diff --git a/fast/stages/2-networking-a-simple/README.md b/fast/stages/2-networking-a-simple/README.md
index 574689ef2..760272d98 100644
--- a/fast/stages/2-networking-a-simple/README.md
+++ b/fast/stages/2-networking-a-simple/README.md
@@ -482,9 +482,9 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
| [main.tf](./main.tf) | Networking folder and hierarchical policy. | folder · net-firewall-policy | |
| [monitoring-vpn.tf](./monitoring-vpn.tf) | VPN monitoring alerts. | | google_monitoring_alert_policy |
| [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | google_monitoring_dashboard |
-| [net-dev.tf](./net-dev.tf) | Dev spoke VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | |
-| [net-landing.tf](./net-landing.tf) | Landing VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | |
-| [net-prod.tf](./net-prod.tf) | Production spoke VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | |
+| [net-dev.tf](./net-dev.tf) | Dev spoke VPC and related resources. | net-cloudnat · net-firewall-policy · net-vpc · net-vpc-firewall · project | |
+| [net-landing.tf](./net-landing.tf) | Landing VPC and related resources. | net-cloudnat · net-firewall-policy · net-vpc · net-vpc-firewall · project | |
+| [net-prod.tf](./net-prod.tf) | Production spoke VPC and related resources. | net-cloudnat · net-firewall-policy · net-vpc · net-vpc-firewall · project | |
| [outputs.tf](./outputs.tf) | Module outputs. | | google_storage_bucket_object · local_file |
| [regions.tf](./regions.tf) | Compute short names for regions. | | |
| [spoke-ncc.tf](./spoke-ncc.tf) | Peerings between landing and spokes. | | google_network_connectivity_hub · google_network_connectivity_spoke |
@@ -507,17 +507,17 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
| [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | |
| [create_test_instances](variables.tf#L42) | Enables the creation of test VMs in each VPC, useful to test and troubleshoot connectivity. | bool | | false | |
| [custom_roles](variables-fast.tf#L40) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
-| [dns](variables.tf#L48) | DNS configuration. | object({…}) | | {} | |
-| [enable_cloud_nat](variables.tf#L58) | Deploy Cloud NAT. | bool | | false | |
-| [essential_contacts](variables.tf#L65) | Email used for essential contacts, unset if null. | string | | null | |
-| [factories_config](variables.tf#L71) | Configuration for network resource factories. | object({…}) | | {…} | |
-| [outputs_location](variables.tf#L92) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
-| [psa_ranges](variables.tf#L98) | IP ranges used for Private Service Access (CloudSQL, etc.). | object({…}) | | {} | |
-| [regions](variables.tf#L118) | Region definitions. | object({…}) | | {…} | |
-| [spoke_configs](variables.tf#L130) | Spoke connectivity configurations. | object({…}) | | {…} | |
+| [dns](variables.tf#L48) | DNS configuration. | object({…}) | | {} | |
+| [essential_contacts](variables.tf#L57) | Email used for essential contacts, unset if null. | string | | null | |
+| [factories_config](variables.tf#L63) | Configuration for network resource factories. | object({…}) | | {} | |
+| [outputs_location](variables.tf#L84) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
+| [psa_ranges](variables.tf#L90) | IP ranges used for Private Service Access (CloudSQL, etc.). | object({…}) | | {} | |
+| [regions](variables.tf#L110) | Region definitions. | object({…}) | | {…} | |
+| [spoke_configs](variables.tf#L122) | Spoke connectivity configurations. | object({…}) | | {…} | |
| [stage_config](variables-fast.tf#L86) | FAST stage configuration. | object({…}) | | {} | 1-resman |
| [tag_values](variables-fast.tf#L100) | Root-level tag values. | map(string) | | {} | 1-resman |
-| [vpn_onprem_primary_config](variables.tf#L199) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | |
+| [vpc_configs](variables.tf#L191) | Optional VPC network configurations. | object({…}) | | {} | |
+| [vpn_onprem_primary_config](variables.tf#L244) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | |
## Outputs
diff --git a/fast/stages/2-networking-a-simple/dns-landing.tf b/fast/stages/2-networking-a-simple/dns-landing.tf
index 54f8d2115..f20ac2387 100644
--- a/fast/stages/2-networking-a-simple/dns-landing.tf
+++ b/fast/stages/2-networking-a-simple/dns-landing.tf
@@ -68,7 +68,7 @@ module "landing-dns-policy-googleapis" {
project_id = module.landing-project.project_id
name = "googleapis"
factories_config = {
- rules = var.factories_config.dns_policy_rules_file
+ rules = var.factories_config.dns_policy_rules
}
networks = {
landing = module.landing-vpc.self_link
diff --git a/fast/stages/2-networking-a-simple/main.tf b/fast/stages/2-networking-a-simple/main.tf
index 1126bc491..20796461a 100644
--- a/fast/stages/2-networking-a-simple/main.tf
+++ b/fast/stages/2-networking-a-simple/main.tf
@@ -67,11 +67,11 @@ module "folder" {
module "firewall-policy-default" {
source = "../../../modules/net-firewall-policy"
- name = var.factories_config.firewall_policy_name
+ name = var.factories_config.firewall.hierarchical.policy_name
parent_id = module.folder.id
factories_config = {
- cidr_file_path = "${var.factories_config.data_dir}/cidrs.yaml"
- ingress_rules_file_path = "${var.factories_config.data_dir}/hierarchical-ingress-rules.yaml"
+ cidr_file_path = var.factories_config.firewall.cidr_file
+ ingress_rules_file_path = var.factories_config.firewall.hierarchical.ingress_rules
}
}
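Review bot: The hierarchical policy here only receives `ingress_rules_file_path`, while `factories_config.firewall.hierarchical.egress_rules` is declared with a default in this stage's variables.tf and the b-nva sibling wires it into its main.tf, so egress rules an operator puts in that file are silently never applied in this stage. Add `egress_rules_file_path = var.factories_config.firewall.hierarchical.egress_rules` next to the ingress line, or drop the attribute from the variable if egress rules are intentionally unsupported here.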
diff --git a/fast/stages/2-networking-a-simple/monitoring.tf b/fast/stages/2-networking-a-simple/monitoring.tf
index 5142ed4fd..e02e894e5 100644
--- a/fast/stages/2-networking-a-simple/monitoring.tf
+++ b/fast/stages/2-networking-a-simple/monitoring.tf
@@ -17,11 +17,10 @@
# tfdoc:file:description Network monitoring dashboards.
locals {
- dashboard_path = "${var.factories_config.data_dir}/dashboards"
- dashboard_files = fileset(local.dashboard_path, "*.json")
+ dashboard_files = fileset(var.factories_config.dashboards, "*.json")
dashboards = {
for filename in local.dashboard_files :
- filename => "${local.dashboard_path}/$(unknown)"
+ filename => "${var.factories_config.dashboards}/$(unknown)"
}
}
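Review bot: `var.factories_config.dashboards` is now repeated in both the `fileset()` call and the path interpolation, whereas the b-nva sibling keeps the `dashboard_path` local and only changes its value. Keeping the local here as `dashboard_path = var.factories_config.dashboards` keeps the two stages aligned and leaves a single place to adjust if the path ever needs normalising.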
diff --git a/fast/stages/2-networking-a-simple/net-dev.tf b/fast/stages/2-networking-a-simple/net-dev.tf
index ad14b3622..57599abf0 100644
--- a/fast/stages/2-networking-a-simple/net-dev.tf
+++ b/fast/stages/2-networking-a-simple/net-dev.tf
@@ -16,6 +16,22 @@
# tfdoc:file:description Dev spoke VPC and related resources.
+locals {
+ # streamline VPC configuration conditionals for modules by moving them here
+ dev_cfg = {
+ cloudnat = var.vpc_configs.dev.cloudnat.enable == true
+ dns_logging = var.vpc_configs.dev.dns.enable_logging == true
+ dns_policy = var.vpc_configs.dev.dns.create_inbound_policy == true
+ fw_classic = var.vpc_configs.dev.firewall.use_classic == true
+ fw_order = (
+ var.vpc_configs.dev.firewall.policy_has_priority == true
+ ? "BEFORE_CLASSIC_FIREWALL"
+ : "AFTER_CLASSIC_FIREWALL"
+ )
+ fw_policy = var.vpc_configs.dev.firewall.create_policy == true
+ }
+}
+
module "dev-spoke-project" {
source = "../../../modules/project"
billing_account = var.billing_account.id
@@ -67,24 +83,26 @@ module "dev-spoke-project" {
}
module "dev-spoke-vpc" {
- source = "../../../modules/net-vpc"
- project_id = module.dev-spoke-project.project_id
- name = "dev-spoke-0"
- mtu = 1500
- dns_policy = {
- logging = var.dns.enable_logging
+ source = "../../../modules/net-vpc"
+ project_id = module.dev-spoke-project.project_id
+ name = "dev-spoke-0"
+ mtu = var.vpc_configs.dev.mtu
+ delete_default_routes_on_create = true
+ dns_policy = !local.dev_cfg.dns_policy ? {} : {
+ inbound = true
+ logging = local.dev_cfg.dns_logging
}
factories_config = {
context = { regions = var.regions }
- subnets_folder = "${var.factories_config.data_dir}/subnets/dev"
+ subnets_folder = "${var.factories_config.subnets}/dev"
}
- psa_configs = var.psa_ranges.dev
+ firewall_policy_enforcement_order = local.dev_cfg.fw_order
+ psa_configs = var.psa_ranges.dev
# set explicit routes for googleapis in case the default route is deleted
create_googleapis_routes = {
private = true
restricted = true
}
- delete_default_routes_on_create = true
routes = {
default = {
dest_range = "0.0.0.0/0"
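Review bot: DNS query logging is now tied to creating the inbound policy: when `vpc_configs.dev.dns.create_inbound_policy` is false the whole `dns_policy` becomes `{}` and `enable_logging` is ignored, whereas before this change logging was applied unconditionally, so a user who only wants to drop the inbound endpoint also loses query logs. The removed lines show the module accepted a logging-only map, so, assuming it still does, `dns_policy = !local.dev_cfg.dns_policy ? { logging = local.dev_cfg.dns_logging } : { inbound = true, logging = local.dev_cfg.dns_logging }` keeps the two settings independent. Note also that the dev and prod spokes previously had no `inbound = true`, so with the defaults they now gain an inbound DNS policy, which is worth stating in the PR description. The same coupling appears in the net-landing.tf and net-prod.tf hunks of this stage and in the b-nva net-dev.tf and net-landing.tf hunks. The `dev-spoke-vpc` module body continues outside the hunk.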
@@ -97,20 +115,40 @@ module "dev-spoke-vpc" {
module "dev-spoke-firewall" {
source = "../../../modules/net-vpc-firewall"
+ count = local.dev_cfg.fw_classic ? 1 : 0
project_id = module.dev-spoke-project.project_id
network = module.dev-spoke-vpc.name
default_rules_config = {
disabled = true
}
factories_config = {
- cidr_tpl_file = "${var.factories_config.data_dir}/cidrs.yaml"
- rules_folder = "${var.factories_config.data_dir}/firewall-rules/dev"
+ cidr_tpl_file = var.factories_config.firewall.cidr_file
+ rules_folder = "${var.factories_config.firewall.classic_rules}/dev"
+ }
+}
+
+module "dev-firewall-policy" {
+ source = "../../../modules/net-firewall-policy"
+ count = local.dev_cfg.fw_policy ? 1 : 0
+ name = "dev-spoke-0"
+ parent_id = module.dev-spoke-project.project_id
+ region = "global"
+ attachments = {
+ dev-spoke-0 = module.dev-spoke-vpc.id
+ }
+ # TODO: add context for security groups
+ factories_config = {
+ cidr_file_path = var.factories_config.firewall.cidr_file
+ egress_rules_file_path = "${var.factories_config.firewall.policy_rules}/dev/egress.yaml"
+ ingress_rules_file_path = "${var.factories_config.firewall.policy_rules}/dev/ingress.yaml"
}
}
module "dev-spoke-cloudnat" {
- source = "../../../modules/net-cloudnat"
- for_each = toset(var.enable_cloud_nat ? values(module.dev-spoke-vpc.subnet_regions) : [])
+ source = "../../../modules/net-cloudnat"
+ for_each = toset(
+ local.dev_cfg.cloudnat ? values(module.dev-spoke-vpc.subnet_regions) : []
+ )
project_id = module.dev-spoke-project.project_id
region = each.value
name = "dev-nat-${local.region_shortnames[each.value]}"
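Review bot: Adding `count` to `dev-spoke-firewall` turns `module.dev-spoke-firewall` into a list, so any reference to it elsewhere in the stage (outputs, tests) now needs `[0]` and a guard for the zero-instance case; no such reference is visible in this diff, so please check. The same applies to `prod-spoke-firewall`, `landing-firewall` and the b-nva `dev-spoke-firewall`. The `# TODO: add context for security groups` line in `dev-firewall-policy` is copied into every new policy module; either resolve it or point it at a tracked issue so it is not shipped as an open question. The `dev-spoke-cloudnat` module body continues outside the hunk.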
diff --git a/fast/stages/2-networking-a-simple/net-landing.tf b/fast/stages/2-networking-a-simple/net-landing.tf
index 67e1c9d92..b55702efe 100644
--- a/fast/stages/2-networking-a-simple/net-landing.tf
+++ b/fast/stages/2-networking-a-simple/net-landing.tf
@@ -16,6 +16,31 @@
# tfdoc:file:description Landing VPC and related resources.
+locals {
+ # streamline VPC configuration conditionals for modules by moving them here
+ landing_cfg = {
+ cloudnat = (
+ local.spoke_connection != "ncc" &&
+ var.vpc_configs.landing.cloudnat.enable == true
+ )
+ dns_logging = var.vpc_configs.landing.dns.enable_logging == true
+ dns_policy = var.vpc_configs.landing.dns.create_inbound_policy == true
+ fw_classic = (
+ local.spoke_connection != "ncc" &&
+ var.vpc_configs.landing.firewall.use_classic == true
+ )
+ fw_order = (
+ var.vpc_configs.landing.firewall.policy_has_priority == true
+ ? "BEFORE_CLASSIC_FIREWALL"
+ : "AFTER_CLASSIC_FIREWALL"
+ )
+ fw_policy = (
+ local.spoke_connection != "ncc" &&
+ var.vpc_configs.landing.firewall.create_policy == true
+ )
+ }
+}
+
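Review bot: `landing_cfg` gates `cloudnat`, `fw_classic` and `fw_policy` on `local.spoke_connection != "ncc"` without explanation, so a user who sets `vpc_configs.landing.firewall.create_policy = true` in NCC mode gets no policy and nothing tells them why. A comment on the `cloudnat` entry such as `# in NCC mode the landing VPC gets no NAT or VPC-level firewall; the matching vpc_configs.landing settings are ignored` would make the override discoverable; if the reason is the landing VPC's hub-only role in that mode (I cannot confirm that from this diff), say so there too.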
module "landing-project" {
source = "../../../modules/project"
billing_account = var.billing_account.id
@@ -42,19 +67,20 @@ module "landing-project" {
}
module "landing-vpc" {
- source = "../../../modules/net-vpc"
- project_id = module.landing-project.project_id
- name = "prod-landing-0"
- mtu = 1500
- dns_policy = {
+ source = "../../../modules/net-vpc"
+ project_id = module.landing-project.project_id
+ name = "prod-landing-0"
+ mtu = var.vpc_configs.landing.mtu
+ delete_default_routes_on_create = true
+ dns_policy = !local.landing_cfg.dns_policy ? {} : {
inbound = true
- logging = var.dns.enable_logging
+ logging = local.landing_cfg.dns_logging
}
factories_config = {
context = { regions = var.regions }
- subnets_folder = "${var.factories_config.data_dir}/subnets/landing"
+ subnets_folder = "${var.factories_config.subnets}/landing"
}
- delete_default_routes_on_create = true
+ firewall_policy_enforcement_order = local.landing_cfg.fw_order
routes = {
default = {
dest_range = "0.0.0.0/0"
@@ -66,22 +92,39 @@ module "landing-vpc" {
}
module "landing-firewall" {
- count = local.spoke_connection != "ncc" ? 1 : 0
source = "../../../modules/net-vpc-firewall"
+ count = local.landing_cfg.fw_classic ? 1 : 0
project_id = module.landing-project.project_id
network = module.landing-vpc.name
default_rules_config = {
disabled = true
}
factories_config = {
- cidr_tpl_file = "${var.factories_config.data_dir}/cidrs.yaml"
- rules_folder = "${var.factories_config.data_dir}/firewall-rules/landing"
+ cidr_tpl_file = var.factories_config.firewall.cidr_file
+ rules_folder = "${var.factories_config.firewall.classic_rules}/landing"
+ }
+}
+
+module "landing-firewall-policy" {
+ source = "../../../modules/net-firewall-policy"
+ count = local.landing_cfg.fw_policy ? 1 : 0
+ name = "prod-landing-0"
+ parent_id = module.landing-project.project_id
+ region = "global"
+ attachments = {
+ landing-0 = module.landing-vpc.id
+ }
+ # TODO: add context for security groups
+ factories_config = {
+ cidr_file_path = var.factories_config.firewall.cidr_file
+ egress_rules_file_path = "${var.factories_config.firewall.policy_rules}/landing/egress.yaml"
+ ingress_rules_file_path = "${var.factories_config.firewall.policy_rules}/landing/ingress.yaml"
}
}
module "landing-nat-primary" {
source = "../../../modules/net-cloudnat"
- count = var.enable_cloud_nat && local.spoke_connection != "ncc" ? 1 : 0
+ count = local.landing_cfg.cloudnat ? 1 : 0
project_id = module.landing-project.project_id
region = var.regions.primary
name = local.region_shortnames[var.regions.primary]
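Review bot: The attachment key in `landing-firewall-policy` is `landing-0` while the VPC is named `prod-landing-0`, and the dev and prod policies key their attachment by the VPC name (`dev-spoke-0`, `prod-spoke-0`). If the key feeds the attachment resource name inside the module (not visible here), renaming it later forces a replacement, so settling on `prod-landing-0 = module.landing-vpc.id` now is cheaper. The `landing-nat-primary` module body continues outside the hunk.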
diff --git a/fast/stages/2-networking-a-simple/net-prod.tf b/fast/stages/2-networking-a-simple/net-prod.tf
index cfef3f425..62175101d 100644
--- a/fast/stages/2-networking-a-simple/net-prod.tf
+++ b/fast/stages/2-networking-a-simple/net-prod.tf
@@ -16,6 +16,22 @@
# tfdoc:file:description Production spoke VPC and related resources.
+locals {
+ # streamline VPC configuration conditionals for modules by moving them here
+ prod_cfg = {
+ cloudnat = var.vpc_configs.prod.cloudnat.enable == true
+ dns_logging = var.vpc_configs.prod.dns.enable_logging == true
+ dns_policy = var.vpc_configs.prod.dns.create_inbound_policy == true
+ fw_classic = var.vpc_configs.prod.firewall.use_classic == true
+ fw_order = (
+ var.vpc_configs.prod.firewall.policy_has_priority == true
+ ? "BEFORE_CLASSIC_FIREWALL"
+ : "AFTER_CLASSIC_FIREWALL"
+ )
+ fw_policy = var.vpc_configs.prod.firewall.create_policy == true
+ }
+}
+
module "prod-spoke-project" {
source = "../../../modules/project"
billing_account = var.billing_account.id
@@ -67,19 +83,21 @@ module "prod-spoke-project" {
}
module "prod-spoke-vpc" {
- source = "../../../modules/net-vpc"
- project_id = module.prod-spoke-project.project_id
- name = "prod-spoke-0"
- mtu = 1500
- dns_policy = {
- logging = var.dns.enable_logging
+ source = "../../../modules/net-vpc"
+ project_id = module.prod-spoke-project.project_id
+ name = "prod-spoke-0"
+ mtu = var.vpc_configs.prod.mtu
+ delete_default_routes_on_create = true
+ dns_policy = !local.prod_cfg.dns_policy ? {} : {
+ inbound = true
+ logging = local.prod_cfg.dns_logging
}
factories_config = {
context = { regions = var.regions }
- subnets_folder = "${var.factories_config.data_dir}/subnets/prod"
+ subnets_folder = "${var.factories_config.subnets}/prod"
}
- psa_configs = var.psa_ranges.prod
- delete_default_routes_on_create = true
+ firewall_policy_enforcement_order = local.prod_cfg.fw_order
+ psa_configs = var.psa_ranges.prod
routes = {
default = {
dest_range = "0.0.0.0/0"
@@ -92,20 +110,40 @@ module "prod-spoke-vpc" {
module "prod-spoke-firewall" {
source = "../../../modules/net-vpc-firewall"
+ count = local.prod_cfg.fw_classic ? 1 : 0
project_id = module.prod-spoke-project.project_id
network = module.prod-spoke-vpc.name
default_rules_config = {
disabled = true
}
factories_config = {
- cidr_tpl_file = "${var.factories_config.data_dir}/cidrs.yaml"
- rules_folder = "${var.factories_config.data_dir}/firewall-rules/prod"
+ cidr_tpl_file = var.factories_config.firewall.cidr_file
+ rules_folder = "${var.factories_config.firewall.classic_rules}/prod"
+ }
+}
+
+module "prod-firewall-policy" {
+ source = "../../../modules/net-firewall-policy"
+ count = local.prod_cfg.fw_policy ? 1 : 0
+ name = "prod-spoke-0"
+ parent_id = module.prod-spoke-project.project_id
+ region = "global"
+ attachments = {
+ prod-spoke-0 = module.prod-spoke-vpc.id
+ }
+ # TODO: add context for security groups
+ factories_config = {
+ cidr_file_path = var.factories_config.firewall.cidr_file
+ egress_rules_file_path = "${var.factories_config.firewall.policy_rules}/prod/egress.yaml"
+ ingress_rules_file_path = "${var.factories_config.firewall.policy_rules}/prod/ingress.yaml"
}
}
module "prod-spoke-cloudnat" {
- source = "../../../modules/net-cloudnat"
- for_each = toset(var.enable_cloud_nat ? values(module.prod-spoke-vpc.subnet_regions) : [])
+ source = "../../../modules/net-cloudnat"
+ for_each = toset(
+ local.prod_cfg.cloudnat ? values(module.prod-spoke-vpc.subnet_regions) : []
+ )
project_id = module.prod-spoke-project.project_id
region = each.value
name = "prod-nat-${local.region_shortnames[each.value]}"
diff --git a/fast/stages/2-networking-a-simple/variables.tf b/fast/stages/2-networking-a-simple/variables.tf
index d04ad9a04..d64dfbb19 100644
--- a/fast/stages/2-networking-a-simple/variables.tf
+++ b/fast/stages/2-networking-a-simple/variables.tf
@@ -48,20 +48,12 @@ variable "create_test_instances" {
variable "dns" {
description = "DNS configuration."
type = object({
- enable_logging = optional(bool, true)
- resolvers = optional(list(string), [])
+ resolvers = optional(list(string), [])
})
default = {}
nullable = false
}
-variable "enable_cloud_nat" {
- description = "Deploy Cloud NAT."
- type = bool
- default = false
- nullable = false
-}
-
variable "essential_contacts" {
description = "Email used for essential contacts, unset if null."
type = string
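Review bot: Removing `enable_cloud_nat` and `dns.enable_logging` with no transition path changes behaviour silently for existing deployments: a tfvars file that still sets `enable_cloud_nat = true` only yields an undeclared-variable warning (as far as I recall Terraform's handling of tfvars), so NAT is quietly torn down on the next apply. `dns.enable_logging` at least fails loudly, because the object type no longer has that attribute. A deprecated placeholder that rejects any non-null value makes the stale setting fail at plan time, and the README should carry the migration note.
```hcl
# … unchanged: variable "dns" …

# Deprecated placeholder: makes stale tfvars that still set the old variable fail at plan time.
variable "enable_cloud_nat" {
  description = "Deprecated, use vpc_configs.<vpc>.cloudnat.enable instead."
  type        = bool
  default     = null
  validation {
    condition     = var.enable_cloud_nat == null
    error_message = "enable_cloud_nat was moved to vpc_configs.<vpc>.cloudnat.enable."
  }
}
```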
@@ -71,22 +63,22 @@ variable "essential_contacts" {
variable "factories_config" {
description = "Configuration for network resource factories."
type = object({
- data_dir = optional(string, "data")
- dns_policy_rules_file = optional(string, "data/dns-policy-rules.yaml")
- firewall_policy_name = optional(string, "net-default")
+ dashboards = optional(string, "data/dashboards")
+ dns_policy_rules = optional(string, "data/dns-policy-rules.yaml")
+ firewall = optional(object({
+ cidr_file = optional(string, "data/cidrs.yaml")
+ classic_rules = optional(string, "data/firewall-rules")
+ hierarchical = optional(object({
+ egress_rules = optional(string, "data/hierarchical-egress-rules.yaml")
+ ingress_rules = optional(string, "data/hierarchical-ingress-rules.yaml")
+ policy_name = optional(string, "net-default")
+ }), {})
+ policy_rules = optional(string, "data/firewall-policies")
+ }), {})
+ subnets = optional(string, "data/subnets")
})
- default = {
- data_dir = "data"
- }
+ default = {}
nullable = false
- validation {
- condition = var.factories_config.data_dir != null
- error_message = "Data folder needs to be non-null."
- }
- validation {
- condition = var.factories_config.firewall_policy_name != null
- error_message = "Firewall policy name needs to be non-null."
- }
}
variable "outputs_location" {
@@ -196,6 +188,59 @@ variable "spoke_configs" {
}
}
+variable "vpc_configs" {
+ description = "Optional VPC network configurations."
+ type = object({
+ dev = optional(object({
+ mtu = optional(number, 1500)
+ cloudnat = optional(object({
+ enable = optional(bool, false)
+ }), {})
+ dns = optional(object({
+ create_inbound_policy = optional(bool, true)
+ enable_logging = optional(bool, true)
+ }), {})
+ firewall = optional(object({
+ create_policy = optional(bool, false)
+ policy_has_priority = optional(bool, false)
+ use_classic = optional(bool, true)
+ }), {})
+ }), {})
+ landing = optional(object({
+ mtu = optional(number, 1500)
+ cloudnat = optional(object({
+ enable = optional(bool, false)
+ }), {})
+ dns = optional(object({
+ create_inbound_policy = optional(bool, true)
+ enable_logging = optional(bool, true)
+ }), {})
+ firewall = optional(object({
+ create_policy = optional(bool, false)
+ policy_has_priority = optional(bool, false)
+ use_classic = optional(bool, true)
+ }), {})
+ }), {})
+ prod = optional(object({
+ mtu = optional(number, 1500)
+ cloudnat = optional(object({
+ enable = optional(bool, false)
+ }), {})
+ dns = optional(object({
+ create_inbound_policy = optional(bool, true)
+ enable_logging = optional(bool, true)
+ }), {})
+ firewall = optional(object({
+ create_policy = optional(bool, false)
+ policy_has_priority = optional(bool, false)
+ use_classic = optional(bool, true)
+ }), {})
+ }), {})
+ })
+ nullable = false
+ default = {}
+}
+
variable "vpn_onprem_primary_config" {
description = "VPN gateway configuration for onprem interconnection in the primary region."
type = object({
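Review bot: `vpc_configs.<vpc>.firewall` accepts `use_classic = false` together with `create_policy = false`, which leaves that VPC with only the hierarchical policy and the implied rules, and neither the type nor the description says whether that is a supported configuration. `policy_has_priority` is also applied to the VPC enforcement order even when no policy is created. If "no VPC-level firewall" is intentional, state it in the description; otherwise a validation block rejects the combination at plan time.
```hcl
variable "vpc_configs" {
  # … unchanged: description and type definition …
  nullable = false
  default  = {}
  validation {
    condition = alltrue([
      for v in [var.vpc_configs.dev, var.vpc_configs.landing, var.vpc_configs.prod] :
      v.firewall.use_classic || v.firewall.create_policy
    ])
    error_message = "Each VPC needs firewall.use_classic or firewall.create_policy enabled."
  }
}
```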
diff --git a/fast/stages/2-networking-b-nva/README.md b/fast/stages/2-networking-b-nva/README.md
index c8f9b78bb..36bddf8c0 100644
--- a/fast/stages/2-networking-b-nva/README.md
+++ b/fast/stages/2-networking-b-nva/README.md
@@ -541,10 +541,10 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
| [main.tf](./main.tf) | Networking folder and hierarchical policy. | folder · net-firewall-policy | |
| [monitoring-vpn-onprem.tf](./monitoring-vpn-onprem.tf) | VPN monitoring alerts. | | google_monitoring_alert_policy |
| [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | google_monitoring_dashboard |
-| [net-dev.tf](./net-dev.tf) | Dev spoke VPC and related resources. | net-vpc · net-vpc-firewall · net-vpc-peering · project | |
-| [net-landing.tf](./net-landing.tf) | Landing VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | |
-| [net-prod.tf](./net-prod.tf) | Production spoke VPC and related resources. | net-vpc · net-vpc-firewall · net-vpc-peering · project | |
-| [net-regional-vpc.tf](./net-regional-vpc.tf) | None | net-vpc · net-vpc-firewall | |
+| [net-dev.tf](./net-dev.tf) | Dev spoke VPC and related resources. | net-firewall-policy · net-vpc · net-vpc-firewall · net-vpc-peering · project | |
+| [net-landing.tf](./net-landing.tf) | Landing VPC and related resources. | net-cloudnat · net-firewall-policy · net-vpc · net-vpc-firewall · project | |
+| [net-prod.tf](./net-prod.tf) | Production spoke VPC and related resources. | net-firewall-policy · net-vpc · net-vpc-firewall · net-vpc-peering · project | |
+| [net-regional-vpc.tf](./net-regional-vpc.tf) | Regional VPCs and related resources. | net-firewall-policy · net-vpc · net-vpc-firewall | |
| [nva-bgp-ncc.tf](./nva-bgp-ncc.tf) | None | | google_network_connectivity_hub |
| [nva-bgp.tf](./nva-bgp.tf) | None | | google_compute_address |
| [nva-regional-vpc.tf](./nva-regional-vpc.tf) | None | | |
@@ -568,19 +568,19 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
| [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | |
| [create_test_instances](variables.tf#L42) | Enables the creation of test VMs in each VPC, useful to test and troubleshoot connectivity. | bool | | false | |
| [custom_roles](variables-fast.tf#L40) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
-| [dns](variables.tf#L48) | DNS configuration. | object({…}) | | {} | |
-| [enable_cloud_nat](variables.tf#L58) | Deploy Cloud NAT. | bool | | false | |
-| [essential_contacts](variables.tf#L65) | Email used for essential contacts, unset if null. | string | | null | |
-| [factories_config](variables.tf#L71) | Configuration for network resource factories. | object({…}) | | {…} | |
-| [gcp_ranges](variables.tf#L92) | GCP address ranges in name => range format. | map(string) | | {…} | |
-| [network_mode](variables.tf#L109) | Selection of the network design to deploy. | string | | "simple" | |
-| [outputs_location](variables.tf#L120) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
-| [psa_ranges](variables.tf#L126) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | {} | |
-| [regions](variables.tf#L146) | Region definitions. | object({…}) | | {…} | |
+| [dns](variables.tf#L48) | DNS configuration. | object({…}) | | {} | |
+| [essential_contacts](variables.tf#L57) | Email used for essential contacts, unset if null. | string | | null | |
+| [factories_config](variables.tf#L63) | Configuration for network resource factories. | object({…}) | | {} | |
+| [gcp_ranges](variables.tf#L84) | GCP address ranges in name => range format. | map(string) | | {…} | |
+| [network_mode](variables.tf#L101) | Selection of the network design to deploy. | string | | "simple" | |
+| [outputs_location](variables.tf#L112) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
+| [psa_ranges](variables.tf#L118) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | {} | |
+| [regions](variables.tf#L138) | Region definitions. | object({…}) | | {…} | |
| [stage_config](variables-fast.tf#L86) | FAST stage configuration. | object({…}) | | {} | 1-resman |
| [tag_values](variables-fast.tf#L100) | Root-level tag values. | map(string) | | {} | 1-resman |
-| [vpn_onprem_primary_config](variables.tf#L158) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | |
-| [vpn_onprem_secondary_config](variables.tf#L201) | VPN gateway configuration for onprem interconnection in the secondary region. | object({…}) | | null | |
+| [vpc_configs](variables.tf#L150) | Optional VPC network configurations. | object({…}) | | {} | |
+| [vpn_onprem_primary_config](variables.tf#L233) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | |
+| [vpn_onprem_secondary_config](variables.tf#L276) | VPN gateway configuration for onprem interconnection in the secondary region. | object({…}) | | null | |
## Outputs
diff --git a/fast/stages/2-networking-b-nva/dns-landing.tf b/fast/stages/2-networking-b-nva/dns-landing.tf
index f36965a2f..415a96ceb 100644
--- a/fast/stages/2-networking-b-nva/dns-landing.tf
+++ b/fast/stages/2-networking-b-nva/dns-landing.tf
@@ -98,7 +98,7 @@ module "landing-dns-policy-googleapis" {
project_id = module.landing-project.project_id
name = "googleapis"
factories_config = {
- rules = var.factories_config.dns_policy_rules_file
+ rules = var.factories_config.dns_policy_rules
}
networks = merge(
{
diff --git a/fast/stages/2-networking-b-nva/main.tf b/fast/stages/2-networking-b-nva/main.tf
index 179ddbfaf..2493c6dd8 100644
--- a/fast/stages/2-networking-b-nva/main.tf
+++ b/fast/stages/2-networking-b-nva/main.tf
@@ -76,10 +76,11 @@ module "folder" {
module "firewall-policy-default" {
source = "../../../modules/net-firewall-policy"
- name = var.factories_config.firewall_policy_name
+ name = var.factories_config.firewall.hierarchical.policy_name
parent_id = module.folder.id
factories_config = {
- cidr_file_path = "${var.factories_config.data_dir}/cidrs.yaml"
- ingress_rules_file_path = "${var.factories_config.data_dir}/hierarchical-ingress-rules.yaml"
+ cidr_file_path = var.factories_config.firewall.cidr_file
+ egress_rules_file_path = var.factories_config.firewall.hierarchical.egress_rules
+ ingress_rules_file_path = var.factories_config.firewall.hierarchical.ingress_rules
}
}
diff --git a/fast/stages/2-networking-b-nva/monitoring.tf b/fast/stages/2-networking-b-nva/monitoring.tf
index 95bb097ae..776ee24ae 100644
--- a/fast/stages/2-networking-b-nva/monitoring.tf
+++ b/fast/stages/2-networking-b-nva/monitoring.tf
@@ -17,7 +17,7 @@
# tfdoc:file:description Network monitoring dashboards.
locals {
- dashboard_path = "${var.factories_config.data_dir}/dashboards"
+ dashboard_path = var.factories_config.dashboards
dashboard_files = fileset(local.dashboard_path, "*.json")
dashboards = {
for filename in local.dashboard_files :
diff --git a/fast/stages/2-networking-b-nva/net-dev.tf b/fast/stages/2-networking-b-nva/net-dev.tf
index eec1d5586..5032ea921 100644
--- a/fast/stages/2-networking-b-nva/net-dev.tf
+++ b/fast/stages/2-networking-b-nva/net-dev.tf
@@ -16,6 +16,21 @@
# tfdoc:file:description Dev spoke VPC and related resources.
+locals {
+ # streamline VPC configuration conditionals for modules by moving them here
+ dev_cfg = {
+ dns_logging = var.vpc_configs.dev.dns.enable_logging == true
+ dns_policy = var.vpc_configs.dev.dns.create_inbound_policy == true
+ fw_classic = var.vpc_configs.dev.firewall.use_classic == true
+ fw_order = (
+ var.vpc_configs.dev.firewall.policy_has_priority == true
+ ? "BEFORE_CLASSIC_FIREWALL"
+ : "AFTER_CLASSIC_FIREWALL"
+ )
+ fw_policy = var.vpc_configs.dev.firewall.create_policy == true
+ }
+}
+
module "dev-spoke-project" {
source = "../../../modules/project"
billing_account = var.billing_account.id
@@ -69,16 +84,18 @@ module "dev-spoke-vpc" {
source = "../../../modules/net-vpc"
project_id = module.dev-spoke-project.project_id
name = "dev-spoke-0"
- mtu = 1500
- dns_policy = {
- logging = var.dns.enable_logging
+ mtu = var.vpc_configs.dev.mtu
+ dns_policy = !local.dev_cfg.dns_policy ? {} : {
+ inbound = true
+ logging = local.dev_cfg.dns_logging
}
factories_config = {
context = { regions = var.regions }
- subnets_folder = "${var.factories_config.data_dir}/subnets/dev"
+ subnets_folder = "${var.factories_config.subnets}/dev"
}
- delete_default_routes_on_create = true
- psa_configs = var.psa_ranges.dev
+ delete_default_routes_on_create = true
+ firewall_policy_enforcement_order = local.dev_cfg.fw_order
+ psa_configs = var.psa_ranges.dev
# Set explicit routes for googleapis; send everything else to NVAs
create_googleapis_routes = {
private = true
@@ -118,14 +135,32 @@ module "dev-spoke-vpc" {
module "dev-spoke-firewall" {
source = "../../../modules/net-vpc-firewall"
+ count = local.dev_cfg.fw_classic ? 1 : 0
project_id = module.dev-spoke-project.project_id
network = module.dev-spoke-vpc.name
default_rules_config = {
disabled = true
}
factories_config = {
- cidr_tpl_file = "${var.factories_config.data_dir}/cidrs.yaml"
- rules_folder = "${var.factories_config.data_dir}/firewall-rules/dev"
+ cidr_tpl_file = var.factories_config.firewall.cidr_file
+ rules_folder = "${var.factories_config.firewall.classic_rules}/dev"
+ }
+}
+
+module "dev-firewall-policy" {
+ source = "../../../modules/net-firewall-policy"
+ count = local.dev_cfg.fw_policy ? 1 : 0
+ name = "dev-spoke-0"
+ parent_id = module.dev-spoke-project.project_id
+ region = "global"
+ attachments = {
+ dev-spoke-0 = module.dev-spoke-vpc.id
+ }
+ # TODO: add context for security groups
+ factories_config = {
+ cidr_file_path = var.factories_config.firewall.cidr_file
+ egress_rules_file_path = "${var.factories_config.firewall.policy_rules}/dev/egress.yaml"
+ ingress_rules_file_path = "${var.factories_config.firewall.policy_rules}/dev/ingress.yaml"
}
}
diff --git a/fast/stages/2-networking-b-nva/net-landing.tf b/fast/stages/2-networking-b-nva/net-landing.tf
index 5bd65e0b8..91ec3a89b 100644
--- a/fast/stages/2-networking-b-nva/net-landing.tf
+++ b/fast/stages/2-networking-b-nva/net-landing.tf
@@ -16,6 +16,33 @@
# tfdoc:file:description Landing VPC and related resources.
+locals {
+ # streamline VPC configuration conditionals for modules by moving them here
+ dmz_cfg = {
+ cloudnat = var.vpc_configs.dmz.cloudnat.enable == true
+ dns_logging = var.vpc_configs.dmz.dns.enable_logging == true
+ dns_policy = var.vpc_configs.dmz.dns.create_inbound_policy == true
+ fw_classic = var.vpc_configs.dmz.firewall.use_classic == true
+ fw_order = (
+ var.vpc_configs.dmz.firewall.policy_has_priority == true
+ ? "BEFORE_CLASSIC_FIREWALL"
+ : "AFTER_CLASSIC_FIREWALL"
+ )
+ fw_policy = var.vpc_configs.dmz.firewall.create_policy == true
+ }
+ landing_cfg = {
+ dns_logging = var.vpc_configs.landing.dns.enable_logging == true
+ dns_policy = var.vpc_configs.landing.dns.create_inbound_policy == true
+ fw_classic = var.vpc_configs.landing.firewall.use_classic == true
+ fw_order = (
+ var.vpc_configs.landing.firewall.policy_has_priority == true
+ ? "BEFORE_CLASSIC_FIREWALL"
+ : "AFTER_CLASSIC_FIREWALL"
+ )
+ fw_policy = var.vpc_configs.landing.firewall.create_policy == true
+ }
+}
+
module "landing-project" {
source = "../../../modules/project"
billing_account = var.billing_account.id
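Review bot: The `dmz_cfg`/`landing_cfg` locals here, and the `dev_cfg`, `prod_cfg`, `regpri_cfg` and `regsec_cfg` locals in the sibling files, repeat the same six-line mapping with only the `var.vpc_configs.<key>` path changing, and these locals are what decide whether a VPC gets a classic firewall or a policy at all. A single `vpc_cfg = { for k, v in var.vpc_configs : k => { ... } }` local, indexed as `local.vpc_cfg.dmz`, would state the mapping once; since only `dmz` carries `cloudnat`, that entry would need `try(v.cloudnat.enable, false) == true`. The `== true` comparisons look intended to coerce a possible `null` to `false`; a one-line comment, `# == true coerces null to false`, would stop the next reader from simplifying them away.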
@@ -48,17 +75,18 @@ module "dmz-vpc" {
source = "../../../modules/net-vpc"
project_id = module.landing-project.project_id
name = "prod-dmz-0"
- mtu = 1500
- dns_policy = {
+ mtu = var.vpc_configs.dmz.mtu
+ dns_policy = !local.dmz_cfg.dns_policy ? {} : {
inbound = true
- logging = var.dns.enable_logging
+ logging = local.dmz_cfg.dns_logging
}
create_googleapis_routes = null
factories_config = {
context = { regions = var.regions }
- subnets_folder = "${var.factories_config.data_dir}/subnets/dmz"
+ subnets_folder = "${var.factories_config.subnets}/dmz"
}
- delete_default_routes_on_create = true
+ delete_default_routes_on_create = true
+ firewall_policy_enforcement_order = local.dmz_cfg.fw_order
routes = merge(
{
default = {
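Review bot: DNS query logging is now tied to creating the inbound policy: with `create_inbound_policy = false` the `dns_policy` argument collapses to `{}` and `enable_logging` is ignored, so an operator who turns off inbound forwarding on the DMZ silently also loses the DNS logs that the removed `logging = var.dns.enable_logging` line always applied. Assuming the `net-vpc` module accepts `inbound = false` (the removed prod block in this diff already passed `dns_policy` without `inbound`), the two can be decoupled with `dns_policy = !(local.dmz_cfg.dns_policy || local.dmz_cfg.dns_logging) ? {} : {`, `inbound = local.dmz_cfg.dns_policy`, `logging = local.dmz_cfg.dns_logging`. The same coupling recurs in every VPC module touched by this change. The `dmz-vpc` module block continues past the hunk.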
@@ -88,14 +116,32 @@ module "dmz-vpc" {
module "dmz-firewall" {
source = "../../../modules/net-vpc-firewall"
+ count = local.dmz_cfg.fw_classic ? 1 : 0
project_id = module.landing-project.project_id
network = module.dmz-vpc.name
default_rules_config = {
disabled = true
}
factories_config = {
- cidr_tpl_file = "${var.factories_config.data_dir}/cidrs.yaml"
- rules_folder = "${var.factories_config.data_dir}/firewall-rules/dmz"
+ cidr_tpl_file = var.factories_config.firewall.cidr_file
+ rules_folder = "${var.factories_config.firewall.classic_rules}/dmz"
+ }
+}
+
+module "dmz-firewall-policy" {
+ source = "../../../modules/net-firewall-policy"
+ count = local.dmz_cfg.fw_policy ? 1 : 0
+ name = "prod-dmz-0"
+ parent_id = module.landing-project.project_id
+ region = "global"
+ attachments = {
+ dmz-0 = module.dmz-vpc.id
+ }
+ # TODO: add context for security groups
+ factories_config = {
+ cidr_file_path = var.factories_config.firewall.cidr_file
+ egress_rules_file_path = "${var.factories_config.firewall.policy_rules}/dmz/egress.yaml"
+ ingress_rules_file_path = "${var.factories_config.firewall.policy_rules}/dmz/ingress.yaml"
}
}
@@ -103,7 +149,7 @@ module "dmz-firewall" {
module "dmz-nat-primary" {
source = "../../../modules/net-cloudnat"
- count = var.enable_cloud_nat ? 1 : 0
+ count = local.dmz_cfg.cloudnat ? 1 : 0
project_id = module.landing-project.project_id
region = var.regions.primary
name = local.region_shortnames[var.regions.primary]
@@ -114,7 +160,7 @@ module "dmz-nat-primary" {
module "dmz-nat-secondary" {
source = "../../../modules/net-cloudnat"
- count = var.enable_cloud_nat ? 1 : 0
+ count = local.dmz_cfg.cloudnat ? 1 : 0
project_id = module.landing-project.project_id
region = var.regions.secondary
name = local.region_shortnames[var.regions.secondary]
@@ -129,15 +175,17 @@ module "landing-vpc" {
source = "../../../modules/net-vpc"
project_id = module.landing-project.project_id
name = "prod-landing-0"
+ mtu = var.vpc_configs.landing.mtu
delete_default_routes_on_create = true
- mtu = 1500
+ dns_policy = !local.landing_cfg.dns_policy ? {} : {
+ inbound = true
+ logging = local.landing_cfg.dns_logging
+ }
factories_config = {
context = { regions = var.regions }
- subnets_folder = "${var.factories_config.data_dir}/subnets/landing"
- }
- dns_policy = {
- inbound = true
+ subnets_folder = "${var.factories_config.subnets}/landing"
}
+ firewall_policy_enforcement_order = local.landing_cfg.fw_order
# Set explicit routes for googleapis in case the default route is deleted
create_googleapis_routes = {
private = true
@@ -147,13 +195,31 @@ module "landing-vpc" {
module "landing-firewall" {
source = "../../../modules/net-vpc-firewall"
+ count = local.landing_cfg.fw_classic ? 1 : 0
project_id = module.landing-project.project_id
network = module.landing-vpc.name
default_rules_config = {
disabled = true
}
factories_config = {
- cidr_tpl_file = "${var.factories_config.data_dir}/cidrs.yaml"
- rules_folder = "${var.factories_config.data_dir}/firewall-rules/landing"
+ cidr_tpl_file = var.factories_config.firewall.cidr_file
+ rules_folder = "${var.factories_config.firewall.classic_rules}/landing"
+ }
+}
+
+module "landing-firewall-policy" {
+ source = "../../../modules/net-firewall-policy"
+ count = local.landing_cfg.fw_policy ? 1 : 0
+ name = "prod-landing-0"
+ parent_id = module.landing-project.project_id
+ region = "global"
+ attachments = {
+ landing-0 = module.landing-vpc.id
+ }
+ # TODO: add context for security groups
+ factories_config = {
+ cidr_file_path = var.factories_config.firewall.cidr_file
+ egress_rules_file_path = "${var.factories_config.firewall.policy_rules}/landing/egress.yaml"
+ ingress_rules_file_path = "${var.factories_config.firewall.policy_rules}/landing/ingress.yaml"
}
}
diff --git a/fast/stages/2-networking-b-nva/net-prod.tf b/fast/stages/2-networking-b-nva/net-prod.tf
index bb59e58a4..a40dc9876 100644
--- a/fast/stages/2-networking-b-nva/net-prod.tf
+++ b/fast/stages/2-networking-b-nva/net-prod.tf
@@ -16,6 +16,21 @@
# tfdoc:file:description Production spoke VPC and related resources.
+locals {
+ # streamline VPC configuration conditionals for modules by moving them here
+ prod_cfg = {
+ dns_logging = var.vpc_configs.prod.dns.enable_logging == true
+ dns_policy = var.vpc_configs.prod.dns.create_inbound_policy == true
+ fw_classic = var.vpc_configs.prod.firewall.use_classic == true
+ fw_order = (
+ var.vpc_configs.prod.firewall.policy_has_priority == true
+ ? "BEFORE_CLASSIC_FIREWALL"
+ : "AFTER_CLASSIC_FIREWALL"
+ )
+ fw_policy = var.vpc_configs.prod.firewall.create_policy == true
+ }
+}
+
module "prod-spoke-project" {
source = "../../../modules/project"
billing_account = var.billing_account.id
@@ -69,16 +84,18 @@ module "prod-spoke-vpc" {
source = "../../../modules/net-vpc"
project_id = module.prod-spoke-project.project_id
name = "prod-spoke-0"
- mtu = 1500
- dns_policy = {
- logging = var.dns.enable_logging
+ mtu = var.vpc_configs.prod.mtu
+ dns_policy = !local.prod_cfg.dns_policy ? {} : {
+ inbound = true
+ logging = local.prod_cfg.dns_logging
}
factories_config = {
context = { regions = var.regions }
- subnets_folder = "${var.factories_config.data_dir}/subnets/prod"
+ subnets_folder = "${var.factories_config.subnets}/prod"
}
- delete_default_routes_on_create = true
- psa_configs = var.psa_ranges.prod
+ delete_default_routes_on_create = true
+ firewall_policy_enforcement_order = local.prod_cfg.fw_order
+ psa_configs = var.psa_ranges.prod
# Set explicit routes for googleapis; send everything else to NVAs
create_googleapis_routes = {
private = true
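Review bot: The removed lines show the prod spoke previously had `dns_policy = { logging = ... }` with no `inbound`, while the new block sets `inbound = true` whenever `create_inbound_policy` is true, and that flag defaults to `true` in `vpc_configs`; with default inputs this change therefore creates an inbound DNS forwarding policy on the prod spoke that did not exist before. In the visible parts of this diff only the DMZ and landing VPCs had `inbound = true`, so a forwarder endpoint in the spoke is new DNS surface for anything routed into it and should either default off for spokes or be called out in the README. A comment on the block, `# inbound DNS policy is opt-out via vpc_configs.prod.dns.create_inbound_policy`, would make the new default visible; the logging-only case is also lost when the policy is disabled, as in the other VPCs. The `prod-spoke-vpc` module block continues past the hunk.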
@@ -118,14 +135,32 @@ module "prod-spoke-vpc" {
module "prod-spoke-firewall" {
source = "../../../modules/net-vpc-firewall"
+ count = local.prod_cfg.fw_classic ? 1 : 0
project_id = module.prod-spoke-project.project_id
network = module.prod-spoke-vpc.name
default_rules_config = {
disabled = true
}
factories_config = {
- cidr_tpl_file = "${var.factories_config.data_dir}/cidrs.yaml"
- rules_folder = "${var.factories_config.data_dir}/firewall-rules/prod"
+ cidr_tpl_file = var.factories_config.firewall.cidr_file
+ rules_folder = "${var.factories_config.firewall.classic_rules}/prod"
+ }
+}
+
+module "prod-firewall-policy" {
+ source = "../../../modules/net-firewall-policy"
+ count = local.prod_cfg.fw_policy ? 1 : 0
+ name = "prod-spoke-0"
+ parent_id = module.prod-spoke-project.project_id
+ region = "global"
+ attachments = {
+ prod-spoke-0 = module.prod-spoke-vpc.id
+ }
+ # TODO: add context for security groups
+ factories_config = {
+ cidr_file_path = var.factories_config.firewall.cidr_file
+ egress_rules_file_path = "${var.factories_config.firewall.policy_rules}/prod/egress.yaml"
+ ingress_rules_file_path = "${var.factories_config.firewall.policy_rules}/prod/ingress.yaml"
}
}
diff --git a/fast/stages/2-networking-b-nva/net-regional-vpc.tf b/fast/stages/2-networking-b-nva/net-regional-vpc.tf
index 72e225f7f..3e7aecd6a 100644
--- a/fast/stages/2-networking-b-nva/net-regional-vpc.tf
+++ b/fast/stages/2-networking-b-nva/net-regional-vpc.tf
@@ -14,21 +14,61 @@
* limitations under the License.
*/
-# Regional Primary VPC
+# tfdoc:file:description Regional VPCs and related resources.
+
+locals {
+ # streamline VPC configuration conditionals for modules by moving them here
+ regpri_cfg = {
+ dns_logging = var.vpc_configs.regional_primary.dns.enable_logging == true
+ dns_policy = var.vpc_configs.regional_primary.dns.create_inbound_policy == true
+ fw_classic = (
+ var.network_mode == "regional_vpc" &&
+ var.vpc_configs.regional_primary.firewall.use_classic == true
+ )
+ fw_order = (
+ var.vpc_configs.regional_primary.firewall.policy_has_priority == true
+ ? "BEFORE_CLASSIC_FIREWALL"
+ : "AFTER_CLASSIC_FIREWALL"
+ )
+ fw_policy = (
+ var.network_mode == "regional_vpc" &&
+ var.vpc_configs.regional_primary.firewall.create_policy == true
+ )
+ }
+ regsec_cfg = {
+ dns_logging = var.vpc_configs.regional_secondary.dns.enable_logging == true
+ dns_policy = var.vpc_configs.regional_secondary.dns.create_inbound_policy == true
+ fw_classic = (
+ var.network_mode == "regional_vpc" &&
+ var.vpc_configs.regional_secondary.firewall.use_classic == true
+ )
+ fw_order = (
+ var.vpc_configs.regional_secondary.firewall.policy_has_priority == true
+ ? "BEFORE_CLASSIC_FIREWALL"
+ : "AFTER_CLASSIC_FIREWALL"
+ )
+ fw_policy = (
+ var.network_mode == "regional_vpc" &&
+ var.vpc_configs.regional_secondary.firewall.create_policy == true
+ )
+ }
+}
module "regional-primary-vpc" {
- count = (var.network_mode == "regional_vpc") ? 1 : 0
- source = "../../../modules/net-vpc"
- project_id = module.landing-project.project_id
- name = "prod-regional-primary-0"
- delete_default_routes_on_create = true
- mtu = 1500
+ count = (var.network_mode == "regional_vpc") ? 1 : 0
+ source = "../../../modules/net-vpc"
+ project_id = module.landing-project.project_id
+ name = "prod-regional-primary-0"
+ delete_default_routes_on_create = true
+ firewall_policy_enforcement_order = local.regpri_cfg.fw_order
+ mtu = var.vpc_configs.regional_primary.mtu
+ dns_policy = !local.regpri_cfg.dns_policy ? {} : {
+ inbound = true
+ logging = local.regpri_cfg.dns_logging
+ }
factories_config = {
context = { regions = var.regions }
- subnets_folder = "${var.factories_config.data_dir}/subnets/regional-pri"
- }
- dns_policy = {
- inbound = true
+ subnets_folder = "${var.factories_config.subnets}/regional-pri"
}
routes = {
default = {
@@ -46,7 +86,7 @@ module "regional-primary-vpc" {
}
module "regional-primary-firewall" {
- count = (var.network_mode == "regional_vpc") ? 1 : 0
+ count = local.regpri_cfg.fw_classic ? 1 : 0
source = "../../../modules/net-vpc-firewall"
project_id = module.landing-project.project_id
network = module.regional-primary-vpc[0].name
@@ -54,27 +94,45 @@ module "regional-primary-firewall" {
disabled = true
}
factories_config = {
- cidr_tpl_file = "${var.factories_config.data_dir}/cidrs.yaml"
- rules_folder = "${var.factories_config.data_dir}/firewall-rules/regional-pri"
+ cidr_tpl_file = var.factories_config.firewall.cidr_file
+ rules_folder = "${var.factories_config.firewall.classic_rules}/regional-pri"
+ }
+}
+
+module "regional-primary-firewall-policy" {
+ source = "../../../modules/net-firewall-policy"
+ count = local.regpri_cfg.fw_policy ? 1 : 0
+ name = "prod-regional-primary-0"
+ parent_id = module.landing-project.project_id
+ region = "global"
+ attachments = {
+ regional-primary-0 = module.regional-primary-vpc[0].id
+ }
+ # TODO: add context for security groups
+ factories_config = {
+ cidr_file_path = var.factories_config.firewall.cidr_file
+ egress_rules_file_path = "${var.factories_config.firewall.policy_rules}/regional-primary/egress.yaml"
+ ingress_rules_file_path = "${var.factories_config.firewall.policy_rules}/regional-primary/ingress.yaml"
}
}
# Regional Secondary VPC
module "regional-secondary-vpc" {
- count = (var.network_mode == "regional_vpc") ? 1 : 0
-
- source = "../../../modules/net-vpc"
- project_id = module.landing-project.project_id
- name = "prod-regional-secondary-0"
- delete_default_routes_on_create = true
- mtu = 1500
+ count = (var.network_mode == "regional_vpc") ? 1 : 0
+ source = "../../../modules/net-vpc"
+ project_id = module.landing-project.project_id
+ name = "prod-regional-secondary-0"
+ delete_default_routes_on_create = true
+ firewall_policy_enforcement_order = local.regsec_cfg.fw_order
+ mtu = var.vpc_configs.regional_secondary.mtu
+ dns_policy = !local.regsec_cfg.dns_policy ? {} : {
+ inbound = true
+ logging = local.regsec_cfg.dns_logging
+ }
factories_config = {
context = { regions = var.regions }
- subnets_folder = "${var.factories_config.data_dir}/subnets/regional-sec"
- }
- dns_policy = {
- inbound = true
+ subnets_folder = "${var.factories_config.subnets}/regional-sec"
}
routes = {
default = {
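Review bot: The classic rules folder uses the short name `regional-pri`, matching the subnets folder, but the new policy files are read from `${policy_rules}/regional-primary/…`, so the two factories expect differently named directories for the same network. That is easy to miss when populating `data/`; depending on how `net-firewall-policy` treats a missing file, enabling `create_policy` for this VPC either fails at plan time or attaches a policy with no rules to `prod-regional-primary-0`, which is harmless but not what the operator asked for. Pick one naming, e.g. `egress_rules_file_path = "${var.factories_config.firewall.policy_rules}/regional-pri/egress.yaml"` and the matching ingress path, or document both layouts in the `factories_config` description. The `regional-primary-firewall` module starts before the hunk.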
@@ -92,8 +150,7 @@ module "regional-secondary-vpc" {
}
module "regional-secondary-firewall" {
- count = (var.network_mode == "regional_vpc") ? 1 : 0
-
+ count = local.regsec_cfg.fw_classic ? 1 : 0
source = "../../../modules/net-vpc-firewall"
project_id = module.landing-project.project_id
network = module.regional-secondary-vpc[0].name
@@ -101,7 +158,24 @@ module "regional-secondary-firewall" {
disabled = true
}
factories_config = {
- cidr_tpl_file = "${var.factories_config.data_dir}/cidrs.yaml"
- rules_folder = "${var.factories_config.data_dir}/firewall-rules/regional-sec"
+ cidr_tpl_file = var.factories_config.firewall.cidr_file
+ rules_folder = "${var.factories_config.firewall.classic_rules}/regional-sec"
+ }
+}
+
+module "regional-secondary-firewall-policy" {
+ source = "../../../modules/net-firewall-policy"
+ count = local.regsec_cfg.fw_policy ? 1 : 0
+ name = "prod-regional-secondary-0"
+ parent_id = module.landing-project.project_id
+ region = "global"
+ attachments = {
+ regional-secondary-0 = module.regional-secondary-vpc[0].id
+ }
+ # TODO: add context for security groups
+ factories_config = {
+ cidr_file_path = var.factories_config.firewall.cidr_file
+ egress_rules_file_path = "${var.factories_config.firewall.policy_rules}/regional-secondary/egress.yaml"
+ ingress_rules_file_path = "${var.factories_config.firewall.policy_rules}/regional-secondary/ingress.yaml"
}
}
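Review bot: Same naming mismatch as for the primary regional VPC: classic rules come from `.../regional-sec` while policy rules come from `.../regional-secondary/egress.yaml` and `.../regional-secondary/ingress.yaml`. Aligning the policy paths to `regional-sec` (or the classic path to `regional-secondary`) keeps the data layout predictable for whoever enables `create_policy` later. The `regional-secondary-firewall` module starts before the hunk.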
diff --git a/fast/stages/2-networking-b-nva/variables.tf b/fast/stages/2-networking-b-nva/variables.tf
index cc8e8065d..f211b0895 100644
--- a/fast/stages/2-networking-b-nva/variables.tf
+++ b/fast/stages/2-networking-b-nva/variables.tf
@@ -48,20 +48,12 @@ variable "create_test_instances" {
variable "dns" {
description = "DNS configuration."
type = object({
- enable_logging = optional(bool, true)
- resolvers = optional(list(string), [])
+ resolvers = optional(list(string), [])
})
default = {}
nullable = false
}
-variable "enable_cloud_nat" {
- description = "Deploy Cloud NAT."
- type = bool
- default = false
- nullable = false
-}
-
variable "essential_contacts" {
description = "Email used for essential contacts, unset if null."
type = string
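Review bot: `dns.enable_logging` and `enable_cloud_nat` are removed without a pointer to their replacements, and the failure mode for existing tfvars is uneven: a top-level `enable_cloud_nat = true` only triggers Terraform's undeclared-variable warning, so a deployment that relied on it would see its Cloud NAT planned for destruction, while `enable_logging` inside the `dns` object may be rejected or silently dropped depending on Terraform's object conversion. Updating the description to `description = "DNS configuration. Logging and inbound policies are set per VPC in var.vpc_configs."` makes the first case self-explanatory, and the `enable_cloud_nat` → `vpc_configs.dmz.cloudnat.enable` move deserves a line in the stage README so nobody loses NAT on the first apply after upgrading.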
@@ -71,22 +63,22 @@ variable "essential_contacts" {
variable "factories_config" {
description = "Configuration for network resource factories."
type = object({
- data_dir = optional(string, "data")
- dns_policy_rules_file = optional(string, "data/dns-policy-rules.yaml")
- firewall_policy_name = optional(string, "net-default")
+ dashboards = optional(string, "data/dashboards")
+ dns_policy_rules = optional(string, "data/dns-policy-rules.yaml")
+ firewall = optional(object({
+ cidr_file = optional(string, "data/cidrs.yaml")
+ classic_rules = optional(string, "data/firewall-rules")
+ hierarchical = optional(object({
+ egress_rules = optional(string, "data/hierarchical-egress-rules.yaml")
+ ingress_rules = optional(string, "data/hierarchical-ingress-rules.yaml")
+ policy_name = optional(string, "net-default")
+ }), {})
+ policy_rules = optional(string, "data/firewall-policies")
+ }), {})
+ subnets = optional(string, "data/subnets")
})
- default = {
- data_dir = "data"
- }
+ default = {}
nullable = false
- validation {
- condition = var.factories_config.data_dir != null
- error_message = "Data folder needs to be non-null."
- }
- validation {
- condition = var.factories_config.firewall_policy_name != null
- error_message = "Firewall policy name needs to be non-null."
- }
}
variable "gcp_ranges" {
@@ -155,6 +147,89 @@ variable "regions" {
}
}
+variable "vpc_configs" {
+ description = "Optional VPC network configurations."
+ type = object({
+ dev = optional(object({
+ mtu = optional(number, 1500)
+ dns = optional(object({
+ create_inbound_policy = optional(bool, true)
+ enable_logging = optional(bool, true)
+ }), {})
+ firewall = optional(object({
+ create_policy = optional(bool, false)
+ policy_has_priority = optional(bool, false)
+ use_classic = optional(bool, true)
+ }), {})
+ }), {})
+ dmz = optional(object({
+ mtu = optional(number, 1500)
+ cloudnat = optional(object({
+ enable = optional(bool, false)
+ }), {})
+ dns = optional(object({
+ create_inbound_policy = optional(bool, true)
+ enable_logging = optional(bool, true)
+ }), {})
+ firewall = optional(object({
+ create_policy = optional(bool, false)
+ policy_has_priority = optional(bool, false)
+ use_classic = optional(bool, true)
+ }), {})
+ }), {})
+ landing = optional(object({
+ mtu = optional(number, 1500)
+ dns = optional(object({
+ create_inbound_policy = optional(bool, true)
+ enable_logging = optional(bool, true)
+ }), {})
+ firewall = optional(object({
+ create_policy = optional(bool, false)
+ policy_has_priority = optional(bool, false)
+ use_classic = optional(bool, true)
+ }), {})
+ }), {})
+ prod = optional(object({
+ mtu = optional(number, 1500)
+ dns = optional(object({
+ create_inbound_policy = optional(bool, true)
+ enable_logging = optional(bool, true)
+ }), {})
+ firewall = optional(object({
+ create_policy = optional(bool, false)
+ policy_has_priority = optional(bool, false)
+ use_classic = optional(bool, true)
+ }), {})
+ }), {})
+ regional_primary = optional(object({
+ mtu = optional(number, 1500)
+ dns = optional(object({
+ create_inbound_policy = optional(bool, true)
+ enable_logging = optional(bool, true)
+ }), {})
+ firewall = optional(object({
+ create_policy = optional(bool, false)
+ policy_has_priority = optional(bool, false)
+ use_classic = optional(bool, true)
+ }), {})
+ }), {})
+ regional_secondary = optional(object({
+ mtu = optional(number, 1500)
+ dns = optional(object({
+ create_inbound_policy = optional(bool, true)
+ enable_logging = optional(bool, true)
+ }), {})
+ firewall = optional(object({
+ create_policy = optional(bool, false)
+ policy_has_priority = optional(bool, false)
+ use_classic = optional(bool, true)
+ }), {})
+ }), {})
+ })
+ nullable = false
+ default = {}
+}
+
variable "vpn_onprem_primary_config" {
description = "VPN gateway configuration for onprem interconnection in the primary region."
type = object({
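Review bot: Nothing prevents `use_classic = false` together with `create_policy = false`, which leaves that VPC with only the hierarchical policy and the implied rules, and `policy_has_priority = true` with `create_policy = false` is a no-op that reads as if it did something; the three flags are repeated six times with no description of their effect. A `validation` block such as `condition = alltrue([for k, v in var.vpc_configs : !(v.firewall.policy_has_priority && !v.firewall.create_policy)])` catches the no-op, and the description should spell out the mapping the locals implement: `policy_has_priority` selects `BEFORE_CLASSIC_FIREWALL`, `use_classic` instantiates `net-vpc-firewall`, `create_policy` creates a project-level network firewall policy. Whether a VPC with no project-level firewall at all should be allowed is a design choice; if not, add `v.firewall.use_classic || v.firewall.create_policy` to the same check. `mtu` likewise has no range validation.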
diff --git a/fast/stages/2-networking-c-separate-envs/README.md b/fast/stages/2-networking-c-separate-envs/README.md
index 71d8487c6..af512fe80 100644
--- a/fast/stages/2-networking-c-separate-envs/README.md
+++ b/fast/stages/2-networking-c-separate-envs/README.md
@@ -345,8 +345,8 @@ Regions are defined via the `regions` variable which sets up a mapping between t
| [main.tf](./main.tf) | Networking folder and hierarchical policy. | folder · net-firewall-policy | |
| [monitoring-vpn-onprem.tf](./monitoring-vpn-onprem.tf) | VPN monitoring alerts. | | google_monitoring_alert_policy |
| [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | google_monitoring_dashboard |
-| [net-dev.tf](./net-dev.tf) | Dev spoke VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | |
-| [net-prod.tf](./net-prod.tf) | Production spoke VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | |
+| [net-dev.tf](./net-dev.tf) | Dev spoke VPC and related resources. | net-cloudnat · net-firewall-policy · net-vpc · net-vpc-firewall · project | |
+| [net-prod.tf](./net-prod.tf) | Production spoke VPC and related resources. | net-cloudnat · net-firewall-policy · net-vpc · net-vpc-firewall · project | |
| [outputs.tf](./outputs.tf) | Module outputs. | | google_storage_bucket_object · local_file |
| [regions.tf](./regions.tf) | Compute short names for regions. | | |
| [test-resources.tf](./test-resources.tf) | Temporary instances for testing | compute-vm | |
@@ -365,17 +365,17 @@ Regions are defined via the `regions` variable which sets up a mapping between t
| [prefix](variables-fast.tf#L76) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap |
| [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | |
| [custom_roles](variables-fast.tf#L40) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
-| [dns](variables.tf#L42) | DNS configuration. | object({…}) | | {} | |
-| [enable_cloud_nat](variables.tf#L53) | Deploy Cloud NAT. | bool | | false | |
-| [essential_contacts](variables.tf#L60) | Email used for essential contacts, unset if null. | string | | null | |
-| [factories_config](variables.tf#L66) | Configuration for network resource factories. | object({…}) | | {…} | |
-| [outputs_location](variables.tf#L87) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
-| [psa_ranges](variables.tf#L93) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | {} | |
-| [regions](variables.tf#L113) | Region definitions. | object({…}) | | {…} | |
+| [dns](variables.tf#L42) | DNS configuration. | object({…}) | | {} | |
+| [essential_contacts](variables.tf#L52) | Email used for essential contacts, unset if null. | string | | null | |
+| [factories_config](variables.tf#L58) | Configuration for network resource factories. | object({…}) | | {} | |
+| [outputs_location](variables.tf#L79) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
+| [psa_ranges](variables.tf#L85) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | {} | |
+| [regions](variables.tf#L105) | Region definitions. | object({…}) | | {…} | |
| [stage_config](variables-fast.tf#L86) | FAST stage configuration. | object({…}) | | {} | 1-resman |
| [tag_values](variables-fast.tf#L100) | Root-level tag values. | map(string) | | {} | 1-resman |
-| [vpn_onprem_dev_primary_config](variables.tf#L123) | VPN gateway configuration for onprem interconnection from dev in the primary region. | object({…}) | | null | |
-| [vpn_onprem_prod_primary_config](variables.tf#L166) | VPN gateway configuration for onprem interconnection from prod in the primary region. | object({…}) | | null | |
+| [vpc_configs](variables.tf#L115) | Optional VPC network configurations. | object({…}) | | {} | |
+| [vpn_onprem_dev_primary_config](variables.tf#L153) | VPN gateway configuration for onprem interconnection from dev in the primary region. | object({…}) | | null | |
+| [vpn_onprem_prod_primary_config](variables.tf#L196) | VPN gateway configuration for onprem interconnection from prod in the primary region. | object({…}) | | null | |
## Outputs
diff --git a/fast/stages/2-networking-c-separate-envs/dns-dev.tf b/fast/stages/2-networking-c-separate-envs/dns-dev.tf
index b176af16b..e29dc861e 100644
--- a/fast/stages/2-networking-c-separate-envs/dns-dev.tf
+++ b/fast/stages/2-networking-c-separate-envs/dns-dev.tf
@@ -68,7 +68,7 @@ module "dev-dns-policy-googleapis" {
project_id = module.dev-spoke-project.project_id
name = "googleapis"
factories_config = {
- rules = var.factories_config.dns_policy_rules_file
+ rules = var.factories_config.dns_policy_rules
}
networks = {
dev = module.dev-spoke-vpc.self_link
diff --git a/fast/stages/2-networking-c-separate-envs/dns-prod.tf b/fast/stages/2-networking-c-separate-envs/dns-prod.tf
index adcc38893..7234c6e26 100644
--- a/fast/stages/2-networking-c-separate-envs/dns-prod.tf
+++ b/fast/stages/2-networking-c-separate-envs/dns-prod.tf
@@ -68,7 +68,7 @@ module "prod-dns-policy-googleapis" {
project_id = module.prod-spoke-project.project_id
name = "googleapis"
factories_config = {
- rules = var.factories_config.dns_policy_rules_file
+ rules = var.factories_config.dns_policy_rules
}
networks = {
prod = module.prod-spoke-vpc.self_link
diff --git a/fast/stages/2-networking-c-separate-envs/main.tf b/fast/stages/2-networking-c-separate-envs/main.tf
index 7497e2d50..954659093 100644
--- a/fast/stages/2-networking-c-separate-envs/main.tf
+++ b/fast/stages/2-networking-c-separate-envs/main.tf
@@ -61,10 +61,11 @@ module "folder" {
module "firewall-policy-default" {
source = "../../../modules/net-firewall-policy"
- name = var.factories_config.firewall_policy_name
+ name = var.factories_config.firewall.hierarchical.policy_name
parent_id = module.folder.id
factories_config = {
- cidr_file_path = "${var.factories_config.data_dir}/cidrs.yaml"
- ingress_rules_file_path = "${var.factories_config.data_dir}/hierarchical-ingress-rules.yaml"
+ cidr_file_path = var.factories_config.firewall.cidr_file
+ egress_rules_file_path = var.factories_config.firewall.hierarchical.egress_rules
+ ingress_rules_file_path = var.factories_config.firewall.hierarchical.ingress_rules
}
}
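Review bot: The hierarchical policy now also reads an egress rules file (`hierarchical-egress-rules.yaml` by default) that the previous version did not require. If `net-firewall-policy` errors on a missing file, existing deployments that only ship the ingress file break at plan time; if it does not, a stray or mis-scoped egress file at folder level now governs egress for every VPC under the folder, which is a larger blast radius than the per-VPC policies added elsewhere in this change. Either way the new file deserves a line in the README and a commented example under `data/`. `module.folder` is defined before the hunk.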
diff --git a/fast/stages/2-networking-c-separate-envs/monitoring.tf b/fast/stages/2-networking-c-separate-envs/monitoring.tf
index d3750fee0..dbf014966 100644
--- a/fast/stages/2-networking-c-separate-envs/monitoring.tf
+++ b/fast/stages/2-networking-c-separate-envs/monitoring.tf
@@ -17,11 +17,10 @@
# tfdoc:file:description Network monitoring dashboards.
locals {
- dashboard_path = "${var.factories_config.data_dir}/dashboards"
- dashboard_files = fileset(local.dashboard_path, "*.json")
+ dashboard_files = fileset(var.factories_config.dashboards, "*.json")
dashboards = {
for filename in local.dashboard_files :
- filename => "${local.dashboard_path}/$(unknown)"
+ filename => "${var.factories_config.dashboards}/$(unknown)"
}
}
diff --git a/fast/stages/2-networking-c-separate-envs/net-dev.tf b/fast/stages/2-networking-c-separate-envs/net-dev.tf
index 185db01ff..cfab30d90 100644
--- a/fast/stages/2-networking-c-separate-envs/net-dev.tf
+++ b/fast/stages/2-networking-c-separate-envs/net-dev.tf
@@ -16,6 +16,22 @@
# tfdoc:file:description Dev spoke VPC and related resources.
+locals {
+ # streamline VPC configuration conditionals for modules by moving them here
+ dev_cfg = {
+ cloudnat = var.vpc_configs.dev.cloudnat.enable == true
+ dns_logging = var.vpc_configs.dev.dns.enable_logging == true
+ dns_policy = var.vpc_configs.dev.dns.create_inbound_policy == true
+ fw_classic = var.vpc_configs.dev.firewall.use_classic == true
+ fw_order = (
+ var.vpc_configs.dev.firewall.policy_has_priority == true
+ ? "BEFORE_CLASSIC_FIREWALL"
+ : "AFTER_CLASSIC_FIREWALL"
+ )
+ fw_policy = var.vpc_configs.dev.firewall.create_policy == true
+ }
+}
+
module "dev-spoke-project" {
source = "../../../modules/project"
billing_account = var.billing_account.id
@@ -67,41 +83,72 @@ module "dev-spoke-project" {
}
module "dev-spoke-vpc" {
- source = "../../../modules/net-vpc"
- project_id = module.dev-spoke-project.project_id
- name = "dev-spoke-0"
- mtu = 1500
- dns_policy = {
- logging = var.dns.enable_logging
+ source = "../../../modules/net-vpc"
+ project_id = module.dev-spoke-project.project_id
+ name = "dev-spoke-0"
+ mtu = var.vpc_configs.dev.mtu
+ delete_default_routes_on_create = true
+ dns_policy = !local.dev_cfg.dns_policy ? {} : {
+ inbound = true
+ logging = local.dev_cfg.dns_logging
}
factories_config = {
context = { regions = var.regions }
- subnets_folder = "${var.factories_config.data_dir}/subnets/dev"
+ subnets_folder = "${var.factories_config.subnets}/dev"
}
- psa_configs = var.psa_ranges.dev
+ firewall_policy_enforcement_order = local.dev_cfg.fw_order
+ psa_configs = var.psa_ranges.dev
# set explicit routes for googleapis in case the default route is deleted
create_googleapis_routes = {
private = true
restricted = true
}
+ routes = {
+ default = {
+ dest_range = "0.0.0.0/0"
+ next_hop = "default-internet-gateway"
+ next_hop_type = "gateway"
+ priority = 1000
+ }
+ }
}
module "dev-spoke-firewall" {
source = "../../../modules/net-vpc-firewall"
+ count = local.dev_cfg.fw_classic ? 1 : 0
project_id = module.dev-spoke-project.project_id
network = module.dev-spoke-vpc.name
default_rules_config = {
disabled = true
}
factories_config = {
- cidr_tpl_file = "${var.factories_config.data_dir}/cidrs.yaml"
- rules_folder = "${var.factories_config.data_dir}/firewall-rules/dev"
+ cidr_tpl_file = var.factories_config.firewall.cidr_file
+ rules_folder = "${var.factories_config.firewall.classic_rules}/dev"
+ }
+}
+
+module "dev-firewall-policy" {
+ source = "../../../modules/net-firewall-policy"
+ count = local.dev_cfg.fw_policy ? 1 : 0
+ name = "dev-spoke-0"
+ parent_id = module.dev-spoke-project.project_id
+ region = "global"
+ attachments = {
+ dev-spoke-0 = module.dev-spoke-vpc.id
+ }
+ # TODO: add context for security groups
+ factories_config = {
+ cidr_file_path = var.factories_config.firewall.cidr_file
+ egress_rules_file_path = "${var.factories_config.firewall.policy_rules}/dev/egress.yaml"
+ ingress_rules_file_path = "${var.factories_config.firewall.policy_rules}/dev/ingress.yaml"
}
}
module "dev-spoke-cloudnat" {
- source = "../../../modules/net-cloudnat"
- for_each = toset(var.enable_cloud_nat ? values(module.dev-spoke-vpc.subnet_regions) : [])
+ source = "../../../modules/net-cloudnat"
+ for_each = toset(
+ local.dev_cfg.cloudnat ? values(module.dev-spoke-vpc.subnet_regions) : []
+ )
project_id = module.dev-spoke-project.project_id
region = each.value
name = "dev-nat-${local.region_shortnames[each.value]}"
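Review bot: `delete_default_routes_on_create = true` is added and immediately offset by an explicit `default` route to `default-internet-gateway` at priority 1000, so the spoke keeps direct internet egress, yet the retained comment `# set explicit routes for googleapis in case the default route is deleted` now reads as if the default route were gone. Judging by its name the flag only acts at VPC creation, so an existing dev VPC keeps its auto-created default route and gains a second managed 0.0.0.0/0 route with the same next hop, harmless but confusing in a plan. Replacing the comment with `# default route is deleted at creation and re-created below as a managed resource; the spoke keeps direct internet egress` states the intent. The `dev-spoke-cloudnat` module continues past the hunk.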
diff --git a/fast/stages/2-networking-c-separate-envs/net-prod.tf b/fast/stages/2-networking-c-separate-envs/net-prod.tf
index f25c9f556..96b0e2c91 100644
--- a/fast/stages/2-networking-c-separate-envs/net-prod.tf
+++ b/fast/stages/2-networking-c-separate-envs/net-prod.tf
@@ -16,6 +16,22 @@
# tfdoc:file:description Production spoke VPC and related resources.
+locals {
+ # streamline VPC configuration conditionals for modules by moving them here
+ prod_cfg = {
+ cloudnat = var.vpc_configs.prod.cloudnat.enable == true
+ dns_logging = var.vpc_configs.prod.dns.enable_logging == true
+ dns_policy = var.vpc_configs.prod.dns.create_inbound_policy == true
+ fw_classic = var.vpc_configs.prod.firewall.use_classic == true
+ fw_order = (
+ var.vpc_configs.prod.firewall.policy_has_priority == true
+ ? "BEFORE_CLASSIC_FIREWALL"
+ : "AFTER_CLASSIC_FIREWALL"
+ )
+ fw_policy = var.vpc_configs.prod.firewall.create_policy == true
+ }
+}
+
module "prod-spoke-project" {
source = "../../../modules/project"
billing_account = var.billing_account.id
@@ -67,41 +83,72 @@ module "prod-spoke-project" {
}
module "prod-spoke-vpc" {
- source = "../../../modules/net-vpc"
- project_id = module.prod-spoke-project.project_id
- name = "prod-spoke-0"
- mtu = 1500
- dns_policy = {
- logging = var.dns.enable_logging
+ source = "../../../modules/net-vpc"
+ project_id = module.prod-spoke-project.project_id
+ name = "prod-spoke-0"
+ mtu = var.vpc_configs.prod.mtu
+ delete_default_routes_on_create = true
+ dns_policy = !local.prod_cfg.dns_policy ? {} : {
+ inbound = true
+ logging = local.prod_cfg.dns_logging
}
factories_config = {
context = { regions = var.regions }
- subnets_folder = "${var.factories_config.data_dir}/subnets/prod"
+ subnets_folder = "${var.factories_config.subnets}/prod"
}
- psa_configs = var.psa_ranges.prod
+ firewall_policy_enforcement_order = local.prod_cfg.fw_order
+ psa_configs = var.psa_ranges.prod
# set explicit routes for googleapis in case the default route is deleted
create_googleapis_routes = {
private = true
restricted = true
}
+ routes = {
+ default = {
+ dest_range = "0.0.0.0/0"
+ next_hop = "default-internet-gateway"
+ next_hop_type = "gateway"
+ priority = 1000
+ }
+ }
}
module "prod-spoke-firewall" {
source = "../../../modules/net-vpc-firewall"
+ count = local.prod_cfg.fw_classic ? 1 : 0
project_id = module.prod-spoke-project.project_id
network = module.prod-spoke-vpc.name
default_rules_config = {
disabled = true
}
factories_config = {
- cidr_tpl_file = "${var.factories_config.data_dir}/cidrs.yaml"
- rules_folder = "${var.factories_config.data_dir}/firewall-rules/prod"
+ cidr_tpl_file = var.factories_config.firewall.cidr_file
+ rules_folder = "${var.factories_config.firewall.classic_rules}/prod"
+ }
+}
+
+module "prod-firewall-policy" {
+ source = "../../../modules/net-firewall-policy"
+ count = local.prod_cfg.fw_policy ? 1 : 0
+ name = "prod-spoke-0"
+ parent_id = module.prod-spoke-project.project_id
+ region = "global"
+ attachments = {
+ prod-spoke-0 = module.prod-spoke-vpc.id
+ }
+ # TODO: add context for security groups
+ factories_config = {
+ cidr_file_path = var.factories_config.firewall.cidr_file
+ egress_rules_file_path = "${var.factories_config.firewall.policy_rules}/prod/egress.yaml"
+ ingress_rules_file_path = "${var.factories_config.firewall.policy_rules}/prod/ingress.yaml"
}
}
module "prod-spoke-cloudnat" {
- source = "../../../modules/net-cloudnat"
- for_each = toset(var.enable_cloud_nat ? values(module.prod-spoke-vpc.subnet_regions) : [])
+ source = "../../../modules/net-cloudnat"
+ for_each = toset(
+ local.prod_cfg.cloudnat ? values(module.prod-spoke-vpc.subnet_regions) : []
+ )
project_id = module.prod-spoke-project.project_id
region = each.value
name = "prod-nat-${local.region_shortnames[each.value]}"
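Review bot: The `routes.default` block added at the end of `prod-spoke-vpc` unconditionally recreates `0.0.0.0/0` via `default-internet-gateway` at priority 1000, so the `delete_default_routes_on_create = true` a few lines above does not reduce internet egress for the prod spoke: the route is back at the routing layer and is not gated by any `vpc_configs` switch, unlike cloudnat and the two firewall modules, and whether traffic actually leaves then depends only on the firewall rules loaded when `use_classic` or `create_policy` is set. If the intent is just to bring the default route under Terraform management, say so above the block, e.g. `# recreate the default route explicitly so it is managed here and can be overridden or dropped per environment`; if the intent is to make egress opt-in, the route needs the same kind of conditional. Separately, the `dns_policy` expression collapses the whole object to `{}` when `create_inbound_policy` is false, so `dns.enable_logging` has no effect unless the inbound policy is created; a comment on that line would save the next reader a surprise. The `prod-spoke-cloudnat` module body continues past the end of the hunk.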
diff --git a/fast/stages/2-networking-c-separate-envs/variables.tf b/fast/stages/2-networking-c-separate-envs/variables.tf
index aabaab2d9..14e12f8b9 100644
--- a/fast/stages/2-networking-c-separate-envs/variables.tf
+++ b/fast/stages/2-networking-c-separate-envs/variables.tf
@@ -43,20 +43,12 @@ variable "dns" {
description = "DNS configuration."
type = object({
dev_resolvers = optional(list(string), [])
- enable_logging = optional(bool, true)
prod_resolvers = optional(list(string), [])
})
default = {}
nullable = false
}
-variable "enable_cloud_nat" {
- description = "Deploy Cloud NAT."
- type = bool
- default = false
- nullable = false
-}
-
variable "essential_contacts" {
description = "Email used for essential contacts, unset if null."
type = string
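Review bot: Dropping `dns.enable_logging` from the object type and deleting the `enable_cloud_nat` variable fails differently for existing tfvars: an unexpected attribute inside the `dns` object is a type-check error at plan time, but a value for an undeclared variable in a tfvars file is only a warning, so a leftover `enable_cloud_nat = true` is silently ignored and Cloud NAT quietly stops being deployed, since the replacement `vpc_configs.<env>.cloudnat.enable` defaults to `false`. A migration note pointing at `vpc_configs.<env>.cloudnat.enable` and `vpc_configs.<env>.dns.enable_logging` belongs in the stage README or changelog; I cannot tell from this diff whether the README hunks already cover it.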
@@ -66,22 +58,22 @@ variable "essential_contacts" {
variable "factories_config" {
description = "Configuration for network resource factories."
type = object({
- data_dir = optional(string, "data")
- dns_policy_rules_file = optional(string, "data/dns-policy-rules.yaml")
- firewall_policy_name = optional(string, "net-default")
+ dashboards = optional(string, "data/dashboards")
+ dns_policy_rules = optional(string, "data/dns-policy-rules.yaml")
+ firewall = optional(object({
+ cidr_file = optional(string, "data/cidrs.yaml")
+ classic_rules = optional(string, "data/firewall-rules")
+ hierarchical = optional(object({
+ egress_rules = optional(string, "data/hierarchical-egress-rules.yaml")
+ ingress_rules = optional(string, "data/hierarchical-ingress-rules.yaml")
+ policy_name = optional(string, "net-default")
+ }), {})
+ policy_rules = optional(string, "data/firewall-policies")
+ }), {})
+ subnets = optional(string, "data/subnets")
})
- default = {
- data_dir = "data"
- }
+ default = {}
nullable = false
- validation {
- condition = var.factories_config.data_dir != null
- error_message = "Data folder needs to be non-null."
- }
- validation {
- condition = var.factories_config.firewall_policy_name != null
- error_message = "Firewall policy name needs to be non-null."
- }
}
variable "outputs_location" {
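Review bot: The description still reads `Configuration for network resource factories.` while the type now carries a tree of path defaults and two `validation` blocks have been removed, so the contract should be spelled out: say that the paths look to be resolved relative to the stage directory (confirm), and that a nested attribute set to `null` falls back to the default shown, which is presumably why the non-null checks on `data_dir` and `firewall_policy_name` are no longer needed — `hierarchical.policy_name` now carries the `"net-default"` default instead. A description along the lines of `Configuration for network resource factories. Paths are relative to the stage directory; null attributes take the listed defaults.` would do.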
@@ -120,6 +112,44 @@ variable "regions" {
}
}
+variable "vpc_configs" {
+ description = "Optional VPC network configurations."
+ type = object({
+ dev = optional(object({
+ mtu = optional(number, 1500)
+ cloudnat = optional(object({
+ enable = optional(bool, false)
+ }), {})
+ dns = optional(object({
+ create_inbound_policy = optional(bool, true)
+ enable_logging = optional(bool, true)
+ }), {})
+ firewall = optional(object({
+ create_policy = optional(bool, false)
+ policy_has_priority = optional(bool, false)
+ use_classic = optional(bool, true)
+ }), {})
+ }), {})
+ prod = optional(object({
+ mtu = optional(number, 1500)
+ cloudnat = optional(object({
+ enable = optional(bool, false)
+ }), {})
+ dns = optional(object({
+ create_inbound_policy = optional(bool, true)
+ enable_logging = optional(bool, true)
+ }), {})
+ firewall = optional(object({
+ create_policy = optional(bool, false)
+ policy_has_priority = optional(bool, false)
+ use_classic = optional(bool, true)
+ }), {})
+ }), {})
+ })
+ nullable = false
+ default = {}
+}
+
variable "vpn_onprem_dev_primary_config" {
description = "VPN gateway configuration for onprem interconnection from dev in the primary region."
type = object({
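Review bot: The new `vpc_configs` variable orders its trailing attributes as `nullable = false` then `default = {}`, while the other variables in this file (`dns`, `factories_config`) put `default` before `nullable`; keep the file consistent by swapping them. The description `Optional VPC network configurations.` should also state the firewall posture the defaults imply: `use_classic = true` and `create_policy = false` keep classic rules and no per-VPC policy, and setting both to false leaves the spoke VPC with no firewall module instantiated by this stage at all (per the `count` expressions in net-prod.tf), which is a legitimate choice when only the hierarchical policy is wanted but should be documented rather than discovered. Something like `Optional VPC network configurations. Defaults keep classic firewall rules enabled and no per-VPC policy; disabling both leaves only the hierarchical policy.` would cover it.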
diff --git a/tests/fast/stages/s2_networking_a_simple/ncc.tfvars b/tests/fast/stages/s2_networking_a_simple/ncc.tfvars
index ff17f1035..4d8991703 100644
--- a/tests/fast/stages/s2_networking_a_simple/ncc.tfvars
+++ b/tests/fast/stages/s2_networking_a_simple/ncc.tfvars
@@ -9,10 +9,8 @@ custom_roles = {
service_project_network_admin = "organizations/123456789012/roles/foo"
}
dns = {
- resolvers = ["10.10.10.10"]
- enable_logging = true
+ resolvers = ["10.10.10.10"]
}
-enable_cloud_nat = true
environments = {
dev = {
is_default = false
@@ -56,3 +54,20 @@ tag_values = {
"environment/development" = "tagValues/12345"
"environment/production" = "tagValues/12346"
}
+vpc_configs = {
+ dev = {
+ cloudnat = {
+ enable = true
+ }
+ }
+ landing = {
+ cloudnat = {
+ enable = true
+ }
+ }
+ prod = {
+ cloudnat = {
+ enable = true
+ }
+ }
+}
diff --git a/tests/fast/stages/s2_networking_a_simple/simple.tfvars b/tests/fast/stages/s2_networking_a_simple/simple.tfvars
index 99e2cb2cb..2ce954552 100644
--- a/tests/fast/stages/s2_networking_a_simple/simple.tfvars
+++ b/tests/fast/stages/s2_networking_a_simple/simple.tfvars
@@ -9,10 +9,8 @@ custom_roles = {
service_project_network_admin = "organizations/123456789012/roles/foo"
}
dns = {
- resolvers = ["10.10.10.10"]
- enable_logging = true
+ resolvers = ["10.10.10.10"]
}
-enable_cloud_nat = true
environments = {
dev = {
is_default = false
@@ -78,6 +76,23 @@ tag_values = {
"environment/development" = "tagValues/12345"
"environment/production" = "tagValues/12346"
}
+vpc_configs = {
+ dev = {
+ cloudnat = {
+ enable = true
+ }
+ }
+ landing = {
+ cloudnat = {
+ enable = true
+ }
+ }
+ prod = {
+ cloudnat = {
+ enable = true
+ }
+ }
+}
# spoke_configs defaults to peering
vpn_onprem_primary_config = {
peer_external_gateways = {
@@ -114,4 +129,3 @@ vpn_onprem_primary_config = {
}
}
}
-
diff --git a/tests/fast/stages/s2_networking_a_simple/vpn.tfvars b/tests/fast/stages/s2_networking_a_simple/vpn.tfvars
index 764902a0a..53f5430a0 100644
--- a/tests/fast/stages/s2_networking_a_simple/vpn.tfvars
+++ b/tests/fast/stages/s2_networking_a_simple/vpn.tfvars
@@ -9,10 +9,8 @@ custom_roles = {
service_project_network_admin = "organizations/123456789012/roles/foo"
}
dns = {
- resolvers = ["10.10.10.10"]
- enable_logging = true
+ resolvers = ["10.10.10.10"]
}
-enable_cloud_nat = true
environments = {
dev = {
is_default = false
@@ -56,3 +54,20 @@ tag_values = {
"environment/development" = "tagValues/12345"
"environment/production" = "tagValues/12346"
}
+vpc_configs = {
+ dev = {
+ cloudnat = {
+ enable = true
+ }
+ }
+ landing = {
+ cloudnat = {
+ enable = true
+ }
+ }
+ prod = {
+ cloudnat = {
+ enable = true
+ }
+ }
+}
diff --git a/tests/fast/stages/s2_networking_b_nva/ncc-ra.tfvars b/tests/fast/stages/s2_networking_b_nva/ncc-ra.tfvars
index a1e74c195..7be895c46 100644
--- a/tests/fast/stages/s2_networking_b_nva/ncc-ra.tfvars
+++ b/tests/fast/stages/s2_networking_b_nva/ncc-ra.tfvars
@@ -9,10 +9,8 @@ custom_roles = {
service_project_network_admin = "organizations/123456789012/roles/foo"
}
dns = {
- resolvers = ["10.10.10.10"]
- enable_logging = true
+ resolvers = ["10.10.10.10"]
}
-enable_cloud_nat = true
enable_test_instances = true
environments = {
dev = {
@@ -36,6 +34,12 @@ groups = {
gcp-network-admins = "gcp-vpc-network-admins"
}
network_mode = "ncc_ra"
+organization = {
+ domain = "fast.example.com"
+ id = 123456789012
+ customer_id = "C00000000"
+}
+prefix = "fast2"
service_accounts = {
data-platform-dev = "string"
data-platform-prod = "string"
@@ -45,12 +49,17 @@ service_accounts = {
project-factory-dev = "string"
project-factory-prod = "string"
}
-organization = {
- domain = "fast.example.com"
- id = 123456789012
- customer_id = "C00000000"
+vpc_configs = {
+ dmz = {
+ cloudnat = {
+ enable = true
+ }
+ }
+}
+tag_values = {
+ "environment/development" = "tagValues/12345"
+ "environment/production" = "tagValues/12346"
}
-prefix = "fast2"
vpn_onprem_primary_config = {
peer_external_gateways = {
default = {
@@ -129,7 +138,3 @@ vpn_onprem_secondary_config = {
}
}
}
-tag_values = {
- "environment/development" = "tagValues/12345"
- "environment/production" = "tagValues/12346"
-}
diff --git a/tests/fast/stages/s2_networking_b_nva/regional.tfvars b/tests/fast/stages/s2_networking_b_nva/regional.tfvars
index e8d4e4ce2..47d9cc019 100644
--- a/tests/fast/stages/s2_networking_b_nva/regional.tfvars
+++ b/tests/fast/stages/s2_networking_b_nva/regional.tfvars
@@ -9,10 +9,8 @@ custom_roles = {
service_project_network_admin = "organizations/123456789012/roles/foo"
}
dns = {
- resolvers = ["10.10.10.10"]
- enable_logging = true
+ resolvers = ["10.10.10.10"]
}
-enable_cloud_nat = true
enable_test_instances = true
environments = {
dev = {
@@ -36,6 +34,12 @@ groups = {
gcp-network-admins = "gcp-vpc-network-admins"
}
network_mode = "regional_vpc"
+organization = {
+ domain = "fast.example.com"
+ id = 123456789012
+ customer_id = "C00000000"
+}
+prefix = "fast2"
service_accounts = {
data-platform-dev = "string"
data-platform-prod = "string"
@@ -45,12 +49,17 @@ service_accounts = {
project-factory-dev = "string"
project-factory-prod = "string"
}
-organization = {
- domain = "fast.example.com"
- id = 123456789012
- customer_id = "C00000000"
+tag_values = {
+ "environment/development" = "tagValues/12345"
+ "environment/production" = "tagValues/12346"
+}
+vpc_configs = {
+ dmz = {
+ cloudnat = {
+ enable = true
+ }
+ }
}
-prefix = "fast2"
vpn_onprem_primary_config = {
peer_external_gateways = {
default = {
@@ -129,7 +138,3 @@ vpn_onprem_secondary_config = {
}
}
}
-tag_values = {
- "environment/development" = "tagValues/12345"
- "environment/production" = "tagValues/12346"
-}
diff --git a/tests/fast/stages/s2_networking_b_nva/simple.tfvars b/tests/fast/stages/s2_networking_b_nva/simple.tfvars
index d4ca2fa9d..26fbffbf4 100644
--- a/tests/fast/stages/s2_networking_b_nva/simple.tfvars
+++ b/tests/fast/stages/s2_networking_b_nva/simple.tfvars
@@ -9,10 +9,8 @@ custom_roles = {
service_project_network_admin = "organizations/123456789012/roles/foo"
}
dns = {
- resolvers = ["10.10.10.10"]
- enable_logging = true
+ resolvers = ["10.10.10.10"]
}
-enable_cloud_nat = true
enable_test_instances = true
environments = {
dev = {
@@ -32,10 +30,16 @@ folder_ids = {
networking-dev = null
networking-prod = null
}
-network_mode = "simple"
groups = {
gcp-network-admins = "gcp-vpc-network-admins"
}
+network_mode = "simple"
+organization = {
+ domain = "fast.example.com"
+ id = 123456789012
+ customer_id = "C00000000"
+}
+prefix = "fast2"
service_accounts = {
data-platform-dev = "string"
data-platform-prod = "string"
@@ -45,12 +49,17 @@ service_accounts = {
project-factory-dev = "string"
project-factory-prod = "string"
}
-organization = {
- domain = "fast.example.com"
- id = 123456789012
- customer_id = "C00000000"
+tag_values = {
+ "environment/development" = "tagValues/12345"
+ "environment/production" = "tagValues/12346"
+}
+vpc_configs = {
+ dmz = {
+ cloudnat = {
+ enable = true
+ }
+ }
}
-prefix = "fast2"
vpn_onprem_primary_config = {
peer_external_gateways = {
default = {
@@ -129,7 +138,3 @@ vpn_onprem_secondary_config = {
}
}
}
-tag_values = {
- "environment/development" = "tagValues/12345"
- "environment/production" = "tagValues/12346"
-}
diff --git a/tests/fast/stages/s2_networking_c_separate_envs/simple.tfvars b/tests/fast/stages/s2_networking_c_separate_envs/simple.tfvars
index 74b8a4387..bd17d56a3 100644
--- a/tests/fast/stages/s2_networking_c_separate_envs/simple.tfvars
+++ b/tests/fast/stages/s2_networking_c_separate_envs/simple.tfvars
@@ -11,9 +11,7 @@ custom_roles = {
dns = {
dev_resolvers = ["10.10.10.10"]
prod_resolvers = ["10.20.10.10"]
- enable_logging = true
}
-enable_cloud_nat = true
environments = {
dev = {
is_default = false
@@ -54,6 +52,18 @@ tag_values = {
"environment/development" = "tagValues/12345"
"environment/production" = "tagValues/12346"
}
+vpc_configs = {
+ dev = {
+ cloudnat = {
+ enable = true
+ }
+ }
+ prod = {
+ cloudnat = {
+ enable = true
+ }
+ }
+}
vpn_onprem_dev_primary_config = {
peer_external_gateways = {
default = {
diff --git a/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml b/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml
index 1f684b598..5bcfe8b27 100644
--- a/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml
+++ b/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml
@@ -20,13 +20,13 @@ counts:
google_compute_firewall_policy_rule: 4
google_compute_ha_vpn_gateway: 2
google_compute_network: 2
- google_compute_route: 4
+ google_compute_route: 6
google_compute_router: 4
google_compute_router_interface: 4
google_compute_router_nat: 2
google_compute_router_peer: 4
google_compute_shared_vpc_host_project: 2
- google_compute_subnetwork: 6
+ google_compute_subnetwork: 4
google_compute_vpn_tunnel: 4
google_dns_managed_zone: 6
google_dns_policy: 2
@@ -41,9 +41,8 @@ counts:
google_project_iam_member: 16
google_project_service: 20
google_project_service_identity: 16
- google_storage_bucket_object: 2
+ google_storage_bucket_object: 1
google_tags_tag_binding: 2
- google_vpc_access_connector: 2
- modules: 22
+ modules: 20
random_id: 6
- resources: 215
+ resources: 212
diff --git a/tests/fast/stages/s2_networking_c_separate_envs/tftest.yaml b/tests/fast/stages/s2_networking_c_separate_envs/tftest.yaml
index 573cd8344..8dee17457 100644
--- a/tests/fast/stages/s2_networking_c_separate_envs/tftest.yaml
+++ b/tests/fast/stages/s2_networking_c_separate_envs/tftest.yaml
@@ -16,5 +16,3 @@ module: fast/stages/2-networking-c-separate-envs
tests:
simple:
- extra_files:
- - ../../plugins/2-networking-serverless-connector/*.tf