terraform-google-modules · rjerrems · Dec 15, 2020 · Dec 10, 2020 · Dec 14, 2020 · rjerrems
@@ -1,6 +1,6 @@
 # 3-networks
 
-The purpose of this step is to :
+The purpose of this step is to:
 
 - Setup the global [DNS Hub](https://cloud.google.com/blog/products/networking/cloud-forwarding-peering-and-zones).
 - Setup base and restricted shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, onprem dedicated interconnect and baseline firewall rules for each environment.
@@ -35,7 +35,7 @@ If you are not able to use dedicated interconnect, you can also use an HA VPN to
 ### Setup to run via Cloud Build
 
 1. Clone repo `gcloud source repos clone gcp-networks --project=YOUR_CLOUD_BUILD_PROJECT_ID`
-1. Change freshly cloned repo and change to non master branch `git checkout -b plan`
+1. Change to the freshly cloned repo and change to non-master branch `git checkout -b plan`
 1. Copy contents of foundation to new repo `cp -RT ../terraform-example-foundation/3-networks/ .` (modify accordingly based on your current directory).
 1. Copy cloud build configuration files for terraform `cp ../terraform-example-foundation/build/cloudbuild-tf-* . ` (modify accordingly based on your current directory)
 1. Copy terraform wrapper script `cp ../terraform-example-foundation/build/tf-wrapper.sh . ` to the root of your new repository (modify accordingly based on your current directory).
@@ -55,7 +55,7 @@ If you are not able to use dedicated interconnect, you can also use an HA VPN to
     1. Review the plan output in your cloud build project https://console.cloud.google.com/cloud-build/builds?project=YOUR_CLOUD_BUILD_PROJECT_ID
 1. Merge changes to production with `git checkout -b production` and `git push origin production`
     1. Review the apply output in your cloud build project https://console.cloud.google.com/cloud-build/builds?project=YOUR_CLOUD_BUILD_PROJECT_ID
-1. After production has been applied apply development and non-production
+1. After production has been applied, apply development and non-production
 1. Merge changes to development with `git checkout -b development` and `git push origin development`
     1. Review the apply output in your cloud build project https://console.cloud.google.com/cloud-build/builds?project=YOUR_CLOUD_BUILD_PROJECT_ID
 1. Merge changes to non-production with `git checkout -b non-production` and `git push origin non-production`
@@ -90,7 +90,7 @@ If you are not able to use dedicated interconnect, you can also use an HA VPN to
     1. Review the plan output in your Master's web UI.
 1. Merge changes to production branch with `git checkout -b production` and `git push origin production`
     1. Review the apply output in your Master's web UI (You might want to use the option to "Scan Multibranch Pipeline Now" in your Jenkins Master UI).
-1. After production has been applied apply development and non-production
+1. After production has been applied, apply development and non-production
 1. Merge changes to development with `git checkout -b development` and `git push origin development`
     1. Review the apply output in your Master's web UI (You might want to use the option to "Scan Multibranch Pipeline Now" in your Jenkins Master UI).
 1. Merge changes to non-production with `git checkout -b non-production` and `git push origin non-production`
@@ -108,7 +108,7 @@ If you are not able to use dedicated interconnect, you can also use an HA VPN to
 1. Rename access_context.auto.example.tfvars to access_context.auto.tfvars and update the file with the access_context_manager_policy_id.
 1. Update backend.tf with your bucket from bootstrap. You can run
 ```for i in `find -name 'backend.tf'`; do sed -i 's/UPDATE_ME/<YOUR-BUCKET-NAME>/' $i; done```.
-You can run `terraform output gcs_bucket_tfstate` in the 0-bootstap folder to obtain the bucket name.
+You can run `terraform output gcs_bucket_tfstate` in the 0-bootstrap folder to obtain the bucket name.
 
 We will now deploy each of our environments(development/production/non-production) using this script.
