From 712c46b1cbb927991fca9c5d43cca202a5ac34bb Mon Sep 17 00:00:00 2001
From: Amanda Karina Lopes de Oliveira
Date: Fri, 18 Sep 2020 14:19:00 -0300
Subject: [PATCH 01/16] Initial code for peering example
---
 .../development/example_peering_project.tf | 58 +++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 4-projects/business_unit_1/development/example_peering_project.tf
diff --git a/4-projects/business_unit_1/development/example_peering_project.tf b/4-projects/business_unit_1/development/example_peering_project.tf
new file mode 100644
index 000000000..770d20573
--- /dev/null
+++ b/4-projects/business_unit_1/development/example_peering_project.tf
@@ -0,0 +1,58 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ vpc_name = "d-peering-base"
+ network_name = "vpc-${local.vpc_name}"
+}
+
+module "peering_project" {
+ source = "../../modules/single_project"
+ impersonate_service_account = var.terraform_service_account
+ org_id = var.org_id
+ billing_account = var.billing_account
+ folder_id = data.google_active_folder.env.name
+ skip_gcloud_download = var.skip_gcloud_download
+ environment = "development"
+
+ # Metadata
+ project_prefix = "sample-peering"
+ application_name = "bu1-sample-peering"
+ billing_code = "1234"
+ primary_contact = "example@example.com"
+ secondary_contact = "example2@example.com"
+ business_code = "bu1"
+}
+
+module "peering_network" {
+ source = "terraform-google-modules/network/google"
+ version = "~> 2.0"
+ project_id = module.peering_project.project_id
+ network_name = local.network_name
+ shared_vpc_host = "false"
+ delete_default_internet_gateway_routes = "true"
+
+ subnets = var.subnets
+}
+
+module "peering_network" {
+ source = "terraform-google-modules/network/google"
+ version = "~> 2.0"
+ project_id = module.peering_project.project_id
+ network_name = local.network_name
+ shared_vpc_host = "false"
+ delete_default_internet_gateway_routes = "true"
+}
\ No newline at end of file
From da372ef1734ca2f56c8a8d612b29971c787c2fc8 Mon Sep 17 00:00:00 2001
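Review bot: `module "peering_network"` is declared twice in the new file — the second copy at the bottom repeats the first with only `subnets` omitted — and Terraform refuses duplicate module calls at init, so the file cannot be planned as committed; delete the second block. While touching it, `shared_vpc_host = "false"` and `delete_default_internet_gateway_routes = "true"` are quoted strings for arguments the network module declares as booleans; `shared_vpc_host = false` and `delete_default_internet_gateway_routes = true` state the intent without relying on string-to-bool conversion.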
From: Amanda Karina Lopes de Oliveira Date: Fri, 18 Sep 2020 15:12:15 -0300 Subject: [PATCH 02/16] Adds initial code for peering --- .../development/example_peering_project.tf | 29 +++++--- .../development/example_peering_project.tf | 67 +++++++++++++++++++ 2 files changed, 86 insertions(+), 10 deletions(-) create mode 100644 4-projects/business_unit_2/development/example_peering_project.tf diff --git a/4-projects/business_unit_1/development/example_peering_project.tf b/4-projects/business_unit_1/development/example_peering_project.tf index 770d20573..47d3d0b94 100644 --- a/4-projects/business_unit_1/development/example_peering_project.tf +++ b/4-projects/business_unit_1/development/example_peering_project.tf @@ -14,6 +14,18 @@ * limitations under the License. */ + data "google_projects" "projects" { + count = var.vpc_type == "" ? 0 : 1 + filter = "parent.id:${split("/", var.folder_id)[1]} labels.application_name=${var.vpc_type}-shared-vpc-host labels.environment=${var.environment} lifecycleState=ACTIVE" +} + +data "google_compute_network" "shared_vpc" { + count = var.vpc_type == "" ? 0 : 1 + name = "vpc-${local.env_code}-shared-${var.vpc_type}" + project = data.google_projects.projects[0].projects[0].project_id +} + + locals { vpc_name = "d-peering-base" network_name = "vpc-${local.vpc_name}" 
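Review bot: `data "google_compute_network" "shared_vpc"` derives its `name` from `local.env_code`, but the only locals visible in this file are `vpc_name` and `network_name` in the block just below, so the plan fails on an undeclared local unless `env_code` is declared in another file of this directory. The lookup also dereferences `data.google_projects.projects[0].projects[0]` with no check on the result: an empty match errors at plan time, and several matches silently select the first project as the peering target, which is the failure mode a reviewer would rather see fail loudly. Consider asserting that exactly one host project matched before its id is used, for example by failing the plan on `length(data.google_projects.projects[0].projects) != 1`.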
@@ -44,15 +56,12 @@ module "peering_network" { network_name = local.network_name shared_vpc_host = "false" delete_default_internet_gateway_routes = "true" - - subnets = var.subnets } -module "peering_network" { - source = "terraform-google-modules/network/google" - version = "~> 2.0" - project_id = module.peering_project.project_id - network_name = local.network_name - shared_vpc_host = "false" - delete_default_internet_gateway_routes = "true" -} \ No newline at end of file +module "peering" { + source = "terraform-google-modules/network/google//modules/network-peering" + + prefix = "bu1-d" + local_network = module.peering_network.network_self_link + peer_network = data.google_compute_network.shared_vpc[0].network_self_link +} diff --git a/4-projects/business_unit_2/development/example_peering_project.tf b/4-projects/business_unit_2/development/example_peering_project.tf new file mode 100644 index 000000000..47d3d0b94 --- /dev/null +++ b/4-projects/business_unit_2/development/example_peering_project.tf 
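Review bot: the new `module "peering"` has no `version` for its registry source `terraform-google-modules/network/google//modules/network-peering`, whereas `peering_network` directly above constrains `version = "~> 2.0"`; an unconstrained registry module resolves to whatever release is current at `terraform init`, so pin it to the tested release, e.g. `version = "~> 2.0"`, to keep the dependency reproducible. Separately, `peer_network` indexes `data.google_compute_network.shared_vpc[0]` while the module itself has no `count`, so the `var.vpc_type == ""` case the data sources provide for fails the plan instead of skipping the peering; either add `count = var.vpc_type == "" ? 0 : 1` to this module or drop the conditional from the data sources. Both points carry over unchanged into the business_unit_2 copy created in this commit and the per-environment copies added in the next one.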
@@ -0,0 +1,67 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+ data "google_projects" "projects" {
+ count = var.vpc_type == "" ? 0 : 1
+ filter = "parent.id:${split("/", var.folder_id)[1]} labels.application_name=${var.vpc_type}-shared-vpc-host labels.environment=${var.environment} lifecycleState=ACTIVE"
+}
+
+data "google_compute_network" "shared_vpc" {
+ count = var.vpc_type == "" ? 0 : 1
+ name = "vpc-${local.env_code}-shared-${var.vpc_type}"
+ project = data.google_projects.projects[0].projects[0].project_id
+}
+
+
+locals {
+ vpc_name = "d-peering-base"
+ network_name = "vpc-${local.vpc_name}"
+}
+
+module "peering_project" {
+ source = "../../modules/single_project"
+ impersonate_service_account = var.terraform_service_account
+ org_id = var.org_id
+ billing_account = var.billing_account
+ folder_id = data.google_active_folder.env.name
+ skip_gcloud_download = var.skip_gcloud_download
+ environment = "development"
+
+ # Metadata
+ project_prefix = "sample-peering"
+ application_name = "bu1-sample-peering"
+ billing_code = "1234"
+ primary_contact = "example@example.com"
+ secondary_contact = "example2@example.com"
+ business_code = "bu1"
+}
+
+module "peering_network" {
+ source = "terraform-google-modules/network/google"
+ version = "~> 2.0"
+ project_id = module.peering_project.project_id
+ network_name = local.network_name
+ shared_vpc_host = "false"
+ delete_default_internet_gateway_routes = "true"
+}
+
+module "peering" {
+ source = "terraform-google-modules/network/google//modules/network-peering"
+
+ prefix = "bu1-d"
+ local_network = module.peering_network.network_self_link
+ peer_network = data.google_compute_network.shared_vpc[0].network_self_link
+}
From 616407d94443d2dd57bef82800488db574518cde Mon Sep 17 00:00:00 2001
From: Amanda Karina Lopes de Oliveira
Date: Mon, 21 Sep 2020 15:55:18 -0300
Subject: [PATCH 03/16] Adds peering for step 4-projects
---
 .../development/example_peering_project.tf | 37 +++++-----
 .../non-production/example_peering_project.tf | 72 +++++++++++++++++++
 .../production/example_peering_project.tf | 72 +++++++++++++++++++
 .../development/example_peering_project.tf | 36 +++++-----
 .../non-production/example_peering_project.tf | 71 ++++++++++++++++++
 .../production/example_peering_project.tf | 71 ++++++++++++++++++
 6 files changed, 327 insertions(+), 32 deletions(-)
 create mode 100644 4-projects/business_unit_1/non-production/example_peering_project.tf
 create mode 100644 4-projects/business_unit_1/production/example_peering_project.tf
 create mode 100644 4-projects/business_unit_2/non-production/example_peering_project.tf
 create mode 100644 4-projects/business_unit_2/production/example_peering_project.tf
diff --git a/4-projects/business_unit_1/development/example_peering_project.tf b/4-projects/business_unit_1/development/example_peering_project.tf
index 47d3d0b94..438d94d43 100644
--- a/4-projects/business_unit_1/development/example_peering_project.tf
+++ b/4-projects/business_unit_1/development/example_peering_project.tf
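Review bot: this file is created under `business_unit_2` but carries the business-unit-1 identifiers copied from the bu1 file: `application_name = "bu1-sample-peering"`, `business_code = "bu1"` and `prefix = "bu1-d"`, so the project labels and the peering name would attribute the resources to the wrong business unit. Change them to `application_name = "bu2-sample-peering"`, `business_code = "bu2"` and `prefix = "bu2-d"`. The two files share the same blob id (47d3d0b94), which suggests the business-unit-specific values should be inputs rather than literals that must be edited on every copy.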
@@ -14,21 +14,25 @@ * limitations under the License. */ - data "google_projects" "projects" { - count = var.vpc_type == "" ? 0 : 1 - filter = "parent.id:${split("/", var.folder_id)[1]} labels.application_name=${var.vpc_type}-shared-vpc-host labels.environment=${var.environment} lifecycleState=ACTIVE" -} -data "google_compute_network" "shared_vpc" { - count = var.vpc_type == "" ? 0 : 1 - name = "vpc-${local.env_code}-shared-${var.vpc_type}" - project = data.google_projects.projects[0].projects[0].project_id +locals { + vpc_name = "${local.env_code}-peering-base" + network_name = "vpc-${local.vpc_name}" + env_code = "d" + environment = "development" + vpc_type = "base" + business_code = "bu1" } +data "google_projects" "projects" { + count = local.vpc_type == "" ? 0 : 1 + filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=${local.vpc_type}-shared-vpc-host labels.environment=${local.environment} lifecycleState=ACTIVE" +} -locals { - vpc_name = "d-peering-base" - network_name = "vpc-${local.vpc_name}" +data "google_compute_network" "shared_vpc" { + count = local.vpc_type == "" ? 0 : 1 + name = "vpc-${local.env_code}-shared-${local.vpc_type}" + project = data.google_projects.projects[0].projects[0].project_id } module "peering_project" { @@ -38,15 +42,15 @@ module "peering_project" { billing_account = var.billing_account folder_id = data.google_active_folder.env.name skip_gcloud_download = var.skip_gcloud_download - environment = "development" + environment = local.environment # Metadata project_prefix = "sample-peering" - application_name = "bu1-sample-peering" + application_name = "${local.business_code}-sample-peering" billing_code = "1234" primary_contact = "example@example.com" secondary_contact = "example2@example.com" - business_code = "bu1" + business_code = local.business_code } module "peering_network" { 
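Review bot: the shared-VPC host is discovered solely from project labels (`labels.application_name=${local.vpc_type}-shared-vpc-host labels.environment=${local.environment}` under the active folder) and the first match is taken without checking that exactly one project matched; labels are editable project metadata, not an identity, so a mislabelled or additional project under that folder would silently become the peering target. Prefer taking the host project id and network from the step-3 outputs or remote state, or at least fail the plan when `length(data.google_projects.projects[0].projects) != 1`. Also, `count = local.vpc_type == "" ? 0 : 1` is now conditioned on a local hard-coded to `"base"`, so the count is always 1 and the `[0]` indexes only add noise — make `vpc_type` a variable or drop the `count`. The same applies to the business_unit_2 development hunk in this commit and to the four new per-environment files.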
@@ -56,12 +60,13 @@ module "peering_network" { network_name = local.network_name shared_vpc_host = "false" delete_default_internet_gateway_routes = "true" + subnets = [] } module "peering" { source = "terraform-google-modules/network/google//modules/network-peering" - prefix = "bu1-d" + prefix = "${local.business_code}-${local.env_code}" local_network = module.peering_network.network_self_link - peer_network = data.google_compute_network.shared_vpc[0].network_self_link + peer_network = data.google_compute_network.shared_vpc[0].self_link } diff --git a/4-projects/business_unit_1/non-production/example_peering_project.tf b/4-projects/business_unit_1/non-production/example_peering_project.tf new file mode 100644 index 000000000..5cfe303d7 --- /dev/null +++ b/4-projects/business_unit_1/non-production/example_peering_project.tf 
@@ -0,0 +1,72 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+locals {
+ vpc_name = "${local.env_code}-peering-base"
+ network_name = "vpc-${local.vpc_name}"
+ env_code = "n"
+ environment = "non-production"
+ vpc_type = "base"
+ business_code = "bu1"
+}
+
+data "google_projects" "projects" {
+ count = local.vpc_type == "" ? 0 : 1
+ filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=${local.vpc_type}-shared-vpc-host labels.environment=${local.environment} lifecycleState=ACTIVE"
+}
+
+data "google_compute_network" "shared_vpc" {
+ count = local.vpc_type == "" ? 0 : 1
+ name = "vpc-${local.env_code}-shared-${local.vpc_type}"
+ project = data.google_projects.projects[0].projects[0].project_id
+}
+
+module "peering_project" {
+ source = "../../modules/single_project"
+ impersonate_service_account = var.terraform_service_account
+ org_id = var.org_id
+ billing_account = var.billing_account
+ folder_id = data.google_active_folder.env.name
+ skip_gcloud_download = var.skip_gcloud_download
+ environment = local.environment
+
+ # Metadata
+ project_prefix = "sample-peering"
+ application_name = "${local.business_code}-sample-peering"
+ billing_code = "1234"
+ primary_contact = "example@example.com"
+ secondary_contact = "example2@example.com"
+ business_code = local.business_code
+}
+
+module "peering_network" {
+ source = "terraform-google-modules/network/google"
+ version = "~> 2.0"
+ project_id = module.peering_project.project_id
+ network_name = local.network_name
+ shared_vpc_host = "false"
+ delete_default_internet_gateway_routes = "true"
+ subnets = []
+}
+
+module "peering" {
+ source = "terraform-google-modules/network/google//modules/network-peering"
+
+ prefix = "${local.business_code}-${local.env_code}"
+ local_network = module.peering_network.network_self_link
+ peer_network = data.google_compute_network.shared_vpc[0].self_link
+}
diff --git a/4-projects/business_unit_1/production/example_peering_project.tf b/4-projects/business_unit_1/production/example_peering_project.tf
new file mode 100644
index 000000000..4060fae88
--- /dev/null
+++ b/4-projects/business_unit_1/production/example_peering_project.tf
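Review bot: this file repeats the development file line for line except for `env_code = "n"` and `environment = "non-production"`, and the production file and the two business_unit_2 files added in the same commit differ by one or two further literals, so every later fix (a guard on the host lookup, a module version pin, the dead `vpc_type` conditional) must be applied to six copies. Consider moving the shared body into a local module under `../../modules` that takes `env_code`, `environment`, `business_code` and `vpc_type` as inputs, so each environment file is one module call. If the copies are intended as self-contained examples, a header comment such as `# Example: peers a standalone project VPC to this environment's base shared VPC. Kept in sync with the other environment/business-unit copies.` would at least make the duplication explicit.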
@@ -0,0 +1,72 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+locals {
+ vpc_name = "${local.env_code}-peering-base"
+ network_name = "vpc-${local.vpc_name}"
+ env_code = "p"
+ environment = "production"
+ vpc_type = "base"
+ business_code = "bu1"
+}
+
+data "google_projects" "projects" {
+ count = local.vpc_type == "" ? 0 : 1
+ filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=${local.vpc_type}-shared-vpc-host labels.environment=${local.environment} lifecycleState=ACTIVE"
+}
+
+data "google_compute_network" "shared_vpc" {
+ count = local.vpc_type == "" ? 0 : 1
+ name = "vpc-${local.env_code}-shared-${local.vpc_type}"
+ project = data.google_projects.projects[0].projects[0].project_id
+}
+
+module "peering_project" {
+ source = "../../modules/single_project"
+ impersonate_service_account = var.terraform_service_account
+ org_id = var.org_id
+ billing_account = var.billing_account
+ folder_id = data.google_active_folder.env.name
+ skip_gcloud_download = var.skip_gcloud_download
+ environment = local.environment
+
+ # Metadata
+ project_prefix = "sample-peering"
+ application_name = "${local.business_code}-sample-peering"
+ billing_code = "1234"
+ primary_contact = "example@example.com"
+ secondary_contact = "example2@example.com"
+ business_code = local.business_code
+}
+
+module "peering_network" {
+ source = "terraform-google-modules/network/google"
+ version = "~> 2.0"
+ project_id = module.peering_project.project_id
+ network_name = local.network_name
+ shared_vpc_host = "false"
+ delete_default_internet_gateway_routes = "true"
+ subnets = []
+}
+
+module "peering" {
+ source = "terraform-google-modules/network/google//modules/network-peering"
+
+ prefix = "${local.business_code}-${local.env_code}"
+ local_network = module.peering_network.network_self_link
+ peer_network = data.google_compute_network.shared_vpc[0].self_link
+}
diff --git a/4-projects/business_unit_2/development/example_peering_project.tf b/4-projects/business_unit_2/development/example_peering_project.tf
index 47d3d0b94..2ea1252d9 100644
--- a/4-projects/business_unit_2/development/example_peering_project.tf
+++ b/4-projects/business_unit_2/development/example_peering_project.tf
@@ -14,21 +14,24 @@ * limitations under the License. */ - data "google_projects" "projects" { - count = var.vpc_type == "" ? 0 : 1 - filter = "parent.id:${split("/", var.folder_id)[1]} labels.application_name=${var.vpc_type}-shared-vpc-host labels.environment=${var.environment} lifecycleState=ACTIVE" +locals { + vpc_name = "${local.env_code}-peering-base" + network_name = "vpc-${local.vpc_name}" + env_code = "d" + environment = "development" + vpc_type = "base" + business_code = "bu2" } -data "google_compute_network" "shared_vpc" { - count = var.vpc_type == "" ? 0 : 1 - name = "vpc-${local.env_code}-shared-${var.vpc_type}" - project = data.google_projects.projects[0].projects[0].project_id +data "google_projects" "projects" { + count = local.vpc_type == "" ? 0 : 1 + filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=${local.vpc_type}-shared-vpc-host labels.environment=${local.environment} lifecycleState=ACTIVE" } - -locals { - vpc_name = "d-peering-base" - network_name = "vpc-${local.vpc_name}" +data "google_compute_network" "shared_vpc" { + count = local.vpc_type == "" ? 0 : 1 + name = "vpc-${local.env_code}-shared-${local.vpc_type}" + project = data.google_projects.projects[0].projects[0].project_id } module "peering_project" { @@ -38,15 +41,15 @@ module "peering_project" { billing_account = var.billing_account folder_id = data.google_active_folder.env.name skip_gcloud_download = var.skip_gcloud_download - environment = "development" + environment = local.environment # Metadata project_prefix = "sample-peering" - application_name = "bu1-sample-peering" + application_name = "${local.business_code}-sample-peering" billing_code = "1234" primary_contact = "example@example.com" secondary_contact = "example2@example.com" - business_code = "bu1" + business_code = local.business_code } module "peering_network" { 
@@ -56,12 +59,13 @@ module "peering_network" { network_name = local.network_name shared_vpc_host = "false" delete_default_internet_gateway_routes = "true" + subnets = [] } module "peering" { source = "terraform-google-modules/network/google//modules/network-peering" - prefix = "bu1-d" + prefix = "${local.business_code}-${local.env_code}" local_network = module.peering_network.network_self_link - peer_network = data.google_compute_network.shared_vpc[0].network_self_link + peer_network = data.google_compute_network.shared_vpc[0].self_link } diff --git a/4-projects/business_unit_2/non-production/example_peering_project.tf b/4-projects/business_unit_2/non-production/example_peering_project.tf new file mode 100644 index 000000000..3682548a2 --- /dev/null +++ b/4-projects/business_unit_2/non-production/example_peering_project.tf 
@@ -0,0 +1,71 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ vpc_name = "${local.env_code}-peering-base"
+ network_name = "vpc-${local.vpc_name}"
+ env_code = "n"
+ environment = "non-production"
+ vpc_type = "base"
+ business_code = "bu2"
+}
+
+data "google_projects" "projects" {
+ count = local.vpc_type == "" ? 0 : 1
+ filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=${local.vpc_type}-shared-vpc-host labels.environment=${local.environment} lifecycleState=ACTIVE"
+}
+
+data "google_compute_network" "shared_vpc" {
+ count = local.vpc_type == "" ? 0 : 1
+ name = "vpc-${local.env_code}-shared-${local.vpc_type}"
+ project = data.google_projects.projects[0].projects[0].project_id
+}
+
+module "peering_project" {
+ source = "../../modules/single_project"
+ impersonate_service_account = var.terraform_service_account
+ org_id = var.org_id
+ billing_account = var.billing_account
+ folder_id = data.google_active_folder.env.name
+ skip_gcloud_download = var.skip_gcloud_download
+ environment = local.environment
+
+ # Metadata
+ project_prefix = "sample-peering"
+ application_name = "${local.business_code}-sample-peering"
+ billing_code = "1234"
+ primary_contact = "example@example.com"
+ secondary_contact = "example2@example.com"
+ business_code = local.business_code
+}
+
+module "peering_network" {
+ source = "terraform-google-modules/network/google"
+ version = "~> 2.0"
+ project_id = module.peering_project.project_id
+ network_name = local.network_name
+ shared_vpc_host = "false"
+ delete_default_internet_gateway_routes = "true"
+ subnets = []
+}
+
+module "peering" {
+ source = "terraform-google-modules/network/google//modules/network-peering"
+
+ prefix = "${local.business_code}-${local.env_code}"
+ local_network = module.peering_network.network_self_link
+ peer_network = data.google_compute_network.shared_vpc[0].self_link
+}
diff --git a/4-projects/business_unit_2/production/example_peering_project.tf b/4-projects/business_unit_2/production/example_peering_project.tf
new file mode 100644
index 000000000..77858a614
--- /dev/null
+++ b/4-projects/business_unit_2/production/example_peering_project.tf
@@ -0,0 +1,71 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ vpc_name = "${local.env_code}-peering-base"
+ network_name = "vpc-${local.vpc_name}"
+ env_code = "p"
+ environment = "production"
+ vpc_type = "base"
+ business_code = "bu2"
+}
+
+data "google_projects" "projects" {
+ count = local.vpc_type == "" ? 0 : 1
+ filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=${local.vpc_type}-shared-vpc-host labels.environment=${local.environment} lifecycleState=ACTIVE"
+}
+
+data "google_compute_network" "shared_vpc" {
+ count = local.vpc_type == "" ? 0 : 1
+ name = "vpc-${local.env_code}-shared-${local.vpc_type}"
+ project = data.google_projects.projects[0].projects[0].project_id
+}
+
+module "peering_project" {
+ source = "../../modules/single_project"
+ impersonate_service_account = var.terraform_service_account
+ org_id = var.org_id
+ billing_account = var.billing_account
+ folder_id = data.google_active_folder.env.name
+ skip_gcloud_download = var.skip_gcloud_download
+ environment = local.environment
+
+ # Metadata
+ project_prefix = "sample-peering"
+ application_name = "${local.business_code}-sample-peering"
+ billing_code = "1234"
+ primary_contact = "example@example.com"
+ secondary_contact = "example2@example.com"
+ business_code = local.business_code
+}
+
+module "peering_network" {
+ source = "terraform-google-modules/network/google"
+ version = "~> 2.0"
+ project_id = module.peering_project.project_id
+ network_name = local.network_name
+ shared_vpc_host = "false"
+ delete_default_internet_gateway_routes = "true"
+ subnets = []
+}
+
+module "peering" {
+ source = "terraform-google-modules/network/google//modules/network-peering"
+
+ prefix = "${local.business_code}-${local.env_code}"
+ local_network = module.peering_network.network_self_link
+ peer_network = data.google_compute_network.shared_vpc[0].self_link
+}
From 2c797da8b3f4d09ac9254abb40588c5c0087b613 Mon Sep 17 00:00:00 2001
From: Amanda Karina Lopes de Oliveira
Date: Wed, 23 Sep 2020 10:26:48 -0300
Subject: [PATCH 04/16] Fixes code review issues
---
 .../development/example_peering_project.tf | 30 ++++++------------
 .../non-production/example_peering_project.tf | 30 ++++++------------
 .../production/example_peering_project.tf | 31 ++++++-------------
 .../development/example_peering_project.tf | 29 ++++++-----------
 .../non-production/example_peering_project.tf | 29 ++++++-----------
 .../production/example_peering_project.tf | 30 ++++++------------
 6 files changed, 54 insertions(+), 125 deletions(-)
diff --git a/4-projects/business_unit_1/development/example_peering_project.tf b/4-projects/business_unit_1/development/example_peering_project.tf index 438d94d43..4e48f4979 100644 --- a/4-projects/business_unit_1/development/example_peering_project.tf +++ b/4-projects/business_unit_1/development/example_peering_project.tf @@ -14,25 +14,13 @@ * limitations under the License. */ - -locals { - vpc_name = "${local.env_code}-peering-base" - network_name = "vpc-${local.vpc_name}" - env_code = "d" - environment = "development" - vpc_type = "base" - business_code = "bu1" -} - data "google_projects" "projects" { - count = local.vpc_type == "" ? 0 : 1 - filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=${local.vpc_type}-shared-vpc-host labels.environment=${local.environment} lifecycleState=ACTIVE" + filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=base-shared-vpc-host labels.environment=development lifecycleState=ACTIVE" } data "google_compute_network" "shared_vpc" { - count = local.vpc_type == "" ? 0 : 1 - name = "vpc-${local.env_code}-shared-${local.vpc_type}" - project = data.google_projects.projects[0].projects[0].project_id + name = "vpc-d-shared-base" + project = data.google_projects.projects.projects[0].project_id } module "peering_project" { 
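Review bot: the host lookup now hard-codes both the label query (`labels.application_name=base-shared-vpc-host labels.environment=development`) and the peer network name `vpc-d-shared-base`, which binds this example to the labels and naming produced by step 3-networks without saying so; anyone changing either side learns of the coupling only when the plan fails. Add a comment above `data "google_projects" "projects"` along the lines of `# Finds the base shared-VPC host project for this environment by the labels set in 3-networks; the network name below must match the vpc-<env>-shared-base naming used there.` Dropping `count` leaves the earlier concern in place: `data.google_projects.projects.projects[0]` still errors on an empty result and silently picks the first of several matches. The non-production, production and business_unit_2 hunks of this commit make the same change and would take the same comment.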
@@ -42,22 +30,22 @@ module "peering_project" { billing_account = var.billing_account folder_id = data.google_active_folder.env.name skip_gcloud_download = var.skip_gcloud_download - environment = local.environment + environment = "development" # Metadata project_prefix = "sample-peering" - application_name = "${local.business_code}-sample-peering" + application_name = "bu1-sample-peering" billing_code = "1234" primary_contact = "example@example.com" secondary_contact = "example2@example.com" - business_code = local.business_code + business_code = "bu1" } module "peering_network" { source = "terraform-google-modules/network/google" version = "~> 2.0" project_id = module.peering_project.project_id - network_name = local.network_name + network_name = "vpc-d-peering-base" shared_vpc_host = "false" delete_default_internet_gateway_routes = "true" subnets = [] @@ -66,7 +54,7 @@ module "peering_network" { module "peering" { source = "terraform-google-modules/network/google//modules/network-peering" - prefix = "${local.business_code}-${local.env_code}" + prefix = "bu1-d" local_network = module.peering_network.network_self_link - peer_network = data.google_compute_network.shared_vpc[0].self_link + peer_network = data.google_compute_network.shared_vpc.self_link } diff --git a/4-projects/business_unit_1/non-production/example_peering_project.tf b/4-projects/business_unit_1/non-production/example_peering_project.tf index 5cfe303d7..722dababa 100644 --- a/4-projects/business_unit_1/non-production/example_peering_project.tf +++ b/4-projects/business_unit_1/non-production/example_peering_project.tf 
@@ -14,25 +14,13 @@ * limitations under the License. */ - -locals { - vpc_name = "${local.env_code}-peering-base" - network_name = "vpc-${local.vpc_name}" - env_code = "n" - environment = "non-production" - vpc_type = "base" - business_code = "bu1" -} - data "google_projects" "projects" { - count = local.vpc_type == "" ? 0 : 1 - filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=${local.vpc_type}-shared-vpc-host labels.environment=${local.environment} lifecycleState=ACTIVE" + filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=base-shared-vpc-host labels.environment=non-production lifecycleState=ACTIVE" } data "google_compute_network" "shared_vpc" { - count = local.vpc_type == "" ? 0 : 1 - name = "vpc-${local.env_code}-shared-${local.vpc_type}" - project = data.google_projects.projects[0].projects[0].project_id + name = "vpc-n-shared-base" + project = data.google_projects.projects.projects[0].project_id } module "peering_project" { @@ -42,22 +30,22 @@ module "peering_project" { billing_account = var.billing_account folder_id = data.google_active_folder.env.name skip_gcloud_download = var.skip_gcloud_download - environment = local.environment + environment = "non-production" # Metadata project_prefix = "sample-peering" - application_name = "${local.business_code}-sample-peering" + application_name = "bu1-sample-peering" billing_code = "1234" primary_contact = "example@example.com" secondary_contact = "example2@example.com" - business_code = local.business_code + business_code = "bu1" } module "peering_network" { source = "terraform-google-modules/network/google" version = "~> 2.0" project_id = module.peering_project.project_id - network_name = local.network_name + network_name = "vpc-n-peering-base" shared_vpc_host = "false" delete_default_internet_gateway_routes = "true" subnets = [] 
@@ -66,7 +54,7 @@ module "peering_network" { module "peering" { source = "terraform-google-modules/network/google//modules/network-peering" - prefix = "${local.business_code}-${local.env_code}" + prefix = "bu1-n" local_network = module.peering_network.network_self_link - peer_network = data.google_compute_network.shared_vpc[0].self_link + peer_network = data.google_compute_network.shared_vpc.self_link } diff --git a/4-projects/business_unit_1/production/example_peering_project.tf b/4-projects/business_unit_1/production/example_peering_project.tf index 4060fae88..d5dfdc4c0 100644 --- a/4-projects/business_unit_1/production/example_peering_project.tf +++ b/4-projects/business_unit_1/production/example_peering_project.tf @@ -14,25 +14,13 @@ * limitations under the License. */ - -locals { - vpc_name = "${local.env_code}-peering-base" - network_name = "vpc-${local.vpc_name}" - env_code = "p" - environment = "production" - vpc_type = "base" - business_code = "bu1" -} - data "google_projects" "projects" { - count = local.vpc_type == "" ? 0 : 1 - filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=${local.vpc_type}-shared-vpc-host labels.environment=${local.environment} lifecycleState=ACTIVE" + filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=base-shared-vpc-host labels.environment=production lifecycleState=ACTIVE" } data "google_compute_network" "shared_vpc" { - count = local.vpc_type == "" ? 0 : 1 - name = "vpc-${local.env_code}-shared-${local.vpc_type}" - project = data.google_projects.projects[0].projects[0].project_id + name = "vpc-p-shared-base" + project = data.google_projects.projects.projects[0].project_id } module "peering_project" { 
@@ -42,22 +30,22 @@ module "peering_project" { billing_account = var.billing_account folder_id = data.google_active_folder.env.name skip_gcloud_download = var.skip_gcloud_download - environment = local.environment + environment = "production" # Metadata project_prefix = "sample-peering" - application_name = "${local.business_code}-sample-peering" + application_name = "bu1-sample-peering" billing_code = "1234" primary_contact = "example@example.com" secondary_contact = "example2@example.com" - business_code = local.business_code + business_code = "bu1" } module "peering_network" { source = "terraform-google-modules/network/google" version = "~> 2.0" project_id = module.peering_project.project_id - network_name = local.network_name + network_name = "vpc-p-peering-base" shared_vpc_host = "false" delete_default_internet_gateway_routes = "true" subnets = [] @@ -65,8 +53,7 @@ module "peering_network" { module "peering" { source = "terraform-google-modules/network/google//modules/network-peering" - - prefix = "${local.business_code}-${local.env_code}" + prefix = "bu1-p" local_network = module.peering_network.network_self_link - peer_network = data.google_compute_network.shared_vpc[0].self_link + peer_network = data.google_compute_network.shared_vpc.self_link } diff --git a/4-projects/business_unit_2/development/example_peering_project.tf b/4-projects/business_unit_2/development/example_peering_project.tf index 2ea1252d9..379c47576 100644 --- a/4-projects/business_unit_2/development/example_peering_project.tf +++ b/4-projects/business_unit_2/development/example_peering_project.tf 
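Review bot: Peering `module.peering_network` with `data.google_compute_network.shared_vpc.self_link` means the identity running this stage (`var.terraform_service_account`, impersonated in the `peering_project` block outside this hunk) must also create the matching peering on the production shared-VPC host network — if the network-peering module creates both sides, as I believe it does — so it needs network-write rights on the host project, not only on the project created here. That grant is not part of this diff and is easy to over-satisfy with a folder-wide role; I would document next to `module "peering"` which role is expected on the host project and keep it scoped to that project. A comment such as `# requires the stage service account to hold a network-admin role on the shared VPC host project` would make the cross-project dependency explicit.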
@@ -14,24 +14,13 @@ * limitations under the License. */ -locals { - vpc_name = "${local.env_code}-peering-base" - network_name = "vpc-${local.vpc_name}" - env_code = "d" - environment = "development" - vpc_type = "base" - business_code = "bu2" -} - data "google_projects" "projects" { - count = local.vpc_type == "" ? 0 : 1 - filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=${local.vpc_type}-shared-vpc-host labels.environment=${local.environment} lifecycleState=ACTIVE" + filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=base-shared-vpc-host labels.environment=development lifecycleState=ACTIVE" } data "google_compute_network" "shared_vpc" { - count = local.vpc_type == "" ? 0 : 1 - name = "vpc-${local.env_code}-shared-${local.vpc_type}" - project = data.google_projects.projects[0].projects[0].project_id + name = "vpc-d-shared-base" + project = data.google_projects.projects.projects[0].project_id } module "peering_project" { @@ -41,22 +30,22 @@ module "peering_project" { billing_account = var.billing_account folder_id = data.google_active_folder.env.name skip_gcloud_download = var.skip_gcloud_download - environment = local.environment + environment = "development" # Metadata project_prefix = "sample-peering" - application_name = "${local.business_code}-sample-peering" + application_name = "bu2-sample-peering" billing_code = "1234" primary_contact = "example@example.com" secondary_contact = "example2@example.com" - business_code = local.business_code + business_code = "bu2" } module "peering_network" { source = "terraform-google-modules/network/google" version = "~> 2.0" project_id = module.peering_project.project_id - network_name = local.network_name + network_name = "vpc-d-peering-base" shared_vpc_host = "false" delete_default_internet_gateway_routes = "true" subnets = [] 
@@ -65,7 +54,7 @@ module "peering_network" { module "peering" { source = "terraform-google-modules/network/google//modules/network-peering" - prefix = "${local.business_code}-${local.env_code}" + prefix = "bu2-d" local_network = module.peering_network.network_self_link - peer_network = data.google_compute_network.shared_vpc[0].self_link + peer_network = data.google_compute_network.shared_vpc.self_link } diff --git a/4-projects/business_unit_2/non-production/example_peering_project.tf b/4-projects/business_unit_2/non-production/example_peering_project.tf index 3682548a2..62b2bcfc6 100644 --- a/4-projects/business_unit_2/non-production/example_peering_project.tf +++ b/4-projects/business_unit_2/non-production/example_peering_project.tf @@ -14,24 +14,13 @@ * limitations under the License. */ -locals { - vpc_name = "${local.env_code}-peering-base" - network_name = "vpc-${local.vpc_name}" - env_code = "n" - environment = "non-production" - vpc_type = "base" - business_code = "bu2" -} - data "google_projects" "projects" { - count = local.vpc_type == "" ? 0 : 1 - filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=${local.vpc_type}-shared-vpc-host labels.environment=${local.environment} lifecycleState=ACTIVE" + filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=base-shared-vpc-host labels.environment=non-production lifecycleState=ACTIVE" } data "google_compute_network" "shared_vpc" { - count = local.vpc_type == "" ? 0 : 1 - name = "vpc-${local.env_code}-shared-${local.vpc_type}" - project = data.google_projects.projects[0].projects[0].project_id + name = "vpc-n-shared-base" + project = data.google_projects.projects.projects[0].project_id } module "peering_project" { 
@@ -41,22 +30,22 @@ module "peering_project" { billing_account = var.billing_account folder_id = data.google_active_folder.env.name skip_gcloud_download = var.skip_gcloud_download - environment = local.environment + environment = "non-production" # Metadata project_prefix = "sample-peering" - application_name = "${local.business_code}-sample-peering" + application_name = "bu2-sample-peering" billing_code = "1234" primary_contact = "example@example.com" secondary_contact = "example2@example.com" - business_code = local.business_code + business_code = "bu2" } module "peering_network" { source = "terraform-google-modules/network/google" version = "~> 2.0" project_id = module.peering_project.project_id - network_name = local.network_name + network_name = "vpc-n-peering-base" shared_vpc_host = "false" delete_default_internet_gateway_routes = "true" subnets = [] @@ -65,7 +54,7 @@ module "peering_network" { module "peering" { source = "terraform-google-modules/network/google//modules/network-peering" - prefix = "${local.business_code}-${local.env_code}" + prefix = "bu2-n" local_network = module.peering_network.network_self_link - peer_network = data.google_compute_network.shared_vpc[0].self_link + peer_network = data.google_compute_network.shared_vpc.self_link } diff --git a/4-projects/business_unit_2/production/example_peering_project.tf b/4-projects/business_unit_2/production/example_peering_project.tf index 77858a614..59cafe217 100644 --- a/4-projects/business_unit_2/production/example_peering_project.tf +++ b/4-projects/business_unit_2/production/example_peering_project.tf 
@@ -14,24 +14,13 @@ * limitations under the License. */ -locals { - vpc_name = "${local.env_code}-peering-base" - network_name = "vpc-${local.vpc_name}" - env_code = "p" - environment = "production" - vpc_type = "base" - business_code = "bu2" -} - data "google_projects" "projects" { - count = local.vpc_type == "" ? 0 : 1 - filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=${local.vpc_type}-shared-vpc-host labels.environment=${local.environment} lifecycleState=ACTIVE" + filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=base-shared-vpc-host labels.environment=production lifecycleState=ACTIVE" } data "google_compute_network" "shared_vpc" { - count = local.vpc_type == "" ? 0 : 1 - name = "vpc-${local.env_code}-shared-${local.vpc_type}" - project = data.google_projects.projects[0].projects[0].project_id + name = "vpc-p-shared-base" + project = data.google_projects.projects.projects[0].project_id } module "peering_project" { @@ -41,22 +30,22 @@ module "peering_project" { billing_account = var.billing_account folder_id = data.google_active_folder.env.name skip_gcloud_download = var.skip_gcloud_download - environment = local.environment + environment = "production" # Metadata project_prefix = "sample-peering" - application_name = "${local.business_code}-sample-peering" + application_name = "bu2-sample-peering" billing_code = "1234" primary_contact = "example@example.com" secondary_contact = "example2@example.com" - business_code = local.business_code + business_code = "bu2" } module "peering_network" { source = "terraform-google-modules/network/google" version = "~> 2.0" project_id = module.peering_project.project_id - network_name = local.network_name + network_name = "vpc-p-peering-base" shared_vpc_host = "false" delete_default_internet_gateway_routes = "true" subnets = [] 
@@ -64,8 +53,7 @@ module "peering_network" { module "peering" { source = "terraform-google-modules/network/google//modules/network-peering" - - prefix = "${local.business_code}-${local.env_code}" + prefix = "bu2-p" local_network = module.peering_network.network_self_link - peer_network = data.google_compute_network.shared_vpc[0].self_link + peer_network = data.google_compute_network.shared_vpc.self_link } From 38d2866c0b32c4ec365f4c2a6a6658fe2bf54685 Mon Sep 17 00:00:00 2001 From: Amanda Karina Lopes de Oliveira Date: Wed, 23 Sep 2020 10:45:02 -0300 Subject: [PATCH 05/16] Fixes linting issues --- .../business_unit_1/production/example_peering_project.tf | 2 +- .../business_unit_2/production/example_peering_project.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/4-projects/business_unit_1/production/example_peering_project.tf b/4-projects/business_unit_1/production/example_peering_project.tf index d5dfdc4c0..27eac32e6 100644 --- a/4-projects/business_unit_1/production/example_peering_project.tf +++ b/4-projects/business_unit_1/production/example_peering_project.tf @@ -52,7 +52,7 @@ module "peering_network" { } module "peering" { - source = "terraform-google-modules/network/google//modules/network-peering" + source = "terraform-google-modules/network/google//modules/network-peering" prefix = "bu1-p" local_network = module.peering_network.network_self_link peer_network = data.google_compute_network.shared_vpc.self_link diff --git a/4-projects/business_unit_2/production/example_peering_project.tf b/4-projects/business_unit_2/production/example_peering_project.tf index 59cafe217..79e7d825b 100644 --- a/4-projects/business_unit_2/production/example_peering_project.tf +++ b/4-projects/business_unit_2/production/example_peering_project.tf 
@@ -52,7 +52,7 @@ module "peering_network" { } module "peering" { - source = "terraform-google-modules/network/google//modules/network-peering" + source = "terraform-google-modules/network/google//modules/network-peering" prefix = "bu2-p" local_network = module.peering_network.network_self_link peer_network = data.google_compute_network.shared_vpc.self_link From 4a509e64d720d1809fd98a14564e7f8b093beac6 Mon Sep 17 00:00:00 2001 From: Amanda Karina Lopes de Oliveira Date: Thu, 24 Sep 2020 09:02:07 -0300 Subject: [PATCH 06/16] Adds dependency variable --- 4-projects/business_unit_1/development/README.md | 1 + .../business_unit_1/development/example_peering_project.tf | 2 ++ 4-projects/business_unit_1/development/variables.tf | 6 ++++++ 4-projects/business_unit_1/non-production/README.md | 1 + .../non-production/example_peering_project.tf | 2 ++ 4-projects/business_unit_1/non-production/variables.tf | 6 ++++++ 4-projects/business_unit_1/production/README.md | 1 + .../business_unit_1/production/example_peering_project.tf | 2 ++ 4-projects/business_unit_1/production/variables.tf | 6 ++++++ 4-projects/business_unit_2/development/README.md | 1 + .../business_unit_2/development/example_peering_project.tf | 2 ++ 4-projects/business_unit_2/development/variables.tf | 6 ++++++ 4-projects/business_unit_2/non-production/README.md | 1 + .../non-production/example_peering_project.tf | 5 +++-- 4-projects/business_unit_2/non-production/variables.tf | 6 ++++++ 4-projects/business_unit_2/production/README.md | 1 + .../business_unit_2/production/example_peering_project.tf | 2 ++ 4-projects/business_unit_2/production/variables.tf | 6 ++++++ 18 files changed, 55 insertions(+), 2 deletions(-) diff --git a/4-projects/business_unit_1/development/README.md b/4-projects/business_unit_1/development/README.md index 28e9f6975..5d9645874 100644 --- a/4-projects/business_unit_1/development/README.md +++ b/4-projects/business_unit_1/development/README.md 
@@ -7,6 +7,7 @@
 | billing\_account | The ID of the billing account to associated this project with | string | n/a | yes |
 | org\_id | The organization id for the associated services | string | n/a | yes |
 | parent\_folder | Optional - if using a folder for testing. | string | `""` | no |
+| peering\_module\_depends\_on | List of modules or resources peering module depends on. | list | `` | no |
 | perimeter\_name | Access context manager service perimeter name to attach the restricted svpc project. | string | n/a | yes |
 | skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud is already available outside the module) | bool | `"true"` | no |
 | terraform\_service\_account | Service account email of the account to impersonate to run Terraform | string | n/a | yes |
diff --git a/4-projects/business_unit_1/development/example_peering_project.tf b/4-projects/business_unit_1/development/example_peering_project.tf
index 4e48f4979..e3230a272 100644
--- a/4-projects/business_unit_1/development/example_peering_project.tf
+++ b/4-projects/business_unit_1/development/example_peering_project.tf
@@ -57,4 +57,6 @@ module "peering" {
 prefix = "bu1-d"
 local_network = module.peering_network.network_self_link
 peer_network = data.google_compute_network.shared_vpc.self_link
+
+ module_depends_on = var.peering_module_depends_on
 }
diff --git a/4-projects/business_unit_1/development/variables.tf b/4-projects/business_unit_1/development/variables.tf
index bec230ecd..98e933f32 100644
--- a/4-projects/business_unit_1/development/variables.tf
+++ b/4-projects/business_unit_1/development/variables.tf
@@ -50,3 +50,9 @@ variable "perimeter_name" {
 description = "Access context manager service perimeter name to attach the restricted svpc project."
 type = string
 }
+
+variable "peering_module_depends_on" {
+ description = "List of modules or resources peering module depends on."
+ type = list
+ default = []
+}
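Review bot: `type = list` on the new `peering_module_depends_on` variable is the legacy untyped shorthand that Terraform 0.12+ keeps only for compatibility; since the value feeds `module_depends_on` and its contents are never read, `type = list(any)` states the same contract in current syntax. The description should also say that the values matter only for ordering, e.g. `Values are ignored except to delay module.peering until the listed resources exist.`, so nobody later tries to pass something meaningful through it. The same two-line change applies to the five sibling variables.tf files in this commit.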
diff --git a/4-projects/business_unit_1/non-production/README.md b/4-projects/business_unit_1/non-production/README.md index 28e9f6975..5d9645874 100644 --- a/4-projects/business_unit_1/non-production/README.md +++ b/4-projects/business_unit_1/non-production/README.md @@ -7,6 +7,7 @@ | billing\_account | The ID of the billing account to associated this project with | string | n/a | yes | | org\_id | The organization id for the associated services | string | n/a | yes | | parent\_folder | Optional - if using a folder for testing. | string | `""` | no | +| peering\_module\_depends\_on | List of modules or resources peering module depends on. | list | `` | no | | perimeter\_name | Access context manager service perimeter name to attach the restricted svpc project. | string | n/a | yes | | skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud is already available outside the module) | bool | `"true"` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform | string | n/a | yes | diff --git a/4-projects/business_unit_1/non-production/example_peering_project.tf b/4-projects/business_unit_1/non-production/example_peering_project.tf index 722dababa..d6b384ad1 100644 --- a/4-projects/business_unit_1/non-production/example_peering_project.tf +++ b/4-projects/business_unit_1/non-production/example_peering_project.tf @@ -57,4 +57,6 @@ module "peering" { prefix = "bu1-n" local_network = module.peering_network.network_self_link peer_network = data.google_compute_network.shared_vpc.self_link + + module_depends_on = var.peering_module_depends_on } diff --git a/4-projects/business_unit_1/non-production/variables.tf b/4-projects/business_unit_1/non-production/variables.tf index bec230ecd..98e933f32 100644 --- a/4-projects/business_unit_1/non-production/variables.tf +++ b/4-projects/business_unit_1/non-production/variables.tf 
@@ -50,3 +50,9 @@ variable "perimeter_name" { description = "Access context manager service perimeter name to attach the restricted svpc project." type = string } + +variable "peering_module_depends_on" { + description = "List of modules or resources peering module depends on." + type = list + default = [] +} diff --git a/4-projects/business_unit_1/production/README.md b/4-projects/business_unit_1/production/README.md index 87f4e274a..aa066fb8d 100644 --- a/4-projects/business_unit_1/production/README.md +++ b/4-projects/business_unit_1/production/README.md @@ -8,6 +8,7 @@ | env\_code | A short form of the environment field | string | `"p"` | no | | org\_id | The organization id for the associated services | string | n/a | yes | | parent\_folder | Optional - if using a folder for testing. | string | `""` | no | +| peering\_module\_depends\_on | List of modules or resources peering module depends on. | list | `` | no | | perimeter\_name | Access context manager service perimeter name to attach the restricted svpc project. | string | n/a | yes | | skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud is already available outside the module) | bool | `"true"` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform | string | n/a | yes | diff --git a/4-projects/business_unit_1/production/example_peering_project.tf b/4-projects/business_unit_1/production/example_peering_project.tf index 27eac32e6..84ccd7a97 100644 --- a/4-projects/business_unit_1/production/example_peering_project.tf +++ b/4-projects/business_unit_1/production/example_peering_project.tf @@ -56,4 +56,6 @@ module "peering" { prefix = "bu1-p" local_network = module.peering_network.network_self_link peer_network = data.google_compute_network.shared_vpc.self_link + + module_depends_on = var.peering_module_depends_on } 
diff --git a/4-projects/business_unit_1/production/variables.tf b/4-projects/business_unit_1/production/variables.tf index a790eb74e..9a404438f 100644 --- a/4-projects/business_unit_1/production/variables.tf +++ b/4-projects/business_unit_1/production/variables.tf @@ -56,3 +56,9 @@ variable "perimeter_name" { description = "Access context manager service perimeter name to attach the restricted svpc project." type = string } + +variable "peering_module_depends_on" { + description = "List of modules or resources peering module depends on." + type = list + default = [] +} diff --git a/4-projects/business_unit_2/development/README.md b/4-projects/business_unit_2/development/README.md index 28e9f6975..5d9645874 100644 --- a/4-projects/business_unit_2/development/README.md +++ b/4-projects/business_unit_2/development/README.md @@ -7,6 +7,7 @@ | billing\_account | The ID of the billing account to associated this project with | string | n/a | yes | | org\_id | The organization id for the associated services | string | n/a | yes | | parent\_folder | Optional - if using a folder for testing. | string | `""` | no | +| peering\_module\_depends\_on | List of modules or resources peering module depends on. | list | `` | no | | perimeter\_name | Access context manager service perimeter name to attach the restricted svpc project. | string | n/a | yes | | skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud is already available outside the module) | bool | `"true"` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform | string | n/a | yes | diff --git a/4-projects/business_unit_2/development/example_peering_project.tf b/4-projects/business_unit_2/development/example_peering_project.tf index 379c47576..79ff747d0 100644 --- a/4-projects/business_unit_2/development/example_peering_project.tf +++ b/4-projects/business_unit_2/development/example_peering_project.tf 
@@ -57,4 +57,6 @@ module "peering" { prefix = "bu2-d" local_network = module.peering_network.network_self_link peer_network = data.google_compute_network.shared_vpc.self_link + + module_depends_on = var.peering_module_depends_on } diff --git a/4-projects/business_unit_2/development/variables.tf b/4-projects/business_unit_2/development/variables.tf index bec230ecd..98e933f32 100644 --- a/4-projects/business_unit_2/development/variables.tf +++ b/4-projects/business_unit_2/development/variables.tf @@ -50,3 +50,9 @@ variable "perimeter_name" { description = "Access context manager service perimeter name to attach the restricted svpc project." type = string } + +variable "peering_module_depends_on" { + description = "List of modules or resources peering module depends on." + type = list + default = [] +} diff --git a/4-projects/business_unit_2/non-production/README.md b/4-projects/business_unit_2/non-production/README.md index 28e9f6975..5d9645874 100644 --- a/4-projects/business_unit_2/non-production/README.md +++ b/4-projects/business_unit_2/non-production/README.md @@ -7,6 +7,7 @@ | billing\_account | The ID of the billing account to associated this project with | string | n/a | yes | | org\_id | The organization id for the associated services | string | n/a | yes | | parent\_folder | Optional - if using a folder for testing. | string | `""` | no | +| peering\_module\_depends\_on | List of modules or resources peering module depends on. | list | `` | no | | perimeter\_name | Access context manager service perimeter name to attach the restricted svpc project. | string | n/a | yes | | skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud is already available outside the module) | bool | `"true"` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform | string | n/a | yes | 
diff --git a/4-projects/business_unit_2/non-production/example_peering_project.tf b/4-projects/business_unit_2/non-production/example_peering_project.tf index 62b2bcfc6..7b4d35c5e 100644 --- a/4-projects/business_unit_2/non-production/example_peering_project.tf +++ b/4-projects/business_unit_2/non-production/example_peering_project.tf @@ -52,9 +52,10 @@ module "peering_network" { } module "peering" { - source = "terraform-google-modules/network/google//modules/network-peering" - + source = "terraform-google-modules/network/google//modules/network-peering" prefix = "bu2-n" local_network = module.peering_network.network_self_link peer_network = data.google_compute_network.shared_vpc.self_link + + module_depends_on = var.peering_module_depends_on } diff --git a/4-projects/business_unit_2/non-production/variables.tf b/4-projects/business_unit_2/non-production/variables.tf index bec230ecd..98e933f32 100644 --- a/4-projects/business_unit_2/non-production/variables.tf +++ b/4-projects/business_unit_2/non-production/variables.tf @@ -50,3 +50,9 @@ variable "perimeter_name" { description = "Access context manager service perimeter name to attach the restricted svpc project." type = string } + +variable "peering_module_depends_on" { + description = "List of modules or resources peering module depends on." + type = list + default = [] +} diff --git a/4-projects/business_unit_2/production/README.md b/4-projects/business_unit_2/production/README.md index 28e9f6975..5d9645874 100644 --- a/4-projects/business_unit_2/production/README.md +++ b/4-projects/business_unit_2/production/README.md 
@@ -7,6 +7,7 @@ | billing\_account | The ID of the billing account to associated this project with | string | n/a | yes | | org\_id | The organization id for the associated services | string | n/a | yes | | parent\_folder | Optional - if using a folder for testing. | string | `""` | no | +| peering\_module\_depends\_on | List of modules or resources peering module depends on. | list | `` | no | | perimeter\_name | Access context manager service perimeter name to attach the restricted svpc project. | string | n/a | yes | | skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud is already available outside the module) | bool | `"true"` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform | string | n/a | yes | diff --git a/4-projects/business_unit_2/production/example_peering_project.tf b/4-projects/business_unit_2/production/example_peering_project.tf index 79e7d825b..8cbf8c4e0 100644 --- a/4-projects/business_unit_2/production/example_peering_project.tf +++ b/4-projects/business_unit_2/production/example_peering_project.tf @@ -56,4 +56,6 @@ module "peering" { prefix = "bu2-p" local_network = module.peering_network.network_self_link peer_network = data.google_compute_network.shared_vpc.self_link + + module_depends_on = var.peering_module_depends_on } diff --git a/4-projects/business_unit_2/production/variables.tf b/4-projects/business_unit_2/production/variables.tf index bec230ecd..98e933f32 100644 --- a/4-projects/business_unit_2/production/variables.tf +++ b/4-projects/business_unit_2/production/variables.tf @@ -50,3 +50,9 @@ variable "perimeter_name" { description = "Access context manager service perimeter name to attach the restricted svpc project." type = string } + +variable "peering_module_depends_on" { + description = "List of modules or resources peering module depends on." + type = list + default = [] +} From 9d4eb8b0077d1c5d3f29c62ad12b7d026f67cb87 Mon Sep 17 00:00:00 2001 
From: Amanda Karina Lopes de Oliveira Date: Thu, 24 Sep 2020 09:45:30 -0300 Subject: [PATCH 07/16] Adds dependency on tests --- test/fixtures/projects/main.tf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/test/fixtures/projects/main.tf b/test/fixtures/projects/main.tf index 7f8c1ff02..e19bfe82c 100644 --- a/test/fixtures/projects/main.tf +++ b/test/fixtures/projects/main.tf @@ -53,6 +53,7 @@ module "projects_bu2_dev" { access_context_manager_policy_id = var.policy_id parent_folder = var.parent_folder perimeter_name = var.dev_restricted_service_perimeter_name + peering_module_depends_on = [module.projects_bu1_dev.complete] } module "projects_bu2_nonprod" { @@ -63,6 +64,7 @@ module "projects_bu2_nonprod" { access_context_manager_policy_id = var.policy_id parent_folder = var.parent_folder perimeter_name = var.nonprod_restricted_service_perimeter_name + peering_module_depends_on = [module.projects_bu1_nonprod.complete] } @@ -74,4 +76,5 @@ module "projects_bu2_prod" { access_context_manager_policy_id = var.policy_id parent_folder = var.parent_folder perimeter_name = var.prod_restricted_service_perimeter_name + peering_module_depends_on = [module.projects_bu1_prod.complete] } From bc323e318411de41eefc025dea9523afe51be56e Mon Sep 17 00:00:00 2001 From: Amanda Karina Lopes de Oliveira Date: Thu, 24 Sep 2020 10:01:26 -0300 Subject: [PATCH 08/16] Adds peering complete output --- 4-projects/business_unit_1/development/outputs.tf | 5 +++++ 4-projects/business_unit_1/non-production/outputs.tf | 5 +++++ 4-projects/business_unit_1/production/outputs.tf | 5 +++++ 4-projects/business_unit_2/development/outputs.tf | 5 +++++ 4-projects/business_unit_2/non-production/outputs.tf | 5 +++++ 4-projects/business_unit_2/production/outputs.tf | 5 +++++ test/fixtures/projects/main.tf | 6 +++--- 7 files changed, 33 insertions(+), 3 deletions(-) 
diff --git a/4-projects/business_unit_1/development/outputs.tf b/4-projects/business_unit_1/development/outputs.tf index bac3540a5..f4e434fe1 100644 --- a/4-projects/business_unit_1/development/outputs.tf +++ b/4-projects/business_unit_1/development/outputs.tf @@ -48,3 +48,8 @@ output "access_context_manager_policy_id" { description = "Access Context Manager Policy ID." value = var.access_context_manager_policy_id } + +output "peering_complete" { + description = "Output to be used as a module dependency." + value = module.peering.complete +} diff --git a/4-projects/business_unit_1/non-production/outputs.tf b/4-projects/business_unit_1/non-production/outputs.tf index bac3540a5..f4e434fe1 100644 --- a/4-projects/business_unit_1/non-production/outputs.tf +++ b/4-projects/business_unit_1/non-production/outputs.tf @@ -48,3 +48,8 @@ output "access_context_manager_policy_id" { description = "Access Context Manager Policy ID." value = var.access_context_manager_policy_id } + +output "peering_complete" { + description = "Output to be used as a module dependency." + value = module.peering.complete +} diff --git a/4-projects/business_unit_1/production/outputs.tf b/4-projects/business_unit_1/production/outputs.tf index bac3540a5..f4e434fe1 100644 --- a/4-projects/business_unit_1/production/outputs.tf +++ b/4-projects/business_unit_1/production/outputs.tf @@ -48,3 +48,8 @@ output "access_context_manager_policy_id" { description = "Access Context Manager Policy ID." value = var.access_context_manager_policy_id } + +output "peering_complete" { + description = "Output to be used as a module dependency." + value = module.peering.complete +} diff --git a/4-projects/business_unit_2/development/outputs.tf b/4-projects/business_unit_2/development/outputs.tf index bac3540a5..f4e434fe1 100644 --- a/4-projects/business_unit_2/development/outputs.tf +++ b/4-projects/business_unit_2/development/outputs.tf 
@@ -48,3 +48,8 @@ output "access_context_manager_policy_id" { description = "Access Context Manager Policy ID." value = var.access_context_manager_policy_id } + +output "peering_complete" { + description = "Output to be used as a module dependency." + value = module.peering.complete +} diff --git a/4-projects/business_unit_2/non-production/outputs.tf b/4-projects/business_unit_2/non-production/outputs.tf index bac3540a5..f4e434fe1 100644 --- a/4-projects/business_unit_2/non-production/outputs.tf +++ b/4-projects/business_unit_2/non-production/outputs.tf @@ -48,3 +48,8 @@ output "access_context_manager_policy_id" { description = "Access Context Manager Policy ID." value = var.access_context_manager_policy_id } + +output "peering_complete" { + description = "Output to be used as a module dependency." + value = module.peering.complete +} diff --git a/4-projects/business_unit_2/production/outputs.tf b/4-projects/business_unit_2/production/outputs.tf index bac3540a5..f4e434fe1 100644 --- a/4-projects/business_unit_2/production/outputs.tf +++ b/4-projects/business_unit_2/production/outputs.tf @@ -48,3 +48,8 @@ output "access_context_manager_policy_id" { description = "Access Context Manager Policy ID." value = var.access_context_manager_policy_id } + +output "peering_complete" { + description = "Output to be used as a module dependency." + value = module.peering.complete +} diff --git a/test/fixtures/projects/main.tf b/test/fixtures/projects/main.tf index e19bfe82c..824d4bd92 100644 --- a/test/fixtures/projects/main.tf +++ b/test/fixtures/projects/main.tf @@ -53,7 +53,7 @@ module "projects_bu2_dev" { access_context_manager_policy_id = var.policy_id parent_folder = var.parent_folder perimeter_name = var.dev_restricted_service_perimeter_name - peering_module_depends_on = [module.projects_bu1_dev.complete] + peering_module_depends_on = [module.projects_bu1_dev.peering_complete] } module "projects_bu2_nonprod" { 
@@ -64,7 +64,7 @@ module "projects_bu2_nonprod" { access_context_manager_policy_id = var.policy_id parent_folder = var.parent_folder perimeter_name = var.nonprod_restricted_service_perimeter_name - peering_module_depends_on = [module.projects_bu1_nonprod.complete] + peering_module_depends_on = [module.projects_bu1_nonprod.peering_complete] } @@ -76,5 +76,5 @@ module "projects_bu2_prod" { access_context_manager_policy_id = var.policy_id parent_folder = var.parent_folder perimeter_name = var.prod_restricted_service_perimeter_name - peering_module_depends_on = [module.projects_bu1_prod.complete] + peering_module_depends_on = [module.projects_bu1_prod.peering_complete] } From 353623c20999d655f0885689d59a79c44ea077b3 Mon Sep 17 00:00:00 2001 From: Amanda Karina Lopes de Oliveira Date: Thu, 24 Sep 2020 10:03:40 -0300 Subject: [PATCH 09/16] Adds peering complete output --- .../business_unit_1/development/README.md | 4 + .../development/example_peering_project.tf | 190 ++++++++++++++++++ .../business_unit_1/non-production/README.md | 1 + .../business_unit_1/production/README.md | 1 + .../business_unit_2/development/README.md | 4 + .../development/example_peering_project.tf | 190 ++++++++++++++++++ .../business_unit_2/non-production/README.md | 1 + .../business_unit_2/production/README.md | 1 + 8 files changed, 392 insertions(+) diff --git a/4-projects/business_unit_1/development/README.md b/4-projects/business_unit_1/development/README.md index 5d9645874..c4ffa16c0 100644 --- a/4-projects/business_unit_1/development/README.md +++ b/4-projects/business_unit_1/development/README.md 
@@ -5,12 +5,15 @@ |------|-------------|:----:|:-----:|:-----:| | access\_context\_manager\_policy\_id | The ID of the access context manager policy the perimeter lies in. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR-ORGANIZATION_ID --format="value(name)"`. | string | n/a | yes | | billing\_account | The ID of the billing account to associated this project with | string | n/a | yes | +| firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | bool | `"true"` | no | +| optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | bool | `"false"` | no | | org\_id | The organization id for the associated services | string | n/a | yes | | parent\_folder | Optional - if using a folder for testing. | string | `""` | no | | peering\_module\_depends\_on | List of modules or resources peering module depends on. | list | `` | no | | perimeter\_name | Access context manager service perimeter name to attach the restricted svpc project. | string | n/a | yes | | skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud is already available outside the module) | bool | `"true"` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform | string | n/a | yes | +| windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | bool | `"false"` | no | ## Outputs 
@@ -19,6 +22,7 @@ | access\_context\_manager\_policy\_id | Access Context Manager Policy ID. | | base\_shared\_vpc\_project | Project sample base project. | | floating\_project | Project sample floating project. | +| peering\_complete | Output to be used as a module dependency. | | restricted\_enabled\_apis | Activated APIs. | | restricted\_shared\_vpc\_project | Project sample restricted project id. | | restricted\_shared\_vpc\_project\_number | Project sample restricted project. | diff --git a/4-projects/business_unit_1/development/example_peering_project.tf b/4-projects/business_unit_1/development/example_peering_project.tf index e3230a272..fde742133 100644 --- a/4-projects/business_unit_1/development/example_peering_project.tf +++ b/4-projects/business_unit_1/development/example_peering_project.tf @@ -23,6 +23,18 @@ data "google_compute_network" "shared_vpc" { project = data.google_projects.projects.projects[0].project_id } +data "google_netblock_ip_ranges" "legacy_health_checkers" { + range_type = "legacy-health-checkers" +} + +data "google_netblock_ip_ranges" "health_checkers" { + range_type = "health-checkers" +} + +data "google_netblock_ip_ranges" "iap_forwarders" { + range_type = "iap-forwarders" +} + module "peering_project" { source = "../../modules/single_project" impersonate_service_account = var.terraform_service_account 
@@ -60,3 +72,181 @@ module "peering" { module_depends_on = var.peering_module_depends_on } + +/****************************************** + Mandatory firewall rules + *****************************************/ + +resource "google_compute_firewall" "deny_all_egress" { + name = "fw-d-peering-base-65535-e-d-all-all-tcp-udp" + network = "vpc-d-peering-base" + project = module.peering_project.project_id + direction = "EGRESS" + priority = 65535 + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? [{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + deny { + protocol = "tcp" + } + + deny { + protocol = "udp" + } + + destination_ranges = ["0.0.0.0/0"] +} + + +resource "google_compute_firewall" "allow_private_api_egress" { + name = "fw-d-peering-base-65534-e-a-allow-google-apis-all-tcp-443" + network = "vpc-d-peering-base" + project = module.peering_project.project_id + direction = "EGRESS" + priority = 65534 + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? [{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + allow { + protocol = "tcp" + ports = ["443"] + } + + destination_ranges = ["199.36.153.8/30"] + + target_tags = ["allow-google-apis"] +} + + +/****************************************** + Optional firewall rules + *****************************************/ + +// Allow SSH via IAP when using the allow-iap-ssh tag for Linux workloads. +resource "google_compute_firewall" "allow_iap_ssh" { + count = var.optional_fw_rules_enabled ? 1 : 0 + name = "fw-d-peering-base-1000-i-a-all-allow-iap-ssh-tcp-22" + network = "vpc-d-peering-base" + project = module.peering_project.project_id + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? 
[{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + // Cloud IAP's TCP forwarding netblock + source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4) + + allow { + protocol = "tcp" + ports = ["22"] + } + + target_tags = ["allow-iap-ssh"] +} + +// Allow RDP via IAP when using the allow-iap-rdp tag for Windows workloads. +resource "google_compute_firewall" "allow_iap_rdp" { + count = var.optional_fw_rules_enabled ? 1 : 0 + name = "fw-d-peering-base-1000-i-a-all-allow-iap-rdp-tcp-3389" + network = "vpc-d-peering-base" + project = module.peering_project.project_id + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? [{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + // Cloud IAP's TCP forwarding netblock + source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4) + + allow { + protocol = "tcp" + ports = ["3389"] + } + + target_tags = ["allow-iap-rdp"] +} + +// Allow access to kms.windows.googlecloud.com for Windows license activation +resource "google_compute_firewall" "allow_windows_activation" { + count = var.windows_activation_enabled ? 1 : 0 + name = "fw-d-peering-base-0-e-a-allow-win-activation-all-tcp-1688" + network = "vpc-d-peering-base" + project = module.peering_project.project_id + direction = "EGRESS" + priority = 0 + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? [{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + allow { + protocol = "tcp" + ports = ["1688"] + } + + destination_ranges = ["35.190.247.13/32"] + + target_tags = ["allow-win-activation"] +} + +// Allow traffic for Internal & Global load balancing health check and load balancing IP ranges. +resource "google_compute_firewall" "allow_lb" { + count = var.optional_fw_rules_enabled ? 
1 : 0 + name = "fw-d-peering-base-1000-i-a-all-allow-lb-tcp-80-8080-443" + network = "vpc-d-peering-base" + project = module.peering_project.project_id + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? [{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + source_ranges = concat(data.google_netblock_ip_ranges.health_checkers.cidr_blocks_ipv4, data.google_netblock_ip_ranges.legacy_health_checkers.cidr_blocks_ipv4) + + // Allow common app ports by default. + allow { + protocol = "tcp" + ports = ["80", "8080", "443"] + } + + target_tags = ["allow-lb"] +} diff --git a/4-projects/business_unit_1/non-production/README.md b/4-projects/business_unit_1/non-production/README.md index 5d9645874..4b63c9028 100644 --- a/4-projects/business_unit_1/non-production/README.md +++ b/4-projects/business_unit_1/non-production/README.md @@ -19,6 +19,7 @@ | access\_context\_manager\_policy\_id | Access Context Manager Policy ID. | | base\_shared\_vpc\_project | Project sample base project. | | floating\_project | Project sample floating project. | +| peering\_complete | Output to be used as a module dependency. | | restricted\_enabled\_apis | Activated APIs. | | restricted\_shared\_vpc\_project | Project sample restricted project id. | | restricted\_shared\_vpc\_project\_number | Project sample restricted project. | diff --git a/4-projects/business_unit_1/production/README.md b/4-projects/business_unit_1/production/README.md index aa066fb8d..08210e67e 100644 --- a/4-projects/business_unit_1/production/README.md +++ b/4-projects/business_unit_1/production/README.md 
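Review bot: Every firewall resource in this hunk sets `network = "vpc-d-peering-base"` as a literal string rather than a reference, so Terraform records no dependency between the rules and the VPC they attach to and can attempt to create them before the network exists on a fresh apply (the network is created outside this hunk). If the VPC is built by a module in this file, point the rules at its output, e.g. `network = module.peering_network.network_name`, and derive the `fw-d-peering-base-…` rule names from the same value instead of repeating the literal five times. Separately, `deny_all_egress` denies only `tcp` and `udp`, so ICMP and any other IP protocol still reaches `0.0.0.0/0` through the implied allow-egress rule; if the intent is a true default-deny, a single `deny { protocol = "all" }` closes that gap and the `-tcp-udp` suffix in the rule name should change with it.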
@@ -20,6 +20,7 @@ | access\_context\_manager\_policy\_id | Access Context Manager Policy ID. | | base\_shared\_vpc\_project | Project sample base project. | | floating\_project | Project sample floating project. | +| peering\_complete | Output to be used as a module dependency. | | restricted\_enabled\_apis | Activated APIs. | | restricted\_shared\_vpc\_project | Project sample restricted project id. | | restricted\_shared\_vpc\_project\_number | Project sample restricted project. | diff --git a/4-projects/business_unit_2/development/README.md b/4-projects/business_unit_2/development/README.md index 5d9645874..c4ffa16c0 100644 --- a/4-projects/business_unit_2/development/README.md +++ b/4-projects/business_unit_2/development/README.md 
@@ -5,12 +5,15 @@ |------|-------------|:----:|:-----:|:-----:| | access\_context\_manager\_policy\_id | The ID of the access context manager policy the perimeter lies in. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR-ORGANIZATION_ID --format="value(name)"`. | string | n/a | yes | | billing\_account | The ID of the billing account to associated this project with | string | n/a | yes | +| firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | bool | `"true"` | no | +| optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | bool | `"false"` | no | | org\_id | The organization id for the associated services | string | n/a | yes | | parent\_folder | Optional - if using a folder for testing. | string | `""` | no | | peering\_module\_depends\_on | List of modules or resources peering module depends on. | list | `` | no | | perimeter\_name | Access context manager service perimeter name to attach the restricted svpc project. | string | n/a | yes | | skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud is already available outside the module) | bool | `"true"` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform | string | n/a | yes | +| windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | bool | `"false"` | no | ## Outputs 
@@ -19,6 +22,7 @@ | access\_context\_manager\_policy\_id | Access Context Manager Policy ID. | | base\_shared\_vpc\_project | Project sample base project. | | floating\_project | Project sample floating project. | +| peering\_complete | Output to be used as a module dependency. | | restricted\_enabled\_apis | Activated APIs. | | restricted\_shared\_vpc\_project | Project sample restricted project id. | | restricted\_shared\_vpc\_project\_number | Project sample restricted project. | diff --git a/4-projects/business_unit_2/development/example_peering_project.tf b/4-projects/business_unit_2/development/example_peering_project.tf index 79ff747d0..2ae6a1a77 100644 --- a/4-projects/business_unit_2/development/example_peering_project.tf +++ b/4-projects/business_unit_2/development/example_peering_project.tf @@ -23,6 +23,18 @@ data "google_compute_network" "shared_vpc" { project = data.google_projects.projects.projects[0].project_id } +data "google_netblock_ip_ranges" "legacy_health_checkers" { + range_type = "legacy-health-checkers" +} + +data "google_netblock_ip_ranges" "health_checkers" { + range_type = "health-checkers" +} + +data "google_netblock_ip_ranges" "iap_forwarders" { + range_type = "iap-forwarders" +} + module "peering_project" { source = "../../modules/single_project" impersonate_service_account = var.terraform_service_account 
@@ -60,3 +72,181 @@ module "peering" { module_depends_on = var.peering_module_depends_on } + +/****************************************** + Mandatory firewall rules + *****************************************/ + +resource "google_compute_firewall" "deny_all_egress" { + name = "fw-d-peering-base-65535-e-d-all-all-tcp-udp" + network = "vpc-d-peering-base" + project = module.peering_project.project_id + direction = "EGRESS" + priority = 65535 + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? [{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + deny { + protocol = "tcp" + } + + deny { + protocol = "udp" + } + + destination_ranges = ["0.0.0.0/0"] +} + + +resource "google_compute_firewall" "allow_private_api_egress" { + name = "fw-d-peering-base-65534-e-a-allow-google-apis-all-tcp-443" + network = "vpc-d-peering-base" + project = module.peering_project.project_id + direction = "EGRESS" + priority = 65534 + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? [{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + allow { + protocol = "tcp" + ports = ["443"] + } + + destination_ranges = ["199.36.153.8/30"] + + target_tags = ["allow-google-apis"] +} + + +/****************************************** + Optional firewall rules + *****************************************/ + +// Allow SSH via IAP when using the allow-iap-ssh tag for Linux workloads. +resource "google_compute_firewall" "allow_iap_ssh" { + count = var.optional_fw_rules_enabled ? 1 : 0 + name = "fw-d-peering-base-1000-i-a-all-allow-iap-ssh-tcp-22" + network = "vpc-d-peering-base" + project = module.peering_project.project_id + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? 
[{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + // Cloud IAP's TCP forwarding netblock + source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4) + + allow { + protocol = "tcp" + ports = ["22"] + } + + target_tags = ["allow-iap-ssh"] +} + +// Allow RDP via IAP when using the allow-iap-rdp tag for Windows workloads. +resource "google_compute_firewall" "allow_iap_rdp" { + count = var.optional_fw_rules_enabled ? 1 : 0 + name = "fw-d-peering-base-1000-i-a-all-allow-iap-rdp-tcp-3389" + network = "vpc-d-peering-base" + project = module.peering_project.project_id + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? [{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + // Cloud IAP's TCP forwarding netblock + source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4) + + allow { + protocol = "tcp" + ports = ["3389"] + } + + target_tags = ["allow-iap-rdp"] +} + +// Allow access to kms.windows.googlecloud.com for Windows license activation +resource "google_compute_firewall" "allow_windows_activation" { + count = var.windows_activation_enabled ? 1 : 0 + name = "fw-d-peering-base-0-e-a-allow-win-activation-all-tcp-1688" + network = "vpc-d-peering-base" + project = module.peering_project.project_id + direction = "EGRESS" + priority = 0 + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? [{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + allow { + protocol = "tcp" + ports = ["1688"] + } + + destination_ranges = ["35.190.247.13/32"] + + target_tags = ["allow-win-activation"] +} + +// Allow traffic for Internal & Global load balancing health check and load balancing IP ranges. +resource "google_compute_firewall" "allow_lb" { + count = var.optional_fw_rules_enabled ? 
1 : 0 + name = "fw-d-peering-base-1000-i-a-all-allow-lb-tcp-80-8080-443" + network = "vpc-d-peering-base" + project = module.peering_project.project_id + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? [{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + source_ranges = concat(data.google_netblock_ip_ranges.health_checkers.cidr_blocks_ipv4, data.google_netblock_ip_ranges.legacy_health_checkers.cidr_blocks_ipv4) + + // Allow common app ports by default. + allow { + protocol = "tcp" + ports = ["80", "8080", "443"] + } + + target_tags = ["allow-lb"] +} diff --git a/4-projects/business_unit_2/non-production/README.md b/4-projects/business_unit_2/non-production/README.md index 5d9645874..4b63c9028 100644 --- a/4-projects/business_unit_2/non-production/README.md +++ b/4-projects/business_unit_2/non-production/README.md @@ -19,6 +19,7 @@ | access\_context\_manager\_policy\_id | Access Context Manager Policy ID. | | base\_shared\_vpc\_project | Project sample base project. | | floating\_project | Project sample floating project. | +| peering\_complete | Output to be used as a module dependency. | | restricted\_enabled\_apis | Activated APIs. | | restricted\_shared\_vpc\_project | Project sample restricted project id. | | restricted\_shared\_vpc\_project\_number | Project sample restricted project. | diff --git a/4-projects/business_unit_2/production/README.md b/4-projects/business_unit_2/production/README.md index 5d9645874..4b63c9028 100644 --- a/4-projects/business_unit_2/production/README.md +++ b/4-projects/business_unit_2/production/README.md 
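Review bot: This hunk is a verbatim copy of the business_unit_1 development firewall block, and the same ~180 lines recur for every business unit and environment with only the `d`/`n`/`p` prefix changed, which is exactly the pattern that lets the copies drift (the deny-rule names in the later patches of this series already differ). Moving the rule set into a module under `4-projects/modules/` that takes the environment prefix, project id, network name and the three toggles as inputs would keep the egress policy reviewable in one place. Two smaller style points in the same block: `concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4)` with a single argument is a no-op, so `source_ranges = data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4` says the same thing; and `var.firewall_enable_logging == true ? … : …` can be written `var.firewall_enable_logging ? … : …` since the variable is typed `bool`.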
@@ -19,6 +19,7 @@ | access\_context\_manager\_policy\_id | Access Context Manager Policy ID. | | base\_shared\_vpc\_project | Project sample base project. | | floating\_project | Project sample floating project. | +| peering\_complete | Output to be used as a module dependency. | | restricted\_enabled\_apis | Activated APIs. | | restricted\_shared\_vpc\_project | Project sample restricted project id. | | restricted\_shared\_vpc\_project\_number | Project sample restricted project. | From 89298423559dd8b8a26c8d8819737b47bbb586f5 Mon Sep 17 00:00:00 2001 From: Amanda Karina Lopes de Oliveira Date: Thu, 24 Sep 2020 10:12:39 -0300 Subject: [PATCH 10/16] Adds firewall rules --- .../business_unit_1/development/variables.tf | 18 ++ .../non-production/example_peering_project.tf | 192 ++++++++++++++++++ .../non-production/variables.tf | 18 ++ .../production/example_peering_project.tf | 190 +++++++++++++++++ .../business_unit_1/production/variables.tf | 36 ++++ .../business_unit_2/development/variables.tf | 18 ++ .../non-production/example_peering_project.tf | 190 +++++++++++++++++ .../non-production/variables.tf | 18 ++ .../production/example_peering_project.tf | 190 +++++++++++++++++ .../business_unit_2/production/variables.tf | 18 ++ 10 files changed, 888 insertions(+) diff --git a/4-projects/business_unit_1/development/variables.tf b/4-projects/business_unit_1/development/variables.tf index 98e933f32..747df103d 100644 --- a/4-projects/business_unit_1/development/variables.tf +++ b/4-projects/business_unit_1/development/variables.tf 
@@ -56,3 +56,21 @@ variable "peering_module_depends_on" { type = list default = [] } + +variable "firewall_enable_logging" { + type = bool + description = "Toggle firewall logging for VPC Firewalls." + default = true +} + +variable "optional_fw_rules_enabled" { + type = bool + description = "Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges." + default = false +} + +variable "windows_activation_enabled" { + type = bool + description = "Enable Windows license activation for Windows workloads." + default = false +} diff --git a/4-projects/business_unit_1/non-production/example_peering_project.tf b/4-projects/business_unit_1/non-production/example_peering_project.tf index d6b384ad1..f6036fc6a 100644 --- a/4-projects/business_unit_1/non-production/example_peering_project.tf +++ b/4-projects/business_unit_1/non-production/example_peering_project.tf @@ -23,6 +23,18 @@ data "google_compute_network" "shared_vpc" { project = data.google_projects.projects.projects[0].project_id } +data "google_netblock_ip_ranges" "legacy_health_checkers" { + range_type = "legacy-health-checkers" +} + +data "google_netblock_ip_ranges" "health_checkers" { + range_type = "health-checkers" +} + +data "google_netblock_ip_ranges" "iap_forwarders" { + range_type = "iap-forwarders" +} + module "peering_project" { source = "../../modules/single_project" impersonate_service_account = var.terraform_service_account 
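Review bot: `optional_fw_rules_enabled` gates three unrelated inbound allow rules — IAP SSH (tcp/22), IAP RDP (tcp/3389) and load-balancer health checks (tcp/80, 8080, 443) — behind one boolean, so a project that only needs Linux SSH over IAP also gets an RDP rule it will never use. Splitting it into per-rule toggles such as `iap_ssh_enabled`, `iap_rdp_enabled` and `lb_health_check_enabled` keeps each opening deliberate; if the single toggle is kept, its description should state explicitly that all three rules are created together. The rules are scoped by target tag, so exposure is limited to instances that carry the tag, which narrows but does not remove the point.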
@@ -60,3 +72,183 @@ module "peering" { module_depends_on = var.peering_module_depends_on } + + +/****************************************** + Mandatory firewall rules + *****************************************/ + +resource "google_compute_firewall" "deny_all_egress" { + name = "fw-n-peering-base-65535-e-n-all-all-tcp-udp" + network = "vpc-n-peering-base" + project = module.peering_project.project_id + direction = "EGRESS" + priority = 65535 + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? [{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + deny { + protocol = "tcp" + } + + deny { + protocol = "udp" + } + + destination_ranges = ["0.0.0.0/0"] +} + + +resource "google_compute_firewall" "allow_private_api_egress" { + name = "fw-n-peering-base-65534-e-a-allow-google-apis-all-tcp-443" + network = "vpc-n-peering-base" + project = module.peering_project.project_id + direction = "EGRESS" + priority = 65534 + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? [{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + allow { + protocol = "tcp" + ports = ["443"] + } + + destination_ranges = ["199.36.153.8/30"] + + target_tags = ["allow-google-apis"] +} + + +/****************************************** + Optional firewall rules + *****************************************/ + +// Allow SSH via IAP when using the allow-iap-ssh tag for Linux workloads. +resource "google_compute_firewall" "allow_iap_ssh" { + count = var.optional_fw_rules_enabled ? 1 : 0 + name = "fw-n-peering-base-1000-i-a-all-allow-iap-ssh-tcp-22" + network = "vpc-n-peering-base" + project = module.peering_project.project_id + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? 
[{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + // Cloud IAP's TCP forwarding netblock + source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4) + + allow { + protocol = "tcp" + ports = ["22"] + } + + target_tags = ["allow-iap-ssh"] +} + +// Allow RDP via IAP when using the allow-iap-rdp tag for Windows workloads. +resource "google_compute_firewall" "allow_iap_rdp" { + count = var.optional_fw_rules_enabled ? 1 : 0 + name = "fw-n-peering-base-1000-i-a-all-allow-iap-rdp-tcp-3389" + network = "vpc-n-peering-base" + project = module.peering_project.project_id + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? [{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + // Cloud IAP's TCP forwarding netblock + source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4) + + allow { + protocol = "tcp" + ports = ["3389"] + } + + target_tags = ["allow-iap-rdp"] +} + +// Allow access to kms.windows.googlecloud.com for Windows license activation +resource "google_compute_firewall" "allow_windows_activation" { + count = var.windows_activation_enabled ? 1 : 0 + name = "fw-n-peering-base-0-e-a-allow-win-activation-all-tcp-1688" + network = "vpc-n-peering-base" + project = module.peering_project.project_id + direction = "EGRESS" + priority = 0 + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? [{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + allow { + protocol = "tcp" + ports = ["1688"] + } + + destination_ranges = ["35.190.247.13/32"] + + target_tags = ["allow-win-activation"] +} + +// Allow traffic for Internal & Global load balancing health check and load balancing IP ranges. +resource "google_compute_firewall" "allow_lb" { + count = var.optional_fw_rules_enabled ? 
1 : 0 + name = "fw-n-peering-base-1000-i-a-all-allow-lb-tcp-80-8080-443" + network = "vpc-n-peering-base" + project = module.peering_project.project_id + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? [{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + source_ranges = concat(data.google_netblock_ip_ranges.health_checkers.cidr_blocks_ipv4, data.google_netblock_ip_ranges.legacy_health_checkers.cidr_blocks_ipv4) + + // Allow common app ports by default. + allow { + protocol = "tcp" + ports = ["80", "8080", "443"] + } + + target_tags = ["allow-lb"] +} + diff --git a/4-projects/business_unit_1/non-production/variables.tf b/4-projects/business_unit_1/non-production/variables.tf index 98e933f32..747df103d 100644 --- a/4-projects/business_unit_1/non-production/variables.tf +++ b/4-projects/business_unit_1/non-production/variables.tf @@ -56,3 +56,21 @@ variable "peering_module_depends_on" { type = list default = [] } + +variable "firewall_enable_logging" { + type = bool + description = "Toggle firewall logging for VPC Firewalls." + default = true +} + +variable "optional_fw_rules_enabled" { + type = bool + description = "Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges." + default = false +} + +variable "windows_activation_enabled" { + type = bool + description = "Enable Windows license activation for Windows workloads." + default = false +} diff --git a/4-projects/business_unit_1/production/example_peering_project.tf b/4-projects/business_unit_1/production/example_peering_project.tf index 84ccd7a97..afb827532 100644 --- a/4-projects/business_unit_1/production/example_peering_project.tf +++ b/4-projects/business_unit_1/production/example_peering_project.tf 
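Review bot: The name given to `deny_all_egress`, `fw-n-peering-base-65535-e-n-all-all-tcp-udp`, breaks the naming scheme used by the other rules in this hunk, where the token after the direction letter is the action (`e-a-…` on the allow rules); the development copy uses `e-d`, so the `n` here looks like an environment search-and-replace that also hit the action letter. It should read `fw-n-peering-base-65535-e-d-all-all-tcp-udp`, otherwise anyone filtering rules or firewall logs by the `-e-d-` convention will miss the deny rule in non-production. The hunk also adds two blank lines after the `peering` module and a trailing blank line at end of file, which `terraform fmt` will flag.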
@@ -23,6 +23,18 @@ data "google_compute_network" "shared_vpc" { project = data.google_projects.projects.projects[0].project_id } +data "google_netblock_ip_ranges" "legacy_health_checkers" { + range_type = "legacy-health-checkers" +} + +data "google_netblock_ip_ranges" "health_checkers" { + range_type = "health-checkers" +} + +data "google_netblock_ip_ranges" "iap_forwarders" { + range_type = "iap-forwarders" +} + module "peering_project" { source = "../../modules/single_project" impersonate_service_account = var.terraform_service_account 
@@ -59,3 +71,181 @@ module "peering" { module_depends_on = var.peering_module_depends_on } + +/****************************************** + Mandatory firewall rules + *****************************************/ + +resource "google_compute_firewall" "deny_all_egress" { + name = "fw-p-peering-base-65535-e-p-all-all-tcp-udp" + network = "vpc-p-peering-base" + project = module.peering_project.project_id + direction = "EGRESS" + priority = 65535 + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? [{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + deny { + protocol = "tcp" + } + + deny { + protocol = "udp" + } + + destination_ranges = ["0.0.0.0/0"] +} + + +resource "google_compute_firewall" "allow_private_api_egress" { + name = "fw-p-peering-base-65534-e-a-allow-google-apis-all-tcp-443" + network = "vpc-p-peering-base" + project = module.peering_project.project_id + direction = "EGRESS" + priority = 65534 + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? [{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + allow { + protocol = "tcp" + ports = ["443"] + } + + destination_ranges = ["199.36.153.8/30"] + + target_tags = ["allow-google-apis"] +} + + +/****************************************** + Optional firewall rules + *****************************************/ + +// Allow SSH via IAP when using the allow-iap-ssh tag for Linux workloads. +resource "google_compute_firewall" "allow_iap_ssh" { + count = var.optional_fw_rules_enabled ? 1 : 0 + name = "fw-p-peering-base-1000-i-a-all-allow-iap-ssh-tcp-22" + network = "vpc-p-peering-base" + project = module.peering_project.project_id + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? 
[{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + // Cloud IAP's TCP forwarding netblock + source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4) + + allow { + protocol = "tcp" + ports = ["22"] + } + + target_tags = ["allow-iap-ssh"] +} + +// Allow RDP via IAP when using the allow-iap-rdp tag for Windows workloads. +resource "google_compute_firewall" "allow_iap_rdp" { + count = var.optional_fw_rules_enabled ? 1 : 0 + name = "fw-p-peering-base-1000-i-a-all-allow-iap-rdp-tcp-3389" + network = "vpc-p-peering-base" + project = module.peering_project.project_id + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? [{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + // Cloud IAP's TCP forwarding netblock + source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4) + + allow { + protocol = "tcp" + ports = ["3389"] + } + + target_tags = ["allow-iap-rdp"] +} + +// Allow access to kms.windows.googlecloud.com for Windows license activation +resource "google_compute_firewall" "allow_windows_activation" { + count = var.windows_activation_enabled ? 1 : 0 + name = "fw-p-peering-base-0-e-a-allow-win-activation-all-tcp-1688" + network = "vpc-p-peering-base" + project = module.peering_project.project_id + direction = "EGRESS" + priority = 0 + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? [{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + allow { + protocol = "tcp" + ports = ["1688"] + } + + destination_ranges = ["35.190.247.13/32"] + + target_tags = ["allow-win-activation"] +} + +// Allow traffic for Internal & Global load balancing health check and load balancing IP ranges. +resource "google_compute_firewall" "allow_lb" { + count = var.optional_fw_rules_enabled ? 
1 : 0 + name = "fw-p-peering-base-1000-i-a-all-allow-lb-tcp-80-8080-443" + network = "vpc-p-peering-base" + project = module.peering_project.project_id + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? [{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + source_ranges = concat(data.google_netblock_ip_ranges.health_checkers.cidr_blocks_ipv4, data.google_netblock_ip_ranges.legacy_health_checkers.cidr_blocks_ipv4) + + // Allow common app ports by default. + allow { + protocol = "tcp" + ports = ["80", "8080", "443"] + } + + target_tags = ["allow-lb"] +} diff --git a/4-projects/business_unit_1/production/variables.tf b/4-projects/business_unit_1/production/variables.tf index 9a404438f..476040903 100644 --- a/4-projects/business_unit_1/production/variables.tf +++ b/4-projects/business_unit_1/production/variables.tf 
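Review bot: `deny_all_egress` is named `fw-p-peering-base-65535-e-p-all-all-tcp-udp`, but under the scheme the allow rules follow (`e-a-…`) the token after the direction is the action, so the production deny rule should be `fw-p-peering-base-65535-e-d-all-all-tcp-udp`; as written the environment letter has replaced the action letter, and the production rule no longer matches the development copy. The hard-coded `destination_ranges = ["199.36.153.8/30"]` in `allow_private_api_egress` would also benefit from a comment, since the choice between that VIP and the wider Google API ranges is a policy decision that depends on DNS being set up to resolve Google APIs to it; something like `// restricted.googleapis.com VIP — only reachable when the matching private DNS zone is configured; confirm` above the line would save the next reader a lookup.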
@@ -62,3 +62,39 @@ variable "peering_module_depends_on" { type = list default = [] } + +variable "firewall_enable_logging" { + type = bool + description = "Toggle firewall logging for VPC Firewalls." + default = true +} + +variable "optional_fw_rules_enabled" { + type = bool + description = "Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges." + default = false +} + +variable "windows_activation_enabled" { + type = bool + description = "Enable Windows license activation for Windows workloads." + default = false +} + +variable "firewall_enable_logging" { + type = bool + description = "Toggle firewall logging for VPC Firewalls." + default = true +} + +variable "optional_fw_rules_enabled" { + type = bool + description = "Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges." + default = false +} + +variable "windows_activation_enabled" { + type = bool + description = "Enable Windows license activation for Windows workloads." + default = false +} diff --git a/4-projects/business_unit_2/development/variables.tf b/4-projects/business_unit_2/development/variables.tf index 98e933f32..747df103d 100644 --- a/4-projects/business_unit_2/development/variables.tf +++ b/4-projects/business_unit_2/development/variables.tf 
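Review bot: This hunk declares `firewall_enable_logging`, `optional_fw_rules_enabled` and `windows_activation_enabled` twice in the same file — the second set of three `variable` blocks is an exact repeat of the first, and the diffstat's 36 added lines for production/variables.tf against 18 for every sibling confirms it. Terraform rejects a repeated `variable` name in one module, so `terraform validate` for business_unit_1/production will fail with a duplicate variable declaration until the second copy is deleted.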
@@ -56,3 +56,21 @@ variable "peering_module_depends_on" { type = list default = [] } + +variable "firewall_enable_logging" { + type = bool + description = "Toggle firewall logging for VPC Firewalls." + default = true +} + +variable "optional_fw_rules_enabled" { + type = bool + description = "Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges." + default = false +} + +variable "windows_activation_enabled" { + type = bool + description = "Enable Windows license activation for Windows workloads." + default = false +} diff --git a/4-projects/business_unit_2/non-production/example_peering_project.tf b/4-projects/business_unit_2/non-production/example_peering_project.tf index 7b4d35c5e..49e51237a 100644 --- a/4-projects/business_unit_2/non-production/example_peering_project.tf +++ b/4-projects/business_unit_2/non-production/example_peering_project.tf @@ -23,6 +23,18 @@ data "google_compute_network" "shared_vpc" { project = data.google_projects.projects.projects[0].project_id } +data "google_netblock_ip_ranges" "legacy_health_checkers" { + range_type = "legacy-health-checkers" +} + +data "google_netblock_ip_ranges" "health_checkers" { + range_type = "health-checkers" +} + +data "google_netblock_ip_ranges" "iap_forwarders" { + range_type = "iap-forwarders" +} + module "peering_project" { source = "../../modules/single_project" impersonate_service_account = var.terraform_service_account 
@@ -59,3 +71,181 @@ module "peering" { module_depends_on = var.peering_module_depends_on } + +/****************************************** + Mandatory firewall rules + *****************************************/ + +resource "google_compute_firewall" "deny_all_egress" { + name = "fw-n-peering-base-65535-e-n-all-all-tcp-udp" + network = "vpc-n-peering-base" + project = module.peering_project.project_id + direction = "EGRESS" + priority = 65535 + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? [{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + deny { + protocol = "tcp" + } + + deny { + protocol = "udp" + } + + destination_ranges = ["0.0.0.0/0"] +} + + +resource "google_compute_firewall" "allow_private_api_egress" { + name = "fw-n-peering-base-65534-e-a-allow-google-apis-all-tcp-443" + network = "vpc-n-peering-base" + project = module.peering_project.project_id + direction = "EGRESS" + priority = 65534 + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? [{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + allow { + protocol = "tcp" + ports = ["443"] + } + + destination_ranges = ["199.36.153.8/30"] + + target_tags = ["allow-google-apis"] +} + + +/****************************************** + Optional firewall rules + *****************************************/ + +// Allow SSH via IAP when using the allow-iap-ssh tag for Linux workloads. +resource "google_compute_firewall" "allow_iap_ssh" { + count = var.optional_fw_rules_enabled ? 1 : 0 + name = "fw-n-peering-base-1000-i-a-all-allow-iap-ssh-tcp-22" + network = "vpc-n-peering-base" + project = module.peering_project.project_id + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? 
[{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + // Cloud IAP's TCP forwarding netblock + source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4) + + allow { + protocol = "tcp" + ports = ["22"] + } + + target_tags = ["allow-iap-ssh"] +} + +// Allow RDP via IAP when using the allow-iap-rdp tag for Windows workloads. +resource "google_compute_firewall" "allow_iap_rdp" { + count = var.optional_fw_rules_enabled ? 1 : 0 + name = "fw-n-peering-base-1000-i-a-all-allow-iap-rdp-tcp-3389" + network = "vpc-n-peering-base" + project = module.peering_project.project_id + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? [{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + // Cloud IAP's TCP forwarding netblock + source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4) + + allow { + protocol = "tcp" + ports = ["3389"] + } + + target_tags = ["allow-iap-rdp"] +} + +// Allow access to kms.windows.googlecloud.com for Windows license activation +resource "google_compute_firewall" "allow_windows_activation" { + count = var.windows_activation_enabled ? 1 : 0 + name = "fw-n-peering-base-0-e-a-allow-win-activation-all-tcp-1688" + network = "vpc-n-peering-base" + project = module.peering_project.project_id + direction = "EGRESS" + priority = 0 + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? [{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + allow { + protocol = "tcp" + ports = ["1688"] + } + + destination_ranges = ["35.190.247.13/32"] + + target_tags = ["allow-win-activation"] +} + +// Allow traffic for Internal & Global load balancing health check and load balancing IP ranges. +resource "google_compute_firewall" "allow_lb" { + count = var.optional_fw_rules_enabled ? 
1 : 0 + name = "fw-n-peering-base-1000-i-a-all-allow-lb-tcp-80-8080-443" + network = "vpc-n-peering-base" + project = module.peering_project.project_id + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? [{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + source_ranges = concat(data.google_netblock_ip_ranges.health_checkers.cidr_blocks_ipv4, data.google_netblock_ip_ranges.legacy_health_checkers.cidr_blocks_ipv4) + + // Allow common app ports by default. + allow { + protocol = "tcp" + ports = ["80", "8080", "443"] + } + + target_tags = ["allow-lb"] +} diff --git a/4-projects/business_unit_2/non-production/variables.tf b/4-projects/business_unit_2/non-production/variables.tf index 98e933f32..747df103d 100644 --- a/4-projects/business_unit_2/non-production/variables.tf +++ b/4-projects/business_unit_2/non-production/variables.tf @@ -56,3 +56,21 @@ variable "peering_module_depends_on" { type = list default = [] } + +variable "firewall_enable_logging" { + type = bool + description = "Toggle firewall logging for VPC Firewalls." + default = true +} + +variable "optional_fw_rules_enabled" { + type = bool + description = "Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges." + default = false +} + +variable "windows_activation_enabled" { + type = bool + description = "Enable Windows license activation for Windows workloads." + default = false +} diff --git a/4-projects/business_unit_2/production/example_peering_project.tf b/4-projects/business_unit_2/production/example_peering_project.tf index 8cbf8c4e0..88dc194a0 100644 --- a/4-projects/business_unit_2/production/example_peering_project.tf +++ b/4-projects/business_unit_2/production/example_peering_project.tf 
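Review bot: `deny_all_egress` at priority 65535 denies only `tcp` and `udp`, so the implied allow-egress rule still permits ICMP and every other IP protocol even though the rule is introduced as the mandatory egress backstop; if a true default-deny is intended, a single `deny { protocol = "all" }` block replaces the two `deny` blocks while `destination_ranges = ["0.0.0.0/0"]` stays as is. Every rule in the hunk also hard-codes `network = "vpc-n-peering-base"` while `project` comes from `module.peering_project.project_id`, so Terraform has no dependency edge to whatever creates the VPC and a fresh apply can try to create the rules before the network exists (and a renamed network silently breaks them); if the VPC is created by a `peering_network` module in this file as in the development example, `network = module.peering_network.network_name` gives both ordering and a single source of truth. The same points apply to the business_unit_2 production hunk (`@@ -59,3 +71,181 @@` in production/example_peering_project.tf, network `vpc-p-peering-base`) and, as far as is visible, to the business_unit_1 production rules at the top of this chunk. Minor: `concat(...)` with a single argument in the IAP rules and `var.firewall_enable_logging == true` are no-ops that read more clearly as `data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4` and `var.firewall_enable_logging`, and the deny rule's `e-n`/`e-p` name segment breaks the `e-a`/`i-a` pattern the allow rules follow, which looks like it was meant as a deny marker and is worth confirming.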
@@ -23,6 +23,18 @@ data "google_compute_network" "shared_vpc" { project = data.google_projects.projects.projects[0].project_id } +data "google_netblock_ip_ranges" "legacy_health_checkers" { + range_type = "legacy-health-checkers" +} + +data "google_netblock_ip_ranges" "health_checkers" { + range_type = "health-checkers" +} + +data "google_netblock_ip_ranges" "iap_forwarders" { + range_type = "iap-forwarders" +} + module "peering_project" { source = "../../modules/single_project" impersonate_service_account = var.terraform_service_account 
@@ -59,3 +71,181 @@ module "peering" { module_depends_on = var.peering_module_depends_on } + +/****************************************** + Mandatory firewall rules + *****************************************/ + +resource "google_compute_firewall" "deny_all_egress" { + name = "fw-p-peering-base-65535-e-p-all-all-tcp-udp" + network = "vpc-p-peering-base" + project = module.peering_project.project_id + direction = "EGRESS" + priority = 65535 + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? [{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + deny { + protocol = "tcp" + } + + deny { + protocol = "udp" + } + + destination_ranges = ["0.0.0.0/0"] +} + + +resource "google_compute_firewall" "allow_private_api_egress" { + name = "fw-p-peering-base-65534-e-a-allow-google-apis-all-tcp-443" + network = "vpc-p-peering-base" + project = module.peering_project.project_id + direction = "EGRESS" + priority = 65534 + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? [{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + allow { + protocol = "tcp" + ports = ["443"] + } + + destination_ranges = ["199.36.153.8/30"] + + target_tags = ["allow-google-apis"] +} + + +/****************************************** + Optional firewall rules + *****************************************/ + +// Allow SSH via IAP when using the allow-iap-ssh tag for Linux workloads. +resource "google_compute_firewall" "allow_iap_ssh" { + count = var.optional_fw_rules_enabled ? 1 : 0 + name = "fw-p-peering-base-1000-i-a-all-allow-iap-ssh-tcp-22" + network = "vpc-p-peering-base" + project = module.peering_project.project_id + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? 
[{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + // Cloud IAP's TCP forwarding netblock + source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4) + + allow { + protocol = "tcp" + ports = ["22"] + } + + target_tags = ["allow-iap-ssh"] +} + +// Allow RDP via IAP when using the allow-iap-rdp tag for Windows workloads. +resource "google_compute_firewall" "allow_iap_rdp" { + count = var.optional_fw_rules_enabled ? 1 : 0 + name = "fw-p-peering-base-1000-i-a-all-allow-iap-rdp-tcp-3389" + network = "vpc-p-peering-base" + project = module.peering_project.project_id + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? [{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + // Cloud IAP's TCP forwarding netblock + source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4) + + allow { + protocol = "tcp" + ports = ["3389"] + } + + target_tags = ["allow-iap-rdp"] +} + +// Allow access to kms.windows.googlecloud.com for Windows license activation +resource "google_compute_firewall" "allow_windows_activation" { + count = var.windows_activation_enabled ? 1 : 0 + name = "fw-p-peering-base-0-e-a-allow-win-activation-all-tcp-1688" + network = "vpc-p-peering-base" + project = module.peering_project.project_id + direction = "EGRESS" + priority = 0 + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? [{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + allow { + protocol = "tcp" + ports = ["1688"] + } + + destination_ranges = ["35.190.247.13/32"] + + target_tags = ["allow-win-activation"] +} + +// Allow traffic for Internal & Global load balancing health check and load balancing IP ranges. +resource "google_compute_firewall" "allow_lb" { + count = var.optional_fw_rules_enabled ? 
1 : 0 + name = "fw-p-peering-base-1000-i-a-all-allow-lb-tcp-80-8080-443" + network = "vpc-p-peering-base" + project = module.peering_project.project_id + + dynamic "log_config" { + for_each = var.firewall_enable_logging == true ? [{ + metadata = "INCLUDE_ALL_METADATA" + }] : [] + + content { + metadata = log_config.value.metadata + } + } + + source_ranges = concat(data.google_netblock_ip_ranges.health_checkers.cidr_blocks_ipv4, data.google_netblock_ip_ranges.legacy_health_checkers.cidr_blocks_ipv4) + + // Allow common app ports by default. + allow { + protocol = "tcp" + ports = ["80", "8080", "443"] + } + + target_tags = ["allow-lb"] +} diff --git a/4-projects/business_unit_2/production/variables.tf b/4-projects/business_unit_2/production/variables.tf index 98e933f32..747df103d 100644 --- a/4-projects/business_unit_2/production/variables.tf +++ b/4-projects/business_unit_2/production/variables.tf @@ -56,3 +56,21 @@ variable "peering_module_depends_on" { type = list default = [] } + +variable "firewall_enable_logging" { + type = bool + description = "Toggle firewall logging for VPC Firewalls." + default = true +} + +variable "optional_fw_rules_enabled" { + type = bool + description = "Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges." + default = false +} + +variable "windows_activation_enabled" { + type = bool + description = "Enable Windows license activation for Windows workloads." + default = false +} From cb906a4fc5cd3b4a9e39ef1694579fa9a47b1cc6 Mon Sep 17 00:00:00 2001 From: Amanda Karina Lopes de Oliveira Date: Thu, 24 Sep 2020 10:13:36 -0300 Subject: [PATCH 11/16] Removes duplicated variables --- .../business_unit_1/production/variables.tf | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/4-projects/business_unit_1/production/variables.tf b/4-projects/business_unit_1/production/variables.tf index 476040903..8d1427583 100644 
--- a/4-projects/business_unit_1/production/variables.tf +++ b/4-projects/business_unit_1/production/variables.tf @@ -80,21 +80,3 @@ variable "windows_activation_enabled" { description = "Enable Windows license activation for Windows workloads." default = false } - -variable "firewall_enable_logging" { - type = bool - description = "Toggle firewall logging for VPC Firewalls." - default = true -} - -variable "optional_fw_rules_enabled" { - type = bool - description = "Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges." - default = false -} - -variable "windows_activation_enabled" { - type = bool - description = "Enable Windows license activation for Windows workloads." - default = false -} From 263c305aff5053471c4a3dfb51cc4009f63e8155 Mon Sep 17 00:00:00 2001 From: Amanda Karina Lopes de Oliveira Date: Thu, 24 Sep 2020 10:31:53 -0300 Subject: [PATCH 12/16] Adds peering project test --- .../business_unit_1/development/README.md | 1 + .../business_unit_1/development/outputs.tf | 5 +++ .../business_unit_1/non-production/README.md | 4 +++ .../business_unit_1/non-production/outputs.tf | 5 +++ .../business_unit_1/production/README.md | 4 +++ .../business_unit_1/production/outputs.tf | 5 +++ .../business_unit_2/development/README.md | 1 + .../business_unit_2/development/outputs.tf | 5 +++ .../business_unit_2/non-production/README.md | 4 +++ .../business_unit_2/non-production/outputs.tf | 5 +++ .../business_unit_2/production/README.md | 4 +++ .../business_unit_2/production/outputs.tf | 5 +++ test/fixtures/projects/outputs.tf | 31 +++++++++++++++++++ .../projects/controls/gcp_projects.rb | 17 ++++++++++ test/integration/projects/inspec.yml | 18 +++++++++++ 15 files changed, 114 insertions(+) diff --git a/4-projects/business_unit_1/development/README.md b/4-projects/business_unit_1/development/README.md index c4ffa16c0..be3144e20 100644 
--- a/4-projects/business_unit_1/development/README.md +++ b/4-projects/business_unit_1/development/README.md @@ -23,6 +23,7 @@ | base\_shared\_vpc\_project | Project sample base project. | | floating\_project | Project sample floating project. | | peering\_complete | Output to be used as a module dependency. | +| peering\_project | Project sample peering project id. | | restricted\_enabled\_apis | Activated APIs. | | restricted\_shared\_vpc\_project | Project sample restricted project id. | | restricted\_shared\_vpc\_project\_number | Project sample restricted project. | diff --git a/4-projects/business_unit_1/development/outputs.tf b/4-projects/business_unit_1/development/outputs.tf index f4e434fe1..0560c167c 100644 --- a/4-projects/business_unit_1/development/outputs.tf +++ b/4-projects/business_unit_1/development/outputs.tf @@ -24,6 +24,11 @@ output "floating_project" { value = module.floating_project.project_id } +output "peering_project" { + description = "Project sample peering project id." + value = module.peering_project.project_id +} + output "restricted_shared_vpc_project" { description = "Project sample restricted project id." value = module.restricted_shared_vpc_project.project_id diff --git a/4-projects/business_unit_1/non-production/README.md b/4-projects/business_unit_1/non-production/README.md index 4b63c9028..be3144e20 100644 --- a/4-projects/business_unit_1/non-production/README.md +++ b/4-projects/business_unit_1/non-production/README.md 
@@ -5,12 +5,15 @@ |------|-------------|:----:|:-----:|:-----:| | access\_context\_manager\_policy\_id | The ID of the access context manager policy the perimeter lies in. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR-ORGANIZATION_ID --format="value(name)"`. | string | n/a | yes | | billing\_account | The ID of the billing account to associated this project with | string | n/a | yes | +| firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | bool | `"true"` | no | +| optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | bool | `"false"` | no | | org\_id | The organization id for the associated services | string | n/a | yes | | parent\_folder | Optional - if using a folder for testing. | string | `""` | no | | peering\_module\_depends\_on | List of modules or resources peering module depends on. | list | `` | no | | perimeter\_name | Access context manager service perimeter name to attach the restricted svpc project. | string | n/a | yes | | skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud is already available outside the module) | bool | `"true"` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform | string | n/a | yes | +| windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | bool | `"false"` | no | ## Outputs 
@@ -20,6 +23,7 @@ | base\_shared\_vpc\_project | Project sample base project. | | floating\_project | Project sample floating project. | | peering\_complete | Output to be used as a module dependency. | +| peering\_project | Project sample peering project id. | | restricted\_enabled\_apis | Activated APIs. | | restricted\_shared\_vpc\_project | Project sample restricted project id. | | restricted\_shared\_vpc\_project\_number | Project sample restricted project. | diff --git a/4-projects/business_unit_1/non-production/outputs.tf b/4-projects/business_unit_1/non-production/outputs.tf index f4e434fe1..0560c167c 100644 --- a/4-projects/business_unit_1/non-production/outputs.tf +++ b/4-projects/business_unit_1/non-production/outputs.tf @@ -24,6 +24,11 @@ output "floating_project" { value = module.floating_project.project_id } +output "peering_project" { + description = "Project sample peering project id." + value = module.peering_project.project_id +} + output "restricted_shared_vpc_project" { description = "Project sample restricted project id." value = module.restricted_shared_vpc_project.project_id diff --git a/4-projects/business_unit_1/production/README.md b/4-projects/business_unit_1/production/README.md index 08210e67e..e804dfaef 100644 --- a/4-projects/business_unit_1/production/README.md +++ b/4-projects/business_unit_1/production/README.md 
@@ -6,12 +6,15 @@ | access\_context\_manager\_policy\_id | The ID of the access context manager policy the perimeter lies in. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR-ORGANIZATION_ID --format="value(name)"`. | string | n/a | yes | | billing\_account | The ID of the billing account to associated this project with | string | n/a | yes | | env\_code | A short form of the environment field | string | `"p"` | no | +| firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | bool | `"true"` | no | +| optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | bool | `"false"` | no | | org\_id | The organization id for the associated services | string | n/a | yes | | parent\_folder | Optional - if using a folder for testing. | string | `""` | no | | peering\_module\_depends\_on | List of modules or resources peering module depends on. | list | `` | no | | perimeter\_name | Access context manager service perimeter name to attach the restricted svpc project. | string | n/a | yes | | skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud is already available outside the module) | bool | `"true"` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform | string | n/a | yes | +| windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | bool | `"false"` | no | ## Outputs 
@@ -21,6 +24,7 @@ | base\_shared\_vpc\_project | Project sample base project. | | floating\_project | Project sample floating project. | | peering\_complete | Output to be used as a module dependency. | +| peering\_project | Project sample peering project id. | | restricted\_enabled\_apis | Activated APIs. | | restricted\_shared\_vpc\_project | Project sample restricted project id. | | restricted\_shared\_vpc\_project\_number | Project sample restricted project. | diff --git a/4-projects/business_unit_1/production/outputs.tf b/4-projects/business_unit_1/production/outputs.tf index f4e434fe1..0560c167c 100644 --- a/4-projects/business_unit_1/production/outputs.tf +++ b/4-projects/business_unit_1/production/outputs.tf @@ -24,6 +24,11 @@ output "floating_project" { value = module.floating_project.project_id } +output "peering_project" { + description = "Project sample peering project id." + value = module.peering_project.project_id +} + output "restricted_shared_vpc_project" { description = "Project sample restricted project id." value = module.restricted_shared_vpc_project.project_id diff --git a/4-projects/business_unit_2/development/README.md b/4-projects/business_unit_2/development/README.md index c4ffa16c0..be3144e20 100644 --- a/4-projects/business_unit_2/development/README.md +++ b/4-projects/business_unit_2/development/README.md @@ -23,6 +23,7 @@ | base\_shared\_vpc\_project | Project sample base project. | | floating\_project | Project sample floating project. | | peering\_complete | Output to be used as a module dependency. | +| peering\_project | Project sample peering project id. | | restricted\_enabled\_apis | Activated APIs. | | restricted\_shared\_vpc\_project | Project sample restricted project id. | | restricted\_shared\_vpc\_project\_number | Project sample restricted project. | diff --git a/4-projects/business_unit_2/development/outputs.tf b/4-projects/business_unit_2/development/outputs.tf index f4e434fe1..0560c167c 100644 
--- a/4-projects/business_unit_2/development/outputs.tf +++ b/4-projects/business_unit_2/development/outputs.tf @@ -24,6 +24,11 @@ output "floating_project" { value = module.floating_project.project_id } +output "peering_project" { + description = "Project sample peering project id." + value = module.peering_project.project_id +} + output "restricted_shared_vpc_project" { description = "Project sample restricted project id." value = module.restricted_shared_vpc_project.project_id diff --git a/4-projects/business_unit_2/non-production/README.md b/4-projects/business_unit_2/non-production/README.md index 4b63c9028..be3144e20 100644 --- a/4-projects/business_unit_2/non-production/README.md +++ b/4-projects/business_unit_2/non-production/README.md 
@@ -5,12 +5,15 @@ |------|-------------|:----:|:-----:|:-----:| | access\_context\_manager\_policy\_id | The ID of the access context manager policy the perimeter lies in. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR-ORGANIZATION_ID --format="value(name)"`. | string | n/a | yes | | billing\_account | The ID of the billing account to associated this project with | string | n/a | yes | +| firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | bool | `"true"` | no | +| optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | bool | `"false"` | no | | org\_id | The organization id for the associated services | string | n/a | yes | | parent\_folder | Optional - if using a folder for testing. | string | `""` | no | | peering\_module\_depends\_on | List of modules or resources peering module depends on. | list | `` | no | | perimeter\_name | Access context manager service perimeter name to attach the restricted svpc project. | string | n/a | yes | | skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud is already available outside the module) | bool | `"true"` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform | string | n/a | yes | +| windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | bool | `"false"` | no | ## Outputs 
@@ -20,6 +23,7 @@ | base\_shared\_vpc\_project | Project sample base project. | | floating\_project | Project sample floating project. | | peering\_complete | Output to be used as a module dependency. | +| peering\_project | Project sample peering project id. | | restricted\_enabled\_apis | Activated APIs. | | restricted\_shared\_vpc\_project | Project sample restricted project id. | | restricted\_shared\_vpc\_project\_number | Project sample restricted project. | diff --git a/4-projects/business_unit_2/non-production/outputs.tf b/4-projects/business_unit_2/non-production/outputs.tf index f4e434fe1..0560c167c 100644 --- a/4-projects/business_unit_2/non-production/outputs.tf +++ b/4-projects/business_unit_2/non-production/outputs.tf @@ -24,6 +24,11 @@ output "floating_project" { value = module.floating_project.project_id } +output "peering_project" { + description = "Project sample peering project id." + value = module.peering_project.project_id +} + output "restricted_shared_vpc_project" { description = "Project sample restricted project id." value = module.restricted_shared_vpc_project.project_id diff --git a/4-projects/business_unit_2/production/README.md b/4-projects/business_unit_2/production/README.md index 4b63c9028..be3144e20 100644 --- a/4-projects/business_unit_2/production/README.md +++ b/4-projects/business_unit_2/production/README.md 
@@ -5,12 +5,15 @@ |------|-------------|:----:|:-----:|:-----:| | access\_context\_manager\_policy\_id | The ID of the access context manager policy the perimeter lies in. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR-ORGANIZATION_ID --format="value(name)"`. | string | n/a | yes | | billing\_account | The ID of the billing account to associated this project with | string | n/a | yes | +| firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | bool | `"true"` | no | +| optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | bool | `"false"` | no | | org\_id | The organization id for the associated services | string | n/a | yes | | parent\_folder | Optional - if using a folder for testing. | string | `""` | no | | peering\_module\_depends\_on | List of modules or resources peering module depends on. | list | `` | no | | perimeter\_name | Access context manager service perimeter name to attach the restricted svpc project. | string | n/a | yes | | skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud is already available outside the module) | bool | `"true"` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform | string | n/a | yes | +| windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | bool | `"false"` | no | ## Outputs 
@@ -20,6 +23,7 @@ | base\_shared\_vpc\_project | Project sample base project. | | floating\_project | Project sample floating project. | | peering\_complete | Output to be used as a module dependency. | +| peering\_project | Project sample peering project id. | | restricted\_enabled\_apis | Activated APIs. | | restricted\_shared\_vpc\_project | Project sample restricted project id. | | restricted\_shared\_vpc\_project\_number | Project sample restricted project. | diff --git a/4-projects/business_unit_2/production/outputs.tf b/4-projects/business_unit_2/production/outputs.tf index f4e434fe1..0560c167c 100644 --- a/4-projects/business_unit_2/production/outputs.tf +++ b/4-projects/business_unit_2/production/outputs.tf @@ -24,6 +24,11 @@ output "floating_project" { value = module.floating_project.project_id } +output "peering_project" { + description = "Project sample peering project id." + value = module.peering_project.project_id +} + output "restricted_shared_vpc_project" { description = "Project sample restricted project id." value = module.restricted_shared_vpc_project.project_id diff --git a/test/fixtures/projects/outputs.tf b/test/fixtures/projects/outputs.tf index 6cae49ab2..1c1b1e917 100644 --- a/test/fixtures/projects/outputs.tf +++ b/test/fixtures/projects/outputs.tf @@ -24,6 +24,11 @@ output "dev_bu1_project_floating" { value = module.projects_bu1_dev.floating_project } +output "dev_bu1_project_peering" { + description = "Project sample peering project." + value = module.projects_bu1_dev.peering_project +} + output "dev_bu1_project_restricted" { description = "Project sample restricted project." value = module.projects_bu1_dev.restricted_shared_vpc_project 
@@ -54,6 +59,12 @@ output "dev_bu2_project_floating" { value = module.projects_bu2_dev.floating_project } +output "dev_bu2_project_peering" { + description = "Project sample peering project." + value = module.projects_bu2_dev.peering_project +} + + output "dev_bu1_restricted_vpc_service_control_perimeter_name" { description = "VPC Service Control name." @@ -85,6 +96,11 @@ output "nonprod_bu1_project_floating" { value = module.projects_bu1_nonprod.floating_project } +output "nonprod_bu1_project_peering" { + description = "Project sample peering project." + value = module.projects_bu1_nonprod.peering_project +} + output "nonprod_bu1_project_restricted" { description = "Project sample restricted project." value = module.projects_bu1_nonprod.restricted_shared_vpc_project @@ -115,6 +131,11 @@ output "nonprod_bu2_project_floating" { value = module.projects_bu2_nonprod.floating_project } +output "nonprod_bu2_project_peering" { + description = "Project sample peering project." + value = module.projects_bu2_nonprod.peering_project +} + output "nonprod_bu1_restricted_vpc_service_control_perimeter_name" { description = "VPC Service Control name." value = module.projects_bu1_nonprod.vpc_service_control_perimeter_name @@ -145,6 +166,11 @@ output "prod_bu1_project_floating" { value = module.projects_bu1_prod.floating_project } +output "prod_bu1_project_peering" { + description = "Project sample peering project." + value = module.projects_bu1_prod.peering_project +} + output "prod_bu1_project_restricted" { description = "Project sample restricted project." value = module.projects_bu1_prod.restricted_shared_vpc_project 
@@ -175,6 +201,11 @@ output "prod_bu2_project_floating" { value = module.projects_bu2_prod.floating_project } +output "prod_bu2_project_peering" { + description = "Project sample peering project." + value = module.projects_bu2_prod.peering_project +} + output "prod_bu1_restricted_vpc_service_control_perimeter_name" { description = "VPC Service Control name." value = module.projects_bu1_prod.vpc_service_control_perimeter_name diff --git a/test/integration/projects/controls/gcp_projects.rb b/test/integration/projects/controls/gcp_projects.rb index 0b07fad25..4a4fec0ee 100644 --- a/test/integration/projects/controls/gcp_projects.rb +++ b/test/integration/projects/controls/gcp_projects.rb 
@@ -14,23 +14,29 @@
 dev_bu1_project_base = attribute('dev_bu1_project_base')
 dev_bu1_project_floating = attribute('dev_bu1_project_floating')
+dev_bu1_project_peering = attribute('dev_bu1_project_peering')
 dev_bu1_project_restricted_id = attribute('dev_bu1_project_restricted')
 dev_bu2_project_base = attribute('dev_bu2_project_base')
 dev_bu2_project_floating = attribute('dev_bu2_project_floating')
+dev_bu2_project_peering = attribute('dev_bu2_project_peering')
 dev_bu2_project_restricted_id = attribute('dev_bu2_project_restricted')
 nonprod_bu1_project_base = attribute('nonprod_bu1_project_base')
 nonprod_bu1_project_floating = attribute('nonprod_bu1_project_floating')
+nonprod_bu1_project_peering = attribute('nonprod_bu1_project_peering')
 nonprod_bu1_project_restricted_id = attribute('nonprod_bu1_project_restricted')
 nonprod_bu2_project_base = attribute('nonprod_bu2_project_base')
 nonprod_bu2_project_floating = attribute('nonprod_bu2_project_floating')
+nonprod_bu2_project_peering = attribute('nonprod_bu2_project_peering')
 nonprod_bu2_project_restricted_id = attribute('nonprod_bu2_project_restricted')
 prod_bu1_project_base = attribute('prod_bu1_project_base')
 prod_bu1_project_floating = attribute('prod_bu1_project_floating')
+prod_bu1_project_peering = attribute('prod_bu1_project_peering')
 prod_bu1_project_restricted_id = attribute('prod_bu1_project_restricted')
 prod_bu2_project_base = attribute('prod_bu2_project_base')
 prod_bu2_project_floating = attribute('prod_bu2_project_floating')
+prod_bu2_project_peering = attribute('prod_bu2_project_peering')
 prod_bu2_project_restricted_id = attribute('prod_bu2_project_restricted')
 restricted_enabled_apis = ['accesscontextmanager.googleapis.com', 'billingbudgets.googleapis.com']
@@ -55,6 +61,12 @@
 'p' => { 'bu1' => prod_bu1_project_floating, 'bu2' => prod_bu2_project_floating }
 }
+peering_projects_id = {
+ 'd' => { 'bu1' => dev_bu1_project_peering, 'bu2' => dev_bu2_project_peering },
+ 'n' => { 'bu1' => nonprod_bu1_project_peering, 'bu2' => nonprod_bu2_project_peering },
+ 'p' => { 'bu1' => prod_bu1_project_peering, 'bu2' => prod_bu2_project_peering }
+}
+
 control 'gcp-projects' do
 title 'gcp step 4-projects tests'
@@ -75,6 +87,11 @@
 its('lifecycle_state') { should cmp 'ACTIVE' }
 end
+ describe google_project(project: peering_projects_id[environment_code][business_unit]) do
+ it { should exist }
+ its('lifecycle_state') { should cmp 'ACTIVE' }
+ end
+
 restricted_enabled_apis.each do |api|
 describe google_project_service(
 project: restricted_projects_id[environment_code][business_unit],
diff --git a/test/integration/projects/inspec.yml b/test/integration/projects/inspec.yml
index efbf9d9e8..0dd01a4c6 100644
--- a/test/integration/projects/inspec.yml
+++ b/test/integration/projects/inspec.yml
@@ -9,6 +9,9 @@ attributes:
 - name: dev_bu1_project_floating
 required: true
 type: string
+ - name: dev_bu1_project_peering
+ required: true
+ type: string
 - name: dev_bu1_project_restricted
 required: true
 type: string
@@ -30,6 +33,9 @@ attributes:
 - name: dev_bu2_project_floating
 required: true
 type: string
+ - name: dev_bu2_project_peering
+ required: true
+ type: string
 - name: dev_bu2_project_restricted
 required: true
 type: string
@@ -48,6 +54,9 @@ attributes:
 - name: nonprod_bu1_project_floating
 required: true
 type: string
+ - name: nonprod_bu1_project_peering
+ required: true
+ type: string
 - name: nonprod_bu1_project_restricted
 required: true
 type: string
@@ -69,6 +78,9 @@ attributes:
 - name: nonprod_bu2_project_floating
 required: true
 type: string
+ - name: nonprod_bu2_project_peering
+ required: true
+ type: string
 - name: nonprod_bu2_project_restricted
 required: true
 type: string
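Review bot: The new `describe google_project(project: peering_projects_id[environment_code][business_unit])` block only asserts that the peering project exists and is ACTIVE, so the part of the example that actually constrains traffic — the `deny_all_egress` rule at priority 65535 and the `allow_private_api_egress` exception at 65534 that the later "Adds module dependency" commits touch — is never verified by the suite. A `google_compute_firewall` describe per rule, with the project taken from `peering_projects_id` and the name as declared in the environment's `example_peering_project.tf`, asserting the rule exists with `direction` EGRESS and its expected priority, would catch a rule being dropped or re-pointed at the wrong network. The `control 'gcp-projects' do` block this describe sits in starts and ends outside the hunk.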
@@ -87,6 +99,9 @@ attributes:
 - name: prod_bu1_project_floating
 required: true
 type: string
+ - name: prod_bu1_project_peering
+ required: true
+ type: string
 - name: prod_bu1_project_restricted
 required: true
 type: string
@@ -108,6 +123,9 @@ attributes:
 - name: prod_bu2_project_floating
 required: true
 type: string
+ - name: prod_bu2_project_peering
+ required: true
+ type: string
 - name: prod_bu2_project_restricted
 required: true
 type: string
From 48149b0186ce03fb2d0c4133b41aa04f5ef94d95 Mon Sep 17 00:00:00 2001
From: Amanda Karina Lopes de Oliveira
Date: Thu, 24 Sep 2020 11:23:41 -0300
Subject: [PATCH 13/16] Adds module dependency
---
 .../development/example_peering_project.tf | 12 ++++++------
 .../non-production/example_peering_project.tf | 12 ++++++------
 .../production/example_peering_project.tf | 12 ++++++------
 .../development/example_peering_project.tf | 12 ++++++------
 4 files changed, 24 insertions(+), 24 deletions(-)
diff --git a/4-projects/business_unit_1/development/example_peering_project.tf b/4-projects/business_unit_1/development/example_peering_project.tf
index fde742133..50d0f9182 100644
--- a/4-projects/business_unit_1/development/example_peering_project.tf
+++ b/4-projects/business_unit_1/development/example_peering_project.tf
@@ -79,7 +79,7 @@ module "peering" {
 
 resource "google_compute_firewall" "deny_all_egress" {
 name = "fw-d-peering-base-65535-e-d-all-all-tcp-udp"
- network = "vpc-d-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 direction = "EGRESS"
 priority = 65535
@@ -108,7 +108,7 @@ resource "google_compute_firewall" "deny_all_egress" {
 
 resource "google_compute_firewall" "allow_private_api_egress" {
 name = "fw-d-peering-base-65534-e-a-allow-google-apis-all-tcp-443"
- network = "vpc-d-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 direction = "EGRESS"
 priority = 65534
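Review bot: The `network` argument now follows `module.peering_network.network_name`, but the `name` on the line above still hard-codes the same environment/network token (`fw-d-peering-base-65535-e-d-all-all-tcp-udp` against what used to be `vpc-d-peering-base`), so renaming the VPC would leave every rule name describing a network it no longer attaches to, which is exactly the kind of drift that makes firewall review harder. Building the prefix from the same local the network name is derived from would keep the two in step, e.g. `name = "fw-${local.vpc_name}-65535-e-d-all-all-tcp-udp"`, assuming this file still defines that local. The same applies to the five other `google_compute_firewall` hunks of this file and to the sibling `example_peering_project.tf` files in both "Adds module dependency" commits. Each `google_compute_firewall` resource continues past its hunk.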
@@ -142,7 +142,7 @@ resource "google_compute_firewall" "allow_private_api_egress" {
 resource "google_compute_firewall" "allow_iap_ssh" {
 count = var.optional_fw_rules_enabled ? 1 : 0
 name = "fw-d-peering-base-1000-i-a-all-allow-iap-ssh-tcp-22"
- network = "vpc-d-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 
 dynamic "log_config" {
@@ -170,7 +170,7 @@ resource "google_compute_firewall" "allow_iap_ssh" {
 resource "google_compute_firewall" "allow_iap_rdp" {
 count = var.optional_fw_rules_enabled ? 1 : 0
 name = "fw-d-peering-base-1000-i-a-all-allow-iap-rdp-tcp-3389"
- network = "vpc-d-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 
 dynamic "log_config" {
@@ -198,7 +198,7 @@ resource "google_compute_firewall" "allow_iap_rdp" {
 resource "google_compute_firewall" "allow_windows_activation" {
 count = var.windows_activation_enabled ? 1 : 0
 name = "fw-d-peering-base-0-e-a-allow-win-activation-all-tcp-1688"
- network = "vpc-d-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 direction = "EGRESS"
 priority = 0
@@ -227,7 +227,7 @@ resource "google_compute_firewall" "allow_windows_activation" {
 resource "google_compute_firewall" "allow_lb" {
 count = var.optional_fw_rules_enabled ? 1 : 0
 name = "fw-d-peering-base-1000-i-a-all-allow-lb-tcp-80-8080-443"
- network = "vpc-d-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 
 dynamic "log_config" {
diff --git a/4-projects/business_unit_1/non-production/example_peering_project.tf b/4-projects/business_unit_1/non-production/example_peering_project.tf
index f6036fc6a..94f281da5 100644
--- a/4-projects/business_unit_1/non-production/example_peering_project.tf
+++ b/4-projects/business_unit_1/non-production/example_peering_project.tf
@@ -80,7 +80,7 @@ module "peering" {
 
 resource "google_compute_firewall" "deny_all_egress" {
 name = "fw-n-peering-base-65535-e-n-all-all-tcp-udp"
- network = "vpc-n-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 direction = "EGRESS"
 priority = 65535
@@ -109,7 +109,7 @@ resource "google_compute_firewall" "deny_all_egress" {
 
 resource "google_compute_firewall" "allow_private_api_egress" {
 name = "fw-n-peering-base-65534-e-a-allow-google-apis-all-tcp-443"
- network = "vpc-n-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 direction = "EGRESS"
 priority = 65534
@@ -143,7 +143,7 @@ resource "google_compute_firewall" "allow_private_api_egress" {
 resource "google_compute_firewall" "allow_iap_ssh" {
 count = var.optional_fw_rules_enabled ? 1 : 0
 name = "fw-n-peering-base-1000-i-a-all-allow-iap-ssh-tcp-22"
- network = "vpc-n-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 
 dynamic "log_config" {
@@ -171,7 +171,7 @@ resource "google_compute_firewall" "allow_iap_ssh" {
 resource "google_compute_firewall" "allow_iap_rdp" {
 count = var.optional_fw_rules_enabled ? 1 : 0
 name = "fw-n-peering-base-1000-i-a-all-allow-iap-rdp-tcp-3389"
- network = "vpc-n-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 
 dynamic "log_config" {
@@ -199,7 +199,7 @@ resource "google_compute_firewall" "allow_iap_rdp" {
 resource "google_compute_firewall" "allow_windows_activation" {
 count = var.windows_activation_enabled ? 1 : 0
 name = "fw-n-peering-base-0-e-a-allow-win-activation-all-tcp-1688"
- network = "vpc-n-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 direction = "EGRESS"
 priority = 0
@@ -228,7 +228,7 @@ resource "google_compute_firewall" "allow_windows_activation" {
 resource "google_compute_firewall" "allow_lb" {
 count = var.optional_fw_rules_enabled ? 1 : 0
 name = "fw-n-peering-base-1000-i-a-all-allow-lb-tcp-80-8080-443"
- network = "vpc-n-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 
 dynamic "log_config" {
diff --git a/4-projects/business_unit_1/production/example_peering_project.tf b/4-projects/business_unit_1/production/example_peering_project.tf
index afb827532..822740846 100644
--- a/4-projects/business_unit_1/production/example_peering_project.tf
+++ b/4-projects/business_unit_1/production/example_peering_project.tf
@@ -78,7 +78,7 @@ module "peering" {
 
 resource "google_compute_firewall" "deny_all_egress" {
 name = "fw-p-peering-base-65535-e-p-all-all-tcp-udp"
- network = "vpc-p-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 direction = "EGRESS"
 priority = 65535
@@ -107,7 +107,7 @@ resource "google_compute_firewall" "deny_all_egress" {
 
 resource "google_compute_firewall" "allow_private_api_egress" {
 name = "fw-p-peering-base-65534-e-a-allow-google-apis-all-tcp-443"
- network = "vpc-p-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 direction = "EGRESS"
 priority = 65534
@@ -141,7 +141,7 @@ resource "google_compute_firewall" "allow_private_api_egress" {
 resource "google_compute_firewall" "allow_iap_ssh" {
 count = var.optional_fw_rules_enabled ? 1 : 0
 name = "fw-p-peering-base-1000-i-a-all-allow-iap-ssh-tcp-22"
- network = "vpc-p-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 
 dynamic "log_config" {
@@ -169,7 +169,7 @@ resource "google_compute_firewall" "allow_iap_ssh" {
 resource "google_compute_firewall" "allow_iap_rdp" {
 count = var.optional_fw_rules_enabled ? 1 : 0
 name = "fw-p-peering-base-1000-i-a-all-allow-iap-rdp-tcp-3389"
- network = "vpc-p-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 
 dynamic "log_config" {
@@ -197,7 +197,7 @@ resource "google_compute_firewall" "allow_iap_rdp" {
 resource "google_compute_firewall" "allow_windows_activation" {
 count = var.windows_activation_enabled ? 1 : 0
 name = "fw-p-peering-base-0-e-a-allow-win-activation-all-tcp-1688"
- network = "vpc-p-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 direction = "EGRESS"
 priority = 0
@@ -226,7 +226,7 @@ resource "google_compute_firewall" "allow_windows_activation" {
 resource "google_compute_firewall" "allow_lb" {
 count = var.optional_fw_rules_enabled ? 1 : 0
 name = "fw-p-peering-base-1000-i-a-all-allow-lb-tcp-80-8080-443"
- network = "vpc-p-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 
 dynamic "log_config" {
diff --git a/4-projects/business_unit_2/development/example_peering_project.tf b/4-projects/business_unit_2/development/example_peering_project.tf
index 2ae6a1a77..486e1be76 100644
--- a/4-projects/business_unit_2/development/example_peering_project.tf
+++ b/4-projects/business_unit_2/development/example_peering_project.tf
@@ -79,7 +79,7 @@ module "peering" {
 
 resource "google_compute_firewall" "deny_all_egress" {
 name = "fw-d-peering-base-65535-e-d-all-all-tcp-udp"
- network = "vpc-d-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 direction = "EGRESS"
 priority = 65535
@@ -108,7 +108,7 @@ resource "google_compute_firewall" "deny_all_egress" {
 
 resource "google_compute_firewall" "allow_private_api_egress" {
 name = "fw-d-peering-base-65534-e-a-allow-google-apis-all-tcp-443"
- network = "vpc-d-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 direction = "EGRESS"
 priority = 65534
@@ -142,7 +142,7 @@ resource "google_compute_firewall" "allow_private_api_egress" {
 resource "google_compute_firewall" "allow_iap_ssh" {
 count = var.optional_fw_rules_enabled ? 1 : 0
 name = "fw-d-peering-base-1000-i-a-all-allow-iap-ssh-tcp-22"
- network = "vpc-d-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 
 dynamic "log_config" {
@@ -170,7 +170,7 @@ resource "google_compute_firewall" "allow_iap_ssh" {
 resource "google_compute_firewall" "allow_iap_rdp" {
 count = var.optional_fw_rules_enabled ? 1 : 0
 name = "fw-d-peering-base-1000-i-a-all-allow-iap-rdp-tcp-3389"
- network = "vpc-d-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 
 dynamic "log_config" {
@@ -198,7 +198,7 @@ resource "google_compute_firewall" "allow_iap_rdp" {
 resource "google_compute_firewall" "allow_windows_activation" {
 count = var.windows_activation_enabled ? 1 : 0
 name = "fw-d-peering-base-0-e-a-allow-win-activation-all-tcp-1688"
- network = "vpc-d-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 direction = "EGRESS"
 priority = 0
@@ -227,7 +227,7 @@ resource "google_compute_firewall" "allow_windows_activation" {
 resource "google_compute_firewall" "allow_lb" {
 count = var.optional_fw_rules_enabled ? 1 : 0
 name = "fw-d-peering-base-1000-i-a-all-allow-lb-tcp-80-8080-443"
- network = "vpc-d-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 
 dynamic "log_config" {
From a7bf109b16ec79424b31e83cbe8686fb8a2983cd Mon Sep 17 00:00:00 2001
From: Amanda Karina Lopes de Oliveira
Date: Thu, 24 Sep 2020 12:10:56 -0300
Subject: [PATCH 14/16] Adds module dependency
---
 .../non-production/example_peering_project.tf | 12 ++++++------
 .../production/example_peering_project.tf | 12 ++++++------
 2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/4-projects/business_unit_2/non-production/example_peering_project.tf b/4-projects/business_unit_2/non-production/example_peering_project.tf
index 49e51237a..722898590 100644
--- a/4-projects/business_unit_2/non-production/example_peering_project.tf
+++ b/4-projects/business_unit_2/non-production/example_peering_project.tf
@@ -78,7 +78,7 @@ module "peering" {
 
 resource "google_compute_firewall" "deny_all_egress" {
 name = "fw-n-peering-base-65535-e-n-all-all-tcp-udp"
- network = "vpc-n-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 direction = "EGRESS"
 priority = 65535
@@ -107,7 +107,7 @@ resource "google_compute_firewall" "deny_all_egress" {
 
 resource "google_compute_firewall" "allow_private_api_egress" {
 name = "fw-n-peering-base-65534-e-a-allow-google-apis-all-tcp-443"
- network = "vpc-n-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 direction = "EGRESS"
 priority = 65534
@@ -141,7 +141,7 @@ resource "google_compute_firewall" "allow_private_api_egress" {
 resource "google_compute_firewall" "allow_iap_ssh" {
 count = var.optional_fw_rules_enabled ? 1 : 0
 name = "fw-n-peering-base-1000-i-a-all-allow-iap-ssh-tcp-22"
- network = "vpc-n-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 
 dynamic "log_config" {
@@ -169,7 +169,7 @@ resource "google_compute_firewall" "allow_iap_ssh" {
 resource "google_compute_firewall" "allow_iap_rdp" {
 count = var.optional_fw_rules_enabled ? 1 : 0
 name = "fw-n-peering-base-1000-i-a-all-allow-iap-rdp-tcp-3389"
- network = "vpc-n-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 
 dynamic "log_config" {
@@ -197,7 +197,7 @@ resource "google_compute_firewall" "allow_iap_rdp" {
 resource "google_compute_firewall" "allow_windows_activation" {
 count = var.windows_activation_enabled ? 1 : 0
 name = "fw-n-peering-base-0-e-a-allow-win-activation-all-tcp-1688"
- network = "vpc-n-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 direction = "EGRESS"
 priority = 0
@@ -226,7 +226,7 @@ resource "google_compute_firewall" "allow_windows_activation" {
 resource "google_compute_firewall" "allow_lb" {
 count = var.optional_fw_rules_enabled ? 1 : 0
 name = "fw-n-peering-base-1000-i-a-all-allow-lb-tcp-80-8080-443"
- network = "vpc-n-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 
 dynamic "log_config" {
diff --git a/4-projects/business_unit_2/production/example_peering_project.tf b/4-projects/business_unit_2/production/example_peering_project.tf
index 88dc194a0..6c438ec31 100644
--- a/4-projects/business_unit_2/production/example_peering_project.tf
+++ b/4-projects/business_unit_2/production/example_peering_project.tf
@@ -78,7 +78,7 @@ module "peering" {
 
 resource "google_compute_firewall" "deny_all_egress" {
 name = "fw-p-peering-base-65535-e-p-all-all-tcp-udp"
- network = "vpc-p-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 direction = "EGRESS"
 priority = 65535
@@ -107,7 +107,7 @@ resource "google_compute_firewall" "deny_all_egress" {
 
 resource "google_compute_firewall" "allow_private_api_egress" {
 name = "fw-p-peering-base-65534-e-a-allow-google-apis-all-tcp-443"
- network = "vpc-p-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 direction = "EGRESS"
 priority = 65534
@@ -141,7 +141,7 @@ resource "google_compute_firewall" "allow_private_api_egress" {
 resource "google_compute_firewall" "allow_iap_ssh" {
 count = var.optional_fw_rules_enabled ? 1 : 0
 name = "fw-p-peering-base-1000-i-a-all-allow-iap-ssh-tcp-22"
- network = "vpc-p-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 
 dynamic "log_config" {
@@ -169,7 +169,7 @@ resource "google_compute_firewall" "allow_iap_ssh" {
 resource "google_compute_firewall" "allow_iap_rdp" {
 count = var.optional_fw_rules_enabled ? 1 : 0
 name = "fw-p-peering-base-1000-i-a-all-allow-iap-rdp-tcp-3389"
- network = "vpc-p-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 
 dynamic "log_config" {
@@ -197,7 +197,7 @@ resource "google_compute_firewall" "allow_iap_rdp" {
 resource "google_compute_firewall" "allow_windows_activation" {
 count = var.windows_activation_enabled ? 1 : 0
 name = "fw-p-peering-base-0-e-a-allow-win-activation-all-tcp-1688"
- network = "vpc-p-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 direction = "EGRESS"
 priority = 0
@@ -226,7 +226,7 @@ resource "google_compute_firewall" "allow_windows_activation" {
 resource "google_compute_firewall" "allow_lb" {
 count = var.optional_fw_rules_enabled ? 1 : 0
 name = "fw-p-peering-base-1000-i-a-all-allow-lb-tcp-80-8080-443"
- network = "vpc-p-peering-base"
+ network = module.peering_network.network_name
 project = module.peering_project.project_id
 
 dynamic "log_config" {
From 4282b2adbf51d3fe54788da49a5fa19b4b457074 Mon Sep 17 00:00:00 2001
From: Amanda Karina Lopes de Oliveira
Date: Mon, 28 Sep 2020 12:37:12 -0300
Subject: [PATCH 15/16] Adds peering test
---
 .../business_unit_1/development/README.md | 1 +
 .../business_unit_1/development/outputs.tf | 5 ++
 .../business_unit_1/non-production/README.md | 1 +
 .../business_unit_1/non-production/outputs.tf | 5 ++
 .../business_unit_1/production/README.md | 1 +
 .../business_unit_1/production/outputs.tf | 5 ++
 .../business_unit_2/development/README.md | 1 +
 .../business_unit_2/development/outputs.tf | 5 ++
 .../business_unit_2/non-production/README.md | 1 +
 .../business_unit_2/non-production/outputs.tf | 5 ++
 .../business_unit_2/production/README.md | 1 +
 .../business_unit_2/production/outputs.tf | 5 ++
 test/fixtures/projects/outputs.tf | 30 +++++++++++-
 .../projects/controls/gcloud_projects.rb | 47 +++++++++++++++++++
 test/integration/projects/inspec.yml | 18 +++++++
 15 files changed, 130 insertions(+), 1 deletion(-)
diff --git a/4-projects/business_unit_1/development/README.md b/4-projects/business_unit_1/development/README.md
index b31ed65d0..22316d2a1 100644
--- a/4-projects/business_unit_1/development/README.md
+++ b/4-projects/business_unit_1/development/README.md
@@ -26,6 +26,7 @@
 | base\_shared\_vpc\_project | Project sample base project. |
 | floating\_project | Project sample floating project. |
 | peering\_complete | Output to be used as a module dependency. |
+| peering\_network | Peer network peering resource. |
 | peering\_project | Project sample peering project id. |
 | restricted\_enabled\_apis | Activated APIs. |
 | restricted\_shared\_vpc\_project | Project sample restricted project id. |
diff --git a/4-projects/business_unit_1/development/outputs.tf b/4-projects/business_unit_1/development/outputs.tf
index 0560c167c..ddc58c3b0 100644
--- a/4-projects/business_unit_1/development/outputs.tf
+++ b/4-projects/business_unit_1/development/outputs.tf
@@ -29,6 +29,11 @@ output "peering_project" {
 value = module.peering_project.project_id
 }
+output "peering_network" {
+ description = "Peer network peering resource."
+ value = module.peering.peer_network_peering
+}
+
 output "restricted_shared_vpc_project" {
 description = "Project sample restricted project id."
 value = module.restricted_shared_vpc_project.project_id
diff --git a/4-projects/business_unit_1/non-production/README.md b/4-projects/business_unit_1/non-production/README.md
index b31ed65d0..22316d2a1 100644
--- a/4-projects/business_unit_1/non-production/README.md
+++ b/4-projects/business_unit_1/non-production/README.md
@@ -26,6 +26,7 @@
 | base\_shared\_vpc\_project | Project sample base project. |
 | floating\_project | Project sample floating project. |
 | peering\_complete | Output to be used as a module dependency. |
+| peering\_network | Peer network peering resource. |
 | peering\_project | Project sample peering project id. |
 | restricted\_enabled\_apis | Activated APIs. |
 | restricted\_shared\_vpc\_project | Project sample restricted project id. |
diff --git a/4-projects/business_unit_1/non-production/outputs.tf b/4-projects/business_unit_1/non-production/outputs.tf
index 0560c167c..ddc58c3b0 100644
--- a/4-projects/business_unit_1/non-production/outputs.tf
+++ b/4-projects/business_unit_1/non-production/outputs.tf
@@ -29,6 +29,11 @@ output "peering_project" {
 value = module.peering_project.project_id
 }
+output "peering_network" {
+ description = "Peer network peering resource."
+ value = module.peering.peer_network_peering
+}
+
 output "restricted_shared_vpc_project" {
 description = "Project sample restricted project id."
 value = module.restricted_shared_vpc_project.project_id
diff --git a/4-projects/business_unit_1/production/README.md b/4-projects/business_unit_1/production/README.md
index e2ef67415..4d60723f0 100644
--- a/4-projects/business_unit_1/production/README.md
+++ b/4-projects/business_unit_1/production/README.md
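Review bot: `output "peering_network"` exports the whole `module.peering.peer_network_peering` object rather than a scalar, and its description "Peer network peering resource." does not say which attribute a consumer is expected to read. The fixture re-exports it as `*_network_peering` and `gcloud_projects.rb` reads it through `attribute(...)`, while the other project attributes in this suite are declared `type: string` in `inspec.yml`; if the new attributes follow that declaration, an object value will not coerce. Exporting the field the test needs — presumably `name` or `state` of the underlying `google_compute_network_peering` — with a description that names it, e.g. `value = module.peering.peer_network_peering.state`, would make the contract explicit and keep the output from widening if the peering module's output shape changes. The same applies to the `outputs.tf` hunk of the other five environment directories in this commit.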
@@ -27,6 +27,7 @@
 | base\_shared\_vpc\_project | Project sample base project. |
 | floating\_project | Project sample floating project. |
 | peering\_complete | Output to be used as a module dependency. |
+| peering\_network | Peer network peering resource. |
 | peering\_project | Project sample peering project id. |
 | restricted\_enabled\_apis | Activated APIs. |
 | restricted\_shared\_vpc\_project | Project sample restricted project id. |
diff --git a/4-projects/business_unit_1/production/outputs.tf b/4-projects/business_unit_1/production/outputs.tf
index 0560c167c..ddc58c3b0 100644
--- a/4-projects/business_unit_1/production/outputs.tf
+++ b/4-projects/business_unit_1/production/outputs.tf
@@ -29,6 +29,11 @@ output "peering_project" {
 value = module.peering_project.project_id
 }
+output "peering_network" {
+ description = "Peer network peering resource."
+ value = module.peering.peer_network_peering
+}
+
 output "restricted_shared_vpc_project" {
 description = "Project sample restricted project id."
 value = module.restricted_shared_vpc_project.project_id
diff --git a/4-projects/business_unit_2/development/README.md b/4-projects/business_unit_2/development/README.md
index b31ed65d0..22316d2a1 100644
--- a/4-projects/business_unit_2/development/README.md
+++ b/4-projects/business_unit_2/development/README.md
@@ -26,6 +26,7 @@
 | base\_shared\_vpc\_project | Project sample base project. |
 | floating\_project | Project sample floating project. |
 | peering\_complete | Output to be used as a module dependency. |
+| peering\_network | Peer network peering resource. |
 | peering\_project | Project sample peering project id. |
 | restricted\_enabled\_apis | Activated APIs. |
 | restricted\_shared\_vpc\_project | Project sample restricted project id. |
diff --git a/4-projects/business_unit_2/development/outputs.tf b/4-projects/business_unit_2/development/outputs.tf
index 0560c167c..ddc58c3b0 100644
--- a/4-projects/business_unit_2/development/outputs.tf
+++ b/4-projects/business_unit_2/development/outputs.tf
@@ -29,6 +29,11 @@ output "peering_project" {
 value = module.peering_project.project_id
 }
+output "peering_network" {
+ description = "Peer network peering resource."
+ value = module.peering.peer_network_peering
+}
+
 output "restricted_shared_vpc_project" {
 description = "Project sample restricted project id."
 value = module.restricted_shared_vpc_project.project_id
diff --git a/4-projects/business_unit_2/non-production/README.md b/4-projects/business_unit_2/non-production/README.md
index b31ed65d0..22316d2a1 100644
--- a/4-projects/business_unit_2/non-production/README.md
+++ b/4-projects/business_unit_2/non-production/README.md
@@ -26,6 +26,7 @@
 | base\_shared\_vpc\_project | Project sample base project. |
 | floating\_project | Project sample floating project. |
 | peering\_complete | Output to be used as a module dependency. |
+| peering\_network | Peer network peering resource. |
 | peering\_project | Project sample peering project id. |
 | restricted\_enabled\_apis | Activated APIs. |
 | restricted\_shared\_vpc\_project | Project sample restricted project id. |
diff --git a/4-projects/business_unit_2/non-production/outputs.tf b/4-projects/business_unit_2/non-production/outputs.tf
index 0560c167c..ddc58c3b0 100644
--- a/4-projects/business_unit_2/non-production/outputs.tf
+++ b/4-projects/business_unit_2/non-production/outputs.tf
@@ -29,6 +29,11 @@ output "peering_project" {
 value = module.peering_project.project_id
 }
+output "peering_network" {
+ description = "Peer network peering resource."
+ value = module.peering.peer_network_peering
+}
+
 output "restricted_shared_vpc_project" {
 description = "Project sample restricted project id."
 value = module.restricted_shared_vpc_project.project_id
diff --git a/4-projects/business_unit_2/production/README.md b/4-projects/business_unit_2/production/README.md
index b31ed65d0..22316d2a1 100644
--- a/4-projects/business_unit_2/production/README.md
+++ b/4-projects/business_unit_2/production/README.md
@@ -26,6 +26,7 @@
 | base\_shared\_vpc\_project | Project sample base project. |
 | floating\_project | Project sample floating project. |
 | peering\_complete | Output to be used as a module dependency. |
+| peering\_network | Peer network peering resource. |
 | peering\_project | Project sample peering project id. |
 | restricted\_enabled\_apis | Activated APIs. |
 | restricted\_shared\_vpc\_project | Project sample restricted project id. |
diff --git a/4-projects/business_unit_2/production/outputs.tf b/4-projects/business_unit_2/production/outputs.tf
index 0560c167c..ddc58c3b0 100644
--- a/4-projects/business_unit_2/production/outputs.tf
+++ b/4-projects/business_unit_2/production/outputs.tf
@@ -29,6 +29,11 @@ output "peering_project" {
 value = module.peering_project.project_id
 }
+output "peering_network" {
+ description = "Peer network peering resource."
+ value = module.peering.peer_network_peering
+}
+
 output "restricted_shared_vpc_project" {
 description = "Project sample restricted project id."
 value = module.restricted_shared_vpc_project.project_id
diff --git a/test/fixtures/projects/outputs.tf b/test/fixtures/projects/outputs.tf
index 1c1b1e917..47387bb1a 100644
--- a/test/fixtures/projects/outputs.tf
+++ b/test/fixtures/projects/outputs.tf
@@ -29,6 +29,11 @@ output "dev_bu1_project_peering" {
 value = module.projects_bu1_dev.peering_project
 }
+output "dev_bu1_network_peering" {
+ description = "Peer network peering resource."
+ value = module.projects_bu1_dev.peering_network
+}
+
 output "dev_bu1_project_restricted" {
 description = "Project sample restricted project."
 value = module.projects_bu1_dev.restricted_shared_vpc_project
@@ -64,7 +69,10 @@ output "dev_bu2_project_peering" {
 value = module.projects_bu2_dev.peering_project
 }
-
+output "dev_bu2_network_peering" {
+ description = "Peer network peering resource."
+ value = module.projects_bu2_dev.peering_network
+}
 output "dev_bu1_restricted_vpc_service_control_perimeter_name" {
 description = "VPC Service Control name."
@@ -101,6 +109,11 @@ output "nonprod_bu1_project_peering" {
 value = module.projects_bu1_nonprod.peering_project
 }
+output "nonprod_bu1_network_peering" {
+ description = "Peer network peering resource."
+ value = module.projects_bu1_nonprod.peering_network
+}
+
 output "nonprod_bu1_project_restricted" {
 description = "Project sample restricted project."
 value = module.projects_bu1_nonprod.restricted_shared_vpc_project
@@ -136,6 +149,11 @@ output "nonprod_bu2_project_peering" {
 value = module.projects_bu2_nonprod.peering_project
 }
+output "nonprod_bu2_network_peering" {
+ description = "Peer network peering resource."
+ value = module.projects_bu2_nonprod.peering_network
+}
+
 output "nonprod_bu1_restricted_vpc_service_control_perimeter_name" {
 description = "VPC Service Control name."
 value = module.projects_bu1_nonprod.vpc_service_control_perimeter_name
@@ -171,6 +189,11 @@ output "prod_bu1_project_peering" {
 value = module.projects_bu1_prod.peering_project
 }
+output "prod_bu1_network_peering" {
+ description = "Peer network peering resource."
+ value = module.projects_bu1_prod.peering_network
+}
+
 output "prod_bu1_project_restricted" {
 description = "Project sample restricted project."
 value = module.projects_bu1_prod.restricted_shared_vpc_project
@@ -206,6 +229,11 @@ output "prod_bu2_project_peering" {
 value = module.projects_bu2_prod.peering_project
 }
+output "prod_bu2_network_peering" {
+ description = "Peer network peering resource."
+ value = module.projects_bu2_prod.peering_network
+}
+
 output "prod_bu1_restricted_vpc_service_control_perimeter_name" {
 description = "VPC Service Control name."
 value = module.projects_bu1_prod.vpc_service_control_perimeter_name
diff --git a/test/integration/projects/controls/gcloud_projects.rb b/test/integration/projects/controls/gcloud_projects.rb
index d67cc52ac..a005bb5b7 100644
--- a/test/integration/projects/controls/gcloud_projects.rb
+++ b/test/integration/projects/controls/gcloud_projects.rb
@@ -14,33 +14,45 @@ dev_bu1_project_base = attribute('dev_bu1_project_base') dev_bu1_project_floating = attribute('dev_bu1_project_floating') +dev_bu1_project_peering = attribute('dev_bu1_project_peering') +dev_bu1_network_peering = attribute('dev_bu1_network_peering') dev_bu1_project_restricted_id = attribute('dev_bu1_project_restricted') dev_bu1_project_restricted_number = attribute('dev_bu1_project_restricted_number') dev_bu1_restricted_vpc_service_control_perimeter_name = attribute('dev_bu1_restricted_vpc_service_control_perimeter_name') dev_bu2_project_base = attribute('dev_bu2_project_base') dev_bu2_project_floating = attribute('dev_bu2_project_floating') +dev_bu2_project_peering = attribute('dev_bu2_project_peering') +dev_bu2_network_peering = attribute('dev_bu2_network_peering') dev_bu2_project_restricted_id = attribute('dev_bu2_project_restricted') dev_bu2_project_restricted_number = attribute('dev_bu2_project_restricted_number') dev_bu2_restricted_vpc_service_control_perimeter_name = attribute('dev_bu2_restricted_vpc_service_control_perimeter_name') nonprod_bu1_project_base = attribute('nonprod_bu1_project_base') nonprod_bu1_project_floating = attribute('nonprod_bu1_project_floating') +nonprod_bu1_project_peering = attribute('nonprod_bu1_project_peering') +nonprod_bu1_network_peering = attribute('nonprod_bu1_network_peering') nonprod_bu1_project_restricted_id = attribute('nonprod_bu1_project_restricted') nonprod_bu1_project_restricted_number = attribute('nonprod_bu1_project_restricted_number') nonprod_bu1_restricted_vpc_service_control_perimeter_name = attribute('nonprod_bu1_restricted_vpc_service_control_perimeter_name') nonprod_bu2_project_base = attribute('nonprod_bu2_project_base') nonprod_bu2_project_floating = attribute('nonprod_bu2_project_floating') +nonprod_bu2_project_peering = attribute('nonprod_bu2_project_peering') +nonprod_bu2_network_peering = attribute('nonprod_bu2_network_peering') nonprod_bu2_project_restricted_id = 
attribute('nonprod_bu2_project_restricted') nonprod_bu2_project_restricted_number = attribute('nonprod_bu2_project_restricted_number') nonprod_bu2_restricted_vpc_service_control_perimeter_name = attribute('nonprod_bu2_restricted_vpc_service_control_perimeter_name') prod_bu1_project_base = attribute('prod_bu1_project_base') prod_bu1_project_floating = attribute('prod_bu1_project_floating') +prod_bu1_project_peering = attribute('prod_bu1_project_peering') +prod_bu1_network_peering = attribute('prod_bu1_network_peering') prod_bu1_project_restricted_id = attribute('prod_bu1_project_restricted') prod_bu1_project_restricted_number = attribute('prod_bu1_project_restricted_number') prod_bu1_restricted_vpc_service_control_perimeter_name = attribute('prod_bu1_restricted_vpc_service_control_perimeter_name') prod_bu2_project_base = attribute('prod_bu2_project_base') prod_bu2_project_floating = attribute('prod_bu2_project_floating') +prod_bu2_project_peering = attribute('prod_bu2_project_peering') +prod_bu2_network_peering = attribute('prod_bu2_network_peering') prod_bu2_project_restricted_id = attribute('prod_bu2_project_restricted') prod_bu2_project_restricted_number = attribute('prod_bu2_project_restricted_number') prod_bu2_restricted_vpc_service_control_perimeter_name = attribute('prod_bu2_restricted_vpc_service_control_perimeter_name') 
@@ -80,12 +92,24 @@ 'p' => { 'bu1' => prod_bu1_project_floating, 'bu2' => prod_bu2_project_floating } } +peering_projects_id = { + 'd' => { 'bu1' => dev_bu1_project_peering, 'bu2' => dev_bu2_project_peering }, + 'n' => { 'bu1' => nonprod_bu1_project_peering, 'bu2' => nonprod_bu2_project_peering }, + 'p' => { 'bu1' => prod_bu1_project_peering, 'bu2' => prod_bu2_project_peering } +} + restricted_projects_number = { 'd' => { 'bu1' => dev_bu1_project_restricted_number, 'bu2' => dev_bu2_project_restricted_number }, 'n' => { 'bu1' => nonprod_bu1_project_restricted_number, 'bu2' => nonprod_bu2_project_restricted_number }, 'p' => { 'bu1' => prod_bu1_project_restricted_number, 'bu2' => prod_bu2_project_restricted_number } } +peering_networks = { + 'd' => { 'bu1' => dev_bu1_network_peering, 'bu2' => dev_bu2_network_peering }, + 'n' => { 'bu1' => nonprod_bu1_network_peering, 'bu2' => nonprod_bu2_network_peering }, + 'p' => { 'bu1' => prod_bu1_network_peering, 'bu2' => prod_bu2_network_peering } +} + control 'gcloud-projects' do title 'gcloud step 4-projects tests' environment_codes.each do |environment_code| @@ -195,6 +219,29 @@ end end end + + describe command("gcloud compute networks peerings list --project #{peering_projects_id[environment_code][business_unit]} --format=json") do + its(:exit_status) { should eq 0 } + its(:stderr) { should eq '' } + + let(:data) do + if subject.exit_status.zero? + JSON.parse(subject.stdout) + else + {} + end + end + + describe "Verifies if #{peering_projects_id[environment_code][business_unit]}" do + it 'has a network' do + expect(data).to_not be_empty + end + + it "has a peering with #{peering_networks[environment_code][business_unit]['network']}" do + expect(data[0]['peerings'][0]['network'].should eq peering_networks[environment_code][business_unit]['network']) + end + end + end end end end diff --git a/test/integration/projects/inspec.yml b/test/integration/projects/inspec.yml index 0dd01a4c6..04d098e6d 100644 
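Review bot: The assertion in the `it "has a peering with …"` example at the end of the `@@ -195` hunk is malformed: `expect(x.should eq y)` runs the old `should` matcher inside `expect(...)` and the outer `expect` never gets a matcher, so the example's outcome depends only on the inner call; the idiomatic form is `expect(data[0]['peerings'][0]['network']).to eq peering_networks[environment_code][business_unit]['network']`. The chained `[0]['peerings'][0]` also turns an un-peered network into a NoMethodError rather than a readable failure, since the `peerings` field may be absent from the gcloud JSON when a network has no peerings. Because this example is the only evidence that the peering exists, it is worth asserting the peering's `state` as well — a peering whose other side is not configured lists as INACTIVE and would otherwise pass. The `control 'gcloud-projects'` block and the `environment_code`/`business_unit` loops enclosing this `describe` start outside the hunk.
```ruby
      # … unchanged: describe command("gcloud compute networks peerings list …"), exit_status/stderr checks, let(:data) …
      describe "Verifies if #{peering_projects_id[environment_code][business_unit]}" do
        # … unchanged: 'has a network' example …

        it "has a peering with #{peering_networks[environment_code][business_unit]['network']}" do
          # `peerings` may be absent for an un-peered network; fail readably instead of NoMethodError
          peerings = data.dig(0, 'peerings') || []
          expect(peerings.map { |p| p['network'] }).to include(peering_networks[environment_code][business_unit]['network'])
        end

        it 'has only active peerings' do
          peerings = data.dig(0, 'peerings') || []
          expect(peerings.map { |p| p['state'] }).to all(eq('ACTIVE'))
        end
      end
```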
--- a/test/integration/projects/inspec.yml +++ b/test/integration/projects/inspec.yml @@ -12,6 +12,9 @@ attributes: - name: dev_bu1_project_peering required: true type: string + - name: dev_bu1_network_peering + required: true + type: hash - name: dev_bu1_project_restricted required: true type: string @@ -36,6 +39,9 @@ attributes: - name: dev_bu2_project_peering required: true type: string + - name: dev_bu2_network_peering + required: true + type: hash - name: dev_bu2_project_restricted required: true type: string @@ -57,6 +63,9 @@ attributes: - name: nonprod_bu1_project_peering required: true type: string + - name: nonprod_bu1_network_peering + required: true + type: hash - name: nonprod_bu1_project_restricted required: true type: string @@ -81,6 +90,9 @@ attributes: - name: nonprod_bu2_project_peering required: true type: string + - name: nonprod_bu2_network_peering + required: true + type: hash - name: nonprod_bu2_project_restricted required: true type: string @@ -102,6 +114,9 @@ attributes: - name: prod_bu1_project_peering required: true type: string + - name: prod_bu1_network_peering + required: true + type: hash - name: prod_bu1_project_restricted required: true type: string @@ -126,6 +141,9 @@ attributes: - name: prod_bu2_project_peering required: true type: string + - name: prod_bu2_network_peering + required: true + type: hash - name: prod_bu2_project_restricted required: true type: string From 2601bad46d14b167b059d85dab97bf369a480964 Mon Sep 17 00:00:00 2001 From: Amanda Karina Lopes de Oliveira Date: Mon, 28 Sep 2020 16:21:10 -0300 Subject: [PATCH 16/16] Increases build timeout --- build/int.cloudbuild.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index 4c45bd33a..6a65792c0 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml 
@@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -timeout: 3600s +timeout: 12600s steps: - id: prepare name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
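Review bot: The new `timeout: 12600s` carries no comment explaining why the integration build now needs 3.5 hours, and a build-level ceiling that large means a hung step is only reported after the whole window elapses. Add a why-comment above the line, e.g. `# 3.5h: <which stage grew and why>` filled in with the actual reason (the commit message only says the timeout was increased), and consider a per-step `timeout:` on the slowest step so a stuck step fails fast instead of consuming the full budget.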