fix: updates for on-prem connectivity configuration (#827)

* fixes for on-prem conectivity configuration

* remove on prem roles

* add instructions to grant required roles to use secrets in VPN-HA

3-networks-dual-svpc/README.md

@@ -110,13 +110,19 @@ If you provisioned the prerequisites listed in the [Partner Interconnect README]
 If you are not able to use Dedicated or Partner Interconnect, you can also use an HA Cloud VPN to access on-premises resources.
 
 1. Rename `vpn.tf.example` to `vpn.tf` in base-env folder in `3-networks-dual-svpc/modules/base_env`.
-1. Create secret for VPN private pre-shared key.
+1. Create secret for VPN private pre-shared key and grant required roles to Networks terraform service account.
    ```
    echo '<YOUR-PRESHARED-KEY-SECRET>' | gcloud secrets create <VPN_PRIVATE_PSK_SECRET_NAME> --project <ENV_SECRETS_PROJECT> --replication-policy=automatic --data-file=-
+
+   gcloud secrets add-iam-policy-binding <VPN_PRIVATE_PSK_SECRET_NAME> --member='serviceAccount:<NETWORKS_TERRAFORM_SERVICE_ACCOUNT>' --role='roles/secretmanager.viewer' --project <ENV_SECRETS_PROJECT>
+   gcloud secrets add-iam-policy-binding <VPN_PRIVATE_PSK_SECRET_NAME> --member='serviceAccount:<NETWORKS_TERRAFORM_SERVICE_ACCOUNT>' --role='roles/secretmanager.secretAccessor' --project <ENV_SECRETS_PROJECT>
    ```
-1. Create secret for VPN restricted pre-shared key.
+1. Create secret for VPN restricted pre-shared key and grant required roles to Networks terraform service account.
    ```
    echo '<YOUR-PRESHARED-KEY-SECRET>' | gcloud secrets create <VPN_RESTRICTED_PSK_SECRET_NAME> --project <ENV_SECRETS_PROJECT> --replication-policy=automatic --data-file=-
+
+   gcloud secrets add-iam-policy-binding <VPN_RESTRICTED_PSK_SECRET_NAME> --member='serviceAccount:<NETWORKS_TERRAFORM_SERVICE_ACCOUNT>' --role='roles/secretmanager.viewer' --project <ENV_SECRETS_PROJECT>
+   gcloud secrets add-iam-policy-binding <VPN_RESTRICTED_PSK_SECRET_NAME> --member='serviceAccount:<NETWORKS_TERRAFORM_SERVICE_ACCOUNT>' --role='roles/secretmanager.secretAccessor' --project <ENV_SECRETS_PROJECT>
    ```
 1. In the file `vpn.tf`, update the values for `environment`, `vpn_psk_secret_name`, `on_prem_router_ip_address1`, `on_prem_router_ip_address2` and `bgp_peer_asn`.
 1. Verify other default values are valid for your environment.

3-networks-dual-svpc/modules/base_env/interconnect.tf.example

@@ -53,6 +53,10 @@ module "shared_restricted_interconnect" {
     vlan_3 = "cr7",
     vlan_4 = "cr8"
   }
+
+  depends_on = [
+    module.restricted_shared_vpc
+  ]
 }
 
 module "shared_base_interconnect" {
@@ -95,4 +99,8 @@ module "shared_base_interconnect" {
     vlan_3 = "cr3",
     vlan_4 = "cr4"
   }
+
+  depends_on = [
+    module.base_shared_vpc
+  ]
 }

3-networks-dual-svpc/modules/base_env/partner_interconnect.tf.example

@@ -40,6 +40,10 @@ module "shared_restricted_interconnect" {
     vlan_3 = "cr7",
     vlan_4 = "cr8"
   }
+
+  depends_on = [
+    module.restricted_shared_vpc
+  ]
 }
 
 module "shared_base_interconnect" {
@@ -69,4 +73,8 @@ module "shared_base_interconnect" {
     vlan_3 = "cr3",
     vlan_4 = "cr4"
   }
+
+  depends_on = [
+    module.base_shared_vpc
+  ]
 }

