diff --git a/.github/workflows/go-lint.yaml b/.github/workflows/go-lint.yaml index 681a149f0..a82e3ddb7 100644 --- a/.github/workflows/go-lint.yaml +++ b/.github/workflows/go-lint.yaml @@ -37,7 +37,7 @@ jobs: folder: [helpers/foundation-deployer] steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version-file: ${{ matrix.folder }}/go.mod cache-dependency-path: ${{ matrix.folder }}/go.sum diff --git a/0-bootstrap/README.md b/0-bootstrap/README.md index bc105515b..576f87f33 100644 --- a/0-bootstrap/README.md +++ b/0-bootstrap/README.md @@ -288,6 +288,7 @@ Each step has instructions for this change. | billing\_account | The ID of the billing account to associate projects with. | `string` | n/a | yes | | bucket\_force\_destroy | When deleting a bucket, this boolean option will delete all contained objects. If false, Terraform will fail to delete buckets which contain objects. | `bool` | `false` | no | | bucket\_prefix | Name prefix to use for state bucket created. | `string` | `"bkt"` | no | +| bucket\_tfstate\_kms\_force\_destroy | When deleting a bucket, this boolean option will delete the KMS keys used for the Terraform state bucket. | `bool` | `false` | no | | default\_region | Default region to create resources where applicable. | `string` | `"us-central1"` | no | | folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | | group\_billing\_admins | Google Group for GCP Billing Administrators | `string` | n/a | yes | diff --git a/0-bootstrap/cb.tf b/0-bootstrap/cb.tf index 5c726b731..326677a5a 100644 --- a/0-bootstrap/cb.tf +++ b/0-bootstrap/cb.tf 
@@ -22,6 +22,8 @@ locals { cicd_project_id = module.tf_source.cloudbuild_project_id + state_bucket_kms_key = "projects/${module.seed_bootstrap.seed_project_id}/locations/${var.default_region}/keyRings/${var.project_prefix}-keyring/cryptoKeys/${var.project_prefix}-key" + bucket_self_link_prefix = "https://www.googleapis.com/storage/v1/b/" default_state_bucket_self_link = "${local.bucket_self_link_prefix}${module.seed_bootstrap.gcs_bucket_tfstate}" gcp_projects_state_bucket_self_link = module.gcp_projects_state_bucket.bucket.self_link @@ -74,6 +76,12 @@ module "gcp_projects_state_bucket" { project_id = module.seed_bootstrap.seed_project_id location = var.default_region force_destroy = var.bucket_force_destroy + + encryption = { + default_kms_key_name = local.state_bucket_kms_key + } + + depends_on = [module.seed_bootstrap.gcs_bucket_tfstate] } module "tf_source" { diff --git a/0-bootstrap/main.tf b/0-bootstrap/main.tf index a98cb582f..6ca031abf 100644 --- a/0-bootstrap/main.tf +++ b/0-bootstrap/main.tf @@ -61,6 +61,9 @@ module "seed_bootstrap" { parent_folder = var.parent_folder == "" ? "" : local.parent org_admins_org_iam_permissions = local.org_admins_org_iam_permissions project_prefix = var.project_prefix + encrypt_gcs_bucket_tfstate = true + key_rotation_period = "7776000s" + kms_prevent_destroy = !var.bucket_tfstate_kms_force_destroy project_labels = { environment = "bootstrap" diff --git a/0-bootstrap/modules/cb-private-pool/README.md b/0-bootstrap/modules/cb-private-pool/README.md index fa1d9e5a0..1e6969997 100644 --- a/0-bootstrap/modules/cb-private-pool/README.md +++ b/0-bootstrap/modules/cb-private-pool/README.md @@ -5,6 +5,7 @@ |------|-------------|------|---------|:--------:| | private\_worker\_pool | name: Name of the worker pool. A name with a random suffix is generated if not set.
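Review bot: `state_bucket_kms_key` in the `locals` hunk of 0-bootstrap/cb.tf hand-builds the crypto key's resource name from `var.project_prefix` and `var.default_region`, so it only matches if the seed_bootstrap module names its key ring `<prefix>-keyring` and key `<prefix>-key` in that same region; any drift on either side makes `default_kms_key_name` in the `gcp_projects_state_bucket` hunk point at a key that does not exist, which surfaces only at apply. If the module exposes the key id as an output, referencing that output is safer and also gives Terraform a real dependency edge; if it does not, adding one is worth the small change. The `depends_on = [module.seed_bootstrap.gcs_bucket_tfstate]` line presumably works because the seed state bucket is itself created with this key, so the key ring, key and the storage service-agent grant exist by then; that reasoning should be recorded next to it, e.g. `# Wait for the seed state bucket: it is created with the same CMEK key, so the key and the GCS service-agent grant exist by then.`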
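Review bot: `key_rotation_period = "7776000s"` in the `seed_bootstrap` hunk of 0-bootstrap/main.tf is a bare magic number; a trailing comment such as `key_rotation_period = "7776000s" # 90 days` saves the next reader the arithmetic. Two operational caveats belong in the README rather than being left implicit: a bucket's default KMS key applies only to objects written after it is set, so on an existing deployment earlier state objects (and retained older versions) stay under Google-managed encryption until they are rewritten; and `kms_prevent_destroy = !var.bucket_tfstate_kms_force_destroy` drops the lifecycle guard on the key as soon as that flag is set, so it should only be used together with `bucket_force_destroy` and never on a deployment whose state still matters, because objects encrypted with a destroyed key cannot be recovered. Neither is a defect in the change, but both affect recoverability of the Terraform state and deserve a sentence in the docs. `module "seed_bootstrap"` starts and ends outside the hunk.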
region: The private worker pool region. See https://cloud.google.com/build/docs/locations for available locations.
disk\_size\_gb: Size of the disk attached to the worker, in GB.
machine\_type: Machine type of a worker.
no\_external\_ip: If true, workers are created without any public address, which prevents network egress to public IPs.
enable\_network\_peering: Set to true to enable configuration of networking peering for the private worker pool.
create\_peered\_network: If true a network will be created to stablish the network peering.
peered\_network\_id: The ID of the existing network to configure peering for the private worker pool if create\_peered\_network false. The project containing the network must have Service Networking API (`servicenetworking.googleapis.com`) enabled.
peered\_network\_subnet\_ip: The IP range to be used for the subnet that a will created in the peered network if create\_peered\_network true.
peering\_address: The IP address or beginning of the peering address range. This can be supplied as an input to reserve a specific address or omitted to allow GCP to choose a valid one.
peering\_prefix\_length: The prefix length of the IP peering range. If not present, it means the address field is a single IP address. |
object({
name = optional(string, "")
region = optional(string, "us-central1")
disk_size_gb = optional(number, 100)
machine_type = optional(string, "e2-medium")
no_external_ip = optional(bool, false)
enable_network_peering = optional(bool, false)
create_peered_network = optional(bool, false)
peered_network_id = optional(string, "")
peered_network_subnet_ip = optional(string, "")
peering_address = optional(string, null)
peering_prefix_length = optional(number, 24)
})
| `{}` | no | | project\_id | ID of the project where the private pool will be created | `string` | n/a | yes | +| vpc\_flow\_logs | aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.
flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no | | vpn\_configuration | enable\_vpn: set to true to create VPN connection to on prem. If true, the following values must be valid.
on\_prem\_public\_ip\_address0: The first public IP address for on prem VPN connection.
on\_prem\_public\_ip\_address1: The second public IP address for on prem VPN connection.
router\_asn: Border Gateway Protocol (BGP) Autonomous System Number (ASN) for cloud routes.
bgp\_peer\_asn: Border Gateway Protocol (BGP) Autonomous System Number (ASN) for peer cloud routes.
shared\_secret: The shared secret used in the VPN.
psk\_secret\_project\_id: The ID of the project that contains the secret from secret manager that holds the VPN pre-shared key.
psk\_secret\_name: The name of the secret to retrieve from secret manager that holds the VPN pre-shared key.
tunnel0\_bgp\_peer\_address: BGP peer address for tunnel 0.
tunnel0\_bgp\_session\_range: BGP session range for tunnel 0.
tunnel1\_bgp\_peer\_address: BGP peer address for tunnel 1.
tunnel1\_bgp\_session\_range: BGP session range for tunnel 1. |
object({
enable_vpn = optional(bool, false)
on_prem_public_ip_address0 = optional(string, "")
on_prem_public_ip_address1 = optional(string, "")
router_asn = optional(number, 64515)
bgp_peer_asn = optional(number, 64513)
psk_secret_project_id = optional(string, "")
psk_secret_name = optional(string, "")
tunnel0_bgp_peer_address = optional(string, "")
tunnel0_bgp_session_range = optional(string, "")
tunnel1_bgp_peer_address = optional(string, "")
tunnel1_bgp_session_range = optional(string, "")
})
| `{}` | no | ## Outputs diff --git a/0-bootstrap/modules/cb-private-pool/network.tf b/0-bootstrap/modules/cb-private-pool/network.tf index 44acca4fc..8c62d210e 100644 --- a/0-bootstrap/modules/cb-private-pool/network.tf +++ b/0-bootstrap/modules/cb-private-pool/network.tf @@ -20,7 +20,7 @@ locals { module "peered_network" { source = "terraform-google-modules/network/google" - version = "~> 7.0" + version = "~> 8.0" count = var.private_worker_pool.create_peered_network ? 1 : 0 project_id = var.project_id @@ -29,12 +29,17 @@ module "peered_network" { subnets = [ { - subnet_name = "sb-b-cbpools-${var.private_worker_pool.region}" - subnet_ip = var.private_worker_pool.peered_network_subnet_ip - subnet_region = var.private_worker_pool.region - subnet_private_access = "true" - subnet_flow_logs = "true" - description = "Peered subnet for Cloud Build private pool" + subnet_name = "sb-b-cbpools-${var.private_worker_pool.region}" + subnet_ip = var.private_worker_pool.peered_network_subnet_ip + subnet_region = var.private_worker_pool.region + subnet_private_access = "true" + subnet_flow_logs = "true" + subnet_flow_logs_interval = var.vpc_flow_logs.aggregation_interval + subnet_flow_logs_sampling = var.vpc_flow_logs.flow_sampling + subnet_flow_logs_metadata = var.vpc_flow_logs.metadata + subnet_flow_logs_metadata_fields = var.vpc_flow_logs.metadata_fields + subnet_flow_logs_filter = var.vpc_flow_logs.filter_expr + description = "Peered subnet for Cloud Build private pool" } ] diff --git a/0-bootstrap/modules/cb-private-pool/variables.tf b/0-bootstrap/modules/cb-private-pool/variables.tf index f49c2b65a..5dfcbb6a0 100644 --- a/0-bootstrap/modules/cb-private-pool/variables.tf +++ b/0-bootstrap/modules/cb-private-pool/variables.tf 
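Review bot: The five new `subnet_flow_logs_*` attributes in the `peered_network` subnet block pass `var.vpc_flow_logs` fields straight into the network module without any check, although the variable's own description (in this commit's README) enumerates the legal `aggregation_interval` and `metadata` values and requires `flow_sampling` to lie in [0, 1]. A typo such as `INTERVAL_5_SECS` or a sampling of `"5"` is therefore rejected, if at all, by the provider or the API with a message that does not name the variable, instead of at the module boundary; a `validation` block on `variable "vpc_flow_logs"` with `contains([...], var.vpc_flow_logs.aggregation_interval)`, `contains([...], var.vpc_flow_logs.metadata)` and `can(tonumber(var.vpc_flow_logs.flow_sampling)) && tonumber(var.vpc_flow_logs.flow_sampling) >= 0 && tonumber(var.vpc_flow_logs.flow_sampling) <= 1` would catch these at plan. The same applies to the `vpc_flow_logs`, `base_vpc_flow_logs` and `restricted_vpc_flow_logs` variables consumed by the dns-hub.tf and base_env/main.tf hunks later in this diff; the variables.tf hunks that define them are not readable on this page, so the check may already exist there. `module "peered_network"` starts outside the hunk.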
@@ -106,3 +106,21 @@ variable "vpn_configuration" { error_message = "If VPN configuration is enabled, all values are required." } } + +variable "vpc_flow_logs" { + description = <- dataset\_name: The name of the bigquery dataset to be created and used for log entries.
- logging\_sink\_name: The name of the log sink to be created.
- logging\_sink\_filter: The filter to apply when exporting logs. Only log entries that match the filter are exported. Default is "" which exports all logs.
- expiration\_days: Table expiration time. If null logs will never be deleted.
- partitioned\_tables: Options that affect sinks exporting data to BigQuery. use\_partitioned\_tables - (Required) Whether to use BigQuery's partition tables.
- delete\_contents\_on\_destroy: If set to true, delete all contained objects in the logging destination. |
object({
dataset_name = optional(string, null)
logging_sink_name = optional(string, null)
logging_sink_filter = optional(string, "")
expiration_days = optional(number, null)
partitioned_tables = optional(bool, true)
delete_contents_on_destroy = optional(bool, false)
})
| `null` | no | -| logbucket\_options | Destination LogBucket options:
- name: The name of the log bucket to be created and used for log entries matching the filter.
- logging\_sink\_name: The name of the log sink to be created.
- logging\_sink\_filter: The filter to apply when exporting logs. Only log entries that match the filter are exported. Default is "" which exports all logs.
- location: The location of the log bucket. Default: global.
- retention\_days: The number of days data should be retained for the log bucket. Default 30. |
object({
name = optional(string, null)
logging_sink_name = optional(string, null)
logging_sink_filter = optional(string, "")
location = optional(string, "global")
retention_days = optional(number, 30)
})
| `null` | no | +| logbucket\_options | Destination LogBucket options:
- name: The name of the log bucket to be created and used for log entries matching the filter.
- logging\_sink\_name: The name of the log sink to be created.
- logging\_sink\_filter: The filter to apply when exporting logs. Only log entries that match the filter are exported. Default is "" which exports all logs.
- location: The location of the log bucket. Default: global.
- enable\_analytics: Whether or not Log Analytics is enabled. A Log bucket with Log Analytics enabled can be queried in the Log Analytics page using SQL queries. Cannot be disabled once enabled.
- linked\_dataset\_id: The ID of the linked BigQuery dataset. A valid link dataset ID must only have alphanumeric characters and underscores within it and have up to 100 characters.
- linked\_dataset\_description: A use-friendly description of the linked BigQuery dataset. The maximum length of the description is 8000 characters.
- retention\_days: The number of days data should be retained for the log bucket. Default 30. |
object({
name = optional(string, null)
logging_sink_name = optional(string, null)
logging_sink_filter = optional(string, "")
location = optional(string, "global")
enable_analytics = optional(bool, true)
linked_dataset_id = optional(string, null)
linked_dataset_description = optional(string, null)
retention_days = optional(number, 30)
})
| `null` | no | | logging\_destination\_project\_id | The ID of the project that will have the resources where the logs will be created. | `string` | n/a | yes | | logging\_project\_key | (Optional) The key of logging destination project if it is inside resources map. It is mandatory when resource\_type = project and logging\_target\_type = logbucket. | `string` | `""` | no | | pubsub\_options | Destination Pubsub options:
- topic\_name: The name of the pubsub topic to be created and used for log entries matching the filter.
- logging\_sink\_name: The name of the log sink to be created.
- logging\_sink\_filter: The filter to apply when exporting logs. Only log entries that match the filter are exported. Default is "" which exports all logs.
- create\_subscriber: Whether to create a subscription to the topic that was created and used for log entries matching the filter. If 'true', a pull subscription is created along with a service account that is granted roles/pubsub.subscriber and roles/pubsub.viewer to the topic. |
object({
topic_name = optional(string, null)
logging_sink_name = optional(string, null)
logging_sink_filter = optional(string, "")
create_subscriber = optional(bool, true)
})
| `null` | no | @@ -85,8 +71,8 @@ module "logging_logbucket" { | Name | Description | |------|-------------| -| bigquery\_destination\_name | The resource name for the destination BigQuery. | | logbucket\_destination\_name | The resource name for the destination Log Bucket. | +| logbucket\_linked\_dataset\_name | The resource name of the Log Bucket linked BigQuery dataset. | | pubsub\_destination\_name | The resource name for the destination Pub/Sub. | | storage\_destination\_name | The resource name for the destination Storage. | diff --git a/1-org/modules/centralized-logging/main.tf b/1-org/modules/centralized-logging/main.tf index cfd54db96..5a7a974f6 100644 --- a/1-org/modules/centralized-logging/main.tf +++ b/1-org/modules/centralized-logging/main.tf 
@@ -39,34 +39,30 @@ locals { for v in local.exports_list : "${v.res}_${v.type}" => v } destinations_options = { - bgq = var.bigquery_options pub = var.pubsub_options sto = var.storage_options lbk = var.logbucket_options } logging_sink_name_map = { - bgq = try("sk-to-ds-logs-${var.logging_destination_project_id}", "sk-to-ds-logs") pub = try("sk-to-tp-logs-${var.logging_destination_project_id}", "sk-to-tp-logs") sto = try("sk-to-bkt-logs-${var.logging_destination_project_id}", "sk-to-bkt-logs") lbk = try("sk-to-logbkt-logs-${var.logging_destination_project_id}", "sk-to-logbkt-logs") } logging_tgt_name = { - bgq = replace("${local.logging_tgt_prefix.bgq}${random_string.suffix.result}", "-", "_") pub = "${local.logging_tgt_prefix.pub}${random_string.suffix.result}" sto = "${local.logging_tgt_prefix.sto}${random_string.suffix.result}" lbk = "${local.logging_tgt_prefix.lbk}${random_string.suffix.result}" } destination_uri_map = { - bgq = try(module.destination_bigquery[0].destination_uri, "") pub = try(module.destination_pubsub[0].destination_uri, "") sto = try(module.destination_storage[0].destination_uri, "") lbk = try(module.destination_logbucket[0].destination_uri, "") } + logging_tgt_prefix = { - bgq = "ds_logs_" pub = "tp-logs-" sto = try("bkt-logs-${var.logging_destination_project_id}-", "bkt-logs-") lbk = "logbkt-logs-" @@ -92,7 +88,6 @@ module "log_export" { parent_resource_type = var.resource_type unique_writer_identity = true include_children = local.include_children - bigquery_options = each.value.type == "bgq" ? { use_partitioned_tables = true } : null } #-------------------------# @@ -100,7 +95,7 @@ module "log_export" { #-------------------------# module "destination_logbucket" { source = "terraform-google-modules/log-export/google//modules/logbucket" - version = "~> 7.5.0" + version = "~> 7.7" count = var.logbucket_options != null ? 1 : 0 
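Review bot: Dropping the `bgq` entries from `destinations_options`, `logging_sink_name_map`, `logging_tgt_name`, `destination_uri_map` and `logging_tgt_prefix` in the `locals` hunk, together with the removal of `module "destination_bigquery"` and `google_project_iam_member.bigquery_sink_member` in the later hunk of this file and of the `bigquery_destination_name` output, is a breaking change for any deployment that set `bigquery_options`: the next apply plans the destruction of the BigQuery sink and dataset, which either fails (dataset not empty, with the documented default `delete_contents_on_destroy = false`) or, if that flag was true, deletes the exported audit logs. The Log Analytics linked dataset introduced in the same commit is a different resource and does not inherit the old data. The README change in this diff removes the variable's table row but says nothing about migration; an upgrade note telling operators to keep or back up the existing dataset (for example by removing it from state with `terraform state rm` before applying) would prevent accidental loss of log history. The `locals` block starts outside the hunk.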
@@ -108,6 +103,9 @@ module "destination_logbucket" { name = coalesce(var.logbucket_options.name, local.logging_tgt_name.lbk) log_sink_writer_identity = module.log_export["${local.value_first_resource}_lbk"].writer_identity location = var.logbucket_options.location + enable_analytics = var.logbucket_options.enable_analytics + linked_dataset_id = var.logbucket_options.linked_dataset_id + linked_dataset_description = var.logbucket_options.linked_dataset_description retention_days = var.logbucket_options.retention_days grant_write_permission_on_bkt = false } @@ -126,35 +124,6 @@ resource "google_project_iam_member" "logbucket_sink_member" { member = module.log_export["${each.value}_lbk"].writer_identity } - -#-----------------------# -# Send logs to BigQuery # -#-----------------------# -module "destination_bigquery" { - source = "terraform-google-modules/log-export/google//modules/bigquery" - version = "~> 7.4" - - count = var.bigquery_options != null ? 1 : 0 - - project_id = var.logging_destination_project_id - dataset_name = coalesce(var.bigquery_options.dataset_name, local.logging_tgt_name.bgq) - log_sink_writer_identity = module.log_export["${local.value_first_resource}_bgq"].writer_identity - expiration_days = var.bigquery_options.expiration_days - delete_contents_on_destroy = var.bigquery_options.delete_contents_on_destroy -} - -#-----------------------------------------# -# Bigquery Service account IAM membership # -#-----------------------------------------# -resource "google_project_iam_member" "bigquery_sink_member" { - for_each = var.bigquery_options != null ? var.resources : {} - - project = var.logging_destination_project_id - role = "roles/bigquery.dataEditor" - member = module.log_export["${each.value}_bgq"].writer_identity -} - - #----------------------# # Send logs to Storage # #----------------------# diff --git a/1-org/modules/centralized-logging/outputs.tf b/1-org/modules/centralized-logging/outputs.tf index e44824198..abd1a86b8 100644 
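Review bot: `enable_analytics = var.logbucket_options.enable_analytics` in the `destination_logbucket` hunk defaults to `true` (per the object default in this diff's README), and the same README states the setting cannot be disabled once enabled, so upgrading an existing deployment without touching `logbucket_options` permanently turns Log Analytics on for the log bucket. That is probably the intended direction, but an irreversible change driven by a default should be called out in the upgrade notes, and a comment on the line, `# Irreversible once applied: Log Analytics cannot be turned off on an existing bucket`, would stop a later reviewer from treating a flip back to false as a harmless revert. `linked_dataset_id` defaults to `null`, so no BigQuery dataset is linked unless operators opt in, which keeps the exported logs inside Cloud Logging by default. `module "destination_logbucket"` starts outside the hunk.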
--- a/1-org/modules/centralized-logging/outputs.tf +++ b/1-org/modules/centralized-logging/outputs.tf @@ -14,11 +14,6 @@ * limitations under the License. */ -output "bigquery_destination_name" { - description = "The resource name for the destination BigQuery." - value = try(module.destination_bigquery[0].resource_name, "") -} - output "storage_destination_name" { description = "The resource name for the destination Storage." value = try(module.destination_storage[0].resource_name, "") @@ -33,3 +28,8 @@ output "logbucket_destination_name" { description = "The resource name for the destination Log Bucket." value = try(module.destination_logbucket[0].resource_name, "") } + +output "logbucket_linked_dataset_name" { + description = "The resource name of the Log Bucket linked BigQuery dataset." + value = try(module.destination_logbucket[0].linked_dataset_name, "") +} diff --git a/1-org/modules/centralized-logging/variables.tf b/1-org/modules/centralized-logging/variables.tf index 4558ec46b..3cebb9d70 100644 --- a/1-org/modules/centralized-logging/variables.tf +++ b/1-org/modules/centralized-logging/variables.tf 
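Review bot: `value = try(module.destination_logbucket[0].linked_dataset_name, "")` in the new `logbucket_linked_dataset_name` output only falls back to `""` when the index fails (no log bucket module); `try()` does not treat `null` as a failure, so if the logbucket module reports a null name when no `linked_dataset_id` is configured — which the `null` default in this diff suggests is the common case — this output is `null` while every sibling output is a string. Consumers that test `!= ""` would then misbehave; normalising inside the same `try`, e.g. `value = try(coalesce(module.destination_logbucket[0].linked_dataset_name), "")`, keeps the contract uniform because `coalesce` with only a null argument errors and `try` then supplies the fallback. Whether the module output is actually null in that case depends on the logbucket module at `~> 7.7`, which is not visible here.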
@@ -55,38 +55,20 @@ Destination LogBucket options: - logging_sink_name: The name of the log sink to be created. - logging_sink_filter: The filter to apply when exporting logs. Only log entries that match the filter are exported. Default is "" which exports all logs. - location: The location of the log bucket. Default: global. +- enable_analytics: Whether or not Log Analytics is enabled. A Log bucket with Log Analytics enabled can be queried in the Log Analytics page using SQL queries. Cannot be disabled once enabled. +- linked_dataset_id: The ID of the linked BigQuery dataset. A valid link dataset ID must only have alphanumeric characters and underscores within it and have up to 100 characters. +- linked_dataset_description: A use-friendly description of the linked BigQuery dataset. The maximum length of the description is 8000 characters. - retention_days: The number of days data should be retained for the log bucket. Default 30. EOT type = object({ - name = optional(string, null) - logging_sink_name = optional(string, null) - logging_sink_filter = optional(string, "") - location = optional(string, "global") - retention_days = optional(number, 30) - }) - default = null -} - -#----------------------------- # -# Big Query specific variables # -#----------------------------- # -variable "bigquery_options" { - description = < aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.
flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
enable_logging = optional(string, "true")
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no | ## Outputs diff --git a/3-networks-dual-svpc/envs/shared/dns-hub.tf b/3-networks-dual-svpc/envs/shared/dns-hub.tf index 2003af12e..c47fa1387 100644 --- a/3-networks-dual-svpc/envs/shared/dns-hub.tf +++ b/3-networks-dual-svpc/envs/shared/dns-hub.tf @@ -20,7 +20,7 @@ module "dns_hub_vpc" { source = "terraform-google-modules/network/google" - version = "~> 7.0" + version = "~> 8.0" project_id = local.dns_hub_project_id network_name = "vpc-c-dns-hub" 
@@ -28,19 +28,29 @@ module "dns_hub_vpc" { delete_default_internet_gateway_routes = "true" subnets = [{ - subnet_name = "sb-c-dns-hub-${local.default_region1}" - subnet_ip = "172.16.0.0/25" - subnet_region = local.default_region1 - subnet_private_access = "true" - subnet_flow_logs = var.subnetworks_enable_logging - description = "DNS hub subnet for region 1." + subnet_name = "sb-c-dns-hub-${local.default_region1}" + subnet_ip = "172.16.0.0/25" + subnet_region = local.default_region1 + subnet_private_access = "true" + subnet_flow_logs = var.vpc_flow_logs.enable_logging + subnet_flow_logs_interval = var.vpc_flow_logs.aggregation_interval + subnet_flow_logs_sampling = var.vpc_flow_logs.flow_sampling + subnet_flow_logs_metadata = var.vpc_flow_logs.metadata + subnet_flow_logs_metadata_fields = var.vpc_flow_logs.metadata_fields + subnet_flow_logs_filter = var.vpc_flow_logs.filter_expr + description = "DNS hub subnet for region 1." }, { - subnet_name = "sb-c-dns-hub-${local.default_region2}" - subnet_ip = "172.16.0.128/25" - subnet_region = local.default_region2 - subnet_private_access = "true" - subnet_flow_logs = var.subnetworks_enable_logging - description = "DNS hub subnet for region 2." + subnet_name = "sb-c-dns-hub-${local.default_region2}" + subnet_ip = "172.16.0.128/25" + subnet_region = local.default_region2 + subnet_private_access = "true" + subnet_flow_logs = var.vpc_flow_logs.enable_logging + subnet_flow_logs_interval = var.vpc_flow_logs.aggregation_interval + subnet_flow_logs_sampling = var.vpc_flow_logs.flow_sampling + subnet_flow_logs_metadata = var.vpc_flow_logs.metadata + subnet_flow_logs_metadata_fields = var.vpc_flow_logs.metadata_fields + subnet_flow_logs_filter = var.vpc_flow_logs.filter_expr + description = "DNS hub subnet for region 2." }] routes = [{ diff --git a/3-networks-dual-svpc/envs/shared/variables.tf b/3-networks-dual-svpc/envs/shared/variables.tf index a0354aabb..09bc69c00 100644 --- a/3-networks-dual-svpc/envs/shared/variables.tf 
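Review bot: The two subnet entries in the `dns_hub_vpc` hunk repeat the same flow-log attributes verbatim, which is the kind of duplication that lets the two subnets drift apart on the next edit; the base_env/main.tf hunks for `restricted_shared_vpc` and `base_shared_vpc` have the same shape, with two copies each. Hoisting the shared settings into a local map and `merge()`-ing it into each entry keeps one source of truth per VPC and leaves only the per-subnet fields inline. The hunk also sets `subnet_flow_logs = var.vpc_flow_logs.enable_logging`, where the field (per the README hunk in this diff) is typed `optional(string, "true")`, replacing the removed `bool` variable `subnetworks_enable_logging`; typing the field as `bool` would preserve the previous contract for callers. `module "dns_hub_vpc"` starts and ends outside the hunk.
```hcl
locals {
  # Flow-log settings shared by every DNS hub subnet; per-subnet fields stay inline below.
  dns_hub_subnet_defaults = {
    subnet_private_access            = "true"
    subnet_flow_logs                 = var.vpc_flow_logs.enable_logging
    subnet_flow_logs_interval        = var.vpc_flow_logs.aggregation_interval
    subnet_flow_logs_sampling        = var.vpc_flow_logs.flow_sampling
    subnet_flow_logs_metadata        = var.vpc_flow_logs.metadata
    subnet_flow_logs_metadata_fields = var.vpc_flow_logs.metadata_fields
    subnet_flow_logs_filter          = var.vpc_flow_logs.filter_expr
  }
}

# … unchanged: module "dns_hub_vpc" header and attributes before subnets …
  subnets = [
    merge(local.dns_hub_subnet_defaults, {
      subnet_name   = "sb-c-dns-hub-${local.default_region1}"
      subnet_ip     = "172.16.0.0/25"
      subnet_region = local.default_region1
      description   = "DNS hub subnet for region 1."
    }),
    merge(local.dns_hub_subnet_defaults, {
      subnet_name   = "sb-c-dns-hub-${local.default_region2}"
      subnet_ip     = "172.16.0.128/25"
      subnet_region = local.default_region2
      description   = "DNS hub subnet for region 2."
    }),
  ]
```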
+++ b/3-networks-dual-svpc/envs/shared/variables.tf @@ -25,10 +25,24 @@ variable "dns_enable_logging" { default = true } -variable "subnetworks_enable_logging" { - type = bool - description = "Toggle subnetworks flow logging for VPC Subnetworks." - default = true +variable "vpc_flow_logs" { + description = < flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no | | custom\_restricted\_services | List of custom services to be protected by the VPC-SC perimeter. If empty, all supported services (https://cloud.google.com/vpc-service-controls/docs/supported-products) will be protected. | `list(string)` | `[]` | no | | default\_region1 | First subnet region. The shared vpc modules only configures two regions. | `string` | n/a | yes | | default\_region2 | Second subnet region. The shared vpc modules only configures two regions. | `string` | n/a | yes | @@ -24,6 +25,7 @@ | restricted\_private\_service\_connect\_ip | The base subnet internal IP to be used as the private service connect endpoint in the Restricted Shared VPC | `string` | n/a | yes | | restricted\_subnet\_primary\_ranges | The base subnet primary IPTs ranges to the Restricted Shared Vpc. | `map(string)` | n/a | yes | | restricted\_subnet\_secondary\_ranges | The base subnet secondary IPTs ranges to the Restricted Shared Vpc | `map(list(map(string)))` | n/a | yes | +| restricted\_vpc\_flow\_logs | aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.
flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no | ## Outputs diff --git a/3-networks-dual-svpc/modules/base_env/main.tf b/3-networks-dual-svpc/modules/base_env/main.tf index 85ecd2c6a..5defc061f 100644 --- a/3-networks-dual-svpc/modules/base_env/main.tf +++ b/3-networks-dual-svpc/modules/base_env/main.tf 
@@ -221,20 +221,30 @@ module "restricted_shared_vpc" { subnets = [ { - subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region1}" - subnet_ip = var.restricted_subnet_primary_ranges[var.default_region1] - subnet_region = var.default_region1 - subnet_private_access = "true" - subnet_flow_logs = true - description = "First ${var.env} subnet example." + subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region1}" + subnet_ip = var.restricted_subnet_primary_ranges[var.default_region1] + subnet_region = var.default_region1 + subnet_private_access = "true" + subnet_flow_logs = true + subnet_flow_logs_interval = var.restricted_vpc_flow_logs.aggregation_interval + subnet_flow_logs_sampling = var.restricted_vpc_flow_logs.flow_sampling + subnet_flow_logs_metadata = var.restricted_vpc_flow_logs.metadata + subnet_flow_logs_metadata_fields = var.restricted_vpc_flow_logs.metadata_fields + subnet_flow_logs_filter = var.restricted_vpc_flow_logs.filter_expr + description = "First ${var.env} subnet example." }, { - subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region2}" - subnet_ip = var.restricted_subnet_primary_ranges[var.default_region2] - subnet_region = var.default_region2 - subnet_private_access = "true" - subnet_flow_logs = true - description = "Second ${var.env} subnet example." 
+ subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region2}" + subnet_ip = var.restricted_subnet_primary_ranges[var.default_region2] + subnet_region = var.default_region2 + subnet_private_access = "true" + subnet_flow_logs = true + subnet_flow_logs_interval = var.restricted_vpc_flow_logs.aggregation_interval + subnet_flow_logs_sampling = var.restricted_vpc_flow_logs.flow_sampling + subnet_flow_logs_metadata = var.restricted_vpc_flow_logs.metadata + subnet_flow_logs_metadata_fields = var.restricted_vpc_flow_logs.metadata_fields + subnet_flow_logs_filter = var.restricted_vpc_flow_logs.filter_expr + description = "Second ${var.env} subnet example." } ] secondary_ranges = { 
@@ -263,20 +273,30 @@ module "base_shared_vpc" {
 subnets = [
 {
- subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region1}"
- subnet_ip = var.base_subnet_primary_ranges[var.default_region1]
- subnet_region = var.default_region1
- subnet_private_access = "true"
- subnet_flow_logs = true
- description = "First ${var.env} subnet example."
+ subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region1}"
+ subnet_ip = var.base_subnet_primary_ranges[var.default_region1]
+ subnet_region = var.default_region1
+ subnet_private_access = "true"
+ subnet_flow_logs = true
+ subnet_flow_logs_interval = var.base_vpc_flow_logs.aggregation_interval
+ subnet_flow_logs_sampling = var.base_vpc_flow_logs.flow_sampling
+ subnet_flow_logs_metadata = var.base_vpc_flow_logs.metadata
+ subnet_flow_logs_metadata_fields = var.base_vpc_flow_logs.metadata_fields
+ subnet_flow_logs_filter = var.base_vpc_flow_logs.filter_expr
+ description = "First ${var.env} subnet example."
 },
 {
- subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region2}"
- subnet_ip = var.base_subnet_primary_ranges[var.default_region2]
- subnet_region = var.default_region2
- subnet_private_access = "true"
- subnet_flow_logs = true
- description = "Second ${var.env} subnet example."
+ subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region2}"
+ subnet_ip = var.base_subnet_primary_ranges[var.default_region2]
+ subnet_region = var.default_region2
+ subnet_private_access = "true"
+ subnet_flow_logs = true
+ subnet_flow_logs_interval = var.base_vpc_flow_logs.aggregation_interval
+ subnet_flow_logs_sampling = var.base_vpc_flow_logs.flow_sampling
+ subnet_flow_logs_metadata = var.base_vpc_flow_logs.metadata
+ subnet_flow_logs_metadata_fields = var.base_vpc_flow_logs.metadata_fields
+ subnet_flow_logs_filter = var.base_vpc_flow_logs.filter_expr
+ description = "Second ${var.env} subnet example."
 }
 ]
 secondary_ranges = {
diff --git a/3-networks-dual-svpc/modules/base_env/variables.tf b/3-networks-dual-svpc/modules/base_env/variables.tf
index 1b656ba15..5c30bfb75 100644
--- a/3-networks-dual-svpc/modules/base_env/variables.tf
+++ b/3-networks-dual-svpc/modules/base_env/variables.tf
@@ -81,6 +81,24 @@ variable "base_private_service_connect_ip" {
 description = "The base subnet internal IP to be used as the private service connect endpoint in the Base Shared VPC"
 }
+variable "base_vpc_flow_logs" {
+ description = <list(object({
subnet_name = string
subnet_ip = string
subnet_region = string
subnet_private_access = optional(string, "false")
subnet_private_ipv6_access = optional(string)
subnet_flow_logs = optional(string, "false")
subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC")
subnet_flow_logs_sampling = optional(string, "0.5")
subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA")
subnet_flow_logs_filter = optional(string, "true")
subnet_flow_logs_metadata_fields = optional(list(string), [])
description = optional(string)
purpose = optional(string)
role = optional(string)
stack_type = optional(string)
ipv6_access_type = optional(string)
})) | `[]` | no | | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no | ## Outputs
diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/main.tf b/3-networks-dual-svpc/modules/base_shared_vpc/main.tf
index c10e255e4..b481a37e1 100644
--- a/3-networks-dual-svpc/modules/base_shared_vpc/main.tf
+++ b/3-networks-dual-svpc/modules/base_shared_vpc/main.tf
@@ -26,7 +26,7 @@ locals {
 module "main" {
 source = "terraform-google-modules/network/google"
- version = "~> 7.0"
+ version = "~> 8.0"
 project_id = var.project_id
 network_name = local.network_name
diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf
index 4a8e779fd..5c4b1346d 100644
--- a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf
+++ b/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf
@@ -69,7 +69,24 @@ variable "bgp_asn_subnet" {
 }
 variable "subnets" {
- type = list(map(string))
+ type = list(object({
+ subnet_name = string
+ subnet_ip = string
+ subnet_region = string
+ subnet_private_access = optional(string, "false")
+ subnet_private_ipv6_access = optional(string)
+ subnet_flow_logs = optional(string, "false")
+ subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC")
+ subnet_flow_logs_sampling = optional(string, "0.5")
+ subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA")
+ subnet_flow_logs_filter = optional(string, "true")
+ subnet_flow_logs_metadata_fields = optional(list(string), [])
+ description = optional(string)
+ purpose = optional(string)
+ role = optional(string)
+ stack_type = optional(string)
+ ipv6_access_type = optional(string)
+ }))
 description = "The list of subnets being created"
 default = []
 }
diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md
index b6cebf542..35d56c4ed 100644
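Review bot: The new `subnets` object type defaults `subnet_flow_logs` to `"false"` and `subnet_flow_logs_sampling` to `"0.5"`, so a subnet that a caller adds through this variable without setting those attributes gets no flow logs, and one that enables them samples only half of the flows; the unchanged description says nothing about either. The base_env callers in this diff set `subnet_flow_logs` explicitly, but the defaults are what later additions silently inherit, so I would either write `description = "The list of subnets being created. Flow logs are off unless subnet_flow_logs is \"true\"; when on, subnet_flow_logs_sampling defaults to 0.5."` or default `subnet_flow_logs` to `"true"` for these shared-VPC modules. The defaults appear to mirror the upstream network module's own `subnets` variable, so a one-line comment saying they must be kept in step with the `~> 8.0` pin would help the next upgrade. The same type block is repeated in the restricted_shared_vpc variables.tf hunk later in the diff.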
--- a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md
+++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md
@@ -28,7 +28,7 @@
 | project\_number | Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter. | `number` | n/a | yes |
 | restricted\_services | List of services to restrict. | `list(string)` | n/a | yes |
 | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no |
-| subnets | The list of subnets being created | `list(map(string))` | `[]` | no |
+| subnets | The list of subnets being created |
list(object({
subnet_name = string
subnet_ip = string
subnet_region = string
subnet_private_access = optional(string, "false")
subnet_private_ipv6_access = optional(string)
subnet_flow_logs = optional(string, "false")
subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC")
subnet_flow_logs_sampling = optional(string, "0.5")
subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA")
subnet_flow_logs_filter = optional(string, "true")
subnet_flow_logs_metadata_fields = optional(list(string), [])
description = optional(string)
purpose = optional(string)
role = optional(string)
stack_type = optional(string)
ipv6_access_type = optional(string)
}))
| `[]` | no | | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no | ## Outputs
diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf
index ee31c424e..a37a4dea1 100644
--- a/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf
+++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf
@@ -26,7 +26,7 @@ locals {
 module "main" {
 source = "terraform-google-modules/network/google"
- version = "~> 7.0"
+ version = "~> 8.0"
 project_id = var.project_id
 network_name = local.network_name
diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf
index 47bb94ab0..fceb6f26b 100644
--- a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf
+++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf
@@ -79,7 +79,24 @@ variable "default_region2" {
 }
 variable "subnets" {
- type = list(map(string))
+ type = list(object({
+ subnet_name = string
+ subnet_ip = string
+ subnet_region = string
+ subnet_private_access = optional(string, "false")
+ subnet_private_ipv6_access = optional(string)
+ subnet_flow_logs = optional(string, "false")
+ subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC")
+ subnet_flow_logs_sampling = optional(string, "0.5")
+ subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA")
+ subnet_flow_logs_filter = optional(string, "true")
+ subnet_flow_logs_metadata_fields = optional(list(string), [])
+ description = optional(string)
+ purpose = optional(string)
+ role = optional(string)
+ stack_type = optional(string)
+ ipv6_access_type = optional(string)
+ }))
 description = "The list of subnets being created"
 default = []
 }
diff --git a/3-networks-hub-and-spoke/README.md b/3-networks-hub-and-spoke/README.md
index 9a37953a1..bcee1c7d0 100644
--- a/3-networks-hub-and-spoke/README.md
+++ b/3-networks-hub-and-spoke/README.md
@@ -193,6 +193,7 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get sed -i "s/REMOTE_STATE_BUCKET/${backend_bucket}/" ./common.auto.tfvars ``` + **Note:** Make sure that you update the `perimeter_additional_members` variable with your e-mail in order to be able to view/access resources in the project protected by the VPC service controls. 1. Commit changes
diff --git a/3-networks-hub-and-spoke/common.auto.example.tfvars b/3-networks-hub-and-spoke/common.auto.example.tfvars
index e6cb8edbd..9ce52ac7c 100644
--- a/3-networks-hub-and-spoke/common.auto.example.tfvars
+++ b/3-networks-hub-and-spoke/common.auto.example.tfvars
@@ -17,10 +17,10 @@
 // The DNS name of peering managed zone. Must end with a period.
 domain = "example.com."
-// Uncomment the following line and add you email in the perimeter_additional_members list.
+// Update the following line and add you email in the perimeter_additional_members list.
 // You must be in this list to be able to view/access resources in the project protected by the VPC service controls.
-//perimeter_additional_members = ["user:YOUR-USER-EMAIL@example.com"]
+perimeter_additional_members = ["user:YOUR-USER-EMAIL@example.com"]
 remote_state_bucket = "REMOTE_STATE_BUCKET"
diff --git a/3-networks-hub-and-spoke/envs/shared/README.md b/3-networks-hub-and-spoke/envs/shared/README.md
index cf8a7bb90..310bc9930 100644
--- a/3-networks-hub-and-spoke/envs/shared/README.md
+++ b/3-networks-hub-and-spoke/envs/shared/README.md
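Review bot: Uncommenting `perimeter_additional_members = ["user:YOUR-USER-EMAIL@example.com"]` turns the placeholder into a live value, so a copy of this example applied without editing now asks Terraform to grant perimeter access to a principal nobody controls instead of simply leaving the variable unset, which is what the commented form did. If the intent is only to make the setting visible, keeping it commented and relying on the README note added in this diff, or adding a validation block on the variable that rejects the `YOUR-USER-EMAIL` placeholder, preserves the fail-safe behaviour. The rewritten comment line also carries over the typo and should read `// Update the following line and add your email in the perimeter_additional_members list.`.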
@@ -21,9 +21,11 @@ The purpose of this step is to set up the global [DNS Hub](https://cloud.google. | base\_hub\_nat\_num\_addresses\_region1 | Number of external IPs to reserve for first Cloud NAT in Base Hub. | `number` | `2` | no | | base\_hub\_nat\_num\_addresses\_region2 | Number of external IPs to reserve for second Cloud NAT in Base Hub. | `number` | `2` | no | | base\_hub\_windows\_activation\_enabled | Enable Windows license activation for Windows workloads in Base Hub | `bool` | `false` | no | +| base\_vpc\_flow\_logs | enable\_logging: set to true to enable VPC flow logging for the subnetworks.
aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.
flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
enable_logging = optional(string, "true")
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no | | bgp\_asn\_dns | BGP Autonomous System Number (ASN). | `number` | `64667` | no | | custom\_restricted\_services | List of custom services to be protected by the VPC-SC perimeter. If empty, all supported services (https://cloud.google.com/vpc-service-controls/docs/supported-products) will be protected. | `list(string)` | `[]` | no | | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no | +| dns\_vpc\_flow\_logs | enable\_logging: set to true to enable VPC flow logging for the subnetworks.
aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.
flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
enable_logging = optional(string, "true")
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no | | domain | The DNS name of forwarding managed zone, for instance 'example.com'. Must end with a period. | `string` | n/a | yes | | egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference), each list object has a `from` and `to` value that describes egress\_from and egress\_to.

Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no | | enable\_dedicated\_interconnect | Enable Dedicated Interconnect in the environment. | `bool` | `false` | no | @@ -42,7 +44,7 @@ The purpose of this step is to set up the global [DNS Hub](https://cloud.google. | restricted\_hub\_nat\_num\_addresses\_region1 | Number of external IPs to reserve for first Cloud NAT in Restricted Hub. | `number` | `2` | no | | restricted\_hub\_nat\_num\_addresses\_region2 | Number of external IPs to reserve for second Cloud NAT in Restricted Hub. | `number` | `2` | no | | restricted\_hub\_windows\_activation\_enabled | Enable Windows license activation for Windows workloads in Restricted Hub. | `bool` | `false` | no | -| subnetworks\_enable\_logging | Toggle subnetworks flow logging for VPC Subnetworks. | `bool` | `true` | no | +| restricted\_vpc\_flow\_logs | enable\_logging: set to true to enable VPC flow logging for the subnetworks.
aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.
flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
enable_logging = optional(string, "true")
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no | | target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes | ## Outputs diff --git a/3-networks-hub-and-spoke/envs/shared/dns-hub.tf b/3-networks-hub-and-spoke/envs/shared/dns-hub.tf index 2782ae277..c377e4f7f 100644 --- a/3-networks-hub-and-spoke/envs/shared/dns-hub.tf +++ b/3-networks-hub-and-spoke/envs/shared/dns-hub.tf @@ -20,7 +20,7 @@ module "dns_hub_vpc" { source = "terraform-google-modules/network/google" - version = "~> 7.0" + version = "~> 8.0" project_id = local.dns_hub_project_id network_name = "vpc-c-dns-hub" 
@@ -28,19 +28,29 @@ module "dns_hub_vpc" {
 delete_default_internet_gateway_routes = "true"
 subnets = [{
- subnet_name = "sb-c-dns-hub-${local.default_region1}"
- subnet_ip = "172.16.0.0/25"
- subnet_region = local.default_region1
- subnet_private_access = "true"
- subnet_flow_logs = var.subnetworks_enable_logging
- description = "DNS hub subnet for region 1."
+ subnet_name = "sb-c-dns-hub-${local.default_region1}"
+ subnet_ip = "172.16.0.0/25"
+ subnet_region = local.default_region1
+ subnet_private_access = "true"
+ subnet_flow_logs = var.dns_vpc_flow_logs.enable_logging
+ subnet_flow_logs_interval = var.dns_vpc_flow_logs.aggregation_interval
+ subnet_flow_logs_sampling = var.dns_vpc_flow_logs.flow_sampling
+ subnet_flow_logs_metadata = var.dns_vpc_flow_logs.metadata
+ subnet_flow_logs_metadata_fields = var.dns_vpc_flow_logs.metadata_fields
+ subnet_flow_logs_filter = var.dns_vpc_flow_logs.filter_expr
+ description = "DNS hub subnet for region 1."
 }, {
- subnet_name = "sb-c-dns-hub-${local.default_region2}"
- subnet_ip = "172.16.0.128/25"
- subnet_region = local.default_region2
- subnet_private_access = "true"
- subnet_flow_logs = var.subnetworks_enable_logging
- description = "DNS hub subnet for region 2."
+ subnet_name = "sb-c-dns-hub-${local.default_region2}"
+ subnet_ip = "172.16.0.128/25"
+ subnet_region = local.default_region2
+ subnet_private_access = "true"
+ subnet_flow_logs = var.dns_vpc_flow_logs.enable_logging
+ subnet_flow_logs_interval = var.dns_vpc_flow_logs.aggregation_interval
+ subnet_flow_logs_sampling = var.dns_vpc_flow_logs.flow_sampling
+ subnet_flow_logs_metadata = var.dns_vpc_flow_logs.metadata
+ subnet_flow_logs_metadata_fields = var.dns_vpc_flow_logs.metadata_fields
+ subnet_flow_logs_filter = var.dns_vpc_flow_logs.filter_expr
+ description = "DNS hub subnet for region 2."
 }]
 routes = [{
diff --git a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf
index af7fe0415..feacd24e9 100644
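Review bot: `subnet_flow_logs` now reads `var.dns_vpc_flow_logs.enable_logging`, a string that defaults to `"true"`, in place of the bool `var.subnetworks_enable_logging` that the envs/shared variables.tf hunk later in this diff deletes; Terraform only warns about a tfvars entry for an undeclared variable, so an existing deployment that set `subnetworks_enable_logging = false` will keep applying cleanly while flow logs silently come back on for the DNS hub. An upgrade note naming the replacement, e.g. `dns_vpc_flow_logs = { enable_logging = "false" }`, would make that behaviour change explicit. The enclosing `module "dns_hub_vpc"` block starts and ends outside the hunk.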
--- a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf
+++ b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf
@@ -186,20 +186,30 @@ module "base_shared_vpc" {
 subnets = [
 {
- subnet_name = "sb-c-shared-base-hub-${local.default_region1}"
- subnet_ip = local.base_subnet_primary_ranges[local.default_region1]
- subnet_region = local.default_region1
- subnet_private_access = "true"
- subnet_flow_logs = var.subnetworks_enable_logging
- description = "Base network hub subnet for ${local.default_region1}"
+ subnet_name = "sb-c-shared-base-hub-${local.default_region1}"
+ subnet_ip = local.base_subnet_primary_ranges[local.default_region1]
+ subnet_region = local.default_region1
+ subnet_private_access = "true"
+ subnet_flow_logs = var.base_vpc_flow_logs.enable_logging
+ subnet_flow_logs_interval = var.base_vpc_flow_logs.aggregation_interval
+ subnet_flow_logs_sampling = var.base_vpc_flow_logs.flow_sampling
+ subnet_flow_logs_metadata = var.base_vpc_flow_logs.metadata
+ subnet_flow_logs_metadata_fields = var.base_vpc_flow_logs.metadata_fields
+ subnet_flow_logs_filter = var.base_vpc_flow_logs.filter_expr
+ description = "Base network hub subnet for ${local.default_region1}"
 },
 {
- subnet_name = "sb-c-shared-base-hub-${local.default_region2}"
- subnet_ip = local.base_subnet_primary_ranges[local.default_region2]
- subnet_region = local.default_region2
- subnet_private_access = "true"
- subnet_flow_logs = var.subnetworks_enable_logging
- description = "Base network hub subnet for ${local.default_region2}"
+ subnet_name = "sb-c-shared-base-hub-${local.default_region2}"
+ subnet_ip = local.base_subnet_primary_ranges[local.default_region2]
+ subnet_region = local.default_region2
+ subnet_private_access = "true"
+ subnet_flow_logs = var.base_vpc_flow_logs.enable_logging
+ subnet_flow_logs_interval = var.base_vpc_flow_logs.aggregation_interval
+ subnet_flow_logs_sampling = var.base_vpc_flow_logs.flow_sampling
+ subnet_flow_logs_metadata = var.base_vpc_flow_logs.metadata
+ subnet_flow_logs_metadata_fields = var.base_vpc_flow_logs.metadata_fields
+ subnet_flow_logs_filter = var.base_vpc_flow_logs.filter_expr
+ description = "Base network hub subnet for ${local.default_region2}"
 }
 ]
 secondary_ranges = {}
@@ -242,20 +252,32 @@ module "restricted_shared_vpc" {
 subnets = [
 {
- subnet_name = "sb-c-shared-restricted-hub-${local.default_region1}"
- subnet_ip = local.restricted_subnet_primary_ranges[local.default_region1]
- subnet_region = local.default_region1
- subnet_private_access = "true"
- subnet_flow_logs = var.subnetworks_enable_logging
- description = "Restricted network hub subnet for ${local.default_region1}"
+ subnet_name = "sb-c-shared-restricted-hub-${local.default_region1}"
+ subnet_ip = local.restricted_subnet_primary_ranges[local.default_region1]
+ subnet_region = local.default_region1
+ subnet_private_access = "true"
+ subnet_flow_logs = var.restricted_vpc_flow_logs.enable_logging
+ subnet_flow_logs_interval = var.restricted_vpc_flow_logs.aggregation_interval
+ subnet_flow_logs_sampling = var.restricted_vpc_flow_logs.flow_sampling
+ subnet_flow_logs_metadata = var.restricted_vpc_flow_logs.metadata
+ subnet_flow_logs_metadata_fields = var.restricted_vpc_flow_logs.metadata_fields
+ subnet_flow_logs_filter = var.restricted_vpc_flow_logs.filter_expr
+
+ description = "Restricted network hub subnet for ${local.default_region1}"
 },
 {
- subnet_name = "sb-c-shared-restricted-hub-${local.default_region2}"
- subnet_ip = local.restricted_subnet_primary_ranges[local.default_region2]
- subnet_region = local.default_region2
- subnet_private_access = "true"
- subnet_flow_logs = var.subnetworks_enable_logging
- description = "Restricted network hub subnet for ${local.default_region2}"
+ subnet_name = "sb-c-shared-restricted-hub-${local.default_region2}"
+ subnet_ip = local.restricted_subnet_primary_ranges[local.default_region2]
+ subnet_region = local.default_region2
+ subnet_private_access = "true"
+ subnet_flow_logs = var.restricted_vpc_flow_logs.enable_logging
+ subnet_flow_logs_interval = var.restricted_vpc_flow_logs.aggregation_interval
+ subnet_flow_logs_sampling = var.restricted_vpc_flow_logs.flow_sampling
+ subnet_flow_logs_metadata = var.restricted_vpc_flow_logs.metadata
+ subnet_flow_logs_metadata_fields = var.restricted_vpc_flow_logs.metadata_fields
+ subnet_flow_logs_filter = var.restricted_vpc_flow_logs.filter_expr
+
+ description = "Restricted network hub subnet for ${local.default_region2}"
 }
 ]
 secondary_ranges = {}
diff --git a/3-networks-hub-and-spoke/envs/shared/variables.tf b/3-networks-hub-and-spoke/envs/shared/variables.tf
index 52e105c99..880b8f463 100644
--- a/3-networks-hub-and-spoke/envs/shared/variables.tf
+++ b/3-networks-hub-and-spoke/envs/shared/variables.tf
@@ -35,10 +35,24 @@ variable "dns_enable_logging" {
 default = true
 }
-variable "subnetworks_enable_logging" {
- type = bool
- description = "Toggle subnetworks flow logging for VPC Subnetworks."
- default = true
+variable "dns_vpc_flow_logs" {
+ description = < flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
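Review bot: Both subnet objects in this hunk gain an empty added line between `subnet_flow_logs_filter` and `description` (the lone `+` lines), which neither the base_shared_vpc hunk just above nor the dns-hub hunk has; dropping those two blank lines keeps the three subnet lists in this file formatted alike, since `terraform fmt` preserves single blank lines and will not remove them. The enclosing `module "restricted_shared_vpc"` block starts and ends outside the hunk.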
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no | | custom\_restricted\_services | List of custom services to be protected by the VPC-SC perimeter. If empty, all supported services (https://cloud.google.com/vpc-service-controls/docs/supported-products) will be protected. | `list(string)` | `[]` | no | | default\_region1 | First subnet region. The shared vpc modules only configures two regions. | `string` | n/a | yes | | default\_region2 | Second subnet region. The shared vpc modules only configures two regions. | `string` | n/a | yes | @@ -24,6 +25,7 @@ | restricted\_private\_service\_connect\_ip | The base subnet internal IP to be used as the private service connect endpoint in the Restricted Shared VPC | `string` | n/a | yes | | restricted\_subnet\_primary\_ranges | The base subnet primary IPTs ranges to the Restricted Shared Vpc. | `map(string)` | n/a | yes | | restricted\_subnet\_secondary\_ranges | The base subnet secondary IPTs ranges to the Restricted Shared Vpc | `map(list(map(string)))` | n/a | yes | +| restricted\_vpc\_flow\_logs | aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.
flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no | ## Outputs diff --git a/3-networks-hub-and-spoke/modules/base_env/main.tf b/3-networks-hub-and-spoke/modules/base_env/main.tf index 74aee203b..af3889736 100644 --- a/3-networks-hub-and-spoke/modules/base_env/main.tf +++ b/3-networks-hub-and-spoke/modules/base_env/main.tf 
@@ -216,20 +216,30 @@ module "restricted_shared_vpc" {
 subnets = [
 {
- subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region1}"
- subnet_ip = var.restricted_subnet_primary_ranges[var.default_region1]
- subnet_region = var.default_region1
- subnet_private_access = "true"
- subnet_flow_logs = true
- description = "First ${var.env} subnet example."
+ subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region1}"
+ subnet_ip = var.restricted_subnet_primary_ranges[var.default_region1]
+ subnet_region = var.default_region1
+ subnet_private_access = "true"
+ subnet_flow_logs = true
+ subnet_flow_logs_interval = var.restricted_vpc_flow_logs.aggregation_interval
+ subnet_flow_logs_sampling = var.restricted_vpc_flow_logs.flow_sampling
+ subnet_flow_logs_metadata = var.restricted_vpc_flow_logs.metadata
+ subnet_flow_logs_metadata_fields = var.restricted_vpc_flow_logs.metadata_fields
+ subnet_flow_logs_filter = var.restricted_vpc_flow_logs.filter_expr
+ description = "First ${var.env} subnet example."
 },
 {
- subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region2}"
- subnet_ip = var.restricted_subnet_primary_ranges[var.default_region2]
- subnet_region = var.default_region2
- subnet_private_access = "true"
- subnet_flow_logs = true
- description = "Second ${var.env} subnet example."
+ subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region2}"
+ subnet_ip = var.restricted_subnet_primary_ranges[var.default_region2]
+ subnet_region = var.default_region2
+ subnet_private_access = "true"
+ subnet_flow_logs = true
+ subnet_flow_logs_interval = var.restricted_vpc_flow_logs.aggregation_interval
+ subnet_flow_logs_sampling = var.restricted_vpc_flow_logs.flow_sampling
+ subnet_flow_logs_metadata = var.restricted_vpc_flow_logs.metadata
+ subnet_flow_logs_metadata_fields = var.restricted_vpc_flow_logs.metadata_fields
+ subnet_flow_logs_filter = var.restricted_vpc_flow_logs.filter_expr
+ description = "Second ${var.env} subnet example."
 }
 ]
 secondary_ranges = {
@@ -260,20 +270,30 @@ module "base_shared_vpc" { subnets = [ { - subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region1}" - subnet_ip = var.base_subnet_primary_ranges[var.default_region1] - subnet_region = var.default_region1 - subnet_private_access = "true" - subnet_flow_logs = true - description = "First ${var.env} subnet example." + subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region1}" + subnet_ip = var.base_subnet_primary_ranges[var.default_region1] + subnet_region = var.default_region1 + subnet_private_access = "true" + subnet_flow_logs = true + subnet_flow_logs_interval = var.base_vpc_flow_logs.aggregation_interval + subnet_flow_logs_sampling = var.base_vpc_flow_logs.flow_sampling + subnet_flow_logs_metadata = var.base_vpc_flow_logs.metadata + subnet_flow_logs_metadata_fields = var.base_vpc_flow_logs.metadata_fields + subnet_flow_logs_filter = var.base_vpc_flow_logs.filter_expr + description = "First ${var.env} subnet example." }, { - subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region2}" - subnet_ip = var.base_subnet_primary_ranges[var.default_region2] - subnet_region = var.default_region2 - subnet_private_access = "true" - subnet_flow_logs = true - description = "Second ${var.env} subnet example." + subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region2}" + subnet_ip = var.base_subnet_primary_ranges[var.default_region2] + subnet_region = var.default_region2 + subnet_private_access = "true" + subnet_flow_logs = true + subnet_flow_logs_interval = var.base_vpc_flow_logs.aggregation_interval + subnet_flow_logs_sampling = var.base_vpc_flow_logs.flow_sampling + subnet_flow_logs_metadata = var.base_vpc_flow_logs.metadata + subnet_flow_logs_metadata_fields = var.base_vpc_flow_logs.metadata_fields + subnet_flow_logs_filter = var.base_vpc_flow_logs.filter_expr + description = "Second ${var.env} subnet example." } ] secondary_ranges = { 
diff --git a/3-networks-hub-and-spoke/modules/base_env/variables.tf b/3-networks-hub-and-spoke/modules/base_env/variables.tf index 83d05ccf9..e80215472 100644 --- a/3-networks-hub-and-spoke/modules/base_env/variables.tf +++ b/3-networks-hub-and-spoke/modules/base_env/variables.tf @@ -81,6 +81,24 @@ variable "base_private_service_connect_ip" { description = "The base subnet internal IP to be used as the private service connect endpoint in the Base Shared VPC" } +variable "base_vpc_flow_logs" { + description = <list(object({
subnet_name = string
subnet_ip = string
subnet_region = string
subnet_private_access = optional(string, "false")
subnet_private_ipv6_access = optional(string)
subnet_flow_logs = optional(string, "false")
subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC")
subnet_flow_logs_sampling = optional(string, "0.5")
subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA")
subnet_flow_logs_filter = optional(string, "true")
subnet_flow_logs_metadata_fields = optional(list(string), [])
description = optional(string)
purpose = optional(string)
role = optional(string)
stack_type = optional(string)
ipv6_access_type = optional(string)
})) | `[]` | no | | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no | ## Outputs diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf index 220901027..cfb65759e 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf @@ -27,7 +27,7 @@ locals { module "main" { source = "terraform-google-modules/network/google" - version = "~> 7.0" + version = "~> 8.0" project_id = var.project_id network_name = local.network_name diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf index efb21c323..f9d92a43d 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf @@ -81,7 +81,24 @@ variable "bgp_asn_subnet" { } variable "subnets" { - type = list(map(string)) + type = list(object({ + subnet_name = string + subnet_ip = string + subnet_region = string + subnet_private_access = optional(string, "false") + subnet_private_ipv6_access = optional(string) + subnet_flow_logs = optional(string, "false") + subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC") + subnet_flow_logs_sampling = optional(string, "0.5") + subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA") + subnet_flow_logs_filter = optional(string, "true") + subnet_flow_logs_metadata_fields = optional(list(string), []) + description = optional(string) + purpose = optional(string) + role = optional(string) + stack_type = optional(string) + ipv6_access_type = optional(string) + })) description = "The list of subnets being created" default = [] } diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md index 0b1970f8d..63291e27a 100644 
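Review bot: The new `subnets` type in `3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf` uses `optional(type, default)` with a default argument, which Terraform only accepts from 1.3.0 onwards; if this module's `required_version` (not visible in the diff) still allows an older release, `terraform validate` will fail on this declaration rather than on the network-module bump in the same file set. Worth confirming the pin in this change, e.g. `required_version = ">= 1.3.0"`. Separately, `subnet_flow_logs`, `subnet_flow_logs_sampling` and `subnet_flow_logs_filter` are typed `string` even though callers elsewhere in this diff pass the bare boolean `true`; Terraform's implicit bool-to-string conversion makes that work, but a short comment above the object, e.g. `# string-typed to stay compatible with the terraform-google-modules/network subnets input` (assuming that is the reason), would stop a later cleanup from retyping them and breaking callers. The identical declaration in `restricted_shared_vpc/variables.tf` later in this diff has the same two points.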
--- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md +++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md @@ -31,7 +31,7 @@ | restricted\_net\_hub\_project\_number | The restricted net hub project number | `string` | `""` | no | | restricted\_services | List of services to restrict. | `list(string)` | n/a | yes | | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no | -| subnets | The list of subnets being created | `list(map(string))` | `[]` | no | +| subnets | The list of subnets being created |
list(object({
subnet_name = string
subnet_ip = string
subnet_region = string
subnet_private_access = optional(string, "false")
subnet_private_ipv6_access = optional(string)
subnet_flow_logs = optional(string, "false")
subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC")
subnet_flow_logs_sampling = optional(string, "0.5")
subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA")
subnet_flow_logs_filter = optional(string, "true")
subnet_flow_logs_metadata_fields = optional(list(string), [])
description = optional(string)
purpose = optional(string)
role = optional(string)
stack_type = optional(string)
ipv6_access_type = optional(string)
}))
| `[]` | no | | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no | ## Outputs diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf index 34d60a593..b00723e24 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf +++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf @@ -27,7 +27,7 @@ locals { module "main" { source = "terraform-google-modules/network/google" - version = "~> 7.0" + version = "~> 8.0" project_id = var.project_id network_name = local.network_name diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf index 77836a925..55f9fb0d6 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf +++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf @@ -97,7 +97,24 @@ variable "default_region2" { } variable "subnets" { - type = list(map(string)) + type = list(object({ + subnet_name = string + subnet_ip = string + subnet_region = string + subnet_private_access = optional(string, "false") + subnet_private_ipv6_access = optional(string) + subnet_flow_logs = optional(string, "false") + subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC") + subnet_flow_logs_sampling = optional(string, "0.5") + subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA") + subnet_flow_logs_filter = optional(string, "true") + subnet_flow_logs_metadata_fields = optional(list(string), []) + description = optional(string) + purpose = optional(string) + role = optional(string) + stack_type = optional(string) + ipv6_access_type = optional(string) + })) description = "The list of subnets being created" default = [] } diff --git a/4-projects/modules/base_env/README.md b/4-projects/modules/base_env/README.md index 86d771843..974f498ff 100644 
--- a/4-projects/modules/base_env/README.md +++ b/4-projects/modules/base_env/README.md @@ -22,6 +22,7 @@ | secrets\_prj\_suffix | Name suffix to use for secrets project created. | `string` | `"env-secrets"` | no | | subnet\_ip\_range | IP range for the peered subnetwork. If "peering\_iap\_fw\_rules\_enabled" is true, this field should not be null. | `string` | `null` | no | | subnet\_region | Region which the peered subnet will be created. If "peering\_iap\_fw\_rules\_enabled" is true, this field should not be null. | `string` | `null` | no | +| vpc\_flow\_logs | aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.
flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})
| `{}` | no | | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no | ## Outputs diff --git a/4-projects/modules/base_env/example_peering_project.tf b/4-projects/modules/base_env/example_peering_project.tf index 952f4442d..c7a8d7ac9 100644 --- a/4-projects/modules/base_env/example_peering_project.tf +++ b/4-projects/modules/base_env/example_peering_project.tf @@ -74,7 +74,7 @@ module "peering_project" { module "peering_network" { source = "terraform-google-modules/network/google" - version = "~> 7.0" + version = "~> 8.0" project_id = module.peering_project.project_id network_name = "vpc-${local.env_code}-peering-base" @@ -83,12 +83,17 @@ module "peering_network" { subnets = [ { - subnet_name = "sb-${local.env_code}-${var.business_code}-peered-${var.subnet_region}" - subnet_ip = var.subnet_ip_range - subnet_region = var.subnet_region - subnet_private_access = "true" - subnet_flow_logs = "true" - description = "Peered subnetwork on region ${var.subnet_region}." + subnet_name = "sb-${local.env_code}-${var.business_code}-peered-${var.subnet_region}" + subnet_ip = var.subnet_ip_range + subnet_region = var.subnet_region + subnet_private_access = "true" + description = "Peered subnetwork on region ${var.subnet_region}." + subnet_flow_logs = "true" + subnet_flow_logs_interval = var.vpc_flow_logs.aggregation_interval + subnet_flow_logs_sampling = var.vpc_flow_logs.flow_sampling + subnet_flow_logs_metadata = var.vpc_flow_logs.metadata + subnet_flow_logs_metadata_fields = var.vpc_flow_logs.metadata_fields + subnet_flow_logs_filter = var.vpc_flow_logs.filter_expr } ] } diff --git a/4-projects/modules/base_env/variables.tf b/4-projects/modules/base_env/variables.tf index eca7edeab..786736a66 100644 --- a/4-projects/modules/base_env/variables.tf +++ b/4-projects/modules/base_env/variables.tf @@ -53,6 +53,24 @@ variable "windows_activation_enabled" { default = false } +variable "vpc_flow_logs" { + description = <
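Review bot: In the `peering_network` subnet, `subnet_flow_logs = "true"` is a quoted string while the equivalent new lines in the 3-networks hunks write the bare boolean `true`; both evaluate to the same value, but using one form across the repository makes flow-log enablement easier to audit and review. The `vpc_flow_logs` variable this hunk reads is declared in the `variables.tf` hunk that is cut off at the end of this diff; its description, as rendered in `4-projects/modules/base_env/README.md` in this change, contains `metadata_fields: ist of metadata fields` and `as as CEL expression`, which should read `List of metadata fields` and `as a CEL expression` — correct them in the variable's description rather than the README, since the README table appears to be generated from it.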