feat: Refactor/centralized network variable (#665)

* Add base env module * change the module to call the base env * fix the daniel reviews * add description to the variable * Remove others variable and hard code the value * fix the docs remove the params * hardcode the preactivate_partner_interconnectvariable * Fix the readme with the new source of files * Update 3-networks/README.md Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com> * Update 3-networks/README.md Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com> * Update 3-networks/README.md Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com> * accept some reviews * remove the enable_partner_interconnectvariable * fix the lint * fix the test * put the enable partner interconnect variable in the env module * hardcode the value of enable_partnet_interconnection Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com>
terraform-google-modules · Apr 4, 2022 · cdb97bf · cdb97bf
1 parent 3f61dba
commit cdb97bf
Show file tree

Hide file tree

Showing 35 changed files with 612 additions and 1,408 deletions.
diff --git a/3-networks/README.md b/3-networks/README.md
@@ -86,23 +86,23 @@ You need to set variables `enable_hub_and_spoke` and `enable_hub_and_spoke_trans
 
 If you provisioned the prerequisites listed in the [Dedicated Interconnect README](./modules/dedicated_interconnect/README.md), follow these steps to enable Dedicated Interconnect to access on-premises resources.
 
-1. Rename `interconnect.tf.example` to `interconnect.tf` in each environment folder in `3-networks/envs/<ENV>`.
+1. Rename `interconnect.tf.example` to `interconnect.tf` in base_env folder in `3-networks/modules/base_env`.
 1. Update the file `interconnect.tf` with values that are valid for your environment for the interconnects, locations, candidate subnetworks, vlan_tag8021q and peer info.
 1. The candidate subnetworks and vlan_tag8021q variables can be set to `null` to allow the interconnect module to auto generate these values.
 
 ### Using Partner Interconnect
 
 If you provisioned the prerequisites listed in the [Partner Interconnect README](./modules/partner_interconnect/README.md) follow this steps to enable Partner Interconnect to access on-premises resources.
 
-1. Rename `partner_interconnect.tf.example` to `partner_interconnect.tf` and `interconnect.auto.tfvars.example` to `interconnect.auto.tfvars` in the environment folder in `3-networks/envs/<environment>` .
+1. Rename `partner_interconnect.tf.example` to `partner_interconnect.tf` in the base-env folder in `3-networks/modules/base_env` .
 1. Update the file `partner_interconnect.tf` with values that are valid for your environment for the VLAN attachments, locations, and candidate subnetworks.
 1. The candidate subnetworks variable can be set to `null` to allow the interconnect module to auto generate this value.
 
 ### OPTIONAL - Using High Availability VPN
 
 If you are not able to use Dedicated or Partner Interconnect, you can also use an HA Cloud VPN to access on-premises resources.
 
-1. Rename `vpn.tf.example` to `vpn.tf` in each environment folder in `3-networks/envs/<ENV>`.
+1. Rename `vpn.tf.example` to `vpn.tf` in base-env folder in `3-networks/modules/base_env`.
 1. Create secret for VPN private preshared key.
    ```
    echo '<YOUR-PRESHARED-KEY-SECRET>' | gcloud secrets create <VPN_PRIVATE_PSK_SECRET_NAME> --project <ENV_SECRETS_PROJECT> --replication-policy=automatic --data-file=-

diff --git a/3-networks/common.auto.example.tfvars b/3-networks/common.auto.example.tfvars
@@ -18,10 +18,6 @@ org_id = "000000000000"
 
 terraform_service_account = "org-terraform@prj-b-seed-2334.iam.gserviceaccount.com"
 
-default_region1 = "us-central1"
-
-default_region2 = "us-west1"
-
 // The DNS name of peering managed zone. Must end with a period.
 domain = "example.com."
 

