fix: make dedicated interconnect comply with guide (#913)

terraform-google-modules · Dec 16, 2022 · 7d77636 · 7d77636
1 parent 49347f5
commit 7d77636
Show file tree

Hide file tree

Showing 19 changed files with 384 additions and 196 deletions.
diff --git a/1-org/envs/shared/README.md b/1-org/envs/shared/README.md
@@ -36,6 +36,7 @@
 | dns\_hub\_project\_id | The DNS hub project ID |
 | domains\_to\_allow | The list of domains to allow users from in IAM. |
 | interconnect\_project\_id | The Dedicated Interconnect project ID |
+| interconnect\_project\_number | The Dedicated Interconnect project number |
 | logs\_export\_bigquery\_dataset\_name | The log bucket for destination of log exports. See https://cloud.google.com/logging/docs/routing/overview#buckets |
 | logs\_export\_logbucket\_name | The log bucket for destination of log exports. See https://cloud.google.com/logging/docs/routing/overview#buckets |
 | logs\_export\_pubsub\_topic | The Pub/Sub topic for destination of log exports |

diff --git a/1-org/envs/shared/outputs.tf b/1-org/envs/shared/outputs.tf
@@ -59,6 +59,11 @@ output "interconnect_project_id" {
   description = "The Dedicated Interconnect project ID"
 }
 
+output "interconnect_project_number" {
+  value       = module.interconnect.project_number
+  description = "The Dedicated Interconnect project number"
+}
+
 output "scc_notifications_project_id" {
   value       = module.scc_notifications.project_id
   description = "The SCC notifications project ID"

diff --git a/3-networks-dual-svpc/README.md b/3-networks-dual-svpc/README.md
@@ -94,8 +94,11 @@ This step makes use of the **Dual Shared VPC** architecture, and more details ca
 
 If you provisioned the prerequisites listed in the [Dedicated Interconnect README](./modules/dedicated_interconnect/README.md), follow these steps to enable Dedicated Interconnect to access on-premises resources.
 
+1. Rename `interconnect.tf.example` to `interconnect.tf` in the shared envs folder in `3-networks-dual-svpc/envs/shared`
+1. Update the file `interconnect.tf` with values that are valid for your environment for the interconnects, locations, candidate subnetworks, vlan_tag8021q and peer info.
 1. Rename `interconnect.tf.example` to `interconnect.tf` in base_env folder in `3-networks-dual-svpc/modules/base_env`.
 1. Update the file `interconnect.tf` with values that are valid for your environment for the interconnects, locations, candidate subnetworks, vlan_tag8021q and peer info.
+1. Set variable `enable_dedicated_interconnect` to `true`
 1. The candidate subnetworks and vlan_tag8021q variables can be set to `null` to allow the interconnect module to auto generate these values.
 
 ### Using Partner Interconnect

diff --git a/3-networks-dual-svpc/envs/shared/interconnect.tf.example b/3-networks-dual-svpc/envs/shared/interconnect.tf.example
@@ -18,33 +18,33 @@ module "dns_hub_interconnect" {
   source = "../../modules/dedicated_interconnect"
 
   vpc_name                = "c-dns-hub"
-  interconnect_project_id = local.interconnect_project_id
+  interconnect_project_id = local.dns_hub_project_id
 
   region1                                 = local.default_region1
   region1_router1_name                    = module.dns_hub_region1_router1.router.name
   region1_interconnect1_candidate_subnets = ["169.254.0.0/29"]
   region1_interconnect1_vlan_tag8021q     = "3931"
-  region1_interconnect1                   = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-1"
+  region1_interconnect1                   = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-1"
   region1_interconnect1_location          = "las-zone1-770"
   region1_interconnect1_onprem_dc         = "onprem-dc1"
   region1_router2_name                    = module.dns_hub_region1_router2.router.name
   region1_interconnect2_candidate_subnets = ["169.254.0.8/29"]
   region1_interconnect2_vlan_tag8021q     = "3932"
-  region1_interconnect2                   = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-2"
+  region1_interconnect2                   = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-2"
   region1_interconnect2_location          = "las-zone1-770"
   region1_interconnect2_onprem_dc         = "onprem-dc2"
 