3-networks-dual-svpc/modules/base_env/vpn.tf.example

@@ -55,6 +55,10 @@ module "shared_base_vpn" {
 
   region2_router2_tunnel1_bgp_peer_address = "169.254.14.1"
   region2_router2_tunnel1_bgp_peer_range   = "169.254.14.2/30"
+
+  depends_on = [
+    module.base_shared_vpc
+  ]
 }
 
 module "shared_restricted_vpn" {
@@ -98,4 +102,8 @@ module "shared_restricted_vpn" {
 
   region2_router2_tunnel1_bgp_peer_address = "169.254.14.1"
   region2_router2_tunnel1_bgp_peer_range   = "169.254.14.2/30"
+
+  depends_on = [
+    module.restricted_shared_vpc
+  ]
 }

3-networks-dual-svpc/modules/base_shared_vpc/main.tf

@@ -92,6 +92,7 @@ resource "google_service_networking_connection" "private_vpc_connection" {
 module "region1_router1" {
   source  = "terraform-google-modules/cloud-router/google"
   version = "~> 3.0"
+
   name    = "cr-${local.vpc_name}-${var.default_region1}-cr1"
   project = var.project_id
   network = module.main.network_name
@@ -106,6 +107,7 @@ module "region1_router1" {
 module "region1_router2" {
   source  = "terraform-google-modules/cloud-router/google"
   version = "~> 3.0"
+
   name    = "cr-${local.vpc_name}-${var.default_region1}-cr2"
   project = var.project_id
   network = module.main.network_name
@@ -120,6 +122,7 @@ module "region1_router2" {
 module "region2_router1" {
   source  = "terraform-google-modules/cloud-router/google"
   version = "~> 3.0"
+
   name    = "cr-${local.vpc_name}-${var.default_region2}-cr3"
   project = var.project_id
   network = module.main.network_name
@@ -134,6 +137,7 @@ module "region2_router1" {
 module "region2_router2" {
   source  = "terraform-google-modules/cloud-router/google"
   version = "~> 3.0"
+
   name    = "cr-${local.vpc_name}-${var.default_region2}-cr4"
   project = var.project_id
   network = module.main.network_name

3-networks-dual-svpc/modules/base_shared_vpc/outputs.tf

@@ -60,21 +60,21 @@ output "subnets_secondary_ranges" {
 }
 
 output "region1_router1" {
-  value       = try(module.region1_router1[0], null)
+  value       = module.region1_router1
   description = "Router 1 for Region 1"
 }
 
 output "region1_router2" {
-  value       = try(module.region1_router2[0], null)
+  value       = module.region1_router2
   description = "Router 2 for Region 1"
 }
 
 output "region2_router1" {
-  value       = try(module.region2_router1[0], null)
+  value       = module.region2_router1
   description = "Router 1 for Region 2"
 }
 
 output "region2_router2" {
-  value       = try(module.region2_router2[0], null)
+  value       = module.region2_router2
   description = "Router 2 for Region 2"
 }

3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf

@@ -94,6 +94,7 @@ resource "google_service_networking_connection" "private_vpc_connection" {
 module "region1_router1" {
   source  = "terraform-google-modules/cloud-router/google"
   version = "~> 3.0"
+
   name    = "cr-${local.vpc_name}-${var.default_region1}-cr5"
   project = var.project_id
   network = module.main.network_name
@@ -108,6 +109,7 @@ module "region1_router1" {
 module "region1_router2" {
   source  = "terraform-google-modules/cloud-router/google"
   version = "~> 3.0"
+
   name    = "cr-${local.vpc_name}-${var.default_region1}-cr6"
   project = var.project_id
   network = module.main.network_name
@@ -122,6 +124,7 @@ module "region1_router2" {
 module "region2_router1" {
   source  = "terraform-google-modules/cloud-router/google"
   version = "~> 3.0"
+
   name    = "cr-${local.vpc_name}-${var.default_region2}-cr7"
   project = var.project_id
   network = module.main.network_name
@@ -136,6 +139,7 @@ module "region2_router1" {
 module "region2_router2" {
   source  = "terraform-google-modules/cloud-router/google"
   version = "~> 3.0"
+
   name    = "cr-${local.vpc_name}-${var.default_region2}-cr8"
   project = var.project_id
   network = module.main.network_name

