diff --git a/fast/stage-links.sh b/fast/stage-links.sh
deleted file mode 100755
index 5ad46edd8..000000000
--- a/fast/stage-links.sh
+++ /dev/null
@@ -1,187 +0,0 @@
-#!/bin/bash
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-if [ $# -eq 0 ]; then
- echo "Error: no folder or GCS bucket specified. Use -h or --help for usage."
- exit 1
-fi
-
-if [[ "$1" == "-h" || "$1" == "--help" ]]; then
- cat < $MESSAGE <---"
-fi
diff --git a/fast/stages/2-networking-a-simple/.fast-stage.env b/fast/stages/2-networking-a-simple/.fast-stage.env
index 592fb344a..9b10516e9 100644
--- a/fast/stages/2-networking-a-simple/.fast-stage.env
+++ b/fast/stages/2-networking-a-simple/.fast-stage.env
@@ -2,4 +2,4 @@ FAST_STAGE_DESCRIPTION="networking (simple)"
 FAST_STAGE_LEVEL=2
 FAST_STAGE_NAME=networking
 FAST_STAGE_DEPS="0-globals 0-bootstrap 1-resman"
-FAST_STAGE_OPTIONAL="2-nsec"
\ No newline at end of file
+FAST_STAGE_OPTIONAL="2-networking-ngfw"
\ No newline at end of file
diff --git a/fast/stages/2-networking-a-simple/README.md b/fast/stages/2-networking-a-simple/README.md
index 415390d5f..926209c9a 100644
--- a/fast/stages/2-networking-a-simple/README.md
+++ b/fast/stages/2-networking-a-simple/README.md
@@ -513,9 +513,10 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 | [outputs_location](variables.tf#L84) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
 | [psa_ranges](variables.tf#L90) | IP ranges used for Private Service Access (CloudSQL, etc.). | object({…}) | | {} | |
 | [regions](variables.tf#L110) | Region definitions. | object({…}) | | {…} | |
+| [security_profile_groups](variables-fast.tf#L86) | Security profile group ids used for policy rule substitutions. | map(string) | | {} | 2-networking-ngfw |
 | [spoke_configs](variables.tf#L122) | Spoke connectivity configurations. | object({…}) | | {…} | |
-| [stage_config](variables-fast.tf#L86) | FAST stage configuration. | object({…}) | | {} | 1-resman |
-| [tag_values](variables-fast.tf#L100) | Root-level tag values. | map(string) | | {} | 1-resman |
+| [stage_config](variables-fast.tf#L94) | FAST stage configuration. | object({…}) | | {} | 1-resman |
+| [tag_values](variables-fast.tf#L108) | Root-level tag values. | map(string) | | {} | 1-resman |
 | [vpc_configs](variables.tf#L191) | Optional VPC network configurations. | object({…}) | | {} | |
 | [vpn_onprem_primary_config](variables.tf#L244) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | |
diff --git a/fast/stages/2-networking-a-simple/net-dev.tf b/fast/stages/2-networking-a-simple/net-dev.tf
index 57599abf0..d4776d0e0 100644
--- a/fast/stages/2-networking-a-simple/net-dev.tf
+++ b/fast/stages/2-networking-a-simple/net-dev.tf
@@ -136,12 +136,12 @@ module "dev-firewall-policy" {
 attachments = {
 dev-spoke-0 = module.dev-spoke-vpc.id
 }
- # TODO: add context for security groups
 factories_config = {
 cidr_file_path = var.factories_config.firewall.cidr_file
 egress_rules_file_path = "${var.factories_config.firewall.policy_rules}/dev/egress.yaml"
 ingress_rules_file_path = "${var.factories_config.firewall.policy_rules}/dev/ingress.yaml"
 }
+ security_profile_group_ids = var.security_profile_groups
 }
 
 module "dev-spoke-cloudnat" {
diff --git a/fast/stages/2-networking-a-simple/net-landing.tf b/fast/stages/2-networking-a-simple/net-landing.tf
index b55702efe..0e137b9b5 100644
--- a/fast/stages/2-networking-a-simple/net-landing.tf
+++ b/fast/stages/2-networking-a-simple/net-landing.tf
@@ -114,12 +114,12 @@ module "landing-firewall-policy" {
 attachments = {
 landing-0 = module.landing-vpc.id
 }
- # TODO: add context for security groups
 factories_config = {
 cidr_file_path = var.factories_config.firewall.cidr_file
 egress_rules_file_path = "${var.factories_config.firewall.policy_rules}/landing/egress.yaml"
 ingress_rules_file_path = "${var.factories_config.firewall.policy_rules}/landing/ingress.yaml"
 }
+ security_profile_group_ids = var.security_profile_groups
 }
 
 module "landing-nat-primary" {
diff --git a/fast/stages/2-networking-a-simple/net-prod.tf b/fast/stages/2-networking-a-simple/net-prod.tf
index 62175101d..999d34368 100644
--- a/fast/stages/2-networking-a-simple/net-prod.tf
+++ b/fast/stages/2-networking-a-simple/net-prod.tf
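Review bot: The added `security_profile_group_ids = var.security_profile_groups` in `dev-firewall-policy` replaces the `# TODO: add context for security groups` comment without leaving any hint that the map is `{}` unless the optional 2-networking-ngfw stage has been applied, so a rule in `dev/ingress.yaml` or `dev/egress.yaml` that names a profile group would have nothing to substitute on a fresh deployment. A one-line comment would make the dependency visible at the call site: `# profile group ids come from the optional 2-networking-ngfw stage; empty when it is not deployed`. It is also worth confirming that the module fails the plan when a referenced key is absent from the map, rather than emitting the rule without its inspection action, since the empty default makes that the common state. The same line is added in the same form to net-landing.tf and net-prod.tf in this stage and to net-dev.tf, net-landing.tf, net-prod.tf and net-regional-vpc.tf in 2-networking-b-nva and net-dev.tf and net-prod.tf in 2-networking-c-separate-envs; this note covers all of them.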
@@ -131,12 +131,12 @@ module "prod-firewall-policy" {
 attachments = {
 prod-spoke-0 = module.prod-spoke-vpc.id
 }
- # TODO: add context for security groups
 factories_config = {
 cidr_file_path = var.factories_config.firewall.cidr_file
 egress_rules_file_path = "${var.factories_config.firewall.policy_rules}/prod/egress.yaml"
 ingress_rules_file_path = "${var.factories_config.firewall.policy_rules}/prod/ingress.yaml"
 }
+ security_profile_group_ids = var.security_profile_groups
 }
 
 module "prod-spoke-cloudnat" {
diff --git a/fast/stages/2-networking-a-simple/schemas/firewall-policy-rules.schema.json b/fast/stages/2-networking-a-simple/schemas/firewall-policy-rules.schema.json
new file mode 120000
index 000000000..e37a764d2
--- /dev/null
+++ b/fast/stages/2-networking-a-simple/schemas/firewall-policy-rules.schema.json
@@ -0,0 +1 @@
+../../../../modules/net-firewall-policy/schemas/firewall-policy-rules.schema.json
\ No newline at end of file
diff --git a/fast/stages/2-networking-a-simple/variables-fast.tf b/fast/stages/2-networking-a-simple/variables-fast.tf
index dd7f96bf5..c01b3f27f 100644
--- a/fast/stages/2-networking-a-simple/variables-fast.tf
+++ b/fast/stages/2-networking-a-simple/variables-fast.tf
@@ -83,6 +83,14 @@ variable "prefix" {
 }
 }
 
+variable "security_profile_groups" {
+ # tfdoc:variable:source 2-networking-ngfw
+ description = "Security profile group ids used for policy rule substitutions."
+ type = map(string)
+ nullable = false
+ default = {}
+}
+
 variable "stage_config" {
 # tfdoc:variable:source 1-resman
 description = "FAST stage configuration."
diff --git a/fast/stages/2-networking-b-nva/.fast-stage.env b/fast/stages/2-networking-b-nva/.fast-stage.env
index 3e8057f51..83c3bb545 100644
--- a/fast/stages/2-networking-b-nva/.fast-stage.env
+++ b/fast/stages/2-networking-b-nva/.fast-stage.env
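Review bot: The new `security_profile_groups` variable in variables-fast.tf says only that its values are "used for policy rule substitutions", so a reader of this stage cannot tell what the map keys are or which form the values must take, which matters because the values end up inside firewall policy rules. Extending the description to say that keys are the names referenced from the firewall policy rule files and values the security profile group ids they resolve to would close that gap, and if the module expects a specific id form a `validation` block that rejects empty strings would catch a miswired 2-networking-ngfw output at plan time instead of at apply. The variable is also named differently from the module input it feeds (`security_profile_group_ids`); aligning the two would make the wiring easier to follow, unless the name is fixed by the ngfw stage output. The identical block is added to variables-fast.tf in 2-networking-b-nva and 2-networking-c-separate-envs, where the same points apply.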
@@ -2,4 +2,4 @@ FAST_STAGE_DESCRIPTION="networking (nva)"
 FAST_STAGE_LEVEL=2
 FAST_STAGE_NAME=networking
 FAST_STAGE_DEPS="0-globals 0-bootstrap 1-resman"
-FAST_STAGE_OPTIONAL="2-nsec"
\ No newline at end of file
+FAST_STAGE_OPTIONAL="2-networking-ngfw"
\ No newline at end of file
diff --git a/fast/stages/2-networking-b-nva/README.md b/fast/stages/2-networking-b-nva/README.md
index db6db9716..20b88a151 100644
--- a/fast/stages/2-networking-b-nva/README.md
+++ b/fast/stages/2-networking-b-nva/README.md
@@ -576,8 +576,9 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 | [outputs_location](variables.tf#L112) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
 | [psa_ranges](variables.tf#L118) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | {} | |
 | [regions](variables.tf#L138) | Region definitions. | object({…}) | | {…} | |
-| [stage_config](variables-fast.tf#L86) | FAST stage configuration. | object({…}) | | {} | 1-resman |
-| [tag_values](variables-fast.tf#L100) | Root-level tag values. | map(string) | | {} | 1-resman |
+| [security_profile_groups](variables-fast.tf#L86) | Security profile group ids used for policy rule substitutions. | map(string) | | {} | 2-networking-ngfw |
+| [stage_config](variables-fast.tf#L94) | FAST stage configuration. | object({…}) | | {} | 1-resman |
+| [tag_values](variables-fast.tf#L108) | Root-level tag values. | map(string) | | {} | 1-resman |
 | [vpc_configs](variables.tf#L150) | Optional VPC network configurations. | object({…}) | | {} | |
 | [vpn_onprem_primary_config](variables.tf#L233) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | |
 | [vpn_onprem_secondary_config](variables.tf#L276) | VPN gateway configuration for onprem interconnection in the secondary region. | object({…}) | | null | |
diff --git a/fast/stages/2-networking-b-nva/net-dev.tf b/fast/stages/2-networking-b-nva/net-dev.tf
index 5032ea921..5a95118a1 100644
--- a/fast/stages/2-networking-b-nva/net-dev.tf
+++ b/fast/stages/2-networking-b-nva/net-dev.tf
@@ -156,12 +156,12 @@ module "dev-firewall-policy" {
 attachments = {
 dev-spoke-0 = module.dev-spoke-vpc.id
 }
- # TODO: add context for security groups
 factories_config = {
 cidr_file_path = var.factories_config.firewall.cidr_file
 egress_rules_file_path = "${var.factories_config.firewall.policy_rules}/dev/egress.yaml"
 ingress_rules_file_path = "${var.factories_config.firewall.policy_rules}/dev/ingress.yaml"
 }
+ security_profile_group_ids = var.security_profile_groups
 }
 
 module "peering-dev" {
diff --git a/fast/stages/2-networking-b-nva/net-landing.tf b/fast/stages/2-networking-b-nva/net-landing.tf
index 91ec3a89b..702946765 100644
--- a/fast/stages/2-networking-b-nva/net-landing.tf
+++ b/fast/stages/2-networking-b-nva/net-landing.tf
@@ -137,12 +137,12 @@ module "dmz-firewall-policy" {
 attachments = {
 dmz-0 = module.dmz-vpc.id
 }
- # TODO: add context for security groups
 factories_config = {
 cidr_file_path = var.factories_config.firewall.cidr_file
 egress_rules_file_path = "${var.factories_config.firewall.policy_rules}/dmz/egress.yaml"
 ingress_rules_file_path = "${var.factories_config.firewall.policy_rules}/dmz/ingress.yaml"
 }
+ security_profile_group_ids = var.security_profile_groups
 }
 
 # NAT
@@ -216,10 +216,10 @@ module "landing-firewall-policy" {
 attachments = {
 landing-0 = module.landing-vpc.id
 }
- # TODO: add context for security groups
 factories_config = {
 cidr_file_path = var.factories_config.firewall.cidr_file
 egress_rules_file_path = "${var.factories_config.firewall.policy_rules}/landing/egress.yaml"
 ingress_rules_file_path = "${var.factories_config.firewall.policy_rules}/landing/ingress.yaml"
 }
+ security_profile_group_ids = var.security_profile_groups
 }
diff --git a/fast/stages/2-networking-b-nva/net-prod.tf b/fast/stages/2-networking-b-nva/net-prod.tf
index a40dc9876..dfe9cdadb 100644
--- a/fast/stages/2-networking-b-nva/net-prod.tf
+++ b/fast/stages/2-networking-b-nva/net-prod.tf
@@ -156,12 +156,12 @@ module "prod-firewall-policy" {
 attachments = {
 prod-spoke-0 = module.prod-spoke-vpc.id
 }
- # TODO: add context for security groups
 factories_config = {
 cidr_file_path = var.factories_config.firewall.cidr_file
 egress_rules_file_path = "${var.factories_config.firewall.policy_rules}/prod/egress.yaml"
 ingress_rules_file_path = "${var.factories_config.firewall.policy_rules}/prod/ingress.yaml"
 }
+ security_profile_group_ids = var.security_profile_groups
 }
 
 module "peering-prod" {
diff --git a/fast/stages/2-networking-b-nva/net-regional-vpc.tf b/fast/stages/2-networking-b-nva/net-regional-vpc.tf
index 3e7aecd6a..155ae1793 100644
--- a/fast/stages/2-networking-b-nva/net-regional-vpc.tf
+++ b/fast/stages/2-networking-b-nva/net-regional-vpc.tf
@@ -108,12 +108,12 @@ module "regional-primary-firewall-policy" {
 attachments = {
 regional-primary-0 = module.regional-primary-vpc[0].id
 }
- # TODO: add context for security groups
 factories_config = {
 cidr_file_path = var.factories_config.firewall.cidr_file
 egress_rules_file_path = "${var.factories_config.firewall.policy_rules}/regional-primary/egress.yaml"
 ingress_rules_file_path = "${var.factories_config.firewall.policy_rules}/regional-primary/ingress.yaml"
 }
+ security_profile_group_ids = var.security_profile_groups
 }
 
 # Regional Secondary VPC
@@ -172,10 +172,10 @@ module "regional-secondary-firewall-policy" {
 attachments = {
 regional-secondary-0 = module.regional-secondary-vpc[0].id
 }
- # TODO: add context for security groups
 factories_config = {
 cidr_file_path = var.factories_config.firewall.cidr_file
 egress_rules_file_path = "${var.factories_config.firewall.policy_rules}/regional-secondary/egress.yaml"
 ingress_rules_file_path = "${var.factories_config.firewall.policy_rules}/regional-secondary/ingress.yaml"
 }
+ security_profile_group_ids = var.security_profile_groups
 }
diff --git a/fast/stages/2-networking-b-nva/schemas/firewall-policy-rules.schema.json b/fast/stages/2-networking-b-nva/schemas/firewall-policy-rules.schema.json
new file mode 120000
index 000000000..e37a764d2
--- /dev/null
+++ b/fast/stages/2-networking-b-nva/schemas/firewall-policy-rules.schema.json
@@ -0,0 +1 @@
+../../../../modules/net-firewall-policy/schemas/firewall-policy-rules.schema.json
\ No newline at end of file
diff --git a/fast/stages/2-networking-b-nva/variables-fast.tf b/fast/stages/2-networking-b-nva/variables-fast.tf
index dd7f96bf5..c01b3f27f 100644
--- a/fast/stages/2-networking-b-nva/variables-fast.tf
+++ b/fast/stages/2-networking-b-nva/variables-fast.tf
@@ -83,6 +83,14 @@ variable "prefix" {
 }
 }
 
+variable "security_profile_groups" {
+ # tfdoc:variable:source 2-networking-ngfw
+ description = "Security profile group ids used for policy rule substitutions."
+ type = map(string)
+ nullable = false
+ default = {}
+}
+
 variable "stage_config" {
 # tfdoc:variable:source 1-resman
 description = "FAST stage configuration."
diff --git a/fast/stages/2-networking-c-separate-envs/.fast-stage.env b/fast/stages/2-networking-c-separate-envs/.fast-stage.env
index 0c1d6b578..1d3fffa33 100644
--- a/fast/stages/2-networking-c-separate-envs/.fast-stage.env
+++ b/fast/stages/2-networking-c-separate-envs/.fast-stage.env
@@ -2,4 +2,4 @@ FAST_STAGE_DESCRIPTION="networking (separate environments)"
 FAST_STAGE_LEVEL=2
 FAST_STAGE_NAME=networking
 FAST_STAGE_DEPS="0-globals 0-bootstrap 1-resman"
-FAST_STAGE_OPTIONAL="2-nsec"
\ No newline at end of file
+FAST_STAGE_OPTIONAL="2-networking-ngfw"
\ No newline at end of file
diff --git a/fast/stages/2-networking-c-separate-envs/README.md b/fast/stages/2-networking-c-separate-envs/README.md
index 853a0a846..175d31d79 100644
--- a/fast/stages/2-networking-c-separate-envs/README.md
+++ b/fast/stages/2-networking-c-separate-envs/README.md
@@ -371,8 +371,9 @@ Regions are defined via the `regions` variable which sets up a mapping between t
 | [outputs_location](variables.tf#L79) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
 | [psa_ranges](variables.tf#L85) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | {} | |
 | [regions](variables.tf#L105) | Region definitions. | object({…}) | | {…} | |
-| [stage_config](variables-fast.tf#L86) | FAST stage configuration. | object({…}) | | {} | 1-resman |
-| [tag_values](variables-fast.tf#L100) | Root-level tag values. | map(string) | | {} | 1-resman |
+| [security_profile_groups](variables-fast.tf#L86) | Security profile group ids used for policy rule substitutions. | map(string) | | {} | 2-networking-ngfw |
+| [stage_config](variables-fast.tf#L94) | FAST stage configuration. | object({…}) | | {} | 1-resman |
+| [tag_values](variables-fast.tf#L108) | Root-level tag values. | map(string) | | {} | 1-resman |
 | [vpc_configs](variables.tf#L115) | Optional VPC network configurations. | object({…}) | | {} | |
 | [vpn_onprem_dev_primary_config](variables.tf#L153) | VPN gateway configuration for onprem interconnection from dev in the primary region. | object({…}) | | null | |
 | [vpn_onprem_prod_primary_config](variables.tf#L196) | VPN gateway configuration for onprem interconnection from prod in the primary region. | object({…}) | | null | |
diff --git a/fast/stages/2-networking-c-separate-envs/net-dev.tf b/fast/stages/2-networking-c-separate-envs/net-dev.tf
index cfab30d90..42b966070 100644
--- a/fast/stages/2-networking-c-separate-envs/net-dev.tf
+++ b/fast/stages/2-networking-c-separate-envs/net-dev.tf
@@ -136,12 +136,12 @@ module "dev-firewall-policy" {
 attachments = {
 dev-spoke-0 = module.dev-spoke-vpc.id
 }
- # TODO: add context for security groups
 factories_config = {
 cidr_file_path = var.factories_config.firewall.cidr_file
 egress_rules_file_path = "${var.factories_config.firewall.policy_rules}/dev/egress.yaml"
 ingress_rules_file_path = "${var.factories_config.firewall.policy_rules}/dev/ingress.yaml"
 }
+ security_profile_group_ids = var.security_profile_groups
 }
 
 module "dev-spoke-cloudnat" {
diff --git a/fast/stages/2-networking-c-separate-envs/net-prod.tf b/fast/stages/2-networking-c-separate-envs/net-prod.tf
index 96b0e2c91..77c730381 100644
--- a/fast/stages/2-networking-c-separate-envs/net-prod.tf
+++ b/fast/stages/2-networking-c-separate-envs/net-prod.tf
@@ -136,12 +136,12 @@ module "prod-firewall-policy" {
 attachments = {
 prod-spoke-0 = module.prod-spoke-vpc.id
 }
- # TODO: add context for security groups
 factories_config = {
 cidr_file_path = var.factories_config.firewall.cidr_file
 egress_rules_file_path = "${var.factories_config.firewall.policy_rules}/prod/egress.yaml"
 ingress_rules_file_path = "${var.factories_config.firewall.policy_rules}/prod/ingress.yaml"
 }
+ security_profile_group_ids = var.security_profile_groups
 }
 
 module "prod-spoke-cloudnat" {
diff --git a/fast/stages/2-networking-c-separate-envs/schemas/firewall-policy-rules.schema.json b/fast/stages/2-networking-c-separate-envs/schemas/firewall-policy-rules.schema.json
new file mode 120000
index 000000000..e37a764d2
--- /dev/null
+++ b/fast/stages/2-networking-c-separate-envs/schemas/firewall-policy-rules.schema.json
@@ -0,0 +1 @@
+../../../../modules/net-firewall-policy/schemas/firewall-policy-rules.schema.json
\ No newline at end of file
diff --git a/fast/stages/2-networking-c-separate-envs/variables-fast.tf b/fast/stages/2-networking-c-separate-envs/variables-fast.tf
index dd7f96bf5..c01b3f27f 100644
--- a/fast/stages/2-networking-c-separate-envs/variables-fast.tf
+++ b/fast/stages/2-networking-c-separate-envs/variables-fast.tf
@@ -83,6 +83,14 @@ variable "prefix" {
 }
 }
 
+variable "security_profile_groups" {
+ # tfdoc:variable:source 2-networking-ngfw
+ description = "Security profile group ids used for policy rule substitutions."
+ type = map(string)
+ nullable = false
+ default = {}
+}
+
 variable "stage_config" {
 # tfdoc:variable:source 1-resman
 description = "FAST stage configuration."