   region2                                 = local.default_region2
   region2_router1_name                    = module.dns_hub_region2_router1.router.name
   region2_interconnect1_candidate_subnets = ["169.254.0.16/29"]
   region2_interconnect1_vlan_tag8021q     = "3933"
-  region2_interconnect1                   = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-3"
+  region2_interconnect1                   = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-3"
   region2_interconnect1_location          = "lax-zone2-19"
   region2_interconnect1_onprem_dc         = "onprem-dc3"
   region2_router2_name                    = module.dns_hub_region2_router2.router.name
   region2_interconnect2_candidate_subnets = ["169.254.0.24/29"]
   region2_interconnect2_vlan_tag8021q     = "3934"
-  region2_interconnect2                   = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-4"
+  region2_interconnect2                   = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-4"
   region2_interconnect2_location          = "lax-zone1-403"
   region2_interconnect2_onprem_dc         = "onprem-dc4"
 

diff --git a/3-networks-dual-svpc/modules/base_env/README.md b/3-networks-dual-svpc/modules/base_env/README.md
@@ -13,6 +13,7 @@
 | default\_region2 | Second subnet region. The shared vpc modules only configures two regions. | `string` | n/a | yes |
 | domain | The DNS name of peering managed zone, for instance 'example.com.'. Must end with a period. | `string` | n/a | yes |
 | egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference), each list object has a `from` and `to` value that describes egress\_from and egress\_to.<br><br>Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`<br><br>Valid Values:<br>`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`<br>`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)<br>`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) | <pre>list(object({<br>    from = any<br>    to   = any<br>  }))</pre> | `[]` | no |
+| enable\_dedicated\_interconnect | Enable Dedicated Interconnect in the environment. | `bool` | `false` | no |
 | enable\_partner\_interconnect | Enable Partner Interconnect in the environment. | `bool` | `false` | no |
 | env | The environment to prepare (ex. development) | `string` | n/a | yes |
 | environment\_code | A short form of the folder level resources (environment) within the Google Cloud organization (ex. d). | `string` | n/a | yes |

diff --git a/3-networks-dual-svpc/modules/base_env/interconnect.tf.example b/3-networks-dual-svpc/modules/base_env/interconnect.tf.example
@@ -14,37 +14,105 @@
  * limitations under the License.
  */
 
