false
+ forwarding_config: []
+ labels: null
+ name: net-dev-0-pvt-dev-test
+ peering_config: []
+ private_visibility_config:
+ - gke_clusters: []
+ networks:
+ - {}
+ - {}
+ project: fast-dev-net-dev-0
+ reverse_lookup: false
+ service_directory_config: []
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ visibility: private
+ module.dns-zones["net-dev-0/pvt-dev-test"].google_dns_record_set.dns_record_set["A localhost"]:
+ managed_zone: net-dev-0-pvt-dev-test
+ name: localhost.dev.test.
+ project: fast-dev-net-dev-0
+ routing_policy: []
+ rrdatas:
+ - 127.0.0.1
+ ttl: 300
+ type: A
+ module.dns-zones["net-prod-0/pvt-prod-test"].google_dns_managed_zone.dns_managed_zone[0]:
+ cloud_logging_config:
+ - enable_logging: false
+ description: Terraform-managed.
+ dns_name: prod.test.
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ force_destroy: false
+ forwarding_config: []
+ labels: null
+ name: net-prod-0-pvt-prod-test
+ peering_config: []
+ private_visibility_config:
+ - gke_clusters: []
+ networks:
+ - {}
+ - {}
+ project: fast-prod-net-prod-0
+ reverse_lookup: false
+ service_directory_config: []
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ visibility: private
+ module.dns-zones["net-prod-0/pvt-prod-test"].google_dns_record_set.dns_record_set["A localhost"]:
+ managed_zone: net-prod-0-pvt-prod-test
+ name: localhost.prod.test.
+ project: fast-prod-net-prod-0
+ routing_policy: []
+ rrdatas:
+ - 127.0.0.1
+ ttl: 300
+ type: A
+ module.firewall["dev"].google_compute_firewall.custom-rules["ingress-default-dev-deny"]:
+ allow: []
+ deny:
+ - ports: []
+ protocol: all
+ description: Deny and log any unmatched ingress traffic.
+ direction: INGRESS
+ disabled: false
+ log_config:
+ - metadata: EXCLUDE_ALL_METADATA
+ name: ingress-default-dev-deny
+ network: dev
+ priority: 65535
+ project: fast-dev-net-dev-0
+ source_ranges:
+ - 0.0.0.0/0
+ source_service_accounts: null
+ source_tags: null
+ target_service_accounts: null
+ target_tags: null
+ timeouts: null
+ module.firewall["prod"].google_compute_firewall.custom-rules["ingress-default-prod-deny"]:
+ allow: []
+ deny:
+ - ports: []
+ protocol: all
+ description: Deny and log any unmatched ingress traffic.
+ direction: INGRESS
+ disabled: false
+ log_config:
+ - metadata: EXCLUDE_ALL_METADATA
+ name: ingress-default-prod-deny
+ network: prod
+ priority: 65535
+ project: fast-prod-net-prod-0
+ source_ranges:
+ - 0.0.0.0/0
+ source_service_accounts: null
+ source_tags: null
+ target_service_accounts: null
+ target_tags: null
+ timeouts: null
+ module.firewall_policies["network-policy"].google_compute_firewall_policy.hierarchical[0]:
+ description: null
+ parent: folders/12345678
+ short_name: network-policy
+ timeouts: null
+ module.firewall_policies["network-policy"].google_compute_firewall_policy_association.hierarchical["networking"]:
+ attachment_target: folders/12345678
+ name: network-policy-networking
+ timeouts: null
+ module.firewall_policies["network-policy"].google_compute_firewall_policy_rule.hierarchical["egress/deny-example-ip"]:
+ action: deny
+ description: Allow internal traffic within the VPC
+ direction: EGRESS
+ disabled: false
+ enable_logging: null
+ match:
+ - dest_address_groups: null
+ dest_fqdns: null
+ dest_ip_ranges:
+ - 1.2.3.4/32
+ dest_region_codes: null
+ dest_threat_intelligences: null
+ layer4_configs:
+ - ip_protocol: all
+ ports: null
+ src_address_groups: null
+ src_fqdns: null
+ src_ip_ranges: null
+ src_region_codes: null
+ src_secure_tags: []
+ src_threat_intelligences: null
+ priority: 2000
+ security_profile_group: null
+ target_resources: null
+ target_secure_tags: []
+ target_service_accounts: null
+ timeouts: null
+ tls_inspect: null
+ module.firewall_policies["network-policy"].google_compute_firewall_policy_rule.hierarchical["ingress/allow-healthchecks"]:
+ action: allow
+ description: Enable SSH, HTTP and HTTPS healthchecks
+ direction: INGRESS
+ disabled: false
+ enable_logging: null
+ match:
+ - dest_address_groups: null
+ dest_fqdns: null
+ dest_ip_ranges: null
+ dest_region_codes: null
+ dest_threat_intelligences: null
+ layer4_configs:
+ - ip_protocol: tcp
+ ports:
+ - "22"
+ - "80"
+ - "443"
+ src_address_groups: null
+ src_fqdns: null
+ src_ip_ranges:
+ - 35.191.0.0/16
+ - 130.211.0.0/22
+ - 209.85.152.0/22
+ - 209.85.204.0/22
+ src_region_codes: null
+ src_secure_tags: []
+ src_threat_intelligences: null
+ priority: 1001
+ security_profile_group: null
+ target_resources: null
+ target_secure_tags: []
+ target_service_accounts: null
+ timeouts: null
+ tls_inspect: null
+ module.firewall_policies["network-policy"].google_compute_firewall_policy_rule.hierarchical["ingress/allow-icmp"]:
+ action: allow
+ description: Enable ICMP
+ direction: INGRESS
+ disabled: false
+ enable_logging: null
+ match:
+ - dest_address_groups: null
+ dest_fqdns: null
+ dest_ip_ranges: null
+ dest_region_codes: null
+ dest_threat_intelligences: null
+ layer4_configs:
+ - ip_protocol: icmp
+ ports: null
+ src_address_groups: null
+ src_fqdns: null
+ src_ip_ranges:
+ - 0.0.0.0/0
+ src_region_codes: null
+ src_secure_tags: []
+ src_threat_intelligences: null
+ priority: 1003
+ security_profile_group: null
+ target_resources: null
+ target_secure_tags: []
+ target_service_accounts: null
+ timeouts: null
+ tls_inspect: null
+ module.firewall_policies["network-policy"].google_compute_firewall_policy_rule.hierarchical["ingress/allow-nat-ranges"]:
+ action: allow
+ description: Enable NAT ranges for VPC serverless connector
+ direction: INGRESS
+ disabled: false
+ enable_logging: null
+ match:
+ - dest_address_groups: null
+ dest_fqdns: null
+ dest_ip_ranges: null
+ dest_region_codes: null
+ dest_threat_intelligences: null
+ layer4_configs:
+ - ip_protocol: all
+ ports: null
+ src_address_groups: null
+ src_fqdns: null
+ src_ip_ranges:
+ - 107.178.230.64/26
+ - 35.199.224.0/19
+ src_region_codes: null
+ src_secure_tags: []
+ src_threat_intelligences: null
+ priority: 1004
+ security_profile_group: null
+ target_resources: null
+ target_secure_tags: []
+ target_service_accounts: null
+ timeouts: null
+ tls_inspect: null
+ module.firewall_policies["network-policy"].google_compute_firewall_policy_rule.hierarchical["ingress/allow-ssh-from-iap"]:
+ action: allow
+ description: Enable SSH from IAP
+ direction: INGRESS
+ disabled: false
+ enable_logging: true
+ match:
+ - dest_address_groups: null
+ dest_fqdns: null
+ dest_ip_ranges: null
+ dest_region_codes: null
+ dest_threat_intelligences: null
+ layer4_configs:
+ - ip_protocol: tcp
+ ports:
+ - "22"
+ src_address_groups: null
+ src_fqdns: null
+ src_ip_ranges:
+ - 35.235.240.0/20
+ src_region_codes: null
+ src_secure_tags: []
+ src_threat_intelligences: null
+ priority: 1002
+ security_profile_group: null
+ target_resources: null
+ target_secure_tags: []
+ target_service_accounts: null
+ timeouts: null
+ tls_inspect: null
+ module.nat["dev/nat-primary"].google_compute_router.router[0]:
+ bgp: []
+ description: null
+ encrypted_interconnect_router: null
+ md5_authentication_keys: []
+ name: dev-nat-primary-nat
+ project: fast-dev-net-dev-0
+ region: europe-west8
+ timeouts: null
+ module.nat["dev/nat-primary"].google_compute_router_nat.nat:
+ enable_dynamic_port_allocation: false
+ enable_endpoint_independent_mapping: true
+ icmp_idle_timeout_sec: 30
+ initial_nat_ips: null
+ log_config:
+ - enable: false
+ filter: ALL
+ max_ports_per_vm: 65536
+ name: dev-nat-primary
+ nat64_subnetwork: []
+ nat_ip_allocate_option: AUTO_ONLY
+ project: fast-dev-net-dev-0
+ region: europe-west8
+ router: dev-nat-primary-nat
+ rules: []
+ source_subnetwork_ip_ranges_to_nat: ALL_SUBNETWORKS_ALL_IP_RANGES
+ source_subnetwork_ip_ranges_to_nat64: null
+ subnetwork: []
+ tcp_established_idle_timeout_sec: 1200
+ tcp_time_wait_timeout_sec: 120
+ tcp_transitory_idle_timeout_sec: 30
+ timeouts: null
+ type: PUBLIC
+ udp_idle_timeout_sec: 30
+ module.nat["prod/nat-primary"].google_compute_router.router[0]:
+ bgp: []
+ description: null
+ encrypted_interconnect_router: null
+ md5_authentication_keys: []
+ name: prod-nat-primary-nat
+ project: fast-prod-net-prod-0
+ region: europe-west8
+ timeouts: null
+ module.nat["prod/nat-primary"].google_compute_router_nat.nat:
+ enable_dynamic_port_allocation: false
+ enable_endpoint_independent_mapping: true
+ icmp_idle_timeout_sec: 30
+ initial_nat_ips: null
+ log_config:
+ - enable: false
+ filter: ALL
+ max_ports_per_vm: 65536
+ name: prod-nat-primary
+ nat64_subnetwork: []
+ nat_ip_allocate_option: AUTO_ONLY
+ project: fast-prod-net-prod-0
+ region: europe-west8
+ router: prod-nat-primary-nat
+ rules: []
+ source_subnetwork_ip_ranges_to_nat: ALL_SUBNETWORKS_ALL_IP_RANGES
+ source_subnetwork_ip_ranges_to_nat64: null
+ subnetwork: []
+ tcp_established_idle_timeout_sec: 1200
+ tcp_time_wait_timeout_sec: 120
+ tcp_transitory_idle_timeout_sec: 30
+ timeouts: null
+ type: PUBLIC
+ udp_idle_timeout_sec: 30
+ module.projects.module.projects-iam["net-core-0"].google_compute_shared_vpc_host_project.shared_vpc_host[0]:
+ project: fast-prod-net-core-0
+ timeouts: null
+ module.projects.module.projects-iam["net-dev-0"].google_compute_shared_vpc_host_project.shared_vpc_host[0]:
+ project: fast-dev-net-dev-0
+ timeouts: null
+ module.projects.module.projects-iam["net-prod-0"].google_compute_shared_vpc_host_project.shared_vpc_host[0]:
+ project: fast-prod-net-prod-0
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project.project[0]:
+ auto_create_network: false
+ billing_account: 000000-111111-222222
+ deletion_policy: DELETE
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ folder_id: "12345678"
+ labels: null
+ name: fast-prod-net-core-0
+ org_id: null
+ project_id: fast-prod-net-core-0
+ tags: null
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_iam_member.service_agents["compute-system"]:
+ condition: []
+ project: fast-prod-net-core-0
+ role: roles/compute.serviceAgent
+ module.projects.module.projects["net-core-0"].google_project_iam_member.service_agents["container-engine-robot"]:
+ condition: []
+ project: fast-prod-net-core-0
+ role: roles/container.serviceAgent
+ module.projects.module.projects["net-core-0"].google_project_iam_member.service_agents["dns"]:
+ condition: []
+ project: fast-prod-net-core-0
+ role: roles/dns.serviceAgent
+ module.projects.module.projects["net-core-0"].google_project_iam_member.service_agents["gkenode"]:
+ condition: []
+ project: fast-prod-net-core-0
+ role: roles/container.defaultNodeServiceAgent
+ module.projects.module.projects["net-core-0"].google_project_iam_member.service_agents["networkmanagement"]:
+ condition: []
+ project: fast-prod-net-core-0
+ role: roles/networkmanagement.serviceAgent
+ module.projects.module.projects["net-core-0"].google_project_iam_member.service_agents["service-networking"]:
+ condition: []
+ project: fast-prod-net-core-0
+ role: roles/servicenetworking.serviceAgent
+ module.projects.module.projects["net-core-0"].google_project_iam_member.service_agents["vpcaccess"]:
+ condition: []
+ project: fast-prod-net-core-0
+ role: roles/vpcaccess.serviceAgent
+ module.projects.module.projects["net-core-0"].google_project_service.project_services["compute.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-core-0
+ service: compute.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_service.project_services["container.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-core-0
+ service: container.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_service.project_services["dns.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-core-0
+ service: dns.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_service.project_services["iap.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-core-0
+ service: iap.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_service.project_services["networkmanagement.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-core-0
+ service: networkmanagement.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_service.project_services["networksecurity.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-core-0
+ service: networksecurity.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_service.project_services["servicenetworking.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-core-0
+ service: servicenetworking.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_service.project_services["stackdriver.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-core-0
+ service: stackdriver.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_service.project_services["vpcaccess.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-core-0
+ service: vpcaccess.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_service_identity.default["container.googleapis.com"]:
+ project: fast-prod-net-core-0
+ service: container.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_service_identity.default["dns.googleapis.com"]:
+ project: fast-prod-net-core-0
+ service: dns.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_service_identity.default["iap.googleapis.com"]:
+ project: fast-prod-net-core-0
+ service: iap.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_service_identity.default["networkmanagement.googleapis.com"]:
+ project: fast-prod-net-core-0
+ service: networkmanagement.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_service_identity.default["networksecurity.googleapis.com"]:
+ project: fast-prod-net-core-0
+ service: networksecurity.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_service_identity.default["servicenetworking.googleapis.com"]:
+ project: fast-prod-net-core-0
+ service: servicenetworking.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_service_identity.default["vpcaccess.googleapis.com"]:
+ project: fast-prod-net-core-0
+ service: vpcaccess.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project.project[0]:
+ auto_create_network: false
+ billing_account: 000000-111111-222222
+ deletion_policy: DELETE
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ folder_id: "34567890"
+ labels: null
+ name: fast-dev-net-dev-0
+ org_id: null
+ project_id: fast-dev-net-dev-0
+ tags: null
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_iam_member.service_agents["compute-system"]:
+ condition: []
+ project: fast-dev-net-dev-0
+ role: roles/compute.serviceAgent
+ module.projects.module.projects["net-dev-0"].google_project_iam_member.service_agents["container-engine-robot"]:
+ condition: []
+ project: fast-dev-net-dev-0
+ role: roles/container.serviceAgent
+ module.projects.module.projects["net-dev-0"].google_project_iam_member.service_agents["dns"]:
+ condition: []
+ project: fast-dev-net-dev-0
+ role: roles/dns.serviceAgent
+ module.projects.module.projects["net-dev-0"].google_project_iam_member.service_agents["gkenode"]:
+ condition: []
+ project: fast-dev-net-dev-0
+ role: roles/container.defaultNodeServiceAgent
+ module.projects.module.projects["net-dev-0"].google_project_iam_member.service_agents["networkmanagement"]:
+ condition: []
+ project: fast-dev-net-dev-0
+ role: roles/networkmanagement.serviceAgent
+ module.projects.module.projects["net-dev-0"].google_project_iam_member.service_agents["service-networking"]:
+ condition: []
+ project: fast-dev-net-dev-0
+ role: roles/servicenetworking.serviceAgent
+ module.projects.module.projects["net-dev-0"].google_project_iam_member.service_agents["vpcaccess"]:
+ condition: []
+ project: fast-dev-net-dev-0
+ role: roles/vpcaccess.serviceAgent
+ module.projects.module.projects["net-dev-0"].google_project_service.project_services["compute.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-dev-net-dev-0
+ service: compute.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_service.project_services["container.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-dev-net-dev-0
+ service: container.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_service.project_services["dns.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-dev-net-dev-0
+ service: dns.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_service.project_services["iap.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-dev-net-dev-0
+ service: iap.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_service.project_services["networkmanagement.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-dev-net-dev-0
+ service: networkmanagement.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_service.project_services["networksecurity.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-dev-net-dev-0
+ service: networksecurity.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_service.project_services["servicenetworking.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-dev-net-dev-0
+ service: servicenetworking.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_service.project_services["stackdriver.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-dev-net-dev-0
+ service: stackdriver.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_service.project_services["vpcaccess.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-dev-net-dev-0
+ service: vpcaccess.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_service_identity.default["container.googleapis.com"]:
+ project: fast-dev-net-dev-0
+ service: container.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_service_identity.default["dns.googleapis.com"]:
+ project: fast-dev-net-dev-0
+ service: dns.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_service_identity.default["iap.googleapis.com"]:
+ project: fast-dev-net-dev-0
+ service: iap.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_service_identity.default["networkmanagement.googleapis.com"]:
+ project: fast-dev-net-dev-0
+ service: networkmanagement.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_service_identity.default["networksecurity.googleapis.com"]:
+ project: fast-dev-net-dev-0
+ service: networksecurity.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_service_identity.default["servicenetworking.googleapis.com"]:
+ project: fast-dev-net-dev-0
+ service: servicenetworking.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_service_identity.default["vpcaccess.googleapis.com"]:
+ project: fast-dev-net-dev-0
+ service: vpcaccess.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project.project[0]:
+ auto_create_network: false
+ billing_account: 000000-111111-222222
+ deletion_policy: DELETE
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ folder_id: "23456789"
+ labels: null
+ name: fast-prod-net-prod-0
+ org_id: null
+ project_id: fast-prod-net-prod-0
+ tags: null
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_iam_member.service_agents["compute-system"]:
+ condition: []
+ project: fast-prod-net-prod-0
+ role: roles/compute.serviceAgent
+ module.projects.module.projects["net-prod-0"].google_project_iam_member.service_agents["container-engine-robot"]:
+ condition: []
+ project: fast-prod-net-prod-0
+ role: roles/container.serviceAgent
+ module.projects.module.projects["net-prod-0"].google_project_iam_member.service_agents["dns"]:
+ condition: []
+ project: fast-prod-net-prod-0
+ role: roles/dns.serviceAgent
+ module.projects.module.projects["net-prod-0"].google_project_iam_member.service_agents["gkenode"]:
+ condition: []
+ project: fast-prod-net-prod-0
+ role: roles/container.defaultNodeServiceAgent
+ module.projects.module.projects["net-prod-0"].google_project_iam_member.service_agents["networkmanagement"]:
+ condition: []
+ project: fast-prod-net-prod-0
+ role: roles/networkmanagement.serviceAgent
+ module.projects.module.projects["net-prod-0"].google_project_iam_member.service_agents["service-networking"]:
+ condition: []
+ project: fast-prod-net-prod-0
+ role: roles/servicenetworking.serviceAgent
+ module.projects.module.projects["net-prod-0"].google_project_iam_member.service_agents["vpcaccess"]:
+ condition: []
+ project: fast-prod-net-prod-0
+ role: roles/vpcaccess.serviceAgent
+ module.projects.module.projects["net-prod-0"].google_project_service.project_services["compute.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-prod-0
+ service: compute.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_service.project_services["container.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-prod-0
+ service: container.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_service.project_services["dns.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-prod-0
+ service: dns.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_service.project_services["iap.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-prod-0
+ service: iap.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_service.project_services["networkmanagement.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-prod-0
+ service: networkmanagement.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_service.project_services["networksecurity.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-prod-0
+ service: networksecurity.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_service.project_services["servicenetworking.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-prod-0
+ service: servicenetworking.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_service.project_services["stackdriver.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-prod-0
+ service: stackdriver.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_service.project_services["vpcaccess.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-prod-0
+ service: vpcaccess.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_service_identity.default["container.googleapis.com"]:
+ project: fast-prod-net-prod-0
+ service: container.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_service_identity.default["dns.googleapis.com"]:
+ project: fast-prod-net-prod-0
+ service: dns.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_service_identity.default["iap.googleapis.com"]:
+ project: fast-prod-net-prod-0
+ service: iap.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_service_identity.default["networkmanagement.googleapis.com"]:
+ project: fast-prod-net-prod-0
+ service: networkmanagement.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_service_identity.default["networksecurity.googleapis.com"]:
+ project: fast-prod-net-prod-0
+ service: networksecurity.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_service_identity.default["servicenetworking.googleapis.com"]:
+ project: fast-prod-net-prod-0
+ service: servicenetworking.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_service_identity.default["vpcaccess.googleapis.com"]:
+ project: fast-prod-net-prod-0
+ service: vpcaccess.googleapis.com
+ timeouts: null
+ module.projects.terraform_data.defaults_preconditions:
+ input: null
+ output: null
+ triggers_replace: null
+ module.vpc_routes["hub"].google_compute_route.gateway["gateway"]:
+ description: Terraform-managed.
+ dest_range: 8.8.8.8/32
+ name: hub-gateway
+ network: hub
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 100
+ project: fast-prod-net-core-0
+ tags: null
+ timeouts: null
+ module.vpcs["dev"].google_compute_network.network[0]:
+ auto_create_subnetworks: false
+ delete_default_routes_on_create: false
+ description: Terraform managed
+ enable_ula_internal_ipv6: null
+ mtu: 1500
+ name: dev
+ network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
+ network_profile: null
+ project: fast-dev-net-dev-0
+ routing_mode: GLOBAL
+ timeouts: null
+ module.vpcs["dev"].google_compute_route.gateway["directpath-googleapis"]:
+ description: Terraform-managed.
+ dest_range: 34.126.0.0/18
+ name: dev-directpath-googleapis
+ network: dev
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 1000
+ project: fast-dev-net-dev-0
+ tags: null
+ timeouts: null
+ module.vpcs["dev"].google_compute_route.gateway["private-googleapis"]:
+ description: Terraform-managed.
+ dest_range: 199.36.153.8/30
+ name: dev-private-googleapis
+ network: dev
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 1000
+ project: fast-dev-net-dev-0
+ tags: null
+ timeouts: null
+ module.vpcs["dev"].google_compute_route.gateway["restricted-googleapis"]:
+ description: Terraform-managed.
+ dest_range: 199.36.153.4/30
+ name: dev-restricted-googleapis
+ network: dev
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 1000
+ project: fast-dev-net-dev-0
+ tags: null
+ timeouts: null
+ module.vpcs["dev"].google_compute_subnetwork.subnetwork["europe-west8/dev-dataplatform"]:
+ description: Default subnet for dev Data Platform
+ ip_cidr_range: 10.68.2.0/24
+ ip_collection: null
+ ipv6_access_type: null
+ log_config: []
+ name: dev-dataplatform
+ network: dev
+ private_ip_google_access: true
+ project: fast-dev-net-dev-0
+ region: europe-west8
+ reserved_internal_range: null
+ role: null
+ secondary_ip_range:
+ - ip_cidr_range: 100.69.0.0/16
+ range_name: pods
+ reserved_internal_range: null
+ - ip_cidr_range: 100.71.2.0/24
+ range_name: services
+ reserved_internal_range: null
+ send_secondary_ip_range_if_empty: true
+ timeouts: null
+ module.vpcs["dev"].google_compute_subnetwork.subnetwork["europe-west8/dev-default"]:
+ description: Default primary-region subnet for dev
+ ip_cidr_range: 10.68.0.0/24
+ ip_collection: null
+ ipv6_access_type: null
+ log_config: []
+ name: dev-default
+ network: dev
+ private_ip_google_access: true
+ project: fast-dev-net-dev-0
+ region: europe-west8
+ reserved_internal_range: null
+ role: null
+ send_secondary_ip_range_if_empty: true
+ timeouts: null
+ module.vpcs["dev"].google_compute_subnetwork.subnetwork["europe-west8/dev-gke-nodes"]:
+ description: Default subnet for prod gke nodes
+ ip_cidr_range: 10.68.1.0/24
+ ip_collection: null
+ ipv6_access_type: null
+ log_config: []
+ name: dev-gke-nodes
+ network: dev
+ private_ip_google_access: true
+ project: fast-dev-net-dev-0
+ region: europe-west8
+ reserved_internal_range: null
+ role: null
+ secondary_ip_range:
+ - ip_cidr_range: 100.68.0.0/16
+ range_name: pods
+ reserved_internal_range: null
+ - ip_cidr_range: 100.71.1.0/24
+ range_name: services
+ reserved_internal_range: null
+ send_secondary_ip_range_if_empty: true
+ timeouts: null
+ module.vpcs["dev"].google_dns_policy.default[0]:
+ alternative_name_server_config: []
+ description: Managed by Terraform
+ enable_inbound_forwarding: null
+ enable_logging: null
+ name: dev
+ networks:
+ - {}
+ project: fast-dev-net-dev-0
+ timeouts: null
+ module.vpcs["hub"].google_compute_network.network[0]:
+ auto_create_subnetworks: false
+ delete_default_routes_on_create: false
+ description: Terraform managed
+ enable_ula_internal_ipv6: null
+ mtu: 1500
+ name: hub
+ network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
+ network_profile: null
+ project: fast-prod-net-core-0
+ routing_mode: GLOBAL
+ timeouts: null
+ module.vpcs["hub"].google_compute_route.gateway["directpath-googleapis"]:
+ description: Terraform-managed.
+ dest_range: 34.126.0.0/18
+ name: hub-directpath-googleapis
+ network: hub
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 1000
+ project: fast-prod-net-core-0
+ tags: null
+ timeouts: null
+ module.vpcs["hub"].google_compute_route.gateway["private-googleapis"]:
+ description: Terraform-managed.
+ dest_range: 199.36.153.8/30
+ name: hub-private-googleapis
+ network: hub
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 1000
+ project: fast-prod-net-core-0
+ tags: null
+ timeouts: null
+ module.vpcs["hub"].google_compute_route.gateway["restricted-googleapis"]:
+ description: Terraform-managed.
+ dest_range: 199.36.153.4/30
+ name: hub-restricted-googleapis
+ network: hub
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 1000
+ project: fast-prod-net-core-0
+ tags: null
+ timeouts: null
+ module.vpcs["hub"].google_compute_subnetwork.subnetwork["europe-west8/hub-default"]:
+ description: Default primary-region subnet for hub
+ ip_cidr_range: 10.64.255.0/24
+ ip_collection: null
+ ipv6_access_type: null
+ log_config: []
+ name: hub-default
+ network: hub
+ private_ip_google_access: true
+ project: fast-prod-net-core-0
+ region: europe-west8
+ reserved_internal_range: null
+ role: null
+ send_secondary_ip_range_if_empty: true
+ timeouts: null
+ module.vpcs["hub"].google_dns_policy.default[0]:
+ alternative_name_server_config: []
+ description: Managed by Terraform
+ enable_inbound_forwarding: null
+ enable_logging: null
+ name: hub
+ networks:
+ - {}
+ project: fast-prod-net-core-0
+ timeouts: null
+ module.vpcs["prod"].google_compute_global_address.psa_ranges["servicenetworking-googleapis-com-psa"]:
+ address: 10.72.224.0
+ address_type: INTERNAL
+ description: null
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ ip_version: null
+ labels: null
+ name: servicenetworking-googleapis-com-psa
+ prefix_length: 24
+ project: fast-prod-net-prod-0
+ purpose: VPC_PEERING
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ module.vpcs["prod"].google_compute_network.network[0]:
+ auto_create_subnetworks: false
+ delete_default_routes_on_create: false
+ description: Terraform managed
+ enable_ula_internal_ipv6: null
+ mtu: 1500
+ name: prod
+ network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
+ network_profile: null
+ project: fast-prod-net-prod-0
+ routing_mode: GLOBAL
+ timeouts: null
+ module.vpcs["prod"].google_compute_network_peering_routes_config.psa_routes["servicenetworking.googleapis.com"]:
+ export_custom_routes: true
+ import_custom_routes: true
+ network: prod
+ project: fast-prod-net-prod-0
+ timeouts: null
+ module.vpcs["prod"].google_compute_route.gateway["directpath-googleapis"]:
+ description: Terraform-managed.
+ dest_range: 34.126.0.0/18
+ name: prod-directpath-googleapis
+ network: prod
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 1000
+ project: fast-prod-net-prod-0
+ tags: null
+ timeouts: null
+ module.vpcs["prod"].google_compute_route.gateway["private-googleapis"]:
+ description: Terraform-managed.
+ dest_range: 199.36.153.8/30
+ name: prod-private-googleapis
+ network: prod
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 1000
+ project: fast-prod-net-prod-0
+ tags: null
+ timeouts: null
+ module.vpcs["prod"].google_compute_route.gateway["restricted-googleapis"]:
+ description: Terraform-managed.
+ dest_range: 199.36.153.4/30
+ name: prod-restricted-googleapis
+ network: prod
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 1000
+ project: fast-prod-net-prod-0
+ tags: null
+ timeouts: null
+ module.vpcs["prod"].google_compute_subnetwork.proxy_only["europe-west8/primary-region-proxy-only"]:
+ description:
+ Terraform-managed proxy-only subnet for Regional HTTPS, Internal
+ HTTPS or Cross-Regional HTTPS Internal LB.
+ ip_cidr_range: 10.72.240.0/24
+ ip_collection: null
+ ipv6_access_type: null
+ log_config: []
+ name: primary-region-proxy-only
+ network: prod
+ project: fast-prod-net-prod-0
+ purpose: REGIONAL_MANAGED_PROXY
+ region: europe-west8
+ reserved_internal_range: null
+ role: ACTIVE
+ send_secondary_ip_range_if_empty: null
+ timeouts: null
+ module.vpcs["prod"].google_compute_subnetwork.subnetwork["europe-west8/prod-default"]:
+ description: Default primary-region subnet for prod
+ ip_cidr_range: 10.72.0.0/24
+ ip_collection: null
+ ipv6_access_type: null
+ log_config: []
+ name: prod-default
+ network: prod
+ private_ip_google_access: true
+ project: fast-prod-net-prod-0
+ region: europe-west8
+ reserved_internal_range: null
+ role: null
+ send_secondary_ip_range_if_empty: true
+ timeouts: null
+ module.vpcs["prod"].google_dns_policy.default[0]:
+ alternative_name_server_config: []
+ description: Managed by Terraform
+ enable_inbound_forwarding: null
+ enable_logging: null
+ name: prod
+ networks:
+ - {}
+ project: fast-prod-net-prod-0
+ timeouts: null
+ module.vpcs["prod"].google_service_networking_connection.psa_connection["servicenetworking.googleapis.com"]:
+ deletion_policy: null
+ reserved_peering_ranges:
+ - servicenetworking-googleapis-com-psa
+ service: servicenetworking.googleapis.com
+ timeouts: null
+ update_on_creation_fail: null
+ module.vpcs["prod"].google_service_networking_peered_dns_domain.name["servicenetworking-googleapis-com-test"]:
+ dns_suffix: test.
+ name: servicenetworking-googleapis-com-test
+ network: prod
+ project: fast-prod-net-prod-0
+ service: servicenetworking.googleapis.com
+ timeouts: null
+ module.vpn-ha["hub/to-onprem"].google_compute_external_vpn_gateway.external_gateway["default"]:
+ description: Terraform managed external VPN gateway
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ interface:
+ - id: 0
+ ip_address: 8.8.8.8
+ ipv6_address: null
+ labels: null
+ name: hub-to-onprem-default
+ project: fast-prod-net-core-0
+ redundancy_type: SINGLE_IP_INTERNALLY_REDUNDANT
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ module.vpn-ha["hub/to-onprem"].google_compute_router_interface.router_interface["remote-0"]:
+ interconnect_attachment: null
+ ip_range: 169.254.128.2/30
+ name: hub-to-onprem-remote-0
+ private_ip_address: null
+ project: fast-prod-net-core-0
+ region: europe-west8
+ router: hub-vpn-router
+ subnetwork: null
+ timeouts: null
+ vpn_tunnel: hub-to-onprem-remote-0
+ module.vpn-ha["hub/to-onprem"].google_compute_router_interface.router_interface["remote-1"]:
+ interconnect_attachment: null
+ ip_range: 169.254.128.6/30
+ name: hub-to-onprem-remote-1
+ private_ip_address: null
+ project: fast-prod-net-core-0
+ region: europe-west8
+ router: hub-vpn-router
+ subnetwork: null
+ timeouts: null
+ vpn_tunnel: hub-to-onprem-remote-1
+ module.vpn-ha["hub/to-onprem"].google_compute_router_peer.bgp_peer["remote-0"]:
+ advertise_mode: DEFAULT
+ advertised_groups: []
+ advertised_ip_ranges: []
+ advertised_route_priority: 1000
+ custom_learned_ip_ranges: []
+ custom_learned_route_priority: null
+ enable: true
+ enable_ipv6: false
+ export_policies: null
+ import_policies: null
+ interface: hub-to-onprem-remote-0
+ md5_authentication_key: []
+ name: hub-to-onprem-remote-0
+ peer_asn: 64513
+ peer_ip_address: 169.254.128.1
+ project: fast-prod-net-core-0
+ region: europe-west8
+ router: hub-vpn-router
+ router_appliance_instance: null
+ timeouts: null
+ zero_advertised_route_priority: null
+ zero_custom_learned_route_priority: false
+ module.vpn-ha["hub/to-onprem"].google_compute_router_peer.bgp_peer["remote-1"]:
+ advertise_mode: DEFAULT
+ advertised_groups: []
+ advertised_ip_ranges: []
+ advertised_route_priority: 1000
+ custom_learned_ip_ranges: []
+ custom_learned_route_priority: null
+ enable: true
+ enable_ipv6: false
+ export_policies: null
+ import_policies: null
+ interface: hub-to-onprem-remote-1
+ md5_authentication_key: []
+ name: hub-to-onprem-remote-1
+ peer_asn: 64513
+ peer_ip_address: 169.254.128.5
+ project: fast-prod-net-core-0
+ region: europe-west8
+ router: hub-vpn-router
+ router_appliance_instance: null
+ timeouts: null
+ zero_advertised_route_priority: null
+ zero_custom_learned_route_priority: false
+ module.vpn-ha["hub/to-onprem"].google_compute_vpn_tunnel.tunnels["remote-0"]:
+ cipher_suite: []
+ description: null
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ ike_version: 2
+ labels: null
+ name: hub-to-onprem-remote-0
+ peer_external_gateway_interface: 0
+ peer_gcp_gateway: null
+ project: fast-prod-net-core-0
+ region: europe-west8
+ router: hub-vpn-router
+ shared_secret: mySecret
+ shared_secret_wo: null
+ shared_secret_wo_version: null
+ target_vpn_gateway: null
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ vpn_gateway_interface: 0
+ module.vpn-ha["hub/to-onprem"].google_compute_vpn_tunnel.tunnels["remote-1"]:
+ cipher_suite: []
+ description: null
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ ike_version: 2
+ labels: null
+ name: hub-to-onprem-remote-1
+ peer_external_gateway_interface: 0
+ peer_gcp_gateway: null
+ project: fast-prod-net-core-0
+ region: europe-west8
+ router: hub-vpn-router
+ shared_secret: mySecret
+ shared_secret_wo: null
+ shared_secret_wo_version: null
+ target_vpn_gateway: null
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ vpn_gateway_interface: 1
+ module.vpn-ha["hub/to-onprem"].random_id.md5_keys["remote-0"]:
+ byte_length: 12
+ keepers: null
+ prefix: null
+ module.vpn-ha["hub/to-onprem"].random_id.md5_keys["remote-1"]:
+ byte_length: 12
+ keepers: null
+ prefix: null
+ module.vpn-ha["hub/to-onprem"].random_id.secret:
+ byte_length: 8
+ keepers: null
+ prefix: null
+
+counts:
+ google_compute_external_vpn_gateway: 1
+ google_compute_firewall: 2
+ google_compute_firewall_policy: 1
+ google_compute_firewall_policy_association: 1
+ google_compute_firewall_policy_rule: 5
+ google_compute_global_address: 1
+ google_compute_ha_vpn_gateway: 1
+ google_compute_network: 3
+ google_compute_network_peering_routes_config: 1
+ google_compute_route: 10
+ google_compute_router: 3
+ google_compute_router_interface: 2
+ google_compute_router_nat: 2
+ google_compute_router_peer: 2
+ google_compute_shared_vpc_host_project: 3
+ google_compute_subnetwork: 6
+ google_compute_vpn_tunnel: 2
+ google_dns_managed_zone: 5
+ google_dns_policy: 3
+ google_dns_record_set: 3
+ google_dns_response_policy: 1
+ google_dns_response_policy_rule: 42
+ google_network_connectivity_group: 1
+ google_network_connectivity_hub: 1
+ google_network_connectivity_spoke: 3
+ google_project: 3
+ google_project_iam_member: 21
+ google_project_service: 27
+ google_project_service_identity: 21
+ google_service_networking_connection: 1
+ google_service_networking_peered_dns_domain: 1
+ google_storage_bucket_object: 2
+ modules: 23
+ random_id: 3
+ resources: 185
+ terraform_data: 1
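Review bot: `shared_secret: mySecret` on both `google_compute_vpn_tunnel.tunnels["remote-0"]` and `tunnels["remote-1"]` means the NCC dataset ships a literal IKE pre-shared key, which then lives in the repository, in plan output and in state for anyone who applies the dataset as is. The same plan already creates `random_id.secret`, so the module appears able to generate a key itself. Consider dropping the literal from the dataset's VPN definition so the generated value is used, or passing it through `shared_secret_wo` (null here). If the literal has to stay as a sample, the dataset README should say it must be replaced before apply. Two related points in the same block: both BGP peers show `md5_authentication_key: []` even though `random_id.md5_keys` are created, so no BGP MD5 key is configured towards `peer_asn: 64513`; and the external gateway interface uses `ip_address: 8.8.8.8`, a real public address, where a documentation-range address such as 192.0.2.1 would be a safer placeholder.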
diff --git a/tests/fast/stages/s2_networking/peerings.yaml b/tests/fast/stages/s2_networking/peerings.yaml
index 53261ac66..c3d6f3bed 100644
--- a/tests/fast/stages/s2_networking/peerings.yaml
+++ b/tests/fast/stages/s2_networking/peerings.yaml
@@ -938,16 +938,16 @@ values:
target_service_accounts: null
target_tags: null
timeouts: null
- module.firewall_policies["network-policies"].google_compute_firewall_policy.hierarchical[0]:
+ module.firewall_policies["network-policy"].google_compute_firewall_policy.hierarchical[0]:
description: null
parent: folders/12345678
- short_name: network-policies
+ short_name: network-policy
timeouts: null
- module.firewall_policies["network-policies"].google_compute_firewall_policy_association.hierarchical["networking"]:
+ module.firewall_policies["network-policy"].google_compute_firewall_policy_association.hierarchical["networking"]:
attachment_target: folders/12345678
- name: network-policies-networking
+ name: network-policy-networking
timeouts: null
- module.firewall_policies["network-policies"].google_compute_firewall_policy_rule.hierarchical["egress/deny-example-ip"]:
+ module.firewall_policies["network-policy"].google_compute_firewall_policy_rule.hierarchical["egress/deny-example-ip"]:
action: deny
description: Allow internal traffic within the VPC
direction: EGRESS
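Review bot: the rename from `network-policies` to `network-policy` changes both the `module.firewall_policies[...]` map key and the policy `short_name`, so for a deployment that already applied the peerings dataset Terraform would address these resources differently and plan to destroy and recreate the hierarchical policy, its association on `folders/12345678` and every rule. During that window the folder has no hierarchical policy attached. Please call the rename out in the changelog or upgrade notes, or keep the old key in the existing dataset and use the new name only for the NCC one. Separately, in the context lines of this hunk the rule `egress/deny-example-ip` has `action: deny` and `direction: EGRESS` but `description: Allow internal traffic within the VPC`; the description looks copied from another rule and should be corrected in the dataset, since it is what operators see when auditing the policy.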
@@ -976,7 +976,7 @@ values:
target_service_accounts: null
timeouts: null
tls_inspect: null
- module.firewall_policies["network-policies"].google_compute_firewall_policy_rule.hierarchical["ingress/allow-healthchecks"]:
+ module.firewall_policies["network-policy"].google_compute_firewall_policy_rule.hierarchical["ingress/allow-healthchecks"]:
action: allow
description: Enable SSH, HTTP and HTTPS healthchecks
direction: INGRESS
@@ -1011,7 +1011,7 @@ values:
target_service_accounts: null
timeouts: null
tls_inspect: null
- module.firewall_policies["network-policies"].google_compute_firewall_policy_rule.hierarchical["ingress/allow-icmp"]:
+ module.firewall_policies["network-policy"].google_compute_firewall_policy_rule.hierarchical["ingress/allow-icmp"]:
action: allow
description: Enable ICMP
direction: INGRESS
@@ -1040,7 +1040,7 @@ values:
target_service_accounts: null
timeouts: null
tls_inspect: null
- module.firewall_policies["network-policies"].google_compute_firewall_policy_rule.hierarchical["ingress/allow-nat-ranges"]:
+ module.firewall_policies["network-policy"].google_compute_firewall_policy_rule.hierarchical["ingress/allow-nat-ranges"]:
action: allow
description: Enable NAT ranges for VPC serverless connector
direction: INGRESS
@@ -1070,7 +1070,7 @@ values:
target_service_accounts: null
timeouts: null
tls_inspect: null
- module.firewall_policies["network-policies"].google_compute_firewall_policy_rule.hierarchical["ingress/allow-ssh-from-iap"]:
+ module.firewall_policies["network-policy"].google_compute_firewall_policy_rule.hierarchical["ingress/allow-ssh-from-iap"]:
action: allow
description: Enable SSH from IAP
direction: INGRESS
diff --git a/tests/fast/stages/s2_networking/tftest.yaml b/tests/fast/stages/s2_networking/tftest.yaml
index 185989dbc..33e38f453 100644
--- a/tests/fast/stages/s2_networking/tftest.yaml
+++ b/tests/fast/stages/s2_networking/tftest.yaml
@@ -16,3 +16,4 @@ module: fast/stages/2-networking
tests:
peerings:
+ ncc: