allow configuring dns zone names in FAST networking stages (#3021)
committed by
GitHub
parent
b2e26e50ae
commit
7b993cd2f1
@@ -505,18 +505,18 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|
||||
| [prefix](variables-fast.tf#L76) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | <code title="object({ vpn_tunnel_established = optional(object({ auto_close = optional(string, null) duration = optional(string, "120s") enabled = optional(bool, true) notification_channels = optional(list(string), []) user_labels = optional(map(string), {}) })) vpn_tunnel_bandwidth = optional(object({ auto_close = optional(string, null) duration = optional(string, "120s") enabled = optional(bool, true) notification_channels = optional(list(string), []) threshold_mbys = optional(string, "187.5") user_labels = optional(map(string), {}) })) })">object({…})</code> | | <code title="{ vpn_tunnel_established = {} vpn_tunnel_bandwidth = {} }">{…}</code> | |
|
||||
| [custom_roles](variables-fast.tf#L40) | Custom roles defined at the org level, in key => id format. | <code title="object({ project_iam_viewer = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||
| [dns](variables.tf#L42) | DNS configuration. | <code title="object({ resolvers = optional(list(string), []) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [essential_contacts](variables.tf#L51) | Email used for essential contacts, unset if null. | <code>string</code> | | <code>null</code> | |
|
||||
| [factories_config](variables.tf#L57) | Configuration for network resource factories. | <code title="object({ dashboards = optional(string, "data/dashboards") dns_policy_rules = optional(string, "data/dns-policy-rules.yaml") firewall = optional(object({ cidr_file = optional(string, "data/cidrs.yaml") classic_rules = optional(string, "data/firewall-rules") hierarchical = optional(object({ egress_rules = optional(string, "data/hierarchical-egress-rules.yaml") ingress_rules = optional(string, "data/hierarchical-ingress-rules.yaml") policy_name = optional(string, "net-default") }), {}) policy_rules = optional(string, "data/firewall-policies") }), {}) subnets = optional(string, "data/subnets") })">object({…})</code> | | <code>{}</code> | |
|
||||
| [outputs_location](variables.tf#L78) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [psa_ranges](variables.tf#L84) | IP ranges used for Private Service Access (CloudSQL, etc.). | <code title="object({ dev = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) prod = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [regions](variables.tf#L104) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
||||
| [dns](variables.tf#L42) | DNS configuration. | <code title="object({ gcp_domain = optional(string, "gcp.example.com") onprem_domain = optional(string, "onprem.example.com") resolvers = optional(list(string), []) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [essential_contacts](variables.tf#L53) | Email used for essential contacts, unset if null. | <code>string</code> | | <code>null</code> | |
|
||||
| [factories_config](variables.tf#L59) | Configuration for network resource factories. | <code title="object({ dashboards = optional(string, "data/dashboards") dns_policy_rules = optional(string, "data/dns-policy-rules.yaml") firewall = optional(object({ cidr_file = optional(string, "data/cidrs.yaml") classic_rules = optional(string, "data/firewall-rules") hierarchical = optional(object({ egress_rules = optional(string, "data/hierarchical-egress-rules.yaml") ingress_rules = optional(string, "data/hierarchical-ingress-rules.yaml") policy_name = optional(string, "net-default") }), {}) policy_rules = optional(string, "data/firewall-policies") }), {}) subnets = optional(string, "data/subnets") })">object({…})</code> | | <code>{}</code> | |
|
||||
| [outputs_location](variables.tf#L80) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [psa_ranges](variables.tf#L86) | IP ranges used for Private Service Access (CloudSQL, etc.). | <code title="object({ dev = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) prod = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [regions](variables.tf#L106) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
||||
| [security_profile_groups](variables-fast.tf#L86) | Security profile group ids used for policy rule substitutions. | <code>map(string)</code> | | <code>{}</code> | <code>2-networking-ngfw</code> |
|
||||
| [spoke_configs](variables.tf#L116) | Spoke connectivity configurations. | <code title="object({ ncc_configs = optional(object({ export_psc = optional(bool, true) dev = optional(object({ exclude_export_ranges = list(string) }), { exclude_export_ranges = [] }) prod = optional(object({ exclude_export_ranges = list(string) }), { exclude_export_ranges = [] }) })) peering_configs = optional(object({ dev = optional(object({ export = optional(bool, true) import = optional(bool, true) public_export = optional(bool) public_import = optional(bool) }), {}) prod = optional(object({ export = optional(bool, true) import = optional(bool, true) public_export = optional(bool) public_import = optional(bool) }), {}) })) vpn_configs = optional(object({ dev = optional(object({ asn = optional(number, 65501) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }), {}) landing = optional(object({ asn = optional(number, 65500) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }), {}) prod = optional(object({ asn = optional(number, 65502) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }), {}) })) })">object({…})</code> | | <code title="{ peering_configs = {} }">{…}</code> | |
|
||||
| [spoke_configs](variables.tf#L118) | Spoke connectivity configurations. | <code title="object({ ncc_configs = optional(object({ export_psc = optional(bool, true) dev = optional(object({ exclude_export_ranges = list(string) }), { exclude_export_ranges = [] }) prod = optional(object({ exclude_export_ranges = list(string) }), { exclude_export_ranges = [] }) })) peering_configs = optional(object({ dev = optional(object({ export = optional(bool, true) import = optional(bool, true) public_export = optional(bool) public_import = optional(bool) }), {}) prod = optional(object({ export = optional(bool, true) import = optional(bool, true) public_export = optional(bool) public_import = optional(bool) }), {}) })) vpn_configs = optional(object({ dev = optional(object({ asn = optional(number, 65501) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }), {}) landing = optional(object({ asn = optional(number, 65500) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }), {}) prod = optional(object({ asn = optional(number, 65502) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }), {}) })) })">object({…})</code> | | <code title="{ peering_configs = {} }">{…}</code> | |
|
||||
| [stage_config](variables-fast.tf#L94) | FAST stage configuration. | <code title="object({ networking = optional(object({ short_name = optional(string) iam_admin_delegated = optional(map(list(string)), {}) iam_viewer = optional(map(list(string)), {}) }), {}) })">object({…})</code> | | <code>{}</code> | <code>1-resman</code> |
|
||||
| [tag_values](variables-fast.tf#L108) | Root-level tag values. | <code>map(string)</code> | | <code>{}</code> | <code>1-resman</code> |
|
||||
| [vpc_configs](variables.tf#L185) | Optional VPC network configurations. | <code title="object({ dev = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) landing = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) prod = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [vpn_onprem_primary_config](variables.tf#L238) | VPN gateway configuration for onprem interconnection in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||
| [vpc_configs](variables.tf#L187) | Optional VPC network configurations. | <code title="object({ dev = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) landing = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) prod = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [vpn_onprem_primary_config](variables.tf#L240) | VPN gateway configuration for onprem interconnection in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
||||
@@ -21,9 +21,9 @@
|
||||
module "dev-dns-priv-example" {
|
||||
source = "../../../modules/dns"
|
||||
project_id = module.dev-spoke-project.project_id
|
||||
name = "dev-gcp-example-com"
|
||||
name = "dev-${replace(var.dns.gcp_domain, ".", "-")}"
|
||||
zone_config = {
|
||||
domain = "dev.gcp.example.com."
|
||||
domain = "dev.${var.dns.gcp_domain}."
|
||||
private = {
|
||||
client_networks = [module.landing-vpc.self_link]
|
||||
}
|
||||
|
||||
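Review bot: The zone name and the zone domain are each derived from `var.dns.gcp_domain` inline in this module block, and the identical `replace(var.dns.gcp_domain, ".", "-")` expression is repeated in the `landing-dns-priv-gcp` and `prod-dns-priv-example` hunks and again in the second stage's three private-zone hunks. A single local keeps the derivation in one place so name and domain cannot drift apart across the four zones: `dns_gcp_zone_name = replace(var.dns.gcp_domain, ".", "-")` in a `locals` block, then `name = "dev-${local.dns_gcp_zone_name}"` here and `name = local.dns_gcp_zone_name` in the landing zone. The module block continues past the end of the hunk.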
@@ -22,9 +22,9 @@ module "landing-dns-fwd-onprem-example" {
|
||||
source = "../../../modules/dns"
|
||||
count = length(var.dns.resolvers) > 0 ? 1 : 0
|
||||
project_id = module.landing-project.project_id
|
||||
name = "example-com"
|
||||
name = replace(var.dns.onprem_domain, ".", "-")
|
||||
zone_config = {
|
||||
domain = "onprem.example.com."
|
||||
domain = "${var.dns.onprem_domain}."
|
||||
forwarding = {
|
||||
client_networks = [module.landing-vpc.self_link]
|
||||
forwarders = { for ip in var.dns.resolvers : ip => null }
|
||||
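Review bot: The default name of the on-prem forwarding zone changes from `example-com` to `onprem-example-com` via `name = replace(var.dns.onprem_domain, ".", "-")`, while the dev, landing and prod private zones keep their previous default names. If the dns module passes `name` through as the Cloud DNS managed zone name, which cannot be changed in place, applying this to an existing deployment most likely replaces the forwarding zone, and resolution of `onprem_domain` from the landing VPC is interrupted until the new zone exists; the second stage's copy of this hunk has the same effect. If non-disruptive upgrades matter, either keep the old default explicitly or document the one-off replacement in the stage README. Note also that this zone forwards every query under `onprem_domain` to `var.dns.resolvers`, so the variable should reject over-broad values such as a bare TLD. The module block starts before and ends after the hunk.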
@@ -49,9 +49,9 @@ module "landing-dns-fwd-onprem-rev-10" {
|
||||
module "landing-dns-priv-gcp" {
|
||||
source = "../../../modules/dns"
|
||||
project_id = module.landing-project.project_id
|
||||
name = "gcp-example-com"
|
||||
name = replace(var.dns.gcp_domain, ".", "-")
|
||||
zone_config = {
|
||||
domain = "gcp.example.com."
|
||||
domain = "${var.dns.gcp_domain}."
|
||||
private = {
|
||||
client_networks = [module.landing-vpc.self_link]
|
||||
}
|
||||
|
||||
@@ -21,9 +21,9 @@
|
||||
module "prod-dns-priv-example" {
|
||||
source = "../../../modules/dns"
|
||||
project_id = module.prod-spoke-project.project_id
|
||||
name = "prod-gcp-example-com"
|
||||
name = "prod-${replace(var.dns.gcp_domain, ".", "-")}"
|
||||
zone_config = {
|
||||
domain = "prod.gcp.example.com."
|
||||
domain = "prod.${var.dns.gcp_domain}."
|
||||
private = {
|
||||
client_networks = [module.landing-vpc.self_link]
|
||||
}
|
||||
|
||||
@@ -42,7 +42,9 @@ variable "alert_config" {
|
||||
variable "dns" {
|
||||
description = "DNS configuration."
|
||||
type = object({
|
||||
resolvers = optional(list(string), [])
|
||||
gcp_domain = optional(string, "gcp.example.com")
|
||||
onprem_domain = optional(string, "onprem.example.com")
|
||||
resolvers = optional(list(string), [])
|
||||
})
|
||||
default = {}
|
||||
nullable = false
|
||||
|
||||
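Review bot: `gcp_domain` and `onprem_domain` are accepted without validation even though the other hunks splice them into both Cloud DNS zone names (`replace(..., ".", "-")`) and zone domains (`"${var.dns.onprem_domain}."`); a value with uppercase letters, an underscore, a trailing dot or a single label yields an invalid zone name or a double trailing dot only at apply time, and a very broad on-prem domain would forward resolution for a whole parent namespace to the on-prem resolvers. A `validation` block on the variable catches this at plan time; the regex below also bounds label length, but the derived zone name (`prod-` plus the dashed domain) should additionally be kept within Cloud DNS's zone-name length limit. The same variable in the second stage's `variables.tf` hunk at the end of the page needs the same check.
```hcl
  nullable = false
  validation {
    condition = alltrue([
      for d in [var.dns.gcp_domain, var.dns.onprem_domain] :
      can(regex("^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\\.)+[a-z]{2,}$", d))
    ])
    error_message = "dns.gcp_domain and dns.onprem_domain must be lowercase FQDNs with at least two labels and no trailing dot."
  }
```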
@@ -566,20 +566,20 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|
||||
| [prefix](variables-fast.tf#L76) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | <code title="object({ vpn_tunnel_established = optional(object({ auto_close = optional(string, null) duration = optional(string, "120s") enabled = optional(bool, true) notification_channels = optional(list(string), []) user_labels = optional(map(string), {}) })) vpn_tunnel_bandwidth = optional(object({ auto_close = optional(string, null) duration = optional(string, "120s") enabled = optional(bool, true) notification_channels = optional(list(string), []) threshold_mbys = optional(string, "187.5") user_labels = optional(map(string), {}) })) })">object({…})</code> | | <code title="{ vpn_tunnel_established = {} vpn_tunnel_bandwidth = {} }">{…}</code> | |
|
||||
| [custom_roles](variables-fast.tf#L40) | Custom roles defined at the org level, in key => id format. | <code title="object({ project_iam_viewer = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||
| [dns](variables.tf#L42) | DNS configuration. | <code title="object({ resolvers = optional(list(string), []) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [essential_contacts](variables.tf#L51) | Email used for essential contacts, unset if null. | <code>string</code> | | <code>null</code> | |
|
||||
| [factories_config](variables.tf#L57) | Configuration for network resource factories. | <code title="object({ dashboards = optional(string, "data/dashboards") dns_policy_rules = optional(string, "data/dns-policy-rules.yaml") firewall = optional(object({ cidr_file = optional(string, "data/cidrs.yaml") classic_rules = optional(string, "data/firewall-rules") hierarchical = optional(object({ egress_rules = optional(string, "data/hierarchical-egress-rules.yaml") ingress_rules = optional(string, "data/hierarchical-ingress-rules.yaml") policy_name = optional(string, "net-default") }), {}) policy_rules = optional(string, "data/firewall-policies") }), {}) subnets = optional(string, "data/subnets") })">object({…})</code> | | <code>{}</code> | |
|
||||
| [gcp_ranges](variables.tf#L78) | GCP address ranges in name => range format. | <code>map(string)</code> | | <code title="{ gcp_dev_primary = "10.68.0.0/16" gcp_dev_secondary = "10.84.0.0/16" gcp_regional_vpc_primary = "10.65.0.0/17" gcp_regional_vpc_secondary = "10.81.0.0/17" gcp_landing_primary = "10.64.0.0/17" gcp_landing_secondary = "10.80.0.0/17" gcp_dmz_primary = "10.64.128.0/17" gcp_dmz_secondary = "10.80.128.0/17" gcp_prod_primary = "10.72.0.0/16" gcp_prod_secondary = "10.88.0.0/16" }">{…}</code> | |
|
||||
| [network_mode](variables.tf#L95) | Selection of the network design to deploy. | <code>string</code> | | <code>"simple"</code> | |
|
||||
| [outputs_location](variables.tf#L106) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [psa_ranges](variables.tf#L112) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | <code title="object({ dev = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) prod = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [regions](variables.tf#L132) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
||||
| [dns](variables.tf#L42) | DNS configuration. | <code title="object({ gcp_domain = optional(string, "gcp.example.com") onprem_domain = optional(string, "onprem.example.com") resolvers = optional(list(string), []) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [essential_contacts](variables.tf#L53) | Email used for essential contacts, unset if null. | <code>string</code> | | <code>null</code> | |
|
||||
| [factories_config](variables.tf#L59) | Configuration for network resource factories. | <code title="object({ dashboards = optional(string, "data/dashboards") dns_policy_rules = optional(string, "data/dns-policy-rules.yaml") firewall = optional(object({ cidr_file = optional(string, "data/cidrs.yaml") classic_rules = optional(string, "data/firewall-rules") hierarchical = optional(object({ egress_rules = optional(string, "data/hierarchical-egress-rules.yaml") ingress_rules = optional(string, "data/hierarchical-ingress-rules.yaml") policy_name = optional(string, "net-default") }), {}) policy_rules = optional(string, "data/firewall-policies") }), {}) subnets = optional(string, "data/subnets") })">object({…})</code> | | <code>{}</code> | |
|
||||
| [gcp_ranges](variables.tf#L80) | GCP address ranges in name => range format. | <code>map(string)</code> | | <code title="{ gcp_dev_primary = "10.68.0.0/16" gcp_dev_secondary = "10.84.0.0/16" gcp_regional_vpc_primary = "10.65.0.0/17" gcp_regional_vpc_secondary = "10.81.0.0/17" gcp_landing_primary = "10.64.0.0/17" gcp_landing_secondary = "10.80.0.0/17" gcp_dmz_primary = "10.64.128.0/17" gcp_dmz_secondary = "10.80.128.0/17" gcp_prod_primary = "10.72.0.0/16" gcp_prod_secondary = "10.88.0.0/16" }">{…}</code> | |
|
||||
| [network_mode](variables.tf#L97) | Selection of the network design to deploy. | <code>string</code> | | <code>"simple"</code> | |
|
||||
| [outputs_location](variables.tf#L108) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [psa_ranges](variables.tf#L114) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | <code title="object({ dev = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) prod = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [regions](variables.tf#L134) | Region definitions. | <code title="object({ primary = string secondary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" secondary = "europe-west4" }">{…}</code> | |
|
||||
| [security_profile_groups](variables-fast.tf#L86) | Security profile group ids used for policy rule substitutions. | <code>map(string)</code> | | <code>{}</code> | <code>2-networking-ngfw</code> |
|
||||
| [stage_config](variables-fast.tf#L94) | FAST stage configuration. | <code title="object({ networking = optional(object({ short_name = optional(string) iam_admin_delegated = optional(map(list(string)), {}) iam_viewer = optional(map(list(string)), {}) }), {}) })">object({…})</code> | | <code>{}</code> | <code>1-resman</code> |
|
||||
| [tag_values](variables-fast.tf#L108) | Root-level tag values. | <code>map(string)</code> | | <code>{}</code> | <code>1-resman</code> |
|
||||
| [vpc_configs](variables.tf#L144) | Optional VPC network configurations. | <code title="object({ dev = optional(object({ mtu = optional(number, 1500) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) dmz = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) landing = optional(object({ mtu = optional(number, 1500) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) prod = optional(object({ mtu = optional(number, 1500) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) regional_primary = optional(object({ mtu = optional(number, 1500) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) regional_secondary = optional(object({ mtu = optional(number, 1500) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = 
optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [vpn_onprem_primary_config](variables.tf#L227) | VPN gateway configuration for onprem interconnection in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||
| [vpn_onprem_secondary_config](variables.tf#L270) | VPN gateway configuration for onprem interconnection in the secondary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||
| [vpc_configs](variables.tf#L146) | Optional VPC network configurations. | <code title="object({ dev = optional(object({ mtu = optional(number, 1500) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) dmz = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) landing = optional(object({ mtu = optional(number, 1500) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) prod = optional(object({ mtu = optional(number, 1500) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) regional_primary = optional(object({ mtu = optional(number, 1500) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) regional_secondary = optional(object({ mtu = optional(number, 1500) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = 
optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [vpn_onprem_primary_config](variables.tf#L229) | VPN gateway configuration for onprem interconnection in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||
| [vpn_onprem_secondary_config](variables.tf#L272) | VPN gateway configuration for onprem interconnection in the secondary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
||||
@@ -21,9 +21,9 @@
|
||||
module "dev-dns-priv-example" {
|
||||
source = "../../../modules/dns"
|
||||
project_id = module.dev-spoke-project.project_id
|
||||
name = "dev-gcp-example-com"
|
||||
name = "dev-${replace(var.dns.gcp_domain, ".", "-")}"
|
||||
zone_config = {
|
||||
domain = "dev.gcp.example.com."
|
||||
domain = "dev.${var.dns.gcp_domain}."
|
||||
private = {
|
||||
client_networks = [
|
||||
# module.dmz-vpc.self_link
|
||||
|
||||
@@ -22,9 +22,9 @@ module "landing-dns-fwd-onprem-example" {
|
||||
source = "../../../modules/dns"
|
||||
count = length(var.dns.resolvers) > 0 ? 1 : 0
|
||||
project_id = module.landing-project.project_id
|
||||
name = "example-com"
|
||||
name = replace(var.dns.onprem_domain, ".", "-")
|
||||
zone_config = {
|
||||
domain = "onprem.example.com."
|
||||
domain = "${var.dns.onprem_domain}."
|
||||
forwarding = {
|
||||
client_networks = concat(
|
||||
[
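Review bot: The `name` change on this forwarding zone is not name-stable for existing deployments: the old literal was `example-com`, while `replace(var.dns.onprem_domain, ".", "-")` evaluates to `onprem-example-com` with the default `onprem_domain`, so the next apply will replace (destroy and recreate) the `landing-dns-fwd-onprem-example` zone rather than update it in place. The equivalent change on the private zones is stable, since `replace(var.dns.gcp_domain, ".", "-")` reproduces the previous `gcp-example-com` literal. If the rename is intended, it should be called out in the commit description or with a comment on the line, e.g. `# NOTE: zone name derives from dns.onprem_domain; changing it replaces the forwarding zone and briefly breaks onprem resolution`. The enclosing module block continues outside the hunk.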
|
||||
@@ -69,9 +69,9 @@ module "landing-dns-fwd-onprem-rev-10" {
|
||||
module "landing-dns-priv-gcp" {
|
||||
source = "../../../modules/dns"
|
||||
project_id = module.landing-project.project_id
|
||||
name = "gcp-example-com"
|
||||
name = replace(var.dns.gcp_domain, ".", "-")
|
||||
zone_config = {
|
||||
domain = "gcp.example.com."
|
||||
domain = "${var.dns.gcp_domain}."
|
||||
private = {
|
||||
client_networks = concat(
|
||||
[
|
||||
|
||||
@@ -21,9 +21,9 @@
|
||||
module "prod-dns-priv-example" {
|
||||
source = "../../../modules/dns"
|
||||
project_id = module.prod-spoke-project.project_id
|
||||
name = "prod-gcp-example-com"
|
||||
name = "prod-${replace(var.dns.gcp_domain, ".", "-")}"
|
||||
zone_config = {
|
||||
domain = "prod.gcp.example.com."
|
||||
domain = "prod.${var.dns.gcp_domain}."
|
||||
private = {
|
||||
client_networks = [
|
||||
# module.dmz-vpc.self_link
|
||||
|
||||
@@ -42,7 +42,9 @@ variable "alert_config" {
|
||||
variable "dns" {
|
||||
description = "DNS configuration."
|
||||
type = object({
|
||||
resolvers = optional(list(string), [])
|
||||
gcp_domain = optional(string, "gcp.example.com")
|
||||
onprem_domain = optional(string, "onprem.example.com")
|
||||
resolvers = optional(list(string), [])
|
||||
})
|
||||
default = {}
|
||||
nullable = false
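Review bot: `gcp_domain` and `onprem_domain` are new free-form strings interpolated straight into Cloud DNS zone names (`replace(var.dns.gcp_domain, ".", "-")`) and into zone domains with a `.` appended, but the variable carries no `validation` block, so a value with a trailing dot, uppercase letters, or characters outside `[a-z0-9.-]` surfaces as a provider error at apply time, or as a zone name the API rejects, rather than at plan time. The same omission exists in the second `variable "dns"` hunk further down (the stage with `dev_resolvers`/`prod_resolvers`). A validation on the object attributes keeps the failure at plan time and documents the expected format; note that where the derived name carries no fixed prefix (the landing zones), Cloud DNS also requires the name to start with a letter, which this check does not enforce on its own. The closing brace of the variable block is outside the hunk.
```terraform
  nullable = false
  validation {
    condition = alltrue([
      for d in [var.dns.gcp_domain, var.dns.onprem_domain] :
      can(regex("^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$", d))
    ])
    error_message = "dns.gcp_domain and dns.onprem_domain must be lowercase FQDNs without a trailing dot."
  }
```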
|
||||
|
||||
@@ -364,18 +364,18 @@ Regions are defined via the `regions` variable which sets up a mapping between t
|
||||
| [prefix](variables-fast.tf#L76) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | <code title="object({ vpn_tunnel_established = optional(object({ auto_close = optional(string, null) duration = optional(string, "120s") enabled = optional(bool, true) notification_channels = optional(list(string), []) user_labels = optional(map(string), {}) })) vpn_tunnel_bandwidth = optional(object({ auto_close = optional(string, null) duration = optional(string, "120s") enabled = optional(bool, true) notification_channels = optional(list(string), []) threshold_mbys = optional(string, "187.5") user_labels = optional(map(string), {}) })) })">object({…})</code> | | <code title="{ vpn_tunnel_established = {} vpn_tunnel_bandwidth = {} }">{…}</code> | |
|
||||
| [custom_roles](variables-fast.tf#L40) | Custom roles defined at the org level, in key => id format. | <code title="object({ project_iam_viewer = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||
| [dns](variables.tf#L42) | DNS configuration. | <code title="object({ dev_resolvers = optional(list(string), []) prod_resolvers = optional(list(string), []) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [essential_contacts](variables.tf#L52) | Email used for essential contacts, unset if null. | <code>string</code> | | <code>null</code> | |
|
||||
| [factories_config](variables.tf#L58) | Configuration for network resource factories. | <code title="object({ dashboards = optional(string, "data/dashboards") dns_policy_rules = optional(string, "data/dns-policy-rules.yaml") firewall = optional(object({ cidr_file = optional(string, "data/cidrs.yaml") classic_rules = optional(string, "data/firewall-rules") hierarchical = optional(object({ egress_rules = optional(string, "data/hierarchical-egress-rules.yaml") ingress_rules = optional(string, "data/hierarchical-ingress-rules.yaml") policy_name = optional(string, "net-default") }), {}) policy_rules = optional(string, "data/firewall-policies") }), {}) subnets = optional(string, "data/subnets") })">object({…})</code> | | <code>{}</code> | |
|
||||
| [outputs_location](variables.tf#L79) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [psa_ranges](variables.tf#L85) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) prod = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [regions](variables.tf#L105) | Region definitions. | <code title="object({ primary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" }">{…}</code> | |
|
||||
| [dns](variables.tf#L42) | DNS configuration. | <code title="object({ gcp_domain = optional(string, "gcp.example.com") onprem_domain = optional(string, "onprem.example.com") dev_resolvers = optional(list(string), []) prod_resolvers = optional(list(string), []) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [essential_contacts](variables.tf#L54) | Email used for essential contacts, unset if null. | <code>string</code> | | <code>null</code> | |
|
||||
| [factories_config](variables.tf#L60) | Configuration for network resource factories. | <code title="object({ dashboards = optional(string, "data/dashboards") dns_policy_rules = optional(string, "data/dns-policy-rules.yaml") firewall = optional(object({ cidr_file = optional(string, "data/cidrs.yaml") classic_rules = optional(string, "data/firewall-rules") hierarchical = optional(object({ egress_rules = optional(string, "data/hierarchical-egress-rules.yaml") ingress_rules = optional(string, "data/hierarchical-ingress-rules.yaml") policy_name = optional(string, "net-default") }), {}) policy_rules = optional(string, "data/firewall-policies") }), {}) subnets = optional(string, "data/subnets") })">object({…})</code> | | <code>{}</code> | |
|
||||
| [outputs_location](variables.tf#L81) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [psa_ranges](variables.tf#L87) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) prod = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })), []) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [regions](variables.tf#L107) | Region definitions. | <code title="object({ primary = string })">object({…})</code> | | <code title="{ primary = "europe-west1" }">{…}</code> | |
|
||||
| [security_profile_groups](variables-fast.tf#L86) | Security profile group ids used for policy rule substitutions. | <code>map(string)</code> | | <code>{}</code> | <code>2-networking-ngfw</code> |
|
||||
| [stage_config](variables-fast.tf#L94) | FAST stage configuration. | <code title="object({ networking = optional(object({ short_name = optional(string) iam_admin_delegated = optional(map(list(string)), {}) iam_viewer = optional(map(list(string)), {}) }), {}) })">object({…})</code> | | <code>{}</code> | <code>1-resman</code> |
|
||||
| [tag_values](variables-fast.tf#L108) | Root-level tag values. | <code>map(string)</code> | | <code>{}</code> | <code>1-resman</code> |
|
||||
| [vpc_configs](variables.tf#L115) | Optional VPC network configurations. | <code title="object({ dev = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) prod = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [vpn_onprem_dev_primary_config](variables.tf#L153) | VPN gateway configuration for onprem interconnection from dev in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||
| [vpn_onprem_prod_primary_config](variables.tf#L196) | VPN gateway configuration for onprem interconnection from prod in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||
| [vpc_configs](variables.tf#L117) | Optional VPC network configurations. | <code title="object({ dev = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) prod = optional(object({ mtu = optional(number, 1500) cloudnat = optional(object({ enable = optional(bool, false) }), {}) dns = optional(object({ create_inbound_policy = optional(bool, true) enable_logging = optional(bool, true) }), {}) firewall = optional(object({ create_policy = optional(bool, false) policy_has_priority = optional(bool, false) use_classic = optional(bool, true) }), {}) }), {}) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [vpn_onprem_dev_primary_config](variables.tf#L155) | VPN gateway configuration for onprem interconnection from dev in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||
| [vpn_onprem_prod_primary_config](variables.tf#L198) | VPN gateway configuration for onprem interconnection from prod in the primary region. | <code title="object({ peer_external_gateways = map(object({ redundancy_type = string interfaces = list(string) })) router_config = object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) }) tunnels = map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number })) })">object({…})</code> | | <code>null</code> | |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
||||
@@ -21,9 +21,9 @@
|
||||
module "dev-dns-private-zone" {
|
||||
source = "../../../modules/dns"
|
||||
project_id = module.dev-spoke-project.project_id
|
||||
name = "dev-gcp-example-com"
|
||||
name = "dev-${replace(var.dns.gcp_domain, ".", "-")}"
|
||||
zone_config = {
|
||||
domain = "dev.gcp.example.com."
|
||||
domain = "dev.${var.dns.gcp_domain}."
|
||||
private = {
|
||||
client_networks = [module.dev-spoke-vpc.self_link]
|
||||
}
|
||||
|
||||
@@ -21,9 +21,9 @@
|
||||
module "prod-dns-private-zone" {
|
||||
source = "../../../modules/dns"
|
||||
project_id = module.prod-spoke-project.project_id
|
||||
name = "prod-gcp-example-com"
|
||||
name = "prod-${replace(var.dns.gcp_domain, ".", "-")}"
|
||||
zone_config = {
|
||||
domain = "prod.gcp.example.com."
|
||||
domain = "prod.${var.dns.gcp_domain}."
|
||||
private = {
|
||||
client_networks = [module.prod-spoke-vpc.self_link]
|
||||
}
|
||||
|
||||
@@ -42,6 +42,8 @@ variable "alert_config" {
|
||||
variable "dns" {
|
||||
description = "DNS configuration."
|
||||
type = object({
|
||||
gcp_domain = optional(string, "gcp.example.com")
|
||||
onprem_domain = optional(string, "onprem.example.com")
|
||||
dev_resolvers = optional(list(string), [])
|
||||
prod_resolvers = optional(list(string), [])
|
||||
})
|
||||
|
||||