diff --git a/3-networks-dual-svpc/envs/development/main.tf b/3-networks-dual-svpc/envs/development/main.tf
index a914d3311..96ea21cf2 100644
--- a/3-networks-dual-svpc/envs/development/main.tf
+++ b/3-networks-dual-svpc/envs/development/main.tf
@@ -64,22 +64,24 @@ locals { module "base_env" { source = "../../modules/base_env" - env = local.env - environment_code = local.environment_code - access_context_manager_policy_id = var.access_context_manager_policy_id - members = ["serviceAccount:${var.terraform_service_account}"] - default_region1 = local.default_region1 - default_region2 = local.default_region2 - domain = var.domain - ingress_policies = var.ingress_policies - egress_policies = var.egress_policies - enable_partner_interconnect = false - base_private_service_cidr = local.base_private_service_cidr - base_subnet_primary_ranges = local.base_subnet_primary_ranges - base_subnet_secondary_ranges = local.base_subnet_secondary_ranges - restricted_private_service_cidr = local.restricted_private_service_cidr - restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges - restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges - remote_state_bucket = var.remote_state_bucket + env = local.env + environment_code = local.environment_code + access_context_manager_policy_id = var.access_context_manager_policy_id + members = ["serviceAccount:${var.terraform_service_account}"] + default_region1 = local.default_region1 + default_region2 = local.default_region2 + domain = var.domain + ingress_policies = var.ingress_policies + egress_policies = var.egress_policies + enable_partner_interconnect = false + base_private_service_cidr = local.base_private_service_cidr + base_subnet_primary_ranges = local.base_subnet_primary_ranges + base_subnet_secondary_ranges = local.base_subnet_secondary_ranges + base_private_service_connect_ip = "10.2.64.5" + restricted_private_service_cidr = local.restricted_private_service_cidr + restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges + restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges + restricted_private_service_connect_ip = "10.10.64.5" + remote_state_bucket = var.remote_state_bucket } 
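Review bot: The two new endpoint addresses, `base_private_service_connect_ip = "10.2.64.5"` and `restricted_private_service_connect_ip = "10.10.64.5"`, are the only literals in a module call whose other ranges all come from `local.*`; for consistency with `base_private_service_cidr` and the subnet range locals, declare them in the `locals` block that precedes this hunk (its start is outside the hunk) and pass `local.base_private_service_connect_ip` / `local.restricted_private_service_connect_ip` here. The same applies to the non-production and production env files of both 3-networks-dual-svpc and 3-networks-hub-and-spoke and to the hub values `"10.2.0.5"` / `"10.10.0.5"` in envs/shared/net-hubs.tf. Keeping the addresses next to the CIDR plan also lets a reviewer check in one place that each endpoint address is unique across the hub and spoke networks and, if the Private Service Connect requirement that the address lie outside every subnet range still applies, that none of them falls inside a subnet; the previous shared `"10.3.0.5"` gave no such guarantee.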
diff --git a/3-networks-dual-svpc/envs/non-production/main.tf b/3-networks-dual-svpc/envs/non-production/main.tf
index 3c865a3ae..dbc4ed7f6 100644
--- a/3-networks-dual-svpc/envs/non-production/main.tf
+++ b/3-networks-dual-svpc/envs/non-production/main.tf
@@ -64,21 +64,23 @@ locals { module "base_env" { source = "../../modules/base_env" - env = local.env - environment_code = local.environment_code - access_context_manager_policy_id = var.access_context_manager_policy_id - members = ["serviceAccount:${var.terraform_service_account}"] - default_region1 = local.default_region1 - default_region2 = local.default_region2 - domain = var.domain - ingress_policies = var.ingress_policies - egress_policies = var.egress_policies - enable_partner_interconnect = false - base_private_service_cidr = local.base_private_service_cidr - base_subnet_primary_ranges = local.base_subnet_primary_ranges - base_subnet_secondary_ranges = local.base_subnet_secondary_ranges - restricted_private_service_cidr = local.restricted_private_service_cidr - restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges - restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges - remote_state_bucket = var.remote_state_bucket + env = local.env + environment_code = local.environment_code + access_context_manager_policy_id = var.access_context_manager_policy_id + members = ["serviceAccount:${var.terraform_service_account}"] + default_region1 = local.default_region1 + default_region2 = local.default_region2 + domain = var.domain + ingress_policies = var.ingress_policies + egress_policies = var.egress_policies + enable_partner_interconnect = false + base_private_service_cidr = local.base_private_service_cidr + base_subnet_primary_ranges = local.base_subnet_primary_ranges + base_subnet_secondary_ranges = local.base_subnet_secondary_ranges + base_private_service_connect_ip = "10.2.128.5" + restricted_private_service_cidr = local.restricted_private_service_cidr + restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges + restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges + restricted_private_service_connect_ip = "10.10.128.5" + remote_state_bucket = var.remote_state_bucket } 
diff --git a/3-networks-dual-svpc/envs/production/main.tf b/3-networks-dual-svpc/envs/production/main.tf
index a99c4b367..73e802024 100644
--- a/3-networks-dual-svpc/envs/production/main.tf
+++ b/3-networks-dual-svpc/envs/production/main.tf
@@ -64,21 +64,23 @@ locals { module "base_env" { source = "../../modules/base_env" - env = local.env - environment_code = local.environment_code - access_context_manager_policy_id = var.access_context_manager_policy_id - members = ["serviceAccount:${var.terraform_service_account}"] - default_region1 = local.default_region1 - default_region2 = local.default_region2 - domain = var.domain - ingress_policies = var.ingress_policies - egress_policies = var.egress_policies - enable_partner_interconnect = false - base_private_service_cidr = local.base_private_service_cidr - base_subnet_primary_ranges = local.base_subnet_primary_ranges - base_subnet_secondary_ranges = local.base_subnet_secondary_ranges - restricted_private_service_cidr = local.restricted_private_service_cidr - restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges - restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges - remote_state_bucket = var.remote_state_bucket + env = local.env + environment_code = local.environment_code + access_context_manager_policy_id = var.access_context_manager_policy_id + members = ["serviceAccount:${var.terraform_service_account}"] + default_region1 = local.default_region1 + default_region2 = local.default_region2 + domain = var.domain + ingress_policies = var.ingress_policies + egress_policies = var.egress_policies + enable_partner_interconnect = false + base_private_service_cidr = local.base_private_service_cidr + base_subnet_primary_ranges = local.base_subnet_primary_ranges + base_subnet_secondary_ranges = local.base_subnet_secondary_ranges + base_private_service_connect_ip = "10.2.192.5" + restricted_private_service_cidr = local.restricted_private_service_cidr + restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges + restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges + restricted_private_service_connect_ip = "10.10.192.5" + remote_state_bucket = var.remote_state_bucket } 
diff --git a/3-networks-dual-svpc/modules/base_env/README.md b/3-networks-dual-svpc/modules/base_env/README.md
index 23a15d1d6..ca1af83b0 100644
--- a/3-networks-dual-svpc/modules/base_env/README.md
+++ b/3-networks-dual-svpc/modules/base_env/README.md
@@ -5,6 +5,7 @@
 |------|-------------|------|---------|:--------:|
 | access\_context\_manager\_policy\_id | The id of the default Access Context Manager policy created in step `1-org`. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `number` | n/a | yes |
 | base\_private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services in the Base Shared Vpc. | `string` | n/a | yes |
+| base\_private\_service\_connect\_ip | The base subnet internal IP to be used as the private service connect endpoint in the Base Shared VPC | `string` | n/a | yes |
 | base\_subnet\_primary\_ranges | The base subnet primary IPTs ranges to the Base Shared Vpc. | `map(string)` | n/a | yes |
 | base\_subnet\_secondary\_ranges | The base subnet secondary IPTs ranges to the Base Shared Vpc. | `map(list(map(string)))` | n/a | yes |
 | default\_region1 | First subnet region. The shared vpc modules only configures two regions. | `string` | n/a | yes |
@@ -18,6 +19,7 @@ | members | An allowed list of members (users, service accounts)to be include in the VPC-SC perimeter. The signed-in identity originating the request must be a part of one of the provided members. If not specified, a request may come from any user (logged in/not logged in, etc.). Formats: user:{emailid}, serviceAccount:{emailid} | `list(string)` | n/a | yes | | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes | | restricted\_private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services in the Restricted Shared Vpc. | `string` | n/a | yes | +| restricted\_private\_service\_connect\_ip | The base subnet internal IP to be used as the private service connect endpoint in the Restricted Shared VPC | `string` | n/a | yes | | restricted\_subnet\_primary\_ranges | The base subnet primary IPTs ranges to the Restricted Shared Vpc. | `map(string)` | n/a | yes | | restricted\_subnet\_secondary\_ranges | The base subnet secondary IPTs ranges to the Restricted Shared Vpc | `map(list(map(string)))` | n/a | yes | diff --git a/3-networks-dual-svpc/modules/base_env/main.tf b/3-networks-dual-svpc/modules/base_env/main.tf index 1e9ae160f..7bd18ed70 100644 --- a/3-networks-dual-svpc/modules/base_env/main.tf +++ b/3-networks-dual-svpc/modules/base_env/main.tf @@ -91,6 +91,7 @@ module "restricted_shared_vpc" { restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"] members = var.members private_service_cidr = var.restricted_private_service_cidr + private_service_connect_ip = var.restricted_private_service_connect_ip org_id = local.org_id parent_folder = local.parent_folder bgp_asn_subnet = local.bgp_asn_number 
@@ -130,17 +131,18 @@ module "restricted_shared_vpc" { *****************************************/ module "base_shared_vpc" { - source = "../base_shared_vpc" - project_id = local.base_project_id - dns_hub_project_id = local.dns_hub_project_id - environment_code = var.environment_code - private_service_cidr = var.base_private_service_cidr - org_id = local.org_id - parent_folder = local.parent_folder - default_region1 = var.default_region1 - default_region2 = var.default_region2 - domain = var.domain - bgp_asn_subnet = local.bgp_asn_number + source = "../base_shared_vpc" + project_id = local.base_project_id + dns_hub_project_id = local.dns_hub_project_id + environment_code = var.environment_code + private_service_cidr = var.base_private_service_cidr + private_service_connect_ip = var.base_private_service_connect_ip + org_id = local.org_id + parent_folder = local.parent_folder + default_region1 = var.default_region1 + default_region2 = var.default_region2 + domain = var.domain + bgp_asn_subnet = local.bgp_asn_number subnets = [ { diff --git a/3-networks-dual-svpc/modules/base_env/variables.tf b/3-networks-dual-svpc/modules/base_env/variables.tf index 1ec78de4b..6ccd0b2bf 100644 --- a/3-networks-dual-svpc/modules/base_env/variables.tf +++ b/3-networks-dual-svpc/modules/base_env/variables.tf @@ -70,6 +70,11 @@ variable "base_subnet_secondary_ranges" { description = "The base subnet secondary IPTs ranges to the Base Shared Vpc." } +variable "base_private_service_connect_ip" { + type = string + description = "The base subnet internal IP to be used as the private service connect endpoint in the Base Shared VPC" +} + variable "restricted_private_service_cidr" { type = string description = "CIDR range for private service networking. Used for Cloud SQL and other managed services in the Restricted Shared Vpc." 
@@ -85,6 +90,11 @@ variable "restricted_subnet_secondary_ranges" { description = "The base subnet secondary IPTs ranges to the Restricted Shared Vpc" } +variable "restricted_private_service_connect_ip" { + type = string + description = "The base subnet internal IP to be used as the private service connect endpoint in the Restricted Shared VPC" +} + variable "egress_policies" { description = "A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference), each list object has a `from` and `to` value that describes egress_from and egress_to.\n\nExample: `[{ from={ identities=[], identity_type=\"ID_TYPE\" }, to={ resources=[], operations={ \"SRV_NAME\"={ OP_TYPE=[] }}}}]`\n\nValid Values:\n`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`\n`SRV_NAME` = \"`*`\" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)\n`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions)" type = list(object({ diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/README.md b/3-networks-dual-svpc/modules/base_shared_vpc/README.md index 83f5c5608..d65840a9b 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/README.md +++ b/3-networks-dual-svpc/modules/base_shared_vpc/README.md 
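Review bot: The description of the new `restricted_private_service_connect_ip` variable is a copy of the base one — `"The base subnet internal IP to be used as the private service connect endpoint in the Restricted Shared VPC"` — although the address belongs to the restricted VPC; it should read `description = "The restricted subnet internal IP to be used as the private service connect endpoint in the Restricted Shared VPC"`. The same text is added in 3-networks-hub-and-spoke/modules/base_env/variables.tf and in both base_env README tables. I would also reconsider the word `subnet` in both descriptions: a Private Service Connect endpoint for Google APIs is a global internal address that, as far as I recall, must not lie inside any subnet range of the VPC, so a caller who reads `subnet internal IP` may pick an address from the subnet plan and only find out at apply time. Minor: the base description has no trailing period while the neighbouring `private_service_cidr` descriptions end with one.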
@@ -23,6 +23,7 @@
 | org\_id | Organization ID | `string` | n/a | yes |
 | parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no |
 | private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | `string` | `null` | no |
+| private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint | `string` | n/a | yes |
 | project\_id | Project ID for Private Shared VPC. | `string` | n/a | yes |
 | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no |
 | subnets | The list of subnets being created | `list(map(string))` | `[]` | no |
diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/private_service_connect.tf b/3-networks-dual-svpc/modules/base_shared_vpc/private_service_connect.tf
index 5e21edb9a..0c03ea327 100644
--- a/3-networks-dual-svpc/modules/base_shared_vpc/private_service_connect.tf
+++ b/3-networks-dual-svpc/modules/base_shared_vpc/private_service_connect.tf
@@ -21,6 +21,6 @@ module "private_service_connect" {
 project_id = var.project_id
 dns_code = "dz-${var.environment_code}-shared-base"
 network_self_link = module.main.network_self_link
- private_service_connect_ip = "10.3.0.5"
+ private_service_connect_ip = var.private_service_connect_ip
 forwarding_rule_target = "all-apis"
 }
diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf
index 1c28e38ee..c7735c659 100644
--- a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf
+++ b/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf
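Review bot: Replacing the fixed `"10.3.0.5"` with `var.private_service_connect_ip` changes the reserved address of an endpoint that existing deployments already have, and a changed address on the underlying global address and forwarding rule is presumably a replace rather than an in-place update, so every existing environment will see the `all-apis` endpoint (and the `vpc-sc` one in the restricted module) recreated and a short loss of API reachability through it during apply. None of the changed files says so; an upgrade note in the step README or changelog telling existing deployments to either pass `10.3.0.5` for each environment or plan the cut-over would avoid a surprise in `terraform plan`. The same applies to the restricted module and to both private_service_connect.tf files in 3-networks-hub-and-spoke.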
@@ -114,6 +114,11 @@ variable "private_service_cidr" { default = null } +variable "private_service_connect_ip" { + type = string + description = "Internal IP to be used as the private service connect endpoint" +} + variable "windows_activation_enabled" { type = bool description = "Enable Windows license activation for Windows workloads." diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md index adb1774b4..f68b7cf3c 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md @@ -26,6 +26,7 @@ | org\_id | Organization ID | `string` | n/a | yes | | parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no | | private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | `string` | `null` | no | +| private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint. | `string` | n/a | yes | | project\_id | Project ID for Restricted Shared VPC. | `string` | n/a | yes | | project\_number | Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter. | `number` | n/a | yes | | restricted\_services | List of services to restrict. | `list(string)` | n/a | yes | diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/private_service_connect.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/private_service_connect.tf index b503c2c12..58ef89e9b 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/private_service_connect.tf +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/private_service_connect.tf 
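Review bot: `private_service_connect_ip` is declared as a bare `string`, so a typo such as a trailing prefix length or an out-of-range octet is only rejected at apply time inside the address and forwarding-rule resources rather than at plan time. A `validation` block rejecting anything that is not a single IPv4 address, for example `can(cidrnetmask("${var.private_service_connect_ip}/32"))` (which fails for malformed and IPv6 input), catches this before any resource is touched. The same block fits the restricted module's variables.tf hunk (`@@ -124,6 +124,11 @@`) and the hub-and-spoke copies of both modules. If the address must also stay outside every subnet range, that is better checked once in base_env where the subnet ranges are known.
```hcl
variable "private_service_connect_ip" {
  type        = string
  description = "Internal IP to be used as the private service connect endpoint"

  validation {
    condition     = can(cidrnetmask("${var.private_service_connect_ip}/32"))
    error_message = "The private_service_connect_ip value must be a single IPv4 address without a prefix length."
  }
}
```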
@@ -21,6 +21,6 @@ module "private_service_connect" { project_id = var.project_id dns_code = "dz-${var.environment_code}-shared-restricted" network_self_link = module.main.network_self_link - private_service_connect_ip = "10.3.0.5" + private_service_connect_ip = var.private_service_connect_ip forwarding_rule_target = "vpc-sc" } diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf index 601cf7e05..0ea6d4c68 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf @@ -124,6 +124,11 @@ variable "private_service_cidr" { default = null } +variable "private_service_connect_ip" { + type = string + description = "Internal IP to be used as the private service connect endpoint." +} + variable "windows_activation_enabled" { type = bool description = "Enable Windows license activation for Windows workloads." diff --git a/3-networks-hub-and-spoke/envs/development/main.tf b/3-networks-hub-and-spoke/envs/development/main.tf index b9b99bcc5..591d9cb14 100644 --- a/3-networks-hub-and-spoke/envs/development/main.tf +++ b/3-networks-hub-and-spoke/envs/development/main.tf 
@@ -64,22 +64,24 @@ locals { module "base_env" { source = "../../modules/base_env" - env = local.env - environment_code = local.environment_code - access_context_manager_policy_id = var.access_context_manager_policy_id - members = ["serviceAccount:${var.terraform_service_account}"] - default_region1 = local.default_region1 - default_region2 = local.default_region2 - domain = var.domain - ingress_policies = var.ingress_policies - egress_policies = var.egress_policies - enable_partner_interconnect = false - enable_hub_and_spoke_transitivity = var.enable_hub_and_spoke_transitivity - base_private_service_cidr = local.base_private_service_cidr - base_subnet_primary_ranges = local.base_subnet_primary_ranges - base_subnet_secondary_ranges = local.base_subnet_secondary_ranges - restricted_private_service_cidr = local.restricted_private_service_cidr - restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges - restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges - remote_state_bucket = var.remote_state_bucket + env = local.env + environment_code = local.environment_code + access_context_manager_policy_id = var.access_context_manager_policy_id + members = ["serviceAccount:${var.terraform_service_account}"] + default_region1 = local.default_region1 + default_region2 = local.default_region2 + domain = var.domain + ingress_policies = var.ingress_policies + egress_policies = var.egress_policies + enable_partner_interconnect = false + enable_hub_and_spoke_transitivity = var.enable_hub_and_spoke_transitivity + base_private_service_cidr = local.base_private_service_cidr + base_subnet_primary_ranges = local.base_subnet_primary_ranges + base_subnet_secondary_ranges = local.base_subnet_secondary_ranges + base_private_service_connect_ip = "10.2.64.5" + restricted_private_service_cidr = local.restricted_private_service_cidr + restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges + restricted_subnet_secondary_ranges = 
local.restricted_subnet_secondary_ranges
+ restricted_private_service_connect_ip = "10.10.64.5"
+ remote_state_bucket = var.remote_state_bucket
 }
diff --git a/3-networks-hub-and-spoke/envs/non-production/main.tf b/3-networks-hub-and-spoke/envs/non-production/main.tf
index 472bda3b5..2ae159605 100644
--- a/3-networks-hub-and-spoke/envs/non-production/main.tf
+++ b/3-networks-hub-and-spoke/envs/non-production/main.tf
@@ -64,22 +64,24 @@ locals { module "base_env" { source = "../../modules/base_env" - env = local.env - environment_code = local.environment_code - access_context_manager_policy_id = var.access_context_manager_policy_id - members = ["serviceAccount:${var.terraform_service_account}"] - default_region1 = local.default_region1 - default_region2 = local.default_region2 - domain = var.domain - ingress_policies = var.ingress_policies - egress_policies = var.egress_policies - enable_partner_interconnect = false - enable_hub_and_spoke_transitivity = var.enable_hub_and_spoke_transitivity - base_private_service_cidr = local.base_private_service_cidr - base_subnet_primary_ranges = local.base_subnet_primary_ranges - base_subnet_secondary_ranges = local.base_subnet_secondary_ranges - restricted_private_service_cidr = local.restricted_private_service_cidr - restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges - restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges - remote_state_bucket = var.remote_state_bucket + env = local.env + environment_code = local.environment_code + access_context_manager_policy_id = var.access_context_manager_policy_id + members = ["serviceAccount:${var.terraform_service_account}"] + default_region1 = local.default_region1 + default_region2 = local.default_region2 + domain = var.domain + ingress_policies = var.ingress_policies + egress_policies = var.egress_policies + enable_partner_interconnect = false + enable_hub_and_spoke_transitivity = var.enable_hub_and_spoke_transitivity + base_private_service_cidr = local.base_private_service_cidr + base_subnet_primary_ranges = local.base_subnet_primary_ranges + base_subnet_secondary_ranges = local.base_subnet_secondary_ranges + base_private_service_connect_ip = "10.2.128.5" + restricted_private_service_cidr = local.restricted_private_service_cidr + restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges + restricted_subnet_secondary_ranges = 
local.restricted_subnet_secondary_ranges
+ restricted_private_service_connect_ip = "10.10.128.5"
+ remote_state_bucket = var.remote_state_bucket
 }
diff --git a/3-networks-hub-and-spoke/envs/production/main.tf b/3-networks-hub-and-spoke/envs/production/main.tf
index 1940d0742..4a83e4c79 100644
--- a/3-networks-hub-and-spoke/envs/production/main.tf
+++ b/3-networks-hub-and-spoke/envs/production/main.tf
@@ -64,22 +64,24 @@ locals { module "base_env" { source = "../../modules/base_env" - env = local.env - environment_code = local.environment_code - access_context_manager_policy_id = var.access_context_manager_policy_id - members = ["serviceAccount:${var.terraform_service_account}"] - default_region1 = local.default_region1 - default_region2 = local.default_region2 - domain = var.domain - ingress_policies = var.ingress_policies - egress_policies = var.egress_policies - enable_partner_interconnect = false - enable_hub_and_spoke_transitivity = var.enable_hub_and_spoke_transitivity - base_private_service_cidr = local.base_private_service_cidr - base_subnet_primary_ranges = local.base_subnet_primary_ranges - base_subnet_secondary_ranges = local.base_subnet_secondary_ranges - restricted_private_service_cidr = local.restricted_private_service_cidr - restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges - restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges - remote_state_bucket = var.remote_state_bucket + env = local.env + environment_code = local.environment_code + access_context_manager_policy_id = var.access_context_manager_policy_id + members = ["serviceAccount:${var.terraform_service_account}"] + default_region1 = local.default_region1 + default_region2 = local.default_region2 + domain = var.domain + ingress_policies = var.ingress_policies + egress_policies = var.egress_policies + enable_partner_interconnect = false + enable_hub_and_spoke_transitivity = var.enable_hub_and_spoke_transitivity + base_private_service_cidr = local.base_private_service_cidr + base_subnet_primary_ranges = local.base_subnet_primary_ranges + base_subnet_secondary_ranges = local.base_subnet_secondary_ranges + base_private_service_connect_ip = "10.2.192.5" + restricted_private_service_cidr = local.restricted_private_service_cidr + restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges + restricted_subnet_secondary_ranges = 
local.restricted_subnet_secondary_ranges
+ restricted_private_service_connect_ip = "10.10.192.5"
+ remote_state_bucket = var.remote_state_bucket
 }
diff --git a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf
index 4f67c351b..05b0b3d7f 100644
--- a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf
+++ b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf
@@ -40,6 +40,7 @@ module "base_shared_vpc" {
 project_id = local.base_net_hub_project_id
 dns_hub_project_id = local.dns_hub_project_id
 environment_code = local.environment_code
+ private_service_connect_ip = "10.2.0.5"
 org_id = local.org_id
 bgp_asn_subnet = local.bgp_asn_number
 default_region1 = local.default_region1
@@ -88,6 +89,7 @@ module "restricted_shared_vpc" {
 project_number = local.restricted_net_hub_project_number
 dns_hub_project_id = local.dns_hub_project_id
 environment_code = local.environment_code
+ private_service_connect_ip = "10.10.0.5"
 access_context_manager_policy_id = var.access_context_manager_policy_id
 restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"]
 members = ["serviceAccount:${var.terraform_service_account}"]
diff --git a/3-networks-hub-and-spoke/modules/base_env/README.md b/3-networks-hub-and-spoke/modules/base_env/README.md
index 710e3cddd..2d26ce1a0 100644
--- a/3-networks-hub-and-spoke/modules/base_env/README.md
+++ b/3-networks-hub-and-spoke/modules/base_env/README.md
@@ -5,6 +5,7 @@
 |------|-------------|------|---------|:--------:|
 | access\_context\_manager\_policy\_id | The id of the default Access Context Manager policy created in step `1-org`. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `number` | n/a | yes |
 | base\_private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services in the Base Shared Vpc. | `string` | n/a | yes |
+| base\_private\_service\_connect\_ip | The base subnet internal IP to be used as the private service connect endpoint in the Base Shared VPC | `string` | n/a | yes |
 | base\_subnet\_primary\_ranges | The base subnet primary IPTs ranges to the Base Shared Vpc. | `map(string)` | n/a | yes |
 | base\_subnet\_secondary\_ranges | The base subnet secondary IPTs ranges to the Base Shared Vpc. | `map(list(map(string)))` | n/a | yes |
 | default\_region1 | First subnet region. The shared vpc modules only configures two regions. | `string` | n/a | yes |
@@ -19,6 +20,7 @@ | members | An allowed list of members (users, service accounts)to be include in the VPC-SC perimeter. The signed-in identity originating the request must be a part of one of the provided members. If not specified, a request may come from any user (logged in/not logged in, etc.). Formats: user:{emailid}, serviceAccount:{emailid} | `list(string)` | n/a | yes | | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes | | restricted\_private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services in the Restricted Shared Vpc. | `string` | n/a | yes | +| restricted\_private\_service\_connect\_ip | The base subnet internal IP to be used as the private service connect endpoint in the Restricted Shared VPC | `string` | n/a | yes | | restricted\_subnet\_primary\_ranges | The base subnet primary IPTs ranges to the Restricted Shared Vpc. | `map(string)` | n/a | yes | | restricted\_subnet\_secondary\_ranges | The base subnet secondary IPTs ranges to the Restricted Shared Vpc | `map(list(map(string)))` | n/a | yes | diff --git a/3-networks-hub-and-spoke/modules/base_env/main.tf b/3-networks-hub-and-spoke/modules/base_env/main.tf index 825804acc..e0dd87bf2 100644 --- a/3-networks-hub-and-spoke/modules/base_env/main.tf +++ b/3-networks-hub-and-spoke/modules/base_env/main.tf @@ -95,6 +95,7 @@ module "restricted_shared_vpc" { restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"] members = var.members private_service_cidr = var.restricted_private_service_cidr + private_service_connect_ip = var.restricted_private_service_connect_ip ingress_policies = var.ingress_policies egress_policies = var.egress_policies org_id = local.org_id 
@@ -134,18 +135,19 @@ module "restricted_shared_vpc" { *****************************************/ module "base_shared_vpc" { - source = "../base_shared_vpc" - project_id = local.base_project_id - dns_hub_project_id = local.dns_hub_project_id - base_net_hub_project_id = local.base_net_hub_project_id - environment_code = var.environment_code - private_service_cidr = var.base_private_service_cidr - org_id = local.org_id - default_region1 = var.default_region1 - default_region2 = var.default_region2 - domain = var.domain - bgp_asn_subnet = local.bgp_asn_number - mode = "spoke" + source = "../base_shared_vpc" + project_id = local.base_project_id + dns_hub_project_id = local.dns_hub_project_id + base_net_hub_project_id = local.base_net_hub_project_id + environment_code = var.environment_code + private_service_cidr = var.base_private_service_cidr + private_service_connect_ip = var.base_private_service_connect_ip + org_id = local.org_id + default_region1 = var.default_region1 + default_region2 = var.default_region2 + domain = var.domain + bgp_asn_subnet = local.bgp_asn_number + mode = "spoke" subnets = [ { diff --git a/3-networks-hub-and-spoke/modules/base_env/variables.tf b/3-networks-hub-and-spoke/modules/base_env/variables.tf index cee370ad4..4dbb8ec4e 100644 --- a/3-networks-hub-and-spoke/modules/base_env/variables.tf +++ b/3-networks-hub-and-spoke/modules/base_env/variables.tf @@ -76,6 +76,11 @@ variable "base_subnet_secondary_ranges" { description = "The base subnet secondary IPTs ranges to the Base Shared Vpc." } +variable "base_private_service_connect_ip" { + type = string + description = "The base subnet internal IP to be used as the private service connect endpoint in the Base Shared VPC" +} + variable "restricted_private_service_cidr" { type = string description = "CIDR range for private service networking. Used for Cloud SQL and other managed services in the Restricted Shared Vpc." 
@@ -91,6 +96,11 @@ variable "restricted_subnet_secondary_ranges" { description = "The base subnet secondary IPTs ranges to the Restricted Shared Vpc" } +variable "restricted_private_service_connect_ip" { + type = string + description = "The base subnet internal IP to be used as the private service connect endpoint in the Restricted Shared VPC" +} + variable "egress_policies" { description = "A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference), each list object has a `from` and `to` value that describes egress_from and egress_to.\n\nExample: `[{ from={ identities=[], identity_type=\"ID_TYPE\" }, to={ resources=[], operations={ \"SRV_NAME\"={ OP_TYPE=[] }}}}]`\n\nValid Values:\n`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`\n`SRV_NAME` = \"`*`\" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)\n`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions)" type = list(object({ diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md b/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md index e2bd1b315..48b064e27 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md 
@@ -23,6 +23,7 @@ | nat\_num\_addresses\_region2 | Number of external IPs to reserve for second Cloud NAT. | `number` | `2` | no | | org\_id | Organization ID | `string` | n/a | yes | | private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | `string` | `null` | no | +| private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint. | `string` | n/a | yes | | project\_id | Project ID for Private Shared VPC. | `string` | n/a | yes | | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no | | subnets | The list of subnets being created | `list(map(string))` | `[]` | no | diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/private_service_connect.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/private_service_connect.tf index 5e21edb9a..0c03ea327 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/private_service_connect.tf +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/private_service_connect.tf @@ -21,6 +21,6 @@ module "private_service_connect" { project_id = var.project_id dns_code = "dz-${var.environment_code}-shared-base" network_self_link = module.main.network_self_link - private_service_connect_ip = "10.3.0.5" + private_service_connect_ip = var.private_service_connect_ip forwarding_rule_target = "all-apis" } diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf index c575cd077..926928e54 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf 
@@ -126,6 +126,11 @@ variable "private_service_cidr" { default = null } +variable "private_service_connect_ip" { + type = string + description = "Internal IP to be used as the private service connect endpoint." +} + variable "windows_activation_enabled" { type = bool description = "Enable Windows license activation for Windows workloads." diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md index b59faea05..0e38fe42c 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md +++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md @@ -25,6 +25,7 @@ | nat\_num\_addresses\_region2 | Number of external IPs to reserve for region 2 Cloud NAT. | `number` | `2` | no | | org\_id | Organization ID | `string` | n/a | yes | | private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | `string` | `null` | no | +| private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint. | `string` | n/a | yes | | project\_id | Project ID for Restricted Shared VPC. | `string` | n/a | yes | | project\_number | Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter. | `number` | n/a | yes | | restricted\_net\_hub\_project\_id | The restricted net hub project ID | `string` | `""` | no | diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/private_service_connect.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/private_service_connect.tf index b503c2c12..58ef89e9b 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/private_service_connect.tf +++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/private_service_connect.tf 
@@ -21,6 +21,6 @@ module "private_service_connect" { project_id = var.project_id dns_code = "dz-${var.environment_code}-shared-restricted" network_self_link = module.main.network_self_link - private_service_connect_ip = "10.3.0.5" + private_service_connect_ip = var.private_service_connect_ip forwarding_rule_target = "vpc-sc" } diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf index 538223347..6a967f02b 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf +++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf @@ -142,6 +142,11 @@ variable "private_service_cidr" { default = null } +variable "private_service_connect_ip" { + type = string + description = "Internal IP to be used as the private service connect endpoint." +} + variable "windows_activation_enabled" { type = bool description = "Enable Windows license activation for Windows workloads." diff --git a/test/integration/networks/networks_test.go b/test/integration/networks/networks_test.go index a40a52523..dcf7ed79d 100644 --- a/test/integration/networks/networks_test.go +++ b/test/integration/networks/networks_test.go @@ -120,9 +120,19 @@ func TestNetworks(t *testing.T) { }, } - googleapisCIDR := map[string]string{ - "base": "10.3.0.5", - "restricted": "10.3.0.5", + googleapisCIDR := map[string]map[string]string{ + "development": { + "base": "10.2.64.5", + "restricted": "10.10.64.5", + }, + "non-production": { + "base": "10.2.128.5", + "restricted": "10.10.128.5", + }, + "production": { + "base": "10.2.192.5", + "restricted": "10.10.192.5", + }, } operationService := "storage.googleapis.com" 
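Review bot: The per-environment addresses in the new `googleapisCIDR` literal in networks_test.go have to match the `base_private_service_connect_ip` and `restricted_private_service_connect_ip` values passed in each environment's configuration, and nothing in the test says so, so a future change on either side will fail here without an obvious cause. A comment above the literal, `// Expected private service connect endpoint IPs; keep in sync with the *_private_service_connect_ip values passed in each environment's main.tf.`, makes the coupling explicit. The name `googleapisCIDR` is also misleading now that each entry is a single endpoint address rather than a range; something like `pscEndpointIP` would describe it better. The enclosing TestNetworks function starts and ends outside the hunk.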
@@ -283,7 +293,7 @@ func TestNetworks(t *testing.T) {
 assert.Equal(allowApiEgressName, allowApiEgressRule.Get("name").String(), fmt.Sprintf("firewall rule %s should exist", allowApiEgressName))
 assert.Equal("EGRESS", allowApiEgressRule.Get("direction").String(), fmt.Sprintf("firewall rule %s direction should be EGRESS", allowApiEgressName))
 assert.True(allowApiEgressRule.Get("logConfig.enable").Bool(), fmt.Sprintf("firewall rule %s should have log configuration enabled", allowApiEgressName))
- assert.Equal(googleapisCIDR[networkType], allowApiEgressRule.Get("destinationRanges").Array()[0].String(), fmt.Sprintf("firewall rule %s destination ranges should be %s", allowApiEgressName, googleapisCIDR[networkType]))
+ assert.Equal(googleapisCIDR[envName][networkType], allowApiEgressRule.Get("destinationRanges").Array()[0].String(), fmt.Sprintf("firewall rule %s destination ranges should be %s", allowApiEgressName, googleapisCIDR[envName][networkType]))
 assert.Equal(1, len(allowApiEgressRule.Get("allowed").Array()), fmt.Sprintf("firewall rule %s should have only one allowed", allowApiEgressName))
 assert.Equal(2, len(allowApiEgressRule.Get("allowed.0").Map()), fmt.Sprintf("firewall rule %s should have only one allowed only with protocol end ports", allowApiEgressName))
 assert.Equal("tcp", allowApiEgressRule.Get("allowed.0.IPProtocol").String(), fmt.Sprintf("firewall rule %s should allow tcp protocol", allowApiEgressName))
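Review bot: The new lookup `googleapisCIDR[envName][networkType]` is unchecked: if `envName` is not one of the three keys in the map, the inner map is nil and the expression yields an empty string, so the assertion fails with a message claiming the destination range should be "" instead of pointing at the missing table entry. The same unchecked lookup is in the next hunk, on the router advertised range assertion. Reading the value once with the comma-ok form, `expectedIP, ok := googleapisCIDR[envName][networkType]` followed by `assert.True(ok, fmt.Sprintf("no expected private service connect IP configured for env %s network %s", envName, networkType))`, gives a clear failure and lets both assertions use `expectedIP`; the calls here appear to go through an assertions value rather than `t`, so I kept that form. The enclosing TestNetworks function starts and ends outside the hunk, and `envName` is presumably defined there.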
@@ -319,7 +329,7 @@ func TestNetworks(t *testing.T) {
 assert.Equal(routerName, computeRouter.Get("name").String(), fmt.Sprintf("router %s should exist", routerName))
 assert.Equal("64514", computeRouter.Get("bgp.asn").String(), fmt.Sprintf("router %s should have bgp asm 64514", routerName))
 assert.Equal(1, len(computeRouter.Get("bgp.advertisedIpRanges").Array()), fmt.Sprintf("router %s should have only one advertised IP range", routerName))
- assert.Equal(googleapisCIDR[networkType], computeRouter.Get("bgp.advertisedIpRanges.0.range").String(), fmt.Sprintf("router %s should have only range %s", routerName, googleapisCIDR[networkType]))
+ assert.Equal(googleapisCIDR[envName][networkType], computeRouter.Get("bgp.advertisedIpRanges.0.range").String(), fmt.Sprintf("router %s should have only range %s", routerName, googleapisCIDR[envName][networkType]))
 assert.Equal(networkSelfLink, computeRouter.Get("network").String(), fmt.Sprintf("router %s should have be from network %s", routerName, networkNames[networkType]["network_name"]))
 }
 }