diff --git a/1-org/envs/shared/README.md b/1-org/envs/shared/README.md index c144de765..fd4bb9575 100644 --- a/1-org/envs/shared/README.md +++ b/1-org/envs/shared/README.md @@ -36,6 +36,7 @@ | dns\_hub\_project\_id | The DNS hub project ID | | domains\_to\_allow | The list of domains to allow users from in IAM. | | interconnect\_project\_id | The Dedicated Interconnect project ID | +| interconnect\_project\_number | The Dedicated Interconnect project number | | logs\_export\_bigquery\_dataset\_name | The log bucket for destination of log exports. See https://cloud.google.com/logging/docs/routing/overview#buckets | | logs\_export\_logbucket\_name | The log bucket for destination of log exports. See https://cloud.google.com/logging/docs/routing/overview#buckets | | logs\_export\_pubsub\_topic | The Pub/Sub topic for destination of log exports | diff --git a/1-org/envs/shared/outputs.tf b/1-org/envs/shared/outputs.tf index 0d648b617..725e26b2f 100644 --- a/1-org/envs/shared/outputs.tf +++ b/1-org/envs/shared/outputs.tf @@ -59,6 +59,11 @@ output "interconnect_project_id" { description = "The Dedicated Interconnect project ID" } +output "interconnect_project_number" { + value = module.interconnect.project_number + description = "The Dedicated Interconnect project number" +} + output "scc_notifications_project_id" { value = module.scc_notifications.project_id description = "The SCC notifications project ID" diff --git a/3-networks-dual-svpc/README.md b/3-networks-dual-svpc/README.md index b02f8b689..73d2f0d58 100644 --- a/3-networks-dual-svpc/README.md +++ b/3-networks-dual-svpc/README.md 
@@ -94,8 +94,11 @@ This step makes use of the **Dual Shared VPC** architecture, and more details ca If you provisioned the prerequisites listed in the [Dedicated Interconnect README](./modules/dedicated_interconnect/README.md), follow these steps to enable Dedicated Interconnect to access on-premises resources. +1. Rename `interconnect.tf.example` to `interconnect.tf` in the shared envs folder in `3-networks-dual-svpc/envs/shared` +1. Update the file `interconnect.tf` with values that are valid for your environment for the interconnects, locations, candidate subnetworks, vlan_tag8021q and peer info. 1. Rename `interconnect.tf.example` to `interconnect.tf` in base_env folder in `3-networks-dual-svpc/modules/base_env`. 1. Update the file `interconnect.tf` with values that are valid for your environment for the interconnects, locations, candidate subnetworks, vlan_tag8021q and peer info. +1. Set variable `enable_dedicated_interconnect` to `true` 1. The candidate subnetworks and vlan_tag8021q variables can be set to `null` to allow the interconnect module to auto generate these values. ### Using Partner Interconnect diff --git a/3-networks-dual-svpc/envs/shared/interconnect.tf.example b/3-networks-dual-svpc/envs/shared/interconnect.tf.example index 49e4ca963..3aa517260 100644 --- a/3-networks-dual-svpc/envs/shared/interconnect.tf.example +++ b/3-networks-dual-svpc/envs/shared/interconnect.tf.example 
@@ -18,19 +18,19 @@ module "dns_hub_interconnect" { source = "../../modules/dedicated_interconnect" vpc_name = "c-dns-hub" - interconnect_project_id = local.interconnect_project_id + interconnect_project_id = local.dns_hub_project_id region1 = local.default_region1 region1_router1_name = module.dns_hub_region1_router1.router.name region1_interconnect1_candidate_subnets = ["169.254.0.0/29"] region1_interconnect1_vlan_tag8021q = "3931" - region1_interconnect1 = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-1" + region1_interconnect1 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-1" region1_interconnect1_location = "las-zone1-770" region1_interconnect1_onprem_dc = "onprem-dc1" region1_router2_name = module.dns_hub_region1_router2.router.name region1_interconnect2_candidate_subnets = ["169.254.0.8/29"] region1_interconnect2_vlan_tag8021q = "3932" - region1_interconnect2 = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-2" + region1_interconnect2 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-2" region1_interconnect2_location = "las-zone1-770" region1_interconnect2_onprem_dc = "onprem-dc2" 
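Review bot: `interconnect_project_id = local.dns_hub_project_id` now passes the DNS hub project under an argument whose name says "interconnect project", while the four `region*_interconnect*` URLs in the same hunk interpolate `local.interconnect_project_id`, so a reader of the rendered `interconnect.tf` cannot tell which project receives the routers and VLAN attachments and which one owns the interconnects. Add a comment on that line, e.g. `# project that receives the VLAN attachments; the interconnects themselves live in local.interconnect_project_id and are referenced by full URL below`, or rename the module argument if it really is the attachment project (the module's variables are not visible in this diff, so confirm which it is). The same pattern appears in the second hunk of this file, in both hunks of `3-networks-hub-and-spoke/envs/shared/interconnect.tf.example`, and in `modules/base_env/interconnect.tf.example`, where `local.restricted_project_id` and `local.base_project_id` are passed under the same argument name. The `module "dns_hub_interconnect"` block starts before and ends after the hunk.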
@@ -38,13 +38,13 @@ module "dns_hub_interconnect" { region2_router1_name = module.dns_hub_region2_router1.router.name region2_interconnect1_candidate_subnets = ["169.254.0.16/29"] region2_interconnect1_vlan_tag8021q = "3933" - region2_interconnect1 = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-3" + region2_interconnect1 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-3" region2_interconnect1_location = "lax-zone2-19" region2_interconnect1_onprem_dc = "onprem-dc3" region2_router2_name = module.dns_hub_region2_router2.router.name region2_interconnect2_candidate_subnets = ["169.254.0.24/29"] region2_interconnect2_vlan_tag8021q = "3934" - region2_interconnect2 = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-4" + region2_interconnect2 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-4" region2_interconnect2_location = "lax-zone1-403" region2_interconnect2_onprem_dc = "onprem-dc4" diff --git a/3-networks-dual-svpc/modules/base_env/README.md b/3-networks-dual-svpc/modules/base_env/README.md index 5f3a0e7f4..52e50d22f 100644 --- a/3-networks-dual-svpc/modules/base_env/README.md +++ b/3-networks-dual-svpc/modules/base_env/README.md @@ -13,6 +13,7 @@ | default\_region2 | Second subnet region. The shared vpc modules only configures two regions. | `string` | n/a | yes | | domain | The DNS name of peering managed zone, for instance 'example.com.'. Must end with a period. | `string` | n/a | yes | | egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference), each list object has a `from` and `to` value that describes egress\_from and egress\_to.

Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no | +| enable\_dedicated\_interconnect | Enable Dedicated Interconnect in the environment. | `bool` | `false` | no | | enable\_partner\_interconnect | Enable Partner Interconnect in the environment. | `bool` | `false` | no | | env | The environment to prepare (ex. development) | `string` | n/a | yes | | environment\_code | A short form of the folder level resources (environment) within the Google Cloud organization (ex. d). | `string` | n/a | yes | diff --git a/3-networks-dual-svpc/modules/base_env/interconnect.tf.example b/3-networks-dual-svpc/modules/base_env/interconnect.tf.example index e53541f95..4034c9b6f 100644 --- a/3-networks-dual-svpc/modules/base_env/interconnect.tf.example +++ b/3-networks-dual-svpc/modules/base_env/interconnect.tf.example 
@@ -14,37 +14,105 @@ * limitations under the License. */ +locals { + base_config = { + "development" = { + region1_interconnect1_candidate_subnets = ["169.254.0.192/29"] + region1_interconnect1_vlan_tag8021q = "3905" + region1_interconnect2_candidate_subnets = ["169.254.0.200/29"] + region1_interconnect2_vlan_tag8021q = "3906" + region2_interconnect1_candidate_subnets = ["169.254.0.208/29"] + region2_interconnect1_vlan_tag8021q = "3907" + region2_interconnect2_candidate_subnets = ["169.254.0.216/29"] + region2_interconnect2_vlan_tag8021q = "3908" + }, + "non-production" = { + region1_interconnect1_candidate_subnets = ["169.254.0.128/29"] + region1_interconnect1_vlan_tag8021q = "3915" + region1_interconnect2_candidate_subnets = ["169.254.0.136/29"] + region1_interconnect2_vlan_tag8021q = "3916" + region2_interconnect1_candidate_subnets = ["169.254.0.144/29"] + region2_interconnect1_vlan_tag8021q = "3917" + region2_interconnect2_candidate_subnets = ["169.254.0.152/29"] + region2_interconnect2_vlan_tag8021q = "3918" + }, + "production" = { + region1_interconnect1_candidate_subnets = ["169.254.0.64/29"] + region1_interconnect1_vlan_tag8021q = "3925" + region1_interconnect2_candidate_subnets = ["169.254.0.72/29"] + region1_interconnect2_vlan_tag8021q = "3926" + region2_interconnect1_candidate_subnets = ["169.254.0.80/29"] + region2_interconnect1_vlan_tag8021q = "3927" + region2_interconnect2_candidate_subnets = ["169.254.0.88/29"] + region2_interconnect2_vlan_tag8021q = "3928" + }, + } + + restricted_config = { + "development" = { + region1_interconnect1_candidate_subnets = ["169.254.0.160/29"] + region1_interconnect1_vlan_tag8021q = "3901" + region1_interconnect2_candidate_subnets = ["169.254.0.168/29"] + region1_interconnect2_vlan_tag8021q = "3902" + region2_interconnect1_candidate_subnets = ["169.254.0.176/29"] + region2_interconnect1_vlan_tag8021q = "3903" + region2_interconnect2_candidate_subnets = ["169.254.0.184/29"] + region2_interconnect2_vlan_tag8021q = "3904" 
+ }, + "non-production" = { + region1_interconnect1_candidate_subnets = ["169.254.0.96/29"] + region1_interconnect1_vlan_tag8021q = "3911" + region1_interconnect2_candidate_subnets = ["169.254.0.104/29"] + region1_interconnect2_vlan_tag8021q = "3912" + region2_interconnect1_candidate_subnets = ["169.254.0.112/29"] + region2_interconnect1_vlan_tag8021q = "3913" + region2_interconnect2_candidate_subnets = ["169.254.0.120/29"] + region2_interconnect2_vlan_tag8021q = "3914" + }, + "production" = { + region1_interconnect1_candidate_subnets = ["169.254.0.32/29"] + region1_interconnect1_vlan_tag8021q = "3921" + region1_interconnect2_candidate_subnets = ["169.254.0.40/29"] + region1_interconnect2_vlan_tag8021q = "3922" + region2_interconnect1_candidate_subnets = ["169.254.0.48/29"] + region2_interconnect1_vlan_tag8021q = "3923" + region2_interconnect2_candidate_subnets = ["169.254.0.56/29"] + region2_interconnect2_vlan_tag8021q = "3924" + }, + } +} + module "shared_restricted_interconnect" { source = "../dedicated_interconnect" vpc_name = "${var.environment_code}-shared-restricted" - interconnect_project_id = local.interconnect_project_id + interconnect_project_id = local.restricted_project_id region1 = var.default_region1 region1_router1_name = module.restricted_shared_vpc.region1_router1.router.name - region1_interconnect1_candidate_subnets = ["169.254.0.160/29"] - region1_interconnect1_vlan_tag8021q = "3901" - region1_interconnect1 = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-1" + region1_interconnect1_candidate_subnets = local.restricted_config[var.env]["region1_interconnect1_candidate_subnets"] + region1_interconnect1_vlan_tag8021q = local.restricted_config[var.env]["region1_interconnect1_vlan_tag8021q"] + region1_interconnect1 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-1" region1_interconnect1_location = 
"las-zone1-770" region1_interconnect1_onprem_dc = "onprem-dc1" region1_router2_name = module.restricted_shared_vpc.region1_router2.router.name - region1_interconnect2_candidate_subnets = ["169.254.0.168/29"] - region1_interconnect2_vlan_tag8021q = "3902" - region1_interconnect2 = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-2" + region1_interconnect2_candidate_subnets = local.restricted_config[var.env]["region1_interconnect2_candidate_subnets"] + region1_interconnect2_vlan_tag8021q = local.restricted_config[var.env]["region1_interconnect2_vlan_tag8021q"] + region1_interconnect2 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-2" region1_interconnect2_location = "las-zone1-770" region1_interconnect2_onprem_dc = "onprem-dc2" region2 = var.default_region2 region2_router1_name = module.restricted_shared_vpc.region2_router1.router.name - region2_interconnect1_candidate_subnets = ["169.254.0.176/29"] - region2_interconnect1_vlan_tag8021q = "3903" - region2_interconnect1 = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-3" + region2_interconnect1_candidate_subnets = local.restricted_config[var.env]["region2_interconnect1_candidate_subnets"] + region2_interconnect1_vlan_tag8021q = local.restricted_config[var.env]["region2_interconnect1_vlan_tag8021q"] + region2_interconnect1 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-3" region2_interconnect1_location = "lax-zone2-19" region2_interconnect1_onprem_dc = "onprem-dc3" region2_router2_name = module.restricted_shared_vpc.region2_router2.router.name - region2_interconnect2_candidate_subnets = ["169.254.0.184/29"] - region2_interconnect2_vlan_tag8021q = "3904" - region2_interconnect2 = 
"https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-4" + region2_interconnect2_candidate_subnets = local.restricted_config[var.env]["region2_interconnect2_candidate_subnets"] + region2_interconnect2_vlan_tag8021q = local.restricted_config[var.env]["region2_interconnect2_vlan_tag8021q"] + region2_interconnect2 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-4" region2_interconnect2_location = "lax-zone1-403" region2_interconnect2_onprem_dc = "onprem-dc4" 
@@ -67,33 +135,33 @@ module "shared_base_interconnect" { source = "../dedicated_interconnect" vpc_name = "${var.environment_code}-shared-base" - interconnect_project_id = local.interconnect_project_id + interconnect_project_id = local.base_project_id region1 = var.default_region1 region1_router1_name = module.base_shared_vpc.region1_router1.router.name - region1_interconnect1_candidate_subnets = ["169.254.0.192/29"] - region1_interconnect1_vlan_tag8021q = "3905" - region1_interconnect1 = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-1" + region1_interconnect1_candidate_subnets = local.base_config[var.env]["region1_interconnect1_candidate_subnets"] + region1_interconnect1_vlan_tag8021q = local.base_config[var.env]["region1_interconnect1_vlan_tag8021q"] + region1_interconnect1 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-1" region1_interconnect1_location = "las-zone1-770" region1_interconnect1_onprem_dc = "onprem-dc1" region1_router2_name = module.base_shared_vpc.region1_router2.router.name - region1_interconnect2_candidate_subnets = ["169.254.0.200/29"] - region1_interconnect2_vlan_tag8021q = "3906" - region1_interconnect2 = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-2" + region1_interconnect2_candidate_subnets = local.base_config[var.env]["region1_interconnect2_candidate_subnets"] + region1_interconnect2_vlan_tag8021q = local.base_config[var.env]["region1_interconnect2_vlan_tag8021q"] + region1_interconnect2 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-2" region1_interconnect2_location = "las-zone1-770" region1_interconnect2_onprem_dc = "onprem-dc2" region2 = var.default_region2 region2_router1_name = module.base_shared_vpc.region2_router1.router.name - 
region2_interconnect1_candidate_subnets = ["169.254.0.208/29"] - region2_interconnect1_vlan_tag8021q = "3907" - region2_interconnect1 = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-3" + region2_interconnect1_candidate_subnets = local.base_config[var.env]["region2_interconnect1_candidate_subnets"] + region2_interconnect1_vlan_tag8021q = local.base_config[var.env]["region2_interconnect1_vlan_tag8021q"] + region2_interconnect1 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-3" region2_interconnect1_location = "lax-zone2-19" region2_interconnect1_onprem_dc = "onprem-dc3" region2_router2_name = module.base_shared_vpc.region2_router2.router.name - region2_interconnect2_candidate_subnets = ["169.254.0.216/29"] - region2_interconnect2_vlan_tag8021q = "3908" - region2_interconnect2 = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-4" + region2_interconnect2_candidate_subnets = local.base_config[var.env]["region2_interconnect2_candidate_subnets"] + region2_interconnect2_vlan_tag8021q = local.base_config[var.env]["region2_interconnect2_vlan_tag8021q"] + region2_interconnect2 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-4" region2_interconnect2_location = "lax-zone1-403" region2_interconnect2_onprem_dc = "onprem-dc4" diff --git a/3-networks-dual-svpc/modules/base_env/main.tf b/3-networks-dual-svpc/modules/base_env/main.tf index c264b1427..c9b40916a 100644 --- a/3-networks-dual-svpc/modules/base_env/main.tf +++ b/3-networks-dual-svpc/modules/base_env/main.tf 
@@ -15,21 +15,39 @@ */ locals { - org_id = data.terraform_remote_state.bootstrap.outputs.common_config.org_id - parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder - parent_id = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id - billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account - default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region - folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix - restricted_project_id = data.terraform_remote_state.environments_env.outputs.restricted_shared_vpc_project_id - restricted_project_number = data.terraform_remote_state.environments_env.outputs.restricted_shared_vpc_project_number - base_project_id = data.terraform_remote_state.environments_env.outputs.base_shared_vpc_project_id - env_secret_project_id = data.terraform_remote_state.environments_env.outputs.env_secrets_project_id - interconnect_project_id = data.terraform_remote_state.org.outputs.interconnect_project_id - dns_hub_project_id = data.terraform_remote_state.org.outputs.dns_hub_project_id - networks_service_account = data.terraform_remote_state.bootstrap.outputs.networks_step_terraform_service_account_email - projects_service_account = data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email + org_id = data.terraform_remote_state.bootstrap.outputs.common_config.org_id + parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder + parent_id = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id + billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account + default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region + folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix + restricted_project_id = 
data.terraform_remote_state.environments_env.outputs.restricted_shared_vpc_project_id + restricted_project_number = data.terraform_remote_state.environments_env.outputs.restricted_shared_vpc_project_number + base_project_id = data.terraform_remote_state.environments_env.outputs.base_shared_vpc_project_id + env_secret_project_id = data.terraform_remote_state.environments_env.outputs.env_secrets_project_id + interconnect_project_id = data.terraform_remote_state.org.outputs.interconnect_project_id + interconnect_project_number = data.terraform_remote_state.org.outputs.interconnect_project_number + dns_hub_project_id = data.terraform_remote_state.org.outputs.dns_hub_project_id + organization_service_account = data.terraform_remote_state.bootstrap.outputs.organization_step_terraform_service_account_email + networks_service_account = data.terraform_remote_state.bootstrap.outputs.networks_step_terraform_service_account_email + projects_service_account = data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email + dedicated_interconnect_egress_policy = var.enable_dedicated_interconnect ? [ + { + "from" = { + "identity_type" = "" + "identities" = ["serviceAccount:${local.networks_service_account}"] + }, + "to" = { + "resources" = ["projects/${local.interconnect_project_number}"] + "operations" = { + "compute.googleapis.com" = { + "methods" = ["*"] + } + } + } + }, + ] : [] bgp_asn_number = var.enable_partner_interconnect ? "16550" : "64514" 
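Review bot: The egress rule built in `dedicated_interconnect_egress_policy` uses `"methods" = ["*"]`, which lets the networks service account call every Compute method on the interconnect project from inside the perimeter, although the rule appears to exist only so the `dedicated_interconnect` module can create attachments against interconnects there; scoping it to the methods that module actually needs, where they are in the supported method list, keeps the rule least-privilege. `"identity_type" = ""` also disagrees with the valid values this commit documents for `egress_policies` (`null` or `IDENTITY_TYPE_UNSPECIFIED`); the provider presumably treats the empty string as unset, but `null` matches the documentation and is what a reader expects. A why-comment above the local is missing, e.g. `# VPC-SC egress so the networks SA (inside the restricted perimeter) can reach the interconnect project, presumably outside it; emitted only when dedicated interconnect is enabled`. The `locals` block continues past the hunk.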
@@ -208,17 +226,25 @@ module "restricted_shared_vpc" { environment_code = var.environment_code access_context_manager_policy_id = var.access_context_manager_policy_id restricted_services = local.restricted_services - members = distinct(concat(["serviceAccount:${local.networks_service_account}", "serviceAccount:${local.projects_service_account}"], var.perimeter_additional_members)) - private_service_cidr = var.restricted_private_service_cidr - private_service_connect_ip = var.restricted_private_service_connect_ip - org_id = local.org_id - parent_folder = local.parent_folder - bgp_asn_subnet = local.bgp_asn_number - default_region1 = var.default_region1 - default_region2 = var.default_region2 - domain = var.domain - ingress_policies = var.ingress_policies - egress_policies = var.egress_policies + members = distinct(concat([ + "serviceAccount:${local.networks_service_account}", + "serviceAccount:${local.projects_service_account}", + "serviceAccount:${local.organization_service_account}", + ], var.perimeter_additional_members)) + private_service_cidr = var.restricted_private_service_cidr + private_service_connect_ip = var.restricted_private_service_connect_ip + org_id = local.org_id + parent_folder = local.parent_folder + bgp_asn_subnet = local.bgp_asn_number + default_region1 = var.default_region1 + default_region2 = var.default_region2 + domain = var.domain + ingress_policies = var.ingress_policies + + egress_policies = distinct(concat( + local.dedicated_interconnect_egress_policy, + var.egress_policies + )) subnets = [ { diff --git a/3-networks-dual-svpc/modules/base_env/variables.tf b/3-networks-dual-svpc/modules/base_env/variables.tf index 575fb3a89..1b656ba15 100644 --- a/3-networks-dual-svpc/modules/base_env/variables.tf +++ b/3-networks-dual-svpc/modules/base_env/variables.tf 
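Review bot: `"serviceAccount:${local.organization_service_account}"` is added to the restricted perimeter's access-level members unconditionally, while the matching egress rule passed through `egress_policies` is gated on `var.enable_dedicated_interconnect`; if the organization-step account is only needed for the dedicated-interconnect flow, gate it the same way so deployments without interconnect do not widen the access level, e.g. an extra `concat` argument `var.enable_dedicated_interconnect ? ["serviceAccount:${local.organization_service_account}"] : [],` in place of the fixed third entry. Either way, a one-line comment on that member stating what the organization step does inside the perimeter is missing; the previous list held only the networks and projects accounts, and nothing in this hunk says why a third identity now passes the perimeter. The `module "restricted_shared_vpc"` block starts before and ends after the hunk.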
@@ -49,6 +49,12 @@ variable "domain" { description = "The DNS name of peering managed zone, for instance 'example.com.'. Must end with a period." } +variable "enable_dedicated_interconnect" { + description = "Enable Dedicated Interconnect in the environment." + type = bool + default = false +} + variable "enable_partner_interconnect" { description = "Enable Partner Interconnect in the environment." type = bool diff --git a/3-networks-dual-svpc/modules/dedicated_interconnect/README.md b/3-networks-dual-svpc/modules/dedicated_interconnect/README.md index 98c42e430..632970051 100644 --- a/3-networks-dual-svpc/modules/dedicated_interconnect/README.md +++ b/3-networks-dual-svpc/modules/dedicated_interconnect/README.md @@ -8,7 +8,9 @@ This module implements the recommendation proposed in [Establishing 99.99% Avail ## Usage -1. Rename `interconnect.tf.example` to `interconnect.tf` in the environment folder in `3-networks-dual-svpc/envs/` +1. Rename `interconnect.tf.example` to `interconnect.tf` in the shared envs folder in `3-networks-dual-svpc/envs/shared` +1. Update the file `interconnect.tf` with values that are valid for your environment for the interconnects, locations, candidate subnetworks, vlan_tag8021q and peer info. +1. Rename `interconnect.tf.example` to `interconnect.tf` in base_env folder in `3-networks-dual-svpc/modules/base_env`. 1. Update the file `interconnect.tf` with values that are valid for your environment for the interconnects, locations, candidate subnetworks, vlan_tag8021q and peer info. 1. The candidate subnetworks and vlan_tag8021q variables can be set to `null` to allow the interconnect module to auto generate these values. diff --git a/3-networks-hub-and-spoke/README.md b/3-networks-hub-and-spoke/README.md index d9a7366c1..4261e7297 100644 --- a/3-networks-hub-and-spoke/README.md +++ b/3-networks-hub-and-spoke/README.md 
@@ -103,7 +103,8 @@ To see the version that makes use of the **Dual Shared VPC** architecture mode c If you provisioned the prerequisites listed in the [Dedicated Interconnect README](./modules/dedicated_interconnect/README.md), follow these steps to enable Dedicated Interconnect to access on-premises resources. -1. Rename `interconnect.tf.example` to `interconnect.tf` in base_env folder in `3-networks-hub-and-spoke/modules/base_env`. +1. Rename `interconnect.tf.example` to `interconnect.tf` in the shared envs folder in `3-networks-hub-and-spoke/envs/shared` +1. Rename `interconnect.auto.tfvars.example` to `interconnect.auto.tfvars` in the shared envs folder in `3-networks-hub-and-spoke/envs/shared` 1. Update the file `interconnect.tf` with values that are valid for your environment for the interconnects, locations, candidate subnetworks, vlan_tag8021q and peer info. 1. The candidate subnetworks and vlan_tag8021q variables can be set to `null` to allow the interconnect module to auto generate these values. diff --git a/3-networks-hub-and-spoke/envs/shared/README.md b/3-networks-hub-and-spoke/envs/shared/README.md index 242dea4ab..cf8a7bb90 100644 --- a/3-networks-hub-and-spoke/envs/shared/README.md +++ b/3-networks-hub-and-spoke/envs/shared/README.md 
@@ -25,9 +25,12 @@ The purpose of this step is to set up the global [DNS Hub](https://cloud.google. | custom\_restricted\_services | List of custom services to be protected by the VPC-SC perimeter. If empty, all supported services (https://cloud.google.com/vpc-service-controls/docs/supported-products) will be protected. | `list(string)` | `[]` | no | | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no | | domain | The DNS name of forwarding managed zone, for instance 'example.com'. Must end with a period. | `string` | n/a | yes | +| egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference), each list object has a `from` and `to` value that describes egress\_from and egress\_to.

Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no | +| enable\_dedicated\_interconnect | Enable Dedicated Interconnect in the environment. | `bool` | `false` | no | | enable\_hub\_and\_spoke\_transitivity | Enable transitivity via gateway VMs on Hub-and-Spoke architecture. | `bool` | `false` | no | | enable\_partner\_interconnect | Enable Partner Interconnect in the environment. | `bool` | `false` | no | | firewall\_policies\_enable\_logging | Toggle hierarchical firewall logging. | `bool` | `true` | no | +| ingress\_policies | A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference), each list object has a `from` and `to` value that describes ingress\_from and ingress\_to.

Example: `[{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no | | perimeter\_additional\_members | The list of additional members to be added to the perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`. | `list(string)` | n/a | yes | | preactivate\_partner\_interconnect | Preactivate Partner Interconnect VLAN attachment in the environment. | `bool` | `false` | no | | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes | diff --git a/3-networks-hub-and-spoke/envs/shared/interconnect.auto.tfvars.example b/3-networks-hub-and-spoke/envs/shared/interconnect.auto.tfvars.example index d7386135a..55de46319 100644 --- a/3-networks-hub-and-spoke/envs/shared/interconnect.auto.tfvars.example +++ b/3-networks-hub-and-spoke/envs/shared/interconnect.auto.tfvars.example @@ -1,4 +1,17 @@ +/** + * Copyright 2022 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ -enable_partner_interconnect = true -preactivate_partner_interconnect = true - +enable_dedicated_interconnect = true diff --git a/3-networks-hub-and-spoke/envs/shared/interconnect.tf.example b/3-networks-hub-and-spoke/envs/shared/interconnect.tf.example index 539974fa6..eb1c221d0 100644 --- a/3-networks-hub-and-spoke/envs/shared/interconnect.tf.example 
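Review bot: Replacing `enable_partner_interconnect = true` and `preactivate_partner_interconnect = true` with `enable_dedicated_interconnect = true` leaves this folder with no example tfvars for the Partner Interconnect path, and the only README step in this commit that points at `interconnect.auto.tfvars.example` sits under the Dedicated Interconnect section. If partner setup documentation elsewhere still references this file, keep both toggles here as commented lines, e.g. `# enable_partner_interconnect = true` and `# preactivate_partner_interconnect = true`, with a one-line comment saying that only one of the two interconnect types should be enabled, or add a separate partner example.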
+++ b/3-networks-hub-and-spoke/envs/shared/interconnect.tf.example @@ -18,19 +18,19 @@ module "dns_hub_interconnect" { source = "../../modules/dedicated_interconnect" vpc_name = "c-dns-hub" - interconnect_project_id = local.interconnect_project_id + interconnect_project_id = local.dns_hub_project_id region1 = local.default_region1 region1_router1_name = module.dns_hub_region1_router1.router.name region1_interconnect1_candidate_subnets = ["169.254.0.0/29"] region1_interconnect1_vlan_tag8021q = "3931" - region1_interconnect1 = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-1" + region1_interconnect1 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-1" region1_interconnect1_location = "las-zone1-770" region1_interconnect1_onprem_dc = "onprem-dc1" region1_router2_name = module.dns_hub_region1_router2.router.name region1_interconnect2_candidate_subnets = ["169.254.0.8/29"] region1_interconnect2_vlan_tag8021q = "3932" - region1_interconnect2 = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-2" + region1_interconnect2 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-2" region1_interconnect2_location = "las-zone1-770" region1_interconnect2_onprem_dc = "onprem-dc2" 
@@ -38,13 +38,13 @@ module "dns_hub_interconnect" { region2_router1_name = module.dns_hub_region2_router1.router.name region2_interconnect1_candidate_subnets = ["169.254.0.16/29"] region2_interconnect1_vlan_tag8021q = "3933" - region2_interconnect1 = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-3" + region2_interconnect1 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-3" region2_interconnect1_location = "lax-zone2-19" region2_interconnect1_onprem_dc = "onprem-dc3" region2_router2_name = module.dns_hub_region2_router2.router.name region2_interconnect2_candidate_subnets = ["169.254.0.24/29"] region2_interconnect2_vlan_tag8021q = "3934" - region2_interconnect2 = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-4" + region2_interconnect2 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-4" region2_interconnect2_location = "lax-zone1-403" region2_interconnect2_onprem_dc = "onprem-dc4" 
@@ -58,3 +58,102 @@ module "dns_hub_interconnect" { vlan_4 = "cr4" } } + +module "shared_restricted_interconnect" { + source = "../../modules/dedicated_interconnect" + + vpc_name = "c-shared-restricted" + interconnect_project_id = local.restricted_net_hub_project_id + + region1 = local.default_region1 + region1_router1_name = module.restricted_shared_vpc.region1_router1.router.name + region1_interconnect1_candidate_subnets = ["169.254.0.32/29"] + region1_interconnect1_vlan_tag8021q = "3921" + region1_interconnect1 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-1" + region1_interconnect1_location = "las-zone1-770" + region1_interconnect1_onprem_dc = "onprem-dc-1" + region1_router2_name = module.restricted_shared_vpc.region1_router2.router.name + region1_interconnect2_candidate_subnets = ["169.254.0.40/29"] + region1_interconnect2_vlan_tag8021q = "3922" + region1_interconnect2 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-2" + region1_interconnect2_location = "las-zone1-770" + region1_interconnect2_onprem_dc = "onprem-dc-2" + + region2 = local.default_region2 + region2_router1_name = module.restricted_shared_vpc.region2_router1.router.name + region2_interconnect1_candidate_subnets = ["169.254.0.48/29"] + region2_interconnect1_vlan_tag8021q = "3923" + region2_interconnect1 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-3" + region2_interconnect1_location = "lax-zone2-19" + region2_interconnect1_onprem_dc = "onprem-dc-3" + region2_router2_name = module.restricted_shared_vpc.region2_router2.router.name + region2_interconnect2_candidate_subnets = ["169.254.0.56/29"] + region2_interconnect2_vlan_tag8021q = "3924" + region2_interconnect2 = 
"https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-4" + region2_interconnect2_location = "lax-zone1-403" + region2_interconnect2_onprem_dc = "onprem-dc-4" + + peer_asn = "64515" + peer_name = "interconnect-peer" + + cloud_router_labels = { + vlan_1 = "cr5", + vlan_2 = "cr6", + vlan_3 = "cr7", + vlan_4 = "cr8" + } + + depends_on = [ + module.restricted_shared_vpc + ] +} + +module "shared_base_interconnect" { + source = "../../modules/dedicated_interconnect" + + vpc_name = "c-shared-base" + interconnect_project_id = local.base_net_hub_project_id + + region1 = local.default_region1 + region1_router1_name = module.base_shared_vpc.region1_router1.router.name + region1_interconnect1_candidate_subnets = ["169.254.0.64/29"] + region1_interconnect1_vlan_tag8021q = "3925" + region1_interconnect1 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-1" + region1_interconnect1_location = "las-zone1-770" + region1_interconnect1_onprem_dc = "onprem-dc-1" + region1_router2_name = module.base_shared_vpc.region1_router2.router.name + region1_interconnect2_candidate_subnets = ["169.254.0.72/29"] + region1_interconnect2_vlan_tag8021q = "3926" + region1_interconnect2 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-2" + region1_interconnect2_location = "las-zone1-770" + region1_interconnect2_onprem_dc = "onprem-dc-2" + + region2 = local.default_region2 + region2_router1_name = module.base_shared_vpc.region2_router1.router.name + region2_interconnect1_candidate_subnets = ["169.254.0.80/29"] + region2_interconnect1_vlan_tag8021q = "3927" + region2_interconnect1 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-3" + region2_interconnect1_location = "lax-zone2-19" + region2_interconnect1_onprem_dc = 
"onprem-dc-3" + region2_router2_name = module.base_shared_vpc.region2_router2.router.name + region2_interconnect2_candidate_subnets = ["169.254.0.88/29"] + region2_interconnect2_vlan_tag8021q = "3928" + region2_interconnect2 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-4" + region2_interconnect2_location = "lax-zone1-403" + region2_interconnect2_onprem_dc = "onprem-dc-4" + + + peer_asn = "64515" + peer_name = "interconnect-peer" + + cloud_router_labels = { + vlan_1 = "cr1", + vlan_2 = "cr2", + vlan_3 = "cr3", + vlan_4 = "cr4" + } + + depends_on = [ + module.base_shared_vpc + ] +} diff --git a/3-networks-hub-and-spoke/envs/shared/main.tf b/3-networks-hub-and-spoke/envs/shared/main.tf index 744b68df7..98062bef1 100644 --- a/3-networks-hub-and-spoke/envs/shared/main.tf +++ b/3-networks-hub-and-spoke/envs/shared/main.tf @@ -22,6 +22,7 @@ locals { default_region2 = "us-central1" dns_hub_project_id = data.terraform_remote_state.org.outputs.dns_hub_project_id interconnect_project_id = data.terraform_remote_state.org.outputs.interconnect_project_id + interconnect_project_number = data.terraform_remote_state.org.outputs.interconnect_project_number parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder org_id = data.terraform_remote_state.bootstrap.outputs.common_config.org_id billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account 
@@ -37,8 +38,26 @@ locals { base_net_hub_project_id = data.terraform_remote_state.org.outputs.base_net_hub_project_id restricted_net_hub_project_id = data.terraform_remote_state.org.outputs.restricted_net_hub_project_id restricted_net_hub_project_number = data.terraform_remote_state.org.outputs.restricted_net_hub_project_number + organization_service_account = data.terraform_remote_state.bootstrap.outputs.organization_step_terraform_service_account_email networks_service_account = data.terraform_remote_state.bootstrap.outputs.networks_step_terraform_service_account_email projects_service_account = data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email + + dedicated_interconnect_egress_policy = var.enable_dedicated_interconnect ? [ + { + "from" = { + "identity_type" = "" + "identities" = ["serviceAccount:${local.networks_service_account}"] + }, + "to" = { + "resources" = ["projects/${local.interconnect_project_number}"] + "operations" = { + "compute.googleapis.com" = { + "methods" = ["*"] + } + } + } + }, + ] : [] } data "terraform_remote_state" "bootstrap" { diff --git a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf index 74e06e353..a30484707 100644 --- a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf +++ b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf 
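Review bot: The generated egress rule's `"methods" = ["*"]` lets the networks step service account call every compute.googleapis.com method against the Interconnect project, which is broader than managing VLAN attachments plausibly needs; since VPC Service Controls supports method-level restrictions (the `egress_policies` description added in this same commit links to them), the list should be narrowed to the methods the dedicated_interconnect module actually calls. `"identity_type" = ""` also disagrees with the documented valid values `null` or `IDENTITY_TYPE_UNSPECIFIED` in that description; whether the perimeter module accepts an empty string cannot be seen here, so it should be confirmed or changed to `null`. A comment above the local, e.g. `# Egress rule letting the networks step SA manage resources in the Interconnect project from inside the restricted perimeter; only emitted when dedicated interconnect is enabled`, would record why the perimeter is being opened. The `locals` block starts before this hunk.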
@@ -220,21 +220,25 @@ module "restricted_shared_vpc" { private_service_connect_ip = "10.10.0.5" access_context_manager_policy_id = var.access_context_manager_policy_id restricted_services = local.restricted_services - members = distinct(concat(["serviceAccount:${local.networks_service_account}", "serviceAccount:${local.projects_service_account}"], var.perimeter_additional_members)) - org_id = local.org_id - bgp_asn_subnet = local.bgp_asn_number - default_region1 = local.default_region1 - default_region2 = local.default_region2 - domain = var.domain - dns_enable_inbound_forwarding = var.restricted_hub_dns_enable_inbound_forwarding - dns_enable_logging = var.restricted_hub_dns_enable_logging - firewall_enable_logging = var.restricted_hub_firewall_enable_logging - nat_enabled = var.restricted_hub_nat_enabled - nat_bgp_asn = var.restricted_hub_nat_bgp_asn - nat_num_addresses_region1 = var.restricted_hub_nat_num_addresses_region1 - nat_num_addresses_region2 = var.restricted_hub_nat_num_addresses_region2 - windows_activation_enabled = var.restricted_hub_windows_activation_enabled - mode = "hub" + members = distinct(concat([ + "serviceAccount:${local.networks_service_account}", + "serviceAccount:${local.projects_service_account}", + "serviceAccount:${local.organization_service_account}", + ], var.perimeter_additional_members)) + org_id = local.org_id + bgp_asn_subnet = local.bgp_asn_number + default_region1 = local.default_region1 + default_region2 = local.default_region2 + domain = var.domain + dns_enable_inbound_forwarding = var.restricted_hub_dns_enable_inbound_forwarding + dns_enable_logging = var.restricted_hub_dns_enable_logging + firewall_enable_logging = var.restricted_hub_firewall_enable_logging + nat_enabled = var.restricted_hub_nat_enabled + nat_bgp_asn = var.restricted_hub_nat_bgp_asn + nat_num_addresses_region1 = var.restricted_hub_nat_num_addresses_region1 + nat_num_addresses_region2 = var.restricted_hub_nat_num_addresses_region2 + windows_activation_enabled 
= var.restricted_hub_windows_activation_enabled + mode = "hub" subnets = [ { @@ -256,5 +260,12 @@ module "restricted_shared_vpc" { ] secondary_ranges = {} + egress_policies = distinct(concat( + local.dedicated_interconnect_egress_policy, + var.egress_policies + )) + + ingress_policies = var.ingress_policies + depends_on = [module.dns_hub_vpc] } diff --git a/3-networks-hub-and-spoke/envs/shared/partner_interconnect.auto.tfvars.example b/3-networks-hub-and-spoke/envs/shared/partner_interconnect.auto.tfvars.example new file mode 100644 index 000000000..c773306f9 --- /dev/null +++ b/3-networks-hub-and-spoke/envs/shared/partner_interconnect.auto.tfvars.example @@ -0,0 +1,19 @@ +/** + * Copyright 2022 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +enable_partner_interconnect = true +preactivate_partner_interconnect = true + diff --git a/3-networks-hub-and-spoke/envs/shared/variables.tf b/3-networks-hub-and-spoke/envs/shared/variables.tf index d8c346190..52e105c99 100644 --- a/3-networks-hub-and-spoke/envs/shared/variables.tf +++ b/3-networks-hub-and-spoke/envs/shared/variables.tf @@ -159,6 +159,12 @@ variable "firewall_policies_enable_logging" { default = true } +variable "enable_dedicated_interconnect" { + description = "Enable Dedicated Interconnect in the environment." + type = bool + default = false +} + variable "enable_partner_interconnect" { description = "Enable Partner Interconnect in the environment." type = bool 
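Review bot: Adding `"serviceAccount:${local.organization_service_account}"` to `members` widens the restricted perimeter's access level to the organization-step service account, and nothing in the commit records why that identity now needs to reach resources inside the perimeter. Because that service account is a high-privilege stage identity, its perimeter membership is a meaningful change in who can cross the boundary and deserves an inline justification, e.g. `# org-step SA is a perimeter member because the 1-org stage manages resources in the restricted hub — TODO confirm which operation requires this`. The remaining lines of the hunk are only re-alignment of existing arguments, and the `restricted_shared_vpc` module block starts and ends outside the hunk.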
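Review bot: The description of `enable_dedicated_interconnect` does not say what the flag controls: in this commit it only gates `local.dedicated_interconnect_egress_policy` in main.tf, while the interconnect modules themselves come from renaming `interconnect.tf.example`, so the two can be toggled independently. As far as is visible here, renaming the file without setting the flag leaves the networks service account without the VPC-SC egress rule, and setting the flag without the file creates an egress rule nothing uses. Suggest `description = "Enable Dedicated Interconnect in the environment. Must be true whenever interconnect.tf is in use; it adds the VPC Service Controls egress rule that lets the networks step service account reach the Interconnect project."`.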
@@ -182,3 +188,21 @@ variable "custom_restricted_services" { type = list(string) default = [] } + +variable "egress_policies" { + description = "A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference), each list object has a `from` and `to` value that describes egress_from and egress_to.\n\nExample: `[{ from={ identities=[], identity_type=\"ID_TYPE\" }, to={ resources=[], operations={ \"SRV_NAME\"={ OP_TYPE=[] }}}}]`\n\nValid Values:\n`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`\n`SRV_NAME` = \"`*`\" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)\n`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions)" + type = list(object({ + from = any + to = any + })) + default = [] +} + +variable "ingress_policies" { + description = "A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference), each list object has a `from` and `to` value that describes ingress_from and ingress_to.\n\nExample: `[{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type=\"ID_TYPE\" }, to={ resources=[], operations={ \"SRV_NAME\"={ OP_TYPE=[] }}}}]`\n\nValid Values:\n`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`\n`SRV_NAME` = \"`*`\" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)\n`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or 
[permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions)" + type = list(object({ + from = any + to = any + })) + default = [] +} diff --git a/3-networks-hub-and-spoke/modules/base_env/interconnect.tf.example b/3-networks-hub-and-spoke/modules/base_env/interconnect.tf.example deleted file mode 100644 index d7f68c596..000000000 --- a/3-networks-hub-and-spoke/modules/base_env/interconnect.tf.example +++ /dev/null 
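Review bot: Both new descriptions misspell `identities` as `indentities` in `(only allow indentities from list)`; this text is rendered into the generated README variables table, so the typo is user-visible and should read `(only allow identities from list)`. Typing `from` and `to` as `any` also means Terraform validates nothing about a rule's shape, so a malformed ingress or egress rule is only rejected at apply time by the perimeter module; if the expected structure is stable, a typed object would surface mistakes at plan time, though `any` may be deliberate to keep the variable flexible.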
@@ -1,114 +0,0 @@ -/** - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -module "shared_restricted_interconnect" { - source = "../dedicated_interconnect" - - vpc_name = "${var.environment_code}-shared-restricted" - interconnect_project_id = local.interconnect_project_id - - region1 = var.default_region1 - region1_router1_name = module.restricted_shared_vpc.region1_router1.router.name - region1_interconnect1_candidate_subnets = ["169.254.0.160/29"] - region1_interconnect1_vlan_tag8021q = "3901" - region1_interconnect1 = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-1" - region1_interconnect1_location = "las-zone1-770" - region1_interconnect1_onprem_dc = "onprem-dc1" - region1_router2_name = module.restricted_shared_vpc.region1_router2.router.name - region1_interconnect2_candidate_subnets = ["169.254.0.168/29"] - region1_interconnect2_vlan_tag8021q = "3902" - region1_interconnect2 = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-2" - region1_interconnect2_location = "las-zone1-770" - region1_interconnect2_onprem_dc = "onprem-dc2" - - region2 = var.default_region2 - region2_router1_name = module.restricted_shared_vpc.region2_router1.router.name - region2_interconnect1_candidate_subnets = ["169.254.0.176/29"] - region2_interconnect1_vlan_tag8021q = "3903" - region2_interconnect1 = 
"https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-3" - region2_interconnect1_location = "lax-zone2-19" - region2_interconnect1_onprem_dc = "onprem-dc3" - region2_router2_name = module.restricted_shared_vpc.region2_router2.router.name - region2_interconnect2_candidate_subnets = ["169.254.0.184/29"] - region2_interconnect2_vlan_tag8021q = "3904" - region2_interconnect2 = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-4" - region2_interconnect2_location = "lax-zone1-403" - region2_interconnect2_onprem_dc = "onprem-dc4" - - peer_asn = "64515" - peer_name = "interconnect-peer" - - cloud_router_labels = { - vlan_1 = "cr5", - vlan_2 = "cr6", - vlan_3 = "cr7", - vlan_4 = "cr8" - } - - depends_on = [ - module.restricted_shared_vpc - ] -} - -module "shared_base_interconnect" { - source = "../dedicated_interconnect" - - vpc_name = "${var.environment_code}-shared-base" - interconnect_project_id = local.interconnect_project_id - - region1 = var.default_region1 - region1_router1_name = module.base_shared_vpc.region1_router1.router.name - region1_interconnect1_candidate_subnets = ["169.254.0.192/29"] - region1_interconnect1_vlan_tag8021q = "3905" - region1_interconnect1 = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-1" - region1_interconnect1_location = "las-zone1-770" - region1_interconnect1_onprem_dc = "onprem-dc1" - region1_router2_name = module.base_shared_vpc.region1_router2.router.name - region1_interconnect2_candidate_subnets = ["169.254.0.200/29"] - region1_interconnect2_vlan_tag8021q = "3906" - region1_interconnect2 = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-2" - region1_interconnect2_location = "las-zone1-770" - region1_interconnect2_onprem_dc = "onprem-dc2" - - region2 = 
var.default_region2 - region2_router1_name = module.base_shared_vpc.region2_router1.router.name - region2_interconnect1_candidate_subnets = ["169.254.0.208/29"] - region2_interconnect1_vlan_tag8021q = "3907" - region2_interconnect1 = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-3" - region2_interconnect1_location = "lax-zone2-19" - region2_interconnect1_onprem_dc = "onprem-dc3" - region2_router2_name = module.base_shared_vpc.region2_router2.router.name - region2_interconnect2_candidate_subnets = ["169.254.0.216/29"] - region2_interconnect2_vlan_tag8021q = "3908" - region2_interconnect2 = "https://www.googleapis.com/compute/v1/projects/example-interconnect-project/global/interconnects/example-interconnect-4" - region2_interconnect2_location = "lax-zone1-403" - region2_interconnect2_onprem_dc = "onprem-dc4" - - - peer_asn = "64515" - peer_name = "interconnect-peer" - - cloud_router_labels = { - vlan_1 = "cr1", - vlan_2 = "cr2", - vlan_3 = "cr3", - vlan_4 = "cr4" - } - - depends_on = [ - module.base_shared_vpc - ] -} diff --git a/3-networks-hub-and-spoke/modules/dedicated_interconnect/README.md b/3-networks-hub-and-spoke/modules/dedicated_interconnect/README.md index 87db5cced..70c61e3b1 100644 --- a/3-networks-hub-and-spoke/modules/dedicated_interconnect/README.md +++ b/3-networks-hub-and-spoke/modules/dedicated_interconnect/README.md 
@@ -8,7 +8,8 @@ This module implements the recommendation proposed in [Establishing 99.99% Avail ## Usage -1. Rename `interconnect.tf.example` to `interconnect.tf` in the environment folder in `3-networks-hub-and-spoke/envs/` +1. Rename `interconnect.tf.example` to `interconnect.tf` in the shared envs folder in `3-networks-hub-and-spoke/envs/shared` +1. Rename `interconnect.auto.tfvars.example` to `interconnect.auto.tfvars` in the shared envs folder in `3-networks-hub-and-spoke/envs/shared` 1. Update the file `interconnect.tf` with values that are valid for your environment for the interconnects, locations, candidate subnetworks, vlan_tag8021q and peer info. 1. The candidate subnetworks and vlan_tag8021q variables can be set to `null` to allow the interconnect module to auto generate these values.