 When using Cloud Build or Jenkins as your CI/CD tool each environment corresponds to a branch in the repository for 3-networks step

@@ -21,7 +21,7 @@ The purpose of this step is to set up base and restricted shared VPCs with defau
 | dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for VPC DNS. | `bool` | `true` | no |
 | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no |
 | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes |
-| firewall\_enable\_logging | Toggle firewall logginglogging for VPC Firewalls. | `bool` | `true` | no |
+| firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no |
 | nat\_bgp\_asn | BGP ASN for first NAT cloud routes. | `number` | `64514` | no |
 | nat\_enabled | Toggle creation of NAT cloud router. | `bool` | `false` | no |
 | nat\_num\_addresses | Number of external IPs to reserve for Cloud NAT. | `number` | `2` | no |
@@ -30,7 +30,7 @@ The purpose of this step is to set up base and restricted shared VPCs with defau
 | optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | `bool` | `false` | no |
 | org\_id | Organization ID | `string` | n/a | yes |
 | parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no |
-| subnetworks\_enable\_logging | Toggle subnetworks flow logging for VPC Subnetwoks. | `bool` | `true` | no |
+| subnetworks\_enable\_logging | Toggle subnetworks flow logging for VPC Subnetworks. | `bool` | `true` | no |
 | terraform\_service\_account | Service account email of the account to impersonate to run Terraform. | `string` | n/a | yes |
 | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no |
 

@@ -19,7 +19,7 @@ locals {
   env                       = "development"
   restricted_project_id     = data.google_projects.restricted_host_project.projects[0].project_id
   restricted_project_number = data.google_project.restricted_host_project.number
-  base_project_id           = data.google_projects.base_project.projects[0].project_id
+  base_project_id           = data.google_projects.base_host_project.projects[0].project_id
   parent_id                 = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}"
 }
 
@@ -40,7 +40,7 @@ data "google_project" "restricted_host_project" {
   project_id = data.google_projects.restricted_host_project.projects[0].project_id
 }
 
-data "google_projects" "base_project" {
+data "google_projects" "base_host_project" {
   filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=base-shared-vpc-host labels.environment=${local.env} lifecycleState=ACTIVE"
 }
 
@@ -105,7 +105,7 @@ module "restricted_shared_vpc" {
 }
 
 /******************************************
- Base shared VPC
+ Private shared VPC
 *****************************************/
 
 module "base_shared_vpc" {
@@ -149,9 +149,10 @@ module "base_shared_vpc" {
     }
   ]
   secondary_ranges = {
-    "sb-${local.environment_code}-shared-base-${var.default_region1}" = [{
-      range_name    = "rn-${local.environment_code}-shared-base-${var.default_region1}-gke-pod"
-      ip_cidr_range = "192.168.96.0/19"
+    "sb-${local.environment_code}-shared-base-${var.default_region1}" = [
+      {
+        range_name    = "rn-${local.environment_code}-shared-base-${var.default_region1}-gke-pod"
+        ip_cidr_range = "192.168.96.0/19"
       },
       {
         range_name    = "rn-${local.environment_code}-shared-base-${var.default_region1}-gke-svc"

@@ -52,13 +52,13 @@ variable "dns_enable_logging" {
 
 variable "subnetworks_enable_logging" {
   type        = bool
-  description = "Toggle subnetworks flow logging for VPC Subnetwoks."
+  description = "Toggle subnetworks flow logging for VPC Subnetworks."
   default     = true
 }
 
 variable "firewall_enable_logging" {
   type        = bool
-  description = "Toggle firewall logginglogging for VPC Firewalls."
+  description = "Toggle firewall logging for VPC Firewalls."