diff --git a/3-networks/envs/development/README.md b/3-networks/envs/development/README.md
@@ -16,27 +16,13 @@ The purpose of this step is to set up base and restricted shared VPCs with defau
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | access\_context\_manager\_policy\_id | The id of the default Access Context Manager policy created in step `1-org`. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `number` | n/a | yes |
-| default\_region1 | First subnet region. The shared vpc modules only configures two regions. | `string` | n/a | yes |
-| default\_region2 | Second subnet region. The shared vpc modules only configures two regions. | `string` | n/a | yes |
-| dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for VPC DNS. | `bool` | `true` | no |
-| dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no |
 | domain | The DNS name of peering managed zone, for instance 'example.com.'. Must end with a period. | `string` | n/a | yes |
 | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
 | enable\_hub\_and\_spoke\_transitivity | Enable transitivity via gateway VMs on Hub-and-Spoke architecture. | `bool` | `false` | no |
-| enable\_partner\_interconnect | Enable Partner Interconnect in the environment. | `bool` | `false` | no |
-| firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no |
 | folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no |
-| nat\_bgp\_asn | BGP ASN for first NAT cloud routes. | `number` | `64514` | no |
-| nat\_enabled | Toggle creation of NAT cloud router. | `bool` | `false` | no |
-| nat\_num\_addresses | Number of external IPs to reserve for Cloud NAT. | `number` | `2` | no |
-| nat\_num\_addresses\_region1 | Number of external IPs to reserve for first Cloud NAT. | `number` | `2` | no |
-| nat\_num\_addresses\_region2 | Number of external IPs to reserve for second Cloud NAT. | `number` | `2` | no |
 | org\_id | Organization ID | `string` | n/a | yes |
 | parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no |
-| preactivate\_partner\_interconnect | Preactivate Partner Interconnect VLAN attachment in the environment. | `bool` | `false` | no |
-| subnetworks\_enable\_logging | Toggle subnetworks flow logging for VPC Subnetworks. | `bool` | `true` | no |
 | terraform\_service\_account | Service account email of the account to impersonate to run Terraform. | `string` | n/a | yes |
-| windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no |
 
 ## Outputs
 

diff --git a/3-networks/envs/development/interconnect.auto.tfvars.example b/3-networks/envs/development/interconnect.auto.tfvars.example
diff --git a/3-networks/envs/development/main.tf b/3-networks/envs/development/main.tf
@@ -15,184 +15,72 @@
  */
 
 locals {
-  environment_code          = "d"
-  env                       = "development"
-  restricted_project_id     = data.google_projects.restricted_host_project.projects[0].project_id
-  restricted_project_number = data.google_project.restricted_host_project.number
-  base_project_id           = data.google_projects.base_host_project.projects[0].project_id
-  parent_id                 = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}"
-  mode                      = var.enable_hub_and_spoke ? "spoke" : null
-  bgp_asn_number            = var.enable_partner_interconnect ? "16550" : "64514"
-  enable_transitivity       = var.enable_hub_and_spoke && var.enable_hub_and_spoke_transitivity
+  env              = "development"
+  environment_code = substr(local.env, 0, 1)
+  default_region1  = "us-west1"
+  default_region2  = "us-central1"
   /*
    * Base network ranges
    */
-  base_subnet_aggregates    = ["10.0.0.0/16", "10.1.0.0/16", "100.64.0.0/16", "100.65.0.0/16"]
-  base_hub_subnet_ranges    = ["10.0.0.0/24", "10.1.0.0/24"]
   base_private_service_cidr = "10.16.64.0/21"
   base_subnet_primary_ranges = {
-    (var.default_region1) = "10.0.64.0/21"
-    (var.default_region2) = "10.1.64.0/21"
+    (local.default_region1) = "10.0.64.0/21"
+    (local.default_region2) = "10.1.64.0/21"
   }
   base_subnet_secondary_ranges = {
-    (var.default_region1) = [
+    (local.default_region1) = [
       {
-        range_name    = "rn-${local.environment_code}-shared-base-${var.default_region1}-gke-pod"
+        range_name    = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-pod"
         ip_cidr_range = "100.64.64.0/21"
       },
       {
-        range_name    = "rn-${local.environment_code}-shared-base-${var.default_region1}-gke-svc"
+        range_name    = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-svc"
         ip_cidr_range = "100.64.72.0/21"
       }
     ]
   }
   /*
    * Restricted network ranges
    */
-  restricted_subnet_aggregates    = ["10.8.0.0/16", "10.9.0.0/16", "100.72.0.0/16", "100.73.0.0/16"]
-  restricted_hub_subnet_ranges    = ["10.8.0.0/24", "10.9.0.0/24"]
   restricted_private_service_cidr = "10.24.64.0/21"
   restricted_subnet_primary_ranges = {
-    (var.default_region1) = "10.8.64.0/21"
-    (var.default_region2) = "10.9.64.0/21"
+    (local.default_region1) = "10.8.64.0/21"
+    (local.default_region2) = "10.9.64.0/21"
   }
   restricted_subnet_secondary_ranges = {
-    (var.default_region1) = [
+    (local.default_region1) = [
       {
-        range_name    = "rn-${local.environment_code}-shared-restricted-${var.default_region1}-gke-pod"
+        range_name    = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-pod"
         ip_cidr_range = "100.72.64.0/21"
       },
       {
-        range_name    = "rn-${local.environment_code}-shared-restricted-${var.default_region1}-gke-svc"
+        range_name    = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-svc"
         ip_cidr_range = "100.72.72.0/21"
       }
     ]
   }
 }
 