3-networks-dual-svpc/modules/restricted_shared_vpc/outputs.tf

@@ -50,22 +50,22 @@ output "subnets_secondary_ranges" {
 }
 
 output "region1_router1" {
-  value       = try(module.region1_router1[0], null)
+  value       = module.region1_router1
   description = "Router 1 for Region 1"
 }
 
 output "region1_router2" {
-  value       = try(module.region1_router2[0], null)
+  value       = module.region1_router2
   description = "Router 2 for Region 1"
 }
 
 output "region2_router1" {
-  value       = try(module.region2_router1[0], null)
+  value       = module.region2_router1
   description = "Router 1 for Region 2"
 }
 
 output "region2_router2" {
-  value       = try(module.region2_router2[0], null)
+  value       = module.region2_router2
   description = "Router 2 for Region 2"
 }
 

3-networks-hub-and-spoke/README.md

@@ -112,13 +112,19 @@ If you provisioned the prerequisites listed in the [Partner Interconnect README]
 If you are not able to use Dedicated or Partner Interconnect, you can also use an HA Cloud VPN to access on-premises resources.
 
 1. Rename `vpn.tf.example` to `vpn.tf` in base-env folder in `3-networks-hub-and-spoke/modules/base_env`.
-1. Create secret for VPN private pre-shared key.
+1. Create secret for VPN private pre-shared key and grant required roles to Networks terraform service account.
    ```
    echo '<YOUR-PRESHARED-KEY-SECRET>' | gcloud secrets create <VPN_PRIVATE_PSK_SECRET_NAME> --project <ENV_SECRETS_PROJECT> --replication-policy=automatic --data-file=-
+
+   gcloud secrets add-iam-policy-binding <VPN_PRIVATE_PSK_SECRET_NAME> --member='serviceAccount:<NETWORKS_TERRAFORM_SERVICE_ACCOUNT>' --role='roles/secretmanager.viewer' --project <ENV_SECRETS_PROJECT>
+   gcloud secrets add-iam-policy-binding <VPN_PRIVATE_PSK_SECRET_NAME> --member='serviceAccount:<NETWORKS_TERRAFORM_SERVICE_ACCOUNT>' --role='roles/secretmanager.secretAccessor' --project <ENV_SECRETS_PROJECT>
    ```
-1. Create secret for VPN restricted pre-shared key.
+1. Create secret for VPN restricted pre-shared key and grant required roles to Networks terraform service account.
    ```
    echo '<YOUR-PRESHARED-KEY-SECRET>' | gcloud secrets create <VPN_RESTRICTED_PSK_SECRET_NAME> --project <ENV_SECRETS_PROJECT> --replication-policy=automatic --data-file=-
+
+   gcloud secrets add-iam-policy-binding <VPN_RESTRICTED_PSK_SECRET_NAME> --member='serviceAccount:<NETWORKS_TERRAFORM_SERVICE_ACCOUNT>' --role='roles/secretmanager.viewer' --project <ENV_SECRETS_PROJECT>
+   gcloud secrets add-iam-policy-binding <VPN_RESTRICTED_PSK_SECRET_NAME> --member='serviceAccount:<NETWORKS_TERRAFORM_SERVICE_ACCOUNT>' --role='roles/secretmanager.secretAccessor' --project <ENV_SECRETS_PROJECT>
    ```
 1. In the file `vpn.tf`, update the values for `environment`, `vpn_psk_secret_name`, `on_prem_router_ip_address1`, `on_prem_router_ip_address2` and `bgp_peer_asn`.
 1. Verify other default values are valid for your environment.

