FAST: Cleanup/harmonization of Simple and NVA net stages (#2287)

Cleanup/harmonization of Simple and NVA net stages
GoogleCloudPlatform · May 16, 2024 · 21f3b73 · 21f3b73
1 parent 887c7e7
commit 21f3b73
Show file tree

Hide file tree

Showing 26 changed files with 209 additions and 301 deletions.
diff --git a/fast/stages/2-networking-a-simple/README.md b/fast/stages/2-networking-a-simple/README.md
@@ -465,7 +465,8 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 | [cloud_dns_inbound_policy](outputs.tf#L87) | IP Addresses for Cloud DNS inbound policy. |  |  |
 | [host_project_ids](outputs.tf#L92) | Network project ids. |  |  |
 | [host_project_numbers](outputs.tf#L97) | Network project numbers. |  |  |
-| [shared_vpc_self_links](outputs.tf#L102) | Shared VPC host projects. |  |  |
-| [tfvars](outputs.tf#L107) | Terraform variables file for the following stages. | ✓ |  |
-| [vpn_gateway_endpoints](outputs.tf#L113) | External IP Addresses for the GCP VPN gateways. |  |  |
+| [ping_commands](outputs.tf#L102) | Ping commands for test instances to be run to check VPC reachability. |  |  |
+| [shared_vpc_self_links](outputs.tf#L107) | Shared VPC host projects. |  |  |
+| [tfvars](outputs.tf#L112) | Terraform variables file for the following stages. | ✓ |  |
+| [vpn_gateway_endpoints](outputs.tf#L118) | External IP Addresses for the GCP VPN gateways. |  |  |
 <!-- END TFDOC -->
diff --git a/fast/stages/2-networking-a-simple/data/firewall-rules/landing/default-ingress.yaml b/fast/stages/2-networking-a-simple/data/firewall-rules/landing/default-ingress.yaml
@@ -1,7 +1,7 @@
 # skip boilerplate check
 
 ingress:
-  ingress-default-deny:
+  ingress-default-landing-deny:
     description: "Deny and log any unmatched ingress traffic."
     deny: true
     priority: 65535

diff --git a/fast/stages/2-networking-a-simple/data/firewall-rules/landing/rules.yaml b/fast/stages/2-networking-a-simple/data/firewall-rules/landing/rules.yaml
@@ -4,7 +4,7 @@
 # You can retain `---` (start of the document) to indicate an empty document.
 
 ingress:
-  allow-onprem-probes-example:
+  allow-onprem-probes-landing-example:
     description: "Allow traffic from onprem probes"
     source_ranges:
       - onprem_probes

diff --git a/fast/stages/2-networking-a-simple/data/subnets/dev/dev-default-ew1.yaml b/fast/stages/2-networking-a-simple/data/subnets/dev/dev-default-ew1.yaml
@@ -3,4 +3,4 @@
 name: dev-default
 region: europe-west1
 ip_cidr_range: 10.68.0.0/24
-description: Default subnet for dev
+description: Default europe-west1 subnet for dev
diff --git a/fast/stages/2-networking-a-simple/data/subnets/landing/landing-default-ew1.yaml b/fast/stages/2-networking-a-simple/data/subnets/landing/landing-default-ew1.yaml
@@ -3,4 +3,4 @@
 name: landing-default
 region: europe-west1
 ip_cidr_range: 10.64.0.0/24
-description: Default subnet for landing
+description: Default europe-west1 subnet for landing
diff --git a/fast/stages/2-networking-a-simple/data/subnets/prod/prod-default-ew1.yaml b/fast/stages/2-networking-a-simple/data/subnets/prod/prod-default-ew1.yaml
@@ -3,4 +3,4 @@
 name: prod-default
 region: europe-west1
 ip_cidr_range: 10.72.0.0/24
-description: Default subnet for prod
+description: Default europe-west1 subnet for prod
diff --git a/fast/stages/2-networking-a-simple/net-dev.tf b/fast/stages/2-networking-a-simple/net-dev.tf
@@ -89,6 +89,15 @@ module "dev-spoke-vpc" {
     private    = true
     restricted = true
   }
+  delete_default_routes_on_create = true
+  routes = {
+    default = {
+      dest_range    = "0.0.0.0/0"
+      next_hop      = "default-internet-gateway"
+      next_hop_type = "gateway"
+      priority      = 1000
+    }
+  }
 }
 