+locals {
+  base_config = {
+    "development" = {
+      region1_interconnect1_candidate_subnets = ["169.254.0.192/29"]
+      region1_interconnect1_vlan_tag8021q     = "3905"
+      region1_interconnect2_candidate_subnets = ["169.254.0.200/29"]
+      region1_interconnect2_vlan_tag8021q     = "3906"
+      region2_interconnect1_candidate_subnets = ["169.254.0.208/29"]
+      region2_interconnect1_vlan_tag8021q     = "3907"
+      region2_interconnect2_candidate_subnets = ["169.254.0.216/29"]
+      region2_interconnect2_vlan_tag8021q     = "3908"
+    },
+    "non-production" = {
+      region1_interconnect1_candidate_subnets = ["169.254.0.128/29"]
+      region1_interconnect1_vlan_tag8021q     = "3915"
+      region1_interconnect2_candidate_subnets = ["169.254.0.136/29"]
+      region1_interconnect2_vlan_tag8021q     = "3916"
+      region2_interconnect1_candidate_subnets = ["169.254.0.144/29"]
+      region2_interconnect1_vlan_tag8021q     = "3917"
+      region2_interconnect2_candidate_subnets = ["169.254.0.152/29"]
+      region2_interconnect2_vlan_tag8021q     = "3918"
+    },
+    "production" = {
+      region1_interconnect1_candidate_subnets = ["169.254.0.64/29"]
+      region1_interconnect1_vlan_tag8021q     = "3925"
+      region1_interconnect2_candidate_subnets = ["169.254.0.72/29"]
+      region1_interconnect2_vlan_tag8021q     = "3926"
+      region2_interconnect1_candidate_subnets = ["169.254.0.80/29"]
+      region2_interconnect1_vlan_tag8021q     = "3927"
+      region2_interconnect2_candidate_subnets = ["169.254.0.88/29"]
+      region2_interconnect2_vlan_tag8021q     = "3928"
+    },
+  }
+
+  restricted_config = {
+    "development" = {
+      region1_interconnect1_candidate_subnets = ["169.254.0.160/29"]
+      region1_interconnect1_vlan_tag8021q     = "3901"
+      region1_interconnect2_candidate_subnets = ["169.254.0.168/29"]
+      region1_interconnect2_vlan_tag8021q     = "3902"
+      region2_interconnect1_candidate_subnets = ["169.254.0.176/29"]
+      region2_interconnect1_vlan_tag8021q     = "3903"
+      region2_interconnect2_candidate_subnets = ["169.254.0.184/29"]
+      region2_interconnect2_vlan_tag8021q     = "3904"
+    },
+    "non-production" = {
+      region1_interconnect1_candidate_subnets = ["169.254.0.96/29"]
+      region1_interconnect1_vlan_tag8021q     = "3911"
+      region1_interconnect2_candidate_subnets = ["169.254.0.104/29"]
+      region1_interconnect2_vlan_tag8021q     = "3912"
+      region2_interconnect1_candidate_subnets = ["169.254.0.112/29"]
+      region2_interconnect1_vlan_tag8021q     = "3913"
+      region2_interconnect2_candidate_subnets = ["169.254.0.120/29"]
+      region2_interconnect2_vlan_tag8021q     = "3914"
+    },
+    "production" = {
+      region1_interconnect1_candidate_subnets = ["169.254.0.32/29"]
+      region1_interconnect1_vlan_tag8021q     = "3921"
+      region1_interconnect2_candidate_subnets = ["169.254.0.40/29"]
+      region1_interconnect2_vlan_tag8021q     = "3922"
+      region2_interconnect1_candidate_subnets = ["169.254.0.48/29"]
+      region2_interconnect1_vlan_tag8021q     = "3923"
+      region2_interconnect2_candidate_subnets = ["169.254.0.56/29"]
+      region2_interconnect2_vlan_tag8021q     = "3924"
+    },
+  }
+}
+
 module "shared_restricted_interconnect" {
   source = "../dedicated_interconnect"
 
   vpc_name                = "${var.environment_code}-shared-restricted"
-  interconnect_project_id = local.interconnect_project_id
+  interconnect_project_id = local.restricted_project_id
 
   region1                                 = var.default_region1
   region1_router1_name                    = module.restricted_shared_vpc.region1_router1.router.name
-  region1_interconnect1_candidate_subnets = ["169.254.0.160/29"]
-  region1_interconnect1_vlan_tag8021q     = "3901"
-  region1_interconnect1                   = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-1"
+  region1_interconnect1_candidate_subnets = local.restricted_config[var.env]["region1_interconnect1_candidate_subnets"]
+  region1_interconnect1_vlan_tag8021q     = local.restricted_config[var.env]["region1_interconnect1_vlan_tag8021q"]
+  region1_interconnect1                   = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-1"
   region1_interconnect1_location          = "las-zone1-770"
   region1_interconnect1_onprem_dc         = "onprem-dc1"
   region1_router2_name                    = module.restricted_shared_vpc.region1_router2.router.name
-  region1_interconnect2_candidate_subnets = ["169.254.0.168/29"]
-  region1_interconnect2_vlan_tag8021q     = "3902"
-  region1_interconnect2                   = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-2"
+  region1_interconnect2_candidate_subnets = local.restricted_config[var.env]["region1_interconnect2_candidate_subnets"]
+  region1_interconnect2_vlan_tag8021q     = local.restricted_config[var.env]["region1_interconnect2_vlan_tag8021q"]
+  region1_interconnect2                   = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-2"
   region1_interconnect2_location          = "las-zone1-770"
   region1_interconnect2_onprem_dc         = "onprem-dc2"
 