-data "google_active_folder" "env" {
-  display_name = "${var.folder_prefix}-${local.env}"
-  parent       = local.parent_id
-}
-
-/******************************************
-  VPC Host Projects
-*****************************************/
-
-data "google_projects" "restricted_host_project" {
-  filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=restricted-shared-vpc-host labels.environment=${local.env} lifecycleState=ACTIVE"
-}
-
-data "google_project" "restricted_host_project" {
-  project_id = data.google_projects.restricted_host_project.projects[0].project_id
-}
-
-data "google_projects" "base_host_project" {
-  filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=base-shared-vpc-host labels.environment=${local.env} lifecycleState=ACTIVE"
-}
-
-/******************************************
- Restricted shared VPC
-*****************************************/
-module "restricted_shared_vpc" {
-  source                           = "../../modules/restricted_shared_vpc"
-  project_id                       = local.restricted_project_id
-  project_number                   = local.restricted_project_number
-  environment_code                 = local.environment_code
-  access_context_manager_policy_id = var.access_context_manager_policy_id
-  restricted_services              = ["bigquery.googleapis.com", "storage.googleapis.com"]
-  members                          = ["serviceAccount:${var.terraform_service_account}"]
-  private_service_cidr             = local.restricted_private_service_cidr
-  org_id                           = var.org_id
-  parent_folder                    = var.parent_folder
-  bgp_asn_subnet                   = local.bgp_asn_number
-  default_region1                  = var.default_region1
-  default_region2                  = var.default_region2
-  domain                           = var.domain
-  dns_enable_inbound_forwarding    = var.dns_enable_inbound_forwarding
-  dns_enable_logging               = var.dns_enable_logging
-  firewall_enable_logging          = var.firewall_enable_logging
-  windows_activation_enabled       = var.windows_activation_enabled
-  nat_enabled                      = var.nat_enabled
-  nat_bgp_asn                      = var.nat_bgp_asn
-  nat_num_addresses_region1        = var.nat_num_addresses_region1
-  nat_num_addresses_region2        = var.nat_num_addresses_region2
-  folder_prefix                    = var.folder_prefix
-  mode                             = local.mode
+module "base_env" {
+  source = "../../modules/base_env"
 