 module "dev-spoke-firewall" {

diff --git a/fast/stages/2-networking-a-simple/net-landing.tf b/fast/stages/2-networking-a-simple/net-landing.tf
@@ -51,14 +51,18 @@ module "landing-vpc" {
     inbound = true
     logging = var.dns.enable_logging
   }
-  # set explicit routes for googleapis in case the default route is deleted
-  create_googleapis_routes = {
-    private    = true
-    restricted = true
-  }
   factories_config = {
     subnets_folder = "${var.factories_config.data_dir}/subnets/landing"
   }
+  delete_default_routes_on_create = true
+  routes = {
+    default = {
+      dest_range    = "0.0.0.0/0"
+      next_hop      = "default-internet-gateway"
+      next_hop_type = "gateway"
+      priority      = 1000
+    }
+  }
 }
 
 module "landing-firewall" {

diff --git a/fast/stages/2-networking-a-simple/net-prod.tf b/fast/stages/2-networking-a-simple/net-prod.tf
@@ -81,11 +81,15 @@ module "prod-spoke-vpc" {
   factories_config = {
     subnets_folder = "${var.factories_config.data_dir}/subnets/prod"
   }
-  psa_configs = var.psa_ranges.prod
-  # set explicit routes for googleapis in case the default route is deleted
-  create_googleapis_routes = {
-    private    = true
-    restricted = true
+  psa_configs                     = var.psa_ranges.prod
+  delete_default_routes_on_create = true
+  routes = {
+    default = {
+      dest_range    = "0.0.0.0/0"
+      next_hop      = "default-internet-gateway"
+      next_hop_type = "gateway"
+      priority      = 1000
+    }
   }
 }
 

diff --git a/fast/stages/2-networking-a-simple/outputs.tf b/fast/stages/2-networking-a-simple/outputs.tf
@@ -99,6 +99,11 @@ output "host_project_numbers" {
   value       = local.host_project_numbers
 }
 
+output "ping_commands" {
+  description = "Ping commands for test instances to be run to check VPC reachability."
+  value       = var.create_test_instances ? join("\n", [for instance, _ in local.test-vms : "ping -c 1 ${module.test-vms[instance].internal_ip} # ${instance}"]) : ""
+}
+
 output "shared_vpc_self_links" {
   description = "Shared VPC host projects."
   value       = local.vpc_self_links

diff --git a/fast/stages/2-networking-a-simple/test-resources.tf b/fast/stages/2-networking-a-simple/test-resources.tf
@@ -18,21 +18,21 @@
 
 locals {
   test-vms = {
-    dev = {
+    dev-spoke-primary = {
       region     = var.regions.primary
       project_id = module.dev-spoke-project.project_id
       zone       = "b"
       network    = module.dev-spoke-vpc.self_link
       subnetwork = module.dev-spoke-vpc.subnet_self_links["${var.regions.primary}/dev-default"]
     }
-    landing = {
+    landing-primary = {
       region     = var.regions.primary
       project_id = module.landing-project.project_id
       zone       = "b"
       network    = module.landing-vpc.self_link
       subnetwork = module.landing-vpc.subnet_self_links["${var.regions.primary}/landing-default"]
     }
-    prod = {
+    prod-spoke-primary = {
       region     = var.regions.primary
       project_id = module.prod-spoke-project.project_id
       zone       = "b"
@@ -72,8 +72,3 @@ module "test-vms" {
     EOF
   }
 }
-
-output "ping_commands" {
-  description = "Ping commands that can be run to check VPC reachability."
-  value       = var.create_test_instances ? join("\n", [for instance, _ in local.test-vms : "ping -c 1 ${module.test-vms[instance].internal_ip} # ${instance}"]) : ""
-}