3-networks-hub-and-spoke/modules/base_env/interconnect.tf.example

@@ -52,6 +52,10 @@ module "shared_restricted_interconnect" {
     vlan_3 = "cr7",
     vlan_4 = "cr8"
   }
+
+  depends_on = [
+    module.restricted_shared_vpc
+  ]
 }
 
 module "shared_base_interconnect" {
@@ -94,4 +98,8 @@ module "shared_base_interconnect" {
     vlan_3 = "cr3",
     vlan_4 = "cr4"
   }
+
+  depends_on = [
+    module.base_shared_vpc
+  ]
 }

3-networks-hub-and-spoke/modules/base_env/partner_interconnect.tf.example

@@ -40,6 +40,10 @@ module "shared_restricted_interconnect" {
     vlan_3 = "cr7",
     vlan_4 = "cr8"
   }
+
+  depends_on = [
+    module.restricted_shared_vpc
+  ]
 }
 
 module "shared_base_interconnect" {
@@ -69,4 +73,8 @@ module "shared_base_interconnect" {
     vlan_3 = "cr3",
     vlan_4 = "cr4"
   }
+
+  depends_on = [
+    module.base_shared_vpc
+  ]
 }

3-networks-hub-and-spoke/modules/base_env/vpn.tf.example

@@ -55,6 +55,10 @@ module "shared_base_vpn" {
 
   region2_router2_tunnel1_bgp_peer_address = "169.254.14.1"
   region2_router2_tunnel1_bgp_peer_range   = "169.254.14.2/30"
+
+  depends_on = [
+    module.base_shared_vpc
+  ]
 }
 
 module "shared_restricted_vpn" {
@@ -98,4 +102,8 @@ module "shared_restricted_vpn" {
 
   region2_router2_tunnel1_bgp_peer_address = "169.254.14.1"
   region2_router2_tunnel1_bgp_peer_range   = "169.254.14.2/30"
+
+  depends_on = [
+    module.restricted_shared_vpc
+  ]
 }

3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf

@@ -116,6 +116,7 @@ module "region1_router1" {
   source  = "terraform-google-modules/cloud-router/google"
   version = "~> 3.0"
   count   = var.mode != "spoke" ? 1 : 0
+
   name    = "cr-${local.vpc_name}-${var.default_region1}-cr1"
   project = var.project_id
   network = module.main.network_name
@@ -131,6 +132,7 @@ module "region1_router2" {
   source  = "terraform-google-modules/cloud-router/google"
   version = "~> 3.0"
   count   = var.mode != "spoke" ? 1 : 0
+
   name    = "cr-${local.vpc_name}-${var.default_region1}-cr2"
   project = var.project_id
   network = module.main.network_name
@@ -146,6 +148,7 @@ module "region2_router1" {
   source  = "terraform-google-modules/cloud-router/google"
   version = "~> 3.0"
   count   = var.mode != "spoke" ? 1 : 0
+
   name    = "cr-${local.vpc_name}-${var.default_region2}-cr3"
   project = var.project_id
   network = module.main.network_name
@@ -161,6 +164,7 @@ module "region2_router2" {
   source  = "terraform-google-modules/cloud-router/google"
   version = "~> 3.0"
   count   = var.mode != "spoke" ? 1 : 0
+
   name    = "cr-${local.vpc_name}-${var.default_region2}-cr4"
   project = var.project_id
   network = module.main.network_name

3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf

@@ -117,6 +117,7 @@ module "region1_router1" {
   source  = "terraform-google-modules/cloud-router/google"
   version = "~> 3.0"
   count   = var.mode != "spoke" ? 1 : 0
+
   name    = "cr-${local.vpc_name}-${var.default_region1}-cr5"
   project = var.project_id
   network = module.main.network_name
@@ -132,6 +133,7 @@ module "region1_router2" {
   source  = "terraform-google-modules/cloud-router/google"
   version = "~> 3.0"
   count   = var.mode != "spoke" ? 1 : 0
+
   name    = "cr-${local.vpc_name}-${var.default_region1}-cr6"
   project = var.project_id
   network = module.main.network_name
@@ -147,6 +149,7 @@ module "region2_router1" {
   source  = "terraform-google-modules/cloud-router/google"
   version = "~> 3.0"
   count   = var.mode != "spoke" ? 1 : 0
+
   name    = "cr-${local.vpc_name}-${var.default_region2}-cr7"
   project = var.project_id
   network = module.main.network_name
@@ -162,6 +165,7 @@ module "region2_router2" {
   source  = "terraform-google-modules/cloud-router/google"
   version = "~> 3.0"
   count   = var.mode != "spoke" ? 1 : 0
+
   name    = "cr-${local.vpc_name}-${var.default_region2}-cr8"
   project = var.project_id
   network = module.main.network_name