   default     = true
 }
 

@@ -21,7 +21,7 @@ The purpose of this step is to set up base and restricted shared VPCs with defau
 | dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for VPC DNS. | `bool` | `true` | no |
 | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no |
 | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes |
-| firewall\_enable\_logging | Toggle firewall logginglogging for VPC Firewalls. | `bool` | `true` | no |
+| firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no |
 | nat\_bgp\_asn | BGP ASN for first NAT cloud routes. | `number` | `64514` | no |
 | nat\_enabled | Toggle creation of NAT cloud router. | `bool` | `false` | no |
 | nat\_num\_addresses | Number of external IPs to reserve for Cloud NAT. | `number` | `2` | no |
@@ -30,7 +30,7 @@ The purpose of this step is to set up base and restricted shared VPCs with defau
 | optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | `bool` | `false` | no |
 | org\_id | Organization ID | `string` | n/a | yes |
 | parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no |
-| subnetworks\_enable\_logging | Toggle subnetworks flow logging for VPC Subnetwoks. | `bool` | `true` | no |
+| subnetworks\_enable\_logging | Toggle subnetworks flow logging for VPC Subnetworks. | `bool` | `true` | no |
 | terraform\_service\_account | Service account email of the account to impersonate to run Terraform. | `string` | n/a | yes |
 | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no |
 

@@ -92,13 +92,13 @@ module "restricted_shared_vpc" {
     }
   ]
   secondary_ranges = {
-    "sb-${local.environment_code}-shared-restricted-${var.default_region2}" = [
+    "sb-${local.environment_code}-shared-restricted-${var.default_region1}" = [
       {
-        range_name    = "rn-${local.environment_code}-shared-restricted-${var.default_region2}-gke-pod"
+        range_name    = "rn-${local.environment_code}-shared-restricted-${var.default_region1}-gke-pod"
         ip_cidr_range = "192.168.0.0/19"
       },
       {
-        range_name    = "rn-${local.environment_code}-shared-restricted-${var.default_region2}-gke-svc"
+        range_name    = "rn-${local.environment_code}-shared-restricted-${var.default_region1}-gke-svc"
         ip_cidr_range = "192.168.32.0/23"
       }
     ]

@@ -52,13 +52,13 @@ variable "dns_enable_logging" {
 
 variable "subnetworks_enable_logging" {
   type        = bool
-  description = "Toggle subnetworks flow logging for VPC Subnetwoks."
+  description = "Toggle subnetworks flow logging for VPC Subnetworks."
   default     = true
 }
 
 variable "firewall_enable_logging" {
   type        = bool
-  description = "Toggle firewall logginglogging for VPC Firewalls."
+  description = "Toggle firewall logging for VPC Firewalls."
   default     = true
 }
 

@@ -21,7 +21,7 @@ The purpose of this step is to set up base and restricted shared VPCs with defau
 | dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for VPC DNS. | `bool` | `true` | no |
 | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no |
 | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes |
-| firewall\_enable\_logging | Toggle firewall logginglogging for VPC Firewalls. | `bool` | `true` | no |
+| firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no |
 | nat\_bgp\_asn | BGP ASN for first NAT cloud routes. | `number` | `64514` | no |
 | nat\_enabled | Toggle creation of NAT cloud router. | `bool` | `false` | no |
 | nat\_num\_addresses | Number of external IPs to reserve for Cloud NAT. | `number` | `2` | no |
@@ -30,7 +30,7 @@ The purpose of this step is to set up base and restricted shared VPCs with defau
 | optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | `bool` | `false` | no |
 | org\_id | Organization ID | `string` | n/a | yes |
 | parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no |
-| subnetworks\_enable\_logging | Toggle subnetworks flow logging for VPC Subnetwoks. | `bool` | `true` | no |
+| subnetworks\_enable\_logging | Toggle subnetworks flow logging for VPC Subnetworks. | `bool` | `true` | no |
 | terraform\_service\_account | Service account email of the account to impersonate to run Terraform. | `string` | n/a | yes |
 | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no |
 

@@ -149,9 +149,10 @@ module "base_shared_vpc" {
     }
   ]
   secondary_ranges = {
-    "sb-${local.environment_code}-shared-base-${var.default_region1}" = [{
-      range_name    = "rn-${local.environment_code}-shared-base-${var.default_region1}-gke-pod"
-      ip_cidr_range = "192.168.96.0/19"
+    "sb-${local.environment_code}-shared-base-${var.default_region1}" = [
+      {
+        range_name    = "rn-${local.environment_code}-shared-base-${var.default_region1}-gke-pod"
+        ip_cidr_range = "192.168.96.0/19"
       },
       {
         range_name    = "rn-${local.environment_code}-shared-base-${var.default_region1}-gke-svc"

@@ -52,13 +52,13 @@ variable "dns_enable_logging" {
 
 variable "subnetworks_enable_logging" {
   type        = bool
-  description = "Toggle subnetworks flow logging for VPC Subnetwoks."
+  description = "Toggle subnetworks flow logging for VPC Subnetworks."
   default     = true
 }
 
 variable "firewall_enable_logging" {
   type        = bool
-  description = "Toggle firewall logginglogging for VPC Firewalls."
+  description = "Toggle firewall logging for VPC Firewalls."
   default     = true
 }
 variable "dns_enable_inbound_forwarding" {