diff --git a/fast/stages/2-networking/README.md b/fast/stages/2-networking/README.md
index ae6075610..ba559ec7c 100644
--- a/fast/stages/2-networking/README.md
+++ b/fast/stages/2-networking/README.md
@@ -59,6 +59,7 @@ It currently implements the following:
- **Hub and spoke (w/ NCC)**: Environment-based VPCs interconnected through an NCC full-mesh, resulting in full routing line-of-sight between spokes ([dataset](./datasets/hub-and-spokes-ncc/))
- **Hub and spoke (w/ VPC Peering)**: Environment-based VPCs interconnected through VPC peering, resulting in full isolation between spokes ([dataset](./datasets/hub-and-spokes-peerings/))
+- **Hub and spoke (w/ VPN)**: Environment-based VPCs interconnected through HA VPN, resulting in full isolation between spokes ([dataset](./datasets/hub-and-spokes-vpns/))
### Defaults file
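Review bot: The added bullet's claim of "full isolation between spokes" looks copied from the VPC Peering entry above and conflicts with the dataset this PR adds. The dataset README says traffic between spokes is routed through the hub, and `vpcs/hub/.config.yaml` advertises all of RFC1918 from the hub router, so each spoke learns a route to the others. Suggest wording such as "resulting in spoke-to-spoke traffic transiting the hub".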
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-peerings/README.md b/fast/stages/2-networking/datasets/hub-and-spokes-peerings/README.md
index 082b0ada2..02fefec2d 100644
--- a/fast/stages/2-networking/datasets/hub-and-spokes-peerings/README.md
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-peerings/README.md
@@ -95,17 +95,17 @@ The current setup adopts both firewall types, and uses [hierarchical rules on th
This dataset implements a centralized DNS architecture that handles resolution between GCP and on-premises environments.
-- **Cloud to on-prem:** A [forwarding zone](./dns/zones/net-core-0/fwd-root.yaml) for the `onprem.` domain is configured in the hub VPC. It forwards DNS queries for on-premises resources to the on-premises DNS resolvers.
-- **On-prem to cloud:** An [inbound DNS policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) allows on-premises systems to resolve resources in GCP.
+- **Cloud to on-prem:** A [forwarding zone](./dns/zones/net-core-0/fwd-root.yaml) for the `onprem.` domain is configured in the hub VPC. It forwards DNS queries for on-premises resources to the on-premises DNS resolvers.
+- **On-prem to cloud:** An [inbound DNS policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) allows on-premises systems to resolve resources in GCP.
DNS configuration is centralized in the hub project (`net-core-0`) and shared with the spokes using DNS peering:
-- The **hub** hosts:
- - A top-level private zone for the cloud environment (e.g., `test.`).
- - The forwarding zone to on-premises.
-- The **spokes** (`net-dev-0`, `net-prod-0`) host private zones for their specific subdomains (e.g., `dev.test.`, `prod.test.`). These zones are visible to the hub.
-- A **peering zone** for the `.` (root) domain is configured in the spokes, pointing to the hub. This delegates all DNS resolution from the spokes to the hub, creating a centralized model.
-- **Private Google Access** is enabled via [DNS Response Policies](https://cloud.google.com/dns/docs/zones/manage-response-policies#create-response-policy-rule) for most of the [supported domains](https://cloud.google.com/vpc/docs/configure-private-google-access#domain-options).
+- The **hub** hosts:
+ - A top-level private zone for the cloud environment (e.g., `test.`).
+ - The forwarding zone to on-premises.
+- The **spokes** (`net-dev-0`, `net-prod-0`) host private zones for their specific subdomains (e.g., `dev.test.`, `prod.test.`). These zones are visible to the hub.
+- A **peering zone** for the `.` (root) domain is configured in the spokes, pointing to the hub. This delegates all DNS resolution from the spokes to the hub, creating a centralized model.
+- **Private Google Access** is enabled via [DNS Response Policies](https://cloud.google.com/dns/docs/zones/manage-response-policies#create-response-policy-rule) for most of the [supported domains](https://cloud.google.com/vpc/docs/configure-private-google-access#domain-options).
To complete the configuration, on-premises DNS servers should be configured to forward queries for your cloud domain (e.g., `test.`) to the GCP inbound policy's IP addresses. Additionally, the `35.199.192.0/19` range (used by the inbound forwarder) should be routed over the VPN tunnels from on-premises.
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-peerings/vpcs/prod/subnets/prod-default.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-peerings/vpcs/prod/subnets/prod-default.yaml
index 4796030f3..2706fa9af 100644
--- a/fast/stages/2-networking/datasets/hub-and-spokes-peerings/vpcs/prod/subnets/prod-default.yaml
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-peerings/vpcs/prod/subnets/prod-default.yaml
@@ -5,4 +5,4 @@
name: prod-default
region: $locations:primary
ip_cidr_range: 10.72.0.0/24
-description: Default europe-west12 subnet for prod
+description: Default primary-region subnet for prod
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-vpns/README.md b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/README.md
new file mode 100644
index 000000000..d4d17cac3
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/README.md
@@ -0,0 +1,114 @@
+# Hub and spoke with VPNs
+
+This stage sets up the shared network infrastructure environment, and leverages [HA VPN](https://cloud.google.com/network-connectivity/docs/vpn/concepts/topologies) to implement a Hub and Spoke topology with a hub and two spokes.
+
+This model provides a clear separation between environments while centralizing shared services and connectivity in a hub network. Each spoke is connected to the hub via a dedicated HA VPN connection, ensuring traffic between spokes is routed through the hub.
+
+The following diagram illustrates the high-level design, and should be used as a reference for the following sections.
+
+
+
+ VPN diagram
+
+
+## VPC design
+
+The hub VPC hosts external connectivity to on-premises networks and centralizes DNS configuration.
+
+The default dataset ships two different VPCs, mapping to hypothetical environments (dev and prod). Each VPC is created into its own project, and each project is configured as a Shared VPC host, so that network-related resources and access configurations via IAM are kept separate for each VPC.
+
+The design easily lends itself to implementing additional environments, or adopting a different logical mapping for spokes (e.g., one spoke for each company entity, etc.).
+
+## IP ranges, subnetting, routing
+
+Minimizing the number of routes (and subnets) in use on the cloud environment is an important consideration, as it simplifies management and avoids hitting [Cloud Router](https://cloud.google.com/network-connectivity/docs/router/quotas) and [VPC](https://cloud.google.com/vpc/docs/quota) quotas and limits. For this reason, we recommend careful planning of the IP space used in your cloud environment, to be able to use large IP CIDR blocks in routes whenever possible.
+
+This stage uses a dedicated /16 block (which should of course be sized to your needs) for each region in each VPC, and subnets created in each VPC should derive their ranges from the relevant block.
+
+The Prod Spoke VPC also defines and reserves - as an example - two "special" CIDR ranges dedicated to [PSA (Private Service Access)](https://cloud.google.com/vpc/docs/private-services-access) and [Internal Application Load Balancers (L7 LBs)](https://cloud.google.com/load-balancing/docs/l7-internal).
+
+Routes in GCP are either automatically created for VPC subnets, manually created via static routes, or dynamically programmed by [Cloud Routers](https://cloud.google.com/network-connectivity/docs/router#docs) via BGP sessions.
+
+In this dataset:
+
+- routes between multiple subnets within the same VPC are automatically programmed by GCP
+- each spoke exchanges routes with the hub via BGP over the HA VPN tunnels.
+- on-premises is connected to the hub VPC and dynamically exchanges BGP routes with GCP using HA VPN. The hub's Cloud Router then advertises these routes (all of RFC1918) to the spoke VPCs.
+
+### VPN Configuration
+
+HA VPN connections are defined in the `vpcs/[vpc-name]/vpns` directory. The hub VPC has VPNs connecting to each spoke, and the spokes have corresponding VPNs connecting back to the hub.
+
+For example, the connection from the hub to the `prod` spoke is defined in `vpcs/hub/vpns/to-prod.yaml`:
+
+```yaml
+name: to-prod
+region: europe-west8
+peer_gateways:
+ default:
+ gcp: $vpn_gateways:prod/to-hub
+router_config:
+ create: false
+ name: $routers:hub/vpn-router
+# ...
+```
+
+And the corresponding connection from the `prod` spoke to the hub is in `vpcs/prod/vpns/to-hub.yaml`:
+
+```yaml
+name: to-hub
+region: europe-west8
+peer_gateways:
+ default:
+ gcp: $vpn_gateways:hub/to-prod
+router_config:
+ create: false
+ name: $routers:prod/vpn-router
+# ...
+```
+
+For more information about cross-referencing resources, please check the [main README.md file](../../README.md).
+
+### Internet egress
+
+Cloud NAT provides the simplest path for internet egress. This setup uses Cloud NAT, which is enabled by default on the primary region in the hub VPC. All spokes route internet-bound traffic through the hub.
+
+e.g. in `vpcs/hub/.config.yaml`:
+
+```yaml
+# [...]
+nat_config:
+ nat-ew8:
+ region: europe-west8
+# [...]
+```
+
+Several other scenarios are possible through ad-hoc implementations, with varying degrees of complexity:
+
+- A forward proxy (including [SWP](https://cloud.google.com/secure-web-proxy/docs/overview)), with optional URL filters.
+- A default route to on-prem to leverage existing egress infrastructure.
+- A full-fledged perimeter firewall to control egress and implement additional security features like IPS.
+
+### VPC and Hierarchical Firewall
+
+The GCP Firewall is a stateful, distributed feature that allows the creation of L4 policies, either via VPC-level rules or more recently via hierarchical policies applied on the resource hierarchy (organization, folders).
+
+The current setup adopts both firewall types, and uses [hierarchical rules on the Networking folder](./firewall-policies/networking-policy.yaml) for common ingress rules, e.g., from health check or IAP forwarders ranges, and [VPC rules](./vpcs/prod/firewall-rules) for the environment or workload-level ingress.
+
+### DNS
+
+This dataset implements a centralized DNS architecture that handles resolution between GCP and on-premises environments.
+
+- **Cloud to on-prem:** A [forwarding zone](./dns/zones/net-core-0/fwd-root.yaml) for the `onprem.` domain is configured in the hub VPC. It forwards DNS queries for on-premises resources to the on-premises DNS resolvers.
+- **On-prem to cloud:** An [inbound DNS policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) allows on-premises systems to resolve resources in GCP.
+
+DNS configuration is centralized in the hub project (`net-core-0`) and shared with the spokes using DNS peering:
+
+- The **hub** hosts:
+ - A top-level private zone for the cloud environment (e.g., `test.`).
+ - The forwarding zone to on-premises.
+- The **spokes** (`net-dev-0`, `net-prod-0`) host private zones for their specific subdomains (e.g., `dev.test.`, `prod.test.`). These zones are visible to the hub.
+- A **peering zone** for the `.` (root) domain is configured in the spokes, pointing to the hub. This delegates all DNS resolution from the spokes to the hub, creating a centralized model.
+- **Private Google Access** is enabled via [DNS Response Policies](https://cloud.google.com/dns/docs/zones/manage-response-policies#create-response-policy-rule) for most of the [supported domains](https://cloud.google.com/vpc/docs/configure-private-google-access#domain-options).
+
+To complete the configuration, on-premises DNS servers should be configured to forward queries for your cloud domain (e.g., `test.`) to the GCP inbound policy's IP addresses. Additionally, the `35.199.192.0/19` range (used by the inbound forwarder) should be routed over the VPN tunnels from on-premises.
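Review bot: In "Internet egress", the statement that all spokes route internet-bound traffic through the hub is not backed by the configuration in this PR. `vpcs/dev/.config.yaml` sets `delete_default_routes_on_create: false`, so the spoke keeps its own default route, and the hub router's `custom_advertise` covers only the three RFC1918 ranges, not a default route. Either advertise a default route from the hub and drop the spoke default route, or reword the paragraph to describe what the dataset actually configures.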
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-vpns/defaults.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/defaults.yaml
new file mode 100644
index 000000000..baa14c8b2
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/defaults.yaml
@@ -0,0 +1,39 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+context:
+ cidr_ranges_sets:
+ healthchecks:
+ - 35.191.0.0/16
+ - 130.211.0.0/22
+ - 209.85.152.0/22
+ - 209.85.204.0/22
+ rfc1918:
+ - 10.0.0.0/8
+ - 172.16.0.0/12
+ - 192.168.0.0/16
+ locations:
+ primary: europe-west8
+ secondary: europe-west12
+ iam_principals: {}
+
+projects:
+ defaults:
+ locations:
+ storage: eu
+
+vpcs:
+ auto_create_subnetworks: false
+ delete_default_route_on_create: true
+ mtu: 1500
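Review bot: Under `vpcs:`, the key is spelled `delete_default_route_on_create` (singular "route"), while the per-VPC files in this dataset use `delete_default_routes_on_create` (plural). If the schema expects the plural form this default never takes effect, so please align the spelling. The default here is also `true` while both visible VPC configs (`dev` and `hub`) override it to `false`, so it is worth confirming which behaviour is meant to be the baseline.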
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-vpns/diagram.png b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/diagram.png
new file mode 100644
index 000000000..c071ccf1b
Binary files /dev/null and b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/diagram.png differ
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-vpns/diagram.svg b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/diagram.svg
new file mode 100644
index 000000000..52f424f7b
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/diagram.svg
@@ -0,0 +1,2788 @@
+
+
+
+
+
+ image/svg+xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-vpns/dns/response-policies/net-core-0.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/dns/response-policies/net-core-0.yaml
new file mode 100644
index 000000000..e6a0ab7f5
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/dns/response-policies/net-core-0.yaml
@@ -0,0 +1,156 @@
+# skip boilerplate check
+---
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../../../schemas/dns-response-policy-rules.schema.json
+
+project_id: $project_ids:net-core-0
+networks:
+ - $networks:hub
+ - $networks:prod
+ - $networks:dev
+rules:
+ accounts:
+ dns_name: "accounts.google.com."
+ behavior: bypassResponsePolicy
+ aiplatform-notebook-cloud-all:
+ dns_name: "*.aiplatform-notebook.cloud.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ aiplatform-notebook-gu-all:
+ dns_name: "*.aiplatform-notebook.googleusercontent.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ appengine:
+ dns_name: "appengine.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ appspot-all:
+ dns_name: "*.appspot.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ backupdr-cloud:
+ dns_name: "backupdr.cloud.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ backupdr-cloud-all:
+ dns_name: "*.backupdr.cloud.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ backupdr-gu:
+ dns_name: "backupdr.googleusercontent.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ backupdr-gu-all:
+ dns_name: "*.backupdr.googleusercontent.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ cloudfunctions:
+ dns_name: "*.cloudfunctions.net."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ cloudproxy:
+ dns_name: "*.cloudproxy.app."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ composer-cloud-all:
+ dns_name: "*.composer.cloud.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ composer-gu-all:
+ dns_name: "*.composer.googleusercontent.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ datafusion-all:
+ dns_name: "*.datafusion.cloud.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ datafusion-gu-all:
+ dns_name: "*.datafusion.googleusercontent.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ dataproc:
+ dns_name: "dataproc.cloud.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ dataproc-all:
+ dns_name: "*.dataproc.cloud.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ dataproc-gu:
+ dns_name: "dataproc.googleusercontent.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ dataproc-gu-all:
+ dns_name: "*.dataproc.googleusercontent.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ dl:
+ dns_name: "dl.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ gcr:
+ dns_name: "gcr.io."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ gcr-all:
+ dns_name: "*.gcr.io."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ gke-all:
+ dns_name: "*.gke.goog."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ googleapis-all:
+ dns_name: "*.googleapis.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ googleapis-private:
+ dns_name: "private.googleapis.com."
+ local_data:
+ A:
+ rrdatas:
+ - 199.36.153.8
+ - 199.36.153.9
+ - 199.36.153.10
+ - 199.36.153.11
+ AAAA:
+ rrdatas:
+ - "2600:2d00:2:2000::"
+ googleapis-restricted:
+ dns_name: "restricted.googleapis.com."
+ local_data:
+ A:
+ rrdatas:
+ - 199.36.153.4
+ - 199.36.153.5
+ - 199.36.153.6
+ - 199.36.153.7
+ AAAA:
+ rrdatas:
+ - "2600:2d00:2:1000::"
+ gstatic-all:
+ dns_name: "*.gstatic.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ kernels-gu:
+ dns_name: "kernels.googleusercontent.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ kernels-gu-all:
+ dns_name: "*.kernels.googleusercontent.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ ltsapis-all:
+ dns_name: "*.ltsapis.goog."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ notebooks:
+ dns_name: "notebooks.cloud.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ notebooks-all:
+ dns_name: "*.notebooks.cloud.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ notebooks-gu-all:
+ dns_name: "*.notebooks.googleusercontent.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ packages-cloud:
+ dns_name: "packages.cloud.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ packages-cloud-all:
+ dns_name: "*.packages.cloud.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ pkgdev:
+ dns_name: "pkg.dev."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ pkgdev-all:
+ dns_name: "*.pkg.dev."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ pkigoog:
+ dns_name: "pki.goog."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ pkigoog-all:
+ dns_name: "*.pki.goog."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ run-all:
+ dns_name: "*.run.app."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ source:
+ dns_name: "source.developers.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
+ storage:
+ dns_name: "storage.cloud.google.com."
+ local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
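Review bot: In `backupdr-gu` and `backupdr-gu-all`, the `dns_name` values end in `googleusercontent.google.com.`, whereas every other `*-gu` rule in this file uses `googleusercontent.com.` (for example `dataproc.googleusercontent.com.`). This looks like a typo that would leave the intended domain outside the response policy. Suggest `backupdr.googleusercontent.com.` and `*.backupdr.googleusercontent.com.` if that is the domain meant.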
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-vpns/dns/zones/net-core-0/fwd-root.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/dns/zones/net-core-0/fwd-root.yaml
new file mode 100644
index 000000000..6db3e36b8
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/dns/zones/net-core-0/fwd-root.yaml
@@ -0,0 +1,14 @@
+# skip boilerplate check
+---
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../../../../schemas/dns.schema.json
+
+project_id: $project_ids:net-core-0
+domain: onprem.
+forwarding:
+ forwarders:
+ "8.8.8.8": default
+ "1.1.1.1": default
+ client_networks:
+ - $networks:hub
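Review bot: The `forwarders` for the `onprem.` zone are `8.8.8.8` and `1.1.1.1`, which are public resolvers rather than the on-premises DNS servers the dataset README describes. Applied unchanged, queries for internal `onprem.` names from the hub would go to third-party resolvers, which discloses internal hostnames and cannot return a useful answer. Suggest placeholder private addresses with a comment that they must be replaced before apply. The file name `fwd-root.yaml` also does not match the `onprem.` domain it configures.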
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-vpns/dns/zones/net-core-0/peer-root.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/dns/zones/net-core-0/peer-root.yaml
new file mode 100644
index 000000000..3d5a3fe3f
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/dns/zones/net-core-0/peer-root.yaml
@@ -0,0 +1,13 @@
+# skip boilerplate check
+---
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../../../../schemas/dns.schema.json
+
+project_id: $project_ids:net-core-0
+domain: .
+peering:
+ peer_network: $networks:hub
+ client_networks:
+ - $networks:prod
+ - $networks:dev
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-vpns/dns/zones/net-core-0/pvt-test.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/dns/zones/net-core-0/pvt-test.yaml
new file mode 100644
index 000000000..0369f0c42
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/dns/zones/net-core-0/pvt-test.yaml
@@ -0,0 +1,14 @@
+# skip boilerplate check
+---
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../../../../schemas/dns.schema.json
+
+project_id: $project_ids:net-core-0
+domain: test.
+private:
+ client_networks:
+ - $networks:hub
+recordsets:
+ "A localhost":
+ records: ["127.0.0.1"]
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-vpns/dns/zones/net-dev-0/pvt-dev-test.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/dns/zones/net-dev-0/pvt-dev-test.yaml
new file mode 100644
index 000000000..b7fc735e9
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/dns/zones/net-dev-0/pvt-dev-test.yaml
@@ -0,0 +1,15 @@
+# skip boilerplate check
+---
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../../../../schemas/dns.schema.json
+
+project_id: $project_ids:net-dev-0
+domain: dev.test.
+private:
+ client_networks:
+ - $networks:hub
+ - $networks:dev
+recordsets:
+ "A localhost":
+ records: ["127.0.0.1"]
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-vpns/dns/zones/net-prod-0/pvt-prod-test.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/dns/zones/net-prod-0/pvt-prod-test.yaml
new file mode 100644
index 000000000..c74ea25bd
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/dns/zones/net-prod-0/pvt-prod-test.yaml
@@ -0,0 +1,15 @@
+# skip boilerplate check
+---
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../../../../schemas/dns.schema.json
+
+project_id: $project_ids:net-prod-0
+domain: prod.test.
+private:
+ client_networks:
+ - $networks:hub
+ - $networks:prod
+recordsets:
+ "A localhost":
+ records: ["127.0.0.1"]
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-vpns/firewall-policies/networking-policy.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/firewall-policies/networking-policy.yaml
new file mode 100644
index 000000000..029de7a53
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/firewall-policies/networking-policy.yaml
@@ -0,0 +1,55 @@
+# skip boilerplate check
+
+# yaml-language-server: $schema=../../../schemas/firewall-policy.schema.json
+
+parent_id: $folder_ids:networking
+attachments:
+ networking: $folder_ids:networking
+name: network-policy
+ingress_rules:
+ allow-healthchecks:
+ description: Enable SSH, HTTP and HTTPS healthchecks
+ priority: 1001
+ match:
+ source_ranges:
+ - $cidr_ranges_sets:healthchecks
+ layer4_configs:
+ - protocol: tcp
+ ports: ["22", "80", "443"]
+
+ allow-ssh-from-iap:
+ description: Enable SSH from IAP
+ priority: 1002
+ enable_logging: true
+ match:
+ source_ranges:
+ - 35.235.240.0/20
+ layer4_configs:
+ - protocol: tcp
+ ports: ["22"]
+
+ allow-icmp:
+ description: Enable ICMP
+ priority: 1003
+ match:
+ source_ranges:
+ - 0.0.0.0/0
+ layer4_configs:
+ - protocol: icmp
+
+ allow-nat-ranges:
+ description: Enable NAT ranges for VPC serverless connector
+ priority: 1004
+ match:
+ source_ranges:
+ - 107.178.230.64/26
+ - 35.199.224.0/19
+egress_rules:
+ deny-example-ip:
+ description: Allow internal traffic within the VPC
+ priority: 2000
+ match:
+ destination_ranges:
+ - 1.2.3.4/32
+ layer4_configs:
+ - protocol: all
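Review bot: In `egress_rules`, `deny-example-ip` is named as a deny rule but its description reads "Allow internal traffic within the VPC", and the rule sets no action, so its effect depends on the schema default. Please set the action explicitly and make the description match the rule (it targets `1.2.3.4/32`, not internal ranges). Separately, `allow-nat-ranges` has no `layer4_configs`, unlike the other ingress rules; if that means all protocols and ports, narrow it or document the intent. Only `allow-ssh-from-iap` sets `enable_logging`.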
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-vpns/projects/net-core-0.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/projects/net-core-0.yaml
new file mode 100644
index 000000000..d6cdbe32f
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/projects/net-core-0.yaml
@@ -0,0 +1,19 @@
+# skip boilerplate check
+---
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../../schemas/project.schema.json
+name: prod-net-core-0
+parent: $folder_ids:networking
+services:
+ - container.googleapis.com
+ - compute.googleapis.com
+ - dns.googleapis.com
+ - iap.googleapis.com
+ - networkmanagement.googleapis.com
+ - networksecurity.googleapis.com
+ - servicenetworking.googleapis.com
+ - stackdriver.googleapis.com
+ - vpcaccess.googleapis.com
+shared_vpc_host_config:
+ enabled: true
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-vpns/projects/net-dev-0.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/projects/net-dev-0.yaml
new file mode 100644
index 000000000..29e3c4f5c
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/projects/net-dev-0.yaml
@@ -0,0 +1,20 @@
+# skip boilerplate check
+---
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../../schemas/project.schema.json
+
+name: dev-net-dev-0
+parent: $folder_ids:networking/dev
+services:
+ - container.googleapis.com
+ - compute.googleapis.com
+ - dns.googleapis.com
+ - iap.googleapis.com
+ - networkmanagement.googleapis.com
+ - networksecurity.googleapis.com
+ - servicenetworking.googleapis.com
+ - stackdriver.googleapis.com
+ - vpcaccess.googleapis.com
+shared_vpc_host_config:
+ enabled: true
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-vpns/projects/net-prod-0.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/projects/net-prod-0.yaml
new file mode 100644
index 000000000..fe344a677
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/projects/net-prod-0.yaml
@@ -0,0 +1,20 @@
+# skip boilerplate check
+---
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../../schemas/project.schema.json
+
+name: prod-net-prod-0
+parent: $folder_ids:networking/prod
+services:
+ - container.googleapis.com
+ - compute.googleapis.com
+ - dns.googleapis.com
+ - iap.googleapis.com
+ - networkmanagement.googleapis.com
+ - networksecurity.googleapis.com
+ - servicenetworking.googleapis.com
+ - stackdriver.googleapis.com
+ - vpcaccess.googleapis.com
+shared_vpc_host_config:
+ enabled: true
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/dev/.config.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/dev/.config.yaml
new file mode 100644
index 000000000..efe5bea57
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/dev/.config.yaml
@@ -0,0 +1,14 @@
+# skip boilerplate check
+---
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../../../schemas/vpc.schema.json
+
+project_id: $project_ids:net-dev-0
+name: dev
+delete_default_routes_on_create: false
+mtu: 1500
+routers:
+ vpn-router:
+ region: europe-west8
+ asn: 64516
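Review bot: The `vpn-router` `region` is hard-coded to `europe-west8`, while the subnet files in this dataset use the `$locations:primary` and `$locations:secondary` context values from `defaults.yaml`. If the interpolation is supported here, use `$locations:primary` so that changing the primary location in the defaults does not leave the router (and `vpns/to-hub.yaml`, which hard-codes the same region) behind. `mtu: 1500` also repeats the value already set under `vpcs:` in `defaults.yaml`.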
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/dev/firewall-rules/default-ingress.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/dev/firewall-rules/default-ingress.yaml
new file mode 100644
index 000000000..77cbf3327
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/dev/firewall-rules/default-ingress.yaml
@@ -0,0 +1,13 @@
+# skip boilerplate check
+---
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../../schemas/firewall-rules.schema.json
+
+ingress:
+ ingress-default-dev-deny:
+ description: "Deny and log any unmatched ingress traffic."
+ deny: true
+ priority: 65535
+ enable_logging:
+ include_metadata: false
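Review bot: The `yaml-language-server` schema path in the comment line uses three `../` segments, but this file sits at the same depth as `vpcs/dev/subnets/dev-default.yaml`, which uses five (`../../../../../schemas/subnet.schema.json`), and `vpcs/dev/.config.yaml`, one level up, uses four. As written the path resolves inside the dataset directory, so editors will not validate the file; it should be `../../../../../schemas/firewall-rules.schema.json`. Also, the description says "Deny and log" while `include_metadata: false` limits what the log records; please confirm that is intended.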
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/dev/subnets/dev-default.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/dev/subnets/dev-default.yaml
new file mode 100644
index 000000000..b5252833a
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/dev/subnets/dev-default.yaml
@@ -0,0 +1,8 @@
+# skip boilerplate check
+
+# yaml-language-server: $schema=../../../../../schemas/subnet.schema.json
+
+name: dev-default
+region: $locations:secondary
+ip_cidr_range: 10.73.0.0/24
+description: Default europe-west12 subnet for dev
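Review bot: `region` is `$locations:secondary` (`europe-west12` in `defaults.yaml`), but the dev `vpn-router` and the `to-hub` VPN are both in `europe-west8`. With regional dynamic routing a Cloud Router only advertises subnets in its own region, and learned routes only apply there, so unless the VPC's routing mode is set to global elsewhere this subnet would not be reachable over the VPN. Either move the subnet to `$locations:primary` or set the routing mode explicitly. The `description` also hard-codes `europe-west12`; this PR changes the equivalent line in the peerings dataset to "Default primary-region subnet for prod", so region-neutral wording belongs here too.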
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/dev/vpns/to-hub.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/dev/vpns/to-hub.yaml
new file mode 100644
index 000000000..532a50739
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/dev/vpns/to-hub.yaml
@@ -0,0 +1,37 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: to-hub
+region: europe-west8
+peer_gateways:
+ default:
+ gcp: $vpn_gateways:hub/to-dev
+router_config:
+ create: false
+ name: $routers:dev/vpn-router
+tunnels:
+ remote-0:
+ shared_secret: foobar
+ bgp_peer:
+ address: 169.254.3.2
+ asn: 64514
+ bgp_session_range: "169.254.3.1/30"
+ vpn_gateway_interface: 0
+ remote-1:
+ shared_secret: foobar
+ bgp_peer:
+ address: 169.254.3.6
+ asn: 64514
+ bgp_session_range: "169.254.3.5/30"
+ vpn_gateway_interface: 1
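Review bot: `shared_secret: foobar` on both tunnels puts a guessable IKE pre-shared key into a dataset that users are expected to copy as a starting point, and the same value is reused on every hub and spoke tunnel in this patch. Please use an obviously invalid placeholder with a comment saying it must be replaced, or document how the secret is meant to be supplied outside the repository. Separately, `region: europe-west8` is hard-coded here although the subnet files use `$locations:` values and the `vpn-ha` module context passes `locations`; if the factory interpolates `region`, a context reference would keep the dataset portable.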
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/hub/.config.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/hub/.config.yaml
new file mode 100644
index 000000000..c7ed4999d
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/hub/.config.yaml
@@ -0,0 +1,27 @@
+# skip boilerplate check
+---
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../../../schemas/vpc.schema.json
+
+project_id: $project_ids:net-core-0
+name: hub
+delete_default_routes_on_create: false
+nat_config:
+ nat-ew8:
+ region: europe-west8
+routers:
+ vpn-router:
+ region: europe-west8
+ asn: 64514
+ custom_advertise:
+ ip_ranges:
+ "10.0.0.0/8": "rfc1918-10"
+ "172.16.0.0/12": "rfc1918-172"
+ "192.168.0.0/16": "rfc1918-192"
+routes:
+ gateway:
+ dest_range: "8.8.8.8/32"
+ priority: 100
+ next_hop_type: "gateway"
+ next_hop: "default-internet-gateway"
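Review bot: `custom_advertise.ip_ranges` on `vpn-router` announces all three RFC 1918 aggregates, and that one router is shared by the `to-dev`, `to-prod` and `to-onprem` VPNs, so every BGP peer, on-premises included, receives `10.0.0.0/8`, `172.16.0.0/12` and `192.168.0.0/16`. Each spoke therefore learns a route through the hub that covers the other spoke's subnet (`10.72.0.0/24`, `10.73.0.0/24`). Can you confirm this matches the "full isolation between spokes" wording added to the stage README, and say in the dataset README which control enforces the isolation? The `gateway` route for `8.8.8.8/32` also needs a comment explaining why it is there.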
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/hub/firewall-rules/default-ingress.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/hub/firewall-rules/default-ingress.yaml
new file mode 100644
index 000000000..6b24210d5
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/hub/firewall-rules/default-ingress.yaml
@@ -0,0 +1,13 @@
+# skip boilerplate check
+---
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../../schemas/firewall-rules.schema.json
+
+ingress:
+ ingress-default-landing-deny:
+ description: "Deny and log any unmatched ingress traffic."
+ deny: true
+ priority: 65535
+ enable_logging:
+ include_metadata: false
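Review bot: the rule is named `ingress-default-landing-deny`, but this VPC is `name: hub` and the spoke files follow the pattern `ingress-default-dev-deny` and `ingress-default-prod-deny`. The `landing` name will make firewall log entries harder to attribute to this network; `ingress-default-hub-deny` would match the convention.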
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/hub/subnets/hub-default.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/hub/subnets/hub-default.yaml
new file mode 100644
index 000000000..80129f09f
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/hub/subnets/hub-default.yaml
@@ -0,0 +1,8 @@
+# skip boilerplate check
+
+# yaml-language-server: $schema=../../../../../schemas/subnet.schema.json
+
+name: hub-default
+region: $locations:secondary
+ip_cidr_range: 10.71.0.0/24
+description: Default europe-west12 subnet for hub
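Review bot: this subnet is placed in `$locations:secondary` (described as europe-west12), while the hub's `nat-ew8` NAT, its `vpn-router` and all hub VPN gateways are pinned to `europe-west8`. Cloud NAT is regional, so if the two locations differ the only hub subnet gets no NAT coverage. Either place the subnet in the same region as the NAT and router or add a comment explaining why the split is intended.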
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/hub/vpns/onprem.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/hub/vpns/onprem.yaml
new file mode 100644
index 000000000..664d56c96
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/hub/vpns/onprem.yaml
@@ -0,0 +1,42 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: to-onprem
+region: europe-west8
+peer_gateways:
+ default:
+ external:
+ redundancy_type: SINGLE_IP_INTERNALLY_REDUNDANT
+ interfaces:
+ - 8.8.8.8
+router_config:
+ create: false
+ name: $routers:hub/vpn-router
+tunnels:
+ remote-0:
+ bgp_peer:
+ address: 169.254.128.1
+ asn: 64513
+ bgp_session_range: "169.254.128.2/30"
+ peer_external_gateway_interface: 0
+ shared_secret: "mySecret"
+ vpn_gateway_interface: 0
+ remote-1:
+ bgp_peer:
+ address: 169.254.128.5
+ asn: 64513
+ bgp_session_range: "169.254.128.6/30"
+ peer_external_gateway_interface: 0
+ shared_secret: "mySecret"
+ vpn_gateway_interface: 1
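Review bot: the external peer interface is set to `8.8.8.8`, which is a live public address (Google Public DNS) rather than a placeholder, so applying the dataset unmodified points both tunnels at a real third-party host. An address from a documentation range such as `192.0.2.0/24` (RFC 5737), with a comment that it must be replaced, makes the intent unambiguous. `shared_secret: "mySecret"` has the same problem as the spoke tunnels: mark it clearly as a value that must be replaced.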
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/hub/vpns/to-dev.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/hub/vpns/to-dev.yaml
new file mode 100644
index 000000000..54763fcc5
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/hub/vpns/to-dev.yaml
@@ -0,0 +1,37 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: to-dev
+region: europe-west8
+peer_gateways:
+ default:
+ gcp: $vpn_gateways:dev/to-hub
+router_config:
+ create: false
+ name: $routers:hub/vpn-router
+tunnels:
+ remote-0:
+ shared_secret: foobar
+ bgp_peer:
+ address: 169.254.3.1
+ asn: 64516
+ bgp_session_range: "169.254.3.2/30"
+ vpn_gateway_interface: 0
+ remote-1:
+ shared_secret: foobar
+ bgp_peer:
+ address: 169.254.3.5
+ asn: 64516
+ bgp_session_range: "169.254.3.6/30"
+ vpn_gateway_interface: 1
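Review bot: this file has no `# yaml-language-server: $schema=...` comment, unlike the VPC, subnet and firewall files in the same dataset, so editors will not validate keys such as `bgp_session_range` or `vpn_gateway_interface`. If a schema for VPN files exists under `schemas/`, please reference it here and in the other `vpns/*.yaml` files.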
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/hub/vpns/to-prod.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/hub/vpns/to-prod.yaml
new file mode 100644
index 000000000..d23f8ca82
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/hub/vpns/to-prod.yaml
@@ -0,0 +1,37 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: to-prod
+region: europe-west8
+peer_gateways:
+ default:
+ gcp: $vpn_gateways:prod/to-hub
+router_config:
+ create: false
+ name: $routers:hub/vpn-router
+tunnels:
+ remote-0:
+ shared_secret: foobar
+ bgp_peer:
+ address: 169.254.2.1
+ asn: 64515
+ bgp_session_range: "169.254.2.2/30"
+ vpn_gateway_interface: 0
+ remote-1:
+ shared_secret: foobar
+ bgp_peer:
+ address: 169.254.2.5
+ asn: 64515
+ bgp_session_range: "169.254.2.6/30"
+ vpn_gateway_interface: 1
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/prod/.config.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/prod/.config.yaml
new file mode 100644
index 000000000..c3bbe8235
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/prod/.config.yaml
@@ -0,0 +1,14 @@
+# skip boilerplate check
+---
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../../../schemas/vpc.schema.json
+
+project_id: $project_ids:net-prod-0
+name: prod
+delete_default_routes_on_create: false
+mtu: 1500
+routers:
+ vpn-router:
+ region: europe-west8
+ asn: 64515
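Review bot: `mtu: 1500` is set on prod only, while the hub `.config.yaml` in this patch sets no MTU. With all prod traffic to the hub and on-premises crossing HA VPN tunnels, a larger MTU on one side than the other invites fragmentation or path MTU problems. Please either drop the override or add a comment explaining why prod needs it and how the tunnel overhead is accounted for.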
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/prod/firewall-rules/default-ingress.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/prod/firewall-rules/default-ingress.yaml
new file mode 100644
index 000000000..cd99ce114
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/prod/firewall-rules/default-ingress.yaml
@@ -0,0 +1,13 @@
+# skip boilerplate check
+---
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../../schemas/firewall-rules.schema.json
+
+ingress:
+ ingress-default-prod-deny:
+ description: "Deny and log any unmatched ingress traffic."
+ deny: true
+ priority: 65535
+ enable_logging:
+ include_metadata: false
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/prod/subnets/prod-default.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/prod/subnets/prod-default.yaml
new file mode 100644
index 000000000..2706fa9af
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/prod/subnets/prod-default.yaml
@@ -0,0 +1,8 @@
+# skip boilerplate check
+
+# yaml-language-server: $schema=../../../../../schemas/subnet.schema.json
+
+name: prod-default
+region: $locations:primary
+ip_cidr_range: 10.72.0.0/24
+description: Default primary-region subnet for prod
diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/prod/vpns/to-hub.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/prod/vpns/to-hub.yaml
new file mode 100644
index 000000000..70cb3bede
--- /dev/null
+++ b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/prod/vpns/to-hub.yaml
@@ -0,0 +1,37 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: to-hub
+region: europe-west8
+peer_gateways:
+ default:
+ gcp: $vpn_gateways:hub/to-prod
+router_config:
+ create: false
+ name: $routers:prod/vpn-router
+tunnels:
+ remote-0:
+ shared_secret: foobar
+ bgp_peer:
+ address: 169.254.2.2
+ asn: 64514
+ bgp_session_range: "169.254.2.1/30"
+ vpn_gateway_interface: 0
+ remote-1:
+ shared_secret: foobar
+ bgp_peer:
+ address: 169.254.2.6
+ asn: 64514
+ bgp_session_range: "169.254.2.5/30"
+ vpn_gateway_interface: 1
diff --git a/fast/stages/2-networking/factory-vpns.tf b/fast/stages/2-networking/factory-vpns.tf
index 89cbb759e..357938de0 100644
--- a/fast/stages/2-networking/factory-vpns.tf
+++ b/fast/stages/2-networking/factory-vpns.tf
@@ -85,10 +85,10 @@ module "vpn-ha" {
}
}
context = {
- gateways = local.ctx_gateways
- locations = local.ctx.locations
- network = local.ctx_vpcs.names
- project_ids = local.ctx_projects.project_ids
- routers = local.ctx_routers.names
+ locations = local.ctx.locations
+ network = local.ctx_vpcs.names
+ project_ids = local.ctx_projects.project_ids
+ routers = local.ctx_routers.names
+ vpn_gateways = local.ctx_gateways
}
}
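Review bot: renaming the context key from `gateways` to `vpn_gateways` is a breaking change for any existing dataset that references the old namespace in `peer_gateways`, and nothing in this hunk keeps the old key working. Please confirm no other dataset or doc still uses the old name, and mention the rename in the changelog or README so users with custom datasets know to update.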
diff --git a/fast/stages/2-networking/schemas/vpc.schema.json b/fast/stages/2-networking/schemas/vpc.schema.json
index ccb940c5e..f7a9462ac 100644
--- a/fast/stages/2-networking/schemas/vpc.schema.json
+++ b/fast/stages/2-networking/schemas/vpc.schema.json
@@ -338,6 +338,22 @@
},
"asn": {
"type": "number"
+ },
+ "custom_advertise": {
+ "type": "object",
+ "properties": {
+ "all_subnets": {
+ "type": "boolean"
+ },
+ "ip_ranges": {
+ "type": "object",
+ "patternProperties": {
+ ".*": {
+ "type": "string"
+ }
+ }
+ }
+ }
}
}
}
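Review bot: the new `custom_advertise` object is very permissive. It has no `additionalProperties: false`, so a misspelled key such as `ip_range` passes validation, and `patternProperties` with `.*` accepts any string as a range key. Since these values end up as BGP advertisements, consider closing the object and constraining the `ip_ranges` keys with a CIDR pattern.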
diff --git a/tests/fast/stages/s2_networking/peerings.yaml b/tests/fast/stages/s2_networking/peerings.yaml
index c3d6f3bed..3c4a3610e 100644
--- a/tests/fast/stages/s2_networking/peerings.yaml
+++ b/tests/fast/stages/s2_networking/peerings.yaml
@@ -1845,7 +1845,7 @@ values:
send_secondary_ip_range_if_empty: null
timeouts: null
module.vpcs["prod"].google_compute_subnetwork.subnetwork["europe-west8/prod-default"]:
- description: Default europe-west12 subnet for prod
+ description: Default primary-region subnet for prod
ip_cidr_range: 10.72.0.0/24
ip_collection: null
ipv6_access_type: null
diff --git a/tests/fast/stages/s2_networking/tftest.yaml b/tests/fast/stages/s2_networking/tftest.yaml
index 33e38f453..b1a6a8b90 100644
--- a/tests/fast/stages/s2_networking/tftest.yaml
+++ b/tests/fast/stages/s2_networking/tftest.yaml
@@ -17,3 +17,4 @@ module: fast/stages/2-networking
tests:
peerings:
ncc:
+ vpns:
diff --git a/tests/fast/stages/s2_networking/vpns.tfvars b/tests/fast/stages/s2_networking/vpns.tfvars
new file mode 100644
index 000000000..3f9585bd5
--- /dev/null
+++ b/tests/fast/stages/s2_networking/vpns.tfvars
@@ -0,0 +1,38 @@
+automation = {
+ outputs_bucket = "test"
+}
+billing_account = {
+ id = "000000-111111-222222"
+}
+factories_config = {
+ defaults = "datasets/hub-and-spokes-vpns/defaults.yaml"
+ dns = "datasets/hub-and-spokes-vpns/dns/zones"
+ dns-response-policies = "datasets/hub-and-spokes-vpns/dns/response-policies"
+ firewall-policies = "datasets/hub-and-spokes-vpns/firewall-policies"
+ folders = "datasets/hub-and-spokes-vpns/folders"
+ interconnect = "datasets/hub-and-spokes-vpns/interconnect"
+ ncc-hubs = "datasets/hub-and-spokes-vpns/ncc-hubs"
+ nvas = "datasets/hub-and-spokes-vpns/nvas"
+ projects = "datasets/hub-and-spokes-vpns/projects"
+ vpcs = "datasets/hub-and-spokes-vpns/vpcs"
+}
+
+folder_ids = {
+ "networking" = "folders/12345678"
+ "networking/prod" = "folders/23456789"
+ "networking/dev" = "folders/34567890"
+}
+organization = {
+ domain = "fast.example.com"
+ id = 123456789012
+ customer_id = "C00000000"
+}
+prefix = "fast"
+service_accounts = {
+ "iac-0/iac-pf-rw" = "iac-pf-rw@test.iam.gserviceaccount.com"
+ "iac-0/iac-pf-ro" = "iac-pf-ro@test.iam.gserviceaccount.com"
+}
+tag_values = {
+ "environment/development" = "tagValues/12345"
+ "environment/production" = "tagValues/12346"
+}
diff --git a/tests/fast/stages/s2_networking/vpns.yaml b/tests/fast/stages/s2_networking/vpns.yaml
new file mode 100644
index 000000000..d7df4d67f
--- /dev/null
+++ b/tests/fast/stages/s2_networking/vpns.yaml
@@ -0,0 +1,2475 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ google_compute_ha_vpn_gateway.default["dev/to-hub"]:
+ description: null
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ gateway_ip_version: IPV4
+ labels: null
+ name: dev-to-hub
+ network: dev
+ project: fast-dev-net-dev-0
+ region: europe-west8
+ stack_type: IPV4_ONLY
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ google_compute_ha_vpn_gateway.default["hub/to-dev"]:
+ description: null
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ gateway_ip_version: IPV4
+ labels: null
+ name: hub-to-dev
+ network: hub
+ project: fast-prod-net-core-0
+ region: europe-west8
+ stack_type: IPV4_ONLY
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ google_compute_ha_vpn_gateway.default["hub/to-onprem"]:
+ description: null
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ gateway_ip_version: IPV4
+ labels: null
+ name: hub-to-onprem
+ network: hub
+ project: fast-prod-net-core-0
+ region: europe-west8
+ stack_type: IPV4_ONLY
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ google_compute_ha_vpn_gateway.default["hub/to-prod"]:
+ description: null
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ gateway_ip_version: IPV4
+ labels: null
+ name: hub-to-prod
+ network: hub
+ project: fast-prod-net-core-0
+ region: europe-west8
+ stack_type: IPV4_ONLY
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ google_compute_ha_vpn_gateway.default["prod/to-hub"]:
+ description: null
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ gateway_ip_version: IPV4
+ labels: null
+ name: prod-to-hub
+ network: prod
+ project: fast-prod-net-prod-0
+ region: europe-west8
+ stack_type: IPV4_ONLY
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ google_compute_router.default["dev/vpn-router"]:
+ bgp:
+ - advertise_mode: DEFAULT
+ advertised_groups: []
+ advertised_ip_ranges: []
+ asn: 64516
+ keepalive_interval: 20
+ description: null
+ encrypted_interconnect_router: null
+ md5_authentication_keys: []
+ name: dev-vpn-router
+ project: fast-dev-net-dev-0
+ region: europe-west8
+ timeouts: null
+ google_compute_router.default["hub/vpn-router"]:
+ bgp:
+ - advertise_mode: CUSTOM
+ advertised_groups: []
+ advertised_ip_ranges:
+ - description: rfc1918-10
+ range: 10.0.0.0/8
+ - description: rfc1918-172
+ range: 172.16.0.0/12
+ - description: rfc1918-192
+ range: 192.168.0.0/16
+ asn: 64514
+ keepalive_interval: 20
+ description: null
+ encrypted_interconnect_router: null
+ md5_authentication_keys: []
+ name: hub-vpn-router
+ project: fast-prod-net-core-0
+ region: europe-west8
+ timeouts: null
+ google_compute_router.default["prod/vpn-router"]:
+ bgp:
+ - advertise_mode: DEFAULT
+ advertised_groups: []
+ advertised_ip_ranges: []
+ asn: 64515
+ keepalive_interval: 20
+ description: null
+ encrypted_interconnect_router: null
+ md5_authentication_keys: []
+ name: prod-vpn-router
+ project: fast-prod-net-prod-0
+ region: europe-west8
+ timeouts: null
+ google_storage_bucket_object.tfvars["1"]:
+ bucket: test
+ cache_control: null
+ content_disposition: null
+ content_encoding: null
+ content_language: null
+ customer_encryption: []
+ deletion_policy: null
+ detect_md5hash: different hash
+ event_based_hold: null
+ force_empty_content_type: null
+ metadata: null
+ name: tfvars/2-networking.auto.tfvars.json
+ retention: []
+ source: null
+ source_md5hash: null
+ temporary_hold: null
+ timeouts: null
+ google_storage_bucket_object.version["1"]:
+ bucket: test
+ cache_control: null
+ content_disposition: null
+ content_encoding: null
+ content_language: null
+ customer_encryption: []
+ deletion_policy: null
+ detect_md5hash: different hash
+ event_based_hold: null
+ force_empty_content_type: null
+ metadata: null
+ name: versions/2-networking-version.txt
+ retention: []
+ source: fast_version.txt
+ source_md5hash: null
+ temporary_hold: null
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy.default[0]:
+ description: Terraform managed.
+ gke_clusters: []
+ networks:
+ - {}
+ - {}
+ - {}
+ project: fast-prod-net-core-0
+ response_policy_name: net-core-0
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["accounts"]:
+ behavior: bypassResponsePolicy
+ dns_name: accounts.google.com.
+ local_data: []
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: accounts
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["aiplatform-notebook-cloud-all"]:
+ behavior: null
+ dns_name: "*.aiplatform-notebook.cloud.google.com."
+ local_data:
+ - local_datas:
+ - name: "*.aiplatform-notebook.cloud.google.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: aiplatform-notebook-cloud-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["aiplatform-notebook-gu-all"]:
+ behavior: null
+ dns_name: "*.aiplatform-notebook.googleusercontent.com."
+ local_data:
+ - local_datas:
+ - name: "*.aiplatform-notebook.googleusercontent.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: aiplatform-notebook-gu-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["appengine"]:
+ behavior: null
+ dns_name: appengine.google.com.
+ local_data:
+ - local_datas:
+ - name: appengine.google.com.
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: appengine
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["appspot-all"]:
+ behavior: null
+ dns_name: "*.appspot.com."
+ local_data:
+ - local_datas:
+ - name: "*.appspot.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: appspot-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["backupdr-cloud"]:
+ behavior: null
+ dns_name: backupdr.cloud.google.com.
+ local_data:
+ - local_datas:
+ - name: backupdr.cloud.google.com.
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: backupdr-cloud
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["backupdr-cloud-all"]:
+ behavior: null
+ dns_name: "*.backupdr.cloud.google.com."
+ local_data:
+ - local_datas:
+ - name: "*.backupdr.cloud.google.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: backupdr-cloud-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["backupdr-gu"]:
+ behavior: null
+ dns_name: backupdr.googleusercontent.google.com.
+ local_data:
+ - local_datas:
+ - name: backupdr.googleusercontent.google.com.
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: backupdr-gu
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["backupdr-gu-all"]:
+ behavior: null
+ dns_name: "*.backupdr.googleusercontent.google.com."
+ local_data:
+ - local_datas:
+ - name: "*.backupdr.googleusercontent.google.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: backupdr-gu-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["cloudfunctions"]:
+ behavior: null
+ dns_name: "*.cloudfunctions.net."
+ local_data:
+ - local_datas:
+ - name: "*.cloudfunctions.net."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: cloudfunctions
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["cloudproxy"]:
+ behavior: null
+ dns_name: "*.cloudproxy.app."
+ local_data:
+ - local_datas:
+ - name: "*.cloudproxy.app."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: cloudproxy
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["composer-cloud-all"]:
+ behavior: null
+ dns_name: "*.composer.cloud.google.com."
+ local_data:
+ - local_datas:
+ - name: "*.composer.cloud.google.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: composer-cloud-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["composer-gu-all"]:
+ behavior: null
+ dns_name: "*.composer.googleusercontent.com."
+ local_data:
+ - local_datas:
+ - name: "*.composer.googleusercontent.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: composer-gu-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["datafusion-all"]:
+ behavior: null
+ dns_name: "*.datafusion.cloud.google.com."
+ local_data:
+ - local_datas:
+ - name: "*.datafusion.cloud.google.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: datafusion-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["datafusion-gu-all"]:
+ behavior: null
+ dns_name: "*.datafusion.googleusercontent.com."
+ local_data:
+ - local_datas:
+ - name: "*.datafusion.googleusercontent.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: datafusion-gu-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["dataproc"]:
+ behavior: null
+ dns_name: dataproc.cloud.google.com.
+ local_data:
+ - local_datas:
+ - name: dataproc.cloud.google.com.
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: dataproc
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["dataproc-all"]:
+ behavior: null
+ dns_name: "*.dataproc.cloud.google.com."
+ local_data:
+ - local_datas:
+ - name: "*.dataproc.cloud.google.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: dataproc-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["dataproc-gu"]:
+ behavior: null
+ dns_name: dataproc.googleusercontent.com.
+ local_data:
+ - local_datas:
+ - name: dataproc.googleusercontent.com.
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: dataproc-gu
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["dataproc-gu-all"]:
+ behavior: null
+ dns_name: "*.dataproc.googleusercontent.com."
+ local_data:
+ - local_datas:
+ - name: "*.dataproc.googleusercontent.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: dataproc-gu-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["dl"]:
+ behavior: null
+ dns_name: dl.google.com.
+ local_data:
+ - local_datas:
+ - name: dl.google.com.
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: dl
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["gcr"]:
+ behavior: null
+ dns_name: gcr.io.
+ local_data:
+ - local_datas:
+ - name: gcr.io.
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: gcr
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["gcr-all"]:
+ behavior: null
+ dns_name: "*.gcr.io."
+ local_data:
+ - local_datas:
+ - name: "*.gcr.io."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: gcr-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["gke-all"]:
+ behavior: null
+ dns_name: "*.gke.goog."
+ local_data:
+ - local_datas:
+ - name: "*.gke.goog."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: gke-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["googleapis-all"]:
+ behavior: null
+ dns_name: "*.googleapis.com."
+ local_data:
+ - local_datas:
+ - name: "*.googleapis.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: googleapis-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["googleapis-private"]:
+ behavior: null
+ dns_name: private.googleapis.com.
+ local_data:
+ - local_datas:
+ - name: private.googleapis.com.
+ rrdatas:
+ - 199.36.153.8
+ - 199.36.153.9
+ - 199.36.153.10
+ - 199.36.153.11
+ ttl: null
+ type: A
+ - name: private.googleapis.com.
+ rrdatas:
+ - "2600:2d00:2:2000::"
+ ttl: null
+ type: AAAA
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: googleapis-private
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["googleapis-restricted"]:
+ behavior: null
+ dns_name: restricted.googleapis.com.
+ local_data:
+ - local_datas:
+ - name: restricted.googleapis.com.
+ rrdatas:
+ - 199.36.153.4
+ - 199.36.153.5
+ - 199.36.153.6
+ - 199.36.153.7
+ ttl: null
+ type: A
+ - name: restricted.googleapis.com.
+ rrdatas:
+ - "2600:2d00:2:1000::"
+ ttl: null
+ type: AAAA
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: googleapis-restricted
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["gstatic-all"]:
+ behavior: null
+ dns_name: "*.gstatic.com."
+ local_data:
+ - local_datas:
+ - name: "*.gstatic.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: gstatic-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["kernels-gu"]:
+ behavior: null
+ dns_name: kernels.googleusercontent.com.
+ local_data:
+ - local_datas:
+ - name: kernels.googleusercontent.com.
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: kernels-gu
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["kernels-gu-all"]:
+ behavior: null
+ dns_name: "*.kernels.googleusercontent.com."
+ local_data:
+ - local_datas:
+ - name: "*.kernels.googleusercontent.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: kernels-gu-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["ltsapis-all"]:
+ behavior: null
+ dns_name: "*.ltsapis.goog."
+ local_data:
+ - local_datas:
+ - name: "*.ltsapis.goog."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: ltsapis-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["notebooks"]:
+ behavior: null
+ dns_name: notebooks.cloud.google.com.
+ local_data:
+ - local_datas:
+ - name: notebooks.cloud.google.com.
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: notebooks
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["notebooks-all"]:
+ behavior: null
+ dns_name: "*.notebooks.cloud.google.com."
+ local_data:
+ - local_datas:
+ - name: "*.notebooks.cloud.google.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: notebooks-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["notebooks-gu-all"]:
+ behavior: null
+ dns_name: "*.notebooks.googleusercontent.com."
+ local_data:
+ - local_datas:
+ - name: "*.notebooks.googleusercontent.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: notebooks-gu-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["packages-cloud"]:
+ behavior: null
+ dns_name: packages.cloud.google.com.
+ local_data:
+ - local_datas:
+ - name: packages.cloud.google.com.
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: packages-cloud
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["packages-cloud-all"]:
+ behavior: null
+ dns_name: "*.packages.cloud.google.com."
+ local_data:
+ - local_datas:
+ - name: "*.packages.cloud.google.com."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: packages-cloud-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["pkgdev"]:
+ behavior: null
+ dns_name: pkg.dev.
+ local_data:
+ - local_datas:
+ - name: pkg.dev.
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: pkgdev
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["pkgdev-all"]:
+ behavior: null
+ dns_name: "*.pkg.dev."
+ local_data:
+ - local_datas:
+ - name: "*.pkg.dev."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: pkgdev-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["pkigoog"]:
+ behavior: null
+ dns_name: pki.goog.
+ local_data:
+ - local_datas:
+ - name: pki.goog.
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: pkigoog
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["pkigoog-all"]:
+ behavior: null
+ dns_name: "*.pki.goog."
+ local_data:
+ - local_datas:
+ - name: "*.pki.goog."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: pkigoog-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["run-all"]:
+ behavior: null
+ dns_name: "*.run.app."
+ local_data:
+ - local_datas:
+ - name: "*.run.app."
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: run-all
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["source"]:
+ behavior: null
+ dns_name: source.developers.google.com.
+ local_data:
+ - local_datas:
+ - name: source.developers.google.com.
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: source
+ timeouts: null
+ module.dns-response-policies["net-core-0"].google_dns_response_policy_rule.default["storage"]:
+ behavior: null
+ dns_name: storage.cloud.google.com.
+ local_data:
+ - local_datas:
+ - name: storage.cloud.google.com.
+ rrdatas:
+ - private.googleapis.com.
+ ttl: null
+ type: CNAME
+ project: fast-prod-net-core-0
+ response_policy: net-core-0
+ rule_name: storage
+ timeouts: null
+ module.dns-zones["net-core-0/fwd-root"].google_dns_managed_zone.dns_managed_zone[0]:
+ cloud_logging_config:
+ - enable_logging: false
+ description: Terraform-managed.
+ dns_name: onprem.
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ force_destroy: false
+ forwarding_config:
+ - target_name_servers:
+ - domain_name: ""
+ forwarding_path: default
+ ipv4_address: 1.1.1.1
+ - domain_name: ""
+ forwarding_path: default
+ ipv4_address: 8.8.8.8
+ labels: null
+ name: net-core-0-fwd-root
+ peering_config: []
+ private_visibility_config:
+ - gke_clusters: []
+ networks:
+ - {}
+ project: fast-prod-net-core-0
+ reverse_lookup: false
+ service_directory_config: []
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ visibility: private
+ module.dns-zones["net-core-0/peer-root"].google_dns_managed_zone.dns_managed_zone[0]:
+ cloud_logging_config:
+ - enable_logging: false
+ description: Terraform-managed.
+ dns_name: .
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ force_destroy: false
+ forwarding_config: []
+ labels: null
+ name: net-core-0-peer-root
+ peering_config:
+ - target_network:
+ - {}
+ private_visibility_config:
+ - gke_clusters: []
+ networks:
+ - {}
+ - {}
+ project: fast-prod-net-core-0
+ reverse_lookup: false
+ service_directory_config: []
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ visibility: private
+ module.dns-zones["net-core-0/pvt-test"].google_dns_managed_zone.dns_managed_zone[0]:
+ cloud_logging_config:
+ - enable_logging: false
+ description: Terraform-managed.
+ dns_name: test.
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ force_destroy: false
+ forwarding_config: []
+ labels: null
+ name: net-core-0-pvt-test
+ peering_config: []
+ private_visibility_config:
+ - gke_clusters: []
+ networks:
+ - {}
+ project: fast-prod-net-core-0
+ reverse_lookup: false
+ service_directory_config: []
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ visibility: private
+ module.dns-zones["net-core-0/pvt-test"].google_dns_record_set.dns_record_set["A localhost"]:
+ managed_zone: net-core-0-pvt-test
+ name: localhost.test.
+ project: fast-prod-net-core-0
+ routing_policy: []
+ rrdatas:
+ - 127.0.0.1
+ ttl: 300
+ type: A
+ module.dns-zones["net-dev-0/pvt-dev-test"].google_dns_managed_zone.dns_managed_zone[0]:
+ cloud_logging_config:
+ - enable_logging: false
+ description: Terraform-managed.
+ dns_name: dev.test.
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ force_destroy: false
+ forwarding_config: []
+ labels: null
+ name: net-dev-0-pvt-dev-test
+ peering_config: []
+ private_visibility_config:
+ - gke_clusters: []
+ networks:
+ - {}
+ - {}
+ project: fast-dev-net-dev-0
+ reverse_lookup: false
+ service_directory_config: []
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ visibility: private
+ module.dns-zones["net-dev-0/pvt-dev-test"].google_dns_record_set.dns_record_set["A localhost"]:
+ managed_zone: net-dev-0-pvt-dev-test
+ name: localhost.dev.test.
+ project: fast-dev-net-dev-0
+ routing_policy: []
+ rrdatas:
+ - 127.0.0.1
+ ttl: 300
+ type: A
+ module.dns-zones["net-prod-0/pvt-prod-test"].google_dns_managed_zone.dns_managed_zone[0]:
+ cloud_logging_config:
+ - enable_logging: false
+ description: Terraform-managed.
+ dns_name: prod.test.
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ force_destroy: false
+ forwarding_config: []
+ labels: null
+ name: net-prod-0-pvt-prod-test
+ peering_config: []
+ private_visibility_config:
+ - gke_clusters: []
+ networks:
+ - {}
+ - {}
+ project: fast-prod-net-prod-0
+ reverse_lookup: false
+ service_directory_config: []
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ visibility: private
+ module.dns-zones["net-prod-0/pvt-prod-test"].google_dns_record_set.dns_record_set["A localhost"]:
+ managed_zone: net-prod-0-pvt-prod-test
+ name: localhost.prod.test.
+ project: fast-prod-net-prod-0
+ routing_policy: []
+ rrdatas:
+ - 127.0.0.1
+ ttl: 300
+ type: A
+ module.firewall["dev"].google_compute_firewall.custom-rules["ingress-default-dev-deny"]:
+ allow: []
+ deny:
+ - ports: []
+ protocol: all
+ description: Deny and log any unmatched ingress traffic.
+ direction: INGRESS
+ disabled: false
+ log_config:
+ - metadata: EXCLUDE_ALL_METADATA
+ name: ingress-default-dev-deny
+ network: dev
+ priority: 65535
+ project: fast-dev-net-dev-0
+ source_ranges:
+ - 0.0.0.0/0
+ source_service_accounts: null
+ source_tags: null
+ target_service_accounts: null
+ target_tags: null
+ timeouts: null
+ module.firewall["hub"].google_compute_firewall.custom-rules["ingress-default-landing-deny"]:
+ allow: []
+ deny:
+ - ports: []
+ protocol: all
+ description: Deny and log any unmatched ingress traffic.
+ direction: INGRESS
+ disabled: false
+ log_config:
+ - metadata: EXCLUDE_ALL_METADATA
+ name: ingress-default-landing-deny
+ network: hub
+ priority: 65535
+ project: fast-prod-net-core-0
+ source_ranges:
+ - 0.0.0.0/0
+ source_service_accounts: null
+ source_tags: null
+ target_service_accounts: null
+ target_tags: null
+ timeouts: null
+ module.firewall["prod"].google_compute_firewall.custom-rules["ingress-default-prod-deny"]:
+ allow: []
+ deny:
+ - ports: []
+ protocol: all
+ description: Deny and log any unmatched ingress traffic.
+ direction: INGRESS
+ disabled: false
+ log_config:
+ - metadata: EXCLUDE_ALL_METADATA
+ name: ingress-default-prod-deny
+ network: prod
+ priority: 65535
+ project: fast-prod-net-prod-0
+ source_ranges:
+ - 0.0.0.0/0
+ source_service_accounts: null
+ source_tags: null
+ target_service_accounts: null
+ target_tags: null
+ timeouts: null
+ module.firewall_policies["network-policy"].google_compute_firewall_policy.hierarchical[0]:
+ description: null
+ parent: folders/12345678
+ short_name: network-policy
+ timeouts: null
+ module.firewall_policies["network-policy"].google_compute_firewall_policy_association.hierarchical["networking"]:
+ attachment_target: folders/12345678
+ name: network-policy-networking
+ timeouts: null
+ module.firewall_policies["network-policy"].google_compute_firewall_policy_rule.hierarchical["egress/deny-example-ip"]:
+ action: deny
+ description: Allow internal traffic within the VPC
+ direction: EGRESS
+ disabled: false
+ enable_logging: null
+ match:
+ - dest_address_groups: null
+ dest_fqdns: null
+ dest_ip_ranges:
+ - 1.2.3.4/32
+ dest_region_codes: null
+ dest_threat_intelligences: null
+ layer4_configs:
+ - ip_protocol: all
+ ports: null
+ src_address_groups: null
+ src_fqdns: null
+ src_ip_ranges: null
+ src_region_codes: null
+ src_secure_tags: []
+ src_threat_intelligences: null
+ priority: 2000
+ security_profile_group: null
+ target_resources: null
+ target_secure_tags: []
+ target_service_accounts: null
+ timeouts: null
+ tls_inspect: null
+ module.firewall_policies["network-policy"].google_compute_firewall_policy_rule.hierarchical["ingress/allow-healthchecks"]:
+ action: allow
+ description: Enable SSH, HTTP and HTTPS healthchecks
+ direction: INGRESS
+ disabled: false
+ enable_logging: null
+ match:
+ - dest_address_groups: null
+ dest_fqdns: null
+ dest_ip_ranges: null
+ dest_region_codes: null
+ dest_threat_intelligences: null
+ layer4_configs:
+ - ip_protocol: tcp
+ ports:
+ - "22"
+ - "80"
+ - "443"
+ src_address_groups: null
+ src_fqdns: null
+ src_ip_ranges:
+ - 35.191.0.0/16
+ - 130.211.0.0/22
+ - 209.85.152.0/22
+ - 209.85.204.0/22
+ src_region_codes: null
+ src_secure_tags: []
+ src_threat_intelligences: null
+ priority: 1001
+ security_profile_group: null
+ target_resources: null
+ target_secure_tags: []
+ target_service_accounts: null
+ timeouts: null
+ tls_inspect: null
+ module.firewall_policies["network-policy"].google_compute_firewall_policy_rule.hierarchical["ingress/allow-icmp"]:
+ action: allow
+ description: Enable ICMP
+ direction: INGRESS
+ disabled: false
+ enable_logging: null
+ match:
+ - dest_address_groups: null
+ dest_fqdns: null
+ dest_ip_ranges: null
+ dest_region_codes: null
+ dest_threat_intelligences: null
+ layer4_configs:
+ - ip_protocol: icmp
+ ports: null
+ src_address_groups: null
+ src_fqdns: null
+ src_ip_ranges:
+ - 0.0.0.0/0
+ src_region_codes: null
+ src_secure_tags: []
+ src_threat_intelligences: null
+ priority: 1003
+ security_profile_group: null
+ target_resources: null
+ target_secure_tags: []
+ target_service_accounts: null
+ timeouts: null
+ tls_inspect: null
+ module.firewall_policies["network-policy"].google_compute_firewall_policy_rule.hierarchical["ingress/allow-nat-ranges"]:
+ action: allow
+ description: Enable NAT ranges for VPC serverless connector
+ direction: INGRESS
+ disabled: false
+ enable_logging: null
+ match:
+ - dest_address_groups: null
+ dest_fqdns: null
+ dest_ip_ranges: null
+ dest_region_codes: null
+ dest_threat_intelligences: null
+ layer4_configs:
+ - ip_protocol: all
+ ports: null
+ src_address_groups: null
+ src_fqdns: null
+ src_ip_ranges:
+ - 107.178.230.64/26
+ - 35.199.224.0/19
+ src_region_codes: null
+ src_secure_tags: []
+ src_threat_intelligences: null
+ priority: 1004
+ security_profile_group: null
+ target_resources: null
+ target_secure_tags: []
+ target_service_accounts: null
+ timeouts: null
+ tls_inspect: null
+ module.firewall_policies["network-policy"].google_compute_firewall_policy_rule.hierarchical["ingress/allow-ssh-from-iap"]:
+ action: allow
+ description: Enable SSH from IAP
+ direction: INGRESS
+ disabled: false
+ enable_logging: true
+ match:
+ - dest_address_groups: null
+ dest_fqdns: null
+ dest_ip_ranges: null
+ dest_region_codes: null
+ dest_threat_intelligences: null
+ layer4_configs:
+ - ip_protocol: tcp
+ ports:
+ - "22"
+ src_address_groups: null
+ src_fqdns: null
+ src_ip_ranges:
+ - 35.235.240.0/20
+ src_region_codes: null
+ src_secure_tags: []
+ src_threat_intelligences: null
+ priority: 1002
+ security_profile_group: null
+ target_resources: null
+ target_secure_tags: []
+ target_service_accounts: null
+ timeouts: null
+ tls_inspect: null
+ module.nat["hub/nat-ew8"].google_compute_router.router[0]:
+ bgp: []
+ description: null
+ encrypted_interconnect_router: null
+ md5_authentication_keys: []
+ name: hub-nat-ew8-nat
+ project: fast-prod-net-core-0
+ region: europe-west8
+ timeouts: null
+ module.nat["hub/nat-ew8"].google_compute_router_nat.nat:
+ enable_dynamic_port_allocation: false
+ enable_endpoint_independent_mapping: true
+ icmp_idle_timeout_sec: 30
+ initial_nat_ips: null
+ log_config:
+ - enable: false
+ filter: ALL
+ max_ports_per_vm: 65536
+ name: hub-nat-ew8
+ nat64_subnetwork: []
+ nat_ip_allocate_option: AUTO_ONLY
+ project: fast-prod-net-core-0
+ region: europe-west8
+ router: hub-nat-ew8-nat
+ rules: []
+ source_subnetwork_ip_ranges_to_nat: ALL_SUBNETWORKS_ALL_IP_RANGES
+ source_subnetwork_ip_ranges_to_nat64: null
+ subnetwork: []
+ tcp_established_idle_timeout_sec: 1200
+ tcp_time_wait_timeout_sec: 120
+ tcp_transitory_idle_timeout_sec: 30
+ timeouts: null
+ type: PUBLIC
+ udp_idle_timeout_sec: 30
+ module.projects.module.projects-iam["net-core-0"].google_compute_shared_vpc_host_project.shared_vpc_host[0]:
+ project: fast-prod-net-core-0
+ timeouts: null
+ module.projects.module.projects-iam["net-dev-0"].google_compute_shared_vpc_host_project.shared_vpc_host[0]:
+ project: fast-dev-net-dev-0
+ timeouts: null
+ module.projects.module.projects-iam["net-prod-0"].google_compute_shared_vpc_host_project.shared_vpc_host[0]:
+ project: fast-prod-net-prod-0
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project.project[0]:
+ auto_create_network: false
+ billing_account: 000000-111111-222222
+ deletion_policy: DELETE
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ folder_id: "12345678"
+ labels: null
+ name: fast-prod-net-core-0
+ org_id: null
+ project_id: fast-prod-net-core-0
+ tags: null
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_iam_member.service_agents["compute-system"]:
+ condition: []
+ project: fast-prod-net-core-0
+ role: roles/compute.serviceAgent
+ module.projects.module.projects["net-core-0"].google_project_iam_member.service_agents["container-engine-robot"]:
+ condition: []
+ project: fast-prod-net-core-0
+ role: roles/container.serviceAgent
+ module.projects.module.projects["net-core-0"].google_project_iam_member.service_agents["dns"]:
+ condition: []
+ project: fast-prod-net-core-0
+ role: roles/dns.serviceAgent
+ module.projects.module.projects["net-core-0"].google_project_iam_member.service_agents["gkenode"]:
+ condition: []
+ project: fast-prod-net-core-0
+ role: roles/container.defaultNodeServiceAgent
+ module.projects.module.projects["net-core-0"].google_project_iam_member.service_agents["networkmanagement"]:
+ condition: []
+ project: fast-prod-net-core-0
+ role: roles/networkmanagement.serviceAgent
+ module.projects.module.projects["net-core-0"].google_project_iam_member.service_agents["service-networking"]:
+ condition: []
+ project: fast-prod-net-core-0
+ role: roles/servicenetworking.serviceAgent
+ module.projects.module.projects["net-core-0"].google_project_iam_member.service_agents["vpcaccess"]:
+ condition: []
+ project: fast-prod-net-core-0
+ role: roles/vpcaccess.serviceAgent
+ module.projects.module.projects["net-core-0"].google_project_service.project_services["compute.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-core-0
+ service: compute.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_service.project_services["container.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-core-0
+ service: container.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_service.project_services["dns.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-core-0
+ service: dns.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_service.project_services["iap.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-core-0
+ service: iap.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_service.project_services["networkmanagement.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-core-0
+ service: networkmanagement.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_service.project_services["networksecurity.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-core-0
+ service: networksecurity.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_service.project_services["servicenetworking.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-core-0
+ service: servicenetworking.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_service.project_services["stackdriver.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-core-0
+ service: stackdriver.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_service.project_services["vpcaccess.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-core-0
+ service: vpcaccess.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_service_identity.default["container.googleapis.com"]:
+ project: fast-prod-net-core-0
+ service: container.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_service_identity.default["dns.googleapis.com"]:
+ project: fast-prod-net-core-0
+ service: dns.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_service_identity.default["iap.googleapis.com"]:
+ project: fast-prod-net-core-0
+ service: iap.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_service_identity.default["networkmanagement.googleapis.com"]:
+ project: fast-prod-net-core-0
+ service: networkmanagement.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_service_identity.default["networksecurity.googleapis.com"]:
+ project: fast-prod-net-core-0
+ service: networksecurity.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_service_identity.default["servicenetworking.googleapis.com"]:
+ project: fast-prod-net-core-0
+ service: servicenetworking.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-core-0"].google_project_service_identity.default["vpcaccess.googleapis.com"]:
+ project: fast-prod-net-core-0
+ service: vpcaccess.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project.project[0]:
+ auto_create_network: false
+ billing_account: 000000-111111-222222
+ deletion_policy: DELETE
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ folder_id: "34567890"
+ labels: null
+ name: fast-dev-net-dev-0
+ org_id: null
+ project_id: fast-dev-net-dev-0
+ tags: null
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_iam_member.service_agents["compute-system"]:
+ condition: []
+ project: fast-dev-net-dev-0
+ role: roles/compute.serviceAgent
+ module.projects.module.projects["net-dev-0"].google_project_iam_member.service_agents["container-engine-robot"]:
+ condition: []
+ project: fast-dev-net-dev-0
+ role: roles/container.serviceAgent
+ module.projects.module.projects["net-dev-0"].google_project_iam_member.service_agents["dns"]:
+ condition: []
+ project: fast-dev-net-dev-0
+ role: roles/dns.serviceAgent
+ module.projects.module.projects["net-dev-0"].google_project_iam_member.service_agents["gkenode"]:
+ condition: []
+ project: fast-dev-net-dev-0
+ role: roles/container.defaultNodeServiceAgent
+ module.projects.module.projects["net-dev-0"].google_project_iam_member.service_agents["networkmanagement"]:
+ condition: []
+ project: fast-dev-net-dev-0
+ role: roles/networkmanagement.serviceAgent
+ module.projects.module.projects["net-dev-0"].google_project_iam_member.service_agents["service-networking"]:
+ condition: []
+ project: fast-dev-net-dev-0
+ role: roles/servicenetworking.serviceAgent
+ module.projects.module.projects["net-dev-0"].google_project_iam_member.service_agents["vpcaccess"]:
+ condition: []
+ project: fast-dev-net-dev-0
+ role: roles/vpcaccess.serviceAgent
+ module.projects.module.projects["net-dev-0"].google_project_service.project_services["compute.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-dev-net-dev-0
+ service: compute.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_service.project_services["container.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-dev-net-dev-0
+ service: container.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_service.project_services["dns.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-dev-net-dev-0
+ service: dns.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_service.project_services["iap.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-dev-net-dev-0
+ service: iap.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_service.project_services["networkmanagement.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-dev-net-dev-0
+ service: networkmanagement.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_service.project_services["networksecurity.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-dev-net-dev-0
+ service: networksecurity.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_service.project_services["servicenetworking.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-dev-net-dev-0
+ service: servicenetworking.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_service.project_services["stackdriver.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-dev-net-dev-0
+ service: stackdriver.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_service.project_services["vpcaccess.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-dev-net-dev-0
+ service: vpcaccess.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_service_identity.default["container.googleapis.com"]:
+ project: fast-dev-net-dev-0
+ service: container.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_service_identity.default["dns.googleapis.com"]:
+ project: fast-dev-net-dev-0
+ service: dns.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_service_identity.default["iap.googleapis.com"]:
+ project: fast-dev-net-dev-0
+ service: iap.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_service_identity.default["networkmanagement.googleapis.com"]:
+ project: fast-dev-net-dev-0
+ service: networkmanagement.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_service_identity.default["networksecurity.googleapis.com"]:
+ project: fast-dev-net-dev-0
+ service: networksecurity.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_service_identity.default["servicenetworking.googleapis.com"]:
+ project: fast-dev-net-dev-0
+ service: servicenetworking.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-dev-0"].google_project_service_identity.default["vpcaccess.googleapis.com"]:
+ project: fast-dev-net-dev-0
+ service: vpcaccess.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project.project[0]:
+ auto_create_network: false
+ billing_account: 000000-111111-222222
+ deletion_policy: DELETE
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ folder_id: "23456789"
+ labels: null
+ name: fast-prod-net-prod-0
+ org_id: null
+ project_id: fast-prod-net-prod-0
+ tags: null
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_iam_member.service_agents["compute-system"]:
+ condition: []
+ project: fast-prod-net-prod-0
+ role: roles/compute.serviceAgent
+ module.projects.module.projects["net-prod-0"].google_project_iam_member.service_agents["container-engine-robot"]:
+ condition: []
+ project: fast-prod-net-prod-0
+ role: roles/container.serviceAgent
+ module.projects.module.projects["net-prod-0"].google_project_iam_member.service_agents["dns"]:
+ condition: []
+ project: fast-prod-net-prod-0
+ role: roles/dns.serviceAgent
+ module.projects.module.projects["net-prod-0"].google_project_iam_member.service_agents["gkenode"]:
+ condition: []
+ project: fast-prod-net-prod-0
+ role: roles/container.defaultNodeServiceAgent
+ module.projects.module.projects["net-prod-0"].google_project_iam_member.service_agents["networkmanagement"]:
+ condition: []
+ project: fast-prod-net-prod-0
+ role: roles/networkmanagement.serviceAgent
+ module.projects.module.projects["net-prod-0"].google_project_iam_member.service_agents["service-networking"]:
+ condition: []
+ project: fast-prod-net-prod-0
+ role: roles/servicenetworking.serviceAgent
+ module.projects.module.projects["net-prod-0"].google_project_iam_member.service_agents["vpcaccess"]:
+ condition: []
+ project: fast-prod-net-prod-0
+ role: roles/vpcaccess.serviceAgent
+ module.projects.module.projects["net-prod-0"].google_project_service.project_services["compute.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-prod-0
+ service: compute.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_service.project_services["container.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-prod-0
+ service: container.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_service.project_services["dns.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-prod-0
+ service: dns.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_service.project_services["iap.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-prod-0
+ service: iap.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_service.project_services["networkmanagement.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-prod-0
+ service: networkmanagement.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_service.project_services["networksecurity.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-prod-0
+ service: networksecurity.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_service.project_services["servicenetworking.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-prod-0
+ service: servicenetworking.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_service.project_services["stackdriver.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-prod-0
+ service: stackdriver.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_service.project_services["vpcaccess.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-net-prod-0
+ service: vpcaccess.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_service_identity.default["container.googleapis.com"]:
+ project: fast-prod-net-prod-0
+ service: container.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_service_identity.default["dns.googleapis.com"]:
+ project: fast-prod-net-prod-0
+ service: dns.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_service_identity.default["iap.googleapis.com"]:
+ project: fast-prod-net-prod-0
+ service: iap.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_service_identity.default["networkmanagement.googleapis.com"]:
+ project: fast-prod-net-prod-0
+ service: networkmanagement.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_service_identity.default["networksecurity.googleapis.com"]:
+ project: fast-prod-net-prod-0
+ service: networksecurity.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_service_identity.default["servicenetworking.googleapis.com"]:
+ project: fast-prod-net-prod-0
+ service: servicenetworking.googleapis.com
+ timeouts: null
+ module.projects.module.projects["net-prod-0"].google_project_service_identity.default["vpcaccess.googleapis.com"]:
+ project: fast-prod-net-prod-0
+ service: vpcaccess.googleapis.com
+ timeouts: null
+ module.projects.terraform_data.defaults_preconditions:
+ input: null
+ output: null
+ triggers_replace: null
+ module.vpc_routes["hub"].google_compute_route.gateway["gateway"]:
+ description: Terraform-managed.
+ dest_range: 8.8.8.8/32
+ name: hub-gateway
+ network: hub
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 100
+ project: fast-prod-net-core-0
+ tags: null
+ timeouts: null
+ module.vpcs["dev"].google_compute_network.network[0]:
+ auto_create_subnetworks: false
+ delete_default_routes_on_create: false
+ description: Terraform managed
+ enable_ula_internal_ipv6: null
+ mtu: 1500
+ name: dev
+ network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
+ network_profile: null
+ project: fast-dev-net-dev-0
+ routing_mode: GLOBAL
+ timeouts: null
+ module.vpcs["dev"].google_compute_route.gateway["directpath-googleapis"]:
+ description: Terraform-managed.
+ dest_range: 34.126.0.0/18
+ name: dev-directpath-googleapis
+ network: dev
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 1000
+ project: fast-dev-net-dev-0
+ tags: null
+ timeouts: null
+ module.vpcs["dev"].google_compute_route.gateway["private-googleapis"]:
+ description: Terraform-managed.
+ dest_range: 199.36.153.8/30
+ name: dev-private-googleapis
+ network: dev
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 1000
+ project: fast-dev-net-dev-0
+ tags: null
+ timeouts: null
+ module.vpcs["dev"].google_compute_route.gateway["restricted-googleapis"]:
+ description: Terraform-managed.
+ dest_range: 199.36.153.4/30
+ name: dev-restricted-googleapis
+ network: dev
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 1000
+ project: fast-dev-net-dev-0
+ tags: null
+ timeouts: null
+ module.vpcs["dev"].google_compute_subnetwork.subnetwork["europe-west12/dev-default"]:
+ description: Default europe-west12 subnet for dev
+ ip_cidr_range: 10.73.0.0/24
+ ip_collection: null
+ ipv6_access_type: null
+ log_config: []
+ name: dev-default
+ network: dev
+ private_ip_google_access: true
+ project: fast-dev-net-dev-0
+ region: europe-west12
+ reserved_internal_range: null
+ role: null
+ send_secondary_ip_range_if_empty: true
+ timeouts: null
+ module.vpcs["dev"].google_dns_policy.default[0]:
+ alternative_name_server_config: []
+ description: Managed by Terraform
+ enable_inbound_forwarding: null
+ enable_logging: null
+ name: dev
+ networks:
+ - {}
+ project: fast-dev-net-dev-0
+ timeouts: null
+ module.vpcs["hub"].google_compute_network.network[0]:
+ auto_create_subnetworks: false
+ delete_default_routes_on_create: false
+ description: Terraform managed
+ enable_ula_internal_ipv6: null
+ mtu: 1500
+ name: hub
+ network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
+ network_profile: null
+ project: fast-prod-net-core-0
+ routing_mode: GLOBAL
+ timeouts: null
+ module.vpcs["hub"].google_compute_route.gateway["directpath-googleapis"]:
+ description: Terraform-managed.
+ dest_range: 34.126.0.0/18
+ name: hub-directpath-googleapis
+ network: hub
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 1000
+ project: fast-prod-net-core-0
+ tags: null
+ timeouts: null
+ module.vpcs["hub"].google_compute_route.gateway["private-googleapis"]:
+ description: Terraform-managed.
+ dest_range: 199.36.153.8/30
+ name: hub-private-googleapis
+ network: hub
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 1000
+ project: fast-prod-net-core-0
+ tags: null
+ timeouts: null
+ module.vpcs["hub"].google_compute_route.gateway["restricted-googleapis"]:
+ description: Terraform-managed.
+ dest_range: 199.36.153.4/30
+ name: hub-restricted-googleapis
+ network: hub
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 1000
+ project: fast-prod-net-core-0
+ tags: null
+ timeouts: null
+ module.vpcs["hub"].google_compute_subnetwork.subnetwork["europe-west12/hub-default"]:
+ description: Default europe-west12 subnet for hub
+ ip_cidr_range: 10.71.0.0/24
+ ip_collection: null
+ ipv6_access_type: null
+ log_config: []
+ name: hub-default
+ network: hub
+ private_ip_google_access: true
+ project: fast-prod-net-core-0
+ region: europe-west12
+ reserved_internal_range: null
+ role: null
+ send_secondary_ip_range_if_empty: true
+ timeouts: null
+ module.vpcs["hub"].google_dns_policy.default[0]:
+ alternative_name_server_config: []
+ description: Managed by Terraform
+ enable_inbound_forwarding: null
+ enable_logging: null
+ name: hub
+ networks:
+ - {}
+ project: fast-prod-net-core-0
+ timeouts: null
+ module.vpcs["prod"].google_compute_network.network[0]:
+ auto_create_subnetworks: false
+ delete_default_routes_on_create: false
+ description: Terraform managed
+ enable_ula_internal_ipv6: null
+ mtu: 1500
+ name: prod
+ network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
+ network_profile: null
+ project: fast-prod-net-prod-0
+ routing_mode: GLOBAL
+ timeouts: null
+ module.vpcs["prod"].google_compute_route.gateway["directpath-googleapis"]:
+ description: Terraform-managed.
+ dest_range: 34.126.0.0/18
+ name: prod-directpath-googleapis
+ network: prod
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 1000
+ project: fast-prod-net-prod-0
+ tags: null
+ timeouts: null
+ module.vpcs["prod"].google_compute_route.gateway["private-googleapis"]:
+ description: Terraform-managed.
+ dest_range: 199.36.153.8/30
+ name: prod-private-googleapis
+ network: prod
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 1000
+ project: fast-prod-net-prod-0
+ tags: null
+ timeouts: null
+ module.vpcs["prod"].google_compute_route.gateway["restricted-googleapis"]:
+ description: Terraform-managed.
+ dest_range: 199.36.153.4/30
+ name: prod-restricted-googleapis
+ network: prod
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 1000
+ project: fast-prod-net-prod-0
+ tags: null
+ timeouts: null
+ module.vpcs["prod"].google_compute_subnetwork.subnetwork["europe-west8/prod-default"]:
+ description: Default primary-region subnet for prod
+ ip_cidr_range: 10.72.0.0/24
+ ip_collection: null
+ ipv6_access_type: null
+ log_config: []
+ name: prod-default
+ network: prod
+ private_ip_google_access: true
+ project: fast-prod-net-prod-0
+ region: europe-west8
+ reserved_internal_range: null
+ role: null
+ send_secondary_ip_range_if_empty: true
+ timeouts: null
+ module.vpcs["prod"].google_dns_policy.default[0]:
+ alternative_name_server_config: []
+ description: Managed by Terraform
+ enable_inbound_forwarding: null
+ enable_logging: null
+ name: prod
+ networks:
+ - {}
+ project: fast-prod-net-prod-0
+ timeouts: null
+ module.vpn-ha["dev/to-hub"].google_compute_router_interface.router_interface["remote-0"]:
+ interconnect_attachment: null
+ ip_range: 169.254.3.1/30
+ name: dev-to-hub-remote-0
+ private_ip_address: null
+ project: fast-dev-net-dev-0
+ region: europe-west8
+ router: dev-vpn-router
+ subnetwork: null
+ timeouts: null
+ vpn_tunnel: dev-to-hub-remote-0
+ module.vpn-ha["dev/to-hub"].google_compute_router_interface.router_interface["remote-1"]:
+ interconnect_attachment: null
+ ip_range: 169.254.3.5/30
+ name: dev-to-hub-remote-1
+ private_ip_address: null
+ project: fast-dev-net-dev-0
+ region: europe-west8
+ router: dev-vpn-router
+ subnetwork: null
+ timeouts: null
+ vpn_tunnel: dev-to-hub-remote-1
+ module.vpn-ha["dev/to-hub"].google_compute_router_peer.bgp_peer["remote-0"]:
+ advertise_mode: DEFAULT
+ advertised_groups: []
+ advertised_ip_ranges: []
+ advertised_route_priority: 1000
+ custom_learned_ip_ranges: []
+ custom_learned_route_priority: null
+ enable: true
+ enable_ipv6: false
+ export_policies: null
+ import_policies: null
+ interface: dev-to-hub-remote-0
+ md5_authentication_key: []
+ name: dev-to-hub-remote-0
+ peer_asn: 64514
+ peer_ip_address: 169.254.3.2
+ project: fast-dev-net-dev-0
+ region: europe-west8
+ router: dev-vpn-router
+ router_appliance_instance: null
+ timeouts: null
+ zero_advertised_route_priority: null
+ zero_custom_learned_route_priority: false
+ module.vpn-ha["dev/to-hub"].google_compute_router_peer.bgp_peer["remote-1"]:
+ advertise_mode: DEFAULT
+ advertised_groups: []
+ advertised_ip_ranges: []
+ advertised_route_priority: 1000
+ custom_learned_ip_ranges: []
+ custom_learned_route_priority: null
+ enable: true
+ enable_ipv6: false
+ export_policies: null
+ import_policies: null
+ interface: dev-to-hub-remote-1
+ md5_authentication_key: []
+ name: dev-to-hub-remote-1
+ peer_asn: 64514
+ peer_ip_address: 169.254.3.6
+ project: fast-dev-net-dev-0
+ region: europe-west8
+ router: dev-vpn-router
+ router_appliance_instance: null
+ timeouts: null
+ zero_advertised_route_priority: null
+ zero_custom_learned_route_priority: false
+ module.vpn-ha["dev/to-hub"].google_compute_vpn_tunnel.tunnels["remote-0"]:
+ cipher_suite: []
+ description: null
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ ike_version: 2
+ labels: null
+ name: dev-to-hub-remote-0
+ peer_external_gateway: null
+ peer_external_gateway_interface: null
+ project: fast-dev-net-dev-0
+ region: europe-west8
+ router: dev-vpn-router
+ shared_secret: foobar
+ shared_secret_wo: null
+ shared_secret_wo_version: null
+ target_vpn_gateway: null
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ vpn_gateway_interface: 0
+ module.vpn-ha["dev/to-hub"].google_compute_vpn_tunnel.tunnels["remote-1"]:
+ cipher_suite: []
+ description: null
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ ike_version: 2
+ labels: null
+ name: dev-to-hub-remote-1
+ peer_external_gateway: null
+ peer_external_gateway_interface: null
+ project: fast-dev-net-dev-0
+ region: europe-west8
+ router: dev-vpn-router
+ shared_secret: foobar
+ shared_secret_wo: null
+ shared_secret_wo_version: null
+ target_vpn_gateway: null
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ vpn_gateway_interface: 1
+ module.vpn-ha["dev/to-hub"].random_id.md5_keys["remote-0"]:
+ byte_length: 12
+ keepers: null
+ prefix: null
+ module.vpn-ha["dev/to-hub"].random_id.md5_keys["remote-1"]:
+ byte_length: 12
+ keepers: null
+ prefix: null
+ module.vpn-ha["dev/to-hub"].random_id.secret:
+ byte_length: 8
+ keepers: null
+ prefix: null
+ module.vpn-ha["hub/to-dev"].google_compute_router_interface.router_interface["remote-0"]:
+ interconnect_attachment: null
+ ip_range: 169.254.3.2/30
+ name: hub-to-dev-remote-0
+ private_ip_address: null
+ project: fast-prod-net-core-0
+ region: europe-west8
+ router: hub-vpn-router
+ subnetwork: null
+ timeouts: null
+ vpn_tunnel: hub-to-dev-remote-0
+ module.vpn-ha["hub/to-dev"].google_compute_router_interface.router_interface["remote-1"]:
+ interconnect_attachment: null
+ ip_range: 169.254.3.6/30
+ name: hub-to-dev-remote-1
+ private_ip_address: null
+ project: fast-prod-net-core-0
+ region: europe-west8
+ router: hub-vpn-router
+ subnetwork: null
+ timeouts: null
+ vpn_tunnel: hub-to-dev-remote-1
+ module.vpn-ha["hub/to-dev"].google_compute_router_peer.bgp_peer["remote-0"]:
+ advertise_mode: DEFAULT
+ advertised_groups: []
+ advertised_ip_ranges: []
+ advertised_route_priority: 1000
+ custom_learned_ip_ranges: []
+ custom_learned_route_priority: null
+ enable: true
+ enable_ipv6: false
+ export_policies: null
+ import_policies: null
+ interface: hub-to-dev-remote-0
+ md5_authentication_key: []
+ name: hub-to-dev-remote-0
+ peer_asn: 64516
+ peer_ip_address: 169.254.3.1
+ project: fast-prod-net-core-0
+ region: europe-west8
+ router: hub-vpn-router
+ router_appliance_instance: null
+ timeouts: null
+ zero_advertised_route_priority: null
+ zero_custom_learned_route_priority: false
+ module.vpn-ha["hub/to-dev"].google_compute_router_peer.bgp_peer["remote-1"]:
+ advertise_mode: DEFAULT
+ advertised_groups: []
+ advertised_ip_ranges: []
+ advertised_route_priority: 1000
+ custom_learned_ip_ranges: []
+ custom_learned_route_priority: null
+ enable: true
+ enable_ipv6: false
+ export_policies: null
+ import_policies: null
+ interface: hub-to-dev-remote-1
+ md5_authentication_key: []
+ name: hub-to-dev-remote-1
+ peer_asn: 64516
+ peer_ip_address: 169.254.3.5
+ project: fast-prod-net-core-0
+ region: europe-west8
+ router: hub-vpn-router
+ router_appliance_instance: null
+ timeouts: null
+ zero_advertised_route_priority: null
+ zero_custom_learned_route_priority: false
+ module.vpn-ha["hub/to-dev"].google_compute_vpn_tunnel.tunnels["remote-0"]:
+ cipher_suite: []
+ description: null
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ ike_version: 2
+ labels: null
+ name: hub-to-dev-remote-0
+ peer_external_gateway: null
+ peer_external_gateway_interface: null
+ project: fast-prod-net-core-0
+ region: europe-west8
+ router: hub-vpn-router
+ shared_secret: foobar
+ shared_secret_wo: null
+ shared_secret_wo_version: null
+ target_vpn_gateway: null
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ vpn_gateway_interface: 0
+ module.vpn-ha["hub/to-dev"].google_compute_vpn_tunnel.tunnels["remote-1"]:
+ cipher_suite: []
+ description: null
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ ike_version: 2
+ labels: null
+ name: hub-to-dev-remote-1
+ peer_external_gateway: null
+ peer_external_gateway_interface: null
+ project: fast-prod-net-core-0
+ region: europe-west8
+ router: hub-vpn-router
+ shared_secret: foobar
+ shared_secret_wo: null
+ shared_secret_wo_version: null
+ target_vpn_gateway: null
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ vpn_gateway_interface: 1
+ module.vpn-ha["hub/to-dev"].random_id.md5_keys["remote-0"]:
+ byte_length: 12
+ keepers: null
+ prefix: null
+ module.vpn-ha["hub/to-dev"].random_id.md5_keys["remote-1"]:
+ byte_length: 12
+ keepers: null
+ prefix: null
+ module.vpn-ha["hub/to-dev"].random_id.secret:
+ byte_length: 8
+ keepers: null
+ prefix: null
+ module.vpn-ha["hub/to-onprem"].google_compute_external_vpn_gateway.external_gateway["default"]:
+ description: Terraform managed external VPN gateway
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ interface:
+ - id: 0
+ ip_address: 8.8.8.8
+ ipv6_address: null
+ labels: null
+ name: hub-to-onprem-default
+ project: fast-prod-net-core-0
+ redundancy_type: SINGLE_IP_INTERNALLY_REDUNDANT
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ module.vpn-ha["hub/to-onprem"].google_compute_router_interface.router_interface["remote-0"]:
+ interconnect_attachment: null
+ ip_range: 169.254.128.2/30
+ name: hub-to-onprem-remote-0
+ private_ip_address: null
+ project: fast-prod-net-core-0
+ region: europe-west8
+ router: hub-vpn-router
+ subnetwork: null
+ timeouts: null
+ vpn_tunnel: hub-to-onprem-remote-0
+ module.vpn-ha["hub/to-onprem"].google_compute_router_interface.router_interface["remote-1"]:
+ interconnect_attachment: null
+ ip_range: 169.254.128.6/30
+ name: hub-to-onprem-remote-1
+ private_ip_address: null
+ project: fast-prod-net-core-0
+ region: europe-west8
+ router: hub-vpn-router
+ subnetwork: null
+ timeouts: null
+ vpn_tunnel: hub-to-onprem-remote-1
+ module.vpn-ha["hub/to-onprem"].google_compute_router_peer.bgp_peer["remote-0"]:
+ advertise_mode: DEFAULT
+ advertised_groups: []
+ advertised_ip_ranges: []
+ advertised_route_priority: 1000
+ custom_learned_ip_ranges: []
+ custom_learned_route_priority: null
+ enable: true
+ enable_ipv6: false
+ export_policies: null
+ import_policies: null
+ interface: hub-to-onprem-remote-0
+ md5_authentication_key: []
+ name: hub-to-onprem-remote-0
+ peer_asn: 64513
+ peer_ip_address: 169.254.128.1
+ project: fast-prod-net-core-0
+ region: europe-west8
+ router: hub-vpn-router
+ router_appliance_instance: null
+ timeouts: null
+ zero_advertised_route_priority: null
+ zero_custom_learned_route_priority: false
+ module.vpn-ha["hub/to-onprem"].google_compute_router_peer.bgp_peer["remote-1"]:
+ advertise_mode: DEFAULT
+ advertised_groups: []
+ advertised_ip_ranges: []
+ advertised_route_priority: 1000
+ custom_learned_ip_ranges: []
+ custom_learned_route_priority: null
+ enable: true
+ enable_ipv6: false
+ export_policies: null
+ import_policies: null
+ interface: hub-to-onprem-remote-1
+ md5_authentication_key: []
+ name: hub-to-onprem-remote-1
+ peer_asn: 64513
+ peer_ip_address: 169.254.128.5
+ project: fast-prod-net-core-0
+ region: europe-west8
+ router: hub-vpn-router
+ router_appliance_instance: null
+ timeouts: null
+ zero_advertised_route_priority: null
+ zero_custom_learned_route_priority: false
+ module.vpn-ha["hub/to-onprem"].google_compute_vpn_tunnel.tunnels["remote-0"]:
+ cipher_suite: []
+ description: null
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ ike_version: 2
+ labels: null
+ name: hub-to-onprem-remote-0
+ peer_external_gateway_interface: 0
+ peer_gcp_gateway: null
+ project: fast-prod-net-core-0
+ region: europe-west8
+ router: hub-vpn-router
+ shared_secret: mySecret
+ shared_secret_wo: null
+ shared_secret_wo_version: null
+ target_vpn_gateway: null
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ vpn_gateway_interface: 0
+ module.vpn-ha["hub/to-onprem"].google_compute_vpn_tunnel.tunnels["remote-1"]:
+ cipher_suite: []
+ description: null
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ ike_version: 2
+ labels: null
+ name: hub-to-onprem-remote-1
+ peer_external_gateway_interface: 0
+ peer_gcp_gateway: null
+ project: fast-prod-net-core-0
+ region: europe-west8
+ router: hub-vpn-router
+ shared_secret: mySecret
+ shared_secret_wo: null
+ shared_secret_wo_version: null
+ target_vpn_gateway: null
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ vpn_gateway_interface: 1
+ module.vpn-ha["hub/to-onprem"].random_id.md5_keys["remote-0"]:
+ byte_length: 12
+ keepers: null
+ prefix: null
+ module.vpn-ha["hub/to-onprem"].random_id.md5_keys["remote-1"]:
+ byte_length: 12
+ keepers: null
+ prefix: null
+ module.vpn-ha["hub/to-onprem"].random_id.secret:
+ byte_length: 8
+ keepers: null
+ prefix: null
+ module.vpn-ha["hub/to-prod"].google_compute_router_interface.router_interface["remote-0"]:
+ interconnect_attachment: null
+ ip_range: 169.254.2.2/30
+ name: hub-to-prod-remote-0
+ private_ip_address: null
+ project: fast-prod-net-core-0
+ region: europe-west8
+ router: hub-vpn-router
+ subnetwork: null
+ timeouts: null
+ vpn_tunnel: hub-to-prod-remote-0
+ module.vpn-ha["hub/to-prod"].google_compute_router_interface.router_interface["remote-1"]:
+ interconnect_attachment: null
+ ip_range: 169.254.2.6/30
+ name: hub-to-prod-remote-1
+ private_ip_address: null
+ project: fast-prod-net-core-0
+ region: europe-west8
+ router: hub-vpn-router
+ subnetwork: null
+ timeouts: null
+ vpn_tunnel: hub-to-prod-remote-1
+ module.vpn-ha["hub/to-prod"].google_compute_router_peer.bgp_peer["remote-0"]:
+ advertise_mode: DEFAULT
+ advertised_groups: []
+ advertised_ip_ranges: []
+ advertised_route_priority: 1000
+ custom_learned_ip_ranges: []
+ custom_learned_route_priority: null
+ enable: true
+ enable_ipv6: false
+ export_policies: null
+ import_policies: null
+ interface: hub-to-prod-remote-0
+ md5_authentication_key: []
+ name: hub-to-prod-remote-0
+ peer_asn: 64515
+ peer_ip_address: 169.254.2.1
+ project: fast-prod-net-core-0
+ region: europe-west8
+ router: hub-vpn-router
+ router_appliance_instance: null
+ timeouts: null
+ zero_advertised_route_priority: null
+ zero_custom_learned_route_priority: false
+ module.vpn-ha["hub/to-prod"].google_compute_router_peer.bgp_peer["remote-1"]:
+ advertise_mode: DEFAULT
+ advertised_groups: []
+ advertised_ip_ranges: []
+ advertised_route_priority: 1000
+ custom_learned_ip_ranges: []
+ custom_learned_route_priority: null
+ enable: true
+ enable_ipv6: false
+ export_policies: null
+ import_policies: null
+ interface: hub-to-prod-remote-1
+ md5_authentication_key: []
+ name: hub-to-prod-remote-1
+ peer_asn: 64515
+ peer_ip_address: 169.254.2.5
+ project: fast-prod-net-core-0
+ region: europe-west8
+ router: hub-vpn-router
+ router_appliance_instance: null
+ timeouts: null
+ zero_advertised_route_priority: null
+ zero_custom_learned_route_priority: false
+ module.vpn-ha["hub/to-prod"].google_compute_vpn_tunnel.tunnels["remote-0"]:
+ cipher_suite: []
+ description: null
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ ike_version: 2
+ labels: null
+ name: hub-to-prod-remote-0
+ peer_external_gateway: null
+ peer_external_gateway_interface: null
+ project: fast-prod-net-core-0
+ region: europe-west8
+ router: hub-vpn-router
+ shared_secret: foobar
+ shared_secret_wo: null
+ shared_secret_wo_version: null
+ target_vpn_gateway: null
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ vpn_gateway_interface: 0
+ module.vpn-ha["hub/to-prod"].google_compute_vpn_tunnel.tunnels["remote-1"]:
+ cipher_suite: []
+ description: null
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ ike_version: 2
+ labels: null
+ name: hub-to-prod-remote-1
+ peer_external_gateway: null
+ peer_external_gateway_interface: null
+ project: fast-prod-net-core-0
+ region: europe-west8
+ router: hub-vpn-router
+ shared_secret: foobar
+ shared_secret_wo: null
+ shared_secret_wo_version: null
+ target_vpn_gateway: null
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ vpn_gateway_interface: 1
+ module.vpn-ha["hub/to-prod"].random_id.md5_keys["remote-0"]:
+ byte_length: 12
+ keepers: null
+ prefix: null
+ module.vpn-ha["hub/to-prod"].random_id.md5_keys["remote-1"]:
+ byte_length: 12
+ keepers: null
+ prefix: null
+ module.vpn-ha["hub/to-prod"].random_id.secret:
+ byte_length: 8
+ keepers: null
+ prefix: null
+ module.vpn-ha["prod/to-hub"].google_compute_router_interface.router_interface["remote-0"]:
+ interconnect_attachment: null
+ ip_range: 169.254.2.1/30
+ name: prod-to-hub-remote-0
+ private_ip_address: null
+ project: fast-prod-net-prod-0
+ region: europe-west8
+ router: prod-vpn-router
+ subnetwork: null
+ timeouts: null
+ vpn_tunnel: prod-to-hub-remote-0
+ module.vpn-ha["prod/to-hub"].google_compute_router_interface.router_interface["remote-1"]:
+ interconnect_attachment: null
+ ip_range: 169.254.2.5/30
+ name: prod-to-hub-remote-1
+ private_ip_address: null
+ project: fast-prod-net-prod-0
+ region: europe-west8
+ router: prod-vpn-router
+ subnetwork: null
+ timeouts: null
+ vpn_tunnel: prod-to-hub-remote-1
+ module.vpn-ha["prod/to-hub"].google_compute_router_peer.bgp_peer["remote-0"]:
+ advertise_mode: DEFAULT
+ advertised_groups: []
+ advertised_ip_ranges: []
+ advertised_route_priority: 1000
+ custom_learned_ip_ranges: []
+ custom_learned_route_priority: null
+ enable: true
+ enable_ipv6: false
+ export_policies: null
+ import_policies: null
+ interface: prod-to-hub-remote-0
+ md5_authentication_key: []
+ name: prod-to-hub-remote-0
+ peer_asn: 64514
+ peer_ip_address: 169.254.2.2
+ project: fast-prod-net-prod-0
+ region: europe-west8
+ router: prod-vpn-router
+ router_appliance_instance: null
+ timeouts: null
+ zero_advertised_route_priority: null
+ zero_custom_learned_route_priority: false
+ module.vpn-ha["prod/to-hub"].google_compute_router_peer.bgp_peer["remote-1"]:
+ advertise_mode: DEFAULT
+ advertised_groups: []
+ advertised_ip_ranges: []
+ advertised_route_priority: 1000
+ custom_learned_ip_ranges: []
+ custom_learned_route_priority: null
+ enable: true
+ enable_ipv6: false
+ export_policies: null
+ import_policies: null
+ interface: prod-to-hub-remote-1
+ md5_authentication_key: []
+ name: prod-to-hub-remote-1
+ peer_asn: 64514
+ peer_ip_address: 169.254.2.6
+ project: fast-prod-net-prod-0
+ region: europe-west8
+ router: prod-vpn-router
+ router_appliance_instance: null
+ timeouts: null
+ zero_advertised_route_priority: null
+ zero_custom_learned_route_priority: false
+ module.vpn-ha["prod/to-hub"].google_compute_vpn_tunnel.tunnels["remote-0"]:
+ cipher_suite: []
+ description: null
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ ike_version: 2
+ labels: null
+ name: prod-to-hub-remote-0
+ peer_external_gateway: null
+ peer_external_gateway_interface: null
+ project: fast-prod-net-prod-0
+ region: europe-west8
+ router: prod-vpn-router
+ shared_secret: foobar
+ shared_secret_wo: null
+ shared_secret_wo_version: null
+ target_vpn_gateway: null
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ vpn_gateway_interface: 0
+ module.vpn-ha["prod/to-hub"].google_compute_vpn_tunnel.tunnels["remote-1"]:
+ cipher_suite: []
+ description: null
+ effective_labels:
+ goog-terraform-provisioned: "true"
+ ike_version: 2
+ labels: null
+ name: prod-to-hub-remote-1
+ peer_external_gateway: null
+ peer_external_gateway_interface: null
+ project: fast-prod-net-prod-0
+ region: europe-west8
+ router: prod-vpn-router
+ shared_secret: foobar
+ shared_secret_wo: null
+ shared_secret_wo_version: null
+ target_vpn_gateway: null
+ terraform_labels:
+ goog-terraform-provisioned: "true"
+ timeouts: null
+ vpn_gateway_interface: 1
+ module.vpn-ha["prod/to-hub"].random_id.md5_keys["remote-0"]:
+ byte_length: 12
+ keepers: null
+ prefix: null
+ module.vpn-ha["prod/to-hub"].random_id.md5_keys["remote-1"]:
+ byte_length: 12
+ keepers: null
+ prefix: null
+ module.vpn-ha["prod/to-hub"].random_id.secret:
+ byte_length: 8
+ keepers: null
+ prefix: null
+
+counts:
+ google_compute_external_vpn_gateway: 1
+ google_compute_firewall: 3
+ google_compute_firewall_policy: 1
+ google_compute_firewall_policy_association: 1
+ google_compute_firewall_policy_rule: 5
+ google_compute_ha_vpn_gateway: 5
+ google_compute_network: 3
+ google_compute_route: 10
+ google_compute_router: 4
+ google_compute_router_interface: 10
+ google_compute_router_nat: 1
+ google_compute_router_peer: 10
+ google_compute_shared_vpc_host_project: 3
+ google_compute_subnetwork: 3
+ google_compute_vpn_tunnel: 10
+ google_dns_managed_zone: 5
+ google_dns_policy: 3
+ google_dns_record_set: 3
+ google_dns_response_policy: 1
+ google_dns_response_policy_rule: 42
+ google_project: 3
+ google_project_iam_member: 21
+ google_project_service: 27
+ google_project_service_identity: 21
+ google_storage_bucket_object: 2
+ modules: 27
+ random_id: 15
+ resources: 214
+ terraform_data: 1
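Review bot: All ten `google_compute_vpn_tunnel` entries in this inventory carry a literal pre-shared key (`shared_secret: foobar` on the dev/hub and prod/hub tunnels, `shared_secret: mySecret` on both `hub/to-onprem` tunnels) with `shared_secret_wo: null`, even though every `vpn-ha` module instance also plans a `random_id.secret`. If these values come from the shipped `hub-and-spokes-vpns` dataset rather than from a test-only override, anyone applying the dataset as-is gets guessable IKE keys that also land in state in plain text. Consider leaving the secret unset in the dataset so the module's generated `random_id.secret` can be used instead, or documenting that both values must be replaced before apply. In the same way, every `google_compute_router_peer` shows `md5_authentication_key: []` while `random_id.md5_keys` resources are planned for each tunnel, so please confirm whether BGP MD5 authentication is meant to be off here. Finally, the on-prem peer is `ip_address: 8.8.8.8` and `hub-gateway` routes `8.8.8.8/32` to `default-internet-gateway` at priority 100; a comment in the dataset marking that address as a placeholder to be replaced would help.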