-  subnets = [
-    {
-      subnet_name           = "sb-${local.environment_code}-shared-restricted-${var.default_region1}"
-      subnet_ip             = local.restricted_subnet_primary_ranges[var.default_region1]
-      subnet_region         = var.default_region1
-      subnet_private_access = "true"
-      subnet_flow_logs      = var.subnetworks_enable_logging
-      description           = "First ${local.env} subnet example."
-    },
-    {
-      subnet_name           = "sb-${local.environment_code}-shared-restricted-${var.default_region2}"
-      subnet_ip             = local.restricted_subnet_primary_ranges[var.default_region2]
-      subnet_region         = var.default_region2
-      subnet_private_access = "true"
-      subnet_flow_logs      = var.subnetworks_enable_logging
-      description           = "Second ${local.env} subnet example."
-    }
-  ]
-  secondary_ranges = {
-    "sb-${local.environment_code}-shared-restricted-${var.default_region1}" = local.restricted_subnet_secondary_ranges[var.default_region1]
-  }
-  allow_all_ingress_ranges = local.enable_transitivity ? local.restricted_hub_subnet_ranges : null
-  allow_all_egress_ranges  = local.enable_transitivity ? local.restricted_subnet_aggregates : null
-}
+  env                                = local.env
+  environment_code                   = local.environment_code
+  org_id                             = var.org_id
+  access_context_manager_policy_id   = var.access_context_manager_policy_id
+  terraform_service_account          = var.terraform_service_account
+  default_region1                    = local.default_region1
+  default_region2                    = local.default_region2
+  domain                             = var.domain
+  parent_folder                      = var.parent_folder
+  enable_hub_and_spoke               = var.enable_hub_and_spoke
+  enable_partner_interconnect        = false
+  enable_hub_and_spoke_transitivity  = var.enable_hub_and_spoke_transitivity
+  base_private_service_cidr          = local.base_private_service_cidr
+  base_subnet_primary_ranges         = local.base_subnet_primary_ranges
+  base_subnet_secondary_ranges       = local.base_subnet_secondary_ranges
+  restricted_private_service_cidr    = local.restricted_private_service_cidr
+  restricted_subnet_primary_ranges   = local.restricted_subnet_primary_ranges
+  restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges
 
-/******************************************
- Base shared VPC
-*****************************************/
-
-module "base_shared_vpc" {
-  source                        = "../../modules/base_shared_vpc"
-  project_id                    = local.base_project_id
-  environment_code              = local.environment_code
-  private_service_cidr          = local.base_private_service_cidr
-  org_id                        = var.org_id
-  parent_folder                 = var.parent_folder
-  default_region1               = var.default_region1
-  default_region2               = var.default_region2
-  domain                        = var.domain
-  bgp_asn_subnet                = local.bgp_asn_number
-  dns_enable_inbound_forwarding = var.dns_enable_inbound_forwarding
-  dns_enable_logging            = var.dns_enable_logging
-  firewall_enable_logging       = var.firewall_enable_logging
-  windows_activation_enabled    = var.windows_activation_enabled
-  nat_enabled                   = var.nat_enabled
-  nat_bgp_asn                   = var.nat_bgp_asn
-  nat_num_addresses_region1     = var.nat_num_addresses_region1
-  nat_num_addresses_region2     = var.nat_num_addresses_region2
-  nat_num_addresses             = var.nat_num_addresses
-  folder_prefix                 = var.folder_prefix
-  mode                          = local.mode
-
-  subnets = [
-    {
-      subnet_name           = "sb-${local.environment_code}-shared-base-${var.default_region1}"
-      subnet_ip             = local.base_subnet_primary_ranges[var.default_region1]
-      subnet_region         = var.default_region1
-      subnet_private_access = "true"
-      subnet_flow_logs      = var.subnetworks_enable_logging
-      description           = "First ${local.env} subnet example."
-    },
-    {
-      subnet_name           = "sb-${local.environment_code}-shared-base-${var.default_region2}"
-      subnet_ip             = local.base_subnet_primary_ranges[var.default_region2]
-      subnet_region         = var.default_region2
-      subnet_private_access = "true"
-      subnet_flow_logs      = var.subnetworks_enable_logging
-      description           = "Second ${local.env} subnet example."
-    }
-  ]
-  secondary_ranges = {
-    "sb-${local.environment_code}-shared-base-${var.default_region1}" = local.base_subnet_secondary_ranges[var.default_region1]
-  }
-  allow_all_ingress_ranges = local.enable_transitivity ? local.base_hub_subnet_ranges : null
-  allow_all_egress_ranges  = local.enable_transitivity ? local.base_subnet_aggregates : null
 }
diff --git a/3-networks/envs/development/outputs.tf b/3-networks/envs/development/outputs.tf
@@ -19,47 +19,47 @@
 *********************/
 