   region2                                 = var.default_region2
   region2_router1_name                    = module.restricted_shared_vpc.region2_router1.router.name
-  region2_interconnect1_candidate_subnets = ["169.254.0.176/29"]
-  region2_interconnect1_vlan_tag8021q     = "3903"
-  region2_interconnect1                   = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-3"
+  region2_interconnect1_candidate_subnets = local.restricted_config[var.env]["region2_interconnect1_candidate_subnets"]
+  region2_interconnect1_vlan_tag8021q     = local.restricted_config[var.env]["region2_interconnect1_vlan_tag8021q"]
+  region2_interconnect1                   = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-3"
   region2_interconnect1_location          = "lax-zone2-19"
   region2_interconnect1_onprem_dc         = "onprem-dc3"
   region2_router2_name                    = module.restricted_shared_vpc.region2_router2.router.name
-  region2_interconnect2_candidate_subnets = ["169.254.0.184/29"]
-  region2_interconnect2_vlan_tag8021q     = "3904"
-  region2_interconnect2                   = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-4"
+  region2_interconnect2_candidate_subnets = local.restricted_config[var.env]["region2_interconnect2_candidate_subnets"]
+  region2_interconnect2_vlan_tag8021q     = local.restricted_config[var.env]["region2_interconnect2_vlan_tag8021q"]
+  region2_interconnect2                   = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-4"
   region2_interconnect2_location          = "lax-zone1-403"
   region2_interconnect2_onprem_dc         = "onprem-dc4"
 
@@ -67,33 +135,33 @@ module "shared_base_interconnect" {
   source = "../dedicated_interconnect"
 
   vpc_name                = "${var.environment_code}-shared-base"
-  interconnect_project_id = local.interconnect_project_id
+  interconnect_project_id = local.base_project_id
 
   region1                                 = var.default_region1
   region1_router1_name                    = module.base_shared_vpc.region1_router1.router.name
-  region1_interconnect1_candidate_subnets = ["169.254.0.192/29"]
-  region1_interconnect1_vlan_tag8021q     = "3905"
-  region1_interconnect1                   = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-1"
+  region1_interconnect1_candidate_subnets = local.base_config[var.env]["region1_interconnect1_candidate_subnets"]
+  region1_interconnect1_vlan_tag8021q     = local.base_config[var.env]["region1_interconnect1_vlan_tag8021q"]
+  region1_interconnect1                   = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-1"
   region1_interconnect1_location          = "las-zone1-770"
   region1_interconnect1_onprem_dc         = "onprem-dc1"
   region1_router2_name                    = module.base_shared_vpc.region1_router2.router.name
-  region1_interconnect2_candidate_subnets = ["169.254.0.200/29"]
-  region1_interconnect2_vlan_tag8021q     = "3906"
-  region1_interconnect2                   = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-2"
+  region1_interconnect2_candidate_subnets = local.base_config[var.env]["region1_interconnect2_candidate_subnets"]
+  region1_interconnect2_vlan_tag8021q     = local.base_config[var.env]["region1_interconnect2_vlan_tag8021q"]
+  region1_interconnect2                   = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-2"
   region1_interconnect2_location          = "las-zone1-770"
   region1_interconnect2_onprem_dc         = "onprem-dc2"
 
   region2                                 = var.default_region2
   region2_router1_name                    = module.base_shared_vpc.region2_router1.router.name
-  region2_interconnect1_candidate_subnets = ["169.254.0.208/29"]
-  region2_interconnect1_vlan_tag8021q     = "3907"
-  region2_interconnect1                   = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-3"
+  region2_interconnect1_candidate_subnets = local.base_config[var.env]["region2_interconnect1_candidate_subnets"]
+  region2_interconnect1_vlan_tag8021q     = local.base_config[var.env]["region2_interconnect1_vlan_tag8021q"]
+  region2_interconnect1                   = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-3"
   region2_interconnect1_location          = "lax-zone2-19"
   region2_interconnect1_onprem_dc         = "onprem-dc3"
   region2_router2_name                    = module.base_shared_vpc.region2_router2.router.name
-  region2_interconnect2_candidate_subnets = ["169.254.0.216/29"]
-  region2_interconnect2_vlan_tag8021q     = "3908"
-  region2_interconnect2                   = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-4"
+  region2_interconnect2_candidate_subnets = local.base_config[var.env]["region2_interconnect2_candidate_subnets"]
+  region2_interconnect2_vlan_tag8021q     = local.base_config[var.env]["region2_interconnect2_vlan_tag8021q"]
+  region2_interconnect2                   = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-4"
   region2_interconnect2_location          = "lax-zone1-403"
   region2_interconnect2_onprem_dc         = "onprem-dc4"