diff --git a/3-networks/README.md b/3-networks/README.md index 155c2d0de..7695100f0 100644 --- a/3-networks/README.md +++ b/3-networks/README.md @@ -1,6 +1,6 @@ # 3-networks -The purpose of this step is to : +The purpose of this step is to: - Setup the global [DNS Hub](https://cloud.google.com/blog/products/networking/cloud-forwarding-peering-and-zones). - Setup base and restricted shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, onprem dedicated interconnect and baseline firewall rules for each environment. @@ -35,7 +35,7 @@ If you are not able to use dedicated interconnect, you can also use an HA VPN to ### Setup to run via Cloud Build 1. Clone repo `gcloud source repos clone gcp-networks --project=YOUR_CLOUD_BUILD_PROJECT_ID` -1. Change freshly cloned repo and change to non master branch `git checkout -b plan` +1. Change to the freshly cloned repo and change to non-master branch `git checkout -b plan` 1. Copy contents of foundation to new repo `cp -RT ../terraform-example-foundation/3-networks/ .` (modify accordingly based on your current directory). 1. Copy cloud build configuration files for terraform `cp ../terraform-example-foundation/build/cloudbuild-tf-* . ` (modify accordingly based on your current directory) 1. Copy terraform wrapper script `cp ../terraform-example-foundation/build/tf-wrapper.sh . ` to the root of your new repository (modify accordingly based on your current directory). 
@@ -55,7 +55,7 @@ If you are not able to use dedicated interconnect, you can also use an HA VPN to 1. Review the plan output in your cloud build project https://console.cloud.google.com/cloud-build/builds?project=YOUR_CLOUD_BUILD_PROJECT_ID 1. Merge changes to production with `git checkout -b production` and `git push origin production` 1. Review the apply output in your cloud build project https://console.cloud.google.com/cloud-build/builds?project=YOUR_CLOUD_BUILD_PROJECT_ID -1. After production has been applied apply development and non-production +1. After production has been applied, apply development and non-production 1. Merge changes to development with `git checkout -b development` and `git push origin development` 1. Review the apply output in your cloud build project https://console.cloud.google.com/cloud-build/builds?project=YOUR_CLOUD_BUILD_PROJECT_ID 1. Merge changes to non-production with `git checkout -b non-production` and `git push origin non-production` @@ -90,7 +90,7 @@ If you are not able to use dedicated interconnect, you can also use an HA VPN to 1. Review the plan output in your Master's web UI. 1. Merge changes to production branch with `git checkout -b production` and `git push origin production` 1. Review the apply output in your Master's web UI (You might want to use the option to "Scan Multibranch Pipeline Now" in your Jenkins Master UI). -1. After production has been applied apply development and non-production +1. After production has been applied, apply development and non-production 1. Merge changes to development with `git checkout -b development` and `git push origin development` 1. Review the apply output in your Master's web UI (You might want to use the option to "Scan Multibranch Pipeline Now" in your Jenkins Master UI). 1. Merge changes to non-production with `git checkout -b non-production` and `git push origin non-production` 
@@ -108,7 +108,7 @@ If you are not able to use dedicated interconnect, you can also use an HA VPN to 1. Rename access_context.auto.example.tfvars to access_context.auto.tfvars and update the file with the access_context_manager_policy_id. 1. Update backend.tf with your bucket from bootstrap. You can run ```for i in `find -name 'backend.tf'`; do sed -i 's/UPDATE_ME//' $i; done```. -You can run `terraform output gcs_bucket_tfstate` in the 0-bootstap folder to obtain the bucket name. +You can run `terraform output gcs_bucket_tfstate` in the 0-bootstrap folder to obtain the bucket name. We will now deploy each of our environments(development/production/non-production) using this script. When using Cloud Build or Jenkins as your CI/CD tool each environment corresponds to a branch in the repository for 3-networks step diff --git a/3-networks/envs/development/README.md b/3-networks/envs/development/README.md index 48850d39d..91f23c2cd 100644 --- a/3-networks/envs/development/README.md +++ b/3-networks/envs/development/README.md @@ -21,7 +21,7 @@ The purpose of this step is to set up base and restricted shared VPCs with defau | dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for VPC DNS. | `bool` | `true` | no | | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no | | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes | -| firewall\_enable\_logging | Toggle firewall logginglogging for VPC Firewalls. | `bool` | `true` | no | +| firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no | | nat\_bgp\_asn | BGP ASN for first NAT cloud routes. | `number` | `64514` | no | | nat\_enabled | Toggle creation of NAT cloud router. | `bool` | `false` | no | | nat\_num\_addresses | Number of external IPs to reserve for Cloud NAT. | `number` | `2` | no | 
@@ -30,7 +30,7 @@ The purpose of this step is to set up base and restricted shared VPCs with defau | optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | `bool` | `false` | no | | org\_id | Organization ID | `string` | n/a | yes | | parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no | -| subnetworks\_enable\_logging | Toggle subnetworks flow logging for VPC Subnetwoks. | `bool` | `true` | no | +| subnetworks\_enable\_logging | Toggle subnetworks flow logging for VPC Subnetworks. | `bool` | `true` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform. | `string` | n/a | yes | | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no | diff --git a/3-networks/envs/development/main.tf b/3-networks/envs/development/main.tf index c811a866e..47e420917 100644 --- a/3-networks/envs/development/main.tf +++ b/3-networks/envs/development/main.tf @@ -19,7 +19,7 @@ locals { env = "development" restricted_project_id = data.google_projects.restricted_host_project.projects[0].project_id restricted_project_number = data.google_project.restricted_host_project.number - base_project_id = data.google_projects.base_project.projects[0].project_id + base_project_id = data.google_projects.base_host_project.projects[0].project_id parent_id = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}" } 
@@ -40,7 +40,7 @@ data "google_project" "restricted_host_project" { project_id = data.google_projects.restricted_host_project.projects[0].project_id } -data "google_projects" "base_project" { +data "google_projects" "base_host_project" { filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=base-shared-vpc-host labels.environment=${local.env} lifecycleState=ACTIVE" } @@ -149,9 +149,10 @@ module "base_shared_vpc" { } ] secondary_ranges = { - "sb-${local.environment_code}-shared-base-${var.default_region1}" = [{ - range_name = "rn-${local.environment_code}-shared-base-${var.default_region1}-gke-pod" - ip_cidr_range = "192.168.96.0/19" + "sb-${local.environment_code}-shared-base-${var.default_region1}" = [ + { + range_name = "rn-${local.environment_code}-shared-base-${var.default_region1}-gke-pod" + ip_cidr_range = "192.168.96.0/19" }, { range_name = "rn-${local.environment_code}-shared-base-${var.default_region1}-gke-svc" diff --git a/3-networks/envs/development/variables.tf b/3-networks/envs/development/variables.tf index a5e1aa3a2..71c5cd081 100644 --- a/3-networks/envs/development/variables.tf +++ b/3-networks/envs/development/variables.tf @@ -52,13 +52,13 @@ variable "dns_enable_logging" { variable "subnetworks_enable_logging" { type = bool - description = "Toggle subnetworks flow logging for VPC Subnetwoks." + description = "Toggle subnetworks flow logging for VPC Subnetworks." default = true } variable "firewall_enable_logging" { type = bool - description = "Toggle firewall logginglogging for VPC Firewalls." + description = "Toggle firewall logging for VPC Firewalls." default = true } diff --git a/3-networks/envs/non-production/README.md b/3-networks/envs/non-production/README.md index dd8f96f85..0cf10fa0e 100644 --- a/3-networks/envs/non-production/README.md +++ b/3-networks/envs/non-production/README.md 
@@ -21,7 +21,7 @@ The purpose of this step is to set up base and restricted shared VPCs with defau | dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for VPC DNS. | `bool` | `true` | no | | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no | | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes | -| firewall\_enable\_logging | Toggle firewall logginglogging for VPC Firewalls. | `bool` | `true` | no | +| firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no | | nat\_bgp\_asn | BGP ASN for first NAT cloud routes. | `number` | `64514` | no | | nat\_enabled | Toggle creation of NAT cloud router. | `bool` | `false` | no | | nat\_num\_addresses | Number of external IPs to reserve for Cloud NAT. | `number` | `2` | no | @@ -30,7 +30,7 @@ The purpose of this step is to set up base and restricted shared VPCs with defau | optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | `bool` | `false` | no | | org\_id | Organization ID | `string` | n/a | yes | | parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no | -| subnetworks\_enable\_logging | Toggle subnetworks flow logging for VPC Subnetwoks. | `bool` | `true` | no | +| subnetworks\_enable\_logging | Toggle subnetworks flow logging for VPC Subnetworks. | `bool` | `true` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform. | `string` | n/a | yes | | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no | diff --git a/3-networks/envs/non-production/main.tf b/3-networks/envs/non-production/main.tf index 34ac1f747..056575ca2 100644 --- a/3-networks/envs/non-production/main.tf +++ b/3-networks/envs/non-production/main.tf 
@@ -92,13 +92,13 @@ module "restricted_shared_vpc" { } ] secondary_ranges = { - "sb-${local.environment_code}-shared-restricted-${var.default_region2}" = [ + "sb-${local.environment_code}-shared-restricted-${var.default_region1}" = [ { - range_name = "rn-${local.environment_code}-shared-restricted-${var.default_region2}-gke-pod" + range_name = "rn-${local.environment_code}-shared-restricted-${var.default_region1}-gke-pod" ip_cidr_range = "192.168.0.0/19" }, { - range_name = "rn-${local.environment_code}-shared-restricted-${var.default_region2}-gke-svc" + range_name = "rn-${local.environment_code}-shared-restricted-${var.default_region1}-gke-svc" ip_cidr_range = "192.168.32.0/23" } ] @@ -106,7 +106,7 @@ module "restricted_shared_vpc" { } /****************************************** - Private shared VPC + Base shared VPC *****************************************/ module "base_shared_vpc" { diff --git a/3-networks/envs/non-production/variables.tf b/3-networks/envs/non-production/variables.tf index a5e1aa3a2..71c5cd081 100644 --- a/3-networks/envs/non-production/variables.tf +++ b/3-networks/envs/non-production/variables.tf @@ -52,13 +52,13 @@ variable "dns_enable_logging" { variable "subnetworks_enable_logging" { type = bool - description = "Toggle subnetworks flow logging for VPC Subnetwoks." + description = "Toggle subnetworks flow logging for VPC Subnetworks." default = true } variable "firewall_enable_logging" { type = bool - description = "Toggle firewall logginglogging for VPC Firewalls." + description = "Toggle firewall logging for VPC Firewalls." default = true } diff --git a/3-networks/envs/production/README.md b/3-networks/envs/production/README.md index e0aa5f0e1..f27f4964f 100644 --- a/3-networks/envs/production/README.md +++ b/3-networks/envs/production/README.md 
@@ -21,7 +21,7 @@ The purpose of this step is to set up base and restricted shared VPCs with defau | dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for VPC DNS. | `bool` | `true` | no | | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no | | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes | -| firewall\_enable\_logging | Toggle firewall logginglogging for VPC Firewalls. | `bool` | `true` | no | +| firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no | | nat\_bgp\_asn | BGP ASN for first NAT cloud routes. | `number` | `64514` | no | | nat\_enabled | Toggle creation of NAT cloud router. | `bool` | `false` | no | | nat\_num\_addresses | Number of external IPs to reserve for Cloud NAT. | `number` | `2` | no | @@ -30,7 +30,7 @@ The purpose of this step is to set up base and restricted shared VPCs with defau | optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | `bool` | `false` | no | | org\_id | Organization ID | `string` | n/a | yes | | parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no | -| subnetworks\_enable\_logging | Toggle subnetworks flow logging for VPC Subnetwoks. | `bool` | `true` | no | +| subnetworks\_enable\_logging | Toggle subnetworks flow logging for VPC Subnetworks. | `bool` | `true` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform. | `string` | n/a | yes | | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no | diff --git a/3-networks/envs/production/main.tf b/3-networks/envs/production/main.tf index 2a66992a0..fba7149ad 100644 --- a/3-networks/envs/production/main.tf +++ b/3-networks/envs/production/main.tf 
@@ -105,7 +105,7 @@ module "restricted_shared_vpc" { } /****************************************** - Private shared VPC + Base shared VPC *****************************************/ module "base_shared_vpc" { @@ -149,9 +149,10 @@ module "base_shared_vpc" { } ] secondary_ranges = { - "sb-${local.environment_code}-shared-base-${var.default_region1}" = [{ - range_name = "rn-${local.environment_code}-shared-base-${var.default_region1}-gke-pod" - ip_cidr_range = "192.168.96.0/19" + "sb-${local.environment_code}-shared-base-${var.default_region1}" = [ + { + range_name = "rn-${local.environment_code}-shared-base-${var.default_region1}-gke-pod" + ip_cidr_range = "192.168.96.0/19" }, { range_name = "rn-${local.environment_code}-shared-base-${var.default_region1}-gke-svc" diff --git a/3-networks/envs/production/variables.tf b/3-networks/envs/production/variables.tf index f4f4020fa..d75c934bd 100644 --- a/3-networks/envs/production/variables.tf +++ b/3-networks/envs/production/variables.tf @@ -52,13 +52,13 @@ variable "dns_enable_logging" { variable "subnetworks_enable_logging" { type = bool - description = "Toggle subnetworks flow logging for VPC Subnetwoks." + description = "Toggle subnetworks flow logging for VPC Subnetworks." default = true } variable "firewall_enable_logging" { type = bool - description = "Toggle firewall logginglogging for VPC Firewalls." + description = "Toggle firewall logging for VPC Firewalls." default = true } variable "dns_enable_inbound_forwarding" {
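Review bot: In the 3-networks/README.md hunk at @@ -35, the reworded step still reads "Change to the freshly cloned repo and change to non-master branch", which repeats "change" and drops the article; suggest "Change into the freshly cloned repo and check out a non-master branch `git checkout -b plan`".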
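Review bot: In the 3-networks/README.md hunk at @@ -108, the 0-bootstrap spelling fix is fine, but the unchanged line above it tells the reader to run `sed -i 's/UPDATE_ME//' $i`, which deletes the `UPDATE_ME` placeholder rather than substituting the bucket name the next sentence says to obtain with `terraform output gcs_bucket_tfstate`; since this paragraph is being touched, consider correcting the command to substitute the bucket name (or stating explicitly that the bucket name must be filled in by hand).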
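Review bot: In the 3-networks/envs/development/main.tf hunks at @@ -19 and @@ -40, the data source is renamed from `base_project` to `base_host_project` and the single reference in `locals` is updated, but there is no matching hunk for non-production or production main.tf; please confirm those files already use `base_host_project` so the three environments stay identical, and check the rest of development/main.tf for any other `data.google_projects.base_project` reference that would now fail to resolve.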
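Review bot: The 3-networks/envs/non-production/main.tf hunk at @@ -92 is a behavioural change, not a typo fix: the secondary ranges 192.168.0.0/19 and 192.168.32.0/23 are moved from the `default_region2` restricted subnet to the `default_region1` subnet. On an existing deployment Terraform will remove the ranges from one subnet and add them to the other, which is disruptive if anything (for example a GKE cluster) already uses them; call this out in the PR description, and confirm that development and production already key these restricted ranges on `default_region1` and that the region1 subnet's primary range does not overlap these CIDRs.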
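Review bot: The "Private shared VPC" to "Base shared VPC" header fix appears in the non-production (@@ -106) and production (@@ -105) main.tf hunks, but there is no corresponding hunk for development/main.tf; check whether that file still carries the old header so the three environments read the same.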
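Review bot: The secondary_ranges change in the development and production main.tf hunks at @@ -149 is whitespace-only and brings those files to the multi-line form non-production already uses; consider adding a `terraform fmt -check` step to CI so the environment files do not drift again.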