 output "restricted_host_project_id" {
-  value       = local.restricted_project_id
+  value       = module.base_env.restricted_host_project_id
   description = "The restricted host project ID"
 }
 
 output "restricted_network_name" {
-  value       = module.restricted_shared_vpc.network_name
+  value       = module.base_env.restricted_network_name
   description = "The name of the VPC being created"
 }
 
 output "restricted_network_self_link" {
-  value       = module.restricted_shared_vpc.network_self_link
+  value       = module.base_env.restricted_network_self_link
   description = "The URI of the VPC being created"
 }
 
 output "restricted_subnets_names" {
-  value       = module.restricted_shared_vpc.subnets_names
+  value       = module.base_env.restricted_subnets_names
   description = "The names of the subnets being created"
 }
 
 output "restricted_subnets_ips" {
-  value       = module.restricted_shared_vpc.subnets_ips
+  value       = module.base_env.restricted_subnets_ips
   description = "The IPs and CIDRs of the subnets being created"
 }
 
 output "restricted_subnets_self_links" {
-  value       = module.restricted_shared_vpc.subnets_self_links
+  value       = module.base_env.restricted_subnets_self_links
   description = "The self-links of subnets being created"
 }
 
 output "restricted_subnets_secondary_ranges" {
-  value       = module.restricted_shared_vpc.subnets_secondary_ranges
+  value       = module.base_env.restricted_subnets_secondary_ranges
   description = "The secondary ranges associated with these subnets"
 }
 
 output "restricted_access_level_name" {
-  value       = module.restricted_shared_vpc.access_level_name
+  value       = module.base_env.restricted_access_level_name
   description = "Access context manager access level name"
 }
 
 output "restricted_service_perimeter_name" {
-  value       = module.restricted_shared_vpc.service_perimeter_name
+  value       = module.base_env.restricted_service_perimeter_name
   description = "Access context manager service perimeter name"
 }
 
@@ -68,36 +68,36 @@ output "restricted_service_perimeter_name" {
 *****************************************/
 
 output "base_host_project_id" {
-  value       = local.base_project_id
+  value       = module.base_env.base_host_project_id
   description = "The base host project ID"
 }
 
 output "base_network_name" {
-  value       = module.base_shared_vpc.network_name
+  value       = module.base_env.base_network_name
   description = "The name of the VPC being created"
 }
 
 output "base_network_self_link" {
-  value       = module.base_shared_vpc.network_self_link
+  value       = module.base_env.base_network_self_link
   description = "The URI of the VPC being created"
 }
 
 output "base_subnets_names" {
-  value       = module.base_shared_vpc.subnets_names
+  value       = module.base_env.base_subnets_names
   description = "The names of the subnets being created"
 }
 
 output "base_subnets_ips" {
-  value       = module.base_shared_vpc.subnets_ips
+  value       = module.base_env.base_subnets_ips
   description = "The IPs and CIDRs of the subnets being created"
 }
 
 output "base_subnets_self_links" {
-  value       = module.base_shared_vpc.subnets_self_links
+  value       = module.base_env.base_subnets_self_links
   description = "The self-links of subnets being created"
 }
 
 output "base_subnets_secondary_ranges" {
-  value       = module.base_shared_vpc.subnets_secondary_ranges
+  value       = module.base_env.base_subnets_secondary_ranges
   description = "The secondary ranges associated with these subnets"
 }