diff --git a/4-projects/business_unit_1/development/README.md b/4-projects/business_unit_1/development/README.md index 4b8ea0ac6..d986568dc 100644 --- a/4-projects/business_unit_1/development/README.md +++ b/4-projects/business_unit_1/development/README.md @@ -4,29 +4,16 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | access\_context\_manager\_policy\_id | The ID of the access context manager policy the perimeter lies in. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `string` | n/a | yes | -| alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` | `string` | `null` | no | -| alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded | `list(number)` |
[
0.5,
0.75,
0.9,
0.95
]
| no | | app\_infra\_pipeline\_cloudbuild\_sa | Cloud Build SA used for deploying infrastructure | `string` | n/a | yes | | billing\_account | The ID of the billing account to associated this project with | `string` | n/a | yes | -| budget\_amount | The amount to use as the budget | `number` | `1000` | no | | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no | -| firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no | | folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | -| gcs\_bucket\_prefix | Name prefix to be used for GCS Bucket | `string` | `"cmek-encrypted-bucket"` | no | -| key\_name | Name to be used for KMS Key | `string` | `"crypto-key-example"` | no | -| key\_rotation\_period | Rotation period in seconds to be used for KMS Key | `string` | `"7776000s"` | no | -| keyring\_name | Name to be used for KMS Keyring | `string` | `"sample-keyring"` | no | -| location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `"US"` | no | -| location\_kms | Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket) | `string` | `"us"` | no | -| optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | `bool` | `false` | no | | org\_id | The organization id for the associated services | `string` | n/a | yes | | parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no | | peering\_module\_depends\_on | List of modules or resources peering module depends on. 
| `list(any)` | `[]` | no | | perimeter\_name | Access context manager service perimeter name to attach the restricted svpc project. | `string` | n/a | yes | | project\_prefix | Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters. | `string` | `"prj"` | no | -| secrets\_prj\_suffix | Name suffix to use for secrets project created. | `string` | `"env-secrets"` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform | `string` | n/a | yes | -| windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no | ## Outputs diff --git a/4-projects/business_unit_1/development/example_floating_project.tf b/4-projects/business_unit_1/development/example_floating_project.tf deleted file mode 100644 index 878cd31f5..000000000 --- a/4-projects/business_unit_1/development/example_floating_project.tf +++ /dev/null 
@@ -1,36 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-module "floating_project" {
- source = "../../modules/single_project"
- impersonate_service_account = var.terraform_service_account
- org_id = var.org_id
- billing_account = var.billing_account
- folder_id = data.google_active_folder.env.name
- environment = "development"
- alert_spent_percents = var.alert_spent_percents
- alert_pubsub_topic = var.alert_pubsub_topic
- budget_amount = var.budget_amount
- project_prefix = var.project_prefix
-
- # Metadata
- project_suffix = "sample-floating"
- application_name = "bu1-sample-application"
- billing_code = "1234"
- primary_contact = "example@example.com"
- secondary_contact = "example2@example.com"
- business_code = "bu1"
-}
diff --git a/4-projects/business_unit_1/development/example_peering_project.tf b/4-projects/business_unit_1/development/example_peering_project.tf
deleted file mode 100644
index 08066eedd..000000000
--- a/4-projects/business_unit_1/development/example_peering_project.tf
+++ /dev/null
@@ -1,255 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -locals { - shared_vpc_mode = var.enable_hub_and_spoke ? "-spoke" : "" -} - -data "google_projects" "projects" { - filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=base-shared-vpc-host labels.environment=development lifecycleState=ACTIVE" -} - -data "google_compute_network" "shared_vpc" { - name = "vpc-d-shared-base${local.shared_vpc_mode}" - project = data.google_projects.projects.projects[0].project_id -} - -data "google_netblock_ip_ranges" "legacy_health_checkers" { - range_type = "legacy-health-checkers" -} - -data "google_netblock_ip_ranges" "health_checkers" { - range_type = "health-checkers" -} - -data "google_netblock_ip_ranges" "iap_forwarders" { - range_type = "iap-forwarders" -} - -module "peering_project" { - source = "../../modules/single_project" - impersonate_service_account = var.terraform_service_account - org_id = var.org_id - billing_account = var.billing_account - folder_id = data.google_active_folder.env.name - environment = "development" - project_prefix = var.project_prefix - - # Metadata - project_suffix = "sample-peering" - application_name = "bu1-sample-peering" - billing_code = "1234" - primary_contact = "example@example.com" - secondary_contact = "example2@example.com" - business_code = "bu1" -} - -module "peering_network" { - source = "terraform-google-modules/network/google" 
- version = "~> 3.0" - project_id = module.peering_project.project_id - network_name = "vpc-d-peering-base" - shared_vpc_host = "false" - delete_default_internet_gateway_routes = "true" - subnets = [] -} - -module "peering" { - source = "terraform-google-modules/network/google//modules/network-peering" - version = "~> 3.0" - prefix = "bu1-d" - local_network = module.peering_network.network_self_link - peer_network = data.google_compute_network.shared_vpc.self_link - module_depends_on = var.peering_module_depends_on -} - -/****************************************** - Mandatory firewall rules - *****************************************/ - -resource "google_compute_firewall" "deny_all_egress" { - name = "fw-d-peering-base-65535-e-d-all-all-tcp-udp" - network = module.peering_network.network_name - project = module.peering_project.project_id - direction = "EGRESS" - priority = 65535 - - dynamic "log_config" { - for_each = var.firewall_enable_logging == true ? [{ - metadata = "INCLUDE_ALL_METADATA" - }] : [] - - content { - metadata = log_config.value.metadata - } - } - - deny { - protocol = "tcp" - } - - deny { - protocol = "udp" - } - - destination_ranges = ["0.0.0.0/0"] -} - - -resource "google_compute_firewall" "allow_private_api_egress" { - name = "fw-d-peering-base-65534-e-a-allow-google-apis-all-tcp-443" - network = module.peering_network.network_name - project = module.peering_project.project_id - direction = "EGRESS" - priority = 65534 - - dynamic "log_config" { - for_each = var.firewall_enable_logging == true ? [{ - metadata = "INCLUDE_ALL_METADATA" - }] : [] - - content { - metadata = log_config.value.metadata - } - } - - allow { - protocol = "tcp" - ports = ["443"] - } - - destination_ranges = ["199.36.153.8/30"] - - target_tags = ["allow-google-apis"] -} - - -/****************************************** - Optional firewall rules - *****************************************/ - -// Allow SSH via IAP when using the allow-iap-ssh tag for Linux workloads. 
-resource "google_compute_firewall" "allow_iap_ssh" { - count = var.optional_fw_rules_enabled ? 1 : 0 - name = "fw-d-peering-base-1000-i-a-all-allow-iap-ssh-tcp-22" - network = module.peering_network.network_name - project = module.peering_project.project_id - - dynamic "log_config" { - for_each = var.firewall_enable_logging == true ? [{ - metadata = "INCLUDE_ALL_METADATA" - }] : [] - - content { - metadata = log_config.value.metadata - } - } - - // Cloud IAP's TCP forwarding netblock - source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4) - - allow { - protocol = "tcp" - ports = ["22"] - } - - target_tags = ["allow-iap-ssh"] -} - -// Allow RDP via IAP when using the allow-iap-rdp tag for Windows workloads. -resource "google_compute_firewall" "allow_iap_rdp" { - count = var.optional_fw_rules_enabled ? 1 : 0 - name = "fw-d-peering-base-1000-i-a-all-allow-iap-rdp-tcp-3389" - network = module.peering_network.network_name - project = module.peering_project.project_id - - dynamic "log_config" { - for_each = var.firewall_enable_logging == true ? [{ - metadata = "INCLUDE_ALL_METADATA" - }] : [] - - content { - metadata = log_config.value.metadata - } - } - - // Cloud IAP's TCP forwarding netblock - source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4) - - allow { - protocol = "tcp" - ports = ["3389"] - } - - target_tags = ["allow-iap-rdp"] -} - -// Allow access to kms.windows.googlecloud.com for Windows license activation -resource "google_compute_firewall" "allow_windows_activation" { - count = var.windows_activation_enabled ? 1 : 0 - name = "fw-d-peering-base-0-e-a-allow-win-activation-all-tcp-1688" - network = module.peering_network.network_name - project = module.peering_project.project_id - direction = "EGRESS" - priority = 0 - - dynamic "log_config" { - for_each = var.firewall_enable_logging == true ? 
[{ - metadata = "INCLUDE_ALL_METADATA" - }] : [] - - content { - metadata = log_config.value.metadata - } - } - - allow { - protocol = "tcp" - ports = ["1688"] - } - - destination_ranges = ["35.190.247.13/32"] - - target_tags = ["allow-win-activation"] -} - -// Allow traffic for Internal & Global load balancing health check and load balancing IP ranges. -resource "google_compute_firewall" "allow_lb" { - count = var.optional_fw_rules_enabled ? 1 : 0 - name = "fw-d-peering-base-1000-i-a-all-allow-lb-tcp-80-8080-443" - network = module.peering_network.network_name - project = module.peering_project.project_id - - dynamic "log_config" { - for_each = var.firewall_enable_logging == true ? [{ - metadata = "INCLUDE_ALL_METADATA" - }] : [] - - content { - metadata = log_config.value.metadata - } - } - - source_ranges = concat(data.google_netblock_ip_ranges.health_checkers.cidr_blocks_ipv4, data.google_netblock_ip_ranges.legacy_health_checkers.cidr_blocks_ipv4) - - // Allow common app ports by default. - allow { - protocol = "tcp" - ports = ["80", "8080", "443"] - } - - target_tags = ["allow-lb"] -} diff --git a/4-projects/business_unit_1/development/example_restricted_shared_vpc_project.tf b/4-projects/business_unit_1/development/example_restricted_shared_vpc_project.tf deleted file mode 100644 index e45d1f718..000000000 --- a/4-projects/business_unit_1/development/example_restricted_shared_vpc_project.tf +++ /dev/null 
@@ -1,42 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-module "restricted_shared_vpc_project" {
- source = "../../modules/single_project"
- impersonate_service_account = var.terraform_service_account
- org_id = var.org_id
- billing_account = var.billing_account
- folder_id = data.google_active_folder.env.name
- environment = "development"
- vpc_type = "restricted"
- alert_spent_percents = var.alert_spent_percents
- alert_pubsub_topic = var.alert_pubsub_topic
- budget_amount = var.budget_amount
- project_prefix = var.project_prefix
- enable_hub_and_spoke = var.enable_hub_and_spoke
-
- activate_apis = ["accesscontextmanager.googleapis.com"]
- vpc_service_control_attach_enabled = "true"
- vpc_service_control_perimeter_name = "accessPolicies/${var.access_context_manager_policy_id}/servicePerimeters/${var.perimeter_name}"
-
- # Metadata
- project_suffix = "sample-restrict"
- application_name = "bu1-sample-application"
- billing_code = "1234"
- primary_contact = "example@example.com"
- secondary_contact = "example2@example.com"
- business_code = "bu1"
-}
diff --git a/4-projects/business_unit_1/development/example_storage_cmek.tf b/4-projects/business_unit_1/development/example_storage_cmek.tf
deleted file mode 100644
index f6ba1de4d..000000000
--- a/4-projects/business_unit_1/development/example_storage_cmek.tf
+++ /dev/null
@@ -1,79 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-module "env_secrets_project" {
- source = "../../modules/single_project"
- impersonate_service_account = var.terraform_service_account
- org_id = var.org_id
- billing_account = var.billing_account
- folder_id = data.google_active_folder.env.name
- environment = "development"
- alert_spent_percents = var.alert_spent_percents
- alert_pubsub_topic = var.alert_pubsub_topic
- budget_amount = var.budget_amount
- project_suffix = var.secrets_prj_suffix
- project_prefix = var.project_prefix
-
- activate_apis = ["logging.googleapis.com", "secretmanager.googleapis.com", "cloudkms.googleapis.com"]
-
- # Metadata
- application_name = "bu1-sample-application"
- billing_code = "1234"
- primary_contact = "example@example.com"
- secondary_contact = "example2@example.com"
- business_code = "bu1"
-}
-
-data "google_storage_project_service_account" "gcs_account" {
- project = module.base_shared_vpc_project.project_id
-}
-
-module "kms" {
- source = "terraform-google-modules/kms/google"
- version = "~> 1.2"
-
- project_id = module.env_secrets_project.project_id
- keyring = var.keyring_name
- location = var.location_kms
- keys = [var.key_name]
- key_rotation_period = var.key_rotation_period
- encrypters = ["serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"]
- set_encrypters_for = [var.key_name]
- decrypters = ["serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"]
- set_decrypters_for = [var.key_name]
- prevent_destroy = "false"
-}
-
-resource "random_string" "bucket_name" {
- length = 5
- upper = false
- number = true
- lower = true
- special = false
-}
-
-module "gcs_buckets" {
- depends_on = [module.kms]
- source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
- version = "~> 1.7"
- project_id = module.base_shared_vpc_project.project_id
- location = var.location_gcs
- name = "${var.gcs_bucket_prefix}-${lower(var.location_gcs)}-${random_string.bucket_name.result}"
- bucket_policy_only = true
- encryption = {
- default_kms_key_name = module.kms.keys[var.key_name]
- }
-}
diff --git a/4-projects/business_unit_1/development/folder.tf b/4-projects/business_unit_1/development/folder.tf
deleted file mode 100644
index 405c9a814..000000000
--- a/4-projects/business_unit_1/development/folder.tf
+++ /dev/null
@@ -1,21 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-data "google_active_folder" "env" {
- display_name = "${var.folder_prefix}-development"
- parent = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}"
-}
-
diff --git a/4-projects/business_unit_1/development/main.tf b/4-projects/business_unit_1/development/main.tf
new file mode 100644
index 000000000..07e28f1ab
--- /dev/null
+++ b/4-projects/business_unit_1/development/main.tf
@@ -0,0 +1,35 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+module "env" {
+ source = "../../modules/base_env"
+
+ env = "development"
+ business_code = "bu1"
+ business_unit = "business_unit_1"
+ terraform_service_account = var.terraform_service_account
+ org_id = var.org_id
+ billing_account = var.billing_account
+ access_context_manager_policy_id = var.access_context_manager_policy_id
+ parent_folder = var.parent_folder
+ perimeter_name = var.perimeter_name
+ peering_module_depends_on = var.peering_module_depends_on
+ project_prefix = var.project_prefix
+ folder_prefix = var.folder_prefix
+ enable_hub_and_spoke = var.enable_hub_and_spoke
+ app_infra_pipeline_cloudbuild_sa = var.app_infra_pipeline_cloudbuild_sa
+}
diff --git a/4-projects/business_unit_1/development/outputs.tf b/4-projects/business_unit_1/development/outputs.tf
index 8ac6b5e4f..77681648a 100644
--- a/4-projects/business_unit_1/development/outputs.tf
+++ b/4-projects/business_unit_1/development/outputs.tf
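Review bot: The new `module "env"` call passes none of the budget (`alert_spent_percents`, `alert_pubsub_topic`, `budget_amount`), firewall (`firewall_enable_logging`, `optional_fw_rules_enabled`, `windows_activation_enabled`) or KMS/GCS (`key_rotation_period`, `location_kms`, `location_gcs`, `keyring_name`, `key_name`, `gcs_bucket_prefix`, `secrets_prj_suffix`) inputs that this commit deletes from variables.tf, so each of those is now fixed by whatever `../../modules/base_env` declares, which is not visible in this diff. Of those, firewall logging (previously defaulting to `true`) and the 90-day key rotation (previously `"7776000s"`) are the settings worth confirming the module preserves, since losing either would silently weaken every environment built on it without any change at this layer. A header comment above the module block, e.g. `# Budget alerts, firewall rules/logging and CMEK key names/rotation are fixed inside modules/base_env; change them there, not per environment.`, would tell the next maintainer where those inputs went.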
@@ -16,37 +16,37 @@ output "base_shared_vpc_project" {
 description = "Project sample base project."
- value = module.base_shared_vpc_project.project_id
+ value = module.env.base_shared_vpc_project
 }
 output "base_shared_vpc_project_sa" {
 description = "Project sample base project SA."
- value = module.base_shared_vpc_project.sa
+ value = module.env.base_shared_vpc_project_sa
 }
 output "floating_project" {
 description = "Project sample floating project."
- value = module.floating_project.project_id
+ value = module.env.floating_project
 }
 output "peering_project" {
 description = "Project sample peering project id."
- value = module.peering_project.project_id
+ value = module.env.peering_project
 }
 output "peering_network" {
 description = "Peer network peering resource."
- value = module.peering.peer_network_peering
+ value = module.env.peering_network
 }
 output "restricted_shared_vpc_project" {
 description = "Project sample restricted project id."
- value = module.restricted_shared_vpc_project.project_id
+ value = module.env.restricted_shared_vpc_project
 }
 output "restricted_shared_vpc_project_number" {
 description = "Project sample restricted project."
- value = module.restricted_shared_vpc_project.project_number
+ value = module.env.restricted_shared_vpc_project_number
 }
 output "vpc_service_control_perimeter_name" {
@@ -56,7 +56,7 @@ output "vpc_service_control_perimeter_name" {
 output "restricted_enabled_apis" {
 description = "Activated APIs."
- value = module.restricted_shared_vpc_project.enabled_apis
+ value = module.env.restricted_enabled_apis
 }
 output "access_context_manager_policy_id" {
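Review bot: The `peering_network` output now forwards `module.env.peering_network`, while its unchanged description still says "Peer network peering resource." and the old value was `module.peering.peer_network_peering`, a peering resource rather than a network; the new output name reads like a VPC, so confirm that `base_env` exposes the peering attribute under that name, or rename the module output to keep the two in agreement. The same forwarding pattern is used for every other output in this hunk: each drops the `.project_id`/`.sa`/`.project_number` selector the old value carried, which is only correct if `base_env` already selects that attribute in its own outputs — presumably it does, but that module is outside this diff. A one-line comment at the top of the changed block, `# Each value is pre-selected inside modules/base_env; these outputs only re-export it.`, would record that assumption.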
@@ -66,25 +66,25 @@ output "access_context_manager_policy_id" {
 output "peering_complete" {
 description = "Output to be used as a module dependency."
- value = module.peering.complete
+ value = module.env.peering_complete
 }
 output "env_secrets_project" {
 description = "Project sample peering project id."
- value = module.env_secrets_project.project_id
+ value = module.env.env_secrets_project
 }
 output "keyring" {
 description = "The name of the keyring."
- value = module.kms.keyring
+ value = module.env.keyring
 }
 output "keys" {
 description = "List of created key names."
- value = keys(module.kms.keys)
+ value = module.env.keys
 }
 output "bucket" {
 description = "The created storage bucket"
- value = module.gcs_buckets.bucket
+ value = module.env.bucket
 }
diff --git a/4-projects/business_unit_1/development/variables.tf b/4-projects/business_unit_1/development/variables.tf
index f1f113aab..be54660c8 100644
--- a/4-projects/business_unit_1/development/variables.tf
+++ b/4-projects/business_unit_1/development/variables.tf
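Review bot: The `keys` output changes its value from `keys(module.kms.keys)` to `module.env.keys` while keeping the description "List of created key names."; unless `base_env` applies `keys()` itself, this output now exposes the key-name-to-resource-id map rather than a list of names, and either the description or the value (e.g. `value = keys(module.env.keys)`) should be brought into line once the module output's type is confirmed. Consumers of this output that assume a list would break silently at plan time rather than here. While touching this block, the context line describing `env_secrets_project` as "Project sample peering project id." is a copy-paste leftover that could be corrected to `description = "Project sample env secrets project id."` in the same pass.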
@@ -51,42 +51,6 @@ variable "peering_module_depends_on" {
 default = []
 }
-variable "firewall_enable_logging" {
- type = bool
- description = "Toggle firewall logging for VPC Firewalls."
- default = true
-}
-
-variable "optional_fw_rules_enabled" {
- type = bool
- description = "Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges."
- default = false
-}
-
-variable "windows_activation_enabled" {
- type = bool
- description = "Enable Windows license activation for Windows workloads."
- default = false
-}
-
-variable "alert_spent_percents" {
- description = "A list of percentages of the budget to alert on when threshold is exceeded"
- type = list(number)
- default = [0.5, 0.75, 0.9, 0.95]
-}
-
-variable "alert_pubsub_topic" {
- description = "The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`"
- type = string
- default = null
-}
-
-variable "budget_amount" {
- description = "The amount to use as the budget"
- type = number
- default = 1000
-}
-
 variable "project_prefix" {
 description = "Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters."
 type = string
@@ -109,45 +73,3 @@ variable "app_infra_pipeline_cloudbuild_sa" {
 description = "Cloud Build SA used for deploying infrastructure"
 type = string
 }
-
-variable "secrets_prj_suffix" {
- description = "Name suffix to use for secrets project created."
- type = string
- default = "env-secrets"
-}
-
-variable "location_kms" {
- description = "Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket)"
- type = string
- default = "us"
-}
-
-variable "location_gcs" {
- description = "Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring)"
- type = string
- default = "US"
-}
-
-variable "keyring_name" {
- description = "Name to be used for KMS Keyring"
- type = string
- default = "sample-keyring"
-}
-
-variable "key_name" {
- description = "Name to be used for KMS Key"
- type = string
- default = "crypto-key-example"
-}
-
-variable "key_rotation_period" {
- description = "Rotation period in seconds to be used for KMS Key"
- type = string
- default = "7776000s"
-}
-
-variable "gcs_bucket_prefix" {
- description = "Name prefix to be used for GCS Bucket"
- type = string
- default = "cmek-encrypted-bucket"
-}
diff --git a/4-projects/business_unit_1/non-production/README.md b/4-projects/business_unit_1/non-production/README.md
index 4b8ea0ac6..d986568dc 100644
--- a/4-projects/business_unit_1/non-production/README.md
+++ b/4-projects/business_unit_1/non-production/README.md
@@ -4,29 +4,16 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | access\_context\_manager\_policy\_id | The ID of the access context manager policy the perimeter lies in. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `string` | n/a | yes | -| alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` | `string` | `null` | no | -| alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded | `list(number)` |
[
0.5,
0.75,
0.9,
0.95
]
| no | | app\_infra\_pipeline\_cloudbuild\_sa | Cloud Build SA used for deploying infrastructure | `string` | n/a | yes | | billing\_account | The ID of the billing account to associated this project with | `string` | n/a | yes | -| budget\_amount | The amount to use as the budget | `number` | `1000` | no | | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no | -| firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no | | folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | -| gcs\_bucket\_prefix | Name prefix to be used for GCS Bucket | `string` | `"cmek-encrypted-bucket"` | no | -| key\_name | Name to be used for KMS Key | `string` | `"crypto-key-example"` | no | -| key\_rotation\_period | Rotation period in seconds to be used for KMS Key | `string` | `"7776000s"` | no | -| keyring\_name | Name to be used for KMS Keyring | `string` | `"sample-keyring"` | no | -| location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `"US"` | no | -| location\_kms | Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket) | `string` | `"us"` | no | -| optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | `bool` | `false` | no | | org\_id | The organization id for the associated services | `string` | n/a | yes | | parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no | | peering\_module\_depends\_on | List of modules or resources peering module depends on. 
| `list(any)` | `[]` | no | | perimeter\_name | Access context manager service perimeter name to attach the restricted svpc project. | `string` | n/a | yes | | project\_prefix | Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters. | `string` | `"prj"` | no | -| secrets\_prj\_suffix | Name suffix to use for secrets project created. | `string` | `"env-secrets"` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform | `string` | n/a | yes | -| windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no | ## Outputs diff --git a/4-projects/business_unit_1/non-production/example_base_shared_vpc_project.tf b/4-projects/business_unit_1/non-production/example_base_shared_vpc_project.tf deleted file mode 100644 index 33c92a99c..000000000 --- a/4-projects/business_unit_1/non-production/example_base_shared_vpc_project.tf +++ /dev/null 
@@ -1,45 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-module "base_shared_vpc_project" {
- source = "../../modules/single_project"
- impersonate_service_account = var.terraform_service_account
- org_id = var.org_id
- billing_account = var.billing_account
- folder_id = data.google_active_folder.env.name
- environment = "non-production"
- vpc_type = "base"
- alert_spent_percents = var.alert_spent_percents
- alert_pubsub_topic = var.alert_pubsub_topic
- budget_amount = var.budget_amount
- project_prefix = var.project_prefix
- enable_hub_and_spoke = var.enable_hub_and_spoke
- sa_roles = ["roles/editor"]
- enable_cloudbuild_deploy = true
- cloudbuild_sa = var.app_infra_pipeline_cloudbuild_sa
- activate_apis = [
- "iam.googleapis.com",
- "cloudresourcemanager.googleapis.com"
- ]
-
- # Metadata
- project_suffix = "sample-base"
- application_name = "bu1-sample-application"
- billing_code = "1234"
- primary_contact = "example@example.com"
- secondary_contact = "example2@example.com"
- business_code = "bu1"
-}
diff --git a/4-projects/business_unit_1/non-production/example_floating_project.tf b/4-projects/business_unit_1/non-production/example_floating_project.tf
deleted file mode 100644
index 5de04e2bf..000000000
--- a/4-projects/business_unit_1/non-production/example_floating_project.tf
+++ /dev/null
@@ -1,36 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-module "floating_project" {
- source = "../../modules/single_project"
- impersonate_service_account = var.terraform_service_account
- org_id = var.org_id
- billing_account = var.billing_account
- folder_id = data.google_active_folder.env.name
- environment = "non-production"
- alert_spent_percents = var.alert_spent_percents
- alert_pubsub_topic = var.alert_pubsub_topic
- budget_amount = var.budget_amount
- project_prefix = var.project_prefix
-
- # Metadata
- project_suffix = "sample-floating"
- application_name = "bu1-sample-application"
- billing_code = "1234"
- primary_contact = "example@example.com"
- secondary_contact = "example2@example.com"
- business_code = "bu1"
-}
diff --git a/4-projects/business_unit_1/non-production/example_restricted_shared_vpc_project.tf b/4-projects/business_unit_1/non-production/example_restricted_shared_vpc_project.tf
deleted file mode 100644
index 136407672..000000000
--- a/4-projects/business_unit_1/non-production/example_restricted_shared_vpc_project.tf
+++ /dev/null
@@ -1,43 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-module "restricted_shared_vpc_project" {
- source = "../../modules/single_project"
- impersonate_service_account = var.terraform_service_account
- org_id = var.org_id
- billing_account = var.billing_account
- folder_id = data.google_active_folder.env.name
- environment = "non-production"
- vpc_type = "restricted"
- alert_spent_percents = var.alert_spent_percents
- alert_pubsub_topic = var.alert_pubsub_topic
- budget_amount = var.budget_amount
- project_prefix = var.project_prefix
- enable_hub_and_spoke = var.enable_hub_and_spoke
-
- activate_apis = ["accesscontextmanager.googleapis.com"]
- vpc_service_control_attach_enabled = "true"
- vpc_service_control_perimeter_name = "accessPolicies/${var.access_context_manager_policy_id}/servicePerimeters/${var.perimeter_name}"
-
- # Metadata
- project_suffix = "sample-restrict"
- application_name = "bu1-sample-application"
- billing_code = "1234"
- primary_contact = "example@example.com"
- secondary_contact = "example2@example.com"
- business_code = "bu1"
-}
-
diff --git a/4-projects/business_unit_1/non-production/folder.tf b/4-projects/business_unit_1/non-production/folder.tf
deleted file mode 100644
index 63f388207..000000000
--- a/4-projects/business_unit_1/non-production/folder.tf
+++ /dev/null
@@ -1,21 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-data "google_active_folder" "env" {
- display_name = "${var.folder_prefix}-non-production"
- parent = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}"
-}
-
diff --git a/4-projects/business_unit_1/non-production/main.tf b/4-projects/business_unit_1/non-production/main.tf
new file mode 100644
index 000000000..4aed69e23
--- /dev/null
+++ b/4-projects/business_unit_1/non-production/main.tf
@@ -0,0 +1,35 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+module "env" {
+ source = "../../modules/base_env"
+
+ env = "non-production"
+ business_code = "bu1"
+ business_unit = "business_unit_1"
+ terraform_service_account = var.terraform_service_account
+ org_id = var.org_id
+ billing_account = var.billing_account
+ access_context_manager_policy_id = var.access_context_manager_policy_id
+ parent_folder = var.parent_folder
+ perimeter_name = var.perimeter_name
+ peering_module_depends_on = var.peering_module_depends_on
+ project_prefix = var.project_prefix
+ folder_prefix = var.folder_prefix
+ enable_hub_and_spoke = var.enable_hub_and_spoke
+ app_infra_pipeline_cloudbuild_sa = var.app_infra_pipeline_cloudbuild_sa
+}
diff --git a/4-projects/business_unit_1/non-production/outputs.tf b/4-projects/business_unit_1/non-production/outputs.tf
index 8ac6b5e4f..77681648a 100644
--- a/4-projects/business_unit_1/non-production/outputs.tf
+++ b/4-projects/business_unit_1/non-production/outputs.tf
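Review bot: The `module "env"` call forwards no firewall-logging, budget-alert or KMS-rotation inputs, so whatever `../../modules/base_env` hard-codes for them becomes the effective control set for non-production; this layer previously exposed `firewall_enable_logging = true` and `key_rotation_period = "7776000s"` as tunable defaults, and the budget alert thresholds alongside them. base_env is not in this diff, so I cannot confirm it keeps those values, and if it does not the environment is loosened with no visible change in this file. If fixing them centrally is the intent, state it above the block, e.g. `# VPC firewall logging, budget alerts and CMEK rotation are fixed inside modules/base_env; change them there.`; otherwise re-expose the variables and pass them through here.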
@@ -16,37 +16,37 @@ output "base_shared_vpc_project" { description = "Project sample base project." - value = module.base_shared_vpc_project.project_id + value = module.env.base_shared_vpc_project } output "base_shared_vpc_project_sa" { description = "Project sample base project SA." - value = module.base_shared_vpc_project.sa + value = module.env.base_shared_vpc_project_sa } output "floating_project" { description = "Project sample floating project." - value = module.floating_project.project_id + value = module.env.floating_project } output "peering_project" { description = "Project sample peering project id." - value = module.peering_project.project_id + value = module.env.peering_project } output "peering_network" { description = "Peer network peering resource." - value = module.peering.peer_network_peering + value = module.env.peering_network } output "restricted_shared_vpc_project" { description = "Project sample restricted project id." - value = module.restricted_shared_vpc_project.project_id + value = module.env.restricted_shared_vpc_project } output "restricted_shared_vpc_project_number" { description = "Project sample restricted project." - value = module.restricted_shared_vpc_project.project_number + value = module.env.restricted_shared_vpc_project_number } output "vpc_service_control_perimeter_name" { @@ -56,7 +56,7 @@ output "vpc_service_control_perimeter_name" { output "restricted_enabled_apis" { description = "Activated APIs." - value = module.restricted_shared_vpc_project.enabled_apis + value = module.env.restricted_enabled_apis } output "access_context_manager_policy_id" { 
@@ -66,25 +66,25 @@ output "access_context_manager_policy_id" { output "peering_complete" { description = "Output to be used as a module dependency." - value = module.peering.complete + value = module.env.peering_complete } output "env_secrets_project" { description = "Project sample peering project id." - value = module.env_secrets_project.project_id + value = module.env.env_secrets_project } output "keyring" { description = "The name of the keyring." - value = module.kms.keyring + value = module.env.keyring } output "keys" { description = "List of created key names." - value = keys(module.kms.keys) + value = module.env.keys } output "bucket" { description = "The created storage bucket" - value = module.gcs_buckets.bucket + value = module.env.bucket } diff --git a/4-projects/business_unit_1/non-production/variables.tf b/4-projects/business_unit_1/non-production/variables.tf index f1f113aab..be54660c8 100644 --- a/4-projects/business_unit_1/non-production/variables.tf +++ b/4-projects/business_unit_1/non-production/variables.tf 
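Review bot: The `keys` output still describes itself as "List of created key names" but its value is now `module.env.keys`, whereas the replaced expression `keys(module.kms.keys)` explicitly reduced the KMS module's name-to-resource map to a list of names. Whether base_env applies that reduction on its side is not visible in this diff; if it forwards the map unchanged, every consumer of this output gets a different shape without any signal from the description. Either restore the contract here with `value = keys(module.env.keys)` or confirm the exported shape and reword the description to match. The adjacent `env_secrets_project` output also still carries the copy-paste description `"Project sample peering project id."`, which should name the secrets project.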
@@ -51,42 +51,6 @@ variable "peering_module_depends_on" { default = [] } -variable "firewall_enable_logging" { - type = bool - description = "Toggle firewall logging for VPC Firewalls." - default = true -} - -variable "optional_fw_rules_enabled" { - type = bool - description = "Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges." - default = false -} - -variable "windows_activation_enabled" { - type = bool - description = "Enable Windows license activation for Windows workloads." - default = false -} - -variable "alert_spent_percents" { - description = "A list of percentages of the budget to alert on when threshold is exceeded" - type = list(number) - default = [0.5, 0.75, 0.9, 0.95] -} - -variable "alert_pubsub_topic" { - description = "The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`" - type = string - default = null -} - -variable "budget_amount" { - description = "The amount to use as the budget" - type = number - default = 1000 -} - variable "project_prefix" { description = "Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters." type = string 
@@ -109,45 +73,3 @@ variable "app_infra_pipeline_cloudbuild_sa" { description = "Cloud Build SA used for deploying infrastructure" type = string } - -variable "secrets_prj_suffix" { - description = "Name suffix to use for secrets project created." - type = string - default = "env-secrets" -} - -variable "location_kms" { - description = "Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket)" - type = string - default = "us" -} - -variable "location_gcs" { - description = "Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring)" - type = string - default = "US" -} - -variable "keyring_name" { - description = "Name to be used for KMS Keyring" - type = string - default = "sample-keyring" -} - -variable "key_name" { - description = "Name to be used for KMS Key" - type = string - default = "crypto-key-example" -} - -variable "key_rotation_period" { - description = "Rotation period in seconds to be used for KMS Key" - type = string - default = "7776000s" -} - -variable "gcs_bucket_prefix" { - description = "Name prefix to be used for GCS Bucket" - type = string - default = "cmek-encrypted-bucket" -} diff --git a/4-projects/business_unit_1/production/README.md b/4-projects/business_unit_1/production/README.md index 6f2b8c08b..d986568dc 100644 --- a/4-projects/business_unit_1/production/README.md +++ b/4-projects/business_unit_1/production/README.md 
@@ -4,30 +4,16 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | access\_context\_manager\_policy\_id | The ID of the access context manager policy the perimeter lies in. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `string` | n/a | yes | -| alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` | `string` | `null` | no | -| alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded | `list(number)` |
[
0.5,
0.75,
0.9,
0.95
]
| no | | app\_infra\_pipeline\_cloudbuild\_sa | Cloud Build SA used for deploying infrastructure | `string` | n/a | yes | | billing\_account | The ID of the billing account to associated this project with | `string` | n/a | yes | -| budget\_amount | The amount to use as the budget | `number` | `1000` | no | | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no | -| env\_code | A short form of the environment field | `string` | `"p"` | no | -| firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no | | folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | -| gcs\_bucket\_prefix | Name prefix to be used for GCS Bucket | `string` | `"cmek-encrypted-bucket"` | no | -| key\_name | Name to be used for KMS Key | `string` | `"crypto-key-example"` | no | -| key\_rotation\_period | Rotation period in seconds to be used for KMS Key | `string` | `"7776000s"` | no | -| keyring\_name | Name to be used for KMS Keyring | `string` | `"sample-keyring"` | no | -| location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `"US"` | no | -| location\_kms | Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket) | `string` | `"us"` | no | -| optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | `bool` | `false` | no | | org\_id | The organization id for the associated services | `string` | n/a | yes | | parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. 
| `string` | `""` | no | | peering\_module\_depends\_on | List of modules or resources peering module depends on. | `list(any)` | `[]` | no | | perimeter\_name | Access context manager service perimeter name to attach the restricted svpc project. | `string` | n/a | yes | | project\_prefix | Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters. | `string` | `"prj"` | no | -| secrets\_prj\_suffix | Name suffix to use for secrets project created. | `string` | `"env-secrets"` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform | `string` | n/a | yes | -| windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no | ## Outputs diff --git a/4-projects/business_unit_1/production/example_base_shared_vpc_project.tf b/4-projects/business_unit_1/production/example_base_shared_vpc_project.tf deleted file mode 100644 index 0ee4d3aa3..000000000 --- a/4-projects/business_unit_1/production/example_base_shared_vpc_project.tf +++ /dev/null 
@@ -1,45 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-module "base_shared_vpc_project" {
- source = "../../modules/single_project"
- impersonate_service_account = var.terraform_service_account
- org_id = var.org_id
- billing_account = var.billing_account
- folder_id = data.google_active_folder.env.name
- environment = "production"
- vpc_type = "base"
- alert_spent_percents = var.alert_spent_percents
- alert_pubsub_topic = var.alert_pubsub_topic
- budget_amount = var.budget_amount
- project_prefix = var.project_prefix
- enable_hub_and_spoke = var.enable_hub_and_spoke
- sa_roles = ["roles/editor"]
- enable_cloudbuild_deploy = true
- cloudbuild_sa = var.app_infra_pipeline_cloudbuild_sa
- activate_apis = [
- "iam.googleapis.com",
- "cloudresourcemanager.googleapis.com"
- ]
-
- # Metadata
- project_suffix = "sample-base"
- application_name = "bu1-sample-application"
- billing_code = "1234"
- primary_contact = "example@example.com"
- secondary_contact = "example2@example.com"
- business_code = "bu1"
-}
diff --git a/4-projects/business_unit_1/production/example_peering_project.tf b/4-projects/business_unit_1/production/example_peering_project.tf
deleted file mode 100644
index 7582ae2ac..000000000
--- a/4-projects/business_unit_1/production/example_peering_project.tf
+++ /dev/null
@@ -1,255 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-locals {
- shared_vpc_mode = var.enable_hub_and_spoke ? "-spoke" : ""
-}
-
-data "google_projects" "projects" {
- filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=base-shared-vpc-host labels.environment=production lifecycleState=ACTIVE"
-}
-
-data "google_compute_network" "shared_vpc" {
- name = "vpc-p-shared-base${local.shared_vpc_mode}"
- project = data.google_projects.projects.projects[0].project_id
-}
-
-data "google_netblock_ip_ranges" "legacy_health_checkers" {
- range_type = "legacy-health-checkers"
-}
-
-data "google_netblock_ip_ranges" "health_checkers" {
- range_type = "health-checkers"
-}
-
-data "google_netblock_ip_ranges" "iap_forwarders" {
- range_type = "iap-forwarders"
-}
-
-module "peering_project" {
- source = "../../modules/single_project"
- impersonate_service_account = var.terraform_service_account
- org_id = var.org_id
- billing_account = var.billing_account
- folder_id = data.google_active_folder.env.name
- environment = "production"
- project_prefix = var.project_prefix
-
- # Metadata
- project_suffix = "sample-peering"
- application_name = "bu1-sample-peering"
- billing_code = "1234"
- primary_contact = "example@example.com"
- secondary_contact = "example2@example.com"
- business_code = "bu1"
-}
-
-module "peering_network" {
- source = "terraform-google-modules/network/google"
- version = "~> 3.0"
- project_id = module.peering_project.project_id
- network_name = "vpc-p-peering-base"
- shared_vpc_host = "false"
- delete_default_internet_gateway_routes = "true"
- subnets = []
-}
-
-module "peering" {
- source = "terraform-google-modules/network/google//modules/network-peering"
- version = "~> 3.0"
- prefix = "bu1-p"
- local_network = module.peering_network.network_self_link
- peer_network = data.google_compute_network.shared_vpc.self_link
- module_depends_on = var.peering_module_depends_on
-}
-
-/******************************************
- Mandatory firewall rules
- *****************************************/
-
-resource "google_compute_firewall" "deny_all_egress" {
- name = "fw-p-peering-base-65535-e-p-all-all-tcp-udp"
- network = module.peering_network.network_name
- project = module.peering_project.project_id
- direction = "EGRESS"
- priority = 65535
-
- dynamic "log_config" {
- for_each = var.firewall_enable_logging == true ? [{
- metadata = "INCLUDE_ALL_METADATA"
- }] : []
-
- content {
- metadata = log_config.value.metadata
- }
- }
-
- deny {
- protocol = "tcp"
- }
-
- deny {
- protocol = "udp"
- }
-
- destination_ranges = ["0.0.0.0/0"]
-}
-
-
-resource "google_compute_firewall" "allow_private_api_egress" {
- name = "fw-p-peering-base-65534-e-a-allow-google-apis-all-tcp-443"
- network = module.peering_network.network_name
- project = module.peering_project.project_id
- direction = "EGRESS"
- priority = 65534
-
- dynamic "log_config" {
- for_each = var.firewall_enable_logging == true ? [{
- metadata = "INCLUDE_ALL_METADATA"
- }] : []
-
- content {
- metadata = log_config.value.metadata
- }
- }
-
- allow {
- protocol = "tcp"
- ports = ["443"]
- }
-
- destination_ranges = ["199.36.153.8/30"]
-
- target_tags = ["allow-google-apis"]
-}
-
-
-/******************************************
- Optional firewall rules
- *****************************************/
-
-// Allow SSH via IAP when using the allow-iap-ssh tag for Linux workloads.
-resource "google_compute_firewall" "allow_iap_ssh" {
- count = var.optional_fw_rules_enabled ? 1 : 0
- name = "fw-p-peering-base-1000-i-a-all-allow-iap-ssh-tcp-22"
- network = module.peering_network.network_name
- project = module.peering_project.project_id
-
- dynamic "log_config" {
- for_each = var.firewall_enable_logging == true ? [{
- metadata = "INCLUDE_ALL_METADATA"
- }] : []
-
- content {
- metadata = log_config.value.metadata
- }
- }
-
- // Cloud IAP's TCP forwarding netblock
- source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4)
-
- allow {
- protocol = "tcp"
- ports = ["22"]
- }
-
- target_tags = ["allow-iap-ssh"]
-}
-
-// Allow RDP via IAP when using the allow-iap-rdp tag for Windows workloads.
-resource "google_compute_firewall" "allow_iap_rdp" {
- count = var.optional_fw_rules_enabled ? 1 : 0
- name = "fw-p-peering-base-1000-i-a-all-allow-iap-rdp-tcp-3389"
- network = module.peering_network.network_name
- project = module.peering_project.project_id
-
- dynamic "log_config" {
- for_each = var.firewall_enable_logging == true ? [{
- metadata = "INCLUDE_ALL_METADATA"
- }] : []
-
- content {
- metadata = log_config.value.metadata
- }
- }
-
- // Cloud IAP's TCP forwarding netblock
- source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4)
-
- allow {
- protocol = "tcp"
- ports = ["3389"]
- }
-
- target_tags = ["allow-iap-rdp"]
-}
-
-// Allow access to kms.windows.googlecloud.com for Windows license activation
-resource "google_compute_firewall" "allow_windows_activation" {
- count = var.windows_activation_enabled ? 1 : 0
- name = "fw-p-peering-base-0-e-a-allow-win-activation-all-tcp-1688"
- network = module.peering_network.network_name
- project = module.peering_project.project_id
- direction = "EGRESS"
- priority = 0
-
- dynamic "log_config" {
- for_each = var.firewall_enable_logging == true ? [{
- metadata = "INCLUDE_ALL_METADATA"
- }] : []
-
- content {
- metadata = log_config.value.metadata
- }
- }
-
- allow {
- protocol = "tcp"
- ports = ["1688"]
- }
-
- destination_ranges = ["35.190.247.13/32"]
-
- target_tags = ["allow-win-activation"]
-}
-
-// Allow traffic for Internal & Global load balancing health check and load balancing IP ranges.
-resource "google_compute_firewall" "allow_lb" {
- count = var.optional_fw_rules_enabled ? 1 : 0
- name = "fw-p-peering-base-1000-i-a-all-allow-lb-tcp-80-8080-443"
- network = module.peering_network.network_name
- project = module.peering_project.project_id
-
- dynamic "log_config" {
- for_each = var.firewall_enable_logging == true ? [{
- metadata = "INCLUDE_ALL_METADATA"
- }] : []
-
- content {
- metadata = log_config.value.metadata
- }
- }
-
- source_ranges = concat(data.google_netblock_ip_ranges.health_checkers.cidr_blocks_ipv4, data.google_netblock_ip_ranges.legacy_health_checkers.cidr_blocks_ipv4)
-
- // Allow common app ports by default.
- allow {
- protocol = "tcp"
- ports = ["80", "8080", "443"]
- }
-
- target_tags = ["allow-lb"]
-}
diff --git a/4-projects/business_unit_1/production/example_restricted_shared_vpc_project.tf b/4-projects/business_unit_1/production/example_restricted_shared_vpc_project.tf
deleted file mode 100644
index 9e58963c4..000000000
--- a/4-projects/business_unit_1/production/example_restricted_shared_vpc_project.tf
+++ /dev/null
@@ -1,43 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-module "restricted_shared_vpc_project" {
- source = "../../modules/single_project"
- impersonate_service_account = var.terraform_service_account
- org_id = var.org_id
- billing_account = var.billing_account
- folder_id = data.google_active_folder.env.name
- environment = "production"
- vpc_type = "restricted"
- alert_spent_percents = var.alert_spent_percents
- alert_pubsub_topic = var.alert_pubsub_topic
- budget_amount = var.budget_amount
- project_prefix = var.project_prefix
- enable_hub_and_spoke = var.enable_hub_and_spoke
-
- activate_apis = ["accesscontextmanager.googleapis.com"]
- vpc_service_control_attach_enabled = "true"
- vpc_service_control_perimeter_name = "accessPolicies/${var.access_context_manager_policy_id}/servicePerimeters/${var.perimeter_name}"
-
- # Metadata
- project_suffix = "sample-restrict"
- application_name = "bu1-sample-application"
- billing_code = "1234"
- primary_contact = "example@example.com"
- secondary_contact = "example2@example.com"
- business_code = "bu1"
-}
-
diff --git a/4-projects/business_unit_1/production/example_storage_cmek.tf b/4-projects/business_unit_1/production/example_storage_cmek.tf
deleted file mode 100644
index 1c1807a0e..000000000
--- a/4-projects/business_unit_1/production/example_storage_cmek.tf
+++ /dev/null
@@ -1,79 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-module "env_secrets_project" {
- source = "../../modules/single_project"
- impersonate_service_account = var.terraform_service_account
- org_id = var.org_id
- billing_account = var.billing_account
- folder_id = data.google_active_folder.env.name
- environment = "production"
- alert_spent_percents = var.alert_spent_percents
- alert_pubsub_topic = var.alert_pubsub_topic
- budget_amount = var.budget_amount
- project_suffix = var.secrets_prj_suffix
- project_prefix = var.project_prefix
-
- activate_apis = ["logging.googleapis.com", "secretmanager.googleapis.com", "cloudkms.googleapis.com"]
-
- # Metadata
- application_name = "bu1-sample-application"
- billing_code = "1234"
- primary_contact = "example@example.com"
- secondary_contact = "example2@example.com"
- business_code = "bu1"
-}
-
-data "google_storage_project_service_account" "gcs_account" {
- project = module.base_shared_vpc_project.project_id
-}
-
-module "kms" {
- source = "terraform-google-modules/kms/google"
- version = "~> 1.2"
-
- project_id = module.env_secrets_project.project_id
- keyring = var.keyring_name
- location = var.location_kms
- keys = [var.key_name]
- key_rotation_period = var.key_rotation_period
- encrypters = ["serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"]
- set_encrypters_for = [var.key_name]
- decrypters = ["serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"]
- set_decrypters_for = [var.key_name]
- prevent_destroy = "false"
-}
-
-resource "random_string" "bucket_name" {
- length = 5
- upper = false
- number = true
- lower = true
- special = false
-}
-
-module "gcs_buckets" {
- depends_on = [module.kms]
- source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
- version = "~> 1.7"
- project_id = module.base_shared_vpc_project.project_id
- location = var.location_gcs
- name = "${var.gcs_bucket_prefix}-${lower(var.location_gcs)}-${random_string.bucket_name.result}"
- bucket_policy_only = true
- encryption = {
- default_kms_key_name = module.kms.keys[var.key_name]
- }
-}
diff --git a/4-projects/business_unit_1/production/main.tf b/4-projects/business_unit_1/production/main.tf
new file mode 100644
index 000000000..89399b398
--- /dev/null
+++ b/4-projects/business_unit_1/production/main.tf
@@ -0,0 +1,35 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+module "env" {
+ source = "../../modules/base_env"
+
+ env = "production"
+ business_code = "bu1"
+ business_unit = "business_unit_1"
+ terraform_service_account = var.terraform_service_account
+ org_id = var.org_id
+ billing_account = var.billing_account
+ access_context_manager_policy_id = var.access_context_manager_policy_id
+ parent_folder = var.parent_folder
+ perimeter_name = var.perimeter_name
+ peering_module_depends_on = var.peering_module_depends_on
+ project_prefix = var.project_prefix
+ folder_prefix = var.folder_prefix
+ enable_hub_and_spoke = var.enable_hub_and_spoke
+ app_infra_pipeline_cloudbuild_sa = var.app_infra_pipeline_cloudbuild_sa
+}
diff --git a/4-projects/business_unit_1/production/outputs.tf b/4-projects/business_unit_1/production/outputs.tf
index 8ac6b5e4f..77681648a 100644
--- a/4-projects/business_unit_1/production/outputs.tf
+++ b/4-projects/business_unit_1/production/outputs.tf
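Review bot: The production base project's service-account grant, previously visible at this layer as `sa_roles = ["roles/editor"]` in the deleted example_base_shared_vpc_project.tf, is now decided inside `../../modules/base_env` together with the Cloud Build deploy binding, and nothing in this `module "env"` call lets production narrow it independently of development or non-production. base_env is outside this diff, so I cannot tell whether it still grants roles/editor; if it does, a primitive role is applied to a production project with no per-environment override and no trace in this file. Consider having base_env accept `sa_roles` and passing a least-privilege list from here, or at minimum add above the block `# Project SA roles and the Cloud Build deploy binding are set in modules/base_env; review them before promoting to production.`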
@@ -16,37 +16,37 @@ output "base_shared_vpc_project" { description = "Project sample base project." - value = module.base_shared_vpc_project.project_id + value = module.env.base_shared_vpc_project } output "base_shared_vpc_project_sa" { description = "Project sample base project SA." - value = module.base_shared_vpc_project.sa + value = module.env.base_shared_vpc_project_sa } output "floating_project" { description = "Project sample floating project." - value = module.floating_project.project_id + value = module.env.floating_project } output "peering_project" { description = "Project sample peering project id." - value = module.peering_project.project_id + value = module.env.peering_project } output "peering_network" { description = "Peer network peering resource." - value = module.peering.peer_network_peering + value = module.env.peering_network } output "restricted_shared_vpc_project" { description = "Project sample restricted project id." - value = module.restricted_shared_vpc_project.project_id + value = module.env.restricted_shared_vpc_project } output "restricted_shared_vpc_project_number" { description = "Project sample restricted project." - value = module.restricted_shared_vpc_project.project_number + value = module.env.restricted_shared_vpc_project_number } output "vpc_service_control_perimeter_name" { @@ -56,7 +56,7 @@ output "vpc_service_control_perimeter_name" { output "restricted_enabled_apis" { description = "Activated APIs." - value = module.restricted_shared_vpc_project.enabled_apis + value = module.env.restricted_enabled_apis } output "access_context_manager_policy_id" { 
@@ -66,25 +66,25 @@ output "access_context_manager_policy_id" { output "peering_complete" { description = "Output to be used as a module dependency." - value = module.peering.complete + value = module.env.peering_complete } output "env_secrets_project" { description = "Project sample peering project id." - value = module.env_secrets_project.project_id + value = module.env.env_secrets_project } output "keyring" { description = "The name of the keyring." - value = module.kms.keyring + value = module.env.keyring } output "keys" { description = "List of created key names." - value = keys(module.kms.keys) + value = module.env.keys } output "bucket" { description = "The created storage bucket" - value = module.gcs_buckets.bucket + value = module.env.bucket } diff --git a/4-projects/business_unit_1/production/variables.tf b/4-projects/business_unit_1/production/variables.tf index bbbd586ac..be54660c8 100644 --- a/4-projects/business_unit_1/production/variables.tf +++ b/4-projects/business_unit_1/production/variables.tf @@ -29,12 +29,6 @@ variable "billing_account" { type = string } -variable "env_code" { - description = "A short form of the environment field" - type = string - default = "p" -} - variable "access_context_manager_policy_id" { type = string description = "The ID of the access context manager policy the perimeter lies in. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format=\"value(name)\"`." 
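Review bot: The `keys` output is documented as "List of created key names" yet now forwards `module.env.keys` in place of `keys(module.kms.keys)`, which had explicitly reduced the KMS module's map to its key names; this diff does not show whether base_env performs that reduction itself. If it exports the raw map, the output's shape changes for every consumer while the description still promises a list. Pin the contract here with `value = keys(module.env.keys)` when base_env exports the map, or confirm the exported shape and reword the description accordingly. The `env_secrets_project` output beside it still reads `"Project sample peering project id."` and should name the environment secrets project instead.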
@@ -57,42 +51,6 @@ variable "peering_module_depends_on" {
 default = []
 }
-variable "firewall_enable_logging" {
- type = bool
- description = "Toggle firewall logging for VPC Firewalls."
- default = true
-}
-
-variable "optional_fw_rules_enabled" {
- type = bool
- description = "Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges."
- default = false
-}
-
-variable "windows_activation_enabled" {
- type = bool
- description = "Enable Windows license activation for Windows workloads."
- default = false
-}
-
-variable "alert_spent_percents" {
- description = "A list of percentages of the budget to alert on when threshold is exceeded"
- type = list(number)
- default = [0.5, 0.75, 0.9, 0.95]
-}
-
-variable "alert_pubsub_topic" {
- description = "The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`"
- type = string
- default = null
-}
-
-variable "budget_amount" {
- description = "The amount to use as the budget"
- type = number
- default = 1000
-}
-
 variable "project_prefix" {
 description = "Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters."
 type = string
@@ -115,45 +73,3 @@ variable "app_infra_pipeline_cloudbuild_sa" {
 description = "Cloud Build SA used for deploying infrastructure"
 type = string
 }
-
-variable "secrets_prj_suffix" {
- description = "Name suffix to use for secrets project created."
- type = string
- default = "env-secrets"
-}
-
-variable "location_kms" {
- description = "Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket)"
- type = string
- default = "us"
-}
-
-variable "location_gcs" {
- description = "Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring)"
- type = string
- default = "US"
-}
-
-variable "keyring_name" {
- description = "Name to be used for KMS Keyring"
- type = string
- default = "sample-keyring"
-}
-
-variable "key_name" {
- description = "Name to be used for KMS Key"
- type = string
- default = "crypto-key-example"
-}
-
-variable "key_rotation_period" {
- description = "Rotation period in seconds to be used for KMS Key"
- type = string
- default = "7776000s"
-}
-
-variable "gcs_bucket_prefix" {
- description = "Name prefix to be used for GCS Bucket"
- type = string
- default = "cmek-encrypted-bucket"
-}
diff --git a/4-projects/business_unit_2/development/README.md b/4-projects/business_unit_2/development/README.md
index c8a167625..d986568dc 100644
--- a/4-projects/business_unit_2/development/README.md
+++ b/4-projects/business_unit_2/development/README.md
@@ -4,29 +4,16 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | access\_context\_manager\_policy\_id | The ID of the access context manager policy the perimeter lies in. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `string` | n/a | yes |
-| alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` | `string` | `null` | no |
-| alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded | `list(number)` |
[
0.5,
0.75,
0.9,
0.95
]
| no |
 | app\_infra\_pipeline\_cloudbuild\_sa | Cloud Build SA used for deploying infrastructure | `string` | n/a | yes |
 | billing\_account | The ID of the billing account to associated this project with | `string` | n/a | yes |
-| budget\_amount | The amount to use as the budget | `number` | `1000` | no |
 | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
-| firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no |
-| folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no |
-| gcs\_bucket\_prefix | Name prefix to be used for GCS Bucket | `string` | `"cmek-encrypted-bucket"` | no |
-| key\_name | Name to be used for KMS Key | `string` | `"crypto-key-example"` | no |
-| key\_rotation\_period | Rotation period in seconds to be used for KMS Key | `string` | `"7776000s"` | no |
-| keyring\_name | Name to be used for KMS Keyring | `string` | `"sample-keyring"` | no |
-| location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `"US"` | no |
-| location\_kms | Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket) | `string` | `"us"` | no |
-| optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | `bool` | `false` | no |
+| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no |
 | org\_id | The organization id for the associated services | `string` | n/a | yes |
-| parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no |
+| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID.
The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no |
 | peering\_module\_depends\_on | List of modules or resources peering module depends on. | `list(any)` | `[]` | no |
 | perimeter\_name | Access context manager service perimeter name to attach the restricted svpc project. | `string` | n/a | yes |
-| project\_prefix | Name prefix to use for projects created. | `string` | `"prj"` | no |
-| secrets\_prj\_suffix | Name suffix to use for secrets project created. | `string` | `"env-secrets"` | no |
+| project\_prefix | Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters. | `string` | `"prj"` | no |
 | terraform\_service\_account | Service account email of the account to impersonate to run Terraform | `string` | n/a | yes |
-| windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no |
 ## Outputs
diff --git a/4-projects/business_unit_2/development/example_base_shared_vpc_project.tf b/4-projects/business_unit_2/development/example_base_shared_vpc_project.tf
deleted file mode 100644
index f4fa9fb27..000000000
--- a/4-projects/business_unit_2/development/example_base_shared_vpc_project.tf
+++ /dev/null
@@ -1,45 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-module "base_shared_vpc_project" {
- source = "../../modules/single_project"
- impersonate_service_account = var.terraform_service_account
- org_id = var.org_id
- billing_account = var.billing_account
- folder_id = data.google_active_folder.env.name
- environment = "development"
- vpc_type = "base"
- alert_spent_percents = var.alert_spent_percents
- alert_pubsub_topic = var.alert_pubsub_topic
- budget_amount = var.budget_amount
- project_prefix = var.project_prefix
- enable_hub_and_spoke = var.enable_hub_and_spoke
- sa_roles = ["roles/editor"]
- enable_cloudbuild_deploy = true
- cloudbuild_sa = var.app_infra_pipeline_cloudbuild_sa
- activate_apis = [
- "iam.googleapis.com",
- "cloudresourcemanager.googleapis.com"
- ]
-
- # Metadata
- project_suffix = "sample-base"
- application_name = "bu2-sample-application"
- billing_code = "1234"
- primary_contact = "example@example.com"
- secondary_contact = "example2@example.com"
- business_code = "bu2"
-}
diff --git a/4-projects/business_unit_2/development/example_floating_project.tf b/4-projects/business_unit_2/development/example_floating_project.tf
deleted file mode 100644
index f58d0d3a1..000000000
--- a/4-projects/business_unit_2/development/example_floating_project.tf
+++ /dev/null
@@ -1,36 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-module "floating_project" {
- source = "../../modules/single_project"
- impersonate_service_account = var.terraform_service_account
- org_id = var.org_id
- billing_account = var.billing_account
- folder_id = data.google_active_folder.env.name
- environment = "development"
- alert_spent_percents = var.alert_spent_percents
- alert_pubsub_topic = var.alert_pubsub_topic
- budget_amount = var.budget_amount
- project_prefix = var.project_prefix
-
- # Metadata
- project_suffix = "sample-floating"
- application_name = "bu2-sample-application"
- billing_code = "1234"
- primary_contact = "example@example.com"
- secondary_contact = "example2@example.com"
- business_code = "bu2"
-}
diff --git a/4-projects/business_unit_2/development/example_peering_project.tf b/4-projects/business_unit_2/development/example_peering_project.tf
deleted file mode 100644
index 111c80b5b..000000000
--- a/4-projects/business_unit_2/development/example_peering_project.tf
+++ /dev/null
@@ -1,255 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-locals {
- shared_vpc_mode = var.enable_hub_and_spoke ? "-spoke" : ""
-}
-
-data "google_projects" "projects" {
- filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=base-shared-vpc-host labels.environment=development lifecycleState=ACTIVE"
-}
-
-data "google_compute_network" "shared_vpc" {
- name = "vpc-d-shared-base${local.shared_vpc_mode}"
- project = data.google_projects.projects.projects[0].project_id
-}
-
-data "google_netblock_ip_ranges" "legacy_health_checkers" {
- range_type = "legacy-health-checkers"
-}
-
-data "google_netblock_ip_ranges" "health_checkers" {
- range_type = "health-checkers"
-}
-
-data "google_netblock_ip_ranges" "iap_forwarders" {
- range_type = "iap-forwarders"
-}
-
-module "peering_project" {
- source = "../../modules/single_project"
- impersonate_service_account = var.terraform_service_account
- org_id = var.org_id
- billing_account = var.billing_account
- folder_id = data.google_active_folder.env.name
- environment = "development"
- project_prefix = var.project_prefix
-
- # Metadata
- project_suffix = "sample-peering"
- application_name = "bu2-sample-peering"
- billing_code = "1234"
- primary_contact = "example@example.com"
- secondary_contact = "example2@example.com"
- business_code = "bu2"
-}
-
-module "peering_network" {
- source = "terraform-google-modules/network/google"
- version = "~> 3.0"
- project_id = module.peering_project.project_id
- network_name = "vpc-d-peering-base"
- shared_vpc_host = "false"
- delete_default_internet_gateway_routes = "true"
- subnets = []
-}
-
-module "peering" {
- source = "terraform-google-modules/network/google//modules/network-peering"
- version = "~> 3.0"
- prefix = "bu2-d"
- local_network = module.peering_network.network_self_link
- peer_network = data.google_compute_network.shared_vpc.self_link
- module_depends_on = var.peering_module_depends_on
-}
-
-/******************************************
- Mandatory firewall rules
- *****************************************/
-
-resource "google_compute_firewall" "deny_all_egress" {
- name = "fw-d-peering-base-65535-e-d-all-all-tcp-udp"
- network = module.peering_network.network_name
- project = module.peering_project.project_id
- direction = "EGRESS"
- priority = 65535
-
- dynamic "log_config" {
- for_each = var.firewall_enable_logging == true ? [{
- metadata = "INCLUDE_ALL_METADATA"
- }] : []
-
- content {
- metadata = log_config.value.metadata
- }
- }
-
- deny {
- protocol = "tcp"
- }
-
- deny {
- protocol = "udp"
- }
-
- destination_ranges = ["0.0.0.0/0"]
-}
-
-
-resource "google_compute_firewall" "allow_private_api_egress" {
- name = "fw-d-peering-base-65534-e-a-allow-google-apis-all-tcp-443"
- network = module.peering_network.network_name
- project = module.peering_project.project_id
- direction = "EGRESS"
- priority = 65534
-
- dynamic "log_config" {
- for_each = var.firewall_enable_logging == true ? [{
- metadata = "INCLUDE_ALL_METADATA"
- }] : []
-
- content {
- metadata = log_config.value.metadata
- }
- }
-
- allow {
- protocol = "tcp"
- ports = ["443"]
- }
-
- destination_ranges = ["199.36.153.8/30"]
-
- target_tags = ["allow-google-apis"]
-}
-
-
-/******************************************
- Optional firewall rules
- *****************************************/
-
-// Allow SSH via IAP when using the allow-iap-ssh tag for Linux workloads.
-resource "google_compute_firewall" "allow_iap_ssh" {
- count = var.optional_fw_rules_enabled ? 1 : 0
- name = "fw-d-peering-base-1000-i-a-all-allow-iap-ssh-tcp-22"
- network = module.peering_network.network_name
- project = module.peering_project.project_id
-
- dynamic "log_config" {
- for_each = var.firewall_enable_logging == true ? [{
- metadata = "INCLUDE_ALL_METADATA"
- }] : []
-
- content {
- metadata = log_config.value.metadata
- }
- }
-
- // Cloud IAP's TCP forwarding netblock
- source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4)
-
- allow {
- protocol = "tcp"
- ports = ["22"]
- }
-
- target_tags = ["allow-iap-ssh"]
-}
-
-// Allow RDP via IAP when using the allow-iap-rdp tag for Windows workloads.
-resource "google_compute_firewall" "allow_iap_rdp" {
- count = var.optional_fw_rules_enabled ? 1 : 0
- name = "fw-d-peering-base-1000-i-a-all-allow-iap-rdp-tcp-3389"
- network = module.peering_network.network_name
- project = module.peering_project.project_id
-
- dynamic "log_config" {
- for_each = var.firewall_enable_logging == true ? [{
- metadata = "INCLUDE_ALL_METADATA"
- }] : []
-
- content {
- metadata = log_config.value.metadata
- }
- }
-
- // Cloud IAP's TCP forwarding netblock
- source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4)
-
- allow {
- protocol = "tcp"
- ports = ["3389"]
- }
-
- target_tags = ["allow-iap-rdp"]
-}
-
-// Allow access to kms.windows.googlecloud.com for Windows license activation
-resource "google_compute_firewall" "allow_windows_activation" {
- count = var.windows_activation_enabled ? 1 : 0
- name = "fw-d-peering-base-0-e-a-allow-win-activation-all-tcp-1688"
- network = module.peering_network.network_name
- project = module.peering_project.project_id
- direction = "EGRESS"
- priority = 0
-
- dynamic "log_config" {
- for_each = var.firewall_enable_logging == true ?
[{
- metadata = "INCLUDE_ALL_METADATA"
- }] : []
-
- content {
- metadata = log_config.value.metadata
- }
- }
-
- allow {
- protocol = "tcp"
- ports = ["1688"]
- }
-
- destination_ranges = ["35.190.247.13/32"]
-
- target_tags = ["allow-win-activation"]
-}
-
-// Allow traffic for Internal & Global load balancing health check and load balancing IP ranges.
-resource "google_compute_firewall" "allow_lb" {
- count = var.optional_fw_rules_enabled ? 1 : 0
- name = "fw-d-peering-base-1000-i-a-all-allow-lb-tcp-80-8080-443"
- network = module.peering_network.network_name
- project = module.peering_project.project_id
-
- dynamic "log_config" {
- for_each = var.firewall_enable_logging == true ? [{
- metadata = "INCLUDE_ALL_METADATA"
- }] : []
-
- content {
- metadata = log_config.value.metadata
- }
- }
-
- source_ranges = concat(data.google_netblock_ip_ranges.health_checkers.cidr_blocks_ipv4, data.google_netblock_ip_ranges.legacy_health_checkers.cidr_blocks_ipv4)
-
- // Allow common app ports by default.
- allow {
- protocol = "tcp"
- ports = ["80", "8080", "443"]
- }
-
- target_tags = ["allow-lb"]
-}
diff --git a/4-projects/business_unit_2/development/example_storage_cmek.tf b/4-projects/business_unit_2/development/example_storage_cmek.tf
deleted file mode 100644
index 96ab0c59f..000000000
--- a/4-projects/business_unit_2/development/example_storage_cmek.tf
+++ /dev/null
@@ -1,79 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-module "env_secrets_project" {
- source = "../../modules/single_project"
- impersonate_service_account = var.terraform_service_account
- org_id = var.org_id
- billing_account = var.billing_account
- folder_id = data.google_active_folder.env.name
- environment = "development"
- alert_spent_percents = var.alert_spent_percents
- alert_pubsub_topic = var.alert_pubsub_topic
- budget_amount = var.budget_amount
- project_suffix = var.secrets_prj_suffix
- project_prefix = var.project_prefix
-
- activate_apis = ["logging.googleapis.com", "secretmanager.googleapis.com", "cloudkms.googleapis.com"]
-
- # Metadata
- application_name = "bu2-sample-application"
- billing_code = "1234"
- primary_contact = "example@example.com"
- secondary_contact = "example2@example.com"
- business_code = "bu2"
-}
-
-data "google_storage_project_service_account" "gcs_account" {
- project = module.base_shared_vpc_project.project_id
-}
-
-module "kms" {
- source = "terraform-google-modules/kms/google"
- version = "~> 1.2"
-
- project_id = module.env_secrets_project.project_id
- keyring = var.keyring_name
- location = var.location_kms
- keys = [var.key_name]
- key_rotation_period = var.key_rotation_period
- encrypters = ["serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"]
- set_encrypters_for = [var.key_name]
- decrypters =
["serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"]
- set_decrypters_for = [var.key_name]
- prevent_destroy = "false"
-}
-
-resource "random_string" "bucket_name" {
- length = 5
- upper = false
- number = true
- lower = true
- special = false
-}
-
-module "gcs_buckets" {
- depends_on = [module.kms]
- source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
- version = "~> 1.7"
- project_id = module.base_shared_vpc_project.project_id
- location = var.location_gcs
- name = "${var.gcs_bucket_prefix}-${lower(var.location_gcs)}-${random_string.bucket_name.result}"
- bucket_policy_only = true
- encryption = {
- default_kms_key_name = module.kms.keys[var.key_name]
- }
-}
diff --git a/4-projects/business_unit_2/development/folder.tf b/4-projects/business_unit_2/development/folder.tf
deleted file mode 100644
index 405c9a814..000000000
--- a/4-projects/business_unit_2/development/folder.tf
+++ /dev/null
@@ -1,21 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-data "google_active_folder" "env" {
- display_name = "${var.folder_prefix}-development"
- parent = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}"
-}
-
diff --git a/4-projects/business_unit_2/development/main.tf b/4-projects/business_unit_2/development/main.tf
new file mode 100644
index 000000000..b3c1eebfd
--- /dev/null
+++ b/4-projects/business_unit_2/development/main.tf
@@ -0,0 +1,35 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+module "env" {
+ source = "../../modules/base_env"
+
+ env = "development"
+ business_code = "bu2"
+ business_unit = "business_unit_2"
+ terraform_service_account = var.terraform_service_account
+ org_id = var.org_id
+ billing_account = var.billing_account
+ access_context_manager_policy_id = var.access_context_manager_policy_id
+ parent_folder = var.parent_folder
+ perimeter_name = var.perimeter_name
+ peering_module_depends_on = var.peering_module_depends_on
+ project_prefix = var.project_prefix
+ folder_prefix = var.folder_prefix
+ enable_hub_and_spoke = var.enable_hub_and_spoke
+ app_infra_pipeline_cloudbuild_sa = var.app_infra_pipeline_cloudbuild_sa
+}
diff --git a/4-projects/business_unit_2/development/outputs.tf b/4-projects/business_unit_2/development/outputs.tf
index 8ac6b5e4f..77681648a 100644
--- a/4-projects/business_unit_2/development/outputs.tf
+++ b/4-projects/business_unit_2/development/outputs.tf
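Review bot: The new `module "env"` call forwards none of the per-environment controls this commit deletes from variables.tf — `firewall_enable_logging`, `optional_fw_rules_enabled`, `windows_activation_enabled`, the `budget_amount`/`alert_*` inputs and the KMS `key_rotation_period`/location settings — so their effective values in this environment are now whatever `../../modules/base_env` defaults to, and that module is not part of this diff. Before merging, confirm the module keeps firewall logging enabled and a rotation period no longer than the `7776000s` the removed variable defaulted to, and that the budget alerts are still created; otherwise re-expose the relevant inputs here, for example `firewall_enable_logging = var.firewall_enable_logging`. A short header comment would also help readers coming from the old one-file-per-project layout: `// All sample projects for this environment are created by the shared base_env module; tuning knobs that used to be variables here now live in that module.` The same observation applies to every environment root converted in this commit, including the business_unit_1 production variables.tf hunks above.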
@@ -16,37 +16,37 @@
 output "base_shared_vpc_project" {
 description = "Project sample base project."
- value = module.base_shared_vpc_project.project_id
+ value = module.env.base_shared_vpc_project
 }
 output "base_shared_vpc_project_sa" {
 description = "Project sample base project SA."
- value = module.base_shared_vpc_project.sa
+ value = module.env.base_shared_vpc_project_sa
 }
 output "floating_project" {
 description = "Project sample floating project."
- value = module.floating_project.project_id
+ value = module.env.floating_project
 }
 output "peering_project" {
 description = "Project sample peering project id."
- value = module.peering_project.project_id
+ value = module.env.peering_project
 }
 output "peering_network" {
 description = "Peer network peering resource."
- value = module.peering.peer_network_peering
+ value = module.env.peering_network
 }
 output "restricted_shared_vpc_project" {
 description = "Project sample restricted project id."
- value = module.restricted_shared_vpc_project.project_id
+ value = module.env.restricted_shared_vpc_project
 }
 output "restricted_shared_vpc_project_number" {
 description = "Project sample restricted project."
- value = module.restricted_shared_vpc_project.project_number
+ value = module.env.restricted_shared_vpc_project_number
 }
 output "vpc_service_control_perimeter_name" {
@@ -56,7 +56,7 @@ output "vpc_service_control_perimeter_name" {
 output "restricted_enabled_apis" {
 description = "Activated APIs."
- value = module.restricted_shared_vpc_project.enabled_apis
+ value = module.env.restricted_enabled_apis
 }
 output "access_context_manager_policy_id" {
@@ -66,25 +66,25 @@ output "access_context_manager_policy_id" {
 output "peering_complete" {
 description = "Output to be used as a module dependency."
- value = module.peering.complete
+ value = module.env.peering_complete
 }
 output "env_secrets_project" {
 description = "Project sample peering project id."
- value = module.env_secrets_project.project_id
+ value = module.env.env_secrets_project
 }
 output "keyring" {
 description = "The name of the keyring."
- value = module.kms.keyring
+ value = module.env.keyring
 }
 output "keys" {
 description = "List of created key names."
- value = keys(module.kms.keys)
+ value = module.env.keys
 }
 output "bucket" {
 description = "The created storage bucket"
- value = module.gcs_buckets.bucket
+ value = module.env.bucket
 }
diff --git a/4-projects/business_unit_2/development/variables.tf b/4-projects/business_unit_2/development/variables.tf
index ff7aaf165..be54660c8 100644
--- a/4-projects/business_unit_2/development/variables.tf
+++ b/4-projects/business_unit_2/development/variables.tf
@@ -35,7 +35,7 @@ variable "access_context_manager_policy_id" {
 }
 variable "parent_folder" {
- description = "Optional - if using a folder for testing."
+ description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step."
 type = string
 default = ""
 }
@@ -51,50 +51,14 @@ variable "peering_module_depends_on" {
 default = []
 }
-variable "firewall_enable_logging" {
- type = bool
- description = "Toggle firewall logging for VPC Firewalls."
- default = true
-}
-
-variable "optional_fw_rules_enabled" {
- type = bool
- description = "Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges."
- default = false
-}
-
-variable "windows_activation_enabled" {
- type = bool
- description = "Enable Windows license activation for Windows workloads."
- default = false
-}
-
-variable "alert_spent_percents" {
- description = "A list of percentages of the budget to alert on when threshold is exceeded"
- type = list(number)
- default = [0.5, 0.75, 0.9, 0.95]
-}
-
-variable "alert_pubsub_topic" {
- description = "The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`"
- type = string
- default = null
-}
-
-variable "budget_amount" {
- description = "The amount to use as the budget"
- type = number
- default = 1000
-}
-
 variable "project_prefix" {
- description = "Name prefix to use for projects created."
+ description = "Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters."
 type = string
 default = "prj"
 }
 variable "folder_prefix" {
- description = "Name prefix to use for folders created."
+ description = "Name prefix to use for folders created. Should be the same in all steps."
 type = string
 default = "fldr"
 }
@@ -109,45 +73,3 @@ variable "app_infra_pipeline_cloudbuild_sa" {
 description = "Cloud Build SA used for deploying infrastructure"
 type = string
 }
-
-variable "secrets_prj_suffix" {
- description = "Name suffix to use for secrets project created."
- type = string
- default = "env-secrets"
-}
-
-variable "location_kms" {
- description = "Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket)"
- type = string
- default = "us"
-}
-
-variable "location_gcs" {
- description = "Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring)"
- type = string
- default = "US"
-}
-
-variable "keyring_name" {
- description = "Name to be used for KMS Keyring"
- type = string
- default = "sample-keyring"
-}
-
-variable "key_name" {
- description = "Name to be used for KMS Key"
- type = string
- default = "crypto-key-example"
-}
-
-variable "key_rotation_period" {
- description = "Rotation period in seconds to be used for KMS Key"
- type = string
- default = "7776000s"
-}
-
-variable "gcs_bucket_prefix" {
- description = "Name prefix to be used for GCS Bucket"
- type = string
- default = "cmek-encrypted-bucket"
-}
diff --git a/4-projects/business_unit_2/non-production/README.md b/4-projects/business_unit_2/non-production/README.md
index c8a167625..d986568dc 100644
--- a/4-projects/business_unit_2/non-production/README.md
+++ b/4-projects/business_unit_2/non-production/README.md
@@ -4,29 +4,16 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | access\_context\_manager\_policy\_id | The ID of the access context manager policy the perimeter lies in. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `string` | n/a | yes |
-| alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` | `string` | `null` | no |
-| alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded | `list(number)` |
[
0.5,
0.75,
0.9,
0.95
]
| no |
 | app\_infra\_pipeline\_cloudbuild\_sa | Cloud Build SA used for deploying infrastructure | `string` | n/a | yes |
 | billing\_account | The ID of the billing account to associated this project with | `string` | n/a | yes |
-| budget\_amount | The amount to use as the budget | `number` | `1000` | no |
 | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
-| firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no |
-| folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no |
-| gcs\_bucket\_prefix | Name prefix to be used for GCS Bucket | `string` | `"cmek-encrypted-bucket"` | no |
-| key\_name | Name to be used for KMS Key | `string` | `"crypto-key-example"` | no |
-| key\_rotation\_period | Rotation period in seconds to be used for KMS Key | `string` | `"7776000s"` | no |
-| keyring\_name | Name to be used for KMS Keyring | `string` | `"sample-keyring"` | no |
-| location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `"US"` | no |
-| location\_kms | Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket) | `string` | `"us"` | no |
-| optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | `bool` | `false` | no |
+| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no |
 | org\_id | The organization id for the associated services | `string` | n/a | yes |
-| parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no |
+| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID.
The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no |
 | peering\_module\_depends\_on | List of modules or resources peering module depends on. | `list(any)` | `[]` | no |
 | perimeter\_name | Access context manager service perimeter name to attach the restricted svpc project. | `string` | n/a | yes |
-| project\_prefix | Name prefix to use for projects created. | `string` | `"prj"` | no |
-| secrets\_prj\_suffix | Name suffix to use for secrets project created. | `string` | `"env-secrets"` | no |
+| project\_prefix | Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters. | `string` | `"prj"` | no |
 | terraform\_service\_account | Service account email of the account to impersonate to run Terraform | `string` | n/a | yes |
-| windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no |
 ## Outputs
diff --git a/4-projects/business_unit_2/non-production/example_base_shared_vpc_project.tf b/4-projects/business_unit_2/non-production/example_base_shared_vpc_project.tf
deleted file mode 100644
index 7798c2350..000000000
--- a/4-projects/business_unit_2/non-production/example_base_shared_vpc_project.tf
+++ /dev/null
@@ -1,45 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -module "base_shared_vpc_project" { - source = "../../modules/single_project" - impersonate_service_account = var.terraform_service_account - org_id = var.org_id - billing_account = var.billing_account - folder_id = data.google_active_folder.env.name - environment = "non-production" - vpc_type = "base" - alert_spent_percents = var.alert_spent_percents - alert_pubsub_topic = var.alert_pubsub_topic - budget_amount = var.budget_amount - project_prefix = var.project_prefix - enable_hub_and_spoke = var.enable_hub_and_spoke - sa_roles = ["roles/editor"] - enable_cloudbuild_deploy = true - cloudbuild_sa = var.app_infra_pipeline_cloudbuild_sa - activate_apis = [ - "iam.googleapis.com", - "cloudresourcemanager.googleapis.com" - ] - - # Metadata - project_suffix = "sample-base" - application_name = "bu2-sample-application" - billing_code = "1234" - primary_contact = "example@example.com" - secondary_contact = "example2@example.com" - business_code = "bu2" -} diff --git a/4-projects/business_unit_2/non-production/example_floating_project.tf b/4-projects/business_unit_2/non-production/example_floating_project.tf deleted file mode 100644 index eef30a35f..000000000 --- a/4-projects/business_unit_2/non-production/example_floating_project.tf +++ /dev/null 
@@ -1,38 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - - - -module "floating_project" { - source = "../../modules/single_project" - impersonate_service_account = var.terraform_service_account - org_id = var.org_id - billing_account = var.billing_account - folder_id = data.google_active_folder.env.name - environment = "non-production" - alert_spent_percents = var.alert_spent_percents - alert_pubsub_topic = var.alert_pubsub_topic - budget_amount = var.budget_amount - project_prefix = var.project_prefix - - # Metadata - project_suffix = "sample-floating" - application_name = "bu2-sample-application" - billing_code = "1234" - primary_contact = "example@example.com" - secondary_contact = "example2@example.com" - business_code = "bu2" -} diff --git a/4-projects/business_unit_2/non-production/example_peering_project.tf b/4-projects/business_unit_2/non-production/example_peering_project.tf deleted file mode 100644 index 26023b584..000000000 --- a/4-projects/business_unit_2/non-production/example_peering_project.tf +++ /dev/null 
@@ -1,255 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -locals { - shared_vpc_mode = var.enable_hub_and_spoke ? "-spoke" : "" -} - -data "google_projects" "projects" { - filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=base-shared-vpc-host labels.environment=non-production lifecycleState=ACTIVE" -} - -data "google_compute_network" "shared_vpc" { - name = "vpc-n-shared-base${local.shared_vpc_mode}" - project = data.google_projects.projects.projects[0].project_id -} - -data "google_netblock_ip_ranges" "legacy_health_checkers" { - range_type = "legacy-health-checkers" -} - -data "google_netblock_ip_ranges" "health_checkers" { - range_type = "health-checkers" -} - -data "google_netblock_ip_ranges" "iap_forwarders" { - range_type = "iap-forwarders" -} - -module "peering_project" { - source = "../../modules/single_project" - impersonate_service_account = var.terraform_service_account - org_id = var.org_id - billing_account = var.billing_account - folder_id = data.google_active_folder.env.name - environment = "non-production" - project_prefix = var.project_prefix - - # Metadata - project_suffix = "sample-peering" - application_name = "bu2-sample-peering" - billing_code = "1234" - primary_contact = "example@example.com" - secondary_contact = "example2@example.com" - business_code = "bu2" -} - -module "peering_network" { - source = 
"terraform-google-modules/network/google" - version = "~> 3.0" - project_id = module.peering_project.project_id - network_name = "vpc-n-peering-base" - shared_vpc_host = "false" - delete_default_internet_gateway_routes = "true" - subnets = [] -} - -module "peering" { - source = "terraform-google-modules/network/google//modules/network-peering" - version = "~> 3.0" - prefix = "bu2-n" - local_network = module.peering_network.network_self_link - peer_network = data.google_compute_network.shared_vpc.self_link - module_depends_on = var.peering_module_depends_on -} - -/****************************************** - Mandatory firewall rules - *****************************************/ - -resource "google_compute_firewall" "deny_all_egress" { - name = "fw-n-peering-base-65535-e-n-all-all-tcp-udp" - network = module.peering_network.network_name - project = module.peering_project.project_id - direction = "EGRESS" - priority = 65535 - - dynamic "log_config" { - for_each = var.firewall_enable_logging == true ? [{ - metadata = "INCLUDE_ALL_METADATA" - }] : [] - - content { - metadata = log_config.value.metadata - } - } - - deny { - protocol = "tcp" - } - - deny { - protocol = "udp" - } - - destination_ranges = ["0.0.0.0/0"] -} - - -resource "google_compute_firewall" "allow_private_api_egress" { - name = "fw-n-peering-base-65534-e-a-allow-google-apis-all-tcp-443" - network = module.peering_network.network_name - project = module.peering_project.project_id - direction = "EGRESS" - priority = 65534 - - dynamic "log_config" { - for_each = var.firewall_enable_logging == true ? 
[{ - metadata = "INCLUDE_ALL_METADATA" - }] : [] - - content { - metadata = log_config.value.metadata - } - } - - allow { - protocol = "tcp" - ports = ["443"] - } - - destination_ranges = ["199.36.153.8/30"] - - target_tags = ["allow-google-apis"] -} - - -/****************************************** - Optional firewall rules - *****************************************/ - -// Allow SSH via IAP when using the allow-iap-ssh tag for Linux workloads. -resource "google_compute_firewall" "allow_iap_ssh" { - count = var.optional_fw_rules_enabled ? 1 : 0 - name = "fw-n-peering-base-1000-i-a-all-allow-iap-ssh-tcp-22" - network = module.peering_network.network_name - project = module.peering_project.project_id - - dynamic "log_config" { - for_each = var.firewall_enable_logging == true ? [{ - metadata = "INCLUDE_ALL_METADATA" - }] : [] - - content { - metadata = log_config.value.metadata - } - } - - // Cloud IAP's TCP forwarding netblock - source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4) - - allow { - protocol = "tcp" - ports = ["22"] - } - - target_tags = ["allow-iap-ssh"] -} - -// Allow RDP via IAP when using the allow-iap-rdp tag for Windows workloads. -resource "google_compute_firewall" "allow_iap_rdp" { - count = var.optional_fw_rules_enabled ? 1 : 0 - name = "fw-n-peering-base-1000-i-a-all-allow-iap-rdp-tcp-3389" - network = module.peering_network.network_name - project = module.peering_project.project_id - - dynamic "log_config" { - for_each = var.firewall_enable_logging == true ? 
[{ - metadata = "INCLUDE_ALL_METADATA" - }] : [] - - content { - metadata = log_config.value.metadata - } - } - - // Cloud IAP's TCP forwarding netblock - source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4) - - allow { - protocol = "tcp" - ports = ["3389"] - } - - target_tags = ["allow-iap-rdp"] -} - -// Allow access to kms.windows.googlecloud.com for Windows license activation -resource "google_compute_firewall" "allow_windows_activation" { - count = var.windows_activation_enabled ? 1 : 0 - name = "fw-n-peering-base-0-e-a-allow-win-activation-all-tcp-1688" - network = module.peering_network.network_name - project = module.peering_project.project_id - direction = "EGRESS" - priority = 0 - - dynamic "log_config" { - for_each = var.firewall_enable_logging == true ? [{ - metadata = "INCLUDE_ALL_METADATA" - }] : [] - - content { - metadata = log_config.value.metadata - } - } - - allow { - protocol = "tcp" - ports = ["1688"] - } - - destination_ranges = ["35.190.247.13/32"] - - target_tags = ["allow-win-activation"] -} - -// Allow traffic for Internal & Global load balancing health check and load balancing IP ranges. -resource "google_compute_firewall" "allow_lb" { - count = var.optional_fw_rules_enabled ? 1 : 0 - name = "fw-n-peering-base-1000-i-a-all-allow-lb-tcp-80-8080-443" - network = module.peering_network.network_name - project = module.peering_project.project_id - - dynamic "log_config" { - for_each = var.firewall_enable_logging == true ? [{ - metadata = "INCLUDE_ALL_METADATA" - }] : [] - - content { - metadata = log_config.value.metadata - } - } - - source_ranges = concat(data.google_netblock_ip_ranges.health_checkers.cidr_blocks_ipv4, data.google_netblock_ip_ranges.legacy_health_checkers.cidr_blocks_ipv4) - - // Allow common app ports by default. - allow { - protocol = "tcp" - ports = ["80", "8080", "443"] - } - - target_tags = ["allow-lb"] -} 
diff --git a/4-projects/business_unit_2/non-production/example_restricted_shared_vpc_project.tf b/4-projects/business_unit_2/non-production/example_restricted_shared_vpc_project.tf deleted file mode 100644 index 67c09efcc..000000000 --- a/4-projects/business_unit_2/non-production/example_restricted_shared_vpc_project.tf +++ /dev/null @@ -1,42 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -module "restricted_shared_vpc_project" { - source = "../../modules/single_project" - impersonate_service_account = var.terraform_service_account - org_id = var.org_id - billing_account = var.billing_account - folder_id = data.google_active_folder.env.name - environment = "non-production" - vpc_type = "restricted" - alert_spent_percents = var.alert_spent_percents - alert_pubsub_topic = var.alert_pubsub_topic - budget_amount = var.budget_amount - project_prefix = var.project_prefix - enable_hub_and_spoke = var.enable_hub_and_spoke - - activate_apis = ["accesscontextmanager.googleapis.com"] - vpc_service_control_attach_enabled = "true" - vpc_service_control_perimeter_name = "accessPolicies/${var.access_context_manager_policy_id}/servicePerimeters/${var.perimeter_name}" - - # Metadata - project_suffix = "sample-restrict" - application_name = "bu2-sample-application" - billing_code = "1234" - primary_contact = "example@example.com" - secondary_contact = "example2@example.com" - business_code = "bu2" -} 
diff --git a/4-projects/business_unit_2/non-production/example_storage_cmek.tf b/4-projects/business_unit_2/non-production/example_storage_cmek.tf deleted file mode 100644 index e895d8944..000000000 --- a/4-projects/business_unit_2/non-production/example_storage_cmek.tf +++ /dev/null 
@@ -1,79 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -module "env_secrets_project" { - source = "../../modules/single_project" - impersonate_service_account = var.terraform_service_account - org_id = var.org_id - billing_account = var.billing_account - folder_id = data.google_active_folder.env.name - environment = "non-production" - alert_spent_percents = var.alert_spent_percents - alert_pubsub_topic = var.alert_pubsub_topic - budget_amount = var.budget_amount - project_suffix = var.secrets_prj_suffix - project_prefix = var.project_prefix - - activate_apis = ["logging.googleapis.com", "secretmanager.googleapis.com", "cloudkms.googleapis.com"] - - # Metadata - application_name = "bu2-sample-application" - billing_code = "1234" - primary_contact = "example@example.com" - secondary_contact = "example2@example.com" - business_code = "bu2" -} - -data "google_storage_project_service_account" "gcs_account" { - project = module.base_shared_vpc_project.project_id -} - -module "kms" { - source = "terraform-google-modules/kms/google" - version = "~> 1.2" - - project_id = module.env_secrets_project.project_id - keyring = var.keyring_name - location = var.location_kms - keys = [var.key_name] - key_rotation_period = var.key_rotation_period - encrypters = ["serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"] - set_encrypters_for = [var.key_name] - decrypters = 
["serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"] - set_decrypters_for = [var.key_name] - prevent_destroy = "false" -} - -resource "random_string" "bucket_name" { - length = 5 - upper = false - number = true - lower = true - special = false -} - -module "gcs_buckets" { - depends_on = [module.kms] - source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket" - version = "~> 1.7" - project_id = module.base_shared_vpc_project.project_id - location = var.location_gcs - name = "${var.gcs_bucket_prefix}-${lower(var.location_gcs)}-${random_string.bucket_name.result}" - bucket_policy_only = true - encryption = { - default_kms_key_name = module.kms.keys[var.key_name] - } -} diff --git a/4-projects/business_unit_2/non-production/folder.tf b/4-projects/business_unit_2/non-production/folder.tf deleted file mode 100644 index 63f388207..000000000 --- a/4-projects/business_unit_2/non-production/folder.tf +++ /dev/null @@ -1,21 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -data "google_active_folder" "env" { - display_name = "${var.folder_prefix}-non-production" - parent = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}" -} - diff --git a/4-projects/business_unit_2/non-production/main.tf b/4-projects/business_unit_2/non-production/main.tf new file mode 100644 index 000000000..d5f9c16ca --- /dev/null 
+++ b/4-projects/business_unit_2/non-production/main.tf
@@ -0,0 +1,35 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+module "env" {
+ source = "../../modules/base_env"
+
+ env = "non-production"
+ business_code = "bu2"
+ business_unit = "business_unit_2"
+ terraform_service_account = var.terraform_service_account
+ org_id = var.org_id
+ billing_account = var.billing_account
+ access_context_manager_policy_id = var.access_context_manager_policy_id
+ parent_folder = var.parent_folder
+ perimeter_name = var.perimeter_name
+ peering_module_depends_on = var.peering_module_depends_on
+ project_prefix = var.project_prefix
+ folder_prefix = var.folder_prefix
+ enable_hub_and_spoke = var.enable_hub_and_spoke
+ app_infra_pipeline_cloudbuild_sa = var.app_infra_pipeline_cloudbuild_sa
+}
diff --git a/4-projects/business_unit_2/non-production/outputs.tf b/4-projects/business_unit_2/non-production/outputs.tf
index 8ac6b5e4f..77681648a 100644
--- a/4-projects/business_unit_2/non-production/outputs.tf
+++ b/4-projects/business_unit_2/non-production/outputs.tf
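Review bot: The security-relevant toggles that the deleted per-environment files exposed — `firewall_enable_logging`, `optional_fw_rules_enabled`, `windows_activation_enabled` and the KMS `key_rotation_period` — are not passed to `module "env"`, so their effective values are now whatever `modules/base_env` hardcodes, and that module is outside this diff. If base_env defaults firewall logging off, enables the optional IAP/LB ingress rules, or drops the rotation period, this hunk silently weakens the non-production environment; please confirm those defaults or re-expose the variables here. A short comment above the module call would save the next reader the search: `# Firewall logging, optional IAP/LB rules, Windows activation and KMS key rotation are fixed inside modules/base_env; change them there.`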
@@ -16,37 +16,37 @@ output "base_shared_vpc_project" { description = "Project sample base project." - value = module.base_shared_vpc_project.project_id + value = module.env.base_shared_vpc_project } output "base_shared_vpc_project_sa" { description = "Project sample base project SA." - value = module.base_shared_vpc_project.sa + value = module.env.base_shared_vpc_project_sa } output "floating_project" { description = "Project sample floating project." - value = module.floating_project.project_id + value = module.env.floating_project } output "peering_project" { description = "Project sample peering project id." - value = module.peering_project.project_id + value = module.env.peering_project } output "peering_network" { description = "Peer network peering resource." - value = module.peering.peer_network_peering + value = module.env.peering_network } output "restricted_shared_vpc_project" { description = "Project sample restricted project id." - value = module.restricted_shared_vpc_project.project_id + value = module.env.restricted_shared_vpc_project } output "restricted_shared_vpc_project_number" { description = "Project sample restricted project." - value = module.restricted_shared_vpc_project.project_number + value = module.env.restricted_shared_vpc_project_number } output "vpc_service_control_perimeter_name" { @@ -56,7 +56,7 @@ output "vpc_service_control_perimeter_name" { output "restricted_enabled_apis" { description = "Activated APIs." - value = module.restricted_shared_vpc_project.enabled_apis + value = module.env.restricted_enabled_apis } output "access_context_manager_policy_id" { 
@@ -66,25 +66,25 @@ output "access_context_manager_policy_id" { output "peering_complete" { description = "Output to be used as a module dependency." - value = module.peering.complete + value = module.env.peering_complete } output "env_secrets_project" { description = "Project sample peering project id." - value = module.env_secrets_project.project_id + value = module.env.env_secrets_project } output "keyring" { description = "The name of the keyring." - value = module.kms.keyring + value = module.env.keyring } output "keys" { description = "List of created key names." - value = keys(module.kms.keys) + value = module.env.keys } output "bucket" { description = "The created storage bucket" - value = module.gcs_buckets.bucket + value = module.env.bucket } diff --git a/4-projects/business_unit_2/non-production/variables.tf b/4-projects/business_unit_2/non-production/variables.tf index ff7aaf165..be54660c8 100644 --- a/4-projects/business_unit_2/non-production/variables.tf +++ b/4-projects/business_unit_2/non-production/variables.tf @@ -35,7 +35,7 @@ variable "access_context_manager_policy_id" { } variable "parent_folder" { - description = "Optional - if using a folder for testing." + description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step." type = string default = "" } 
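Review bot: The `env_secrets_project` output's description still reads `Project sample peering project id.`, a copy-paste of the peering output that now sits directly above its rewired value; change it to `description = "Project sample environment secrets project id."`. Separately, `keys` previously returned `keys(module.kms.keys)`, a list of key names, and now returns `module.env.keys`; `modules/base_env` is not in this diff, so please confirm it exposes the name list rather than the name-to-resource map, otherwise the description `List of created key names.` and any consumer of this output are wrong.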
@@ -51,50 +51,14 @@ variable "peering_module_depends_on" { default = [] } -variable "firewall_enable_logging" { - type = bool - description = "Toggle firewall logging for VPC Firewalls." - default = true -} - -variable "optional_fw_rules_enabled" { - type = bool - description = "Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges." - default = false -} - -variable "windows_activation_enabled" { - type = bool - description = "Enable Windows license activation for Windows workloads." - default = false -} - -variable "alert_spent_percents" { - description = "A list of percentages of the budget to alert on when threshold is exceeded" - type = list(number) - default = [0.5, 0.75, 0.9, 0.95] -} - -variable "alert_pubsub_topic" { - description = "The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`" - type = string - default = null -} - -variable "budget_amount" { - description = "The amount to use as the budget" - type = number - default = 1000 -} - variable "project_prefix" { - description = "Name prefix to use for projects created." + description = "Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters." type = string default = "prj" } variable "folder_prefix" { - description = "Name prefix to use for folders created." + description = "Name prefix to use for folders created. Should be the same in all steps." type = string default = "fldr" } 
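Review bot: The new `project_prefix` description promises `Max size is 3 characters.` but nothing enforces it, so an over-long prefix only fails deep inside project creation, or, if a downstream module truncates names, silently produces colliding project IDs. A `validation` block on the variable turns this into a plan-time error; it needs Terraform 0.13 or later, which I cannot confirm from the hunk, so drop it if the pinned version is older. The same hunk removes `firewall_enable_logging` and `key_rotation_period` with no replacement in this file; their defaults now live in `modules/base_env`, outside the diff, and are worth checking there.
```hcl
variable "project_prefix" {
  # … unchanged: description, type, default …

  validation {
    condition     = length(var.project_prefix) <= 3
    error_message = "project_prefix must be at most 3 characters."
  }
}
```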
@@ -109,45 +73,3 @@ variable "app_infra_pipeline_cloudbuild_sa" { description = "Cloud Build SA used for deploying infrastructure" type = string } - -variable "secrets_prj_suffix" { - description = "Name suffix to use for secrets project created." - type = string - default = "env-secrets" -} - -variable "location_kms" { - description = "Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket)" - type = string - default = "us" -} - -variable "location_gcs" { - description = "Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring)" - type = string - default = "US" -} - -variable "keyring_name" { - description = "Name to be used for KMS Keyring" - type = string - default = "sample-keyring" -} - -variable "key_name" { - description = "Name to be used for KMS Key" - type = string - default = "crypto-key-example" -} - -variable "key_rotation_period" { - description = "Rotation period in seconds to be used for KMS Key" - type = string - default = "7776000s" -} - -variable "gcs_bucket_prefix" { - description = "Name prefix to be used for GCS Bucket" - type = string - default = "cmek-encrypted-bucket" -} diff --git a/4-projects/business_unit_2/production/README.md b/4-projects/business_unit_2/production/README.md index c8a167625..d986568dc 100644 --- a/4-projects/business_unit_2/production/README.md +++ b/4-projects/business_unit_2/production/README.md 
@@ -4,29 +4,16 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | access\_context\_manager\_policy\_id | The ID of the access context manager policy the perimeter lies in. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `string` | n/a | yes | -| alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` | `string` | `null` | no | -| alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded | `list(number)` |
[
0.5,
0.75,
0.9,
0.95
]
| no | | app\_infra\_pipeline\_cloudbuild\_sa | Cloud Build SA used for deploying infrastructure | `string` | n/a | yes | | billing\_account | The ID of the billing account to associated this project with | `string` | n/a | yes | -| budget\_amount | The amount to use as the budget | `number` | `1000` | no | | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no | -| firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no | -| folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no | -| gcs\_bucket\_prefix | Name prefix to be used for GCS Bucket | `string` | `"cmek-encrypted-bucket"` | no | -| key\_name | Name to be used for KMS Key | `string` | `"crypto-key-example"` | no | -| key\_rotation\_period | Rotation period in seconds to be used for KMS Key | `string` | `"7776000s"` | no | -| keyring\_name | Name to be used for KMS Keyring | `string` | `"sample-keyring"` | no | -| location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `"US"` | no | -| location\_kms | Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket) | `string` | `"us"` | no | -| optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | `bool` | `false` | no | +| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | | org\_id | The organization id for the associated services | `string` | n/a | yes | -| parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no | +| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. 
The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no | | peering\_module\_depends\_on | List of modules or resources peering module depends on. | `list(any)` | `[]` | no | | perimeter\_name | Access context manager service perimeter name to attach the restricted svpc project. | `string` | n/a | yes | -| project\_prefix | Name prefix to use for projects created. | `string` | `"prj"` | no | -| secrets\_prj\_suffix | Name suffix to use for secrets project created. | `string` | `"env-secrets"` | no | +| project\_prefix | Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters. | `string` | `"prj"` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform | `string` | n/a | yes | -| windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no | ## Outputs diff --git a/4-projects/business_unit_2/production/example_base_shared_vpc_project.tf b/4-projects/business_unit_2/production/example_base_shared_vpc_project.tf deleted file mode 100644 index f39dd2e2a..000000000 --- a/4-projects/business_unit_2/production/example_base_shared_vpc_project.tf +++ /dev/null 
@@ -1,45 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -module "base_shared_vpc_project" { - source = "../../modules/single_project" - impersonate_service_account = var.terraform_service_account - org_id = var.org_id - billing_account = var.billing_account - folder_id = data.google_active_folder.env.name - environment = "production" - vpc_type = "base" - alert_spent_percents = var.alert_spent_percents - alert_pubsub_topic = var.alert_pubsub_topic - budget_amount = var.budget_amount - project_prefix = var.project_prefix - enable_hub_and_spoke = var.enable_hub_and_spoke - sa_roles = ["roles/editor"] - enable_cloudbuild_deploy = true - cloudbuild_sa = var.app_infra_pipeline_cloudbuild_sa - activate_apis = [ - "iam.googleapis.com", - "cloudresourcemanager.googleapis.com" - ] - - # Metadata - project_suffix = "sample-base" - application_name = "bu2-sample-application" - billing_code = "1234" - primary_contact = "example@example.com" - secondary_contact = "example2@example.com" - business_code = "bu2" -} diff --git a/4-projects/business_unit_2/production/example_floating_project.tf b/4-projects/business_unit_2/production/example_floating_project.tf deleted file mode 100644 index 3a6a3ddbd..000000000 --- a/4-projects/business_unit_2/production/example_floating_project.tf +++ /dev/null 
@@ -1,38 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - - - -module "floating_project" { - source = "../../modules/single_project" - impersonate_service_account = var.terraform_service_account - org_id = var.org_id - billing_account = var.billing_account - folder_id = data.google_active_folder.env.name - environment = "production" - alert_spent_percents = var.alert_spent_percents - alert_pubsub_topic = var.alert_pubsub_topic - budget_amount = var.budget_amount - project_prefix = var.project_prefix - - # Metadata - project_suffix = "sample-floating" - application_name = "bu2-sample-application" - billing_code = "1234" - primary_contact = "example@example.com" - secondary_contact = "example2@example.com" - business_code = "bu2" -} diff --git a/4-projects/business_unit_2/production/example_peering_project.tf b/4-projects/business_unit_2/production/example_peering_project.tf deleted file mode 100644 index 1d3fe942d..000000000 --- a/4-projects/business_unit_2/production/example_peering_project.tf +++ /dev/null 
@@ -1,255 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -locals { - shared_vpc_mode = var.enable_hub_and_spoke ? "-spoke" : "" -} - -data "google_projects" "projects" { - filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=base-shared-vpc-host labels.environment=production lifecycleState=ACTIVE" -} - -data "google_compute_network" "shared_vpc" { - name = "vpc-p-shared-base${local.shared_vpc_mode}" - project = data.google_projects.projects.projects[0].project_id -} - -data "google_netblock_ip_ranges" "legacy_health_checkers" { - range_type = "legacy-health-checkers" -} - -data "google_netblock_ip_ranges" "health_checkers" { - range_type = "health-checkers" -} - -data "google_netblock_ip_ranges" "iap_forwarders" { - range_type = "iap-forwarders" -} - -module "peering_project" { - source = "../../modules/single_project" - impersonate_service_account = var.terraform_service_account - org_id = var.org_id - billing_account = var.billing_account - folder_id = data.google_active_folder.env.name - environment = "production" - project_prefix = var.project_prefix - - # Metadata - project_suffix = "sample-peering" - application_name = "bu2-sample-peering" - billing_code = "1234" - primary_contact = "example@example.com" - secondary_contact = "example2@example.com" - business_code = "bu2" -} - -module "peering_network" { - source = "terraform-google-modules/network/google" - 
version = "~> 3.0" - project_id = module.peering_project.project_id - network_name = "vpc-p-peering-base" - shared_vpc_host = "false" - delete_default_internet_gateway_routes = "true" - subnets = [] -} - -module "peering" { - source = "terraform-google-modules/network/google//modules/network-peering" - version = "~> 3.0" - prefix = "bu2-p" - local_network = module.peering_network.network_self_link - peer_network = data.google_compute_network.shared_vpc.self_link - module_depends_on = var.peering_module_depends_on -} - -/****************************************** - Mandatory firewall rules - *****************************************/ - -resource "google_compute_firewall" "deny_all_egress" { - name = "fw-p-peering-base-65535-e-p-all-all-tcp-udp" - network = module.peering_network.network_name - project = module.peering_project.project_id - direction = "EGRESS" - priority = 65535 - - dynamic "log_config" { - for_each = var.firewall_enable_logging == true ? [{ - metadata = "INCLUDE_ALL_METADATA" - }] : [] - - content { - metadata = log_config.value.metadata - } - } - - deny { - protocol = "tcp" - } - - deny { - protocol = "udp" - } - - destination_ranges = ["0.0.0.0/0"] -} - - -resource "google_compute_firewall" "allow_private_api_egress" { - name = "fw-p-peering-base-65534-e-a-allow-google-apis-all-tcp-443" - network = module.peering_network.network_name - project = module.peering_project.project_id - direction = "EGRESS" - priority = 65534 - - dynamic "log_config" { - for_each = var.firewall_enable_logging == true ? [{ - metadata = "INCLUDE_ALL_METADATA" - }] : [] - - content { - metadata = log_config.value.metadata - } - } - - allow { - protocol = "tcp" - ports = ["443"] - } - - destination_ranges = ["199.36.153.8/30"] - - target_tags = ["allow-google-apis"] -} - - -/****************************************** - Optional firewall rules - *****************************************/ - -// Allow SSH via IAP when using the allow-iap-ssh tag for Linux workloads. 
-resource "google_compute_firewall" "allow_iap_ssh" { - count = var.optional_fw_rules_enabled ? 1 : 0 - name = "fw-p-peering-base-1000-i-a-all-allow-iap-ssh-tcp-22" - network = module.peering_network.network_name - project = module.peering_project.project_id - - dynamic "log_config" { - for_each = var.firewall_enable_logging == true ? [{ - metadata = "INCLUDE_ALL_METADATA" - }] : [] - - content { - metadata = log_config.value.metadata - } - } - - // Cloud IAP's TCP forwarding netblock - source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4) - - allow { - protocol = "tcp" - ports = ["22"] - } - - target_tags = ["allow-iap-ssh"] -} - -// Allow RDP via IAP when using the allow-iap-rdp tag for Windows workloads. -resource "google_compute_firewall" "allow_iap_rdp" { - count = var.optional_fw_rules_enabled ? 1 : 0 - name = "fw-p-peering-base-1000-i-a-all-allow-iap-rdp-tcp-3389" - network = module.peering_network.network_name - project = module.peering_project.project_id - - dynamic "log_config" { - for_each = var.firewall_enable_logging == true ? [{ - metadata = "INCLUDE_ALL_METADATA" - }] : [] - - content { - metadata = log_config.value.metadata - } - } - - // Cloud IAP's TCP forwarding netblock - source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4) - - allow { - protocol = "tcp" - ports = ["3389"] - } - - target_tags = ["allow-iap-rdp"] -} - -// Allow access to kms.windows.googlecloud.com for Windows license activation -resource "google_compute_firewall" "allow_windows_activation" { - count = var.windows_activation_enabled ? 1 : 0 - name = "fw-p-peering-base-0-e-a-allow-win-activation-all-tcp-1688" - network = module.peering_network.network_name - project = module.peering_project.project_id - direction = "EGRESS" - priority = 0 - - dynamic "log_config" { - for_each = var.firewall_enable_logging == true ? 
[{ - metadata = "INCLUDE_ALL_METADATA" - }] : [] - - content { - metadata = log_config.value.metadata - } - } - - allow { - protocol = "tcp" - ports = ["1688"] - } - - destination_ranges = ["35.190.247.13/32"] - - target_tags = ["allow-win-activation"] -} - -// Allow traffic for Internal & Global load balancing health check and load balancing IP ranges. -resource "google_compute_firewall" "allow_lb" { - count = var.optional_fw_rules_enabled ? 1 : 0 - name = "fw-p-peering-base-1000-i-a-all-allow-lb-tcp-80-8080-443" - network = module.peering_network.network_name - project = module.peering_project.project_id - - dynamic "log_config" { - for_each = var.firewall_enable_logging == true ? [{ - metadata = "INCLUDE_ALL_METADATA" - }] : [] - - content { - metadata = log_config.value.metadata - } - } - - source_ranges = concat(data.google_netblock_ip_ranges.health_checkers.cidr_blocks_ipv4, data.google_netblock_ip_ranges.legacy_health_checkers.cidr_blocks_ipv4) - - // Allow common app ports by default. - allow { - protocol = "tcp" - ports = ["80", "8080", "443"] - } - - target_tags = ["allow-lb"] -} diff --git a/4-projects/business_unit_2/production/example_restricted_shared_vpc_project.tf b/4-projects/business_unit_2/production/example_restricted_shared_vpc_project.tf deleted file mode 100644 index 1fbf38db1..000000000 --- a/4-projects/business_unit_2/production/example_restricted_shared_vpc_project.tf +++ /dev/null 
@@ -1,42 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -module "restricted_shared_vpc_project" { - source = "../../modules/single_project" - impersonate_service_account = var.terraform_service_account - org_id = var.org_id - billing_account = var.billing_account - folder_id = data.google_active_folder.env.name - environment = "production" - vpc_type = "restricted" - alert_spent_percents = var.alert_spent_percents - alert_pubsub_topic = var.alert_pubsub_topic - budget_amount = var.budget_amount - project_prefix = var.project_prefix - enable_hub_and_spoke = var.enable_hub_and_spoke - - activate_apis = ["accesscontextmanager.googleapis.com"] - vpc_service_control_attach_enabled = "true" - vpc_service_control_perimeter_name = "accessPolicies/${var.access_context_manager_policy_id}/servicePerimeters/${var.perimeter_name}" - - # Metadata - project_suffix = "sample-restrict" - application_name = "bu2-sample-application" - billing_code = "1234" - primary_contact = "example@example.com" - secondary_contact = "example2@example.com" - business_code = "bu2" -} diff --git a/4-projects/business_unit_2/production/example_storage_cmek.tf b/4-projects/business_unit_2/production/example_storage_cmek.tf deleted file mode 100644 index 1851f403b..000000000 --- a/4-projects/business_unit_2/production/example_storage_cmek.tf +++ /dev/null 
@@ -1,79 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -module "env_secrets_project" { - source = "../../modules/single_project" - impersonate_service_account = var.terraform_service_account - org_id = var.org_id - billing_account = var.billing_account - folder_id = data.google_active_folder.env.name - environment = "production" - alert_spent_percents = var.alert_spent_percents - alert_pubsub_topic = var.alert_pubsub_topic - budget_amount = var.budget_amount - project_suffix = var.secrets_prj_suffix - project_prefix = var.project_prefix - - activate_apis = ["logging.googleapis.com", "secretmanager.googleapis.com", "cloudkms.googleapis.com"] - - # Metadata - application_name = "bu2-sample-application" - billing_code = "1234" - primary_contact = "example@example.com" - secondary_contact = "example2@example.com" - business_code = "bu2" -} - -data "google_storage_project_service_account" "gcs_account" { - project = module.base_shared_vpc_project.project_id -} - -module "kms" { - source = "terraform-google-modules/kms/google" - version = "~> 1.2" - - project_id = module.env_secrets_project.project_id - keyring = var.keyring_name - location = var.location_kms - keys = [var.key_name] - key_rotation_period = var.key_rotation_period - encrypters = ["serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"] - set_encrypters_for = [var.key_name] - decrypters = 
["serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"] - set_decrypters_for = [var.key_name] - prevent_destroy = "false" -} - -resource "random_string" "bucket_name" { - length = 5 - upper = false - number = true - lower = true - special = false -} - -module "gcs_buckets" { - depends_on = [module.kms] - source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket" - version = "~> 1.7" - project_id = module.base_shared_vpc_project.project_id - location = var.location_gcs - name = "${var.gcs_bucket_prefix}-${lower(var.location_gcs)}-${random_string.bucket_name.result}" - bucket_policy_only = true - encryption = { - default_kms_key_name = module.kms.keys[var.key_name] - } -} diff --git a/4-projects/business_unit_2/production/folder.tf b/4-projects/business_unit_2/production/folder.tf deleted file mode 100644 index 17e03ce23..000000000 --- a/4-projects/business_unit_2/production/folder.tf +++ /dev/null @@ -1,20 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -data "google_active_folder" "env" { - display_name = "${var.folder_prefix}-production" - parent = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}" -} diff --git a/4-projects/business_unit_2/production/main.tf b/4-projects/business_unit_2/production/main.tf new file mode 100644 index 000000000..9a38941eb --- /dev/null 
+++ b/4-projects/business_unit_2/production/main.tf
@@ -0,0 +1,35 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+module "env" {
+ source = "../../modules/base_env"
+
+ env = "production"
+ business_code = "bu2"
+ business_unit = "business_unit_2"
+ terraform_service_account = var.terraform_service_account
+ org_id = var.org_id
+ billing_account = var.billing_account
+ access_context_manager_policy_id = var.access_context_manager_policy_id
+ parent_folder = var.parent_folder
+ perimeter_name = var.perimeter_name
+ peering_module_depends_on = var.peering_module_depends_on
+ project_prefix = var.project_prefix
+ folder_prefix = var.folder_prefix
+ enable_hub_and_spoke = var.enable_hub_and_spoke
+ app_infra_pipeline_cloudbuild_sa = var.app_infra_pipeline_cloudbuild_sa
+}
diff --git a/4-projects/business_unit_2/production/outputs.tf b/4-projects/business_unit_2/production/outputs.tf
index 8ac6b5e4f..77681648a 100644
--- a/4-projects/business_unit_2/production/outputs.tf
+++ b/4-projects/business_unit_2/production/outputs.tf
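Review bot: Every resource this environment previously managed at the top level (the `example_*.tf` files deleted in this commit, e.g. `module.base_shared_vpc_project` and `module.kms`) now lives under `module.env`, and the new `main.tf` adds no `moved` blocks, so on an existing state the next plan will replace the projects, KMS keys and the CMEK bucket instead of adopting them. If the repository's Terraform version supports `moved` blocks, add one per relocated address (e.g. from `module.base_shared_vpc_project` to `module.env.module.base_shared_vpc_project`); otherwise document a `terraform state mv` step in the upgrade notes before this is applied to a live environment. The deleted `example_storage_cmek.tf` sets `prevent_destroy = "false"` on the keys, so a missed migration would destroy the key material the bucket's objects are encrypted with. A header comment on `module "env"` stating which module inputs are intentionally left at their defaults (budget, KMS and firewall toggles) would make the reduced input list read as deliberate rather than accidental.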
@@ -16,37 +16,37 @@ output "base_shared_vpc_project" { description = "Project sample base project." - value = module.base_shared_vpc_project.project_id + value = module.env.base_shared_vpc_project } output "base_shared_vpc_project_sa" { description = "Project sample base project SA." - value = module.base_shared_vpc_project.sa + value = module.env.base_shared_vpc_project_sa } output "floating_project" { description = "Project sample floating project." - value = module.floating_project.project_id + value = module.env.floating_project } output "peering_project" { description = "Project sample peering project id." - value = module.peering_project.project_id + value = module.env.peering_project } output "peering_network" { description = "Peer network peering resource." - value = module.peering.peer_network_peering + value = module.env.peering_network } output "restricted_shared_vpc_project" { description = "Project sample restricted project id." - value = module.restricted_shared_vpc_project.project_id + value = module.env.restricted_shared_vpc_project } output "restricted_shared_vpc_project_number" { description = "Project sample restricted project." - value = module.restricted_shared_vpc_project.project_number + value = module.env.restricted_shared_vpc_project_number } output "vpc_service_control_perimeter_name" { @@ -56,7 +56,7 @@ output "vpc_service_control_perimeter_name" { output "restricted_enabled_apis" { description = "Activated APIs." - value = module.restricted_shared_vpc_project.enabled_apis + value = module.env.restricted_enabled_apis } output "access_context_manager_policy_id" { 
@@ -66,25 +66,25 @@ output "access_context_manager_policy_id" { output "peering_complete" { description = "Output to be used as a module dependency." - value = module.peering.complete + value = module.env.peering_complete } output "env_secrets_project" { description = "Project sample peering project id." - value = module.env_secrets_project.project_id + value = module.env.env_secrets_project } output "keyring" { description = "The name of the keyring." - value = module.kms.keyring + value = module.env.keyring } output "keys" { description = "List of created key names." - value = keys(module.kms.keys) + value = module.env.keys } output "bucket" { description = "The created storage bucket" - value = module.gcs_buckets.bucket + value = module.env.bucket } diff --git a/4-projects/business_unit_2/production/variables.tf b/4-projects/business_unit_2/production/variables.tf index ff7aaf165..be54660c8 100644 --- a/4-projects/business_unit_2/production/variables.tf +++ b/4-projects/business_unit_2/production/variables.tf @@ -35,7 +35,7 @@ variable "access_context_manager_policy_id" { } variable "parent_folder" { - description = "Optional - if using a folder for testing." + description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step." type = string default = "" } 
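Review bot: The `env_secrets_project` output keeps the description `Project sample peering project id.` (a context line in this hunk), which is wrong for the secrets project and is copied verbatim into the new `modules/base_env/README.md` added by this commit. Since the commit already rewrites this output's `value`, it is the natural place to change the line to `description = "Project sample secrets project id."` so the generated documentation stops mislabelling the project that holds the KMS keyring.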
@@ -51,50 +51,14 @@ variable "peering_module_depends_on" { default = [] } -variable "firewall_enable_logging" { - type = bool - description = "Toggle firewall logging for VPC Firewalls." - default = true -} - -variable "optional_fw_rules_enabled" { - type = bool - description = "Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges." - default = false -} - -variable "windows_activation_enabled" { - type = bool - description = "Enable Windows license activation for Windows workloads." - default = false -} - -variable "alert_spent_percents" { - description = "A list of percentages of the budget to alert on when threshold is exceeded" - type = list(number) - default = [0.5, 0.75, 0.9, 0.95] -} - -variable "alert_pubsub_topic" { - description = "The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`" - type = string - default = null -} - -variable "budget_amount" { - description = "The amount to use as the budget" - type = number - default = 1000 -} - variable "project_prefix" { - description = "Name prefix to use for projects created." + description = "Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters." type = string default = "prj" } variable "folder_prefix" { - description = "Name prefix to use for folders created." + description = "Name prefix to use for folders created. Should be the same in all steps." type = string default = "fldr" } 
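Review bot: The removed `firewall_enable_logging`, `optional_fw_rules_enabled` and `windows_activation_enabled` variables are not forwarded by the new `module "env"` call in `main.tf`, so the module defaults now apply unconditionally and any value an operator had set for them in a tfvars file is dropped (Terraform reports undeclared tfvars values as a warning, not an error). The effect is one-way: IAP SSH/RDP, load-balancer and Windows-activation rules that were enabled will be destroyed on the next apply and firewall logging is forced on, which is the safe direction but should be called out in the upgrade notes or avoided by passing the three variables through in `main.tf`. The same applies to the budget variables removed in this hunk and the KMS variables removed in the next one.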
@@ -109,45 +73,3 @@ variable "app_infra_pipeline_cloudbuild_sa" { description = "Cloud Build SA used for deploying infrastructure" type = string } - -variable "secrets_prj_suffix" { - description = "Name suffix to use for secrets project created." - type = string - default = "env-secrets" -} - -variable "location_kms" { - description = "Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket)" - type = string - default = "us" -} - -variable "location_gcs" { - description = "Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring)" - type = string - default = "US" -} - -variable "keyring_name" { - description = "Name to be used for KMS Keyring" - type = string - default = "sample-keyring" -} - -variable "key_name" { - description = "Name to be used for KMS Key" - type = string - default = "crypto-key-example" -} - -variable "key_rotation_period" { - description = "Rotation period in seconds to be used for KMS Key" - type = string - default = "7776000s" -} - -variable "gcs_bucket_prefix" { - description = "Name prefix to be used for GCS Bucket" - type = string - default = "cmek-encrypted-bucket" -} diff --git a/4-projects/modules/base_env/README.md b/4-projects/modules/base_env/README.md new file mode 100644 index 000000000..bbb5390f4 --- /dev/null +++ b/4-projects/modules/base_env/README.md 
@@ -0,0 +1,52 @@ + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| access\_context\_manager\_policy\_id | The ID of the access context manager policy the perimeter lies in. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `string` | n/a | yes | +| alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` | `string` | `null` | no | +| alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded | `list(number)` |
[
0.5,
0.75,
0.9,
0.95
]
| no | +| app\_infra\_pipeline\_cloudbuild\_sa | Cloud Build SA used for deploying infrastructure | `string` | n/a | yes | +| billing\_account | The ID of the billing account to associated this project with | `string` | n/a | yes | +| budget\_amount | The amount to use as the budget | `number` | `1000` | no | +| business\_code | The business code (ex. bu1). | `string` | n/a | yes | +| business\_unit | The business (ex. business\_unit\_1). | `string` | n/a | yes | +| enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no | +| env | The environment to prepare (ex. development). | `string` | n/a | yes | +| firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no | +| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | +| gcs\_bucket\_prefix | Name prefix to be used for GCS Bucket | `string` | `"cmek-encrypted-bucket"` | no | +| key\_name | Name to be used for KMS Key | `string` | `"crypto-key-example"` | no | +| key\_rotation\_period | Rotation period in seconds to be used for KMS Key | `string` | `"7776000s"` | no | +| keyring\_name | Name to be used for KMS Keyring | `string` | `"sample-keyring"` | no | +| location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `"US"` | no | +| location\_kms | Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket) | `string` | `"us"` | no | +| optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | `bool` | `false` | no | +| org\_id | The organization id for the associated services | `string` | n/a | yes | +| parent\_folder | Optional - for an organization with existing projects or for development/validation. 
It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no | +| peering\_module\_depends\_on | List of modules or resources peering module depends on. | `list(any)` | `[]` | no | +| perimeter\_name | Access context manager service perimeter name to attach the restricted svpc project. | `string` | n/a | yes | +| project\_prefix | Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters. | `string` | `"prj"` | no | +| secrets\_prj\_suffix | Name suffix to use for secrets project created. | `string` | `"env-secrets"` | no | +| terraform\_service\_account | Service account email of the account to impersonate to run Terraform | `string` | n/a | yes | +| windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| base\_shared\_vpc\_project | Project sample base project. | +| base\_shared\_vpc\_project\_sa | Project sample base project SA. | +| bucket | The created storage bucket | +| env\_secrets\_project | Project sample peering project id. | +| floating\_project | Project sample floating project. | +| keyring | The name of the keyring. | +| keys | List of created key names. | +| peering\_complete | Output to be used as a module dependency. | +| peering\_network | Peer network peering resource. | +| peering\_project | Project sample peering project id. | +| restricted\_enabled\_apis | Activated APIs. | +| restricted\_shared\_vpc\_project | Project sample restricted project id. | +| restricted\_shared\_vpc\_project\_number | Project sample restricted project. | + + 
diff --git a/4-projects/business_unit_1/development/example_base_shared_vpc_project.tf b/4-projects/modules/base_env/example_base_shared_vpc_project.tf similarity index 88% rename from 4-projects/business_unit_1/development/example_base_shared_vpc_project.tf rename to 4-projects/modules/base_env/example_base_shared_vpc_project.tf index 019080edc..9e67f6abd 100644 --- a/4-projects/business_unit_1/development/example_base_shared_vpc_project.tf +++ b/4-projects/modules/base_env/example_base_shared_vpc_project.tf @@ -15,12 +15,12 @@ */ module "base_shared_vpc_project" { - source = "../../modules/single_project" + source = "../single_project" impersonate_service_account = var.terraform_service_account org_id = var.org_id billing_account = var.billing_account folder_id = data.google_active_folder.env.name - environment = "development" + environment = var.env vpc_type = "base" alert_spent_percents = var.alert_spent_percents alert_pubsub_topic = var.alert_pubsub_topic @@ -37,10 +37,10 @@ module "base_shared_vpc_project" { # Metadata project_suffix = "sample-base" - application_name = "bu1-sample-application" + application_name = "${var.business_code}-sample-application" billing_code = "1234" primary_contact = "example@example.com" secondary_contact = "example2@example.com" - business_code = "bu1" + business_code = var.business_code } diff --git a/4-projects/business_unit_1/production/example_floating_project.tf b/4-projects/modules/base_env/example_floating_project.tf similarity index 86% rename from 4-projects/business_unit_1/production/example_floating_project.tf rename to 4-projects/modules/base_env/example_floating_project.tf index c16a742e1..3a7f65d82 100644 --- a/4-projects/business_unit_1/production/example_floating_project.tf +++ b/4-projects/modules/base_env/example_floating_project.tf 
@@ -15,12 +15,12 @@ */ module "floating_project" { - source = "../../modules/single_project" + source = "../single_project" impersonate_service_account = var.terraform_service_account org_id = var.org_id billing_account = var.billing_account folder_id = data.google_active_folder.env.name - environment = "production" + environment = var.env alert_spent_percents = var.alert_spent_percents alert_pubsub_topic = var.alert_pubsub_topic budget_amount = var.budget_amount @@ -28,9 +28,9 @@ module "floating_project" { # Metadata project_suffix = "sample-floating" - application_name = "bu1-sample-application" + application_name = "${var.business_code}-sample-application" billing_code = "1234" primary_contact = "example@example.com" secondary_contact = "example2@example.com" - business_code = "bu1" + business_code = var.business_code } diff --git a/4-projects/business_unit_1/non-production/example_peering_project.tf b/4-projects/modules/base_env/example_peering_project.tf similarity index 86% rename from 4-projects/business_unit_1/non-production/example_peering_project.tf rename to 4-projects/modules/base_env/example_peering_project.tf index 1e4d1bfc0..b31aba2fe 100644 --- a/4-projects/business_unit_1/non-production/example_peering_project.tf +++ b/4-projects/modules/base_env/example_peering_project.tf 
@@ -16,14 +16,15 @@ locals { shared_vpc_mode = var.enable_hub_and_spoke ? "-spoke" : "" + env_code = substr(var.env, 0, 1) } data "google_projects" "projects" { - filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=base-shared-vpc-host labels.environment=non-production lifecycleState=ACTIVE" + filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=base-shared-vpc-host labels.environment=${var.env} lifecycleState=ACTIVE" } data "google_compute_network" "shared_vpc" { - name = "vpc-n-shared-base${local.shared_vpc_mode}" + name = "vpc-${local.env_code}-shared-base${local.shared_vpc_mode}" project = data.google_projects.projects.projects[0].project_id } @@ -40,28 +41,28 @@ data "google_netblock_ip_ranges" "iap_forwarders" { } module "peering_project" { - source = "../../modules/single_project" + source = "../single_project" impersonate_service_account = var.terraform_service_account org_id = var.org_id billing_account = var.billing_account folder_id = data.google_active_folder.env.name - environment = "non-production" + environment = var.env project_prefix = var.project_prefix # Metadata project_suffix = "sample-peering" - application_name = "bu1-sample-peering" + application_name = "${var.business_code}-sample-peering" billing_code = "1234" primary_contact = "example@example.com" secondary_contact = "example2@example.com" - business_code = "bu1" + business_code = var.business_code } module "peering_network" { source = "terraform-google-modules/network/google" version = "~> 3.0" project_id = module.peering_project.project_id - network_name = "vpc-n-peering-base" + network_name = "vpc-${local.env_code}-peering-base" shared_vpc_host = "false" delete_default_internet_gateway_routes = "true" subnets = [] 
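Review bot: `env_code = substr(var.env, 0, 1)` and the `labels.environment=${var.env}` filter accept any `var.env` value, and a misspelt environment surfaces only as an index error on `projects[0]` or as a lookup of a `vpc-<env_code>-shared-base` network that does not exist. Add a `validation` block to `variable "env"` in the module's `variables.tf` (not part of this hunk) with `condition = contains(["development", "non-production", "production"], var.env)` and a matching `error_message`, so the one-letter code and the label filter are only ever derived from the three values the rest of the foundation uses. A short comment on `env_code` noting that it must match the prefix of the shared VPC host network names created in the earlier step would help the next maintainer.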
@@ -70,19 +71,18 @@ module "peering_network" { module "peering" { source = "terraform-google-modules/network/google//modules/network-peering" version = "~> 3.0" - prefix = "bu1-n" + prefix = "${var.business_code}-${local.env_code}" local_network = module.peering_network.network_self_link peer_network = data.google_compute_network.shared_vpc.self_link module_depends_on = var.peering_module_depends_on } - /****************************************** Mandatory firewall rules *****************************************/ resource "google_compute_firewall" "deny_all_egress" { - name = "fw-n-peering-base-65535-e-n-all-all-tcp-udp" + name = "fw-${local.env_code}-peering-base-65535-e-d-all-all-tcp-udp" network = module.peering_network.network_name project = module.peering_project.project_id direction = "EGRESS" @@ -111,7 +111,7 @@ resource "google_compute_firewall" "deny_all_egress" { resource "google_compute_firewall" "allow_private_api_egress" { - name = "fw-n-peering-base-65534-e-a-allow-google-apis-all-tcp-443" + name = "fw-${local.env_code}-peering-base-65534-e-a-allow-google-apis-all-tcp-443" network = module.peering_network.network_name project = module.peering_project.project_id direction = "EGRESS" @@ -145,7 +145,7 @@ resource "google_compute_firewall" "allow_private_api_egress" { // Allow SSH via IAP when using the allow-iap-ssh tag for Linux workloads. resource "google_compute_firewall" "allow_iap_ssh" { count = var.optional_fw_rules_enabled ? 1 : 0 - name = "fw-n-peering-base-1000-i-a-all-allow-iap-ssh-tcp-22" + name = "fw-${local.env_code}-peering-base-1000-i-a-all-allow-iap-ssh-tcp-22" network = module.peering_network.network_name project = module.peering_project.project_id 
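Review bot: The deny-all-egress rule name changes its second token from the environment letter (`e-n` here, `e-p` in the deleted production copy) to `e-d`, presumably "deny" to mirror the `e-a` of the allow rules; this is a change to the naming scheme that the commit message should state, and because `name` forces replacement the old rule is destroyed before the new one exists, leaving the peering network with the implied allow-all egress for that window. Add `lifecycle { create_before_destroy = true }` to `google_compute_firewall.deny_all_egress` so the replacement is created under the new name first. The resource block continues past the end of this hunk, and the same rename pattern is applied to the remaining rules in the following hunks (`allow_private_api_egress` onward), where only the environment prefix changes.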
@@ -173,7 +173,7 @@ resource "google_compute_firewall" "allow_iap_ssh" { // Allow RDP via IAP when using the allow-iap-rdp tag for Windows workloads. resource "google_compute_firewall" "allow_iap_rdp" { count = var.optional_fw_rules_enabled ? 1 : 0 - name = "fw-n-peering-base-1000-i-a-all-allow-iap-rdp-tcp-3389" + name = "fw-${local.env_code}-peering-base-1000-i-a-all-allow-iap-rdp-tcp-3389" network = module.peering_network.network_name project = module.peering_project.project_id @@ -201,7 +201,7 @@ resource "google_compute_firewall" "allow_iap_rdp" { // Allow access to kms.windows.googlecloud.com for Windows license activation resource "google_compute_firewall" "allow_windows_activation" { count = var.windows_activation_enabled ? 1 : 0 - name = "fw-n-peering-base-0-e-a-allow-win-activation-all-tcp-1688" + name = "fw-${local.env_code}-peering-base-0-e-a-allow-win-activation-all-tcp-1688" network = module.peering_network.network_name project = module.peering_project.project_id direction = "EGRESS" @@ -230,7 +230,7 @@ resource "google_compute_firewall" "allow_windows_activation" { // Allow traffic for Internal & Global load balancing health check and load balancing IP ranges. resource "google_compute_firewall" "allow_lb" { count = var.optional_fw_rules_enabled ? 1 : 0 - name = "fw-n-peering-base-1000-i-a-all-allow-lb-tcp-80-8080-443" + name = "fw-${local.env_code}-peering-base-1000-i-a-all-allow-lb-tcp-80-8080-443" network = module.peering_network.network_name project = module.peering_project.project_id @@ -254,4 +254,3 @@ resource "google_compute_firewall" "allow_lb" { target_tags = ["allow-lb"] } - 
diff --git a/4-projects/business_unit_2/development/example_restricted_shared_vpc_project.tf b/4-projects/modules/base_env/example_restricted_shared_vpc_project.tf
similarity index 89%
rename from 4-projects/business_unit_2/development/example_restricted_shared_vpc_project.tf
rename to 4-projects/modules/base_env/example_restricted_shared_vpc_project.tf
index b59ff4ee8..636672955 100644
--- a/4-projects/business_unit_2/development/example_restricted_shared_vpc_project.tf
+++ b/4-projects/modules/base_env/example_restricted_shared_vpc_project.tf
@@ -15,12 +15,12 @@
  */
 
 module "restricted_shared_vpc_project" {
-  source = "../../modules/single_project"
+  source = "../single_project"
   impersonate_service_account = var.terraform_service_account
   org_id = var.org_id
   billing_account = var.billing_account
   folder_id = data.google_active_folder.env.name
-  environment = "development"
+  environment = var.env
   vpc_type = "restricted"
   alert_spent_percents = var.alert_spent_percents
   alert_pubsub_topic = var.alert_pubsub_topic
@@ -34,9 +34,9 @@ module "restricted_shared_vpc_project" {
 
   # Metadata
   project_suffix = "sample-restrict"
-  application_name = "bu2-sample-application"
+  application_name = "${var.business_code}-sample-application"
   billing_code = "1234"
   primary_contact = "example@example.com"
   secondary_contact = "example2@example.com"
-  business_code = "bu2"
+  business_code = var.business_code
 }
diff --git a/4-projects/business_unit_1/non-production/example_storage_cmek.tf b/4-projects/modules/base_env/example_storage_cmek.tf
similarity index 93%
rename from 4-projects/business_unit_1/non-production/example_storage_cmek.tf
rename to 4-projects/modules/base_env/example_storage_cmek.tf
index 7ce0c5298..83b3217c0 100644
--- a/4-projects/business_unit_1/non-production/example_storage_cmek.tf
+++ b/4-projects/modules/base_env/example_storage_cmek.tf
@@ -15,12 +15,12 @@
  */
 
 module "env_secrets_project" {
-  source = "../../modules/single_project"
+  source = "../single_project"
   impersonate_service_account = var.terraform_service_account
   org_id = var.org_id
   billing_account = var.billing_account
   folder_id = data.google_active_folder.env.name
-  environment = "non-production"
+  environment = var.env
   alert_spent_percents = var.alert_spent_percents
   alert_pubsub_topic = var.alert_pubsub_topic
   budget_amount = var.budget_amount
@@ -30,11 +30,11 @@ module "env_secrets_project" {
   activate_apis = ["logging.googleapis.com", "secretmanager.googleapis.com", "cloudkms.googleapis.com"]
 
   # Metadata
-  application_name = "bu1-sample-application"
+  application_name = "${var.business_code}-sample-application"
   billing_code = "1234"
   primary_contact = "example@example.com"
   secondary_contact = "example2@example.com"
-  business_code = "bu1"
+  business_code = var.business_code
 }
 
 data "google_storage_project_service_account" "gcs_account" {
diff --git a/4-projects/business_unit_1/production/folder.tf b/4-projects/modules/base_env/folder.tf
similarity index 93%
rename from 4-projects/business_unit_1/production/folder.tf
rename to 4-projects/modules/base_env/folder.tf
index 2f142d797..2b81adfe8 100644
--- a/4-projects/business_unit_1/production/folder.tf
+++ b/4-projects/modules/base_env/folder.tf
@@ -15,7 +15,7 @@
  */
 
 data "google_active_folder" "env" {
-  display_name = "${var.folder_prefix}-production"
+  display_name = "${var.folder_prefix}-${var.env}"
   parent = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}"
 }
 
diff --git a/4-projects/modules/base_env/outputs.tf b/4-projects/modules/base_env/outputs.tf
new file mode 100644
index 000000000..52a1786b6
--- /dev/null
+++ b/4-projects/modules/base_env/outputs.tf
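Review bot: `application_name = "${var.business_code}-sample-application"` gives the secrets project the same `application_name` label as `module "restricted_shared_vpc_project"` in example_restricted_shared_vpc_project.tf, so the label no longer distinguishes the two projects of one business unit. This step locates projects by a `google_projects` filter on `labels.application_name` (the shared-VPC host lookup in this same module), so an ambiguous label is a lookup hazard for anyone reusing that pattern. A distinct value such as `application_name = "${var.business_code}-env-secrets"` (aligned with `var.secrets_prj_suffix`) would fix it; whether relabelling an existing project is an in-place update should be confirmed against the single_project module, which is not visible here. The enclosing `module "env_secrets_project"` block starts in the previous hunk.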
@@ -0,0 +1,80 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "base_shared_vpc_project" {
+  description = "Project sample base project."
+  value = module.base_shared_vpc_project.project_id
+}
+
+output "base_shared_vpc_project_sa" {
+  description = "Project sample base project SA."
+  value = module.base_shared_vpc_project.sa
+}
+
+output "floating_project" {
+  description = "Project sample floating project."
+  value = module.floating_project.project_id
+}
+
+output "peering_project" {
+  description = "Project sample peering project id."
+  value = module.peering_project.project_id
+}
+
+output "peering_network" {
+  description = "Peer network peering resource."
+  value = module.peering.peer_network_peering
+}
+
+output "restricted_shared_vpc_project" {
+  description = "Project sample restricted project id."
+  value = module.restricted_shared_vpc_project.project_id
+}
+
+output "restricted_shared_vpc_project_number" {
+  description = "Project sample restricted project."
+  value = module.restricted_shared_vpc_project.project_number
+}
+
+output "restricted_enabled_apis" {
+  description = "Activated APIs."
+  value = module.restricted_shared_vpc_project.enabled_apis
+}
+
+output "peering_complete" {
+  description = "Output to be used as a module dependency."
+  value = module.peering.complete
+}
+
+output "env_secrets_project" {
+  description = "Project sample peering project id."
+  value = module.env_secrets_project.project_id
+}
+
+output "keyring" {
+  description = "The name of the keyring."
+  value = module.kms.keyring
+}
+
+output "keys" {
+  description = "List of created key names."
+  value = keys(module.kms.keys)
+}
+
+output "bucket" {
+  description = "The created storage bucket"
+  value = module.gcs_buckets.bucket
+}
diff --git a/4-projects/modules/base_env/variables.tf b/4-projects/modules/base_env/variables.tf
new file mode 100644
index 000000000..f42ed0d68
--- /dev/null
+++ b/4-projects/modules/base_env/variables.tf
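Review bot: The description of `output "env_secrets_project"` reads "Project sample peering project id." — copied from `output "peering_project"` — and should be `description = "Project sample env secrets project id."`. `restricted_shared_vpc_project_number` is likewise described as "Project sample restricted project." although it exposes the project number, so `description = "Project sample restricted project number."` is the accurate wording. These strings are the module's documented interface and are what consumers see in `terraform output`, so they are worth getting right in a file that is new in this commit.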
@@ -0,0 +1,168 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "business_code" {
+  description = "The business code (ex. bu1)."
+  type = string
+}
+
+variable "business_unit" {
+  description = "The business (ex. business_unit_1)."
+  type = string
+}
+
+variable "env" {
+  description = "The environment to prepare (ex. development)."
+  type = string
+}
+
+variable "terraform_service_account" {
+  description = "Service account email of the account to impersonate to run Terraform"
+  type = string
+}
+
+variable "org_id" {
+  description = "The organization id for the associated services"
+  type = string
+}
+
+variable "billing_account" {
+  description = "The ID of the billing account to associated this project with"
+  type = string
+}
+
+variable "access_context_manager_policy_id" {
+  type = string
+  description = "The ID of the access context manager policy the perimeter lies in. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format=\"value(name)\"`."
+}
+
+variable "parent_folder" {
+  description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step."
+  type = string
+  default = ""
+}
+
+variable "perimeter_name" {
+  description = "Access context manager service perimeter name to attach the restricted svpc project."
+  type = string
+}
+
+variable "peering_module_depends_on" {
+  description = "List of modules or resources peering module depends on."
+  type = list(any)
+  default = []
+}
+
+variable "firewall_enable_logging" {
+  type = bool
+  description = "Toggle firewall logging for VPC Firewalls."
+  default = true
+}
+
+variable "optional_fw_rules_enabled" {
+  type = bool
+  description = "Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges."
+  default = false
+}
+
+variable "windows_activation_enabled" {
+  type = bool
+  description = "Enable Windows license activation for Windows workloads."
+  default = false
+}
+
+variable "alert_spent_percents" {
+  description = "A list of percentages of the budget to alert on when threshold is exceeded"
+  type = list(number)
+  default = [0.5, 0.75, 0.9, 0.95]
+}
+
+variable "alert_pubsub_topic" {
+  description = "The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`"
+  type = string
+  default = null
+}
+
+variable "budget_amount" {
+  description = "The amount to use as the budget"
+  type = number
+  default = 1000
+}
+
+variable "project_prefix" {
+  description = "Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters."
+  type = string
+  default = "prj"
+}
+
+variable "folder_prefix" {
+  description = "Name prefix to use for folders created. Should be the same in all steps."
+  type = string
+  default = "fldr"
+}
+
+variable "enable_hub_and_spoke" {
+  description = "Enable Hub-and-Spoke architecture."
+  type = bool
+  default = false
+}
+
+variable "app_infra_pipeline_cloudbuild_sa" {
+  description = "Cloud Build SA used for deploying infrastructure"
+  type = string
+}
+
+variable "secrets_prj_suffix" {
+  description = "Name suffix to use for secrets project created."
+  type = string
+  default = "env-secrets"
+}
+
+variable "location_kms" {
+  description = "Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket)"
+  type = string
+  default = "us"
+}
+
+variable "location_gcs" {
+  description = "Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring)"
+  type = string
+  default = "US"
+}
+
+variable "keyring_name" {
+  description = "Name to be used for KMS Keyring"
+  type = string
+  default = "sample-keyring"
+}
+
+variable "key_name" {
+  description = "Name to be used for KMS Key"
+  type = string
+  default = "crypto-key-example"
+}
+
+variable "key_rotation_period" {
+  description = "Rotation period in seconds to be used for KMS Key"
+  type = string
+  default = "7776000s"
+}
+
+variable "gcs_bucket_prefix" {
+  description = "Name prefix to be used for GCS Bucket"
+  type = string
+  default = "cmek-encrypted-bucket"
+}
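Review bot: `variable "env"` accepts any string, yet this module derives `local.env_code = substr(var.env, 0, 1)` from it for every VPC and firewall-rule name, interpolates it into the `google_projects` label filter and into the folder `display_name` lookup; the three values the commit replaces ("development", "non-production", "production") are the only ones that give distinct one-letter codes, so a typo or an unexpected environment name silently produces colliding resource names or a wrong folder/host-project match. A `validation` block pins the contract at the module boundary (it needs Terraform 0.13+, which the repo's pinned version should be checked against). The same applies to `project_prefix`, whose description promises "Max size is 3 characters" but enforces nothing — `condition = length(var.project_prefix) <= 3` would do. `business_unit` is declared but not referenced in any hunk visible in this patch; if only the wrapper uses it, a one-line comment saying so would help.
```hcl
variable "env" {
  description = "The environment to prepare (ex. development)."
  type        = string

  validation {
    condition     = contains(["development", "non-production", "production"], var.env)
    error_message = "env must be one of: development, non-production, production."
  }
}
```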