From 532f1ecfc4393ec2247736a9b555e450c3769131 Mon Sep 17 00:00:00 2001 
From: Simone Ruffilli Date: Tue, 28 May 2024 17:27:28 +0200 Subject: [PATCH] Merge FAST C and E network stages into a new B stage. (#2309) Merge FAST C and E network stages into a new B stage. --- fast/stages/2-networking-a-simple/README.md | 2 +- .../README.md | 224 +- .../data/bgp-config.tftpl | 0 .../data/cidrs.yaml | 0 .../data/dashboards/firewall_insights.json | 0 .../vpc_and_vpc_peering_group_quotas.json | 0 .../data/dashboards/vpn.json | 0 .../data/dns-policy-rules.yaml | 0 .../firewall-rules/dev/default-ingress.yaml | 0 .../data/firewall-rules/dev/rules.yaml | 0 .../data/firewall-rules/dmz/bgp.yaml | 23 + .../firewall-rules/dmz/default-ingress.yaml | 0 .../data/firewall-rules/dmz/rules.yaml | 0 .../data/firewall-rules/landing/bgp.yaml | 15 + .../landing/default-ingress.yaml | 0 .../data/firewall-rules/landing/rules.yaml | 0 .../firewall-rules/prod/default-ingress.yaml | 0 .../data/hierarchical-ingress-rules.yaml | 0 .../subnets/dev/dev-dataplatform-ew1.yaml | 0 .../data/subnets/dev/dev-default-ew1.yaml | 0 .../data/subnets/dev/dev-default-ew4.yaml | 0 .../data/subnets/dev/dev-gke-nodes-ew1.yaml | 0 .../data/subnets/dmz/dmz-default-ew1.yaml} | 0 .../data/subnets/dmz/dmz-default-ew4.yaml} | 0 .../subnets/landing/landing-default-ew1.yaml | 0 .../subnets/landing/landing-default-ew4.yaml | 0 .../data/subnets/prod/prod-default-ew1.yaml | 0 .../data/subnets/prod/prod-default-ew4.yaml | 0 .../diagram-ncc.png} | Bin .../diagram-ncc.svg} | 0 .../diagram-simple.png} | Bin .../diagram-simple.svg} | 0 .../dns-dev.tf | 0 .../dns-landing.tf | 0 .../dns-prod.tf | 0 .../main.tf | 1 + .../monitoring-vpn-onprem.tf | 0 .../monitoring.tf | 0 .../net-dev.tf | 2 +- .../net-landing.tf | 0 .../net-prod.tf | 2 +- .../nva-bgp-ncc.tf} | 47 +- .../nva.tf => 2-networking-b-nva/nva-bgp.tf} | 46 +- .../nva-simple.tf} | 38 +- .../outputs.tf | 7 + .../regions.tf | 0 .../test-resources.tf | 0 .../variables-fast.tf | 0 .../variables.tf | 30 +- .../vpn-onprem.tf | 0 
fast/stages/2-networking-c-nva/README.md | 491 --- fast/stages/2-networking-c-nva/main.tf | 68 - fast/stages/2-networking-c-nva/regions.tf | 42 - .../2-networking-c-nva/variables-fast.tf | 89 - fast/stages/2-networking-c-nva/variables.tf | 239 -- .../2-networking-d-separate-envs/README.md | 2 +- .../2-networking-e-nva-bgp/data/cidrs.yaml | 30 - .../data/dashboards/firewall_insights.json | 68 - .../vpc_and_vpc_peering_group_quotas.json | 253 -- .../data/dashboards/vpn.json | 322 -- .../data/dns-policy-rules.yaml | 119 - .../firewall-rules/dev/default-ingress.yaml | 9 - .../data/firewall-rules/dev/rules.yaml | 24 - .../firewall-rules/dmz/default-ingress.yaml | 9 - .../data/firewall-rules/dmz/rules.yaml | 34 - .../landing/default-ingress.yaml | 9 - .../data/firewall-rules/landing/rules.yaml | 34 - .../firewall-rules/prod/default-ingress.yaml | 9 - .../data/hierarchical-ingress-rules.yaml | 49 - .../subnets/dev/dev-dataplatform-ew1.yaml | 9 - .../data/subnets/dev/dev-default-ew1.yaml | 6 - .../data/subnets/dev/dev-default-ew4.yaml | 6 - .../data/subnets/dev/dev-gke-nodes-ew1.yaml | 9 - .../data/subnets/dmz/dmz-default-ew1.yaml | 6 - .../data/subnets/dmz/dmz-default-ew4.yaml | 6 - .../subnets/landing/landing-default-ew1.yaml | 6 - .../subnets/landing/landing-default-ew4.yaml | 6 - .../data/subnets/prod/prod-default-ew1.yaml | 6 - .../data/subnets/prod/prod-default-ew4.yaml | 6 - fast/stages/2-networking-e-nva-bgp/dns-dev.tf | 72 - .../2-networking-e-nva-bgp/dns-landing.tf | 101 - .../stages/2-networking-e-nva-bgp/dns-prod.tf | 72 - .../monitoring-vpn-onprem.tf | 99 - .../2-networking-e-nva-bgp/monitoring.tf | 32 - fast/stages/2-networking-e-nva-bgp/net-dev.tf | 111 - .../2-networking-e-nva-bgp/net-landing.tf | 132 - .../stages/2-networking-e-nva-bgp/net-prod.tf | 109 - fast/stages/2-networking-e-nva-bgp/outputs.tf | 128 - .../2-networking-e-nva-bgp/test-resources.tf | 243 -- .../2-networking-e-nva-bgp/vpn-onprem.tf | 56 - fast/stages/3-project-factory/dev/README.md | 2 
+- fast/stages/README.md | 4 +- .../ncc-ra.tfvars} | 6 +- .../stages/s2_networking_b_nva/ncc-ra.yaml | 53 + .../simple.tfvars | 6 +- .../simple.yaml | 4 +- .../tftest.yaml | 5 +- .../s2_networking_e_nva_bgp/simple.yaml | 3703 ----------------- .../s2_networking_e_nva_bgp/tftest.yaml | 18 - 99 files changed, 330 insertions(+), 7029 deletions(-) rename fast/stages/{2-networking-e-nva-bgp => 2-networking-b-nva}/README.md (76%) rename fast/stages/{2-networking-e-nva-bgp => 2-networking-b-nva}/data/bgp-config.tftpl (100%) rename fast/stages/{2-networking-c-nva => 2-networking-b-nva}/data/cidrs.yaml (100%) rename fast/stages/{2-networking-c-nva => 2-networking-b-nva}/data/dashboards/firewall_insights.json (100%) rename fast/stages/{2-networking-c-nva => 2-networking-b-nva}/data/dashboards/vpc_and_vpc_peering_group_quotas.json (100%) rename fast/stages/{2-networking-c-nva => 2-networking-b-nva}/data/dashboards/vpn.json (100%) rename fast/stages/{2-networking-c-nva => 2-networking-b-nva}/data/dns-policy-rules.yaml (100%) rename fast/stages/{2-networking-c-nva => 2-networking-b-nva}/data/firewall-rules/dev/default-ingress.yaml (100%) rename fast/stages/{2-networking-c-nva => 2-networking-b-nva}/data/firewall-rules/dev/rules.yaml (100%) create mode 100644 fast/stages/2-networking-b-nva/data/firewall-rules/dmz/bgp.yaml rename fast/stages/{2-networking-c-nva => 2-networking-b-nva}/data/firewall-rules/dmz/default-ingress.yaml (100%) rename fast/stages/{2-networking-c-nva => 2-networking-b-nva}/data/firewall-rules/dmz/rules.yaml (100%) create mode 100644 fast/stages/2-networking-b-nva/data/firewall-rules/landing/bgp.yaml rename fast/stages/{2-networking-c-nva => 2-networking-b-nva}/data/firewall-rules/landing/default-ingress.yaml (100%) rename fast/stages/{2-networking-c-nva => 2-networking-b-nva}/data/firewall-rules/landing/rules.yaml (100%) rename fast/stages/{2-networking-c-nva => 2-networking-b-nva}/data/firewall-rules/prod/default-ingress.yaml (100%) rename 
fast/stages/{2-networking-c-nva => 2-networking-b-nva}/data/hierarchical-ingress-rules.yaml (100%) rename fast/stages/{2-networking-c-nva => 2-networking-b-nva}/data/subnets/dev/dev-dataplatform-ew1.yaml (100%) rename fast/stages/{2-networking-c-nva => 2-networking-b-nva}/data/subnets/dev/dev-default-ew1.yaml (100%) rename fast/stages/{2-networking-c-nva => 2-networking-b-nva}/data/subnets/dev/dev-default-ew4.yaml (100%) rename fast/stages/{2-networking-c-nva => 2-networking-b-nva}/data/subnets/dev/dev-gke-nodes-ew1.yaml (100%) rename fast/stages/{2-networking-c-nva/data/subnets/dmz/dmz-ew1.yaml => 2-networking-b-nva/data/subnets/dmz/dmz-default-ew1.yaml} (100%) rename fast/stages/{2-networking-c-nva/data/subnets/dmz/dmz-ew4.yaml => 2-networking-b-nva/data/subnets/dmz/dmz-default-ew4.yaml} (100%) rename fast/stages/{2-networking-c-nva => 2-networking-b-nva}/data/subnets/landing/landing-default-ew1.yaml (100%) rename fast/stages/{2-networking-c-nva => 2-networking-b-nva}/data/subnets/landing/landing-default-ew4.yaml (100%) rename fast/stages/{2-networking-c-nva => 2-networking-b-nva}/data/subnets/prod/prod-default-ew1.yaml (100%) rename fast/stages/{2-networking-c-nva => 2-networking-b-nva}/data/subnets/prod/prod-default-ew4.yaml (100%) rename fast/stages/{2-networking-e-nva-bgp/diagram.png => 2-networking-b-nva/diagram-ncc.png} (100%) rename fast/stages/{2-networking-e-nva-bgp/diagram.svg => 2-networking-b-nva/diagram-ncc.svg} (100%) rename fast/stages/{2-networking-c-nva/diagram.png => 2-networking-b-nva/diagram-simple.png} (100%) rename fast/stages/{2-networking-c-nva/diagram.svg => 2-networking-b-nva/diagram-simple.svg} (100%) rename fast/stages/{2-networking-c-nva => 2-networking-b-nva}/dns-dev.tf (100%) rename fast/stages/{2-networking-c-nva => 2-networking-b-nva}/dns-landing.tf (100%) rename fast/stages/{2-networking-c-nva => 2-networking-b-nva}/dns-prod.tf (100%) rename fast/stages/{2-networking-e-nva-bgp => 2-networking-b-nva}/main.tf (98%) rename 
fast/stages/{2-networking-c-nva => 2-networking-b-nva}/monitoring-vpn-onprem.tf (100%) rename fast/stages/{2-networking-c-nva => 2-networking-b-nva}/monitoring.tf (100%) rename fast/stages/{2-networking-c-nva => 2-networking-b-nva}/net-dev.tf (99%) rename fast/stages/{2-networking-c-nva => 2-networking-b-nva}/net-landing.tf (100%) rename fast/stages/{2-networking-c-nva => 2-networking-b-nva}/net-prod.tf (99%) rename fast/stages/{2-networking-e-nva-bgp/ncc.tf => 2-networking-b-nva/nva-bgp-ncc.tf} (75%) rename fast/stages/{2-networking-e-nva-bgp/nva.tf => 2-networking-b-nva/nva-bgp.tf} (86%) rename fast/stages/{2-networking-c-nva/nva.tf => 2-networking-b-nva/nva-simple.tf} (82%) rename fast/stages/{2-networking-c-nva => 2-networking-b-nva}/outputs.tf (95%) rename fast/stages/{2-networking-e-nva-bgp => 2-networking-b-nva}/regions.tf (100%) rename fast/stages/{2-networking-c-nva => 2-networking-b-nva}/test-resources.tf (100%) rename fast/stages/{2-networking-e-nva-bgp => 2-networking-b-nva}/variables-fast.tf (100%) rename fast/stages/{2-networking-e-nva-bgp => 2-networking-b-nva}/variables.tf (94%) rename fast/stages/{2-networking-c-nva => 2-networking-b-nva}/vpn-onprem.tf (100%) delete mode 100644 fast/stages/2-networking-c-nva/README.md delete mode 100644 fast/stages/2-networking-c-nva/main.tf delete mode 100644 fast/stages/2-networking-c-nva/regions.tf delete mode 100644 fast/stages/2-networking-c-nva/variables-fast.tf delete mode 100644 fast/stages/2-networking-c-nva/variables.tf delete mode 100644 fast/stages/2-networking-e-nva-bgp/data/cidrs.yaml delete mode 100644 fast/stages/2-networking-e-nva-bgp/data/dashboards/firewall_insights.json delete mode 100644 fast/stages/2-networking-e-nva-bgp/data/dashboards/vpc_and_vpc_peering_group_quotas.json delete mode 100644 fast/stages/2-networking-e-nva-bgp/data/dashboards/vpn.json delete mode 100644 fast/stages/2-networking-e-nva-bgp/data/dns-policy-rules.yaml delete mode 100644 
fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dev/default-ingress.yaml delete mode 100644 fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dev/rules.yaml delete mode 100644 fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dmz/default-ingress.yaml delete mode 100644 fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dmz/rules.yaml delete mode 100644 fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing/default-ingress.yaml delete mode 100644 fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing/rules.yaml delete mode 100644 fast/stages/2-networking-e-nva-bgp/data/firewall-rules/prod/default-ingress.yaml delete mode 100644 fast/stages/2-networking-e-nva-bgp/data/hierarchical-ingress-rules.yaml delete mode 100644 fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-dataplatform-ew1.yaml delete mode 100644 fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-default-ew1.yaml delete mode 100644 fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-default-ew4.yaml delete mode 100644 fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-gke-nodes-ew1.yaml delete mode 100644 fast/stages/2-networking-e-nva-bgp/data/subnets/dmz/dmz-default-ew1.yaml delete mode 100644 fast/stages/2-networking-e-nva-bgp/data/subnets/dmz/dmz-default-ew4.yaml delete mode 100644 fast/stages/2-networking-e-nva-bgp/data/subnets/landing/landing-default-ew1.yaml delete mode 100644 fast/stages/2-networking-e-nva-bgp/data/subnets/landing/landing-default-ew4.yaml delete mode 100644 fast/stages/2-networking-e-nva-bgp/data/subnets/prod/prod-default-ew1.yaml delete mode 100644 fast/stages/2-networking-e-nva-bgp/data/subnets/prod/prod-default-ew4.yaml delete mode 100644 fast/stages/2-networking-e-nva-bgp/dns-dev.tf delete mode 100644 fast/stages/2-networking-e-nva-bgp/dns-landing.tf delete mode 100644 fast/stages/2-networking-e-nva-bgp/dns-prod.tf delete mode 100644 fast/stages/2-networking-e-nva-bgp/monitoring-vpn-onprem.tf delete mode 100644 
fast/stages/2-networking-e-nva-bgp/monitoring.tf delete mode 100644 fast/stages/2-networking-e-nva-bgp/net-dev.tf delete mode 100644 fast/stages/2-networking-e-nva-bgp/net-landing.tf delete mode 100644 fast/stages/2-networking-e-nva-bgp/net-prod.tf delete mode 100644 fast/stages/2-networking-e-nva-bgp/outputs.tf delete mode 100644 fast/stages/2-networking-e-nva-bgp/test-resources.tf delete mode 100644 fast/stages/2-networking-e-nva-bgp/vpn-onprem.tf rename tests/fast/stages/{s2_networking_e_nva_bgp/simple.tfvars => s2_networking_b_nva/ncc-ra.tfvars} (94%) create mode 100644 tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml rename tests/fast/stages/{s2_networking_c_nva => s2_networking_b_nva}/simple.tfvars (94%) rename tests/fast/stages/{s2_networking_c_nva => s2_networking_b_nva}/simple.yaml (97%) rename tests/fast/stages/{s2_networking_c_nva => s2_networking_b_nva}/tftest.yaml (84%) delete mode 100644 tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml delete mode 100644 tests/fast/stages/s2_networking_e_nva_bgp/tftest.yaml
diff --git a/fast/stages/2-networking-a-simple/README.md b/fast/stages/2-networking-a-simple/README.md
index 17bf8750d7..038ffb283d 100644
--- a/fast/stages/2-networking-a-simple/README.md
+++ b/fast/stages/2-networking-a-simple/README.md
@@ -85,7 +85,7 @@ This is a summary of the main options:
 - [HA VPN](https://cloud.google.com/network-connectivity/docs/vpn/concepts/topologies) (implemented here)
 - Pros: simple compatibility with GCP services that leverage peering internally, better control on routes, avoids peering groups shared quotas and limits
 - Cons: additional cost, marginal increase in latency, requires multiple tunnels for full bandwidth
-- [Multi-NIC appliances](https://cloud.google.com/architecture/best-practices-vpc-design#multi-nic) (implemented by [2-networking-c-nva](../2-networking-c-nva/) and [2-networking-e-nva-bgp](../2-networking-e-nva-bgp/))
+- [Multi-NIC appliances](https://cloud.google.com/architecture/best-practices-vpc-design#multi-nic) (implemented by [2-networking-b-nva](../2-networking-b-nva/)
 - Pros: additional security features (e.g. IPS), potentially better integration with on-prem systems by using the same vendor
 - Cons: complex HA/failover setup, limited by VM bandwidth and scale, additional costs for VMs and licenses, out of band management of a critical cloud component
diff --git a/fast/stages/2-networking-e-nva-bgp/README.md b/fast/stages/2-networking-b-nva/README.md
similarity index 76%
rename from fast/stages/2-networking-e-nva-bgp/README.md
rename to fast/stages/2-networking-b-nva/README.md
index 8018aa7808..5a78a4b9cd 100644
--- a/fast/stages/2-networking-e-nva-bgp/README.md
+++ b/fast/stages/2-networking-b-nva/README.md
@@ -2,33 +2,32 @@ This stage sets up the shared network infrastructure for the whole organization. -It is designed for those who would like to leverage Network Virtual Appliances (NVAs) between trusted and untrusted areas of the network, for example for Intrusion Prevention System (IPS) purposes. - -We use Network Connectivity Center Router Appliance (NCC-RA) and BGP appliances (for the sake of the demo [FRRouting](https://frrouting.org/)) to avoid different limitations that static routes bring (more [here](https://medium.com/google-cloud/gcp-routing-adventures-vol-2-enterprise-multi-regional-deployments-in-google-cloud-3968e9591d59)). The goals of this design include: - -- Avoid using network tags to route traffic. -- Route traffic symmetrically to prevent breaking stateful NVAs. -- Avoid unnecessary NAT traffic at the NVAs. -- Avoid cross-regional traffic unless absolutely necessary for disaster recovery. -- Automatically send all traffic through the cross-regional NVAs if the ones in-region fail. -- Keep the trusted hub VPC unique, rather than having one per region. +It is designed for those who would like to leverage Network Virtual Appliances (NVAs) to control traffic flowing across different security contexts, for example for Intrusion Prevention System (IPS) purposes. It adopts the common “hub and spoke” reference design, which is well suited for multiple scenarios, and it offers several advantages versus other designs: -- the "trusted hub" VPC centralizes the external connectivity towards trusted network resources (e.g. on-prem, other cloud environments and the spokes), and it is ready to host cross-environment services like CI/CD, code repositories, and monitoring probes +- the "landing" or "trusted" hub VPC centralizes the external connectivity towards trusted network resources (e.g. 
on-prem, other cloud environments and the spokes), and it is ready to host cross-environment services like CI/CD, code repositories, and monitoring probes +- the "dmz" or "untrusted" VPC centralizes the external connectivity towards untrusted network resources, such as Internet (inbound and outbound) or 3P service providers or parties connected through VPN or Interconnect. - the "spoke" VPCs allow partitioning workloads (e.g. by environment like in this setup), while still retaining controlled access to central connectivity and services - Shared VPCs -both in hub and spokes- split the management of the network resources into specific (host) projects, while still allowing them to be consumed from the workload (service) projects - the design facilitates DNS centralization Connectivity between the hub and the spokes is established via [VPC network peerings](https://cloud.google.com/vpc/docs/vpc-peering), which offer uncapped bandwidth, lower latencies, at no additional costs and with a very low management overhead. Different ways of implementing connectivity, and related some pros and cons, are discussed below. -The diagram shows the high-level design and it should be used as a reference throughout the following sections. +The diagram shows the high-level designs of the two proposed flavors ("Simple NVA" and "NCC-RA") and it should be used as a reference throughout the following sections. The final number of subnets, and their IP addressing will depend on the user-specific requirements. It can be easily changed via variables or external data files, without any need to edit the code.

- Networking diagram + Simple NVA +
Simple NVA diagram

+
+

+ NCC-RA diagram +
NCC-RA diagram +

+ ## Table of contents @@ -37,10 +36,13 @@ The final number of subnets, and their IP addressing will depend on the user-spe - [Design overview and choices](#design-overview-and-choices) - [Multi-regional deployment](#multi-regional-deployment) - [VPC design](#vpc-design) - - [NCC, NVAs and BGP sessions](#ncc-nvas-and-bgp-sessions) + - [Simple NVA](#simple-nva) + - [NCC-RA](#ncc-ra) - [External connectivity](#external-connectivity) - [Internal connectivity](#internal-connectivity) - [IP ranges, subnetting, routing](#ip-ranges-subnetting-routing) + - [Simple NVA](#simple-nva-1) + - [NCC-RA](#ncc-ra-1) - [Internet egress](#internet-egress) - [VPC and Hierarchical Firewall](#vpc-and-hierarchical-firewall) - [DNS](#dns) @@ -48,6 +50,8 @@ The final number of subnets, and their IP addressing will depend on the user-spe - [VPCs](#vpcs) - [VPNs](#vpns) - [Routing and BGP](#routing-and-bgp) + - [Simple NVA](#simple-nva-2) + - [NCC-RA](#ncc-ra-2) - [Firewall](#firewall) - [DNS architecture](#dns-architecture) - [Cloud environment](#cloud-environment) 
@@ -73,8 +77,16 @@ The final number of subnets, and their IP addressing will depend on the user-spe ### Multi-regional deployment -The stage deploys the the infrastructure in two regions. By default, europe-west1 and europe-west4. Regional resources include NVAs and test VMs. This provides enough redundancy to be resilient to regional failures. -In case of a regional failure, the corresponding dynamic routes are withdrawn and traffic will failover in the secondary region. +This stage deploys networking resources in two different regions, deployed and configured in order to allow for a manual ("simple" mode) or automated ("ncc-ra") failover in case of failures. +Two different architectural flavors are provided which, while similar, implement a completely different routing strategy: + +- **Simple NVA**, where the network appliances are configured behind a "ILB Sandwitch" (two different network passthrough internal load balancers on each of `dmz` and `landing` VPCs), with static routes sending traffic for specific destinations to specific network appliances group through the load balancer. +- **NCC-RA**, where the network appliances establish BGP sessions with a Cloud Router on both `dmz` and `landing` VPCs, which comes with the following benefits, at the cost of additional initial setup complexity: + - avoid using network tags to route traffic + - automatically send all traffic through the cross-regional NVAs if the ones in-region fail + - avoid cross-regional traffic unless absolutely necessary for disaster recovery + +Switching between the two different models is controlled by `var.enable_ncc_ra`. ### VPC design 
@@ -83,8 +95,29 @@ The "landing zone" is divided into two VPC networks: - the landing VPC: the connectivity hub towards other trusted networks - the DMZ VPC: the connectivity hub towards any other untrusted network -### NCC, NVAs and BGP sessions +By default, the design assumes the following: + +- on-premise networks (and related resources) are considered trusted. As such, the VPNs connecting with on-premises are terminated in GCP, in the landing VPC +- the public Internet is considered untrusted. As such [Cloud NAT](https://cloud.google.com/nat/docs/overview) is deployed in the dmz landing VPC only +- cross-environment traffic and traffic from any dmz network to any landing network (and vice versa) pass through the NVAs. For demo purposes, the current NVA performs simple routing/natting only +- any traffic from a landing network to an dmz network (e.g. Internet) is natted by the NVAs. Users can configure further exclusions +The landing landing VPC acts as a hub: it bridges internal resources with the outside world and it hosts the shared services consumed by the spoke VPCs, connected to the hub through VPC network peerings. Spokes are used to partition the environments. By default: + +- one spoke VPC hosts the development environment resources +- one spoke VPC hosts the production environment resources + +Each virtual network is a [shared VPC](https://cloud.google.com/vpc/docs/shared-vpc): shared VPCs are managed in dedicated *host projects* and shared with other *service projects* that consume the network resources. +Shared VPC lets organization administrators delegate administrative responsibilities, such as creating and managing instances, to Service Project Admins while maintaining centralized control over network resources like subnets, routes, and firewalls. + +Users can easily extend the design to host additional environments, or adopt different logical mappings for the spokes (for example, in order to create a new spoke for each company entity). 
Adding spokes is trivial and it does not increase the design complexity. The steps to add more spokes are provided in the following sections. +In multi-organization scenarios, where production and non-production resources use different Cloud Identity and GCP organizations, the hub/landing VPC is usually part of the production organization. It establishes connections with the production spokes within the same organization, and with non-production spokes in a different organization. + +#### Simple NVA +The VPCs are connected with two sets of sample NVA machines, grouped in regional (multi-zone) [Managed Instance Groups (MIGs)](https://cloud.google.com/compute/docs/instance-groups). The appliances are plain Linux machines, performing simple routing/natting, leveraging some standard Linux features, such as *ip route* or *iptables*. The appliances are suited for demo purposes only and they should be replaced with enterprise-grade solutions before moving to production. +The traffic destined to the VMs in each MIG is mediated through regional internal load balancers, both in the landing and in the dmz networks. + +#### NCC-RA The VPCs connect through two sets of sample NVA machines: one per region, each containing two instances. The appliances run [Container-Optimized OS](https://cloud.google.com/container-optimized-os/docs) and a container with [FRRouting](https://frrouting.org/). We leverage NCC-RA to allow the NVAs to establish BGP sessions with Cloud Routers in the untrusted and in the trusted VPCs. This allows Cloud Routers to advertise routes to the NVAs, and the NVAs to announce routes to the Cloud Router, so it can program them in the VPC. 
@@ -99,30 +132,12 @@ NVAs establish **extra BGP sessions with both cross-regional NVAs**. In this cas Following the majority of real-life deployments, **we assume appliances to be stateful and not able to synchronize sessions between multiple NVAs within the same regional cluster**. For this reason, within each regional cluster, NVAs announce the same routes with different MED costs (1 point of difference between the primary and the secondary). This will cause traffic to go deterministically through one applaiance at the time within each region. You can change this default behavior modifying the cost settings in the [NVAs BGP configuration file](./data/bgp-config.tftpl). -By default, the design assumes that: - -- on-premise networks (and related resources) are considered trusted. As such, the VPNs connecting with on-premises are terminated in GCP, in the landing -- the public Internet is considered untrusted. As such [Cloud NAT](https://cloud.google.com/nat/docs/overview) is deployed in the DMZ VPC only. Also, the default route is set to carry traffic from the trusted VPCs, through the NVAs, to the DMZ. -- cross-spoke (environment) traffic and traffic from any untrusted network to any trusted network (and vice versa) pass through the NVAs. -- any traffic from a trusted network to an untrusted network (e.g. Internet) is natted by the NVAs. Users can configure further exclusions. - -The trusted landing VPC acts as a hub: it bridges internal resources with the outside world and it hosts the shared services consumed by the spoke VPCs, connected to the hub through VPC network peerings. Spokes are used to partition the environments. 
By default: - -- one spoke VPC hosts the development environment resources -- one spoke VPC hosts the production environment resources - -Each virtual network is a [shared VPC](https://cloud.google.com/vpc/docs/shared-vpc): shared VPCs are managed in dedicated *host projects* and shared with other *service projects* that consume the network resources. -Shared VPCs let organization administrators delegate administrative responsibilities, such as creating and managing instances, to Service Project Admins while maintaining centralized control over network resources like subnets, routes, and firewalls. - -Users can easily extend the design to host additional environments, or adopt different logical mappings for the spokes (for example, in order to create a new spoke for each company entity). Adding spokes is trivial and it does not increase the design complexity. The steps to add more spokes are provided in the following sections. - -In multi-organization scenarios, where production and non-production resources use different Cloud Identity and GCP organizations, the hub/landing VPC is usually part of the production organization. It establishes connections with the production spokes within the same organization, and with non-production spokes in a different organization. ### External connectivity External connectivity to on-prem is implemented leveraging [Cloud HA VPN](https://cloud.google.com/network-connectivity/docs/vpn/concepts/topologies) (two tunnels per region). This is what users normally deploy as a final solution, or to validate routing and to transfer data, while waiting for [interconnects](https://cloud.google.com/network-connectivity/docs/interconnect) to be provisioned. -Connectivity to additional on-prem sites or to other cloud providers should be implemented in a similar fashion, via VPN tunnels or interconnects, in the landing VPC (either trusted or untrusted, depending by the nature of the peers), sharing the same regional routers. 
+Connectivity to additional on-prem sites or to other cloud providers should be implemented in a similar fashion, via VPN tunnels or interconnects, in the landing VPC (either landing or dmz, depending by the nature of the peers), sharing the same regional routers. ### Internal connectivity @@ -135,8 +150,8 @@ This is an options summary: - Cons: no transitivity (e.g. to GKE masters, Cloud SQL, etc.), no selective exchange of routes, several quotas and limits shared between VPCs in a peering group - [Multi-NIC appliances](https://cloud.google.com/architecture/best-practices-vpc-design#multi-nic) (used here to connect the trusted landing and DMZ) - Pros: provides additional security features (e.g. IPS), potentially better integration with on-prem systems by using the same vendor - - Cons: complex HA/failover setup, limited by VM bandwidth and scale, additional costs for VMs and licenses, out of band management of a critical cloud component -- [HA VPN](https://cloud.google.com/network-connectivity/docs/vpn/concepts/topologies) + - Cons: complex HA/failover setup (for the "Simple NVA" setup), limited by VM bandwidth and scale, additional costs for VMs and licenses, out of band management of a critical cloud component +- [HA VPN](https://cloud.google.com/network-connectivity/docs/vpn/concepts/topologies) (used by [02-networking-a-simple](../2-networking-a-simple/) in VPN mode) - Pros: simple compatibility with GCP services that leverage peering internally, better control on routes, avoids peering groups shared quotas and limits - Cons: additional costs, marginal increase in latency, requires multiple tunnels for full bandwidth 
@@ -152,45 +167,53 @@ The first /24 range in every area is allocated for a default subnet, which can b This is a summary of the subnets allocated by default in this setup: -| name | description | CIDR | -|---|---|---| -| landing-default-ew1 | Trusted landing subnet - europe-west1 | 10.128.64.0/24 | -| landing-default-ew4 | Trusted landing subnet - europe-west4 | 10.128.96.0/24 | -| dmz-default-ew1 | Untrusted landing subnet - europe-west1 | 10.128.0.0/24 | -| dmz-default-ew4 | Untrusted landing subnet - europe-west4 | 10.128.32.0/24 | -| dev-default-ew1 | Dev spoke subnet - europe-west1 | 10.68.0.0/24 | -| dev-default-ew1 | Free (PSA) - europe-west1 | 10.68.253.0/24 | -| dev-default-ew1 | Free (PSA) - europe-west1 | 10.68.254.0/24 | -| dev-default-ew1 | Free (L7 ILB) - europe-west1 | 10.68.255.0/24 | -| dev-default-ew4 | Dev spoke subnet - europe-west4 | 10.84.0.0/24 | -| dev-default-ew4 | Free (PSA) - europe-west4 | 10.84.253.0/24 | -| dev-default-ew4 | Free (PSA) - europe-west4 | 10.84.254.0/24 | -| dev-default-ew4 | Free (L7 ILB) - europe-west4 | 10.84.255.0/24 | -| prod-default-ew1 | Prod spoke subnet - europe-west1 | 10.72.0.0/24 | -| prod-default-ew1 | Free (PSA) - europe-west1 | 10.72.253.0/24 | -| prod-default-ew1 | Free (PSA) - europe-west1 | 10.72.254.0/24 | -| prod-default-ew1 | Free (L7 ILB) - europe-west1 | 10.72.255.0/24 | -| prod-default-ew4 | Prod spoke subnet - europe-west4 | 10.88.0.0/24 | -| prod-default-ew4 | Free (PSA) - europe-west4 | 10.88.253.0/24 | -| prod-default-ew4 | Free (PSA) - europe-west4 | 10.88.254.0/24 | -| prod-default-ew4 | Free (L7 ILB) - europe-west4 | 10.88.255.0/24 | +| name | description | CIDR | +| ------------------- | --------------------------------------- | -------------- | +| landing-default-ew1 | Trusted landing subnet - europe-west1 | 10.128.64.0/24 | +| landing-default-ew4 | Trusted landing subnet - europe-west4 | 10.128.96.0/24 | +| dmz-default-ew1 | Untrusted landing subnet - europe-west1 | 10.128.0.0/24 | +| 
dmz-default-ew4 | Untrusted landing subnet - europe-west4 | 10.128.32.0/24 | +| dev-default-ew1 | Dev spoke subnet - europe-west1 | 10.68.0.0/24 | +| dev-default-ew1 | Free (PSA) - europe-west1 | 10.68.253.0/24 | +| dev-default-ew1 | Free (PSA) - europe-west1 | 10.68.254.0/24 | +| dev-default-ew1 | Free (L7 ILB) - europe-west1 | 10.68.255.0/24 | +| dev-default-ew4 | Dev spoke subnet - europe-west4 | 10.84.0.0/24 | +| dev-default-ew4 | Free (PSA) - europe-west4 | 10.84.253.0/24 | +| dev-default-ew4 | Free (PSA) - europe-west4 | 10.84.254.0/24 | +| dev-default-ew4 | Free (L7 ILB) - europe-west4 | 10.84.255.0/24 | +| prod-default-ew1 | Prod spoke subnet - europe-west1 | 10.72.0.0/24 | +| prod-default-ew1 | Free (PSA) - europe-west1 | 10.72.253.0/24 | +| prod-default-ew1 | Free (PSA) - europe-west1 | 10.72.254.0/24 | +| prod-default-ew1 | Free (L7 ILB) - europe-west1 | 10.72.255.0/24 | +| prod-default-ew4 | Prod spoke subnet - europe-west4 | 10.88.0.0/24 | +| prod-default-ew4 | Free (PSA) - europe-west4 | 10.88.253.0/24 | +| prod-default-ew4 | Free (PSA) - europe-west4 | 10.88.254.0/24 | +| prod-default-ew4 | Free (L7 ILB) - europe-west4 | 10.88.255.0/24 | These subnets can be advertised to on-premises as an aggregate /11 range (10.64.0.0/11). Refer to the `var.vpn_onprem_primary_config.router_config` and `var.vpn_onprem_secondary_config.router_config` variables to configure it. Routes in GCP are either automatically created (for example, when a subnet is added to a VPC), manually created via static routes, dynamically exchanged through VPC peerings, or dynamically programmed by [Cloud Routers](https://cloud.google.com/network-connectivity/docs/router#docs) when a BGP session is established. BGP sessions can be configured to advertise VPC ranges, and/or custom ranges via custom advertisements. 
-In this setup: +The Cloud Routers (connected to the VPN gateways in the landing VPC) are configured to exclude the default advertisement of VPC ranges and they only advertise their respective aggregate ranges, via custom advertisements. This greatly simplifies the routing configuration and avoids quota or limit issues, by keeping the number of routes small, instead of making it proportional to the subnets and to the secondary ranges in the VPCs. + +#### Simple NVA + +- routes between multiple subnets within the same VPC are automatically exchanged by GCP +- the spokes and the trusted landing VPC exchange routes through VPC peerings +- on-premises is connected to the landing landing VPC and it dynamically exchanges BGP routes with GCP (with the landing VPC) using HA VPN +- for cross-environment (spokes) communications, and for connections to on-premises and to the Internet, the spokes leverage some default tagged routes that send the traffic of each region (whose machines are identified by a dedicated network tag, e.g. *ew1*) to a corresponding regional NVA in the landing VPC, through an ILB (whose VIP is set as the route next-hop) +- the spokes are configured with backup default routes, so if the NVAs in the same region become unavailable, more routes to the NVAs in the other region are already available. Current routes are not able to understand if the next-hop ILBs become unhealthy. 
As such, in case of a regional failure, users will need to manually withdraw the primary default routes, so the secondaries will take over +- the NVAs are configured with static routes that allow the communication with on-premises and between the GCP resources (including the cross-environment communication) +#### NCC-RA - routes between multiple subnets within the same VPC are automatically exchanged by GCP - the spokes and the trusted landing VPC exchange dynamic routes through VPC peerings - on-premises is connected to the trusted landing VPC and it dynamically exchanges BGP routes with GCP (with the landing) using HA VPN - the NVAs exchange dynamic routes using BGP with Cloud Routers in the DMZ, Cloud Routers in the landing and cross-regional NVAs. This allows VMs in different environments and different regions to communicate. -The Cloud Routers (connected to the VPN gateways in the landing) are configured to exclude the default advertisement of VPC ranges and they only advertise their respective aggregate ranges, via custom advertisements. This greatly simplifies the routing configuration and avoids quota or limit issues, by keeping the number of routes small, instead of making it proportional to the subnets and to the secondary ranges in the VPCs. - ### Internet egress -In this setup, Internet egress is realized through [Cloud NAT](https://cloud.google.com/nat/docs/overview), deployed in the untrusted landing VPC. This allows instances in all other VPCs to reach the Internet, passing through the NVAs (being the public Internet considered untrusted). Cloud NAT is disabled by default; enable it by setting the `enable_cloud_nat` variable +In this setup, Internet egress is realized through [Cloud NAT](https://cloud.google.com/nat/docs/overview), deployed in the dmz landing VPC. This allows instances in all other VPCs to reach the Internet, passing through the NVAs (being the public Internet considered dmz). 
Cloud NAT is disabled by default; enable it by setting the `enable_cloud_nat` variable Several other scenarios are possible, with various degrees of complexity: 
@@ -235,32 +258,35 @@ This configuration is battle-tested, and flexible enough to lend itself to simpl ### VPCs -VPCs are defined in separate files, one for `landing` (trusted and untrusted), one for `prod` and one for `dev`. +VPCs are defined in separate files, one for `landing` (landing and dmz), one for `prod` and one for `dev`. These files contain different resources: - **project** ([`projects`](../../../modules/project)): the "[host projects](https://cloud.google.com/vpc/docs/shared-vpc)" containing the VPCs and enabling the required APIs. -- **VPCs** ([`net-vpc`](../../../modules/net-vpc)): manages the subnets, the explicit routes for `{private,restricted}.googleapis.com` and the DNS inbound policy for the trusted landing VPC. Non-infrastructural subnets are created leveraging resource factories. Sample subnets are shipped in [data/subnets](./data/subnets) and can be easily customized to fit users' needs. [PSA](https://cloud.google.com/vpc/docs/configure-private-services-access#allocating-range) are configured by the variable `psa_ranges` if managed services are needed. -- **Cloud NAT** ([`net-cloudnat`](../../../modules/net-cloudnat)) (in the untrusted landing VPC only): it manages the networking infrastructure required to enable the Internet egress. +- **VPCs** ([`net-vpc`](../../../modules/net-vpc)): manages the subnets, the explicit routes for `{private,restricted}.googleapis.com` and the DNS inbound policy for the landing (trusted) VPC. Non-infrastructural subnets are created leveraging resource factories. Sample subnets are shipped in [data/subnets](./data/subnets) and can be easily customized to fit users' needs. [PSA](https://cloud.google.com/vpc/docs/configure-private-services-access#allocating-range) are configured by the variable `psa_ranges` if managed services are needed. 
+- **Cloud NAT** ([`net-cloudnat`](../../../modules/net-cloudnat)) (in the dmz landing VPC only): it manages the networking infrastructure required to enable the Internet egress. ### VPNs -The connectivity between on-premises and GCP (the trusted landing VPC) is implemented with Cloud HA VPN ([`net-vpn`](../../../modules/net-vpn-ha)) and defined in [`vpn-onprem.tf`](./vpn-onprem.tf). The file implements a single logical connection between on-premises and the trusted landing VPC, both in `europe-west1` and `europe-west4`. The relevant parameters for its configuration are found in the variables `vpn_onprem_primary_config` and `vpn_onprem_secondary_config`. +The connectivity between on-premises and GCP (in the landing VPC) is implemented with Cloud HA VPN ([`net-vpn`](../../../modules/net-vpn-ha)) and defined in [`vpn-onprem.tf`](./vpn-onprem.tf). The file implements a single logical connection between on-premises and the landing landing VPC, both in `europe-west1` and `europe-west4`. The relevant parameters for its configuration are found in the variables `vpn_onprem_primary_config` and `vpn_onprem_secondary_config`. ### Routing and BGP -Each VPC network ([`net-vpc`](../../../modules/net-vpc)) manages a separate routing table, where you can define static routes (e.g. to private.googleapis.com) and receives dynamic routes through VPC peering and BGP sessions established with the neighbor networks (e.g. NCC routers, routers on-premises). +Each VPC network ([`net-vpc`](../../../modules/net-vpc)) manages a separate routing table, which can define static routes (e.g. to private.googleapis.com) and receives dynamic routes through VPC peering and BGP sessions established with the neighbor networks (e.g. the landing landing VPC receives routes from on-premises, and the spokes receive RFC1918 from the landing landing VPC). +BGP sessions for landing to on-premises are configured through the variable `vpn_onprem_configs`. 
+#### Simple NVA +Static routes are defined in `vpc-*.tf` files in the `routes` section of each `net-vpc` module. + +#### NCC-RA NCC/Cloud Router BGP settings are defined in `ncc.tf`. NVA BGP settings are defined in the [bpg-config.tftpl template file](./data/bgp-config.tftpl). -The variable `ncc_asn` allows to change the Autonomous System Number (ASN) assigned to the DMZ Cloud Routers, to the landing VPC Cloud Routers and to the NVAs. - -BGP sessions for trusted landing to on-premises are configured through the variable `vpn_onprem_configs`. +The local `ncc_asn` allows to change the Autonomous System Number (ASN) assigned to the DMZ Cloud Routers, to the landing VPC Cloud Routers and to the NVAs. ### Firewall **VPC firewall rules** ([`net-vpc-firewall`](../../../modules/net-vpc-firewall)) are defined per-vpc on each `vpc-*.tf` file and leverage a resource factory to massively create rules. -To add a new firewall rule, create a new file or edit an existing one in the `data_folder` directory defined in the module `net-vpc-firewall`, following the examples of the "[Rules factory](../../../modules/net-vpc-firewall#rules-factory)" section of the module documentation. Sample firewall rules are shipped in [data/firewall-rules/landing-untrusted](./data/firewall-rules/dmz) and in [data/firewall-rules/landing-trusted](./data/firewall-rules/landing), and can be easily customized. +To add a new firewall rule, create a new file or edit an existing one in the `data_folder` directory defined in the module `net-vpc-firewall`, following the examples of the "[Rules factory](../../../modules/net-vpc-firewall#rules-factory)" section of the module documentation. Sample firewall rules are shipped in [data/firewall-rules/dmz](./data/firewall-rules/dmz) and in [data/firewall-rules/landing](./data/firewall-rules/landing), and can be easily customized. 
**Hierarchical firewall policies** ([`folder`](../../../modules/folder)) are defined in `main.tf` and managed through a policy factory implemented by the `net-firewall-policy` module, which is then applied to the `Networking` folder containing all the core networking infrastructure. Policies are defined in the `rules_file` file, to define a new one simply use the [firewall policy module documentation](../../../modules/net-firewall-policy/README.md#factory)". Sample hierarchical firewall rules are shipped in [data/hierarchical-ingress-rules.yaml](./data/hierarchical-ingress-rules.yaml) and can be easily customised. @@ -273,7 +299,7 @@ Cloud DNS manages onprem forwarding, the main GCP zone (in this example `gcp.exa #### Cloud environment The root DNS zone defined in the landing project acts as the source of truth for DNS within the Cloud environment. The resources defined in the spoke VPCs consume the landing DNS infrastructure through DNS peering (e.g. `prod-landing-root-dns-peering`). -The spokes can optionally define private zones (e.g. `prod-dns-private-zone`). Granting visibility both to the trusted and untrusted landing VPCs ensures that the whole cloud environment can query such zones. +The spokes can optionally define private zones (e.g. `prod-dns-private-zone`). Granting visibility both to the landing and dmz VPCs ensures that the whole cloud environment can query such zones. #### Cloud to on-prem 
@@ -283,7 +309,7 @@ DNS queries sent to the on-premise infrastructure come from the `35.199.192.0/19 #### On-prem to cloud -The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in the *trusted landing VPC module* ([`net-landing.tf`](./net-landing.tf)) automatically reserves the first available IP address on each subnet (typically the third one in a CIDR) to expose the Cloud DNS service, so that it can be consumed from outside of GCP. +The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in the *landing VPC module* ([`net-landing.tf`](./net-landing.tf)) automatically reserves the first available IP address on each subnet (typically the third one in a CIDR) to expose the Cloud DNS service, so that it can be consumed from outside of GCP. ## How to run this stage @@ -293,6 +319,8 @@ It's of course possible to run this stage in isolation, but that's outside the s Before running this stage, you need to make sure you have the correct credentials and permissions, and localize variables by assigning values that match your configuration. +Note that by default the "Simple NVA" architecture is deployed - in order to enable the "NCC-RA" features, variable `enable_ncc_ra` should be set to `true`. + ### Provider and Terraform variables As all other FAST stages, the [mechanism used to pass variable values and pre-built provider files from one stage to the next](../0-bootstrap/README.md#output-files-and-cross-stage-variables) is also leveraged here. 
@@ -375,7 +403,7 @@ terraform apply [Private Google Access](https://cloud.google.com/vpc/docs/private-google-access) (or PGA) enables VMs and on-prem systems to consume Google APIs from within the Google network, and is already fully configured on this environment: - DNS response policies in the landing project implement rules for all supported domains reachable via PGA -- routes for the private and restricted ranges are defined in all VPCs except untrusted +- routes for the private and restricted ranges are defined in all VPCs except dmz To enable PGA access from on premises advertise the private/restricted ranges via the `vpn_onprem_primary_config` and `vpn_onprem_secondary_config` variables, using router or tunnel custom advertisements. 
@@ -447,11 +475,11 @@ Adapt the new file by replacing the value "prod" with the value "staging". Running `diff net-dev.tf net-prod.tf` can help to see how environment files differ. The new VPC requires a set of dedicated CIDRs, one per region, added to variable `gcp_ranges` (for example as `spoke_staging_ew1` and `spoke_staging_ew4`). -`gcp_ranges` is a map that "resolves" CIDR names to the actual addresses, and will be used later to configure routing. - +>`gcp_ranges` is a map that "resolves" CIDR names to the actual addresses, and will be used later to configure routing. +> Variables managing L7 Internal Load Balancers (`l7ilb_subnets`) and Private Service Access (`psa_ranges`) should also be adapted, and subnets and firewall rules for the new spoke should be added, as described above. -Configure the NVAs deployed updating the sample BGP [config file](./data/bgp-config.tftpl). +If NCC-RA is enabled, you can configure the NVAs deployed updating the sample BGP [config file](./data/bgp-config.tftpl). DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS resolution to Landing through DNS peering, and optionally define a private zone (e.g. `dev.gcp.example.com`) which the landing peers to. To configure DNS for a new environment, copy one of the other environments DNS files [e.g. (dns-dev.tf)](dns-dev.tf) into a new `dns-*.tf` file suffixed with the environment name (e.g. `dns-staging.tf`), and update its content accordingly. Don't forget to add a peering zone from the landing to the newly created environment private zone. 
@@ -467,14 +495,15 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 | [main.tf](./main.tf) | Networking folder and hierarchical policy. | folder · net-firewall-policy | |
 | [monitoring-vpn-onprem.tf](./monitoring-vpn-onprem.tf) | VPN monitoring alerts. | | google_monitoring_alert_policy |
 | [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | google_monitoring_dashboard |
-| [ncc.tf](./ncc.tf) | None | ncc-spoke-ra | google_network_connectivity_hub |
 | [net-dev.tf](./net-dev.tf) | Dev spoke VPC and related resources. | net-vpc · net-vpc-firewall · net-vpc-peering · project | |
 | [net-landing.tf](./net-landing.tf) | Landing VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | |
 | [net-prod.tf](./net-prod.tf) | Production spoke VPC and related resources. | net-vpc · net-vpc-firewall · net-vpc-peering · project | |
-| [nva.tf](./nva.tf) | None | compute-vm · simple-nva | google_compute_address |
+| [nva-bgp-ncc.tf](./nva-bgp-ncc.tf) | None | | google_network_connectivity_hub |
+| [nva-bgp.tf](./nva-bgp.tf) | None | | google_compute_address |
+| [nva-simple.tf](./nva-simple.tf) | None | simple-nva | |
 | [outputs.tf](./outputs.tf) | Module outputs. | | google_storage_bucket_object · local_file |
 | [regions.tf](./regions.tf) | Compute short names for regions. | | |
-| [test-resources.tf](./test-resources.tf) | temporary instances for testing | compute-vm | |
+| [test-resources.tf](./test-resources.tf) | Temporary instances for testing | | |
 | [variables-fast.tf](./variables-fast.tf) | None | | |
 | [variables.tf](./variables.tf) | Module variables. | | |
 | [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | net-vpn-ha | |
@@ -489,21 +518,21 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [organization](variables-fast.tf#L67) | Organization details. | object({…}) | ✓ | | 0-bootstrap | | [prefix](variables-fast.tf#L77) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | | +| [create_test_instances](variables.tf#L42) | Enables the creation of test VMs in each VPC, useful to test and troubleshoot connectivity. | bool | | false | | | [custom_roles](variables-fast.tf#L38) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap | -| [dns](variables.tf#L42) | DNS configuration. | object({…}) | | {} | | -| [enable_cloud_nat](variables.tf#L52) | Deploy Cloud NAT. | bool | | false | | -| [essential_contacts](variables.tf#L59) | Email used for essential contacts, unset if null. | string | | null | | -| [factories_config](variables.tf#L65) | Configuration for network resource factories. | object({…}) | | {…} | | +| [dns](variables.tf#L48) | DNS configuration. | object({…}) | | {} | | +| [enable_cloud_nat](variables.tf#L58) | Deploy Cloud NAT. | bool | | false | | +| [enable_ncc_ra](variables.tf#L65) | Deploy NCC Router Appliance to create a BGP session between core VPCs and the appliances. | bool | | false | | +| [essential_contacts](variables.tf#L72) | Email used for essential contacts, unset if null. | string | | null | | +| [factories_config](variables.tf#L78) | Configuration for network resource factories. | object({…}) | | {…} | | | [fast_features](variables-fast.tf#L47) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap | -| [gcp_ranges](variables.tf#L86) | GCP address ranges in name => range format. 
| map(string) | | {…} | | -| [ncc_asn](variables.tf#L101) | The NCC Cloud Routers ASN configuration. | map(number) | | {…} | | -| [outputs_location](variables.tf#L112) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | -| [psa_ranges](variables.tf#L118) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | {} | | -| [regions](variables.tf#L138) | Region definitions. | object({…}) | | {…} | | +| [gcp_ranges](variables.tf#L99) | GCP address ranges in name => range format. | map(string) | | {…} | | +| [outputs_location](variables.tf#L114) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | +| [psa_ranges](variables.tf#L120) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | {} | | +| [regions](variables.tf#L140) | Region definitions. | object({…}) | | {…} | | | [service_accounts](variables-fast.tf#L87) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | -| [vpn_onprem_primary_config](variables.tf#L150) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | | -| [vpn_onprem_secondary_config](variables.tf#L193) | VPN gateway configuration for onprem interconnection in the secondary region. | object({…}) | | null | | -| [zones](variables.tf#L236) | Zones in which NVAs are deployed. | list(string) | | ["b", "c"] | | +| [vpn_onprem_primary_config](variables.tf#L152) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | | +| [vpn_onprem_secondary_config](variables.tf#L195) | VPN gateway configuration for onprem interconnection in the secondary region. | object({…}) | | null | | ## Outputs 
@@ -511,7 +540,8 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 |---|---|:---:|---|
 | [host_project_ids](outputs.tf#L95) | Network project ids. | | |
 | [host_project_numbers](outputs.tf#L100) | Network project numbers. | | |
-| [shared_vpc_self_links](outputs.tf#L105) | Shared VPC host projects. | | |
-| [tfvars](outputs.tf#L110) | Terraform variables file for the following stages. | ✓ | |
-| [vpn_gateway_endpoints](outputs.tf#L116) | External IP Addresses for the GCP VPN gateways. | | |
+| [ping_commands](outputs.tf#L105) | Ping commands for test instances to be run to check VPC reachability. | | |
+| [shared_vpc_self_links](outputs.tf#L110) | Shared VPC host projects. | | |
+| [tfvars](outputs.tf#L115) | Terraform variables file for the following stages. | ✓ | |
+| [vpn_gateway_endpoints](outputs.tf#L121) | External IP Addresses for the GCP VPN gateways. | | |
diff --git a/fast/stages/2-networking-e-nva-bgp/data/bgp-config.tftpl b/fast/stages/2-networking-b-nva/data/bgp-config.tftpl
similarity index 100%
rename from fast/stages/2-networking-e-nva-bgp/data/bgp-config.tftpl
rename to fast/stages/2-networking-b-nva/data/bgp-config.tftpl
diff --git a/fast/stages/2-networking-c-nva/data/cidrs.yaml b/fast/stages/2-networking-b-nva/data/cidrs.yaml
similarity index 100%
rename from fast/stages/2-networking-c-nva/data/cidrs.yaml
rename to fast/stages/2-networking-b-nva/data/cidrs.yaml
diff --git a/fast/stages/2-networking-c-nva/data/dashboards/firewall_insights.json b/fast/stages/2-networking-b-nva/data/dashboards/firewall_insights.json
similarity index 100%
rename from fast/stages/2-networking-c-nva/data/dashboards/firewall_insights.json
rename to fast/stages/2-networking-b-nva/data/dashboards/firewall_insights.json
diff --git a/fast/stages/2-networking-c-nva/data/dashboards/vpc_and_vpc_peering_group_quotas.json b/fast/stages/2-networking-b-nva/data/dashboards/vpc_and_vpc_peering_group_quotas.json
similarity index 100%
rename from fast/stages/2-networking-c-nva/data/dashboards/vpc_and_vpc_peering_group_quotas.json
rename to fast/stages/2-networking-b-nva/data/dashboards/vpc_and_vpc_peering_group_quotas.json
diff --git a/fast/stages/2-networking-c-nva/data/dashboards/vpn.json b/fast/stages/2-networking-b-nva/data/dashboards/vpn.json
similarity index 100%
rename from fast/stages/2-networking-c-nva/data/dashboards/vpn.json
rename to fast/stages/2-networking-b-nva/data/dashboards/vpn.json
diff --git a/fast/stages/2-networking-c-nva/data/dns-policy-rules.yaml b/fast/stages/2-networking-b-nva/data/dns-policy-rules.yaml
similarity index 100%
rename from fast/stages/2-networking-c-nva/data/dns-policy-rules.yaml
rename to fast/stages/2-networking-b-nva/data/dns-policy-rules.yaml
diff --git a/fast/stages/2-networking-c-nva/data/firewall-rules/dev/default-ingress.yaml b/fast/stages/2-networking-b-nva/data/firewall-rules/dev/default-ingress.yaml
similarity index 100%
rename from fast/stages/2-networking-c-nva/data/firewall-rules/dev/default-ingress.yaml
rename to fast/stages/2-networking-b-nva/data/firewall-rules/dev/default-ingress.yaml
diff --git a/fast/stages/2-networking-c-nva/data/firewall-rules/dev/rules.yaml b/fast/stages/2-networking-b-nva/data/firewall-rules/dev/rules.yaml
similarity index 100%
rename from fast/stages/2-networking-c-nva/data/firewall-rules/dev/rules.yaml
rename to fast/stages/2-networking-b-nva/data/firewall-rules/dev/rules.yaml
diff --git a/fast/stages/2-networking-b-nva/data/firewall-rules/dmz/bgp.yaml b/fast/stages/2-networking-b-nva/data/firewall-rules/dmz/bgp.yaml
new file mode 100644
index 0000000000..4e64c626de
--- /dev/null
+++ b/fast/stages/2-networking-b-nva/data/firewall-rules/dmz/bgp.yaml
@@ -0,0 +1,23 @@ +# skip boilerplate check +# This is only relevant when using NCC-RA, and can be safely removed otherwise +ingress: + allow-ncc-nva-bgp-dmz: + description: "Allow BGP traffic from NCC Cloud Routers to NVAs" + source_ranges: + - 10.128.0.201/32 + - 10.128.0.202/32 + - 10.128.32.201/32 + - 10.128.32.202/32 + targets: ["nva"] + rules: + - protocol: tcp + ports: + - 179 + allow-nva-nva-bgp-dmz: + description: "Allow BGP traffic from cross-regional NVAs" + sources: ["nva"] + targets: ["nva"] + rules: + - protocol: tcp + ports: + - 179 diff --git a/fast/stages/2-networking-c-nva/data/firewall-rules/dmz/default-ingress.yaml b/fast/stages/2-networking-b-nva/data/firewall-rules/dmz/default-ingress.yaml similarity index 100% rename from fast/stages/2-networking-c-nva/data/firewall-rules/dmz/default-ingress.yaml rename to fast/stages/2-networking-b-nva/data/firewall-rules/dmz/default-ingress.yaml diff --git a/fast/stages/2-networking-c-nva/data/firewall-rules/dmz/rules.yaml b/fast/stages/2-networking-b-nva/data/firewall-rules/dmz/rules.yaml similarity index 100% rename from fast/stages/2-networking-c-nva/data/firewall-rules/dmz/rules.yaml rename to fast/stages/2-networking-b-nva/data/firewall-rules/dmz/rules.yaml diff --git a/fast/stages/2-networking-b-nva/data/firewall-rules/landing/bgp.yaml b/fast/stages/2-networking-b-nva/data/firewall-rules/landing/bgp.yaml new file mode 100644 index 0000000000..8195a91d8a --- /dev/null +++ b/fast/stages/2-networking-b-nva/data/firewall-rules/landing/bgp.yaml @@ -0,0 +1,15 @@ +# skip boilerplate check +# This is only relevant when using NCC-RA, and can be safely removed otherwise +ingress: + allow-ncc-nva-bgp-landing: + description: "Allow BGP traffic from NCC Cloud Routers to NVAs" + source_ranges: + - 10.128.64.201/32 + - 10.128.64.202/32 + - 10.128.96.201/32 + - 10.128.96.202/32 + targets: ["nva"] + rules: + - protocol: tcp + ports: + - 179 
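Review bot: The `source_ranges` of `allow-ncc-nva-bgp-dmz` hard-code four /32 addresses (10.128.0.201, 10.128.0.202, 10.128.32.201, 10.128.32.202) while the Cloud Router interface addresses the rule is meant to admit are computed in nva-bgp-ncc.tf as `cidrhost(module.dmz-vpc.subnet_ips["<region>/dmz-default"], 201)` (and presumably 202 for the second interface); if the dmz-default ranges under `data/subnets/dmz` are changed, this rule silently stops matching and the BGP sessions fail without any plan-time signal. A comment tying the two together would help, e.g. `# Cloud Router interface IPs: cidrhost(<region>/dmz-default, 201) and 202 — keep in sync with data/subnets/dmz and nva-bgp-ncc.tf`. The same applies to `allow-ncc-nva-bgp-landing` in `landing/bgp.yaml` (10.128.64.x / 10.128.96.x). The header says the file can be removed when NCC-RA is not used, but nothing visible here gates it on `enable_ncc_ra`, so the rules are presumably created in both modes; stating that explicitly would avoid surprises when reviewing the effective firewall.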
diff --git a/fast/stages/2-networking-c-nva/data/firewall-rules/landing/default-ingress.yaml b/fast/stages/2-networking-b-nva/data/firewall-rules/landing/default-ingress.yaml
similarity index 100%
rename from fast/stages/2-networking-c-nva/data/firewall-rules/landing/default-ingress.yaml
rename to fast/stages/2-networking-b-nva/data/firewall-rules/landing/default-ingress.yaml
diff --git a/fast/stages/2-networking-c-nva/data/firewall-rules/landing/rules.yaml b/fast/stages/2-networking-b-nva/data/firewall-rules/landing/rules.yaml
similarity index 100%
rename from fast/stages/2-networking-c-nva/data/firewall-rules/landing/rules.yaml
rename to fast/stages/2-networking-b-nva/data/firewall-rules/landing/rules.yaml
diff --git a/fast/stages/2-networking-c-nva/data/firewall-rules/prod/default-ingress.yaml b/fast/stages/2-networking-b-nva/data/firewall-rules/prod/default-ingress.yaml
similarity index 100%
rename from fast/stages/2-networking-c-nva/data/firewall-rules/prod/default-ingress.yaml
rename to fast/stages/2-networking-b-nva/data/firewall-rules/prod/default-ingress.yaml
diff --git a/fast/stages/2-networking-c-nva/data/hierarchical-ingress-rules.yaml b/fast/stages/2-networking-b-nva/data/hierarchical-ingress-rules.yaml
similarity index 100%
rename from fast/stages/2-networking-c-nva/data/hierarchical-ingress-rules.yaml
rename to fast/stages/2-networking-b-nva/data/hierarchical-ingress-rules.yaml
diff --git a/fast/stages/2-networking-c-nva/data/subnets/dev/dev-dataplatform-ew1.yaml b/fast/stages/2-networking-b-nva/data/subnets/dev/dev-dataplatform-ew1.yaml
similarity index 100%
rename from fast/stages/2-networking-c-nva/data/subnets/dev/dev-dataplatform-ew1.yaml
rename to fast/stages/2-networking-b-nva/data/subnets/dev/dev-dataplatform-ew1.yaml
diff --git a/fast/stages/2-networking-c-nva/data/subnets/dev/dev-default-ew1.yaml b/fast/stages/2-networking-b-nva/data/subnets/dev/dev-default-ew1.yaml
similarity index 100%
rename from fast/stages/2-networking-c-nva/data/subnets/dev/dev-default-ew1.yaml
rename to fast/stages/2-networking-b-nva/data/subnets/dev/dev-default-ew1.yaml
diff --git a/fast/stages/2-networking-c-nva/data/subnets/dev/dev-default-ew4.yaml b/fast/stages/2-networking-b-nva/data/subnets/dev/dev-default-ew4.yaml
similarity index 100%
rename from fast/stages/2-networking-c-nva/data/subnets/dev/dev-default-ew4.yaml
rename to fast/stages/2-networking-b-nva/data/subnets/dev/dev-default-ew4.yaml
diff --git a/fast/stages/2-networking-c-nva/data/subnets/dev/dev-gke-nodes-ew1.yaml b/fast/stages/2-networking-b-nva/data/subnets/dev/dev-gke-nodes-ew1.yaml
similarity index 100%
rename from fast/stages/2-networking-c-nva/data/subnets/dev/dev-gke-nodes-ew1.yaml
rename to fast/stages/2-networking-b-nva/data/subnets/dev/dev-gke-nodes-ew1.yaml
diff --git a/fast/stages/2-networking-c-nva/data/subnets/dmz/dmz-ew1.yaml b/fast/stages/2-networking-b-nva/data/subnets/dmz/dmz-default-ew1.yaml
similarity index 100%
rename from fast/stages/2-networking-c-nva/data/subnets/dmz/dmz-ew1.yaml
rename to fast/stages/2-networking-b-nva/data/subnets/dmz/dmz-default-ew1.yaml
diff --git a/fast/stages/2-networking-c-nva/data/subnets/dmz/dmz-ew4.yaml b/fast/stages/2-networking-b-nva/data/subnets/dmz/dmz-default-ew4.yaml
similarity index 100%
rename from fast/stages/2-networking-c-nva/data/subnets/dmz/dmz-ew4.yaml
rename to fast/stages/2-networking-b-nva/data/subnets/dmz/dmz-default-ew4.yaml
diff --git a/fast/stages/2-networking-c-nva/data/subnets/landing/landing-default-ew1.yaml b/fast/stages/2-networking-b-nva/data/subnets/landing/landing-default-ew1.yaml
similarity index 100%
rename from fast/stages/2-networking-c-nva/data/subnets/landing/landing-default-ew1.yaml
rename to fast/stages/2-networking-b-nva/data/subnets/landing/landing-default-ew1.yaml
diff --git a/fast/stages/2-networking-c-nva/data/subnets/landing/landing-default-ew4.yaml b/fast/stages/2-networking-b-nva/data/subnets/landing/landing-default-ew4.yaml
similarity index 100%
rename from fast/stages/2-networking-c-nva/data/subnets/landing/landing-default-ew4.yaml
rename to fast/stages/2-networking-b-nva/data/subnets/landing/landing-default-ew4.yaml
diff --git a/fast/stages/2-networking-c-nva/data/subnets/prod/prod-default-ew1.yaml b/fast/stages/2-networking-b-nva/data/subnets/prod/prod-default-ew1.yaml
similarity index 100%
rename from fast/stages/2-networking-c-nva/data/subnets/prod/prod-default-ew1.yaml
rename to fast/stages/2-networking-b-nva/data/subnets/prod/prod-default-ew1.yaml
diff --git a/fast/stages/2-networking-c-nva/data/subnets/prod/prod-default-ew4.yaml b/fast/stages/2-networking-b-nva/data/subnets/prod/prod-default-ew4.yaml
similarity index 100%
rename from fast/stages/2-networking-c-nva/data/subnets/prod/prod-default-ew4.yaml
rename to fast/stages/2-networking-b-nva/data/subnets/prod/prod-default-ew4.yaml
diff --git a/fast/stages/2-networking-e-nva-bgp/diagram.png b/fast/stages/2-networking-b-nva/diagram-ncc.png
similarity index 100%
rename from fast/stages/2-networking-e-nva-bgp/diagram.png
rename to fast/stages/2-networking-b-nva/diagram-ncc.png
diff --git a/fast/stages/2-networking-e-nva-bgp/diagram.svg b/fast/stages/2-networking-b-nva/diagram-ncc.svg
similarity index 100%
rename from fast/stages/2-networking-e-nva-bgp/diagram.svg
rename to fast/stages/2-networking-b-nva/diagram-ncc.svg
diff --git a/fast/stages/2-networking-c-nva/diagram.png b/fast/stages/2-networking-b-nva/diagram-simple.png similarity index 100% rename from fast/stages/2-networking-c-nva/diagram.png rename to fast/stages/2-networking-b-nva/diagram-simple.png diff --git a/fast/stages/2-networking-c-nva/diagram.svg b/fast/stages/2-networking-b-nva/diagram-simple.svg similarity index 100% rename from fast/stages/2-networking-c-nva/diagram.svg rename to fast/stages/2-networking-b-nva/diagram-simple.svg diff --git a/fast/stages/2-networking-c-nva/dns-dev.tf b/fast/stages/2-networking-b-nva/dns-dev.tf similarity index 100% rename from fast/stages/2-networking-c-nva/dns-dev.tf rename to fast/stages/2-networking-b-nva/dns-dev.tf diff --git a/fast/stages/2-networking-c-nva/dns-landing.tf b/fast/stages/2-networking-b-nva/dns-landing.tf similarity index 100% rename from fast/stages/2-networking-c-nva/dns-landing.tf rename to fast/stages/2-networking-b-nva/dns-landing.tf diff --git a/fast/stages/2-networking-c-nva/dns-prod.tf b/fast/stages/2-networking-b-nva/dns-prod.tf similarity index 100% rename from fast/stages/2-networking-c-nva/dns-prod.tf rename to fast/stages/2-networking-b-nva/dns-prod.tf diff --git a/fast/stages/2-networking-e-nva-bgp/main.tf b/fast/stages/2-networking-b-nva/main.tf similarity index 98% rename from fast/stages/2-networking-e-nva-bgp/main.tf rename to fast/stages/2-networking-b-nva/main.tf index dc58000c7d..fc514d00cb 100644 --- a/fast/stages/2-networking-e-nva-bgp/main.tf +++ b/fast/stages/2-networking-b-nva/main.tf @@ -18,6 +18,7 @@ locals { custom_roles = coalesce(var.custom_roles, {}) + nva_zones = ["b", "c"] # combine all regions from variables and subnets regions = distinct(concat( values(var.regions), 
diff --git a/fast/stages/2-networking-c-nva/monitoring-vpn-onprem.tf b/fast/stages/2-networking-b-nva/monitoring-vpn-onprem.tf similarity index 100% rename from fast/stages/2-networking-c-nva/monitoring-vpn-onprem.tf rename to fast/stages/2-networking-b-nva/monitoring-vpn-onprem.tf diff --git a/fast/stages/2-networking-c-nva/monitoring.tf b/fast/stages/2-networking-b-nva/monitoring.tf similarity index 100% rename from fast/stages/2-networking-c-nva/monitoring.tf rename to fast/stages/2-networking-b-nva/monitoring.tf diff --git a/fast/stages/2-networking-c-nva/net-dev.tf b/fast/stages/2-networking-b-nva/net-dev.tf similarity index 99% rename from fast/stages/2-networking-c-nva/net-dev.tf rename to fast/stages/2-networking-b-nva/net-dev.tf index 07b427e299..d887f0729d 100644 --- a/fast/stages/2-networking-c-nva/net-dev.tf +++ b/fast/stages/2-networking-b-nva/net-dev.tf @@ -89,7 +89,7 @@ module "dev-spoke-vpc" { private = true restricted = true } - routes = { + routes = var.enable_ncc_ra ? null : { nva-primary-to-primary = { dest_range = "0.0.0.0/0" priority = 1000 diff --git a/fast/stages/2-networking-c-nva/net-landing.tf b/fast/stages/2-networking-b-nva/net-landing.tf similarity index 100% rename from fast/stages/2-networking-c-nva/net-landing.tf rename to fast/stages/2-networking-b-nva/net-landing.tf diff --git a/fast/stages/2-networking-c-nva/net-prod.tf b/fast/stages/2-networking-b-nva/net-prod.tf similarity index 99% rename from fast/stages/2-networking-c-nva/net-prod.tf rename to fast/stages/2-networking-b-nva/net-prod.tf index 0444fa13ca..9e92ef200c 100644 --- a/fast/stages/2-networking-c-nva/net-prod.tf +++ b/fast/stages/2-networking-b-nva/net-prod.tf @@ -87,7 +87,7 @@ module "prod-spoke-vpc" { private = true restricted = true } - routes = { + routes = var.enable_ncc_ra ? null : { nva-primary-to-primary = { dest_range = "0.0.0.0/0" priority = 1000 
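Review bot: `routes = var.enable_ncc_ra ? null : { … }` in `module "dev-spoke-vpc"` carries no explanation of why the static `0.0.0.0/0` routes towards the NVAs are dropped in NCC mode; a reader has to already know that with Router Appliances the default route is expected to arrive dynamically over BGP. A one-line comment would save that lookup, e.g. `# static routes via the NVA ILBs are only needed without NCC-RA; with it, routes are learned over BGP`. The identical hunk in net-prod.tf needs the same note. Passing `null` also relies on the VPC module tolerating a null `routes` value (presumably it falls back to its default); if that is not guaranteed, `{}` is the safer empty value.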
diff --git a/fast/stages/2-networking-e-nva-bgp/ncc.tf b/fast/stages/2-networking-b-nva/nva-bgp-ncc.tf similarity index 75% rename from fast/stages/2-networking-e-nva-bgp/ncc.tf rename to fast/stages/2-networking-b-nva/nva-bgp-ncc.tf index dfcceda0d4..c34033e275 100644 --- a/fast/stages/2-networking-e-nva-bgp/ncc.tf +++ b/fast/stages/2-networking-b-nva/nva-bgp-ncc.tf @@ -14,20 +14,31 @@ * limitations under the License. */ +locals { + ncc_asn = { + dmz = 64512 + landing = 64515 + nva_primary = 64513 + nva_secondary = 64514 + } +} + resource "google_network_connectivity_hub" "hub_landing" { + count = var.enable_ncc_ra ? 1 : 0 name = "prod-hub-landing" description = "Prod hub landing (trusted)" project = module.landing-project.project_id } resource "google_network_connectivity_hub" "hub_dmz" { + count = var.enable_ncc_ra ? 1 : 0 name = "prod-hub-dmz" description = "Prod hub DMZ (untrusted)" project = module.landing-project.project_id } -module "spokes-landing" { - for_each = var.regions +module "ncc-spokes-landing" { + for_each = var.enable_ncc_ra ? var.regions : {} source = "../../../modules/ncc-spoke-ra" name = "prod-spoke-landing-${local.region_shortnames[each.value]}" project_id = module.landing-project.project_id @@ -35,19 +46,19 @@ module "spokes-landing" { hub = { create = false, - id = google_network_connectivity_hub.hub_landing.id + id = google_network_connectivity_hub.hub_landing[0].id } router_appliances = [ - for key, config in local.nva_configs : + for key, config in local.bgp_nva_configs : { - internal_ip = module.nva[key].internal_ips[1] - vm_self_link = module.nva[key].self_link + internal_ip = module.nva-bgp[key].internal_ips[1] + vm_self_link = module.nva-bgp[key].self_link } if config.region == each.value ] router_config = { - asn = var.ncc_asn.landing + asn = local.ncc_asn.landing ip_interface0 = cidrhost( module.landing-vpc.subnet_ips["${each.value}/landing-default"], 201 ) 
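Review bot: Adding `count` to `google_network_connectivity_hub.hub_landing` / `hub_dmz` and renaming `spokes-landing` to `ncc-spokes-landing` changes the resource addresses, so a state that already holds these resources will plan a destroy and recreate of the hubs and spokes instead of an in-place update. The same applies to `spokes-dmz` → `ncc-spokes-dmz` further down, `nva` → `nva-bgp` in nva-bgp.tf, and `nva-cloud-config` / `nva-template` / `nva-mig` → `nva-simple-*` in nva-simple.tf, where recreating the appliances interrupts the landing/DMZ data path. Since the stage directory itself moves to `2-networking-b-nva`, existing users presumably need a state migration anyway, but `moved` blocks for the address changes would make the address part of that migration a no-op and deserve a mention in the README. The ASNs moved from `var.ncc_asn` into `local.ncc_asn` also lose their previous configurability; if that is intended, a comment on the local saying why they are fixed would help.
```hcl
# state moves for deployments migrating from 2-networking-e-nva-bgp
moved {
  from = google_network_connectivity_hub.hub_landing
  to   = google_network_connectivity_hub.hub_landing[0]
}

moved {
  from = module.spokes-landing
  to   = module.ncc-spokes-landing
}
# … unchanged: hub_dmz / spokes-dmz follow the same pattern …
```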
@@ -56,8 +67,8 @@ module "spokes-landing" { ) peer_asn = ( each.key == "primary" - ? var.ncc_asn.nva_primary - : var.ncc_asn.nva_secondary + ? local.ncc_asn.nva_primary + : local.ncc_asn.nva_secondary ) routes_priority = 100 @@ -80,8 +91,8 @@ module "spokes-landing" { } } -module "spokes-dmz" { - for_each = var.regions +module "ncc-spokes-dmz" { + for_each = var.enable_ncc_ra ? var.regions : {} source = "../../../modules/ncc-spoke-ra" name = "prod-spoke-dmz-${local.region_shortnames[each.value]}" project_id = module.landing-project.project_id @@ -89,19 +100,19 @@ module "spokes-dmz" { hub = { create = false, - id = google_network_connectivity_hub.hub_dmz.id + id = google_network_connectivity_hub.hub_dmz[0].id } router_appliances = [ - for key, config in local.nva_configs : + for key, config in local.bgp_nva_configs : { - internal_ip = module.nva[key].internal_ips[0] - vm_self_link = module.nva[key].self_link + internal_ip = module.nva-bgp[key].internal_ips[0] + vm_self_link = module.nva-bgp[key].self_link } if config.region == each.value ] router_config = { - asn = var.ncc_asn.dmz + asn = local.ncc_asn.dmz ip_interface0 = cidrhost( module.dmz-vpc.subnet_ips["${each.value}/dmz-default"], 201 ) @@ -110,8 +121,8 @@ module "spokes-dmz" { ) peer_asn = ( each.key == "primary" - ? var.ncc_asn.nva_primary - : var.ncc_asn.nva_secondary + ? local.ncc_asn.nva_primary + : local.ncc_asn.nva_secondary ) routes_priority = 100 diff --git a/fast/stages/2-networking-e-nva-bgp/nva.tf b/fast/stages/2-networking-b-nva/nva-bgp.tf similarity index 86% rename from fast/stages/2-networking-e-nva-bgp/nva.tf rename to fast/stages/2-networking-b-nva/nva-bgp.tf index 78e15100b8..4c30bc0f64 100644 --- a/fast/stages/2-networking-e-nva-bgp/nva.tf +++ b/fast/stages/2-networking-b-nva/nva-bgp.tf 
@@ -15,19 +15,17 @@ */ locals { - _nva_zones = ["b", "c"] - # The configurations used to create the NVA VMs. # # Rendered as following: - # nva_configs = { + # bgp_nva_configs = { # primary-b = {...} # primary-c = {...} # secondary-b = {...} # secondary-c = {...} # } - nva_configs = { - for v in setproduct(keys(var.regions), local._nva_zones) : + bgp_nva_configs = { + for v in setproduct(keys(var.regions), local.nva_zones) : join("-", v) => { # Each NVA announces its trusted regional subnets announce-to-nva = upper(v[0]) @@ -35,16 +33,16 @@ locals { # and peer with cross-regional NVAs. asn_nva = ( v[0] == "primary" - ? var.ncc_asn.nva_primary - : var.ncc_asn.nva_secondary + ? local.ncc_asn.nva_primary + : local.ncc_asn.nva_secondary ) asn_nva_cross_region = ( v[0] == "primary" - ? var.ncc_asn.nva_secondary - : var.ncc_asn.nva_primary + ? local.ncc_asn.nva_secondary + : local.ncc_asn.nva_primary ) - asn_landing = var.ncc_asn.landing - asn_dmz = var.ncc_asn.dmz + asn_landing = local.ncc_asn.landing + asn_dmz = local.ncc_asn.dmz # To guarantee traffic to remain symmetric, # NVAs need to advertise cross-region routes with a higher cost (10100) cost_primary = v[0] == "primary" ? "100" : "10100" @@ -82,11 +80,11 @@ locals { # in the landing and in the DMZ VPCs. ip_landing = cidrhost( module.landing-vpc.subnet_ips["${var.regions[v[0]]}/landing-default"], - 101 + index(var.zones, v[1]) + 101 + index(local.nva_zones, v[1]) ) ip_dmz = cidrhost( module.dmz-vpc.subnet_ips["${var.regions[v[0]]}/dmz-default"], - 101 + index(var.zones, v[1]) + 101 + index(local.nva_zones, v[1]) ) # Either primary or secondary name = v[0] 
@@ -100,11 +98,11 @@ locals { } } - # The routing_config should be aligned to the NVA NICs. + # The bgp_routing_config should be aligned to the NVA NICs. # For example: - # local.routing_config[0] configures eth0; - # local.routing_config[0] configures eth1. - routing_config = [ + # local.bgp_routing_config[0] configures eth0; + # local.bgp_routing_config[0] configures eth1. + bgp_routing_config = [ { enable_masquerading = true name = "dmz" @@ -124,10 +122,10 @@ locals { } module "nva-bgp-cloud-config" { - for_each = local.nva_configs + for_each = var.enable_ncc_ra ? local.bgp_nva_configs : {} source = "../../../modules/cloud-config-container/simple-nva" enable_health_checks = true - network_interfaces = local.routing_config + network_interfaces = local.bgp_routing_config frr_config = { config_file = templatefile("data/bgp-config.tftpl", each.value) daemons_enabled = ["bgpd"] @@ -137,7 +135,7 @@ module "nva-bgp-cloud-config" { # TODO: use address module resource "google_compute_address" "nva_static_ip_landing" { - for_each = local.nva_configs + for_each = var.enable_ncc_ra ? local.bgp_nva_configs : {} name = "nva-ip-landing-${each.value.shortname}-${each.value.zone}" project = module.landing-project.project_id subnetwork = module.landing-vpc.subnet_self_links["${each.value.region}/landing-default"] @@ -147,7 +145,7 @@ resource "google_compute_address" "nva_static_ip_landing" { } resource "google_compute_address" "nva_static_ip_dmz" { - for_each = local.nva_configs + for_each = var.enable_ncc_ra ? local.bgp_nva_configs : {} name = "nva-ip-dmz-${each.value.shortname}-${each.value.zone}" project = module.landing-project.project_id subnetwork = module.dmz-vpc.subnet_self_links["${each.value.region}/dmz-default"] 
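Review bot: The rewritten comment above `bgp_routing_config` still reads `# local.bgp_routing_config[0] configures eth0;` followed by `# local.bgp_routing_config[0] configures eth1.` — the second index should be `[1]`, otherwise the example contradicts the sentence it is meant to illustrate (and the interface/NIC alignment it documents is exactly what a reader checks when BGP peers on the wrong leg). Suggested line: `# local.bgp_routing_config[1] configures eth1.`. The `locals` block containing this comment starts before the hunk.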
@@ -156,12 +154,12 @@ resource "google_compute_address" "nva_static_ip_dmz" { region = each.value.region } -module "nva" { - for_each = local.nva_configs +module "nva-bgp" { + for_each = var.enable_ncc_ra ? local.bgp_nva_configs : {} source = "../../../modules/compute-vm" project_id = module.landing-project.project_id name = "nva-${each.value.shortname}-${each.value.zone}" - instance_type = "e2-standard-2" + instance_type = "e2-micro" can_ip_forward = true zone = "${each.value.region}-${each.value.zone}" tags = ["nva"] diff --git a/fast/stages/2-networking-c-nva/nva.tf b/fast/stages/2-networking-b-nva/nva-simple.tf similarity index 82% rename from fast/stages/2-networking-c-nva/nva.tf rename to fast/stages/2-networking-b-nva/nva-simple.tf index c2f1deae48..ba4c5a6909 100644 --- a/fast/stages/2-networking-c-nva/nva.tf +++ b/fast/stages/2-networking-b-nva/nva-simple.tf @@ -16,8 +16,8 @@ locals { # routing_config should be aligned to the NVA network interfaces - i.e. - # local.routing_config[0] sets up the first interface, and so on. - routing_config = [ + # local.simple_routing_config[0] sets up the first interface, and so on. + simple_routing_config = [ { name = "dmz" enable_masquerading = true @@ -31,8 +31,8 @@ locals { routes = [ var.gcp_ranges.gcp_dev_primary, var.gcp_ranges.gcp_dev_secondary, - var.gcp_ranges.gcp_landing_landing_primary, - var.gcp_ranges.gcp_landing_landing_secondary, + var.gcp_ranges.gcp_landing_primary, + var.gcp_ranges.gcp_landing_secondary, var.gcp_ranges.gcp_prod_primary, var.gcp_ranges.gcp_prod_secondary, ] 
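Review bot: `instance_type = "e2-micro"` on `module "nva-bgp"` moves the machine that carries all landing↔DMZ traffic from a standard 2-vCPU type to a shared-core one without a comment; e2-micro is fine for a demo, but it has a much lower egress bandwidth ceiling and this is the VM running both BGP sessions and masquerading. A note such as `# demo-sized; size the NVA for the expected inter-VPC throughput before production use` would make the intent clear to whoever inherits the stage. The same change is made to `nva-simple-template` in nva-simple.tf and should carry the same note.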
@@ -46,23 +46,23 @@ locals { zone = v[1] } } - nva_zones = ["b", "c"] } # NVA config -module "nva-cloud-config" { +module "nva-simple-cloud-config" { + count = var.enable_ncc_ra ? 0 : 1 source = "../../../modules/cloud-config-container/simple-nva" enable_health_checks = true - network_interfaces = local.routing_config + network_interfaces = local.simple_routing_config } -module "nva-template" { - for_each = local.nva_locality +module "nva-simple-template" { + for_each = var.enable_ncc_ra ? {} : local.nva_locality source = "../../../modules/compute-vm" project_id = module.landing-project.project_id - name = "nva-template-${each.key}" + name = "nva-simple-template-${each.key}" zone = "${each.value.region}-${each.value.zone}" - instance_type = "e2-standard-2" + instance_type = "e2-micro" tags = ["nva"] create_template = true can_ip_forward = true @@ -96,17 +96,17 @@ module "nva-template" { termination_action = "STOP" } metadata = { - user-data = module.nva-cloud-config.cloud_config + user-data = module.nva-simple-cloud-config[0].cloud_config } } -module "nva-mig" { - for_each = local.nva_locality +module "nva-simple-mig" { + for_each = var.enable_ncc_ra ? {} : local.nva_locality source = "../../../modules/compute-mig" project_id = module.landing-project.project_id location = each.value.region name = "nva-cos-${each.key}" - instance_template = module.nva-template[each.key].template.self_link + instance_template = module.nva-simple-template[each.key].template.self_link target_size = 1 auto_healing_policies = { initial_delay_sec = 30 @@ -120,7 +120,7 @@ module "nva-mig" { } module "ilb-nva-dmz" { - for_each = { + for_each = var.enable_ncc_ra ? {} : { for k, v in var.regions : k => { region = v subnet = "${v}/dmz-default" 
@@ -141,7 +141,7 @@ module "ilb-nva-dmz" { subnetwork = try(module.dmz-vpc.subnet_self_links[each.value.subnet], null) } backends = [ - for k, v in module.nva-mig : + for k, v in module.nva-simple-mig : { group = v.group_manager.instance_group } if startswith(k, each.key) ] @@ -154,7 +154,7 @@ module "ilb-nva-dmz" { } module "ilb-nva-landing" { - for_each = { + for_each = var.enable_ncc_ra ? {} : { for k, v in var.regions : k => { region = v subnet = "${v}/landing-default" @@ -175,7 +175,7 @@ module "ilb-nva-landing" { subnetwork = try(module.landing-vpc.subnet_self_links[each.value.subnet], null) } backends = [ - for k, v in module.nva-mig : + for k, v in module.nva-simple-mig : { group = v.group_manager.instance_group } if startswith(k, each.key) ] diff --git a/fast/stages/2-networking-c-nva/outputs.tf b/fast/stages/2-networking-b-nva/outputs.tf similarity index 95% rename from fast/stages/2-networking-c-nva/outputs.tf rename to fast/stages/2-networking-b-nva/outputs.tf index 42fe5d0649..e3c2be07ce 100644 --- a/fast/stages/2-networking-c-nva/outputs.tf +++ b/fast/stages/2-networking-b-nva/outputs.tf @@ -26,11 +26,15 @@ locals { prod-spoke-0 = module.prod-spoke-project.number } subnet_self_links = { + prod-dmz = module.dmz-vpc.subnet_self_links prod-landing = module.landing-vpc.subnet_self_links dev-spoke-0 = module.dev-spoke-vpc.subnet_self_links prod-spoke-0 = module.prod-spoke-vpc.subnet_self_links } subnet_proxy_only_self_links = { + prod-dmz = { + for k, v in module.dmz-vpc.subnets_proxy_only : k => v.id + } prod-landing = { for k, v in module.landing-vpc.subnets_proxy_only : k => v.id } @@ -42,6 +46,9 @@ locals { } } subnet_psc_self_links = { + prod-dmz = { + for k, v in module.dmz-vpc.subnets_psc : k => v.id + } prod-landing = { for k, v in module.landing-vpc.subnets_psc : k => v.id } 
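Review bot: Adding `prod-dmz` to `subnet_self_links`, `subnet_proxy_only_self_links` and `subnet_psc_self_links` in outputs.tf exports the DMZ subnets to the following stages alongside the landing ones, so service projects created downstream can now be attached to the untrusted side of the NVAs; nothing on the outputs side distinguishes the two trust levels. A short comment on the `prod-dmz` entries, e.g. `# dmz = untrusted side of the NVAs; downstream stages should attach to landing unless a workload must sit in the DMZ`, would keep that boundary visible to whoever consumes these outputs. The `locals` block holding these maps starts before the hunk.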
diff --git a/fast/stages/2-networking-e-nva-bgp/regions.tf b/fast/stages/2-networking-b-nva/regions.tf similarity index 100% rename from fast/stages/2-networking-e-nva-bgp/regions.tf rename to fast/stages/2-networking-b-nva/regions.tf diff --git a/fast/stages/2-networking-c-nva/test-resources.tf b/fast/stages/2-networking-b-nva/test-resources.tf similarity index 100% rename from fast/stages/2-networking-c-nva/test-resources.tf rename to fast/stages/2-networking-b-nva/test-resources.tf diff --git a/fast/stages/2-networking-e-nva-bgp/variables-fast.tf b/fast/stages/2-networking-b-nva/variables-fast.tf similarity index 100% rename from fast/stages/2-networking-e-nva-bgp/variables-fast.tf rename to fast/stages/2-networking-b-nva/variables-fast.tf diff --git a/fast/stages/2-networking-e-nva-bgp/variables.tf b/fast/stages/2-networking-b-nva/variables.tf similarity index 94% rename from fast/stages/2-networking-e-nva-bgp/variables.tf rename to fast/stages/2-networking-b-nva/variables.tf index 920e7a24f9..bb2fab1899 100644 --- a/fast/stages/2-networking-e-nva-bgp/variables.tf +++ b/fast/stages/2-networking-b-nva/variables.tf @@ -39,6 +39,12 @@ variable "alert_config" { } } +variable "create_test_instances" { + description = "Enables the creation of test VMs in each VPC, useful to test and troubleshoot connectivity." + type = bool + default = false +} + variable "dns" { description = "DNS configuration." type = object({ @@ -56,6 +62,13 @@ variable "enable_cloud_nat" { nullable = false } +variable "enable_ncc_ra" { + description = "Deploy NCC Router Appliance to create a BGP session between core VPCs and the appliances." + type = bool + default = false + nullable = false +} + variable "essential_contacts" { description = "Email used for essential contacts, unset if null." type = string 
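Review bot: `create_test_instances` is declared without `nullable = false` while `enable_ncc_ra`, added a few lines below in the same file, has it; if the test-resources code uses the variable in a `? :` conditional the way the `enable_ncc_ra` call sites do, an explicit `null` in tfvars fails at plan time with a less obvious error. Adding `nullable = false` keeps the two booleans consistent. The description of `enable_ncc_ra` could also say that it is not a safe toggle on a live deployment: both NVA implementations are gated on it with `count`/`for_each`, so flipping it destroys the simple MIGs/ILBs (or the BGP appliances) and recreates the other set, interrupting connectivity until the new appliances converge.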
@@ -98,17 +111,6 @@ variable "gcp_ranges" { } } -variable "ncc_asn" { - description = "The NCC Cloud Routers ASN configuration." - type = map(number) - default = { - nva_primary = 64513 - nva_secondary = 64514 - landing = 64515 - dmz = 64512 - } -} - variable "outputs_location" { description = "Path where providers and tfvars files for the following stages are written. Leave empty to disable." type = string @@ -232,9 +234,3 @@ variable "vpn_onprem_secondary_config" { }) default = null } - -variable "zones" { - description = "Zones in which NVAs are deployed." - type = list(string) - default = ["b", "c"] -} diff --git a/fast/stages/2-networking-c-nva/vpn-onprem.tf b/fast/stages/2-networking-b-nva/vpn-onprem.tf similarity index 100% rename from fast/stages/2-networking-c-nva/vpn-onprem.tf rename to fast/stages/2-networking-b-nva/vpn-onprem.tf diff --git a/fast/stages/2-networking-c-nva/README.md b/fast/stages/2-networking-c-nva/README.md deleted file mode 100644 index 1376301da0..0000000000 --- a/fast/stages/2-networking-c-nva/README.md +++ /dev/null 
@@ -1,491 +0,0 @@ -# Networking with Network Virtual Appliance - -This stage sets up the shared network infrastructure for the whole organization. - -It is designed for those who would like to leverage Network Virtual Appliances (NVAs) between landing and dmz areas of the network, for example for Intrusion Prevention System (IPS) purposes. - -It adopts the common “hub and spoke” reference design, which is well suited for multiple scenarios, and it offers several advantages versus other designs: - -- the "landing hub" VPC centralizes the external connectivity towards landing network resources (e.g. on-prem, other cloud environments and the spokes), and it is ready to host cross-environment services like CI/CD, code repositories, and monitoring probes -- the "spoke" VPCs allow partitioning workloads (e.g. by environment like in this setup), while still retaining controlled access to central connectivity and services -- Shared VPCs -both in hub and spokes- split the management of the network resources into specific (host) projects, while still allowing them to be consumed from the workload (service) projects -- the design facilitates DNS centralization - -Connectivity between the hub and the spokes is established via [VPC network peerings](https://cloud.google.com/vpc/docs/vpc-peering), which offer uncapped bandwidth, lower latencies, at no additional costs and with a very low management overhead. Different ways of implementing connectivity, and related some pros and cons, are discussed below. - -The diagram shows the high-level design and it should be used as a reference throughout the following sections. - -The final number of subnets, and their IP addressing will depend on the user-specific requirements. It can be easily changed via variables or external data files, without any need to edit the code. - -

- Networking diagram -

- -## Table of contents - -- [Networking with Network Virtual Appliance](#networking-with-network-virtual-appliance) - - [Table of contents](#table-of-contents) - - [Design overview and choices](#design-overview-and-choices) - - [Multi-regional deployment](#multi-regional-deployment) - - [VPC design](#vpc-design) - - [External connectivity](#external-connectivity) - - [Internal connectivity](#internal-connectivity) - - [IP ranges, subnetting, routing](#ip-ranges-subnetting-routing) - - [Internet egress](#internet-egress) - - [VPC and Hierarchical Firewall](#vpc-and-hierarchical-firewall) - - [DNS](#dns) - - [Stage structure and files layout](#stage-structure-and-files-layout) - - [VPCs](#vpcs) - - [VPNs](#vpns) - - [Routing and BGP](#routing-and-bgp) - - [Firewall](#firewall) - - [DNS architecture](#dns-architecture) - - [Cloud environment](#cloud-environment) - - [Cloud to on-prem](#cloud-to-on-prem) - - [On-prem to cloud](#on-prem-to-cloud) - - [How to run this stage](#how-to-run-this-stage) - - [Provider and Terraform variables](#provider-and-terraform-variables) - - [Impersonating the automation service account](#impersonating-the-automation-service-account) - - [Variable configuration](#variable-configuration) - - [Using delayed billing association for projects](#using-delayed-billing-association-for-projects) - - [Running the stage](#running-the-stage) - - [Post-deployment activities](#post-deployment-activities) - - [Private Google Access](#private-google-access) - - [Customizations](#customizations) - - [Changing default regions](#changing-default-regions) - - [Configuring the VPNs to on prem](#configuring-the-vpns-to-on-prem) - - [Adding an environment](#adding-an-environment) - - [Files](#files) - - [Variables](#variables) - - [Outputs](#outputs) - -## Design overview and choices - -### Multi-regional deployment - -The stage deploys the the infrastructure in two regions. By default, europe-west1 and europe-west4. 
Regional resources include NVAs (templates, MIGs, LBs) and test VMs. -This provides enough redundancy to be resilient to regional failures. - -### VPC design - -The "landing zone" is divided into two VPC networks: - -- the landing VPC: the connectivity hub towards other landing networks -- the dmz VPC: the connectivity hub towards any other dmz network - -The VPCs are connected with two sets of sample NVA machines, grouped in regional (multi-zone) [Managed Instance Groups (MIGs)](https://cloud.google.com/compute/docs/instance-groups). The appliances are plain Linux machines, performing simple routing/natting, leveraging some standard Linux features, such as *ip route* or *iptables*. The appliances are suited for demo purposes only and they should be replaced with enterprise-grade solutions before moving to production. -The traffic destined to the VMs in each MIG is mediated through regional internal load balancers, both in the landing and in the dmz networks. - -By default, the design assumes the following: - -- on-premise networks (and related resources) are considered landing. As such, the VPNs connecting with on-premises are terminated in GCP, in the landing VPC -- the public Internet is considered dmz. As such [Cloud NAT](https://cloud.google.com/nat/docs/overview) is deployed in the dmz landing VPC only -- cross-environment traffic and traffic from any dmz network to any landing network (and vice versa) pass through the NVAs. For demo purposes, the current NVA performs simple routing/natting only -- any traffic from a landing network to an dmz network (e.g. Internet) is natted by the NVAs. Users can configure further exclusions - -The landing landing VPC acts as a hub: it bridges internal resources with the outside world and it hosts the shared services consumed by the spoke VPCs, connected to the hub through VPC network peerings. Spokes are used to partition the environments. 
By default: - -- one spoke VPC hosts the development environment resources -- one spoke VPC hosts the production environment resources - -Each virtual network is a [shared VPC](https://cloud.google.com/vpc/docs/shared-vpc): shared VPCs are managed in dedicated *host projects* and shared with other *service projects* that consume the network resources. -Shared VPC lets organization administrators delegate administrative responsibilities, such as creating and managing instances, to Service Project Admins while maintaining centralized control over network resources like subnets, routes, and firewalls. - -Users can easily extend the design to host additional environments, or adopt different logical mappings for the spokes (for example, in order to create a new spoke for each company entity). Adding spokes is trivial and it does not increase the design complexity. The steps to add more spokes are provided in the following sections. - -In multi-organization scenarios, where production and non-production resources use different Cloud Identity and GCP organizations, the hub/landing VPC is usually part of the production organization. It establishes connections with the production spokes within the same organization, and with non-production spokes in a different organization. - -### External connectivity - -External connectivity to on-prem is implemented leveraging [Cloud HA VPN](https://cloud.google.com/network-connectivity/docs/vpn/concepts/topologies) (two tunnels per region). This is what users normally deploy as a final solution, or to validate routing and to transfer data, while waiting for [interconnects](https://cloud.google.com/network-connectivity/docs/interconnect) to be provisioned. - -Connectivity to additional on-prem sites or to other cloud providers should be implemented in a similar fashion, via VPN tunnels or interconnects, in the landing VPC (either landing or dmz, depending by the nature of the peers), sharing the same regional routers. 
- -### Internal connectivity - -Internal connectivity (e.g. between the landing landing VPC and the spokes) is realized with VPC network peerings. As mentioned, there are other ways to implement connectivity. These can be easily retrofitted with minimal code changes, although they introduce additional considerations on service interoperability, quotas and management. - -This is an options summary: - -- [VPC Peering](https://cloud.google.com/vpc/docs/vpc-peering) (used here to connect the landing landing VPC with the spokes, also used by [02-networking-a-simple](../2-networking-a-simple/)) - - Pros: no additional costs, full bandwidth with no configurations, no extra latency - - Cons: no transitivity (e.g. to GKE masters, Cloud SQL, etc.), no selective exchange of routes, several quotas and limits shared between VPCs in a peering group -- [Multi-NIC appliances](https://cloud.google.com/architecture/best-practices-vpc-design#multi-nic) (used here to connect the landing landing and dmz VPCs) and multi-NIC appliances with NCC/BGP support implemented [here](../2-networking-e-nva-bgp/) - - Pros: provides additional security features (e.g. 
IPS), potentially better integration with on-prem systems by using the same vendor - - Cons: complex HA/failover setup, limited by VM bandwidth and scale, additional costs for VMs and licenses, out of band management of a critical cloud component -- [HA VPN](https://cloud.google.com/network-connectivity/docs/vpn/concepts/topologies) (used by [02-networking-a-simple](../2-networking-a-simple/) in VPN mode) - - Pros: simple compatibility with GCP services that leverage peering internally, better control on routes, avoids peering groups shared quotas and limits - - Cons: additional costs, marginal increase in latency, requires multiple tunnels for full bandwidth - -### IP ranges, subnetting, routing - -Minimizing the number of routes (and subnets) in the cloud environment is important, as it simplifies management and it avoids hitting [Cloud Router](https://cloud.google.com/network-connectivity/docs/router/quotas) and [VPC](https://cloud.google.com/vpc/docs/quota) quotas and limits. For this reason, we recommend to carefully plan the IP space used in your cloud environment. This allows the use of larger IP CIDR blocks in routes, whenever possible. - -This stage uses a dedicated /11 block (10.64.0.0/11), which should be sized to the own needs. The subnets created in each VPC derive from this range. - -The /11 block is evenly split in eight, smaller /16 blocks, assigned to different areas of the GCP network: *landing dmz europe-west1*, *landing dmz europe-west4*, *landing landing europe-west1*, *landing dmz europe-west4*, *development europe-west1*, *development europe-west4*, *production europe-west1*, *production europe-west4*. - -The first /24 range in every area is allocated for a default subnet, which can be removed or modified as needed. 
The last three /24 ranges can be used for [PSA (Private Service Access)](https://cloud.google.com/vpc/docs/private-services-access)via the `psa_ranges` variable, or for [Internal Application Load Balancers (L7 LBs)](https://cloud.google.com/load-balancing/docs/l7-internal) subnets via the factory. - -This is a summary of the subnets allocated by default in this setup: - -| name | description | CIDR | -|---|---|---| -| landing-default-ew1 | landing landing subnet - europe-west1 | 10.128.64.0/24 | -| landing-default-ew4 | landing landing subnet - europe-west4 | 10.128.96.0/24 | -| dmz-default-ew1 | dmz landing subnet - europe-west1 | 10.128.0.0/24 | -| dmz-default-ew4 | dmz landing subnet - europe-west4 | 10.128.32.0/24 | -| dev-default-ew1 | Dev spoke subnet - europe-west1 | 10.68.0.0/24 | -| dev-default-ew1 | Free (PSA) - europe-west1 | 10.68.253.0/24 | -| dev-default-ew1 | Free (PSA) - europe-west1 | 10.68.254.0/24 | -| dev-default-ew1 | Free (L7 ILB) - europe-west1 | 10.68.255.0/24 | -| dev-default-ew4 | Dev spoke subnet - europe-west4 | 10.84.0.0/24 | -| dev-default-ew4 | Free (PSA) - europe-west4 | 10.84.253.0/24 | -| dev-default-ew4 | Free (PSA) - europe-west4 | 10.84.254.0/24 | -| dev-default-ew4 | Free (L7 ILB) - europe-west4 | 10.84.255.0/24 | -| prod-default-ew1 | Prod spoke subnet - europe-west1 | 10.72.0.0/24 | -| prod-default-ew1 | Free (PSA) - europe-west1 | 10.72.253.0/24 | -| prod-default-ew1 | Free (PSA) - europe-west1 | 10.72.254.0/24 | -| prod-default-ew1 | Free (L7 ILB) - europe-west1 | 10.72.255.0/24 | -| prod-default-ew4 | Prod spoke subnet - europe-west4 | 10.88.0.0/24 | -| prod-default-ew4 | Free (PSA) - europe-west4 | 10.88.253.0/24 | -| prod-default-ew4 | Free (PSA) - europe-west4 | 10.88.254.0/24 | -| prod-default-ew4 | Free (L7 ILB) - europe-west4 | 10.88.255.0/24 | - -These subnets can be advertised to on-premises as an aggregate /11 range (10.64.0.0/11). 
Refer to the `var.vpn_onprem_primary_config.router_config` and `var.vpn_onprem_secondary_config.router_config` variables to configure it. - -Routes in GCP are either automatically created (for example, when a subnet is added to a VPC), manually created via static routes, dynamically exchanged through VPC peerings, or dynamically programmed by [Cloud Routers](https://cloud.google.com/network-connectivity/docs/router#docs) when a BGP session is established. BGP sessions can be configured to advertise VPC ranges, and/or custom ranges via custom advertisements. - -In this setup: - -- routes between multiple subnets within the same VPC are automatically exchanged by GCP -- the spokes and the landing landing VPC exchange routes through VPC peerings -- on-premises is connected to the landing landing VPC and it dynamically exchanges BGP routes with GCP (with the landing VPC) using HA VPN -- for cross-environment (spokes) communications, and for connections to on-premises and to the Internet, the spokes leverage some default tagged routes that send the traffic of each region (whose machines are identified by a dedicated network tag, e.g. *ew1*) to a corresponding regional NVA in the landing VPC, through an ILB (whose VIP is set as the route next-hop) -- the spokes are configured with backup default routes, so if the NVAs in the same region become unavailable, more routes to the NVAs in the other region are already available. Current routes are not able to understand if the next-hop ILBs become unhealthy. 
As such, in case of a regional failure, users will need to manually withdraw the primary default routes, so the secondaries will take over -- the NVAs are configured with static routes that allow the communication with on-premises and between the GCP resources (including the cross-environment communication) - -The Cloud Routers (connected to the VPN gateways in the landing VPC) are configured to exclude the default advertisement of VPC ranges and they only advertise their respective aggregate ranges, via custom advertisements. This greatly simplifies the routing configuration and avoids quota or limit issues, by keeping the number of routes small, instead of making it proportional to the subnets and to the secondary ranges in the VPCs. - -### Internet egress - -In this setup, Internet egress is realized through [Cloud NAT](https://cloud.google.com/nat/docs/overview), deployed in the dmz landing VPC. This allows instances in all other VPCs to reach the Internet, passing through the NVAs (being the public Internet considered dmz). Cloud NAT is disabled by default; enable it by setting the `enable_cloud_nat` variable - -Several other scenarios are possible, with various degrees of complexity: - -- deploy Cloud NAT in every VPC -- add forwarding proxies, with optional URL filters -- send Internet traffic to on-premises, so the existing egress infrastructure can be leveraged - -Future pluggable modules will allow users to easily experiment with the above scenarios. - -### VPC and Hierarchical Firewall - -The GCP Firewall is a stateful, distributed feature that allows the creation of L4 policies, either via VPC-level rules or -more recently- via hierarchical policies, applied on the resource hierarchy (organization, folders). - -The current setup adopts both firewall types. 
Hierarchical firewall rules are applied in the networking folder for common ingress rules (egress is open by default): for example, it allows the health checks and the IAP forwarders traffic to reach the VMs. - -Rules and policies are defined in simple YAML files, described below. - -### DNS - -DNS goes hand in hand with networking, especially on GCP where Cloud DNS zones and policies are associated at the VPC level. This setup implements both DNS flows: - -- on-prem to cloud via private zones for cloud-managed domains, and an [inbound policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) used as forwarding target or via delegation (requires some extra configuration) from on-prem DNS resolvers -- cloud to on-prem via forwarding zones for the on-prem managed domains - -DNS configuration is further centralized by leveraging peering zones, so that - -- the hub/landing Cloud DNS hosts configurations for on-prem forwarding, Google API domains, and the top-level private zone/s (e.g. gcp.example.com) -- the spokes Cloud DNS host configurations for the environment-specific domains (e.g. prod.gcp.example.com), which are bound to the hub/landing leveraging [cross-project binding](https://cloud.google.com/dns/docs/zones/zones-overview#cross-project_binding); a peering zone for the `.` (root) zone is then created on each spoke, delegating all DNS resolution to hub/landing. 
-- Private Google Access is enabled via [DNS Response Policies](https://cloud.google.com/dns/docs/zones/manage-response-policies#create-response-policy-rule) for most of the [supported domains](https://cloud.google.com/vpc/docs/configure-private-google-access#domain-options) - -To complete the configuration, the 35.199.192.0/19 range should be routed to the VPN tunnels from on-premises, and the following names should be configured for DNS forwarding to cloud: - -- `private.googleapis.com` -- `restricted.googleapis.com` -- `gcp.example.com` (used as a placeholder) - -In GCP, a forwarding zone in the landing project is configured to forward queries to the placeholder domain `onprem.example.com` to on-premises. - -This configuration is battle-tested, and flexible enough to lend itself to simple modifications without subverting its design. - -## Stage structure and files layout - -### VPCs - -VPCs are defined in separate files, one for `landing` (landing and dmz), one for `prod` and one for `dev`. - -These files contain different resources: - -- **project** ([`projects`](../../../modules/project)): the "[host projects](https://cloud.google.com/vpc/docs/shared-vpc)" containing the VPCs and enabling the required APIs. -- **VPCs** ([`net-vpc`](../../../modules/net-vpc)): manages the subnets, the explicit routes for `{private,restricted}.googleapis.com` and the DNS inbound policy for the landing landing VPC. Non-infrastructural subnets are created leveraging resource factories. Sample subnets are shipped in [data/subnets](./data/subnets) and can be easily customized to fit users' needs. [PSA](https://cloud.google.com/vpc/docs/configure-private-services-access#allocating-range) are configured by the variable `psa_ranges` if managed services are needed. -- **Cloud NAT** ([`net-cloudnat`](../../../modules/net-cloudnat)) (in the dmz landing VPC only): it manages the networking infrastructure required to enable the Internet egress. 
- -### VPNs - -The connectivity between on-premises and GCP (the landing landing VPC) is implemented with Cloud HA VPN ([`net-vpn`](../../../modules/net-vpn-ha)) and defined in [`vpn-onprem.tf`](./vpn-onprem.tf). The file implements a single logical connection between on-premises and the landing landing VPC, both in `europe-west1` and `europe-west4`. The relevant parameters for its configuration are found in the variables `vpn_onprem_primary_config` and `vpn_onprem_secondary_config`. - -### Routing and BGP - -Each VPC network ([`net-vpc`](../../../modules/net-vpc)) manages a separate routing table, which can define static routes (e.g. to private.googleapis.com) and receives dynamic routes through VPC peering and BGP sessions established with the neighbor networks (e.g. the landing landing VPC receives routes from on-premises, and the spokes receive RFC1918 from the landing landing VPC). - -Static routes are defined in `vpc-*.tf` files in the `routes` section of each `net-vpc` module. - -BGP sessions for landing landing to on-premises are configured through the variable `vpn_onprem_configs`. - -### Firewall - -**VPC firewall rules** ([`net-vpc-firewall`](../../../modules/net-vpc-firewall)) are defined per-vpc on each `vpc-*.tf` file and leverage a resource factory to massively create rules. -To add a new firewall rule, create a new file or edit an existing one in the `data_folder` directory defined in the module `net-vpc-firewall`, following the examples of the "[Rules factory](../../../modules/net-vpc-firewall#rules-factory)" section of the module documentation. Sample firewall rules are shipped in [data/firewall-rules/dmz](./data/firewall-rules/dmz) and in [data/firewall-rules/landing](./data/firewall-rules/landing), and can be easily customized. 
- -**Hierarchical firewall policies** ([`folder`](../../../modules/folder)) are defined in `main.tf` and managed through a policy factory implemented by the `net-firewall-policy` module, which is then applied to the `Networking` folder containing all the core networking infrastructure. Policies are defined in the `rules_file` file, to define a new one simply use the [firewall policy module documentation](../../../modules/net-firewall-policy/README.md#factory)". Sample hierarchical firewall rules are shipped in [data/hierarchical-ingress-rules.yaml](./data/hierarchical-ingress-rules.yaml) and can be easily customised. - -### DNS architecture - -The DNS ([`dns`](../../../modules/dns)) infrastructure is defined in [`dns-*.tf`] files. - -Cloud DNS manages onprem forwarding, the main GCP zone (in this example `gcp.example.com`) and environment-specific zones (i.e. `dev.gcp.example.com` and `prod.gcp.example.com`). - -#### Cloud environment - -The root DNS zone defined in the landing project acts as the source of truth for DNS within the Cloud environment. The resources defined in the spoke VPCs consume the landing DNS infrastructure through DNS peering (e.g. `prod-landing-root-dns-peering`). -The spokes can optionally define private zones (e.g. `prod-dns-private-zone`). Granting visibility both to the landing and dmz landing VPCs ensures that the whole cloud environment can query such zones. - -#### Cloud to on-prem - -Leveraging the forwarding zone defined in the landing project (e.g. `onprem-example-dns-forwarding` and `reverse-10-dns-forwarding`), the cloud environment can resolve `in-addr.arpa.` and `onprem.example.com.` using the on-premise DNS infrastructure. On-premise resolver IPs are set in the variable `dns.onprem`. - -DNS queries sent to the on-premise infrastructure come from the `35.199.192.0/19` source range. 
- -#### On-prem to cloud - -The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in the *landing landing VPC module* ([`net-landing.tf`](./net-landing.tf)) automatically reserves the first available IP address on each subnet (typically the third one in a CIDR) to expose the Cloud DNS service, so that it can be consumed from outside of GCP. - -## How to run this stage - -This stage is meant to be executed after the [resource management](../1-resman) stage has run, as it leverages the automation service account and bucket created there, and additional resources configured in the [bootstrap](../0-bootstrap) stage. - -It's of course possible to run this stage in isolation, but that's outside the scope of this document, and you would need to refer to the code for the previous stages for the environmental requirements. - -Before running this stage, you need to make sure you have the correct credentials and permissions, and localize variables by assigning values that match your configuration. - -### Provider and Terraform variables - -As all other FAST stages, the [mechanism used to pass variable values and pre-built provider files from one stage to the next](../0-bootstrap/README.md#output-files-and-cross-stage-variables) is also leveraged here. - -The commands to link or copy the provider and terraform variable files can be easily derived from the `stage-links.sh` script in the FAST root folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run. 
- -```bash -../../stage-links.sh ~/fast-config - -# copy and paste the following commands for '2-networking-*' - -ln -s ~/fast-config/providers/2-networking-providers.tf ./ -ln -s ~/fast-config/tfvars/0-globals.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/0-bootstrap.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/1-resman.auto.tfvars.json ./ -``` - -```bash -../../stage-links.sh gs://xxx-prod-iac-core-outputs-0 - -# copy and paste the following commands for '2-networking-*' - -gcloud alpha storage cp gs://xxx-prod-iac-core-outputs-0/providers/2-networking-providers.tf ./ -gcloud alpha storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-globals.auto.tfvars.json ./ -gcloud alpha storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-bootstrap.auto.tfvars.json ./ -gcloud alpha storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/1-resman.auto.tfvars.json ./ -``` - -### Impersonating the automation service account - -The preconfigured provider file uses impersonation to run with this stage's automation service account's credentials. The `gcp-devops` and `organization-admins` groups have the necessary IAM bindings in place to do that, so make sure the current user is a member of one of those groups. 
- -### Variable configuration - -Variables in this stage -- like most other FAST stages -- are broadly divided into three separate sets: - -- variables which refer to global values for the whole organization (org id, billing account id, prefix, etc.), which are pre-populated via the `0-globals.auto.tfvars.json` file linked or copied above -- variables which refer to resources managed by previous stage, which are prepopulated here via the `0-bootstrap.auto.tfvars.json` and `1-resman.auto.tfvars.json` files linked or copied above -- and finally variables that optionally control this stage's behaviour and customizations, and can to be set in a custom `terraform.tfvars` file - -The latter set is explained in the [Customization](#customizations) sections below, and the full list can be found in the [Variables](#variables) table at the bottom of this document. - -Note that the `outputs_location` variable is disabled by default, you need to explicitly set it in your `terraform.tfvars` file if you want output files to be generated by this stage. 
This is a sample `terraform.tfvars` that configures it, refer to the [bootstrap stage documentation](../0-bootstrap/README.md#output-files-and-cross-stage-variables) for more details: - -```tfvars -outputs_location = "~/fast-config" -``` - -### Using delayed billing association for projects - -This configuration is possible but unsupported and only exists for development purposes, use at your own risk: - -- temporarily switch `billing_account.id` to `null` in `0-globals.auto.tfvars.json` -- for each project resources in the project modules used in this stage (`dev-spoke-project`, `landing-project`, `prod-spoke-project`) - - apply using `-target`, for example - `terraform apply -target 'module.landing-project.google_project.project[0]'` - - untaint the project resource after applying, for example - `terraform untaint 'module.landing-project.google_project.project[0]'` -- go through the process to associate the billing account with the two projects -- switch `billing_account.id` back to the real billing account id -- resume applying normally - -### Running the stage - -Once provider and variable values are in place and the correct user is configured, the stage can be run: - -```bash -terraform init -terraform apply -``` - -### Post-deployment activities - -- On-prem routers should be configured to advertise all relevant CIDRs to the GCP environments. To avoid hitting GCP quotas, we recommend aggregating routes as much as possible. -- On-prem routers should accept BGP sessions from their cloud peers. -- On-prem DNS servers should have forward zones for GCP-managed ones. 
- -#### Private Google Access - -[Private Google Access](https://cloud.google.com/vpc/docs/private-google-access) (or PGA) enables VMs and on-prem systems to consume Google APIs from within the Google network, and is already fully configured on this environment: - -- DNS response policies in the landing project implement rules for all supported domains reachable via PGA -- routes for the private and restricted ranges are defined in all VPCs except dmz - -To enable PGA access from on premises advertise the private/restricted ranges via the `vpn_onprem_primary_config` and `vpn_onprem_secondary_config` variables, using router or tunnel custom advertisements. - -## Customizations - -### Changing default regions - -Regions are defined via the `regions` variable which sets up a mapping between the `regions.primary` and `regions.secondary` logical names and actual GCP region names. If you need to change regions from the defaults: - -- change the values of the mappings in the `regions` variable to the regions you are going to use -- change the regions in the factory subnet files in the `data` folder - -### Configuring the VPNs to on prem - -This stage includes basic support for an HA VPN connecting the landing zone in the primary region to on prem. Configuration is via the `vpn_onprem_primary_config` and `vpn_onprem_secondary_config` variables, that closely mirrors the variables defined in the [`net-vpn-ha`](../../../modules/net-vpn-ha/). 
- -Support for the onprem VPNs is disabled by default so that no resources are created, this is an example of how to configure one variable to enable the VPN in the primary region: - -```tfvars -vpn_onprem_primary_config = { - peer_external_gateways = { - default = { - redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" - interfaces = ["8.8.8.8"] - } - } - router_config = { - asn = 65501 - custom_advertise = { - all_subnets = false - ip_ranges = { - "10.1.0.0/16" = "gcp" - "35.199.192.0/19" = "gcp-dns" - "199.36.153.4/30" = "gcp-restricted" - } - } - } - tunnels = { - "0" = { - bgp_peer = { - address = "169.254.1.1" - asn = 65500 - } - bgp_session_range = "169.254.1.2/30" - peer_external_gateway_interface = 0 - shared_secret = "foo" - vpn_gateway_interface = 0 - } - "1" = { - bgp_peer = { - address = "169.254.2.1" - asn = 64513 - } - bgp_session_range = "169.254.2.2/30" - peer_external_gateway_interface = 1 - shared_secret = "foo" - vpn_gateway_interface = 1 - } - } -} -``` - -### Adding an environment - -To create a new environment (e.g. `staging`), a few changes are required: - -Create a `net-staging.tf` file by copying `net-prod.tf` file. -Adapt the new file by replacing the value "prod" with the value "staging". -Running `diff net-dev.tf net-prod.tf` can help to see how environment files differ. - -The new VPC requires a set of dedicated CIDRs, one per region, added to variable `gcp_ranges` (for example as `spoke_staging_ew1` and `spoke_staging_ew4`). ->`gcp_ranges` is a map that "resolves" CIDR names to the actual addresses, and will be used later to configure routing. -> -Variables managing L7 Internal Load Balancers (`l7ilb_subnets`) and Private Service Access (`psa_ranges`) should also be adapted, and subnets and firewall rules for the new spoke should be added, as described above. - -DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS resolution to Landing through DNS peering, and optionally define a private zone (e.g. 
`dev.gcp.example.com`) which the landing peers to. To configure DNS for a new environment, copy one of the other environments DNS files [e.g. (dns-dev.tf)](dns-dev.tf) into a new `dns-*.tf` file suffixed with the environment name (e.g. `dns-staging.tf`), and update its content accordingly. Don't forget to add a peering zone from the landing to the newly created environment private zone.
-
-
-
-## Files
-
-| name | description | modules | resources |
-|---|---|---|---|
-| [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | dns | |
-| [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | dns · dns-response-policy | |
-| [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | dns | |
-| [main.tf](./main.tf) | Networking folder and hierarchical policy. | folder · net-firewall-policy | |
-| [monitoring-vpn-onprem.tf](./monitoring-vpn-onprem.tf) | VPN monitoring alerts. | | google_monitoring_alert_policy |
-| [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | google_monitoring_dashboard |
-| [net-dev.tf](./net-dev.tf) | Dev spoke VPC and related resources. | net-vpc · net-vpc-firewall · net-vpc-peering · project | |
-| [net-landing.tf](./net-landing.tf) | Landing VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | |
-| [net-prod.tf](./net-prod.tf) | Production spoke VPC and related resources. | net-vpc · net-vpc-firewall · net-vpc-peering · project | |
-| [nva.tf](./nva.tf) | None | compute-mig · compute-vm · simple-nva | |
-| [outputs.tf](./outputs.tf) | Module outputs. | | google_storage_bucket_object · local_file |
-| [regions.tf](./regions.tf) | Compute short names for regions. | | |
-| [test-resources.tf](./test-resources.tf) | Temporary instances for testing | | |
-| [variables-fast.tf](./variables-fast.tf) | None | | |
-| [variables.tf](./variables.tf) | Module variables.
| | |
-| [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | net-vpn-ha | |
-
-## Variables
-
-| name | description | type | required | default | producer |
-|---|---|:---:|:---:|:---:|:---:|
-| [automation](variables-fast.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap |
-| [billing_account](variables-fast.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap |
-| [folder_ids](variables-fast.tf#L57) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman |
-| [organization](variables.tf#L107) | Organization details. | object({…}) | ✓ | | 0-bootstrap |
-| [prefix](variables-fast.tf#L67) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap |
-| [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | |
-| [create_test_instances](variables.tf#L42) | Enables the creation of test VMs in each VPC, useful to test and troubleshoot connectivity. | bool | | false | |
-| [custom_roles](variables-fast.tf#L38) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
-| [dns](variables.tf#L48) | DNS configuration. | object({…}) | | {} | |
-| [enable_cloud_nat](variables.tf#L58) | Deploy Cloud NAT. | bool | | false | |
-| [essential_contacts](variables.tf#L65) | Email used for essential contacts, unset if null. | string | | null | |
-| [factories_config](variables.tf#L71) | Configuration for network resource factories. | object({…}) | | {…} | |
-| [fast_features](variables-fast.tf#L47) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap |
-| [gcp_ranges](variables.tf#L92) | GCP address ranges in name => range format.
| map(string) | | {…} | |
-| [outputs_location](variables.tf#L117) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
-| [psa_ranges](variables.tf#L123) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | {} | |
-| [regions](variables.tf#L143) | Region definitions. | object({…}) | | {…} | |
-| [service_accounts](variables-fast.tf#L77) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman |
-| [vpn_onprem_primary_config](variables.tf#L155) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | |
-| [vpn_onprem_secondary_config](variables.tf#L198) | VPN gateway configuration for onprem interconnection in the secondary region. | object({…}) | | null | |
-
-## Outputs
-
-| name | description | sensitive | consumers |
-|---|---|:---:|---|
-| [host_project_ids](outputs.tf#L88) | Network project ids. | | |
-| [host_project_numbers](outputs.tf#L93) | Network project numbers. | | |
-| [ping_commands](outputs.tf#L98) | Ping commands for test instances to be run to check VPC reachability. | | |
-| [shared_vpc_self_links](outputs.tf#L103) | Shared VPC host projects. | | |
-| [tfvars](outputs.tf#L108) | Terraform variables file for the following stages. | ✓ | |
-| [vpn_gateway_endpoints](outputs.tf#L114) | External IP Addresses for the GCP VPN gateways. | | |
-
diff --git a/fast/stages/2-networking-c-nva/main.tf b/fast/stages/2-networking-c-nva/main.tf
deleted file mode 100644
index dc58000c7d..0000000000
--- a/fast/stages/2-networking-c-nva/main.tf
+++ /dev/null
@@ -1,68 +0,0 @@
-/**
- * Copyright 2023 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Networking folder and hierarchical policy.
-
-locals {
- custom_roles = coalesce(var.custom_roles, {})
- # combine all regions from variables and subnets
- regions = distinct(concat(
- values(var.regions),
- values(module.dev-spoke-vpc.subnet_regions),
- values(module.landing-vpc.subnet_regions),
- values(module.dmz-vpc.subnet_regions),
- values(module.prod-spoke-vpc.subnet_regions),
- ))
- service_accounts = {
- for k, v in coalesce(var.service_accounts, {}) :
- k => "serviceAccount:${v}" if v != null
- }
- stage3_sas_delegated_grants = [
- "roles/composer.sharedVpcAgent",
- "roles/compute.networkUser",
- "roles/compute.networkViewer",
- "roles/container.hostServiceAgentUser",
- "roles/multiclusterservicediscovery.serviceAgent",
- "roles/vpcaccess.user",
- ]
-}
-
-module "folder" {
- source = "../../../modules/folder"
- parent = "organizations/${var.organization.id}"
- name = "Networking"
- folder_create = var.folder_ids.networking == null
- id = var.folder_ids.networking
- contacts = (
- var.essential_contacts == null
- ?
{}
- : { (var.essential_contacts) = ["ALL"] }
- )
- firewall_policy = {
- name = "default"
- policy = module.firewall-policy-default.id
- }
-}
-
-module "firewall-policy-default" {
- source = "../../../modules/net-firewall-policy"
- name = var.factories_config.firewall_policy_name
- parent_id = module.folder.id
- factories_config = {
- cidr_file_path = "${var.factories_config.data_dir}/cidrs.yaml"
- ingress_rules_file_path = "${var.factories_config.data_dir}/hierarchical-ingress-rules.yaml"
- }
-}
diff --git a/fast/stages/2-networking-c-nva/regions.tf b/fast/stages/2-networking-c-nva/regions.tf
deleted file mode 100644
index c49b9a1c04..0000000000
--- a/fast/stages/2-networking-c-nva/regions.tf
+++ /dev/null
@@ -1,42 +0,0 @@ -/** - * Copyright 2023 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -# tfdoc:file:description Compute short names for regions. - -locals { - # only map when the first character would not work - _region_cardinal = { - southeast = "se" - } - # only map when the first character would not work - _region_geo = { - australia = "o" - } - # split in [geo, cardinal, number] tokens - _region_tokens = { - for v in local.regions : v => regexall("(?:[a-z]+)|(?:[0-9]+)", v) - } - region_shortnames = { - for k, v in local._region_tokens : k => join("", [ - # first token via geo alias map or first character - lookup(local._region_geo, v[0], substr(v[0], 0, 1)), - # first token via cardinal alias map or first character - lookup(local._region_cardinal, v[1], substr(v[1], 0, 1)), - # region number as is - v[2] - ]) - } -} diff --git a/fast/stages/2-networking-c-nva/variables-fast.tf b/fast/stages/2-networking-c-nva/variables-fast.tf deleted file mode 100644 index 22c9cffa96..0000000000 --- a/fast/stages/2-networking-c-nva/variables-fast.tf +++ /dev/null 
@@ -1,89 +0,0 @@ -/** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -variable "automation" { - # tfdoc:variable:source 0-bootstrap - description = "Automation resources created by the bootstrap stage." - type = object({ - outputs_bucket = string - }) -} - -variable "billing_account" { - # tfdoc:variable:source 0-bootstrap - description = "Billing account id. If billing account is not part of the same org set `is_org_level` to false." - type = object({ - id = string - is_org_level = optional(bool, true) - }) - validation { - condition = var.billing_account.is_org_level != null - error_message = "Invalid `null` value for `billing_account.is_org_level`." - } -} - -variable "custom_roles" { - # tfdoc:variable:source 0-bootstrap - description = "Custom roles defined at the org level, in key => id format." - type = object({ - service_project_network_admin = string - }) - default = null -} - -variable "fast_features" { - # tfdoc:variable:source 0-0-bootstrap - description = "Selective control for top-level FAST features." - type = object({ - gcve = optional(bool, false) - }) - default = {} - nullable = false -} - -variable "folder_ids" { - # tfdoc:variable:source 1-resman - description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created." 
- type = object({ - networking = string - networking-dev = string - networking-prod = string - }) -} - -variable "prefix" { - # tfdoc:variable:source 0-bootstrap - description = "Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants." - type = string - validation { - condition = try(length(var.prefix), 0) < 12 - error_message = "Use a maximum of 9 chars for organizations, and 11 chars for tenants." - } -} - -variable "service_accounts" { - # tfdoc:variable:source 1-resman - description = "Automation service accounts in name => email format." - type = object({ - data-platform-dev = string - data-platform-prod = string - gke-dev = string - gke-prod = string - project-factory-dev = string - project-factory-prod = string - }) - default = null -} diff --git a/fast/stages/2-networking-c-nva/variables.tf b/fast/stages/2-networking-c-nva/variables.tf deleted file mode 100644 index 5e8535c9fe..0000000000 --- a/fast/stages/2-networking-c-nva/variables.tf +++ /dev/null 
@@ -1,239 +0,0 @@ -/** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -variable "alert_config" { - description = "Configuration for monitoring alerts." - type = object({ - vpn_tunnel_established = optional(object({ - auto_close = optional(string, null) - duration = optional(string, "120s") - enabled = optional(bool, true) - notification_channels = optional(list(string), []) - user_labels = optional(map(string), {}) - })) - vpn_tunnel_bandwidth = optional(object({ - auto_close = optional(string, null) - duration = optional(string, "120s") - enabled = optional(bool, true) - notification_channels = optional(list(string), []) - threshold_mbys = optional(string, "187.5") - user_labels = optional(map(string), {}) - })) - }) - default = { - vpn_tunnel_established = {} - vpn_tunnel_bandwidth = {} - } -} - -variable "create_test_instances" { - description = "Enables the creation of test VMs in each VPC, useful to test and troubleshoot connectivity." - type = bool - default = false -} - -variable "dns" { - description = "DNS configuration." - type = object({ - enable_logging = optional(bool, true) - resolvers = optional(list(string), []) - }) - default = {} - nullable = false -} - -variable "enable_cloud_nat" { - description = "Deploy Cloud NAT." - type = bool - default = false - nullable = false -} - -variable "essential_contacts" { - description = "Email used for essential contacts, unset if null." 
- type = string - default = null -} - -variable "factories_config" { - description = "Configuration for network resource factories." - type = object({ - data_dir = optional(string, "data") - dns_policy_rules_file = optional(string, "data/dns-policy-rules.yaml") - firewall_policy_name = optional(string, "net-default") - }) - default = { - data_dir = "data" - } - nullable = false - validation { - condition = var.factories_config.data_dir != null - error_message = "Data folder needs to be non-null." - } - validation { - condition = var.factories_config.firewall_policy_name != null - error_message = "Firewall policy name needs to be non-null." - } -} - -variable "gcp_ranges" { - description = "GCP address ranges in name => range format." - type = map(string) - default = { - gcp_dev_primary = "10.68.0.0/16" - gcp_dev_secondary = "10.84.0.0/16" - gcp_landing_landing_primary = "10.64.0.0/17" - gcp_landing_landing_secondary = "10.80.0.0/17" - gcp_dmz_primary = "10.64.127.0/17" - gcp_dmz_secondary = "10.80.127.0/17" - gcp_prod_primary = "10.72.0.0/16" - gcp_prod_secondary = "10.88.0.0/16" - } -} - -variable "organization" { - # tfdoc:variable:source 0-bootstrap - description = "Organization details." - type = object({ - domain = string - id = number - customer_id = string - }) -} - -variable "outputs_location" { - description = "Path where providers and tfvars files for the following stages are written. Leave empty to disable." - type = string - default = null -} - -variable "psa_ranges" { - description = "IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format." 
- type = object({ - dev = optional(list(object({ - ranges = map(string) - export_routes = optional(bool, false) - import_routes = optional(bool, false) - peered_domains = optional(list(string), []) - })), []) - prod = optional(list(object({ - ranges = map(string) - export_routes = optional(bool, false) - import_routes = optional(bool, false) - peered_domains = optional(list(string), []) - })), []) - }) - nullable = false - default = {} -} - -variable "regions" { - description = "Region definitions." - type = object({ - primary = string - secondary = string - }) - default = { - primary = "europe-west1" - secondary = "europe-west4" - } -} - -variable "vpn_onprem_primary_config" { - description = "VPN gateway configuration for onprem interconnection in the primary region." - type = object({ - peer_external_gateways = map(object({ - redundancy_type = string - interfaces = list(string) - })) - router_config = object({ - create = optional(bool, true) - asn = number - name = optional(string) - keepalive = optional(number) - custom_advertise = optional(object({ - all_subnets = bool - ip_ranges = map(string) - })) - }) - tunnels = map(object({ - bgp_peer = object({ - address = string - asn = number - route_priority = optional(number, 1000) - custom_advertise = optional(object({ - all_subnets = bool - all_vpc_subnets = bool - all_peer_vpc_subnets = bool - ip_ranges = map(string) - })) - }) - # each BGP session on the same Cloud Router must use a unique /30 CIDR - # from the 169.254.0.0/16 block. - bgp_session_range = string - ike_version = optional(number, 2) - peer_external_gateway_interface = optional(number) - peer_gateway = optional(string, "default") - router = optional(string) - shared_secret = optional(string) - vpn_gateway_interface = number - })) - }) - default = null -} - -variable "vpn_onprem_secondary_config" { - description = "VPN gateway configuration for onprem interconnection in the secondary region." 
- type = object({ - peer_external_gateways = map(object({ - redundancy_type = string - interfaces = list(string) - })) - router_config = object({ - create = optional(bool, true) - asn = number - name = optional(string) - keepalive = optional(number) - custom_advertise = optional(object({ - all_subnets = bool - ip_ranges = map(string) - })) - }) - tunnels = map(object({ - bgp_peer = object({ - address = string - asn = number - route_priority = optional(number, 1000) - custom_advertise = optional(object({ - all_subnets = bool - all_vpc_subnets = bool - all_peer_vpc_subnets = bool - ip_ranges = map(string) - })) - }) - # each BGP session on the same Cloud Router must use a unique /30 CIDR - # from the 169.254.0.0/16 block. - bgp_session_range = string - ike_version = optional(number, 2) - peer_external_gateway_interface = optional(number) - peer_gateway = optional(string, "default") - router = optional(string) - shared_secret = optional(string) - vpn_gateway_interface = number - })) - }) - default = null -} diff --git a/fast/stages/2-networking-d-separate-envs/README.md b/fast/stages/2-networking-d-separate-envs/README.md index a01237dec0..7b92b8e688 100644 --- a/fast/stages/2-networking-d-separate-envs/README.md +++ b/fast/stages/2-networking-d-separate-envs/README.md 
@@ -6,7 +6,7 @@ While no communication between environment is implemented on this design, that c - [VPC Peering](https://cloud.google.com/vpc/docs/vpc-peering) - which is not recommended as it would effectively create a full line of sight between workloads belonging to different environments - [VPN HA](https://cloud.google.com/network-connectivity/docs/vpn/concepts/topologies) tunnels between environments, exchanging a subset of well-defined routes. -- [Multi-NIC appliances](https://cloud.google.com/architecture/best-practices-vpc-design#multi-nic) implemented in [2-networking-c-nva](../2-networking-c-nva) and [2-networking-e-nva-bgp](../2-networking-e-nva-bgp) connecting the different environments, allowing the use of NVAs to enforce networking policies. +- [Multi-NIC appliances](https://cloud.google.com/architecture/best-practices-vpc-design#multi-nic) implemented in [2-networking-b-nva](../2-networking-b-nva) connecting the different environments, allowing the use of NVAs to enforce networking policies. The following diagram illustrates the high-level design, and should be used as a reference for the following sections. The final number of subnets, and their IP addressing design will of course depend on customer-specific requirements, and can be easily changed via variables or external data files without having to edit the actual code. diff --git a/fast/stages/2-networking-e-nva-bgp/data/cidrs.yaml b/fast/stages/2-networking-e-nva-bgp/data/cidrs.yaml deleted file mode 100644 index 15d17f9419..0000000000 --- a/fast/stages/2-networking-e-nva-bgp/data/cidrs.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -# skip boilerplate check ---- -# Terraform will be unable to decode this file if it does not contain valid YAML -# You can retain `---` (start of the document) to indicate an empty document. - -healthchecks: - - 35.191.0.0/16 - - 130.211.0.0/22 - - 209.85.152.0/22 - - 209.85.204.0/22 - -ncc_cloud_routers_landing: - - 10.128.64.201/32 - - 10.128.64.202/32 - - 10.128.96.201/32 - - 10.128.96.202/32 - -ncc_cloud_routers_dmz: - - 10.128.0.201/32 - - 10.128.0.202/32 - - 10.128.32.201/32 - - 10.128.32.202/32 - -rfc1918: - - 10.0.0.0/8 - - 172.16.0.0/12 - - 192.168.0.0/16 - -onprem_probes: - - 10.255.255.254/32 diff --git a/fast/stages/2-networking-e-nva-bgp/data/dashboards/firewall_insights.json b/fast/stages/2-networking-e-nva-bgp/data/dashboards/firewall_insights.json deleted file mode 100644 index 4c0ebe2878..0000000000 --- a/fast/stages/2-networking-e-nva-bgp/data/dashboards/firewall_insights.json +++ /dev/null 
@@ -1,68 +0,0 @@ -{ - "displayName": "Firewall Insights Monitoring", - "gridLayout": { - "columns": "2", - "widgets": [ - { - "title": "Subnet Firewall Hit Counts", - "xyChart": { - "chartOptions": { - "mode": "COLOR" - }, - "dataSets": [ - { - "minAlignmentPeriod": "60s", - "plotType": "LINE", - "targetAxis": "Y1", - "timeSeriesQuery": { - "timeSeriesFilter": { - "aggregation": { - "perSeriesAligner": "ALIGN_RATE" - }, - "filter": "metric.type=\"firewallinsights.googleapis.com/subnet/firewall_hit_count\" resource.type=\"gce_subnetwork\"", - "secondaryAggregation": {} - }, - "unitOverride": "1" - } - } - ], - "timeshiftDuration": "0s", - "yAxis": { - "label": "y1Axis", - "scale": "LINEAR" - } - } - }, - { - "title": "VM Firewall Hit Counts", - "xyChart": { - "chartOptions": { - "mode": "COLOR" - }, - "dataSets": [ - { - "minAlignmentPeriod": "60s", - "plotType": "LINE", - "targetAxis": "Y1", - "timeSeriesQuery": { - "timeSeriesFilter": { - "aggregation": { - "perSeriesAligner": "ALIGN_RATE" - }, - "filter": "metric.type=\"firewallinsights.googleapis.com/vm/firewall_hit_count\" resource.type=\"gce_instance\"", - "secondaryAggregation": {} - }, - "unitOverride": "1" - } - } - ], - "timeshiftDuration": "0s", - "yAxis": { - "label": "y1Axis", - "scale": "LINEAR" - } - } - } - ] - } -} diff --git a/fast/stages/2-networking-e-nva-bgp/data/dashboards/vpc_and_vpc_peering_group_quotas.json b/fast/stages/2-networking-e-nva-bgp/data/dashboards/vpc_and_vpc_peering_group_quotas.json deleted file mode 100644 index 7312cd5599..0000000000 --- a/fast/stages/2-networking-e-nva-bgp/data/dashboards/vpc_and_vpc_peering_group_quotas.json +++ /dev/null 
@@ -1,253 +0,0 @@ -{ - "dashboardFilters": [], - "displayName": "VPC & VPC Peering Group Quotas", - "labels": {}, - "mosaicLayout": { - "columns": 12, - "tiles": [ - { - "height": 4, - "widget": { - "title": "Internal network (L4) Load Balancers per VPC Peering Group", - "xyChart": { - "chartOptions": { - "mode": "COLOR" - }, - "dataSets": [ - { - "breakdowns": [], - "dimensions": [], - "measures": [], - "plotType": "LINE", - "targetAxis": "Y1", - "timeSeriesQuery": { - "timeSeriesQueryLanguage": "fetch compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/internal_lb_forwarding_rules_per_peering_group/usage\n | align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], .max()\n ; metric\n compute.googleapis.com/quota/internal_lb_forwarding_rules_per_peering_group/limit\n | align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], .min() }\n| ratio\n| value cast_units(val()*100, \"%\")", - "unitOverride": "" - } - } - ], - "thresholds": [], - "timeshiftDuration": "0s", - "yAxis": { - "label": "", - "scale": "LINEAR" - } - } - }, - "width": 6, - "xPos": 6 - }, - { - "height": 4, - "widget": { - "title": "Internal network (L4) Load Balancers per VPC", - "xyChart": { - "chartOptions": { - "mode": "COLOR" - }, - "dataSets": [ - { - "plotType": "LINE", - "targetAxis": "Y1", - "timeSeriesQuery": { - "timeSeriesQueryLanguage": "fetch compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/internal_lb_forwarding_rules_per_vpc_network/usage\n | align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], .max()\n ; metric\n compute.googleapis.com/quota/internal_lb_forwarding_rules_per_vpc_network/limit\n | align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], .min() }\n| ratio\n| value cast_units(val()*100, \"%\")", - "unitOverride": "" - } - } - ], - "thresholds": [], - "timeshiftDuration": "0s", - "yAxis": { - "label": "", - 
"scale": "LINEAR" - } - } - }, - "width": 6 - }, - { - "height": 4, - "widget": { - "title": "Internal application (L7) Load Balancers per VPC", - "xyChart": { - "chartOptions": { - "mode": "COLOR" - }, - "dataSets": [ - { - "breakdowns": [], - "dimensions": [], - "measures": [], - "plotType": "LINE", - "targetAxis": "Y1", - "timeSeriesQuery": { - "timeSeriesQueryLanguage": "fetch compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/internal_managed_forwarding_rules_per_vpc_network/usage\n | align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], .max()\n ; metric\n compute.googleapis.com/quota/internal_managed_forwarding_rules_per_vpc_network/limit\n | align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], .min() }\n| ratio\n| value cast_units(val()*100, \"%\")", - "unitOverride": "" - } - } - ], - "thresholds": [], - "timeshiftDuration": "0s", - "yAxis": { - "label": "", - "scale": "LINEAR" - } - } - }, - "width": 6, - "yPos": 4 - }, - { - "height": 4, - "widget": { - "title": "Internal application (L7) Load Balancers per VPC Peering Group", - "xyChart": { - "chartOptions": { - "mode": "COLOR" - }, - "dataSets": [ - { - "breakdowns": [], - "dimensions": [], - "measures": [], - "plotType": "LINE", - "targetAxis": "Y1", - "timeSeriesQuery": { - "timeSeriesQueryLanguage": "fetch compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/internal_managed_forwarding_rules_per_peering_group/usage\n | align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], .max()\n ; metric\n compute.googleapis.com/quota/internal_managed_forwarding_rules_per_peering_group/limit\n | align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], .min() }\n| ratio\n| value cast_units(val()*100, \"%\")", - "unitOverride": "" - } - } - ], - "thresholds": [], - "timeshiftDuration": "0s", - "yAxis": { - "label": "", - "scale": "LINEAR" - } - } - }, - 
"width": 6, - "xPos": 6, - "yPos": 4 - }, - { - "height": 4, - "widget": { - "title": "Instances per VPC", - "xyChart": { - "chartOptions": { - "mode": "COLOR" - }, - "dataSets": [ - { - "plotType": "LINE", - "targetAxis": "Y1", - "timeSeriesQuery": { - "timeSeriesQueryLanguage": "fetch compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/instances_per_vpc_network/usage\n | align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], .max()\n ; metric\n compute.googleapis.com/quota/instances_per_vpc_network/limit\n | align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], .min() }\n| ratio\n| value cast_units(val()*100, \"%\") ", - "unitOverride": "" - } - } - ], - "thresholds": [], - "timeshiftDuration": "0s", - "yAxis": { - "label": "", - "scale": "LINEAR" - } - } - }, - "width": 6, - "yPos": 8 - }, - { - "height": 4, - "widget": { - "title": "Instances per VPC Peering Group", - "xyChart": { - "chartOptions": { - "mode": "COLOR" - }, - "dataSets": [ - { - "plotType": "LINE", - "targetAxis": "Y1", - "timeSeriesQuery": { - "timeSeriesQueryLanguage": "fetch compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/instances_per_peering_group/usage\n | align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], .max()\n ; metric\n compute.googleapis.com/quota/instances_per_peering_group/limit\n | align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], .min() }\n| ratio\n| value cast_units(val()*100, \"%\")", - "unitOverride": "" - } - } - ], - "thresholds": [], - "timeshiftDuration": "0s", - "yAxis": { - "label": "", - "scale": "LINEAR" - } - } - }, - "width": 6, - "xPos": 6, - "yPos": 8 - }, - { - "height": 4, - "widget": { - "title": "Subnet ranges per VPC", - "xyChart": { - "chartOptions": { - "mode": "COLOR" - }, - "dataSets": [ - { - "plotType": "LINE", - "targetAxis": "Y1", - "timeSeriesQuery": { - 
"timeSeriesQueryLanguage": "fetch compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/subnet_ranges_per_vpc_network/usage\n | align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], .max()\n ; metric\n compute.googleapis.com/quota/subnet_ranges_per_vpc_network/limit\n | align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], .min() }\n| ratio\n| value cast_units(val()*100, \"%\")", - "unitOverride": "" - } - } - ], - "thresholds": [], - "timeshiftDuration": "0s", - "yAxis": { - "label": "", - "scale": "LINEAR" - } - } - }, - "width": 6, - "yPos": 12 - }, - { - "height": 4, - "widget": { - "title": "Subnet ranges per VPC Peering Group", - "xyChart": { - "chartOptions": { - "mode": "COLOR" - }, - "dataSets": [ - { - "plotType": "LINE", - "targetAxis": "Y1", - "timeSeriesQuery": { - "timeSeriesQueryLanguage": "fetch compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/subnet_ranges_per_peering_group/usage\n | align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], .max()\n ; metric\n compute.googleapis.com/quota/subnet_ranges_per_peering_group/limit\n | align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], .min() }\n| ratio\n| value cast_units(val()*100, \"%\") ", - "unitOverride": "" - } - } - ], - "thresholds": [], - "timeshiftDuration": "0s", - "yAxis": { - "label": "", - "scale": "LINEAR" - } - } - }, - "width": 6, - "xPos": 6, - "yPos": 12 - } - ] - } -} \ No newline at end of file diff --git a/fast/stages/2-networking-e-nva-bgp/data/dashboards/vpn.json b/fast/stages/2-networking-e-nva-bgp/data/dashboards/vpn.json deleted file mode 100644 index 4c86a30747..0000000000 --- a/fast/stages/2-networking-e-nva-bgp/data/dashboards/vpn.json +++ /dev/null 
@@ -1,322 +0,0 @@ -{ - "displayName": "VPN Monitoring", - "mosaicLayout": { - "columns": 12, - "tiles": [ - { - "height": 4, - "widget": { - "title": "Number of connections", - "xyChart": { - "chartOptions": { - "mode": "COLOR" - }, - "dataSets": [ - { - "minAlignmentPeriod": "60s", - "plotType": "LINE", - "targetAxis": "Y1", - "timeSeriesQuery": { - "timeSeriesFilter": { - "aggregation": { - "perSeriesAligner": "ALIGN_MEAN" - }, - "filter": "metric.type=\"vpn.googleapis.com/gateway/connections\" resource.type=\"vpn_gateway\"", - "secondaryAggregation": {} - }, - "unitOverride": "1" - } - } - ], - "timeshiftDuration": "0s", - "yAxis": { - "label": "y1Axis", - "scale": "LINEAR" - } - } - }, - "width": 4 - }, - { - "height": 4, - "widget": { - "title": "Tunnel established", - "xyChart": { - "chartOptions": { - "mode": "COLOR" - }, - "dataSets": [ - { - "minAlignmentPeriod": "60s", - "plotType": "LINE", - "targetAxis": "Y1", - "timeSeriesQuery": { - "timeSeriesFilter": { - "aggregation": { - "perSeriesAligner": "ALIGN_MEAN" - }, - "filter": "metric.type=\"vpn.googleapis.com/tunnel_established\" resource.type=\"vpn_gateway\"", - "secondaryAggregation": {} - }, - "unitOverride": "1" - } - } - ], - "timeshiftDuration": "0s", - "yAxis": { - "label": "y1Axis", - "scale": "LINEAR" - } - } - }, - "width": 4, - "xPos": 4 - }, - { - "height": 4, - "widget": { - "title": "VPN Tunnel Bandwidth usage", - "xyChart": { - "chartOptions": { - "mode": "COLOR" - }, - "dataSets": [ - { - "plotType": "LINE", - "targetAxis": "Y1", - "timeSeriesQuery": { - "timeSeriesQueryLanguage": "fetch vpn_gateway| { metric vpn.googleapis.com/network/sent_bytes_count; metric vpn.googleapis.com/network/received_bytes_count }| align rate (1m)| group_by [metric.tunnel_name]| outer_join 0,0| value val(0) + val(1)| condition val() > 187.5 \"MBy/s\"" - } - } - ], - "thresholds": [ - { - "targetAxis": "Y1", - "value": 187500000 - } - ], - "timeshiftDuration": "0s", - "yAxis": { - "scale": "LINEAR" - } - } - 
}, - "width": 4, - "xPos": 8 - }, - { - "height": 4, - "widget": { - "title": "Cloud VPN Gateway - Received bytes", - "xyChart": { - "chartOptions": { - "mode": "COLOR" - }, - "dataSets": [ - { - "minAlignmentPeriod": "60s", - "plotType": "LINE", - "targetAxis": "Y1", - "timeSeriesQuery": { - "timeSeriesFilter": { - "aggregation": { - "perSeriesAligner": "ALIGN_RATE" - }, - "filter": "metric.type=\"vpn.googleapis.com/network/received_bytes_count\" resource.type=\"vpn_gateway\"", - "secondaryAggregation": {} - }, - "unitOverride": "By" - } - } - ], - "timeshiftDuration": "0s", - "yAxis": { - "label": "y1Axis", - "scale": "LINEAR" - } - } - }, - "width": 6, - "yPos": 4 - }, - { - "height": 4, - "widget": { - "title": "Cloud VPN Gateway - Sent bytes", - "xyChart": { - "chartOptions": { - "mode": "COLOR" - }, - "dataSets": [ - { - "minAlignmentPeriod": "60s", - "plotType": "LINE", - "targetAxis": "Y1", - "timeSeriesQuery": { - "timeSeriesFilter": { - "aggregation": { - "perSeriesAligner": "ALIGN_RATE" - }, - "filter": "metric.type=\"vpn.googleapis.com/network/sent_bytes_count\" resource.type=\"vpn_gateway\"", - "secondaryAggregation": {} - }, - "unitOverride": "By" - } - } - ], - "timeshiftDuration": "0s", - "yAxis": { - "label": "y1Axis", - "scale": "LINEAR" - } - } - }, - "width": 6, - "xPos": 6, - "yPos": 4 - }, - { - "height": 4, - "widget": { - "title": "Cloud VPN Gateway - Received packets", - "xyChart": { - "chartOptions": { - "mode": "COLOR" - }, - "dataSets": [ - { - "minAlignmentPeriod": "60s", - "plotType": "LINE", - "targetAxis": "Y1", - "timeSeriesQuery": { - "timeSeriesFilter": { - "aggregation": { - "perSeriesAligner": "ALIGN_RATE" - }, - "filter": "metric.type=\"vpn.googleapis.com/network/received_packets_count\" resource.type=\"vpn_gateway\"", - "secondaryAggregation": {} - }, - "unitOverride": "{packets}" - } - } - ], - "timeshiftDuration": "0s", - "yAxis": { - "label": "y1Axis", - "scale": "LINEAR" - } - } - }, - "width": 6, - "yPos": 8 - }, - { - 
"height": 4, - "widget": { - "title": "Cloud VPN Gateway - Sent packets", - "xyChart": { - "chartOptions": { - "mode": "COLOR" - }, - "dataSets": [ - { - "minAlignmentPeriod": "60s", - "plotType": "LINE", - "targetAxis": "Y1", - "timeSeriesQuery": { - "timeSeriesFilter": { - "aggregation": { - "perSeriesAligner": "ALIGN_RATE" - }, - "filter": "metric.type=\"vpn.googleapis.com/network/sent_packets_count\" resource.type=\"vpn_gateway\"", - "secondaryAggregation": {} - }, - "unitOverride": "{packets}" - } - } - ], - "timeshiftDuration": "0s", - "yAxis": { - "label": "y1Axis", - "scale": "LINEAR" - } - } - }, - "width": 6, - "xPos": 6, - "yPos": 8 - }, - { - "height": 4, - "widget": { - "title": "Incoming packets dropped", - "xyChart": { - "chartOptions": { - "mode": "COLOR" - }, - "dataSets": [ - { - "minAlignmentPeriod": "60s", - "plotType": "LINE", - "targetAxis": "Y1", - "timeSeriesQuery": { - "timeSeriesFilter": { - "aggregation": { - "perSeriesAligner": "ALIGN_RATE" - }, - "filter": "metric.type=\"vpn.googleapis.com/network/dropped_received_packets_count\" resource.type=\"vpn_gateway\"", - "secondaryAggregation": {} - }, - "unitOverride": "1" - } - } - ], - "timeshiftDuration": "0s", - "yAxis": { - "label": "y1Axis", - "scale": "LINEAR" - } - } - }, - "width": 6, - "xPos": 6, - "yPos": 12 - }, - { - "height": 4, - "widget": { - "title": "Outgoing packets dropped", - "xyChart": { - "chartOptions": { - "mode": "COLOR" - }, - "dataSets": [ - { - "minAlignmentPeriod": "60s", - "plotType": "LINE", - "targetAxis": "Y1", - "timeSeriesQuery": { - "timeSeriesFilter": { - "aggregation": { - "perSeriesAligner": "ALIGN_RATE" - }, - "filter": "metric.type=\"vpn.googleapis.com/network/dropped_sent_packets_count\" resource.type=\"vpn_gateway\"", - "secondaryAggregation": {} - }, - "unitOverride": "1" - } - } - ], - "timeshiftDuration": "0s", - "yAxis": { - "label": "y1Axis", - "scale": "LINEAR" - } - } - }, - "width": 6, - "yPos": 12 - } - ] - } -} 
diff --git a/fast/stages/2-networking-e-nva-bgp/data/dns-policy-rules.yaml b/fast/stages/2-networking-e-nva-bgp/data/dns-policy-rules.yaml deleted file mode 100644 index 94cfb4f840..0000000000 --- a/fast/stages/2-networking-e-nva-bgp/data/dns-policy-rules.yaml +++ /dev/null 
@@ -1,119 +0,0 @@ -# skip boilerplate check ---- -# Terraform will be unable to decode this file if it does not contain valid YAML -# You can retain `---` (start of the document) to indicate an empty document. - -accounts: - dns_name: "accounts.google.com." - local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } -backupdr-cloud: - dns_name: "backupdr.cloud.google.com." - local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } -backupdr-cloud-all: - dns_name: "*.backupdr.cloud.google.com." - local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } -backupdr-gu: - dns_name: "backupdr.googleusercontent.google.com." - local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } -backupdr-gu-all: - dns_name: "*.backupdr.googleusercontent.google.com." - local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } -cloudfunctions: - dns_name: "*.cloudfunctions.net." - local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } -cloudproxy: - dns_name: "*.cloudproxy.app." - local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } -composer-cloud-all: - dns_name: "*.composer.cloud.google.com." - local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } -composer-gu-all: - dns_name: "*.composer.googleusercontent.com." - local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } -datafusion-all: - dns_name: "*.datafusion.cloud.google.com." - local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } -datafusion-gu-all: - dns_name: "*.datafusion.googleusercontent.com." - local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } -dataproc: - dns_name: "dataproc.cloud.google.com." - local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } -dataproc-all: - dns_name: "*.dataproc.cloud.google.com." - local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } -dataproc-gu: - dns_name: "dataproc.googleusercontent.com." 
- local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } -dataproc-gu-all: - dns_name: "*.dataproc.googleusercontent.com." - local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } -dl: - dns_name: "dl.google.com." - local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } -gcr: - dns_name: "gcr.io." - local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } -gcr-all: - dns_name: "*.gcr.io." - local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } -googleapis-all: - dns_name: "*.googleapis.com." - local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } -googleapis-private: - dns_name: "private.googleapis.com." - local_data: - A: - rrdatas: - - 199.36.153.8 - - 199.36.153.9 - - 199.36.153.10 - - 199.36.153.11 -googleapis-restricted: - dns_name: "restricted.googleapis.com." - local_data: - A: - rrdatas: - - 199.36.153.4 - - 199.36.153.5 - - 199.36.153.6 - - 199.36.153.7 -gstatic-all: - dns_name: "*.gstatic.com." - local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } -kernels-gu: - dns_name: "kernels.googleusercontent.com." - local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } -kernels-gu-all: - dns_name: "*.kernels.googleusercontent.com." - local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } -notebooks-all: - dns_name: "*.notebooks.cloud.google.com." - local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } -notebooks-gu-all: - dns_name: "*.notebooks.googleusercontent.com." - local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } -packages-cloud: - dns_name: "packages.cloud.google.com." - local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } -packages-cloud-all: - dns_name: "*.packages.cloud.google.com." - local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } -pkgdev: - dns_name: "pkg.dev." - local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } -pkgdev-all: - dns_name: "*.pkg.dev." 
- local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } -pkigoog: - dns_name: "pki.goog." - local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } -pkigoog-all: - dns_name: "*.pki.goog." - local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } -run-all: - dns_name: "*.run.app." - local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } -source: - dns_name: "source.developers.google.com." - local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } } diff --git a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dev/default-ingress.yaml b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dev/default-ingress.yaml deleted file mode 100644 index 946f350aec..0000000000 --- a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dev/default-ingress.yaml +++ /dev/null @@ -1,9 +0,0 @@ -# skip boilerplate check - -ingress: - ingress-default-deny: - description: "Deny and log any unmatched ingress traffic." - deny: true - priority: 65535 - enable_logging: - include_metadata: false diff --git a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dev/rules.yaml b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dev/rules.yaml deleted file mode 100644 index 68866161c8..0000000000 --- a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dev/rules.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# skip boilerplate check ---- -# Terraform will be unable to decode this file if it does not contain valid YAML -# You can retain `---` (start of the document) to indicate an empty document. - -ingress: - ingress-allow-composer-nodes: - description: "Allow traffic to Composer nodes." - sources: - - composer-worker - targets: - - composer-worker - rules: - - protocol: tcp - ports: [80, 443, 3306, 3307] - ingress-allow-dataflow-load: - description: "Allow traffic to Dataflow nodes." - sources: - - dataflow - targets: - - dataflow - rules: - - protocol: tcp - ports: [12345, 12346] 
diff --git a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dmz/default-ingress.yaml b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dmz/default-ingress.yaml deleted file mode 100644 index e13a249b81..0000000000 --- a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dmz/default-ingress.yaml +++ /dev/null @@ -1,9 +0,0 @@ -# skip boilerplate check - -ingress: - dmz-ingress-default-deny: - description: "Deny and log any unmatched ingress traffic." - deny: true - priority: 65535 - enable_logging: - include_metadata: false diff --git a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dmz/rules.yaml b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dmz/rules.yaml deleted file mode 100644 index f63c07fa5b..0000000000 --- a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dmz/rules.yaml +++ /dev/null @@ -1,34 +0,0 @@ -# skip boilerplate check ---- -# Terraform will be unable to decode this file if it does not contain valid YAML -# You can retain `---` (start of the document) to indicate an empty document. - -ingress: - allow-hc-nva-ssh-dmz: - description: "Allow traffic from Google healthchecks to NVA appliances" - source_ranges: - - healthchecks - rules: - - protocol: tcp - ports: - - 22 - # these are not really needed, but it's good to have them - # in place if the more generic hierarchical firewall policies - # get deleted - allow-ncc-nva-bgp-dmz: - description: "Allow BGP traffic from NCC Cloud Routers to NVAs" - source_ranges: - - ncc_cloud_routers_dmz - targets: ["nva"] - rules: - - protocol: tcp - ports: - - 179 - allow-nva-nva-bgp-dmz: - description: "Allow BGP traffic from cross-regional NVAs" - sources: ["nva"] - targets: ["nva"] - rules: - - protocol: tcp - ports: - - 179 diff --git a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing/default-ingress.yaml b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing/default-ingress.yaml deleted file mode 100644 index a8fd0c5873..0000000000 
--- a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing/default-ingress.yaml +++ /dev/null @@ -1,9 +0,0 @@ -# skip boilerplate check - -ingress: - landing-ingress-default-deny: - description: "Deny and log any unmatched ingress traffic." - deny: true - priority: 65535 - enable_logging: - include_metadata: false diff --git a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing/rules.yaml b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing/rules.yaml deleted file mode 100644 index 588f7e8c89..0000000000 --- a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing/rules.yaml +++ /dev/null @@ -1,34 +0,0 @@ -# skip boilerplate check ---- -# Terraform will be unable to decode this file if it does not contain valid YAML -# You can retain `---` (start of the document) to indicate an empty document. - -ingress: - allow-hc-nva-ssh-landing: - description: "Allow traffic from Google healthchecks to NVA appliances" - source_ranges: - - healthchecks - rules: - - protocol: tcp - ports: - - 22 - allow-onprem-probes-landing-example: - description: "Allow traffic from onprem probes" - source_ranges: - - onprem_probes - rules: - - protocol: tcp - ports: - - 12345 - # This is not really needed, but it's good to have it - # in place if the more generic hierarchical firewall policies - # get deleted - allow-ncc-nva-bgp-landing: - description: "Allow BGP traffic from NCC Cloud Routers to NVAs" - source_ranges: - - ncc_cloud_routers_landing - targets: ["nva"] - rules: - - protocol: tcp - ports: - - 179 diff --git a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/prod/default-ingress.yaml b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/prod/default-ingress.yaml deleted file mode 100644 index 946f350aec..0000000000 --- a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/prod/default-ingress.yaml +++ /dev/null 
@@ -1,9 +0,0 @@ -# skip boilerplate check - -ingress: - ingress-default-deny: - description: "Deny and log any unmatched ingress traffic." - deny: true - priority: 65535 - enable_logging: - include_metadata: false diff --git a/fast/stages/2-networking-e-nva-bgp/data/hierarchical-ingress-rules.yaml b/fast/stages/2-networking-e-nva-bgp/data/hierarchical-ingress-rules.yaml deleted file mode 100644 index 817be2e99d..0000000000 --- a/fast/stages/2-networking-e-nva-bgp/data/hierarchical-ingress-rules.yaml +++ /dev/null @@ -1,49 +0,0 @@ -# skip boilerplate check ---- -# Terraform will be unable to decode this file if it does not contain valid YAML -# You can retain `---` (start of the document) to indicate an empty document. - -# allow-admins: -# description: Access from the admin subnet to all subnets -# priority: 1000 -# match: -# source_ranges: -# - rfc1918 - -allow-healthchecks: - description: Enable SSH, HTTP and HTTPS healthchecks - priority: 1001 - match: - source_ranges: - - healthchecks - layer4_configs: - - protocol: tcp - ports: ["22", "80", "443"] - -allow-ssh-from-iap: - description: Enable SSH from IAP - priority: 1002 - enable_logging: true - match: - source_ranges: - - 35.235.240.0/20 - layer4_configs: - - protocol: tcp - ports: ["22"] - -allow-icmp: - description: Enable ICMP - priority: 1003 - match: - source_ranges: - - 0.0.0.0/0 - layer4_configs: - - protocol: icmp - -allow-nat-ranges: - description: Enable NAT ranges for VPC serverless connector - priority: 1004 - match: - source_ranges: - - 107.178.230.64/26 - - 35.199.224.0/19 diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-dataplatform-ew1.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-dataplatform-ew1.yaml deleted file mode 100644 index 9b1cfb4684..0000000000 --- a/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-dataplatform-ew1.yaml +++ /dev/null 
@@ -1,9 +0,0 @@ -# skip boilerplate check - -name: dev-dataplatform -region: europe-west1 -description: Default subnet for dev Data Platform -ip_cidr_range: 10.68.2.0/24 -secondary_ip_ranges: - pods: 100.69.0.0/16 - services: 100.71.2.0/24 diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-default-ew1.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-default-ew1.yaml deleted file mode 100644 index 735b4c763b..0000000000 --- a/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-default-ew1.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# skip boilerplate check - -name: dev-default -region: europe-west1 -ip_cidr_range: 10.68.0.0/24 -description: Default europe-west1 subnet for dev diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-default-ew4.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-default-ew4.yaml deleted file mode 100644 index 4766f837c4..0000000000 --- a/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-default-ew4.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# skip boilerplate check - -name: dev-default -region: europe-west4 -ip_cidr_range: 10.84.0.0/24 -description: Default europe-west4 subnet for dev diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-gke-nodes-ew1.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-gke-nodes-ew1.yaml deleted file mode 100644 index d0c5155e80..0000000000 --- a/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-gke-nodes-ew1.yaml +++ /dev/null @@ -1,9 +0,0 @@ -# skip boilerplate check - -name: dev-gke-nodes -region: europe-west1 -description: Default subnet for prod gke nodes -ip_cidr_range: 10.68.1.0/24 -secondary_ip_ranges: - pods: 100.68.0.0/16 - services: 100.71.1.0/24 diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/dmz/dmz-default-ew1.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/dmz/dmz-default-ew1.yaml deleted file mode 100644 index 5436b13584..0000000000 
--- a/fast/stages/2-networking-e-nva-bgp/data/subnets/dmz/dmz-default-ew1.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# skip boilerplate check - -name: dmz-default -region: europe-west1 -ip_cidr_range: 10.64.128.0/24 -description: Default europe-west1 subnet for DMZ diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/dmz/dmz-default-ew4.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/dmz/dmz-default-ew4.yaml deleted file mode 100644 index a9fd769b50..0000000000 --- a/fast/stages/2-networking-e-nva-bgp/data/subnets/dmz/dmz-default-ew4.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# skip boilerplate check - -name: dmz-default -region: europe-west4 -ip_cidr_range: 10.80.128.0/24 -description: Default europe-west4 subnet for DMZ diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/landing/landing-default-ew1.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/landing/landing-default-ew1.yaml deleted file mode 100644 index 7ba6b15ac7..0000000000 --- a/fast/stages/2-networking-e-nva-bgp/data/subnets/landing/landing-default-ew1.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# skip boilerplate check - -name: landing-default -region: europe-west1 -ip_cidr_range: 10.64.0.0/24 -description: Default europe-west1 subnet for landing diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/landing/landing-default-ew4.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/landing/landing-default-ew4.yaml deleted file mode 100644 index f6bf1d678d..0000000000 --- a/fast/stages/2-networking-e-nva-bgp/data/subnets/landing/landing-default-ew4.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# skip boilerplate check - -name: landing-default -region: europe-west4 -ip_cidr_range: 10.80.0.0/24 -description: Default europe-west4 subnet for landing diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/prod/prod-default-ew1.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/prod/prod-default-ew1.yaml deleted file mode 100644 index 86a6ae6b00..0000000000 
--- a/fast/stages/2-networking-e-nva-bgp/data/subnets/prod/prod-default-ew1.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# skip boilerplate check - -name: prod-default -region: europe-west1 -ip_cidr_range: 10.72.0.0/24 -description: Default europe-west1 subnet for prod diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/prod/prod-default-ew4.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/prod/prod-default-ew4.yaml deleted file mode 100644 index 6084bc0791..0000000000 --- a/fast/stages/2-networking-e-nva-bgp/data/subnets/prod/prod-default-ew4.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# skip boilerplate check - -name: prod-default -region: europe-west4 -ip_cidr_range: 10.88.0.0/24 -description: Default europe-west4 subnet for prod diff --git a/fast/stages/2-networking-e-nva-bgp/dns-dev.tf b/fast/stages/2-networking-e-nva-bgp/dns-dev.tf deleted file mode 100644 index 8b1954d652..0000000000 --- a/fast/stages/2-networking-e-nva-bgp/dns-dev.tf +++ /dev/null 
@@ -1,72 +0,0 @@ -/** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -# tfdoc:file:description Development spoke DNS zones and peerings setup. - -# GCP-specific environment zone - -module "dev-dns-private-zone" { - source = "../../../modules/dns" - project_id = module.dev-spoke-project.project_id - name = "dev-gcp-example-com" - zone_config = { - domain = "dev.gcp.example.com." - private = { - client_networks = [module.landing-vpc.self_link, module.dmz-vpc.self_link] - } - } - recordsets = { - "A localhost" = { records = ["127.0.0.1"] } - } -} - -# root zone peering to landing to centralize configuration; remove if unneeded - -moved { - from = module.dev-landing-root-dns-peering - to = module.dev-dns-peer-landing-root -} - -module "dev-dns-peer-landing-root" { - source = "../../../modules/dns" - project_id = module.dev-spoke-project.project_id - name = "dev-root-dns-peering" - zone_config = { - domain = "." - peering = { - client_networks = [module.dev-spoke-vpc.self_link] - peer_network = module.landing-vpc.self_link - } - } -} - -moved { - from = module.dev-reverse-10-dns-peering - to = module.dev-dns-peer-landing-rev-10 -} - -module "dev-dns-peer-landing-rev-10" { - source = "../../../modules/dns" - project_id = module.dev-spoke-project.project_id - name = "dev-reverse-10-dns-peering" - zone_config = { - domain = "10.in-addr.arpa." 
- peering = { - client_networks = [module.dev-spoke-vpc.self_link] - peer_network = module.landing-vpc.self_link - } - } -} diff --git a/fast/stages/2-networking-e-nva-bgp/dns-landing.tf b/fast/stages/2-networking-e-nva-bgp/dns-landing.tf deleted file mode 100644 index 270280495a..0000000000 --- a/fast/stages/2-networking-e-nva-bgp/dns-landing.tf +++ /dev/null 
@@ -1,101 +0,0 @@ -/** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -# tfdoc:file:description Landing DNS zones and peerings setup. - -# forwarding to on-prem DNS resolvers - -moved { - from = module.onprem-example-dns-forwarding - to = module.landing-dns-fwd-onprem-example -} - -module "landing-dns-fwd-onprem-example" { - source = "../../../modules/dns" - count = length(var.dns.resolvers) > 0 ? 1 : 0 - project_id = module.landing-project.project_id - name = "example-com" - zone_config = { - domain = "onprem.example.com." - forwarding = { - client_networks = [ - module.dmz-vpc.self_link, - module.landing-vpc.self_link - ] - forwarders = { for ip in var.dns.resolvers : ip => null } - } - } -} - -moved { - from = module.reverse-10-dns-forwarding - to = module.landing-dns-fwd-onprem-rev-10 -} - -module "landing-dns-fwd-onprem-rev-10" { - source = "../../../modules/dns" - count = length(var.dns.resolvers) > 0 ? 1 : 0 - project_id = module.landing-project.project_id - name = "root-reverse-10" - zone_config = { - domain = "10.in-addr.arpa." 
- forwarding = { - client_networks = [ - module.dmz-vpc.self_link, - module.landing-vpc.self_link - ] - forwarders = { for ip in var.dns.resolvers : ip => null } - } - } -} - -moved { - from = module.gcp-example-dns-private-zone - to = module.landing-dns-priv-gcp -} - -module "landing-dns-priv-gcp" { - source = "../../../modules/dns" - project_id = module.landing-project.project_id - name = "gcp-example-com" - zone_config = { - domain = "gcp.example.com." - private = { - client_networks = [ - module.dmz-vpc.self_link, - module.landing-vpc.self_link - ] - } - } - recordsets = { - "A localhost" = { records = ["127.0.0.1"] } - } -} - -# Google APIs - -module "landing-dns-policy-googleapis" { - source = "../../../modules/dns-response-policy" - project_id = module.landing-project.project_id - name = "googleapis" - factories_config = { - rules = var.factories_config.dns_policy_rules_file - } - networks = { - landing = module.landing-vpc.self_link - dmz = module.dmz-vpc.self_link - } -} diff --git a/fast/stages/2-networking-e-nva-bgp/dns-prod.tf b/fast/stages/2-networking-e-nva-bgp/dns-prod.tf deleted file mode 100644 index ae1a760732..0000000000 --- a/fast/stages/2-networking-e-nva-bgp/dns-prod.tf +++ /dev/null 
@@ -1,72 +0,0 @@ -/** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -# tfdoc:file:description Production spoke DNS zones and peerings setup. - -# GCP-specific environment zone - -module "prod-dns-private-zone" { - source = "../../../modules/dns" - project_id = module.prod-spoke-project.project_id - name = "prod-gcp-example-com" - zone_config = { - domain = "prod.gcp.example.com." - private = { - client_networks = [module.landing-vpc.self_link, module.dmz-vpc.self_link] - } - } - recordsets = { - "A localhost" = { records = ["127.0.0.1"] } - } -} - -# root zone peering to landing to centralize configuration; remove if unneeded - -moved { - from = module.prod-landing-root-dns-peering - to = module.prod-dns-peer-landing-root -} - -module "prod-dns-peer-landing-root" { - source = "../../../modules/dns" - project_id = module.prod-spoke-project.project_id - name = "prod-root-dns-peering" - zone_config = { - domain = "." - peering = { - client_networks = [module.prod-spoke-vpc.self_link] - peer_network = module.landing-vpc.self_link - } - } -} - -moved { - from = module.prod-reverse-10-dns-peering - to = module.prod-dns-peer-landing-rev-10 -} - -module "prod-dns-peer-landing-rev-10" { - source = "../../../modules/dns" - project_id = module.prod-spoke-project.project_id - name = "prod-reverse-10-dns-peering" - zone_config = { - domain = "10.in-addr.arpa." 
- peering = { - client_networks = [module.prod-spoke-vpc.self_link] - peer_network = module.landing-vpc.self_link - } - } -} diff --git a/fast/stages/2-networking-e-nva-bgp/monitoring-vpn-onprem.tf b/fast/stages/2-networking-e-nva-bgp/monitoring-vpn-onprem.tf deleted file mode 100644 index d63c14d8d8..0000000000 --- a/fast/stages/2-networking-e-nva-bgp/monitoring-vpn-onprem.tf +++ /dev/null 
@@ -1,99 +0,0 @@ -/** - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -# tfdoc:file:description VPN monitoring alerts. - -resource "google_monitoring_alert_policy" "vpn_tunnel_established" { - count = (var.vpn_onprem_primary_config != null && var.alert_config.vpn_tunnel_established != null) ? 1 : 0 - - project = module.landing-project.project_id - display_name = "VPN Tunnel Established" - enabled = var.alert_config.vpn_tunnel_established.enabled - notification_channels = var.alert_config.vpn_tunnel_established.notification_channels - user_labels = var.alert_config.vpn_tunnel_established.user_labels - combiner = "OR" - - conditions { - display_name = "VPN Tunnel Established" - - condition_monitoring_query_language { - query = join("", [ - "fetch vpn_gateway", - "| metric vpn.googleapis.com/tunnel_established", - "| group_by 5m, [value_tunnel_established_max: max(value.tunnel_established)]", - "| every 5m", - "| condition val() < 1 '1'", - ]) - - duration = var.alert_config.vpn_tunnel_established.duration - - trigger { - count = "1" - } - } - } - - dynamic "alert_strategy" { - for_each = var.alert_config.vpn_tunnel_established.auto_close != null ? 
[1] : [] - - content { - auto_close = var.alert_config.vpn_tunnel_established.auto_close - } - } -} - -# https://cloud.google.com/network-connectivity/docs/vpn/how-to/viewing-logs-metrics#define-bandwidth-alerts -resource "google_monitoring_alert_policy" "vpn_tunnel_bandwidth" { - count = (var.vpn_onprem_primary_config != null && var.alert_config.vpn_tunnel_bandwidth != null) ? 1 : 0 - - project = module.landing-project.project_id - display_name = "VPN Tunnel Bandwidth usage" - enabled = var.alert_config.vpn_tunnel_bandwidth.enabled - notification_channels = var.alert_config.vpn_tunnel_bandwidth.notification_channels - user_labels = var.alert_config.vpn_tunnel_bandwidth.user_labels - combiner = "OR" - - conditions { - display_name = "VPN Tunnel Bandwidth usage" - - condition_monitoring_query_language { - query = join("", [ - "fetch vpn_gateway", - "| { metric vpn.googleapis.com/network/sent_bytes_count", - "; metric vpn.googleapis.com/network/received_bytes_count }", - "| align rate (1m)", - "| group_by [metric.tunnel_name]", - "| outer_join 0,0", - "| value val(0) + val(1)", - "| condition val() > ${var.alert_config.vpn_tunnel_bandwidth.threshold_mbys} \"MBy/s\"", - ]) - - duration = var.alert_config.vpn_tunnel_bandwidth.duration - - trigger { - count = "1" - } - } - } - - dynamic "alert_strategy" { - for_each = var.alert_config.vpn_tunnel_bandwidth.auto_close != null ? [1] : [] - - content { - auto_close = var.alert_config.vpn_tunnel_bandwidth.auto_close - } - } -} diff --git a/fast/stages/2-networking-e-nva-bgp/monitoring.tf b/fast/stages/2-networking-e-nva-bgp/monitoring.tf deleted file mode 100644 index be3a47faac..0000000000 --- a/fast/stages/2-networking-e-nva-bgp/monitoring.tf +++ /dev/null 
@@ -1,32 +0,0 @@ -/** - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -# tfdoc:file:description Network monitoring dashboards. - -locals { - dashboard_path = "${var.factories_config.data_dir}/dashboards" - dashboard_files = fileset(local.dashboard_path, "*.json") - dashboards = { - for filename in local.dashboard_files : - filename => "${local.dashboard_path}/$(unknown)" - } -} - -resource "google_monitoring_dashboard" "dashboard" { - for_each = local.dashboards - project = module.landing-project.project_id - dashboard_json = file(each.value) -} diff --git a/fast/stages/2-networking-e-nva-bgp/net-dev.tf b/fast/stages/2-networking-e-nva-bgp/net-dev.tf deleted file mode 100644 index bb7bd165e9..0000000000 --- a/fast/stages/2-networking-e-nva-bgp/net-dev.tf +++ /dev/null 
@@ -1,111 +0,0 @@ -/** - * Copyright 2023 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -# tfdoc:file:description Dev spoke VPC and related resources. - -module "dev-spoke-project" { - source = "../../../modules/project" - billing_account = var.billing_account.id - name = "dev-net-spoke-0" - parent = var.folder_ids.networking-dev - prefix = var.prefix - services = concat([ - "compute.googleapis.com", - "dns.googleapis.com", - "iap.googleapis.com", - "networkmanagement.googleapis.com", - "servicenetworking.googleapis.com", - "stackdriver.googleapis.com", - "vpcaccess.googleapis.com" - ], - ( - var.fast_features.gcve - ? 
["vmwareengine.googleapis.com"] - : [] - ) - ) - shared_vpc_host_config = { - enabled = true - } - metric_scopes = [module.landing-project.project_id] - iam = { - "roles/dns.admin" = compact([ - try(local.service_accounts.gke-dev, null), - try(local.service_accounts.project-factory-dev, null), - try(local.service_accounts.project-factory-prod, null), - ]) - } - # allow specific service accounts to assign a set of roles - iam_bindings = { - sa_delegated_grants = { - role = "roles/resourcemanager.projectIamAdmin" - members = compact([ - try(local.service_accounts.data-platform-dev, null), - try(local.service_accounts.project-factory-dev, null), - try(local.service_accounts.project-factory-prod, null), - try(local.service_accounts.gke-dev, null), - ]) - condition = { - title = "dev_stage3_sa_delegated_grants" - description = "Development host project delegated grants." - expression = format( - "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", - join(",", formatlist("'%s'", local.stage3_sas_delegated_grants)) - ) - } - } - } -} - -module "dev-spoke-vpc" { - source = "../../../modules/net-vpc" - project_id = module.dev-spoke-project.project_id - name = "dev-spoke-0" - mtu = 1500 - dns_policy = { - logging = var.dns.enable_logging - } - factories_config = { - subnets_folder = "${var.factories_config.data_dir}/subnets/dev" - } - delete_default_routes_on_create = true - psa_configs = var.psa_ranges.dev - # Set explicit routes for googleapis; send everything else to NVAs - create_googleapis_routes = { - private = true - restricted = true - } -} - -module "dev-spoke-firewall" { - source = "../../../modules/net-vpc-firewall" - project_id = module.dev-spoke-project.project_id - network = module.dev-spoke-vpc.name - default_rules_config = { - disabled = true - } - factories_config = { - cidr_tpl_file = "${var.factories_config.data_dir}/cidrs.yaml" - rules_folder = "${var.factories_config.data_dir}/firewall-rules/dev" - } -} - -module "peering-dev" 
{ - source = "../../../modules/net-vpc-peering" - prefix = "dev-peering-0" - local_network = module.dev-spoke-vpc.self_link - peer_network = module.landing-vpc.self_link -} diff --git a/fast/stages/2-networking-e-nva-bgp/net-landing.tf b/fast/stages/2-networking-e-nva-bgp/net-landing.tf deleted file mode 100644 index 900bd274db..0000000000 --- a/fast/stages/2-networking-e-nva-bgp/net-landing.tf +++ /dev/null 
@@ -1,132 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Landing VPC and related resources.
-
-module "landing-project" {
- source = "../../../modules/project"
- billing_account = var.billing_account.id
- name = "prod-net-landing-0"
- parent = var.folder_ids.networking-prod
- prefix = var.prefix
- services = [
- "compute.googleapis.com",
- "dns.googleapis.com",
- "iap.googleapis.com",
- "networkconnectivity.googleapis.com",
- "networkmanagement.googleapis.com",
- "stackdriver.googleapis.com"
- ]
- shared_vpc_host_config = {
- enabled = true
- }
- iam = {
- "roles/dns.admin" = compact([
- try(local.service_accounts.project-factory-prod, null)
- ])
- (local.custom_roles.service_project_network_admin) = compact([
- try(local.service_accounts.project-factory-prod, null)
- ])
- }
-}
-
-# DMZ (untrusted) VPC
-
-module "dmz-vpc" {
- source = "../../../modules/net-vpc"
- project_id = module.landing-project.project_id
- name = "prod-dmz-0"
- mtu = 1500
- dns_policy = {
- inbound = true
- logging = var.dns.enable_logging
- }
- create_googleapis_routes = null
- factories_config = {
- subnets_folder = "${var.factories_config.data_dir}/subnets/dmz"
- }
-}
-
-module "dmz-firewall" {
- source = "../../../modules/net-vpc-firewall"
- project_id = module.landing-project.project_id
- network = module.dmz-vpc.name
- default_rules_config = {
- disabled = true
- }
- factories_config = {
- cidr_tpl_file 
= "${var.factories_config.data_dir}/cidrs.yaml"
- rules_folder = "${var.factories_config.data_dir}/firewall-rules/dmz"
- }
-}
-
-# NAT
-
-module "landing-nat-primary" {
- source = "../../../modules/net-cloudnat"
- count = var.enable_cloud_nat ? 1 : 0
- project_id = module.landing-project.project_id
- region = var.regions.primary
- name = local.region_shortnames[var.regions.primary]
- router_create = true
- router_name = "prod-nat-${local.region_shortnames[var.regions.primary]}"
- router_network = module.dmz-vpc.name
-}
-
-module "landing-nat-secondary" {
- source = "../../../modules/net-cloudnat"
- count = var.enable_cloud_nat ? 1 : 0
- project_id = module.landing-project.project_id
- region = var.regions.secondary
- name = local.region_shortnames[var.regions.secondary]
- router_create = true
- router_name = "prod-nat-${local.region_shortnames[var.regions.secondary]}"
- router_network = module.dmz-vpc.name
-}
-
-# landing (trusted) VPC
-
-module "landing-vpc" {
- source = "../../../modules/net-vpc"
- project_id = module.landing-project.project_id
- name = "prod-landing-0"
- delete_default_routes_on_create = true
- mtu = 1500
- factories_config = {
- subnets_folder = "${var.factories_config.data_dir}/subnets/landing"
- }
- dns_policy = {
- inbound = true
- }
- # Set explicit routes for googleapis in case the default route is deleted
- create_googleapis_routes = {
- private = true
- restricted = true
- }
-}
-
-module "landing-firewall" {
- source = "../../../modules/net-vpc-firewall"
- project_id = module.landing-project.project_id
- network = module.landing-vpc.name
- default_rules_config = {
- disabled = true
- }
- factories_config = {
- cidr_tpl_file = "${var.factories_config.data_dir}/cidrs.yaml"
- rules_folder = "${var.factories_config.data_dir}/firewall-rules/landing"
- }
-}
diff --git a/fast/stages/2-networking-e-nva-bgp/net-prod.tf b/fast/stages/2-networking-e-nva-bgp/net-prod.tf
deleted file mode 100644
index 6325c5766a..0000000000
--- a/fast/stages/2-networking-e-nva-bgp/net-prod.tf
+++ /dev/null
@@ -1,109 +0,0 @@
-/**
- * Copyright 2023 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Production spoke VPC and related resources.
-
-module "prod-spoke-project" {
- source = "../../../modules/project"
- billing_account = var.billing_account.id
- name = "prod-net-spoke-0"
- parent = var.folder_ids.networking-prod
- prefix = var.prefix
- services = concat([
- "compute.googleapis.com",
- "dns.googleapis.com",
- "iap.googleapis.com",
- "networkmanagement.googleapis.com",
- "servicenetworking.googleapis.com",
- "stackdriver.googleapis.com",
- "vpcaccess.googleapis.com"
- ],
- (
- var.fast_features.gcve
- ? ["vmwareengine.googleapis.com"]
- : []
- )
- )
- shared_vpc_host_config = {
- enabled = true
- }
- metric_scopes = [module.landing-project.project_id]
- iam = {
- "roles/dns.admin" = compact([
- try(local.service_accounts.gke-prod, null),
- try(local.service_accounts.project-factory-prod, null),
- ])
- }
- # allow specific service accounts to assign a set of roles
- iam_bindings = {
- sa_delegated_grants = {
- role = "roles/resourcemanager.projectIamAdmin"
- members = compact([
- try(local.service_accounts.data-platform-prod, null),
- try(local.service_accounts.project-factory-prod, null),
- try(local.service_accounts.gke-prod, null),
- ])
- condition = {
- title = "prod_stage3_sa_delegated_grants"
- description = "Production host project delegated grants." 
- expression = format(
- "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
- join(",", formatlist("'%s'", local.stage3_sas_delegated_grants))
- )
- }
- }
- }
-}
-
-module "prod-spoke-vpc" {
- source = "../../../modules/net-vpc"
- project_id = module.prod-spoke-project.project_id
- name = "prod-spoke-0"
- mtu = 1500
- dns_policy = {
- logging = var.dns.enable_logging
- }
- factories_config = {
- subnets_folder = "${var.factories_config.data_dir}/subnets/prod"
- }
- delete_default_routes_on_create = true
- psa_configs = var.psa_ranges.prod
- # Set explicit routes for googleapis; send everything else to NVAs
- create_googleapis_routes = {
- private = true
- restricted = true
- }
-}
-
-module "prod-spoke-firewall" {
- source = "../../../modules/net-vpc-firewall"
- project_id = module.prod-spoke-project.project_id
- network = module.prod-spoke-vpc.name
- default_rules_config = {
- disabled = true
- }
- factories_config = {
- cidr_tpl_file = "${var.factories_config.data_dir}/cidrs.yaml"
- rules_folder = "${var.factories_config.data_dir}/firewall-rules/prod"
- }
-}
-
-module "peering-prod" {
- source = "../../../modules/net-vpc-peering"
- prefix = "prod-peering-0"
- local_network = module.prod-spoke-vpc.self_link
- peer_network = module.landing-vpc.self_link
-}
diff --git a/fast/stages/2-networking-e-nva-bgp/outputs.tf b/fast/stages/2-networking-e-nva-bgp/outputs.tf
deleted file mode 100644
index 519000c9b6..0000000000
--- a/fast/stages/2-networking-e-nva-bgp/outputs.tf
+++ /dev/null
@@ -1,128 +0,0 @@
-/**
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-locals {
- host_project_ids = {
- dev-spoke-0 = module.dev-spoke-project.project_id
- prod-landing = module.landing-project.project_id
- prod-spoke-0 = module.prod-spoke-project.project_id
- }
- host_project_numbers = {
- dev-spoke-0 = module.dev-spoke-project.number
- prod-landing = module.landing-project.number
- prod-spoke-0 = module.prod-spoke-project.number
- }
- subnet_self_links = {
- prod-dmz = module.dmz-vpc.subnet_self_links
- prod-landing = module.landing-vpc.subnet_self_links
- dev-spoke-0 = module.dev-spoke-vpc.subnet_self_links
- prod-spoke-0 = module.prod-spoke-vpc.subnet_self_links
- }
- subnet_proxy_only_self_links = {
- prod-dmz = {
- for k, v in module.dmz-vpc.subnets_proxy_only : k => v.id
- }
- prod-landing = {
- for k, v in module.landing-vpc.subnets_proxy_only : k => v.id
- }
- dev-spoke-0 = {
- for k, v in module.dev-spoke-vpc.subnets_proxy_only : k => v.id
- }
- prod-spoke-0 = {
- for k, v in module.prod-spoke-vpc.subnets_proxy_only : k => v.id
- }
- }
- subnet_psc_self_links = {
- prod-dmz = {
- for k, v in module.dmz-vpc.subnets_psc : k => v.id
- }
- prod-landing = {
- for k, v in module.landing-vpc.subnets_psc : k => v.id
- }
- dev-spoke-0 = {
- for k, v in module.dev-spoke-vpc.subnets_psc : k => v.id
- }
- prod-spoke-0 = {
- for k, v in module.prod-spoke-vpc.subnets_psc : k => v.id
- }
- }
- tfvars = {
- host_project_ids 
= local.host_project_ids
- host_project_numbers = local.host_project_numbers
- subnet_self_links = local.subnet_self_links
- subnet_proxy_only_self_links = local.subnet_proxy_only_self_links
- subnet_psc_self_links = local.subnet_psc_self_links
- vpc_self_links = local.vpc_self_links
- }
- vpc_self_links = {
- prod-landing = module.landing-vpc.self_link
- prod-dmz = module.dmz-vpc.self_link
- dev-spoke-0 = module.dev-spoke-vpc.self_link
- prod-spoke-0 = module.prod-spoke-vpc.self_link
- }
-}
-
-# generate tfvars file for subsequent stages
-
-resource "local_file" "tfvars" {
- for_each = var.outputs_location == null ? {} : { 1 = 1 }
- file_permission = "0644"
- filename = "${try(pathexpand(var.outputs_location), "")}/tfvars/2-networking.auto.tfvars.json"
- content = jsonencode(local.tfvars)
-}
-
-resource "google_storage_bucket_object" "tfvars" {
- bucket = var.automation.outputs_bucket
- name = "tfvars/2-networking.auto.tfvars.json"
- content = jsonencode(local.tfvars)
-}
-
-# outputs
-
-output "host_project_ids" {
- description = "Network project ids."
- value = local.host_project_ids
-}
-
-output "host_project_numbers" {
- description = "Network project numbers."
- value = local.host_project_numbers
-}
-
-output "shared_vpc_self_links" {
- description = "Shared VPC host projects."
- value = local.vpc_self_links
-}
-
-output "tfvars" {
- description = "Terraform variables file for the following stages."
- sensitive = true
- value = local.tfvars
-}
-
-output "vpn_gateway_endpoints" {
- description = "External IP Addresses for the GCP VPN gateways."
- value = {
- onprem-primary = var.vpn_onprem_primary_config == null ? {} : {
- for v in module.landing-to-onprem-primary-vpn[0].gateway.vpn_interfaces :
- v.id => v.ip_address
- }
- onprem-secondary = var.vpn_onprem_secondary_config == null ? {} : {
- for v in module.landing-to-onprem-secondary-vpn[0].gateway.vpn_interfaces :
- v.id => v.ip_address
- }
- }
-}
diff --git a/fast/stages/2-networking-e-nva-bgp/test-resources.tf b/fast/stages/2-networking-e-nva-bgp/test-resources.tf
deleted file mode 100644
index 1e96004a00..0000000000
--- a/fast/stages/2-networking-e-nva-bgp/test-resources.tf
+++ /dev/null
@@ -1,243 +0,0 @@ -/** - * Copyright 2023 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -# tfdoc:file:description temporary instances for testing - -# module "test-vm-dmz-primary-0" { -# source = "../../../modules/compute-vm" -# project_id = module.landing-project.project_id -# zone = "${var.regions.primary}-b" -# name = "test-vm-lnd-unt-primary-0" -# network_interfaces = [{ -# network = module.dmz-vpc.self_link -# subnetwork = module.dmz-vpc.subnet_self_links["${var.regions.primary}/dmz-default-${local.region_shortnames[var.regions.primary]}"] -# }] -# tags = ["primary", "ssh"] -# boot_disk = { -# initialize_params = { -# image = "projects/debian-cloud/global/images/family/debian-11" -# } -# } -# options = { -# spot = true -# termination_action = "STOP" -# } -# metadata = { -# startup-script = < { external = v } - } - tunnels = try(var.vpn_onprem_primary_config.tunnels, {}) -} - -module "landing-to-onprem-secondary-vpn" { - count = var.vpn_onprem_secondary_config == null ? 
0 : 1 - source = "../../../modules/net-vpn-ha" - project_id = module.landing-project.project_id - network = module.landing-vpc.self_link - region = var.regions.secondary - name = "vpn-to-onprem-${local.region_shortnames[var.regions.secondary]}" - router_config = try(var.vpn_onprem_secondary_config.router_config, {}) - peer_gateways = { - for k, v in local.onprem_peer_gateways.secondary : k => { external = v } - } - tunnels = try(var.vpn_onprem_secondary_config.tunnels, {}) -} diff --git a/fast/stages/3-project-factory/dev/README.md b/fast/stages/3-project-factory/dev/README.md index 9ae2cb1ae0..135ea80857 100644 --- a/fast/stages/3-project-factory/dev/README.md +++ b/fast/stages/3-project-factory/dev/README.md @@ -17,7 +17,7 @@ The project factory stage lightly wraps the underlying [project-factory module]( ## How to run this stage -This stage is meant to be executed after "foundational stages" (i.e., stages [`00-bootstrap`](../../0-bootstrap), [`01-resman`](../../1-resman), 02-networking (either [Peering/VPN](../../2-networking-a-simple), [NVA](../../2-networking-c-nva), [NVA with BGP support](../../2-networking-e-nva-bgp)) and [`02-security`](../../2-security)) have been run. +This stage is meant to be executed after "foundational stages" (i.e., stages [`00-bootstrap`](../../0-bootstrap), [`01-resman`](../../1-resman), 02-networking (either [Peering/VPN](../../2-networking-a-simple), [NVA (w/ optional BGP support)](../../2-networking-b-nva) and [`02-security`](../../2-security)) have been run. It's of course possible to run this stage in isolation, by making sure the architectural prerequisites are satisfied (e.g., networking), and that the Service Account running the stage is granted the appropriate roles. diff --git a/fast/stages/README.md b/fast/stages/README.md index ff78db1b46..82a52d9445 100644 --- a/fast/stages/README.md +++ b/fast/stages/README.md 
@@ -37,8 +37,8 @@ Implemented as an [add-on stage 1](./1-tenant-factory/), with optional FAST comp - [Security](2-security/README.md) Manages centralized security configurations in a separate stage, and is typically owned by the security team. This stage implements VPC Security Controls via separate perimeters for environments and central services, and creates projects to host centralized KMS keys used by the whole organization. It's meant to be easily extended to include other security-related resources which are required, like Secret Manager.\ Exports: KMS key ids -- Networking ([Peering/VPN](2-networking-a-simple/README.md)/[NVA](2-networking-c-nva/README.md)/[NVA with BGP support](2-networking-e-nva-bgp/README.md)/[Separate environments](2-networking-d-separate-envs/README.md)) - Manages centralized network resources in a separate stage, and is typically owned by the networking team. This stage implements a hub-and-spoke design, and includes connectivity via VPN to on-premises, and YAML-based factories for firewall rules (hierarchical and VPC-level) and subnets. It's currently available in four flavors: [spokes connected via VPC peering/VPN](2-networking-a-simple/README.md), [spokes connected via appliances](2-networking-c-nva/README.md), [spokes connected via appliances leveraging NCC and BGP](2-networking-e-nva-bgp/README.md) and [separated network environments](2-networking-d-separate-envs/README.md).\ +- Networking ([Peering/VPN](2-networking-a-simple/README.md)/[NVA (w/ optional BGP support)](2-networking-b-nva/README.md)/[Separate environments](2-networking-d-separate-envs/README.md)) + Manages centralized network resources in a separate stage, and is typically owned by the networking team. This stage implements a hub-and-spoke design, and includes connectivity via VPN to on-premises, and YAML-based factories for firewall rules (hierarchical and VPC-level) and subnets. 
It's currently available in four flavors: [spokes connected via VPC peering/VPN](2-networking-a-simple/README.md), [spokes connected via appliances (w/ optional BGP support)](2-networking-b-nva/README.md) and [separated network environments](2-networking-d-separate-envs/README.md).\ Exports: host project ids and numbers, vpc self links ## Environment-level resources (3) diff --git a/tests/fast/stages/s2_networking_e_nva_bgp/simple.tfvars b/tests/fast/stages/s2_networking_b_nva/ncc-ra.tfvars similarity index 94% rename from tests/fast/stages/s2_networking_e_nva_bgp/simple.tfvars rename to tests/fast/stages/s2_networking_b_nva/ncc-ra.tfvars index c2a9cef0bd..2b3d63f87e 100644 --- a/tests/fast/stages/s2_networking_e_nva_bgp/simple.tfvars +++ b/tests/fast/stages/s2_networking_b_nva/ncc-ra.tfvars @@ -11,8 +11,10 @@ dns = { resolvers = ["10.10.10.10"] enable_logging = true } -enable_cloud_nat = true -essential_contacts = "gcp-network-admins@fast.example.com" +enable_cloud_nat = true +enable_ncc_ra = true +enable_test_instances = true +essential_contacts = "gcp-network-admins@fast.example.com" folder_ids = { networking = null networking-dev = null diff --git a/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml b/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml new file mode 100644 index 0000000000..bfbffc9054 --- /dev/null +++ b/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml 
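Review bot: Both fixtures for the merged stage set `enable_test_instances = true` (here in ncc-ra.tfvars and in the simple.tfvars hunk under tests/fast/stages/s2_networking_b_nva), so neither plan exercises the stage with the test instances disabled, which is presumably how it is deployed outside tests. Setting the flag to `false` in one fixture, or adding a third, would cover that path and keep the expected counts meaningful for it; `enable_ncc_ra` already gets both values (true here, false in simple.tfvars). The variable's default and the resources it gates are outside this view.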
@@ -0,0 +1,53 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+
+counts:
+ google_compute_address: 8
+ google_compute_external_vpn_gateway: 2
+ google_compute_firewall: 12
+ google_compute_firewall_policy: 1
+ google_compute_firewall_policy_association: 1
+ google_compute_firewall_policy_rule: 4
+ google_compute_ha_vpn_gateway: 2
+ google_compute_instance: 4
+ google_compute_network: 4
+ google_compute_network_peering: 4
+ google_compute_route: 7
+ google_compute_router: 8
+ google_compute_router_interface: 12
+ google_compute_router_nat: 2
+ google_compute_router_peer: 20
+ google_compute_shared_vpc_host_project: 3
+ google_compute_subnetwork: 12
+ google_compute_vpn_tunnel: 4
+ google_dns_managed_zone: 9
+ google_dns_policy: 4
+ google_dns_record_set: 3
+ google_dns_response_policy: 1
+ google_dns_response_policy_rule: 34
+ google_essential_contacts_contact: 1
+ google_folder: 1
+ google_monitoring_alert_policy: 2
+ google_monitoring_dashboard: 3
+ google_monitoring_monitored_project: 2
+ google_network_connectivity_hub: 2
+ google_network_connectivity_spoke: 4
+ google_project: 3
+ google_project_iam_binding: 6
+ google_project_iam_member: 2
+ google_project_service: 21
+ google_project_service_identity: 5
+ google_storage_bucket_object: 2
+ modules: 39
+ random_id: 2
+ resources: 219
diff --git a/tests/fast/stages/s2_networking_c_nva/simple.tfvars b/tests/fast/stages/s2_networking_b_nva/simple.tfvars similarity index 94% rename from tests/fast/stages/s2_networking_c_nva/simple.tfvars rename to tests/fast/stages/s2_networking_b_nva/simple.tfvars index c2a9cef0bd..d1dff817d7 100644 --- a/tests/fast/stages/s2_networking_c_nva/simple.tfvars +++ b/tests/fast/stages/s2_networking_b_nva/simple.tfvars @@ -11,8 +11,10 @@ dns = { resolvers = ["10.10.10.10"] enable_logging = true } -enable_cloud_nat = true -essential_contacts = "gcp-network-admins@fast.example.com" +enable_cloud_nat = true +enable_ncc_ra = false +enable_test_instances = true +essential_contacts = "gcp-network-admins@fast.example.com" folder_ids = { networking = null networking-dev = null diff --git a/tests/fast/stages/s2_networking_c_nva/simple.yaml b/tests/fast/stages/s2_networking_b_nva/simple.yaml similarity index 97% rename from tests/fast/stages/s2_networking_c_nva/simple.yaml rename to tests/fast/stages/s2_networking_b_nva/simple.yaml index 482c466163..ce3f4414fb 100644 --- a/tests/fast/stages/s2_networking_c_nva/simple.yaml +++ b/tests/fast/stages/s2_networking_b_nva/simple.yaml @@ -14,7 +14,7 @@ counts: google_compute_external_vpn_gateway: 2 - google_compute_firewall: 9 + google_compute_firewall: 12 google_compute_firewall_policy: 1 google_compute_firewall_policy_association: 1 google_compute_firewall_policy_rule: 4 @@ -53,4 +53,4 @@ counts: google_vpc_access_connector: 2 modules: 43 random_id: 2 - resources: 202 + resources: 205 diff --git a/tests/fast/stages/s2_networking_c_nva/tftest.yaml b/tests/fast/stages/s2_networking_b_nva/tftest.yaml similarity index 84% rename from tests/fast/stages/s2_networking_c_nva/tftest.yaml rename to tests/fast/stages/s2_networking_b_nva/tftest.yaml index a86a8447db..1f01f3a918 100644 --- a/tests/fast/stages/s2_networking_c_nva/tftest.yaml +++ b/tests/fast/stages/s2_networking_b_nva/tftest.yaml 
@@ -12,9 +12,12 @@ # See the License for the specific language governing permissions and # limitations under the License. -module: fast/stages/2-networking-c-nva +module: fast/stages/2-networking-b-nva tests: simple: extra_files: - ../../plugins/2-networking-serverless-connector/*.tf + ncc-ra: + extra_files: + - ../../plugins/2-networking-serverless-connector/*.tf diff --git a/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml b/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml deleted file mode 100644 index ec19296012..0000000000 --- a/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml +++ /dev/null 
@@ -1,3703 +0,0 @@ -# Copyright 2024 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and - -values: - google_compute_address.nva_static_ip_dmz["primary-b"]: - address: 10.64.128.101 - address_type: INTERNAL - description: null - ip_version: null - ipv6_endpoint_type: null - labels: null - name: nva-ip-dmz-ew1-b - network: null - project: fast2-prod-net-landing-0 - region: europe-west1 - timeouts: null - google_compute_address.nva_static_ip_dmz["primary-c"]: - address: 10.64.128.102 - address_type: INTERNAL - description: null - ip_version: null - ipv6_endpoint_type: null - labels: null - name: nva-ip-dmz-ew1-c - network: null - project: fast2-prod-net-landing-0 - region: europe-west1 - timeouts: null - google_compute_address.nva_static_ip_dmz["secondary-b"]: - address: 10.80.128.101 - address_type: INTERNAL - description: null - ip_version: null - ipv6_endpoint_type: null - labels: null - name: nva-ip-dmz-ew4-b - network: null - project: fast2-prod-net-landing-0 - region: europe-west4 - timeouts: null - google_compute_address.nva_static_ip_dmz["secondary-c"]: - address: 10.80.128.102 - address_type: INTERNAL - description: null - ip_version: null - ipv6_endpoint_type: null - labels: null - name: nva-ip-dmz-ew4-c - network: null - project: fast2-prod-net-landing-0 - region: europe-west4 - timeouts: null - google_compute_address.nva_static_ip_landing["primary-b"]: - address: 10.64.0.101 - address_type: INTERNAL - description: null - ip_version: null - ipv6_endpoint_type: null - labels: null - 
name: nva-ip-landing-ew1-b - network: null - project: fast2-prod-net-landing-0 - region: europe-west1 - timeouts: null - google_compute_address.nva_static_ip_landing["primary-c"]: - address: 10.64.0.102 - address_type: INTERNAL - description: null - ip_version: null - ipv6_endpoint_type: null - labels: null - name: nva-ip-landing-ew1-c - network: null - project: fast2-prod-net-landing-0 - region: europe-west1 - timeouts: null - google_compute_address.nva_static_ip_landing["secondary-b"]: - address: 10.80.0.101 - address_type: INTERNAL - description: null - ip_version: null - ipv6_endpoint_type: null - labels: null - name: nva-ip-landing-ew4-b - network: null - project: fast2-prod-net-landing-0 - region: europe-west4 - timeouts: null - google_compute_address.nva_static_ip_landing["secondary-c"]: - address: 10.80.0.102 - address_type: INTERNAL - description: null - ip_version: null - ipv6_endpoint_type: null - labels: null - name: nva-ip-landing-ew4-c - network: null - project: fast2-prod-net-landing-0 - region: europe-west4 - timeouts: null - google_monitoring_alert_policy.vpn_tunnel_bandwidth[0]: - alert_strategy: [] - combiner: OR - conditions: - - condition_absent: [] - condition_matched_log: [] - condition_monitoring_query_language: - - duration: 120s - evaluation_missing_data: null - query: - fetch vpn_gateway| { metric vpn.googleapis.com/network/sent_bytes_count; - metric vpn.googleapis.com/network/received_bytes_count }| align rate (1m)| - group_by [metric.tunnel_name]| outer_join 0,0| value val(0) + val(1)| condition - val() > 187.5 "MBy/s" - trigger: - - count: 1 - percent: null - condition_prometheus_query_language: [] - condition_threshold: [] - display_name: VPN Tunnel Bandwidth usage - display_name: VPN Tunnel Bandwidth usage - documentation: [] - enabled: true - notification_channels: [] - project: fast2-prod-net-landing-0 - severity: null - timeouts: null - user_labels: null - google_monitoring_alert_policy.vpn_tunnel_established[0]: - alert_strategy: 
[] - combiner: OR - conditions: - - condition_absent: [] - condition_matched_log: [] - condition_monitoring_query_language: - - duration: 120s - evaluation_missing_data: null - query: - "fetch vpn_gateway| metric vpn.googleapis.com/tunnel_established| group_by - 5m, [value_tunnel_established_max: max(value.tunnel_established)]| every - 5m| condition val() < 1 '1'" - trigger: - - count: 1 - percent: null - condition_prometheus_query_language: [] - condition_threshold: [] - display_name: VPN Tunnel Established - display_name: VPN Tunnel Established - documentation: [] - enabled: true - notification_channels: [] - project: fast2-prod-net-landing-0 - severity: null - timeouts: null - user_labels: null - google_monitoring_dashboard.dashboard["firewall_insights.json"]: - dashboard_json: - '{"displayName":"Firewall Insights Monitoring","gridLayout":{"columns":"2","widgets":[{"title":"Subnet - Firewall Hit Counts","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"firewallinsights.googleapis.com/subnet/firewall_hit_count\" - resource.type=\"gce_subnetwork\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},{"title":"VM - Firewall Hit Counts","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"firewallinsights.googleapis.com/vm/firewall_hit_count\" - resource.type=\"gce_instance\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}}]}}' - project: fast2-prod-net-landing-0 - timeouts: null - ? 
google_monitoring_dashboard.dashboard["vpc_and_vpc_peering_group_quotas.json"] - : dashboard_json: - '{"dashboardFilters":[],"displayName":"VPC \u0026 VPC Peering - Group Quotas","labels":{},"mosaicLayout":{"columns":12,"tiles":[{"height":4,"widget":{"title":"Internal - network (L4) Load Balancers per VPC Peering Group","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"breakdowns":[],"dimensions":[],"measures":[],"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch - compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/internal_lb_forwarding_rules_per_peering_group/usage\n | - align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], - .max()\n ; metric\n compute.googleapis.com/quota/internal_lb_forwarding_rules_per_peering_group/limit\n | - align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], - .min() }\n| ratio\n| value cast_units(val()*100, \"%\")","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"xPos":6},{"height":4,"widget":{"title":"Internal - network (L4) Load Balancers per VPC","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch - compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/internal_lb_forwarding_rules_per_vpc_network/usage\n | - align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], - .max()\n ; metric\n compute.googleapis.com/quota/internal_lb_forwarding_rules_per_vpc_network/limit\n | - align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], - .min() }\n| ratio\n| value cast_units(val()*100, \"%\")","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6},{"height":4,"widget":{"title":"Internal - application (L7) Load Balancers per 
VPC","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"breakdowns":[],"dimensions":[],"measures":[],"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch - compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/internal_managed_forwarding_rules_per_vpc_network/usage\n | - align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], - .max()\n ; metric\n compute.googleapis.com/quota/internal_managed_forwarding_rules_per_vpc_network/limit\n | - align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], - .min() }\n| ratio\n| value cast_units(val()*100, \"%\")","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"yPos":4},{"height":4,"widget":{"title":"Internal - application (L7) Load Balancers per VPC Peering Group","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"breakdowns":[],"dimensions":[],"measures":[],"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch - compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/internal_managed_forwarding_rules_per_peering_group/usage\n | - align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], - .max()\n ; metric\n compute.googleapis.com/quota/internal_managed_forwarding_rules_per_peering_group/limit\n | - align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], - .min() }\n| ratio\n| value cast_units(val()*100, \"%\")","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"xPos":6,"yPos":4},{"height":4,"widget":{"title":"Instances - per VPC","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch - compute.googleapis.com/VpcNetwork\n|{ metric\n 
compute.googleapis.com/quota/instances_per_vpc_network/usage\n | - align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], - .max()\n ; metric\n compute.googleapis.com/quota/instances_per_vpc_network/limit\n | - align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], - .min() }\n| ratio\n| value cast_units(val()*100, \"%\") ","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"yPos":8},{"height":4,"widget":{"title":"Instances - per VPC Peering Group","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch - compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/instances_per_peering_group/usage\n | - align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], - .max()\n ; metric\n compute.googleapis.com/quota/instances_per_peering_group/limit\n | - align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], - .min() }\n| ratio\n| value cast_units(val()*100, \"%\")","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"xPos":6,"yPos":8},{"height":4,"widget":{"title":"Subnet - ranges per VPC","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch - compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/subnet_ranges_per_vpc_network/usage\n | - align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], - .max()\n ; metric\n compute.googleapis.com/quota/subnet_ranges_per_vpc_network/limit\n | - align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], - .min() }\n| ratio\n| value cast_units(val()*100, 
\"%\")","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"yPos":12},{"height":4,"widget":{"title":"Subnet - ranges per VPC Peering Group","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch - compute.googleapis.com/VpcNetwork\n|{ metric\n compute.googleapis.com/quota/subnet_ranges_per_peering_group/usage\n | - align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], - .max()\n ; metric\n compute.googleapis.com/quota/subnet_ranges_per_peering_group/limit\n | - align next_older(1d)\n | group_by [resource.resource_container, metric.limit_name], - .min() }\n| ratio\n| value cast_units(val()*100, \"%\") ","unitOverride":""}}],"thresholds":[],"timeshiftDuration":"0s","yAxis":{"label":"","scale":"LINEAR"}}},"width":6,"xPos":6,"yPos":12}]}}' - project: fast2-prod-net-landing-0 - timeouts: null - google_monitoring_dashboard.dashboard["vpn.json"]: - dashboard_json: - '{"displayName":"VPN Monitoring","mosaicLayout":{"columns":12,"tiles":[{"height":4,"widget":{"title":"Number - of connections","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_MEAN"},"filter":"metric.type=\"vpn.googleapis.com/gateway/connections\" - resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":4},{"height":4,"widget":{"title":"Tunnel - established","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_MEAN"},"filter":"metric.type=\"vpn.googleapis.com/tunnel_established\" - 
resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":4,"xPos":4},{"height":4,"widget":{"title":"VPN - Tunnel Bandwidth usage","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch - vpn_gateway| { metric vpn.googleapis.com/network/sent_bytes_count; metric vpn.googleapis.com/network/received_bytes_count - }| align rate (1m)| group_by [metric.tunnel_name]| outer_join 0,0| value val(0) - + val(1)| condition val() \u003e 187.5 \"MBy/s\""}}],"thresholds":[{"targetAxis":"Y1","value":187500000}],"timeshiftDuration":"0s","yAxis":{"scale":"LINEAR"}}},"width":4,"xPos":8},{"height":4,"widget":{"title":"Cloud - VPN Gateway - Received bytes","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"vpn.googleapis.com/network/received_bytes_count\" - resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"By"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":6,"yPos":4},{"height":4,"widget":{"title":"Cloud - VPN Gateway - Sent bytes","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"vpn.googleapis.com/network/sent_bytes_count\" - resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"By"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":6,"xPos":6,"yPos":4},{"height":4,"widget":{"title":"Cloud - VPN Gateway - Received 
packets","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"vpn.googleapis.com/network/received_packets_count\" - resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"{packets}"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":6,"yPos":8},{"height":4,"widget":{"title":"Cloud - VPN Gateway - Sent packets","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"vpn.googleapis.com/network/sent_packets_count\" - resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"{packets}"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":6,"xPos":6,"yPos":8},{"height":4,"widget":{"title":"Incoming - packets dropped","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"vpn.googleapis.com/network/dropped_received_packets_count\" - resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":6,"xPos":6,"yPos":12},{"height":4,"widget":{"title":"Outgoing - packets dropped","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"vpn.googleapis.com/network/dropped_sent_packets_count\" - 
resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":6,"yPos":12}]}}' - project: fast2-prod-net-landing-0 - timeouts: null - google_network_connectivity_hub.hub_dmz: - description: Prod hub DMZ (untrusted) - labels: null - name: prod-hub-dmz - project: fast2-prod-net-landing-0 - timeouts: null - google_network_connectivity_hub.hub_landing: - description: Prod hub landing (trusted) - labels: null - name: prod-hub-landing - project: fast2-prod-net-landing-0 - timeouts: null - google_storage_bucket_object.tfvars: - bucket: test - cache_control: null - content_disposition: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: tfvars/2-networking.auto.tfvars.json - retention: [] - source: null - temporary_hold: null - timeouts: null - ? module.dev-dns-peer-landing-rev-10.google_dns_managed_zone.dns_managed_zone[0] - : cloud_logging_config: - - enable_logging: false - description: Terraform managed. - dns_name: 10.in-addr.arpa. - dnssec_config: [] - force_destroy: false - forwarding_config: [] - labels: null - name: dev-reverse-10-dns-peering - project: fast2-dev-net-spoke-0 - reverse_lookup: false - service_directory_config: [] - timeouts: null - visibility: private - module.dev-dns-peer-landing-root.google_dns_managed_zone.dns_managed_zone[0]: - cloud_logging_config: - - enable_logging: false - description: Terraform managed. - dns_name: . - dnssec_config: [] - force_destroy: false - forwarding_config: [] - labels: null - name: dev-root-dns-peering - project: fast2-dev-net-spoke-0 - reverse_lookup: false - service_directory_config: [] - timeouts: null - visibility: private - module.dev-dns-private-zone.google_dns_managed_zone.dns_managed_zone[0]: - cloud_logging_config: - - enable_logging: false - description: Terraform managed. 
- dns_name: dev.gcp.example.com. - dnssec_config: [] - force_destroy: false - forwarding_config: [] - labels: null - name: dev-gcp-example-com - peering_config: [] - project: fast2-dev-net-spoke-0 - service_directory_config: [] - timeouts: null - visibility: private - ? module.dev-dns-private-zone.google_dns_record_set.dns_record_set["A localhost"] - : managed_zone: dev-gcp-example-com - name: localhost.dev.gcp.example.com. - project: fast2-dev-net-spoke-0 - routing_policy: [] - rrdatas: - - 127.0.0.1 - ttl: 300 - type: A - ? module.dev-spoke-firewall.google_compute_firewall.custom-rules["ingress-allow-composer-nodes"] - : allow: - - ports: - - "80" - - "443" - - "3306" - - "3307" - protocol: tcp - deny: [] - description: Allow traffic to Composer nodes. - direction: INGRESS - disabled: false - log_config: [] - name: ingress-allow-composer-nodes - network: dev-spoke-0 - priority: 1000 - project: fast2-dev-net-spoke-0 - source_ranges: null - source_service_accounts: null - source_tags: - - composer-worker - target_service_accounts: null - target_tags: - - composer-worker - timeouts: null - ? module.dev-spoke-firewall.google_compute_firewall.custom-rules["ingress-allow-dataflow-load"] - : allow: - - ports: - - "12345" - - "12346" - protocol: tcp - deny: [] - description: Allow traffic to Dataflow nodes. - direction: INGRESS - disabled: false - log_config: [] - name: ingress-allow-dataflow-load - network: dev-spoke-0 - priority: 1000 - project: fast2-dev-net-spoke-0 - source_ranges: null - source_service_accounts: null - source_tags: - - dataflow - target_service_accounts: null - target_tags: - - dataflow - timeouts: null - ? module.dev-spoke-firewall.google_compute_firewall.custom-rules["ingress-default-deny"] - : allow: [] - deny: - - ports: [] - protocol: all - description: Deny and log any unmatched ingress traffic. 
- direction: INGRESS - disabled: false - log_config: - - metadata: EXCLUDE_ALL_METADATA - name: ingress-default-deny - network: dev-spoke-0 - priority: 65535 - project: fast2-dev-net-spoke-0 - source_ranges: - - 0.0.0.0/0 - source_service_accounts: null - source_tags: null - target_service_accounts: null - target_tags: null - timeouts: null - ? module.dev-spoke-project.google_compute_shared_vpc_host_project.shared_vpc_host[0] - : project: fast2-dev-net-spoke-0 - timeouts: null - ? module.dev-spoke-project.google_monitoring_monitored_project.primary["fast2-prod-net-landing-0"] - : metrics_scope: fast2-prod-net-landing-0 - name: fast2-dev-net-spoke-0 - timeouts: null - module.dev-spoke-project.google_project.project[0]: - auto_create_network: false - billing_account: 000000-111111-222222 - folder_id: null - labels: null - name: fast2-dev-net-spoke-0 - org_id: null - project_id: fast2-dev-net-spoke-0 - skip_delete: false - timeouts: null - ? module.dev-spoke-project.google_project_iam_binding.authoritative["roles/dns.admin"] - : condition: [] - members: - - serviceAccount:string - project: fast2-dev-net-spoke-0 - role: roles/dns.admin - ? module.dev-spoke-project.google_project_iam_binding.bindings["sa_delegated_grants"] - : condition: - - description: Development host project delegated grants. - expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/composer.sharedVpcAgent','roles/compute.networkUser','roles/compute.networkViewer','roles/container.hostServiceAgentUser','roles/multiclusterservicediscovery.serviceAgent','roles/vpcaccess.user']) - title: dev_stage3_sa_delegated_grants - members: - - serviceAccount:string - project: fast2-dev-net-spoke-0 - role: roles/resourcemanager.projectIamAdmin - module.dev-spoke-project.google_project_iam_member.servicenetworking[0]: - condition: [] - project: fast2-dev-net-spoke-0 - role: roles/servicenetworking.serviceAgent - ? 
module.dev-spoke-project.google_project_service.project_services["compute.googleapis.com"] - : disable_dependent_services: false - disable_on_destroy: false - project: fast2-dev-net-spoke-0 - service: compute.googleapis.com - timeouts: null - ? module.dev-spoke-project.google_project_service.project_services["dns.googleapis.com"] - : disable_dependent_services: false - disable_on_destroy: false - project: fast2-dev-net-spoke-0 - service: dns.googleapis.com - timeouts: null - ? module.dev-spoke-project.google_project_service.project_services["iap.googleapis.com"] - : disable_dependent_services: false - disable_on_destroy: false - project: fast2-dev-net-spoke-0 - service: iap.googleapis.com - timeouts: null - ? module.dev-spoke-project.google_project_service.project_services["networkmanagement.googleapis.com"] - : disable_dependent_services: false - disable_on_destroy: false - project: fast2-dev-net-spoke-0 - service: networkmanagement.googleapis.com - timeouts: null - ? module.dev-spoke-project.google_project_service.project_services["servicenetworking.googleapis.com"] - : disable_dependent_services: false - disable_on_destroy: false - project: fast2-dev-net-spoke-0 - service: servicenetworking.googleapis.com - timeouts: null - ? module.dev-spoke-project.google_project_service.project_services["stackdriver.googleapis.com"] - : disable_dependent_services: false - disable_on_destroy: false - project: fast2-dev-net-spoke-0 - service: stackdriver.googleapis.com - timeouts: null - ? module.dev-spoke-project.google_project_service.project_services["vpcaccess.googleapis.com"] - : disable_dependent_services: false - disable_on_destroy: false - project: fast2-dev-net-spoke-0 - service: vpcaccess.googleapis.com - timeouts: null - ? 
module.dev-spoke-project.google_project_service_identity.jit_si["iap.googleapis.com"] - : project: fast2-dev-net-spoke-0 - service: iap.googleapis.com - timeouts: null - module.dev-spoke-project.google_project_service_identity.servicenetworking[0]: - project: fast2-dev-net-spoke-0 - service: servicenetworking.googleapis.com - timeouts: null - module.dev-spoke-vpc.google_compute_network.network[0]: - auto_create_subnetworks: false - delete_default_routes_on_create: true - description: Terraform-managed. - enable_ula_internal_ipv6: null - mtu: 1500 - name: dev-spoke-0 - network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL - project: fast2-dev-net-spoke-0 - routing_mode: GLOBAL - timeouts: null - module.dev-spoke-vpc.google_compute_route.gateway["private-googleapis"]: - description: Terraform-managed. - dest_range: 199.36.153.8/30 - name: dev-spoke-0-private-googleapis - network: dev-spoke-0 - next_hop_gateway: default-internet-gateway - next_hop_ilb: null - next_hop_instance: null - next_hop_vpn_tunnel: null - priority: 1000 - project: fast2-dev-net-spoke-0 - tags: null - timeouts: null - module.dev-spoke-vpc.google_compute_route.gateway["restricted-googleapis"]: - description: Terraform-managed. - dest_range: 199.36.153.4/30 - name: dev-spoke-0-restricted-googleapis - network: dev-spoke-0 - next_hop_gateway: default-internet-gateway - next_hop_ilb: null - next_hop_instance: null - next_hop_vpn_tunnel: null - priority: 1000 - project: fast2-dev-net-spoke-0 - tags: null - timeouts: null - ? 
module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/dev-dataplatform"] - : description: Default subnet for dev Data Platform - ip_cidr_range: 10.68.2.0/24 - ipv6_access_type: null - log_config: [] - name: dev-dataplatform - network: dev-spoke-0 - private_ip_google_access: true - project: fast2-dev-net-spoke-0 - region: europe-west1 - role: null - secondary_ip_range: - - ip_cidr_range: 100.69.0.0/16 - range_name: pods - - ip_cidr_range: 100.71.2.0/24 - range_name: services - timeouts: null - ? module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/dev-default"] - : description: Default europe-west1 subnet for dev - ip_cidr_range: 10.68.0.0/24 - ipv6_access_type: null - log_config: [] - name: dev-default - network: dev-spoke-0 - private_ip_google_access: true - project: fast2-dev-net-spoke-0 - region: europe-west1 - role: null - timeouts: null - ? module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/dev-gke-nodes"] - : description: Default subnet for prod gke nodes - ip_cidr_range: 10.68.1.0/24 - ipv6_access_type: null - log_config: [] - name: dev-gke-nodes - network: dev-spoke-0 - private_ip_google_access: true - project: fast2-dev-net-spoke-0 - region: europe-west1 - role: null - secondary_ip_range: - - ip_cidr_range: 100.68.0.0/16 - range_name: pods - - ip_cidr_range: 100.71.1.0/24 - range_name: services - timeouts: null - ? 
module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west4/dev-default"] - : description: Default europe-west4 subnet for dev - ip_cidr_range: 10.84.0.0/24 - ipv6_access_type: null - log_config: [] - name: dev-default - network: dev-spoke-0 - private_ip_google_access: true - project: fast2-dev-net-spoke-0 - region: europe-west4 - role: null - timeouts: null - module.dev-spoke-vpc.google_dns_policy.default[0]: - alternative_name_server_config: [] - description: Managed by Terraform - enable_inbound_forwarding: null - enable_logging: true - name: dev-spoke-0 - networks: - - {} - project: fast2-dev-net-spoke-0 - timeouts: null - ? module.dmz-firewall.google_compute_firewall.custom-rules["allow-hc-nva-ssh-dmz"] - : allow: - - ports: - - "22" - protocol: tcp - deny: [] - description: Allow traffic from Google healthchecks to NVA appliances - direction: INGRESS - disabled: false - log_config: [] - name: allow-hc-nva-ssh-dmz - network: prod-dmz-0 - priority: 1000 - project: fast2-prod-net-landing-0 - source_ranges: - - 130.211.0.0/22 - - 209.85.152.0/22 - - 209.85.204.0/22 - - 35.191.0.0/16 - source_service_accounts: null - source_tags: null - target_service_accounts: null - target_tags: null - timeouts: null - ? module.dmz-firewall.google_compute_firewall.custom-rules["allow-ncc-nva-bgp-dmz"] - : allow: - - ports: - - "179" - protocol: tcp - deny: [] - description: Allow BGP traffic from NCC Cloud Routers to NVAs - direction: INGRESS - disabled: false - log_config: [] - name: allow-ncc-nva-bgp-dmz - network: prod-dmz-0 - priority: 1000 - project: fast2-prod-net-landing-0 - source_ranges: - - 10.128.0.201/32 - - 10.128.0.202/32 - - 10.128.32.201/32 - - 10.128.32.202/32 - source_service_accounts: null - source_tags: null - target_service_accounts: null - target_tags: - - nva - timeouts: null - ? 
module.dmz-firewall.google_compute_firewall.custom-rules["allow-nva-nva-bgp-dmz"] - : allow: - - ports: - - "179" - protocol: tcp - deny: [] - description: Allow BGP traffic from cross-regional NVAs - direction: INGRESS - disabled: false - log_config: [] - name: allow-nva-nva-bgp-dmz - network: prod-dmz-0 - priority: 1000 - project: fast2-prod-net-landing-0 - source_ranges: null - source_service_accounts: null - source_tags: - - nva - target_service_accounts: null - target_tags: - - nva - timeouts: null - ? module.dmz-firewall.google_compute_firewall.custom-rules["dmz-ingress-default-deny"] - : allow: [] - deny: - - ports: [] - protocol: all - description: Deny and log any unmatched ingress traffic. - direction: INGRESS - disabled: false - log_config: - - metadata: EXCLUDE_ALL_METADATA - name: dmz-ingress-default-deny - network: prod-dmz-0 - priority: 65535 - project: fast2-prod-net-landing-0 - source_ranges: - - 0.0.0.0/0 - source_service_accounts: null - source_tags: null - target_service_accounts: null - target_tags: null - timeouts: null - module.dmz-vpc.google_compute_network.network[0]: - auto_create_subnetworks: false - delete_default_routes_on_create: false - description: Terraform-managed. - enable_ula_internal_ipv6: null - mtu: 1500 - name: prod-dmz-0 - network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL - project: fast2-prod-net-landing-0 - routing_mode: GLOBAL - timeouts: null - ? module.dmz-vpc.google_compute_subnetwork.subnetwork["europe-west1/dmz-default"] - : description: Default europe-west1 subnet for DMZ - ip_cidr_range: 10.64.128.0/24 - ipv6_access_type: null - log_config: [] - name: dmz-default - network: prod-dmz-0 - private_ip_google_access: true - project: fast2-prod-net-landing-0 - region: europe-west1 - role: null - timeouts: null - ? 
module.dmz-vpc.google_compute_subnetwork.subnetwork["europe-west4/dmz-default"] - : description: Default europe-west4 subnet for DMZ - ip_cidr_range: 10.80.128.0/24 - ipv6_access_type: null - log_config: [] - name: dmz-default - network: prod-dmz-0 - private_ip_google_access: true - project: fast2-prod-net-landing-0 - region: europe-west4 - role: null - timeouts: null - module.dmz-vpc.google_dns_policy.default[0]: - alternative_name_server_config: [] - description: Managed by Terraform - enable_inbound_forwarding: true - enable_logging: true - name: prod-dmz-0 - networks: - - {} - project: fast2-prod-net-landing-0 - timeouts: null - module.firewall-policy-default.google_compute_firewall_policy.hierarchical[0]: - description: null - short_name: net-default - timeouts: null - ? module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-healthchecks"] - : action: allow - description: Enable SSH, HTTP and HTTPS healthchecks - direction: INGRESS - disabled: false - enable_logging: null - match: - - dest_address_groups: null - dest_fqdns: null - dest_ip_ranges: null - dest_region_codes: null - dest_threat_intelligences: null - layer4_configs: - - ip_protocol: tcp - ports: - - "22" - - "80" - - "443" - src_address_groups: null - src_fqdns: null - src_ip_ranges: - - 35.191.0.0/16 - - 130.211.0.0/22 - - 209.85.152.0/22 - - 209.85.204.0/22 - src_region_codes: null - src_threat_intelligences: null - priority: 1001 - target_resources: null - target_service_accounts: null - timeouts: null - ? 
module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-icmp"] - : action: allow - description: Enable ICMP - direction: INGRESS - disabled: false - enable_logging: null - match: - - dest_address_groups: null - dest_fqdns: null - dest_ip_ranges: null - dest_region_codes: null - dest_threat_intelligences: null - layer4_configs: - - ip_protocol: icmp - ports: [] - src_address_groups: null - src_fqdns: null - src_ip_ranges: - - 0.0.0.0/0 - src_region_codes: null - src_threat_intelligences: null - priority: 1003 - target_resources: null - target_service_accounts: null - timeouts: null - ? module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-nat-ranges"] - : action: allow - description: Enable NAT ranges for VPC serverless connector - direction: INGRESS - disabled: false - enable_logging: null - match: - - dest_address_groups: null - dest_fqdns: null - dest_ip_ranges: null - dest_region_codes: null - dest_threat_intelligences: null - layer4_configs: - - ip_protocol: all - ports: null - src_address_groups: null - src_fqdns: null - src_ip_ranges: - - 107.178.230.64/26 - - 35.199.224.0/19 - src_region_codes: null - src_threat_intelligences: null - priority: 1004 - target_resources: null - target_service_accounts: null - timeouts: null - ? 
module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-ssh-from-iap"] - : action: allow - description: Enable SSH from IAP - direction: INGRESS - disabled: false - enable_logging: true - match: - - dest_address_groups: null - dest_fqdns: null - dest_ip_ranges: null - dest_region_codes: null - dest_threat_intelligences: null - layer4_configs: - - ip_protocol: tcp - ports: - - "22" - src_address_groups: null - src_fqdns: null - src_ip_ranges: - - 35.235.240.0/20 - src_region_codes: null - src_threat_intelligences: null - priority: 1002 - target_resources: null - target_service_accounts: null - timeouts: null - module.folder.google_compute_firewall_policy_association.default[0]: - name: default - timeouts: null - ? module.folder.google_essential_contacts_contact.contact["gcp-network-admins@fast.example.com"] - : email: gcp-network-admins@fast.example.com - language_tag: en - notification_category_subscriptions: - - ALL - timeouts: null - module.folder.google_folder.folder[0]: - display_name: Networking - parent: organizations/123456789012 - timeouts: null - ? module.landing-dns-fwd-onprem-example[0].google_dns_managed_zone.dns_managed_zone[0] - : cloud_logging_config: - - enable_logging: false - description: Terraform managed. - dns_name: onprem.example.com. - dnssec_config: [] - force_destroy: false - forwarding_config: - - target_name_servers: - - forwarding_path: "" - ipv4_address: 10.10.10.10 - labels: null - name: example-com - peering_config: [] - project: fast2-prod-net-landing-0 - reverse_lookup: false - service_directory_config: [] - timeouts: null - visibility: private - ? module.landing-dns-fwd-onprem-rev-10[0].google_dns_managed_zone.dns_managed_zone[0] - : cloud_logging_config: - - enable_logging: false - description: Terraform managed. - dns_name: 10.in-addr.arpa. 
- dnssec_config: [] - force_destroy: false - forwarding_config: - - target_name_servers: - - forwarding_path: "" - ipv4_address: 10.10.10.10 - labels: null - name: root-reverse-10 - peering_config: [] - project: fast2-prod-net-landing-0 - reverse_lookup: false - service_directory_config: [] - timeouts: null - visibility: private - module.landing-dns-policy-googleapis.google_dns_response_policy.default[0]: - description: Terraform managed. - gke_clusters: [] - networks: - - {} - - {} - project: fast2-prod-net-landing-0 - response_policy_name: googleapis - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["accounts"] - : behavior: null - dns_name: accounts.google.com. - local_data: - - local_datas: - - name: accounts.google.com. - rrdatas: - - private.googleapis.com. - ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: accounts - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-cloud"] - : behavior: null - dns_name: backupdr.cloud.google.com. - local_data: - - local_datas: - - name: backupdr.cloud.google.com. - rrdatas: - - private.googleapis.com. - ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: backupdr-cloud - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-cloud-all"] - : behavior: null - dns_name: "*.backupdr.cloud.google.com." - local_data: - - local_datas: - - name: "*.backupdr.cloud.google.com." - rrdatas: - - private.googleapis.com. - ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: backupdr-cloud-all - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-gu"] - : behavior: null - dns_name: backupdr.googleusercontent.google.com. 
- local_data: - - local_datas: - - name: backupdr.googleusercontent.google.com. - rrdatas: - - private.googleapis.com. - ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: backupdr-gu - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-gu-all"] - : behavior: null - dns_name: "*.backupdr.googleusercontent.google.com." - local_data: - - local_datas: - - name: "*.backupdr.googleusercontent.google.com." - rrdatas: - - private.googleapis.com. - ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: backupdr-gu-all - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["cloudfunctions"] - : behavior: null - dns_name: "*.cloudfunctions.net." - local_data: - - local_datas: - - name: "*.cloudfunctions.net." - rrdatas: - - private.googleapis.com. - ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: cloudfunctions - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["cloudproxy"] - : behavior: null - dns_name: "*.cloudproxy.app." - local_data: - - local_datas: - - name: "*.cloudproxy.app." - rrdatas: - - private.googleapis.com. - ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: cloudproxy - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["composer-cloud-all"] - : behavior: null - dns_name: "*.composer.cloud.google.com." - local_data: - - local_datas: - - name: "*.composer.cloud.google.com." - rrdatas: - - private.googleapis.com. - ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: composer-cloud-all - timeouts: null - ? 
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["composer-gu-all"] - : behavior: null - dns_name: "*.composer.googleusercontent.com." - local_data: - - local_datas: - - name: "*.composer.googleusercontent.com." - rrdatas: - - private.googleapis.com. - ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: composer-gu-all - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["datafusion-all"] - : behavior: null - dns_name: "*.datafusion.cloud.google.com." - local_data: - - local_datas: - - name: "*.datafusion.cloud.google.com." - rrdatas: - - private.googleapis.com. - ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: datafusion-all - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["datafusion-gu-all"] - : behavior: null - dns_name: "*.datafusion.googleusercontent.com." - local_data: - - local_datas: - - name: "*.datafusion.googleusercontent.com." - rrdatas: - - private.googleapis.com. - ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: datafusion-gu-all - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc"] - : behavior: null - dns_name: dataproc.cloud.google.com. - local_data: - - local_datas: - - name: dataproc.cloud.google.com. - rrdatas: - - private.googleapis.com. - ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: dataproc - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc-all"] - : behavior: null - dns_name: "*.dataproc.cloud.google.com." - local_data: - - local_datas: - - name: "*.dataproc.cloud.google.com." - rrdatas: - - private.googleapis.com. 
- ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: dataproc-all - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc-gu"] - : behavior: null - dns_name: dataproc.googleusercontent.com. - local_data: - - local_datas: - - name: dataproc.googleusercontent.com. - rrdatas: - - private.googleapis.com. - ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: dataproc-gu - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc-gu-all"] - : behavior: null - dns_name: "*.dataproc.googleusercontent.com." - local_data: - - local_datas: - - name: "*.dataproc.googleusercontent.com." - rrdatas: - - private.googleapis.com. - ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: dataproc-gu-all - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dl"] - : behavior: null - dns_name: dl.google.com. - local_data: - - local_datas: - - name: dl.google.com. - rrdatas: - - private.googleapis.com. - ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: dl - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["gcr"] - : behavior: null - dns_name: gcr.io. - local_data: - - local_datas: - - name: gcr.io. - rrdatas: - - private.googleapis.com. - ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: gcr - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["gcr-all"] - : behavior: null - dns_name: "*.gcr.io." - local_data: - - local_datas: - - name: "*.gcr.io." - rrdatas: - - private.googleapis.com. 
- ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: gcr-all - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["googleapis-all"] - : behavior: null - dns_name: "*.googleapis.com." - local_data: - - local_datas: - - name: "*.googleapis.com." - rrdatas: - - private.googleapis.com. - ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: googleapis-all - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["googleapis-private"] - : behavior: null - dns_name: private.googleapis.com. - local_data: - - local_datas: - - name: private.googleapis.com. - rrdatas: - - 199.36.153.8 - - 199.36.153.9 - - 199.36.153.10 - - 199.36.153.11 - ttl: null - type: A - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: googleapis-private - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["googleapis-restricted"] - : behavior: null - dns_name: restricted.googleapis.com. - local_data: - - local_datas: - - name: restricted.googleapis.com. - rrdatas: - - 199.36.153.4 - - 199.36.153.5 - - 199.36.153.6 - - 199.36.153.7 - ttl: null - type: A - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: googleapis-restricted - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["gstatic-all"] - : behavior: null - dns_name: "*.gstatic.com." - local_data: - - local_datas: - - name: "*.gstatic.com." - rrdatas: - - private.googleapis.com. - ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: gstatic-all - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["kernels-gu"] - : behavior: null - dns_name: kernels.googleusercontent.com. 
- local_data: - - local_datas: - - name: kernels.googleusercontent.com. - rrdatas: - - private.googleapis.com. - ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: kernels-gu - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["kernels-gu-all"] - : behavior: null - dns_name: "*.kernels.googleusercontent.com." - local_data: - - local_datas: - - name: "*.kernels.googleusercontent.com." - rrdatas: - - private.googleapis.com. - ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: kernels-gu-all - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["notebooks-all"] - : behavior: null - dns_name: "*.notebooks.cloud.google.com." - local_data: - - local_datas: - - name: "*.notebooks.cloud.google.com." - rrdatas: - - private.googleapis.com. - ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: notebooks-all - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["notebooks-gu-all"] - : behavior: null - dns_name: "*.notebooks.googleusercontent.com." - local_data: - - local_datas: - - name: "*.notebooks.googleusercontent.com." - rrdatas: - - private.googleapis.com. - ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: notebooks-gu-all - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["packages-cloud"] - : behavior: null - dns_name: packages.cloud.google.com. - local_data: - - local_datas: - - name: packages.cloud.google.com. - rrdatas: - - private.googleapis.com. - ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: packages-cloud - timeouts: null - ? 
module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["packages-cloud-all"] - : behavior: null - dns_name: "*.packages.cloud.google.com." - local_data: - - local_datas: - - name: "*.packages.cloud.google.com." - rrdatas: - - private.googleapis.com. - ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: packages-cloud-all - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkgdev"] - : behavior: null - dns_name: pkg.dev. - local_data: - - local_datas: - - name: pkg.dev. - rrdatas: - - private.googleapis.com. - ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: pkgdev - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkgdev-all"] - : behavior: null - dns_name: "*.pkg.dev." - local_data: - - local_datas: - - name: "*.pkg.dev." - rrdatas: - - private.googleapis.com. - ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: pkgdev-all - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkigoog"] - : behavior: null - dns_name: pki.goog. - local_data: - - local_datas: - - name: pki.goog. - rrdatas: - - private.googleapis.com. - ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: pkigoog - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkigoog-all"] - : behavior: null - dns_name: "*.pki.goog." - local_data: - - local_datas: - - name: "*.pki.goog." - rrdatas: - - private.googleapis.com. - ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: pkigoog-all - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["run-all"] - : behavior: null - dns_name: "*.run.app." 
- local_data: - - local_datas: - - name: "*.run.app." - rrdatas: - - private.googleapis.com. - ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: run-all - timeouts: null - ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["source"] - : behavior: null - dns_name: source.developers.google.com. - local_data: - - local_datas: - - name: source.developers.google.com. - rrdatas: - - private.googleapis.com. - ttl: null - type: CNAME - project: fast2-prod-net-landing-0 - response_policy: googleapis - rule_name: source - timeouts: null - module.landing-dns-priv-gcp.google_dns_managed_zone.dns_managed_zone[0]: - cloud_logging_config: - - enable_logging: false - description: Terraform managed. - dns_name: gcp.example.com. - dnssec_config: [] - force_destroy: false - forwarding_config: [] - labels: null - name: gcp-example-com - peering_config: [] - project: fast2-prod-net-landing-0 - service_directory_config: [] - timeouts: null - visibility: private - ? module.landing-dns-priv-gcp.google_dns_record_set.dns_record_set["A localhost"] - : managed_zone: gcp-example-com - name: localhost.gcp.example.com. - project: fast2-prod-net-landing-0 - routing_policy: [] - rrdatas: - - 127.0.0.1 - ttl: 300 - type: A - ? module.landing-firewall.google_compute_firewall.custom-rules["allow-hc-nva-ssh-landing"] - : allow: - - ports: - - "22" - protocol: tcp - deny: [] - description: Allow traffic from Google healthchecks to NVA appliances - direction: INGRESS - disabled: false - log_config: [] - name: allow-hc-nva-ssh-landing - network: prod-landing-0 - priority: 1000 - project: fast2-prod-net-landing-0 - source_ranges: - - 130.211.0.0/22 - - 209.85.152.0/22 - - 209.85.204.0/22 - - 35.191.0.0/16 - source_service_accounts: null - source_tags: null - target_service_accounts: null - target_tags: null - timeouts: null - ? 
module.landing-firewall.google_compute_firewall.custom-rules["allow-ncc-nva-bgp-landing"] - : allow: - - ports: - - "179" - protocol: tcp - deny: [] - description: Allow BGP traffic from NCC Cloud Routers to NVAs - direction: INGRESS - disabled: false - log_config: [] - name: allow-ncc-nva-bgp-landing - network: prod-landing-0 - priority: 1000 - project: fast2-prod-net-landing-0 - source_ranges: - - 10.128.64.201/32 - - 10.128.64.202/32 - - 10.128.96.201/32 - - 10.128.96.202/32 - source_service_accounts: null - source_tags: null - target_service_accounts: null - target_tags: - - nva - timeouts: null - ? module.landing-firewall.google_compute_firewall.custom-rules["allow-onprem-probes-landing-example"] - : allow: - - ports: - - "12345" - protocol: tcp - deny: [] - description: Allow traffic from onprem probes - direction: INGRESS - disabled: false - log_config: [] - name: allow-onprem-probes-landing-example - network: prod-landing-0 - priority: 1000 - project: fast2-prod-net-landing-0 - source_ranges: - - 10.255.255.254/32 - source_service_accounts: null - source_tags: null - target_service_accounts: null - target_tags: null - timeouts: null - ? module.landing-firewall.google_compute_firewall.custom-rules["landing-ingress-default-deny"] - : allow: [] - deny: - - ports: [] - protocol: all - description: Deny and log any unmatched ingress traffic. 
- direction: INGRESS - disabled: false - log_config: - - metadata: EXCLUDE_ALL_METADATA - name: landing-ingress-default-deny - network: prod-landing-0 - priority: 65535 - project: fast2-prod-net-landing-0 - source_ranges: - - 0.0.0.0/0 - source_service_accounts: null - source_tags: null - target_service_accounts: null - target_tags: null - timeouts: null - module.landing-nat-primary[0].google_compute_router.router[0]: - bgp: [] - description: null - encrypted_interconnect_router: null - name: prod-nat-ew1 - network: prod-dmz-0 - project: fast2-prod-net-landing-0 - region: europe-west1 - timeouts: null - module.landing-nat-primary[0].google_compute_router_nat.nat: - drain_nat_ips: null - enable_dynamic_port_allocation: false - enable_endpoint_independent_mapping: true - icmp_idle_timeout_sec: 30 - log_config: - - enable: false - filter: ALL - name: ew1 - nat_ip_allocate_option: AUTO_ONLY - nat_ips: null - project: fast2-prod-net-landing-0 - region: europe-west1 - router: prod-nat-ew1 - rules: [] - source_subnetwork_ip_ranges_to_nat: ALL_SUBNETWORKS_ALL_IP_RANGES - subnetwork: [] - tcp_established_idle_timeout_sec: 1200 - tcp_time_wait_timeout_sec: 120 - tcp_transitory_idle_timeout_sec: 30 - timeouts: null - type: PUBLIC - udp_idle_timeout_sec: 30 - module.landing-nat-secondary[0].google_compute_router.router[0]: - bgp: [] - description: null - encrypted_interconnect_router: null - name: prod-nat-ew4 - network: prod-dmz-0 - project: fast2-prod-net-landing-0 - region: europe-west4 - timeouts: null - module.landing-nat-secondary[0].google_compute_router_nat.nat: - drain_nat_ips: null - enable_dynamic_port_allocation: false - enable_endpoint_independent_mapping: true - icmp_idle_timeout_sec: 30 - log_config: - - enable: false - filter: ALL - name: ew4 - nat_ip_allocate_option: AUTO_ONLY - nat_ips: null - project: fast2-prod-net-landing-0 - region: europe-west4 - router: prod-nat-ew4 - rules: [] - source_subnetwork_ip_ranges_to_nat: ALL_SUBNETWORKS_ALL_IP_RANGES - 
subnetwork: [] - tcp_established_idle_timeout_sec: 1200 - tcp_time_wait_timeout_sec: 120 - tcp_transitory_idle_timeout_sec: 30 - timeouts: null - type: PUBLIC - udp_idle_timeout_sec: 30 - ? module.landing-project.google_compute_shared_vpc_host_project.shared_vpc_host[0] - : project: fast2-prod-net-landing-0 - timeouts: null - module.landing-project.google_project.project[0]: - auto_create_network: false - billing_account: 000000-111111-222222 - folder_id: null - labels: null - name: fast2-prod-net-landing-0 - org_id: null - project_id: fast2-prod-net-landing-0 - skip_delete: false - timeouts: null - ? module.landing-project.google_project_iam_binding.authoritative["organizations/123456789012/roles/foo"] - : condition: [] - members: - - serviceAccount:string - project: fast2-prod-net-landing-0 - role: organizations/123456789012/roles/foo - ? module.landing-project.google_project_iam_binding.authoritative["roles/dns.admin"] - : condition: [] - members: - - serviceAccount:string - project: fast2-prod-net-landing-0 - role: roles/dns.admin - ? module.landing-project.google_project_service.project_services["compute.googleapis.com"] - : disable_dependent_services: false - disable_on_destroy: false - project: fast2-prod-net-landing-0 - service: compute.googleapis.com - timeouts: null - ? module.landing-project.google_project_service.project_services["dns.googleapis.com"] - : disable_dependent_services: false - disable_on_destroy: false - project: fast2-prod-net-landing-0 - service: dns.googleapis.com - timeouts: null - ? module.landing-project.google_project_service.project_services["iap.googleapis.com"] - : disable_dependent_services: false - disable_on_destroy: false - project: fast2-prod-net-landing-0 - service: iap.googleapis.com - timeouts: null - ? 
module.landing-project.google_project_service.project_services["networkconnectivity.googleapis.com"] - : disable_dependent_services: false - disable_on_destroy: false - project: fast2-prod-net-landing-0 - service: networkconnectivity.googleapis.com - timeouts: null - ? module.landing-project.google_project_service.project_services["networkmanagement.googleapis.com"] - : disable_dependent_services: false - disable_on_destroy: false - project: fast2-prod-net-landing-0 - service: networkmanagement.googleapis.com - timeouts: null - ? module.landing-project.google_project_service.project_services["stackdriver.googleapis.com"] - : disable_dependent_services: false - disable_on_destroy: false - project: fast2-prod-net-landing-0 - service: stackdriver.googleapis.com - timeouts: null - ? module.landing-project.google_project_service_identity.jit_si["iap.googleapis.com"] - : project: fast2-prod-net-landing-0 - service: iap.googleapis.com - timeouts: null - ? module.landing-to-onprem-primary-vpn[0].google_compute_external_vpn_gateway.external_gateway["default"] - : description: Terraform managed external VPN gateway - interface: - - id: 0 - ip_address: 8.8.8.8 - labels: null - name: vpn-to-onprem-ew1-default - project: fast2-prod-net-landing-0 - redundancy_type: SINGLE_IP_INTERNALLY_REDUNDANT - timeouts: null - ? 
module.landing-to-onprem-primary-vpn[0].google_compute_ha_vpn_gateway.ha_gateway[0] - : description: Terraform managed external VPN gateway - name: vpn-to-onprem-ew1 - project: fast2-prod-net-landing-0 - region: europe-west1 - stack_type: IPV4_ONLY - timeouts: null - module.landing-to-onprem-primary-vpn[0].google_compute_router.router[0]: - bgp: - - advertise_mode: CUSTOM - advertised_groups: [] - advertised_ip_ranges: - - description: gcp - range: 10.1.0.0/16 - - description: gcp-restricted - range: 199.36.153.4/30 - - description: gcp-dns - range: 35.199.192.0/19 - asn: 65501 - keepalive_interval: 20 - description: null - encrypted_interconnect_router: null - name: vpn-vpn-to-onprem-ew1 - project: fast2-prod-net-landing-0 - region: europe-west1 - timeouts: null - ? module.landing-to-onprem-primary-vpn[0].google_compute_router_interface.router_interface["0"] - : interconnect_attachment: null - ip_range: 169.254.1.2/30 - name: vpn-to-onprem-ew1-0 - private_ip_address: null - project: fast2-prod-net-landing-0 - region: europe-west1 - router: vpn-vpn-to-onprem-ew1 - subnetwork: null - timeouts: null - vpn_tunnel: vpn-to-onprem-ew1-0 - ? module.landing-to-onprem-primary-vpn[0].google_compute_router_interface.router_interface["1"] - : interconnect_attachment: null - ip_range: 169.254.2.2/30 - name: vpn-to-onprem-ew1-1 - private_ip_address: null - project: fast2-prod-net-landing-0 - region: europe-west1 - router: vpn-vpn-to-onprem-ew1 - subnetwork: null - timeouts: null - vpn_tunnel: vpn-to-onprem-ew1-1 - ? 
module.landing-to-onprem-primary-vpn[0].google_compute_router_peer.bgp_peer["0"] - : advertise_mode: DEFAULT - advertised_groups: [] - advertised_ip_ranges: [] - advertised_route_priority: 1000 - enable: true - enable_ipv6: false - interface: vpn-to-onprem-ew1-0 - md5_authentication_key: [] - name: vpn-to-onprem-ew1-0 - peer_asn: 65500 - peer_ip_address: 169.254.1.1 - project: fast2-prod-net-landing-0 - region: europe-west1 - router: vpn-vpn-to-onprem-ew1 - router_appliance_instance: null - timeouts: null - ? module.landing-to-onprem-primary-vpn[0].google_compute_router_peer.bgp_peer["1"] - : advertise_mode: DEFAULT - advertised_groups: [] - advertised_ip_ranges: [] - advertised_route_priority: 1000 - enable: true - enable_ipv6: false - interface: vpn-to-onprem-ew1-1 - md5_authentication_key: [] - name: vpn-to-onprem-ew1-1 - peer_asn: 64513 - peer_ip_address: 169.254.2.1 - project: fast2-prod-net-landing-0 - region: europe-west1 - router: vpn-vpn-to-onprem-ew1 - router_appliance_instance: null - timeouts: null - ? module.landing-to-onprem-primary-vpn[0].google_compute_vpn_tunnel.tunnels["0"] - : description: null - ike_version: 2 - labels: null - name: vpn-to-onprem-ew1-0 - peer_external_gateway_interface: null - peer_gcp_gateway: null - project: fast2-prod-net-landing-0 - region: europe-west1 - router: vpn-vpn-to-onprem-ew1 - shared_secret: foo - target_vpn_gateway: null - timeouts: null - vpn_gateway_interface: 0 - ? module.landing-to-onprem-primary-vpn[0].google_compute_vpn_tunnel.tunnels["1"] - : description: null - ike_version: 2 - labels: null - name: vpn-to-onprem-ew1-1 - peer_external_gateway_interface: null - peer_gcp_gateway: null - project: fast2-prod-net-landing-0 - region: europe-west1 - router: vpn-vpn-to-onprem-ew1 - shared_secret: foo - target_vpn_gateway: null - timeouts: null - vpn_gateway_interface: 1 - module.landing-to-onprem-primary-vpn[0].random_id.secret: - byte_length: 8 - keepers: null - prefix: null - ? 
module.landing-to-onprem-secondary-vpn[0].google_compute_external_vpn_gateway.external_gateway["default"] - : description: Terraform managed external VPN gateway - interface: - - id: 0 - ip_address: 8.8.4.4 - labels: null - name: vpn-to-onprem-ew4-default - project: fast2-prod-net-landing-0 - redundancy_type: SINGLE_IP_INTERNALLY_REDUNDANT - timeouts: null - ? module.landing-to-onprem-secondary-vpn[0].google_compute_ha_vpn_gateway.ha_gateway[0] - : description: Terraform managed external VPN gateway - name: vpn-to-onprem-ew4 - project: fast2-prod-net-landing-0 - region: europe-west4 - stack_type: IPV4_ONLY - timeouts: null - module.landing-to-onprem-secondary-vpn[0].google_compute_router.router[0]: - bgp: - - advertise_mode: CUSTOM - advertised_groups: [] - advertised_ip_ranges: - - description: gcp - range: 10.1.0.0/16 - - description: gcp-restricted - range: 199.36.153.4/30 - - description: gcp-dns - range: 35.199.192.0/19 - asn: 65501 - keepalive_interval: 20 - description: null - encrypted_interconnect_router: null - name: vpn-vpn-to-onprem-ew4 - project: fast2-prod-net-landing-0 - region: europe-west4 - timeouts: null - ? module.landing-to-onprem-secondary-vpn[0].google_compute_router_interface.router_interface["0"] - : interconnect_attachment: null - ip_range: 169.254.3.2/30 - name: vpn-to-onprem-ew4-0 - private_ip_address: null - project: fast2-prod-net-landing-0 - region: europe-west4 - router: vpn-vpn-to-onprem-ew4 - subnetwork: null - timeouts: null - vpn_tunnel: vpn-to-onprem-ew4-0 - ? module.landing-to-onprem-secondary-vpn[0].google_compute_router_interface.router_interface["1"] - : interconnect_attachment: null - ip_range: 169.254.4.2/30 - name: vpn-to-onprem-ew4-1 - private_ip_address: null - project: fast2-prod-net-landing-0 - region: europe-west4 - router: vpn-vpn-to-onprem-ew4 - subnetwork: null - timeouts: null - vpn_tunnel: vpn-to-onprem-ew4-1 - ? 
module.landing-to-onprem-secondary-vpn[0].google_compute_router_peer.bgp_peer["0"] - : advertise_mode: DEFAULT - advertised_groups: [] - advertised_ip_ranges: [] - advertised_route_priority: 1000 - enable: true - enable_ipv6: false - interface: vpn-to-onprem-ew4-0 - md5_authentication_key: [] - name: vpn-to-onprem-ew4-0 - peer_asn: 65500 - peer_ip_address: 169.254.1.1 - project: fast2-prod-net-landing-0 - region: europe-west4 - router: vpn-vpn-to-onprem-ew4 - router_appliance_instance: null - timeouts: null - ? module.landing-to-onprem-secondary-vpn[0].google_compute_router_peer.bgp_peer["1"] - : advertise_mode: DEFAULT - advertised_groups: [] - advertised_ip_ranges: [] - advertised_route_priority: 1000 - enable: true - enable_ipv6: false - interface: vpn-to-onprem-ew4-1 - md5_authentication_key: [] - name: vpn-to-onprem-ew4-1 - peer_asn: 64513 - peer_ip_address: 169.254.2.1 - project: fast2-prod-net-landing-0 - region: europe-west4 - router: vpn-vpn-to-onprem-ew4 - router_appliance_instance: null - timeouts: null - ? module.landing-to-onprem-secondary-vpn[0].google_compute_vpn_tunnel.tunnels["0"] - : description: null - ike_version: 2 - labels: null - name: vpn-to-onprem-ew4-0 - peer_external_gateway_interface: null - peer_gcp_gateway: null - project: fast2-prod-net-landing-0 - region: europe-west4 - router: vpn-vpn-to-onprem-ew4 - shared_secret: foo - target_vpn_gateway: null - timeouts: null - vpn_gateway_interface: 0 - ? 
module.landing-to-onprem-secondary-vpn[0].google_compute_vpn_tunnel.tunnels["1"] - : description: null - ike_version: 2 - labels: null - name: vpn-to-onprem-ew4-1 - peer_external_gateway_interface: null - peer_gcp_gateway: null - project: fast2-prod-net-landing-0 - region: europe-west4 - router: vpn-vpn-to-onprem-ew4 - shared_secret: foo - target_vpn_gateway: null - timeouts: null - vpn_gateway_interface: 1 - module.landing-to-onprem-secondary-vpn[0].random_id.secret: - byte_length: 8 - keepers: null - prefix: null - module.landing-vpc.google_compute_network.network[0]: - auto_create_subnetworks: false - delete_default_routes_on_create: true - description: Terraform-managed. - enable_ula_internal_ipv6: null - mtu: 1500 - name: prod-landing-0 - network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL - project: fast2-prod-net-landing-0 - routing_mode: GLOBAL - timeouts: null - module.landing-vpc.google_compute_route.gateway["private-googleapis"]: - description: Terraform-managed. - dest_range: 199.36.153.8/30 - name: prod-landing-0-private-googleapis - network: prod-landing-0 - next_hop_gateway: default-internet-gateway - next_hop_ilb: null - next_hop_instance: null - next_hop_vpn_tunnel: null - priority: 1000 - project: fast2-prod-net-landing-0 - tags: null - timeouts: null - module.landing-vpc.google_compute_route.gateway["restricted-googleapis"]: - description: Terraform-managed. - dest_range: 199.36.153.4/30 - name: prod-landing-0-restricted-googleapis - network: prod-landing-0 - next_hop_gateway: default-internet-gateway - next_hop_ilb: null - next_hop_instance: null - next_hop_vpn_tunnel: null - priority: 1000 - project: fast2-prod-net-landing-0 - tags: null - timeouts: null - ? 
module.landing-vpc.google_compute_subnetwork.subnetwork["europe-west1/landing-default"] - : description: Default europe-west1 subnet for landing - ip_cidr_range: 10.64.0.0/24 - ipv6_access_type: null - log_config: [] - name: landing-default - network: prod-landing-0 - private_ip_google_access: true - project: fast2-prod-net-landing-0 - region: europe-west1 - role: null - timeouts: null - ? module.landing-vpc.google_compute_subnetwork.subnetwork["europe-west4/landing-default"] - : description: Default europe-west4 subnet for landing - ip_cidr_range: 10.80.0.0/24 - ipv6_access_type: null - log_config: [] - name: landing-default - network: prod-landing-0 - private_ip_google_access: true - project: fast2-prod-net-landing-0 - region: europe-west4 - role: null - timeouts: null - module.landing-vpc.google_dns_policy.default[0]: - alternative_name_server_config: [] - description: Managed by Terraform - enable_inbound_forwarding: true - enable_logging: null - name: prod-landing-0 - networks: - - {} - project: fast2-prod-net-landing-0 - timeouts: null - module.nva["primary-b"].google_compute_instance.default[0]: - advanced_machine_features: [] - allow_stopping_for_update: true - attached_disk: [] - boot_disk: - - auto_delete: true - disk_encryption_key_raw: null - initialize_params: - - enable_confidential_compute: null - image: projects/cos-cloud/global/images/family/cos-stable - resource_manager_tags: null - size: 10 - type: pd-balanced - mode: READ_WRITE - can_ip_forward: true - deletion_protection: false - description: Managed by the compute-vm Terraform module. 
- desired_status: null - enable_display: false - hostname: null - labels: null - machine_type: e2-standard-2 - metadata: - user-data: - "#cloud-config\n\n# Copyright 2024 Google LLC\n#\n# Licensed under\ - \ the Apache License, Version 2.0 (the \"License\");\n# you may not use this\ - \ file except in compliance with the License.\n# You may obtain a copy of\ - \ the License at\n#\n# https://www.apache.org/licenses/LICENSE-2.0\n#\n\ - # Unless required by applicable law or agreed to in writing, software\n# distributed\ - \ under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES\ - \ OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License\ - \ for the specific language governing permissions and\n# limitations under\ - \ the License.\n\nwrite_files:\n\n - path: /etc/frr/daemons\n owner: root\n\ - \ permissions: 0744\n content: |\n # Copyright 2023 Google LLC\n\ - \ #\n # Licensed under the Apache License, Version 2.0 (the \"License\"\ - );\n # you may not use this file except in compliance with the License.\n\ - \ # You may obtain a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ - \ #\n # Unless required by applicable law or agreed to in writing,\ - \ software\n # distributed under the License is distributed on an \"\ - AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ - \ express or implied.\n # See the License for the specific language governing\ - \ permissions and\n # limitations under the License.\n \n zebra=no\n\ - \ bgpd=yes\n ospfd=no\n ospf6d=no\n ripd=no\n ripngd=no\n\ - \ isisd=no\n pimd=no\n ldpd=no\n nhrpd=no\n eigrpd=no\n\ - \ babeld=no\n sharpd=no\n staticd=no\n pbrd=no\n \ - \ bfdd=no\n fabricd=no\n \n # If this option is set the /etc/init.d/frr\ - \ script automatically loads\n # the config via \"vtysh -b\" when the\ - \ servers are started.\n # Check /etc/pam.d/frr if you intend to use\ - \ \"vtysh\"!\n \n vtysh_enable=yes\n zebra_options=\" -A 127.0.0.1\ - \ 
-s 90000000\"\n bgpd_options=\" -A 127.0.0.1\"\n ospfd_options=\"\ - \ --daemon -A 127.0.0.1\"\n ospf6d_options=\" --daemon -A ::1\"\n \ - \ ripd_options=\" --daemon -A 127.0.0.1\"\n ripngd_options=\" --daemon\ - \ -A ::1\"\n isisd_options=\" --daemon -A 127.0.0.1\"\n pimd_options=\"\ - \ --daemon -A 127.0.0.1\"\n ldpd_options=\" --daemon -A 127.0.0.1\"\ - \n nhrpd_options=\" --daemon -A 127.0.0.1\"\n eigrpd_options=\"\ - \ --daemon -A 127.0.0.1\"\n babeld_options=\" --daemon -A 127.0.0.1\"\ - \n sharpd_options=\" --daemon -A 127.0.0.1\"\n staticd_options=\"\ - \ --daemon -A 127.0.0.1\"\n pbrd_options=\" --daemon -A 127.0.0.1\"\ - \n bfdd_options=\" --daemon -A 127.0.0.1\"\n fabricd_options=\"\ - \ --daemon -A 127.0.0.1\"\n \n #MAX_FDS=1024\n # The list\ - \ of daemons to watch is automatically generated by the init script.\n \ - \ #watchfrr_options=\"\"\n \n # for debugging purposes, you can\ - \ specify a \"wrap\" command to start instead\n # of starting the daemon\ - \ directly, e.g. to use valgrind on ospfd:\n # ospfd_wrap=\"/usr/bin/valgrind\"\ - \n # or you can use \"all_wrap\" for all daemons, e.g. 
to use perf record:\n\ - \ # all_wrap=\"/usr/bin/perf record --call-graph -\"\n # the normal\ - \ daemon command is added to this at the end.\n \n\n - path: /etc/frr/frr.conf\n\ - \ owner: root\n permissions: 0744\n content: |\n # NVAs configuration\ - \ template\n \n log syslog informational\n no ipv6 forwarding\n\ - \ service integrated-vtysh-config\n \n interface lo\n \ - \ ip address 10.64.128.101/32\n \n ip prefix-list DEFAULT seq 10\ - \ permit 0.0.0.0/0\n !\n ip prefix-list PRIMARY seq 10 permit 10.64.0.0/17\n\ - \ ip prefix-list PRIMARY seq 20 permit 10.68.0.0/16\n ip prefix-list\ - \ PRIMARY seq 30 permit 10.72.0.0/16\n !\n ip prefix-list SECONDARY\ - \ seq 10 permit 10.80.0.0/17\n ip prefix-list SECONDARY seq 20 permit\ - \ 10.84.0.0/16\n ip prefix-list SECONDARY seq 30 permit 10.88.0.0/16\n\ - \ \n route-map TO-DMZ permit 10\n match ip address prefix-list\ - \ PRIMARY\n set metric 100\n !\n route-map TO-DMZ permit\ - \ 20\n match ip address prefix-list SECONDARY\n set metric 10100\n\ - \ !\n route-map TO-LANDING permit 10\n match ip address prefix-list\ - \ DEFAULT\n set metric 100\n !\n route-map TO-NVA permit\ - \ 10\n match ip address prefix-list PRIMARY\n set metric 50\n\ - \ \n router bgp 64513\n bgp router-id 10.64.128.101\n \ - \ bgp bestpath as-path ignore\n bgp disable-ebgp-connected-route-check\n\ - \ bgp timers 20 60\n !\n no bgp ebgp-requires-policy\n \ - \ no bgp network import-check\n !\n neighbor 10.64.128.201\ - \ remote-as 64512\n neighbor 10.64.128.202 remote-as 64512\n !\n\ - \ neighbor 10.64.0.201 remote-as 64515\n neighbor 10.64.0.201\ - \ update-source 10.64.0.101\n neighbor 10.64.0.202 remote-as 64515\n\ - \ neighbor 10.64.0.202 update-source 10.64.0.101\n !\n neighbor\ - \ 10.80.128.101 remote-as 64514\n neighbor 10.80.128.101 ebgp-multihop\ - \ 2\n neighbor 10.80.128.102 remote-as 64514\n neighbor 10.80.128.102\ - \ ebgp-multihop 2\n !\n address-family ipv4 unicast\n neighbor\ - \ 10.64.128.201 route-map TO-DMZ out\n neighbor 
10.64.128.201 soft-reconfiguration\ - \ inbound\n !\n neighbor 10.64.128.202 route-map TO-DMZ out\n\ - \ neighbor 10.64.128.202 soft-reconfiguration inbound\n !\n \ - \ neighbor 10.64.0.201 route-map TO-LANDING out\n neighbor 10.64.0.201\ - \ soft-reconfiguration inbound\n !\n neighbor 10.64.0.202 route-map\ - \ TO-LANDING out\n neighbor 10.64.0.202 soft-reconfiguration inbound\n\ - \ !\n neighbor 10.80.128.101 route-map TO-NVA out\n neighbor\ - \ 10.80.128.101 soft-reconfiguration inbound\n !\n neighbor 10.80.128.102\ - \ route-map TO-NVA out\n neighbor 10.80.128.102 soft-reconfiguration\ - \ inbound\n exit-address-family\n \n\n - path: /etc/frr/vtysh.conf\n\ - \ owner: root\n permissions: 0644\n content: |\n # Copyright\ - \ 2023 Google LLC\n #\n # Licensed under the Apache License, Version\ - \ 2.0 (the \"License\");\n # you may not use this file except in compliance\ - \ with the License.\n # You may obtain a copy of the License at\n \ - \ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\ - \ # Unless required by applicable law or agreed to in writing, software\n\ - \ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\ - \ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\ - \ # See the License for the specific language governing permissions and\n\ - \ # limitations under the License.\n \n # This is a sample\ - \ file used to remove warnings\n # when users open the vtysh console.\n\ - \ \n\n - path: /etc/profile.d/00-aliases.sh\n owner: root\n permissions:\ - \ 0644\n content: |\n alias vtysh='sudo docker exec -it frr sh -c\ - \ vtysh'\n\n - path: /etc/systemd/system/frr.service\n owner: root\n \ - \ permissions: 0644\n content: |\n # Copyright 2023 Google LLC\n\ - \ #\n # Licensed under the Apache License, Version 2.0 (the \"License\"\ - );\n # you may not use this file except in compliance with the License.\n\ - \ # You may obtain a copy of the License at\n #\n # 
http://www.apache.org/licenses/LICENSE-2.0\n\ - \ #\n # Unless required by applicable law or agreed to in writing,\ - \ software\n # distributed under the License is distributed on an \"\ - AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ - \ express or implied.\n # See the License for the specific language governing\ - \ permissions and\n # limitations under the License.\n \n [Unit]\n\ - \ Description=Start FRR container\n After=gcr-online.target docker.socket\n\ - \ Wants=gcr-online.target docker.socket docker-events-collector.service\n\ - \ [Service]\n Environment=\"HOME=/home/frr\"\n ExecStart=/usr/bin/docker\ - \ run --rm --name=frr \\\n --privileged \\\n --network host \\\n\ - \ -v /etc/frr:/etc/frr \\\n frrouting/frr\n ExecStop=/usr/bin/docker\ - \ stop frr\n ExecStopPost=/usr/bin/docker rm frr\n \n\n - path:\ - \ /var/lib/docker/daemon.json\n owner: root\n permissions: 0644\n \ - \ content: |\n {\n \"live-restore\": true,\n\ - \ \"storage-driver\": \"overlay2\",\n \"log-opts\"\ - : {\n \"max-size\": \"1024m\"\n }\n \ - \ }\n \n\n - path: /var/run/nva/ipprefix_by_netmask.sh\n owner:\ - \ root\n permissions: 0744\n content: |\n #!/bin/bash\n \n\ - \ # Copyright 2023 Google LLC\n #\n # Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n # you may not use this file\ - \ except in compliance with the License.\n # You may obtain a copy of\ - \ the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ - \ #\n # Unless required by applicable law or agreed to in writing,\ - \ software\n # distributed under the License is distributed on an \"\ - AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ - \ express or implied.\n # See the License for the specific language governing\ - \ permissions and\n # limitations under the License.\n \n #\ - \ https://stackoverflow.com/questions/50413579/bash-convert-netmask-in-cidr-notation\n\ - \ c=0 x=0$(printf '%o' ${1//./ })\n while [ $x -gt 0 ]; do\n \ - 
\ let c+=$((x % 2)) 'x>>=1'\n done\n echo $c\n \n\n -\ - \ path: /var/run/nva/policy_based_routing.sh\n owner: root\n permissions:\ - \ 0744\n content: |\n #!/bin/bash\n \n # Copyright 2023\ - \ Google LLC\n #\n # Licensed under the Apache License, Version\ - \ 2.0 (the \"License\");\n # you may not use this file except in compliance\ - \ with the License.\n # You may obtain a copy of the License at\n \ - \ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\ - \ # Unless required by applicable law or agreed to in writing, software\n\ - \ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\ - \ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\ - \ # See the License for the specific language governing permissions and\n\ - \ # limitations under the License.\n \n IF_NAME=$1\n IF_NUMBER=$(echo\ - \ $IF_NAME | sed -e s/eth//)\n IF_GW=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/gateway\ - \ -H \"Metadata-Flavor: Google\")\n IF_IP=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/ip\ - \ -H \"Metadata-Flavor: Google\")\n IF_NETMASK=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/subnetmask\ - \ -H \"Metadata-Flavor: Google\")\n IF_IP_PREFIX=$(/var/run/nva/ipprefix_by_netmask.sh\ - \ $IF_NETMASK)\n \n # Sleep while there's no load balancer IP route\ - \ for this IF\n while true\n do\n IPS_LB_STR=$(ip r show\ - \ table local | grep \"$IF_NAME proto 66\" | cut -f 2 -d \" \" | tr -s '\\\ - n' ' ')\n IPS_LB=($IPS_LB_STR)\n for IP in \"${IPS_LB[@]}\"\n\ - \ do\n # Configure hc routing table if not available for this\ - \ network interface\n grep -qxF \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\ - \ /etc/iproute2/rt_tables || {\n echo \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\ - \ >>/etc/iproute2/rt_tables\n ip route add $IF_GW src $IF_IP dev\ - \ $IF_NAME table hc-$IF_NAME\n ip route add 
default via $IF_GW\ - \ dev $IF_NAME table hc-$IF_NAME\n }\n \n # configure\ - \ PBR route for LB\n ip rule list | grep -qF \"$IP\" || ip rule add\ - \ from $IP/32 table hc-$IF_NAME\n done\n \n # remove previously\ - \ configure PBR for old LB removed from network interface\n # first\ - \ get list of PBR on this network interface and retrieve LB IP addresses\n\ - \ PBR_LB_IPS_STR=$(ip rule list | grep \"hc-$IF_NAME\" | cut -f 2 -d\ - \ \" \" | tr -s '\\n' ' ')\n PBR_LB_IPS=($PBR_LB_IPS_STR)\n \n\ - \ # iterate over PBR LB IP addresses\n for PBR_IP in \"${PBR_LB_IPS[@]}\"\ - \n do\n # check if the PBR LB IP belongs to the current array\ - \ of LB IPs attached to the\n # network interface, if not delete\ - \ the corresponding PBR rule\n if [ -z \"$IPS_LB\" ] || ! echo ${IPS_LB[@]}\ - \ | grep --quiet \"$PBR_IP\" ; then\n ip rule del from $PBR_IP\n\ - \ fi\n done\n sleep 2\n done\n \n\n\n -\ - \ path: /etc/systemd/system/routing.service\n permissions: 0644\n owner:\ - \ root\n content: |\n [Install]\n WantedBy=multi-user.target\n\ - \ [Unit]\n Description=Start routing\n After=network-online.target\n\ - \ Wants=network-online.target\n [Service]\n RemainAfterExit=true\n\ - \ ExecStart=/bin/sh -c \"/var/run/nva/start-routing.sh\"\n - path: /var/run/nva/start-routing.sh\n\ - \ permissions: 0744\n owner: root\n content: |\n iptables --policy\ - \ FORWARD ACCEPT\n /var/run/nva/policy_based_routing.sh eth0 &>/dev/null\ - \ &\n iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n ip\ - \ route add 35.235.240.0/20 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\ - \ -H \"Metadata-Flavor:Google\"` dev eth0\n ip route add 10.64.127.0/17\ - \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\ - \ -H \"Metadata-Flavor:Google\"` dev eth0\n ip route add 10.80.127.0/17\ - \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\ - \ -H 
\"Metadata-Flavor:Google\"` dev eth0\n /var/run/nva/policy_based_routing.sh\ - \ eth1 &>/dev/null &\n ip route add 10.64.0.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\ - \ -H \"Metadata-Flavor:Google\"` dev eth1\n ip route add 10.80.0.0/17\ - \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\ - \ -H \"Metadata-Flavor:Google\"` dev eth1\n iptables -A INPUT -p tcp\ - \ --dport 179 -j ACCEPT\n\nbootcmd:\n - systemctl start node-problem-detector\n\ - \nruncmd:\n - systemctl daemon-reload\n - systemctl enable routing\n -\ - \ systemctl start routing\n - systemctl start frr\n" - metadata_startup_script: null - name: nva-ew1-b - network_interface: - - access_config: [] - alias_ip_range: [] - ipv6_access_config: [] - network_ip: 10.64.128.101 - nic_type: null - queue_count: null - security_policy: null - - access_config: [] - alias_ip_range: [] - ipv6_access_config: [] - network_ip: 10.64.0.101 - nic_type: null - queue_count: null - security_policy: null - network_performance_config: [] - params: [] - project: fast2-prod-net-landing-0 - resource_policies: null - scheduling: - - automatic_restart: true - instance_termination_action: null - local_ssd_recovery_timeout: [] - maintenance_interval: null - max_run_duration: [] - min_node_cpus: null - node_affinities: [] - on_host_maintenance: MIGRATE - preemptible: false - provisioning_model: STANDARD - scratch_disk: [] - service_account: - - scopes: - - https://www.googleapis.com/auth/devstorage.read_only - - https://www.googleapis.com/auth/logging.write - - https://www.googleapis.com/auth/monitoring.write - shielded_instance_config: [] - tags: - - nva - timeouts: null - zone: europe-west1-b - module.nva["primary-c"].google_compute_instance.default[0]: - advanced_machine_features: [] - allow_stopping_for_update: true - attached_disk: [] - boot_disk: - - auto_delete: true - disk_encryption_key_raw: null - 
initialize_params: - - enable_confidential_compute: null - image: projects/cos-cloud/global/images/family/cos-stable - resource_manager_tags: null - size: 10 - type: pd-balanced - mode: READ_WRITE - can_ip_forward: true - deletion_protection: false - description: Managed by the compute-vm Terraform module. - desired_status: null - enable_display: false - hostname: null - labels: null - machine_type: e2-standard-2 - metadata: - user-data: - "#cloud-config\n\n# Copyright 2024 Google LLC\n#\n# Licensed under\ - \ the Apache License, Version 2.0 (the \"License\");\n# you may not use this\ - \ file except in compliance with the License.\n# You may obtain a copy of\ - \ the License at\n#\n# https://www.apache.org/licenses/LICENSE-2.0\n#\n\ - # Unless required by applicable law or agreed to in writing, software\n# distributed\ - \ under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES\ - \ OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License\ - \ for the specific language governing permissions and\n# limitations under\ - \ the License.\n\nwrite_files:\n\n - path: /etc/frr/daemons\n owner: root\n\ - \ permissions: 0744\n content: |\n # Copyright 2023 Google LLC\n\ - \ #\n # Licensed under the Apache License, Version 2.0 (the \"License\"\ - );\n # you may not use this file except in compliance with the License.\n\ - \ # You may obtain a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ - \ #\n # Unless required by applicable law or agreed to in writing,\ - \ software\n # distributed under the License is distributed on an \"\ - AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ - \ express or implied.\n # See the License for the specific language governing\ - \ permissions and\n # limitations under the License.\n \n zebra=no\n\ - \ bgpd=yes\n ospfd=no\n ospf6d=no\n ripd=no\n ripngd=no\n\ - \ isisd=no\n pimd=no\n ldpd=no\n nhrpd=no\n eigrpd=no\n\ - \ babeld=no\n sharpd=no\n 
staticd=no\n pbrd=no\n \ - \ bfdd=no\n fabricd=no\n \n # If this option is set the /etc/init.d/frr\ - \ script automatically loads\n # the config via \"vtysh -b\" when the\ - \ servers are started.\n # Check /etc/pam.d/frr if you intend to use\ - \ \"vtysh\"!\n \n vtysh_enable=yes\n zebra_options=\" -A 127.0.0.1\ - \ -s 90000000\"\n bgpd_options=\" -A 127.0.0.1\"\n ospfd_options=\"\ - \ --daemon -A 127.0.0.1\"\n ospf6d_options=\" --daemon -A ::1\"\n \ - \ ripd_options=\" --daemon -A 127.0.0.1\"\n ripngd_options=\" --daemon\ - \ -A ::1\"\n isisd_options=\" --daemon -A 127.0.0.1\"\n pimd_options=\"\ - \ --daemon -A 127.0.0.1\"\n ldpd_options=\" --daemon -A 127.0.0.1\"\ - \n nhrpd_options=\" --daemon -A 127.0.0.1\"\n eigrpd_options=\"\ - \ --daemon -A 127.0.0.1\"\n babeld_options=\" --daemon -A 127.0.0.1\"\ - \n sharpd_options=\" --daemon -A 127.0.0.1\"\n staticd_options=\"\ - \ --daemon -A 127.0.0.1\"\n pbrd_options=\" --daemon -A 127.0.0.1\"\ - \n bfdd_options=\" --daemon -A 127.0.0.1\"\n fabricd_options=\"\ - \ --daemon -A 127.0.0.1\"\n \n #MAX_FDS=1024\n # The list\ - \ of daemons to watch is automatically generated by the init script.\n \ - \ #watchfrr_options=\"\"\n \n # for debugging purposes, you can\ - \ specify a \"wrap\" command to start instead\n # of starting the daemon\ - \ directly, e.g. to use valgrind on ospfd:\n # ospfd_wrap=\"/usr/bin/valgrind\"\ - \n # or you can use \"all_wrap\" for all daemons, e.g. 
to use perf record:\n\ - \ # all_wrap=\"/usr/bin/perf record --call-graph -\"\n # the normal\ - \ daemon command is added to this at the end.\n \n\n - path: /etc/frr/frr.conf\n\ - \ owner: root\n permissions: 0744\n content: |\n # NVAs configuration\ - \ template\n \n log syslog informational\n no ipv6 forwarding\n\ - \ service integrated-vtysh-config\n \n interface lo\n \ - \ ip address 10.64.128.102/32\n \n ip prefix-list DEFAULT seq 10\ - \ permit 0.0.0.0/0\n !\n ip prefix-list PRIMARY seq 10 permit 10.64.0.0/17\n\ - \ ip prefix-list PRIMARY seq 20 permit 10.68.0.0/16\n ip prefix-list\ - \ PRIMARY seq 30 permit 10.72.0.0/16\n !\n ip prefix-list SECONDARY\ - \ seq 10 permit 10.80.0.0/17\n ip prefix-list SECONDARY seq 20 permit\ - \ 10.84.0.0/16\n ip prefix-list SECONDARY seq 30 permit 10.88.0.0/16\n\ - \ \n route-map TO-DMZ permit 10\n match ip address prefix-list\ - \ PRIMARY\n set metric 100\n !\n route-map TO-DMZ permit\ - \ 20\n match ip address prefix-list SECONDARY\n set metric 10100\n\ - \ !\n route-map TO-LANDING permit 10\n match ip address prefix-list\ - \ DEFAULT\n set metric 100\n !\n route-map TO-NVA permit\ - \ 10\n match ip address prefix-list PRIMARY\n set metric 50\n\ - \ \n router bgp 64513\n bgp router-id 10.64.128.102\n \ - \ bgp bestpath as-path ignore\n bgp disable-ebgp-connected-route-check\n\ - \ bgp timers 20 60\n !\n no bgp ebgp-requires-policy\n \ - \ no bgp network import-check\n !\n neighbor 10.64.128.201\ - \ remote-as 64512\n neighbor 10.64.128.202 remote-as 64512\n !\n\ - \ neighbor 10.64.0.201 remote-as 64515\n neighbor 10.64.0.201\ - \ update-source 10.64.0.102\n neighbor 10.64.0.202 remote-as 64515\n\ - \ neighbor 10.64.0.202 update-source 10.64.0.102\n !\n neighbor\ - \ 10.80.128.101 remote-as 64514\n neighbor 10.80.128.101 ebgp-multihop\ - \ 2\n neighbor 10.80.128.102 remote-as 64514\n neighbor 10.80.128.102\ - \ ebgp-multihop 2\n !\n address-family ipv4 unicast\n neighbor\ - \ 10.64.128.201 route-map TO-DMZ out\n neighbor 
10.64.128.201 soft-reconfiguration\ - \ inbound\n !\n neighbor 10.64.128.202 route-map TO-DMZ out\n\ - \ neighbor 10.64.128.202 soft-reconfiguration inbound\n !\n \ - \ neighbor 10.64.0.201 route-map TO-LANDING out\n neighbor 10.64.0.201\ - \ soft-reconfiguration inbound\n !\n neighbor 10.64.0.202 route-map\ - \ TO-LANDING out\n neighbor 10.64.0.202 soft-reconfiguration inbound\n\ - \ !\n neighbor 10.80.128.101 route-map TO-NVA out\n neighbor\ - \ 10.80.128.101 soft-reconfiguration inbound\n !\n neighbor 10.80.128.102\ - \ route-map TO-NVA out\n neighbor 10.80.128.102 soft-reconfiguration\ - \ inbound\n exit-address-family\n \n\n - path: /etc/frr/vtysh.conf\n\ - \ owner: root\n permissions: 0644\n content: |\n # Copyright\ - \ 2023 Google LLC\n #\n # Licensed under the Apache License, Version\ - \ 2.0 (the \"License\");\n # you may not use this file except in compliance\ - \ with the License.\n # You may obtain a copy of the License at\n \ - \ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\ - \ # Unless required by applicable law or agreed to in writing, software\n\ - \ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\ - \ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\ - \ # See the License for the specific language governing permissions and\n\ - \ # limitations under the License.\n \n # This is a sample\ - \ file used to remove warnings\n # when users open the vtysh console.\n\ - \ \n\n - path: /etc/profile.d/00-aliases.sh\n owner: root\n permissions:\ - \ 0644\n content: |\n alias vtysh='sudo docker exec -it frr sh -c\ - \ vtysh'\n\n - path: /etc/systemd/system/frr.service\n owner: root\n \ - \ permissions: 0644\n content: |\n # Copyright 2023 Google LLC\n\ - \ #\n # Licensed under the Apache License, Version 2.0 (the \"License\"\ - );\n # you may not use this file except in compliance with the License.\n\ - \ # You may obtain a copy of the License at\n #\n # 
http://www.apache.org/licenses/LICENSE-2.0\n\ - \ #\n # Unless required by applicable law or agreed to in writing,\ - \ software\n # distributed under the License is distributed on an \"\ - AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ - \ express or implied.\n # See the License for the specific language governing\ - \ permissions and\n # limitations under the License.\n \n [Unit]\n\ - \ Description=Start FRR container\n After=gcr-online.target docker.socket\n\ - \ Wants=gcr-online.target docker.socket docker-events-collector.service\n\ - \ [Service]\n Environment=\"HOME=/home/frr\"\n ExecStart=/usr/bin/docker\ - \ run --rm --name=frr \\\n --privileged \\\n --network host \\\n\ - \ -v /etc/frr:/etc/frr \\\n frrouting/frr\n ExecStop=/usr/bin/docker\ - \ stop frr\n ExecStopPost=/usr/bin/docker rm frr\n \n\n - path:\ - \ /var/lib/docker/daemon.json\n owner: root\n permissions: 0644\n \ - \ content: |\n {\n \"live-restore\": true,\n\ - \ \"storage-driver\": \"overlay2\",\n \"log-opts\"\ - : {\n \"max-size\": \"1024m\"\n }\n \ - \ }\n \n\n - path: /var/run/nva/ipprefix_by_netmask.sh\n owner:\ - \ root\n permissions: 0744\n content: |\n #!/bin/bash\n \n\ - \ # Copyright 2023 Google LLC\n #\n # Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n # you may not use this file\ - \ except in compliance with the License.\n # You may obtain a copy of\ - \ the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ - \ #\n # Unless required by applicable law or agreed to in writing,\ - \ software\n # distributed under the License is distributed on an \"\ - AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ - \ express or implied.\n # See the License for the specific language governing\ - \ permissions and\n # limitations under the License.\n \n #\ - \ https://stackoverflow.com/questions/50413579/bash-convert-netmask-in-cidr-notation\n\ - \ c=0 x=0$(printf '%o' ${1//./ })\n while [ $x -gt 0 ]; do\n \ - 
\ let c+=$((x % 2)) 'x>>=1'\n done\n echo $c\n \n\n -\ - \ path: /var/run/nva/policy_based_routing.sh\n owner: root\n permissions:\ - \ 0744\n content: |\n #!/bin/bash\n \n # Copyright 2023\ - \ Google LLC\n #\n # Licensed under the Apache License, Version\ - \ 2.0 (the \"License\");\n # you may not use this file except in compliance\ - \ with the License.\n # You may obtain a copy of the License at\n \ - \ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\ - \ # Unless required by applicable law or agreed to in writing, software\n\ - \ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\ - \ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\ - \ # See the License for the specific language governing permissions and\n\ - \ # limitations under the License.\n \n IF_NAME=$1\n IF_NUMBER=$(echo\ - \ $IF_NAME | sed -e s/eth//)\n IF_GW=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/gateway\ - \ -H \"Metadata-Flavor: Google\")\n IF_IP=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/ip\ - \ -H \"Metadata-Flavor: Google\")\n IF_NETMASK=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/subnetmask\ - \ -H \"Metadata-Flavor: Google\")\n IF_IP_PREFIX=$(/var/run/nva/ipprefix_by_netmask.sh\ - \ $IF_NETMASK)\n \n # Sleep while there's no load balancer IP route\ - \ for this IF\n while true\n do\n IPS_LB_STR=$(ip r show\ - \ table local | grep \"$IF_NAME proto 66\" | cut -f 2 -d \" \" | tr -s '\\\ - n' ' ')\n IPS_LB=($IPS_LB_STR)\n for IP in \"${IPS_LB[@]}\"\n\ - \ do\n # Configure hc routing table if not available for this\ - \ network interface\n grep -qxF \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\ - \ /etc/iproute2/rt_tables || {\n echo \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\ - \ >>/etc/iproute2/rt_tables\n ip route add $IF_GW src $IF_IP dev\ - \ $IF_NAME table hc-$IF_NAME\n ip route add 
default via $IF_GW\ - \ dev $IF_NAME table hc-$IF_NAME\n }\n \n # configure\ - \ PBR route for LB\n ip rule list | grep -qF \"$IP\" || ip rule add\ - \ from $IP/32 table hc-$IF_NAME\n done\n \n # remove previously\ - \ configure PBR for old LB removed from network interface\n # first\ - \ get list of PBR on this network interface and retrieve LB IP addresses\n\ - \ PBR_LB_IPS_STR=$(ip rule list | grep \"hc-$IF_NAME\" | cut -f 2 -d\ - \ \" \" | tr -s '\\n' ' ')\n PBR_LB_IPS=($PBR_LB_IPS_STR)\n \n\ - \ # iterate over PBR LB IP addresses\n for PBR_IP in \"${PBR_LB_IPS[@]}\"\ - \n do\n # check if the PBR LB IP belongs to the current array\ - \ of LB IPs attached to the\n # network interface, if not delete\ - \ the corresponding PBR rule\n if [ -z \"$IPS_LB\" ] || ! echo ${IPS_LB[@]}\ - \ | grep --quiet \"$PBR_IP\" ; then\n ip rule del from $PBR_IP\n\ - \ fi\n done\n sleep 2\n done\n \n\n\n -\ - \ path: /etc/systemd/system/routing.service\n permissions: 0644\n owner:\ - \ root\n content: |\n [Install]\n WantedBy=multi-user.target\n\ - \ [Unit]\n Description=Start routing\n After=network-online.target\n\ - \ Wants=network-online.target\n [Service]\n RemainAfterExit=true\n\ - \ ExecStart=/bin/sh -c \"/var/run/nva/start-routing.sh\"\n - path: /var/run/nva/start-routing.sh\n\ - \ permissions: 0744\n owner: root\n content: |\n iptables --policy\ - \ FORWARD ACCEPT\n /var/run/nva/policy_based_routing.sh eth0 &>/dev/null\ - \ &\n iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n ip\ - \ route add 35.235.240.0/20 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\ - \ -H \"Metadata-Flavor:Google\"` dev eth0\n ip route add 10.64.127.0/17\ - \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\ - \ -H \"Metadata-Flavor:Google\"` dev eth0\n ip route add 10.80.127.0/17\ - \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\ - \ -H 
\"Metadata-Flavor:Google\"` dev eth0\n /var/run/nva/policy_based_routing.sh\ - \ eth1 &>/dev/null &\n ip route add 10.64.0.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\ - \ -H \"Metadata-Flavor:Google\"` dev eth1\n ip route add 10.80.0.0/17\ - \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\ - \ -H \"Metadata-Flavor:Google\"` dev eth1\n iptables -A INPUT -p tcp\ - \ --dport 179 -j ACCEPT\n\nbootcmd:\n - systemctl start node-problem-detector\n\ - \nruncmd:\n - systemctl daemon-reload\n - systemctl enable routing\n -\ - \ systemctl start routing\n - systemctl start frr\n" - metadata_startup_script: null - name: nva-ew1-c - network_interface: - - access_config: [] - alias_ip_range: [] - ipv6_access_config: [] - network_ip: 10.64.128.102 - nic_type: null - queue_count: null - security_policy: null - - access_config: [] - alias_ip_range: [] - ipv6_access_config: [] - network_ip: 10.64.0.102 - nic_type: null - queue_count: null - security_policy: null - network_performance_config: [] - params: [] - project: fast2-prod-net-landing-0 - resource_policies: null - scheduling: - - automatic_restart: true - instance_termination_action: null - local_ssd_recovery_timeout: [] - maintenance_interval: null - max_run_duration: [] - min_node_cpus: null - node_affinities: [] - on_host_maintenance: MIGRATE - preemptible: false - provisioning_model: STANDARD - scratch_disk: [] - service_account: - - scopes: - - https://www.googleapis.com/auth/devstorage.read_only - - https://www.googleapis.com/auth/logging.write - - https://www.googleapis.com/auth/monitoring.write - shielded_instance_config: [] - tags: - - nva - timeouts: null - zone: europe-west1-c - module.nva["secondary-b"].google_compute_instance.default[0]: - advanced_machine_features: [] - allow_stopping_for_update: true - attached_disk: [] - boot_disk: - - auto_delete: true - disk_encryption_key_raw: null - 
initialize_params: - - enable_confidential_compute: null - image: projects/cos-cloud/global/images/family/cos-stable - resource_manager_tags: null - size: 10 - type: pd-balanced - mode: READ_WRITE - can_ip_forward: true - deletion_protection: false - description: Managed by the compute-vm Terraform module. - desired_status: null - enable_display: false - hostname: null - labels: null - machine_type: e2-standard-2 - metadata: - user-data: - "#cloud-config\n\n# Copyright 2024 Google LLC\n#\n# Licensed under\ - \ the Apache License, Version 2.0 (the \"License\");\n# you may not use this\ - \ file except in compliance with the License.\n# You may obtain a copy of\ - \ the License at\n#\n# https://www.apache.org/licenses/LICENSE-2.0\n#\n\ - # Unless required by applicable law or agreed to in writing, software\n# distributed\ - \ under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES\ - \ OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License\ - \ for the specific language governing permissions and\n# limitations under\ - \ the License.\n\nwrite_files:\n\n - path: /etc/frr/daemons\n owner: root\n\ - \ permissions: 0744\n content: |\n # Copyright 2023 Google LLC\n\ - \ #\n # Licensed under the Apache License, Version 2.0 (the \"License\"\ - );\n # you may not use this file except in compliance with the License.\n\ - \ # You may obtain a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ - \ #\n # Unless required by applicable law or agreed to in writing,\ - \ software\n # distributed under the License is distributed on an \"\ - AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ - \ express or implied.\n # See the License for the specific language governing\ - \ permissions and\n # limitations under the License.\n \n zebra=no\n\ - \ bgpd=yes\n ospfd=no\n ospf6d=no\n ripd=no\n ripngd=no\n\ - \ isisd=no\n pimd=no\n ldpd=no\n nhrpd=no\n eigrpd=no\n\ - \ babeld=no\n sharpd=no\n 
staticd=no\n pbrd=no\n \ - \ bfdd=no\n fabricd=no\n \n # If this option is set the /etc/init.d/frr\ - \ script automatically loads\n # the config via \"vtysh -b\" when the\ - \ servers are started.\n # Check /etc/pam.d/frr if you intend to use\ - \ \"vtysh\"!\n \n vtysh_enable=yes\n zebra_options=\" -A 127.0.0.1\ - \ -s 90000000\"\n bgpd_options=\" -A 127.0.0.1\"\n ospfd_options=\"\ - \ --daemon -A 127.0.0.1\"\n ospf6d_options=\" --daemon -A ::1\"\n \ - \ ripd_options=\" --daemon -A 127.0.0.1\"\n ripngd_options=\" --daemon\ - \ -A ::1\"\n isisd_options=\" --daemon -A 127.0.0.1\"\n pimd_options=\"\ - \ --daemon -A 127.0.0.1\"\n ldpd_options=\" --daemon -A 127.0.0.1\"\ - \n nhrpd_options=\" --daemon -A 127.0.0.1\"\n eigrpd_options=\"\ - \ --daemon -A 127.0.0.1\"\n babeld_options=\" --daemon -A 127.0.0.1\"\ - \n sharpd_options=\" --daemon -A 127.0.0.1\"\n staticd_options=\"\ - \ --daemon -A 127.0.0.1\"\n pbrd_options=\" --daemon -A 127.0.0.1\"\ - \n bfdd_options=\" --daemon -A 127.0.0.1\"\n fabricd_options=\"\ - \ --daemon -A 127.0.0.1\"\n \n #MAX_FDS=1024\n # The list\ - \ of daemons to watch is automatically generated by the init script.\n \ - \ #watchfrr_options=\"\"\n \n # for debugging purposes, you can\ - \ specify a \"wrap\" command to start instead\n # of starting the daemon\ - \ directly, e.g. to use valgrind on ospfd:\n # ospfd_wrap=\"/usr/bin/valgrind\"\ - \n # or you can use \"all_wrap\" for all daemons, e.g. 
to use perf record:\n\ - \ # all_wrap=\"/usr/bin/perf record --call-graph -\"\n # the normal\ - \ daemon command is added to this at the end.\n \n\n - path: /etc/frr/frr.conf\n\ - \ owner: root\n permissions: 0744\n content: |\n # NVAs configuration\ - \ template\n \n log syslog informational\n no ipv6 forwarding\n\ - \ service integrated-vtysh-config\n \n interface lo\n \ - \ ip address 10.80.128.101/32\n \n ip prefix-list DEFAULT seq 10\ - \ permit 0.0.0.0/0\n !\n ip prefix-list PRIMARY seq 10 permit 10.64.0.0/17\n\ - \ ip prefix-list PRIMARY seq 20 permit 10.68.0.0/16\n ip prefix-list\ - \ PRIMARY seq 30 permit 10.72.0.0/16\n !\n ip prefix-list SECONDARY\ - \ seq 10 permit 10.80.0.0/17\n ip prefix-list SECONDARY seq 20 permit\ - \ 10.84.0.0/16\n ip prefix-list SECONDARY seq 30 permit 10.88.0.0/16\n\ - \ \n route-map TO-DMZ permit 10\n match ip address prefix-list\ - \ PRIMARY\n set metric 10100\n !\n route-map TO-DMZ permit\ - \ 20\n match ip address prefix-list SECONDARY\n set metric 100\n\ - \ !\n route-map TO-LANDING permit 10\n match ip address prefix-list\ - \ DEFAULT\n set metric 100\n !\n route-map TO-NVA permit\ - \ 10\n match ip address prefix-list SECONDARY\n set metric 50\n\ - \ \n router bgp 64514\n bgp router-id 10.80.128.101\n \ - \ bgp bestpath as-path ignore\n bgp disable-ebgp-connected-route-check\n\ - \ bgp timers 20 60\n !\n no bgp ebgp-requires-policy\n \ - \ no bgp network import-check\n !\n neighbor 10.80.128.201\ - \ remote-as 64512\n neighbor 10.80.128.202 remote-as 64512\n !\n\ - \ neighbor 10.80.0.201 remote-as 64515\n neighbor 10.80.0.201\ - \ update-source 10.80.0.101\n neighbor 10.80.0.202 remote-as 64515\n\ - \ neighbor 10.80.0.202 update-source 10.80.0.101\n !\n neighbor\ - \ 10.64.128.101 remote-as 64513\n neighbor 10.64.128.101 ebgp-multihop\ - \ 2\n neighbor 10.64.128.102 remote-as 64513\n neighbor 10.64.128.102\ - \ ebgp-multihop 2\n !\n address-family ipv4 unicast\n neighbor\ - \ 10.80.128.201 route-map TO-DMZ out\n neighbor 
10.80.128.201 soft-reconfiguration\ - \ inbound\n !\n neighbor 10.80.128.202 route-map TO-DMZ out\n\ - \ neighbor 10.80.128.202 soft-reconfiguration inbound\n !\n \ - \ neighbor 10.80.0.201 route-map TO-LANDING out\n neighbor 10.80.0.201\ - \ soft-reconfiguration inbound\n !\n neighbor 10.80.0.202 route-map\ - \ TO-LANDING out\n neighbor 10.80.0.202 soft-reconfiguration inbound\n\ - \ !\n neighbor 10.64.128.101 route-map TO-NVA out\n neighbor\ - \ 10.64.128.101 soft-reconfiguration inbound\n !\n neighbor 10.64.128.102\ - \ route-map TO-NVA out\n neighbor 10.64.128.102 soft-reconfiguration\ - \ inbound\n exit-address-family\n \n\n - path: /etc/frr/vtysh.conf\n\ - \ owner: root\n permissions: 0644\n content: |\n # Copyright\ - \ 2023 Google LLC\n #\n # Licensed under the Apache License, Version\ - \ 2.0 (the \"License\");\n # you may not use this file except in compliance\ - \ with the License.\n # You may obtain a copy of the License at\n \ - \ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\ - \ # Unless required by applicable law or agreed to in writing, software\n\ - \ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\ - \ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\ - \ # See the License for the specific language governing permissions and\n\ - \ # limitations under the License.\n \n # This is a sample\ - \ file used to remove warnings\n # when users open the vtysh console.\n\ - \ \n\n - path: /etc/profile.d/00-aliases.sh\n owner: root\n permissions:\ - \ 0644\n content: |\n alias vtysh='sudo docker exec -it frr sh -c\ - \ vtysh'\n\n - path: /etc/systemd/system/frr.service\n owner: root\n \ - \ permissions: 0644\n content: |\n # Copyright 2023 Google LLC\n\ - \ #\n # Licensed under the Apache License, Version 2.0 (the \"License\"\ - );\n # you may not use this file except in compliance with the License.\n\ - \ # You may obtain a copy of the License at\n #\n # 
http://www.apache.org/licenses/LICENSE-2.0\n\ - \ #\n # Unless required by applicable law or agreed to in writing,\ - \ software\n # distributed under the License is distributed on an \"\ - AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ - \ express or implied.\n # See the License for the specific language governing\ - \ permissions and\n # limitations under the License.\n \n [Unit]\n\ - \ Description=Start FRR container\n After=gcr-online.target docker.socket\n\ - \ Wants=gcr-online.target docker.socket docker-events-collector.service\n\ - \ [Service]\n Environment=\"HOME=/home/frr\"\n ExecStart=/usr/bin/docker\ - \ run --rm --name=frr \\\n --privileged \\\n --network host \\\n\ - \ -v /etc/frr:/etc/frr \\\n frrouting/frr\n ExecStop=/usr/bin/docker\ - \ stop frr\n ExecStopPost=/usr/bin/docker rm frr\n \n\n - path:\ - \ /var/lib/docker/daemon.json\n owner: root\n permissions: 0644\n \ - \ content: |\n {\n \"live-restore\": true,\n\ - \ \"storage-driver\": \"overlay2\",\n \"log-opts\"\ - : {\n \"max-size\": \"1024m\"\n }\n \ - \ }\n \n\n - path: /var/run/nva/ipprefix_by_netmask.sh\n owner:\ - \ root\n permissions: 0744\n content: |\n #!/bin/bash\n \n\ - \ # Copyright 2023 Google LLC\n #\n # Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n # you may not use this file\ - \ except in compliance with the License.\n # You may obtain a copy of\ - \ the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ - \ #\n # Unless required by applicable law or agreed to in writing,\ - \ software\n # distributed under the License is distributed on an \"\ - AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ - \ express or implied.\n # See the License for the specific language governing\ - \ permissions and\n # limitations under the License.\n \n #\ - \ https://stackoverflow.com/questions/50413579/bash-convert-netmask-in-cidr-notation\n\ - \ c=0 x=0$(printf '%o' ${1//./ })\n while [ $x -gt 0 ]; do\n \ - 
\ let c+=$((x % 2)) 'x>>=1'\n done\n echo $c\n \n\n -\ - \ path: /var/run/nva/policy_based_routing.sh\n owner: root\n permissions:\ - \ 0744\n content: |\n #!/bin/bash\n \n # Copyright 2023\ - \ Google LLC\n #\n # Licensed under the Apache License, Version\ - \ 2.0 (the \"License\");\n # you may not use this file except in compliance\ - \ with the License.\n # You may obtain a copy of the License at\n \ - \ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\ - \ # Unless required by applicable law or agreed to in writing, software\n\ - \ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\ - \ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\ - \ # See the License for the specific language governing permissions and\n\ - \ # limitations under the License.\n \n IF_NAME=$1\n IF_NUMBER=$(echo\ - \ $IF_NAME | sed -e s/eth//)\n IF_GW=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/gateway\ - \ -H \"Metadata-Flavor: Google\")\n IF_IP=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/ip\ - \ -H \"Metadata-Flavor: Google\")\n IF_NETMASK=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/subnetmask\ - \ -H \"Metadata-Flavor: Google\")\n IF_IP_PREFIX=$(/var/run/nva/ipprefix_by_netmask.sh\ - \ $IF_NETMASK)\n \n # Sleep while there's no load balancer IP route\ - \ for this IF\n while true\n do\n IPS_LB_STR=$(ip r show\ - \ table local | grep \"$IF_NAME proto 66\" | cut -f 2 -d \" \" | tr -s '\\\ - n' ' ')\n IPS_LB=($IPS_LB_STR)\n for IP in \"${IPS_LB[@]}\"\n\ - \ do\n # Configure hc routing table if not available for this\ - \ network interface\n grep -qxF \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\ - \ /etc/iproute2/rt_tables || {\n echo \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\ - \ >>/etc/iproute2/rt_tables\n ip route add $IF_GW src $IF_IP dev\ - \ $IF_NAME table hc-$IF_NAME\n ip route add 
default via $IF_GW\ - \ dev $IF_NAME table hc-$IF_NAME\n }\n \n # configure\ - \ PBR route for LB\n ip rule list | grep -qF \"$IP\" || ip rule add\ - \ from $IP/32 table hc-$IF_NAME\n done\n \n # remove previously\ - \ configure PBR for old LB removed from network interface\n # first\ - \ get list of PBR on this network interface and retrieve LB IP addresses\n\ - \ PBR_LB_IPS_STR=$(ip rule list | grep \"hc-$IF_NAME\" | cut -f 2 -d\ - \ \" \" | tr -s '\\n' ' ')\n PBR_LB_IPS=($PBR_LB_IPS_STR)\n \n\ - \ # iterate over PBR LB IP addresses\n for PBR_IP in \"${PBR_LB_IPS[@]}\"\ - \n do\n # check if the PBR LB IP belongs to the current array\ - \ of LB IPs attached to the\n # network interface, if not delete\ - \ the corresponding PBR rule\n if [ -z \"$IPS_LB\" ] || ! echo ${IPS_LB[@]}\ - \ | grep --quiet \"$PBR_IP\" ; then\n ip rule del from $PBR_IP\n\ - \ fi\n done\n sleep 2\n done\n \n\n\n -\ - \ path: /etc/systemd/system/routing.service\n permissions: 0644\n owner:\ - \ root\n content: |\n [Install]\n WantedBy=multi-user.target\n\ - \ [Unit]\n Description=Start routing\n After=network-online.target\n\ - \ Wants=network-online.target\n [Service]\n RemainAfterExit=true\n\ - \ ExecStart=/bin/sh -c \"/var/run/nva/start-routing.sh\"\n - path: /var/run/nva/start-routing.sh\n\ - \ permissions: 0744\n owner: root\n content: |\n iptables --policy\ - \ FORWARD ACCEPT\n /var/run/nva/policy_based_routing.sh eth0 &>/dev/null\ - \ &\n iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n ip\ - \ route add 35.235.240.0/20 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\ - \ -H \"Metadata-Flavor:Google\"` dev eth0\n ip route add 10.64.127.0/17\ - \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\ - \ -H \"Metadata-Flavor:Google\"` dev eth0\n ip route add 10.80.127.0/17\ - \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\ - \ -H 
\"Metadata-Flavor:Google\"` dev eth0\n /var/run/nva/policy_based_routing.sh\ - \ eth1 &>/dev/null &\n ip route add 10.64.0.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\ - \ -H \"Metadata-Flavor:Google\"` dev eth1\n ip route add 10.80.0.0/17\ - \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\ - \ -H \"Metadata-Flavor:Google\"` dev eth1\n iptables -A INPUT -p tcp\ - \ --dport 179 -j ACCEPT\n\nbootcmd:\n - systemctl start node-problem-detector\n\ - \nruncmd:\n - systemctl daemon-reload\n - systemctl enable routing\n -\ - \ systemctl start routing\n - systemctl start frr\n" - metadata_startup_script: null - name: nva-ew4-b - network_interface: - - access_config: [] - alias_ip_range: [] - ipv6_access_config: [] - network_ip: 10.80.128.101 - nic_type: null - queue_count: null - security_policy: null - - access_config: [] - alias_ip_range: [] - ipv6_access_config: [] - network_ip: 10.80.0.101 - nic_type: null - queue_count: null - security_policy: null - network_performance_config: [] - params: [] - project: fast2-prod-net-landing-0 - resource_policies: null - scheduling: - - automatic_restart: true - instance_termination_action: null - local_ssd_recovery_timeout: [] - maintenance_interval: null - max_run_duration: [] - min_node_cpus: null - node_affinities: [] - on_host_maintenance: MIGRATE - preemptible: false - provisioning_model: STANDARD - scratch_disk: [] - service_account: - - scopes: - - https://www.googleapis.com/auth/devstorage.read_only - - https://www.googleapis.com/auth/logging.write - - https://www.googleapis.com/auth/monitoring.write - shielded_instance_config: [] - tags: - - nva - timeouts: null - zone: europe-west4-b - module.nva["secondary-c"].google_compute_instance.default[0]: - advanced_machine_features: [] - allow_stopping_for_update: true - attached_disk: [] - boot_disk: - - auto_delete: true - disk_encryption_key_raw: null - 
initialize_params: - - enable_confidential_compute: null - image: projects/cos-cloud/global/images/family/cos-stable - resource_manager_tags: null - size: 10 - type: pd-balanced - mode: READ_WRITE - can_ip_forward: true - deletion_protection: false - description: Managed by the compute-vm Terraform module. - desired_status: null - enable_display: false - hostname: null - labels: null - machine_type: e2-standard-2 - metadata: - user-data: - "#cloud-config\n\n# Copyright 2024 Google LLC\n#\n# Licensed under\ - \ the Apache License, Version 2.0 (the \"License\");\n# you may not use this\ - \ file except in compliance with the License.\n# You may obtain a copy of\ - \ the License at\n#\n# https://www.apache.org/licenses/LICENSE-2.0\n#\n\ - # Unless required by applicable law or agreed to in writing, software\n# distributed\ - \ under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES\ - \ OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License\ - \ for the specific language governing permissions and\n# limitations under\ - \ the License.\n\nwrite_files:\n\n - path: /etc/frr/daemons\n owner: root\n\ - \ permissions: 0744\n content: |\n # Copyright 2023 Google LLC\n\ - \ #\n # Licensed under the Apache License, Version 2.0 (the \"License\"\ - );\n # you may not use this file except in compliance with the License.\n\ - \ # You may obtain a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ - \ #\n # Unless required by applicable law or agreed to in writing,\ - \ software\n # distributed under the License is distributed on an \"\ - AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ - \ express or implied.\n # See the License for the specific language governing\ - \ permissions and\n # limitations under the License.\n \n zebra=no\n\ - \ bgpd=yes\n ospfd=no\n ospf6d=no\n ripd=no\n ripngd=no\n\ - \ isisd=no\n pimd=no\n ldpd=no\n nhrpd=no\n eigrpd=no\n\ - \ babeld=no\n sharpd=no\n 
staticd=no\n pbrd=no\n \ - \ bfdd=no\n fabricd=no\n \n # If this option is set the /etc/init.d/frr\ - \ script automatically loads\n # the config via \"vtysh -b\" when the\ - \ servers are started.\n # Check /etc/pam.d/frr if you intend to use\ - \ \"vtysh\"!\n \n vtysh_enable=yes\n zebra_options=\" -A 127.0.0.1\ - \ -s 90000000\"\n bgpd_options=\" -A 127.0.0.1\"\n ospfd_options=\"\ - \ --daemon -A 127.0.0.1\"\n ospf6d_options=\" --daemon -A ::1\"\n \ - \ ripd_options=\" --daemon -A 127.0.0.1\"\n ripngd_options=\" --daemon\ - \ -A ::1\"\n isisd_options=\" --daemon -A 127.0.0.1\"\n pimd_options=\"\ - \ --daemon -A 127.0.0.1\"\n ldpd_options=\" --daemon -A 127.0.0.1\"\ - \n nhrpd_options=\" --daemon -A 127.0.0.1\"\n eigrpd_options=\"\ - \ --daemon -A 127.0.0.1\"\n babeld_options=\" --daemon -A 127.0.0.1\"\ - \n sharpd_options=\" --daemon -A 127.0.0.1\"\n staticd_options=\"\ - \ --daemon -A 127.0.0.1\"\n pbrd_options=\" --daemon -A 127.0.0.1\"\ - \n bfdd_options=\" --daemon -A 127.0.0.1\"\n fabricd_options=\"\ - \ --daemon -A 127.0.0.1\"\n \n #MAX_FDS=1024\n # The list\ - \ of daemons to watch is automatically generated by the init script.\n \ - \ #watchfrr_options=\"\"\n \n # for debugging purposes, you can\ - \ specify a \"wrap\" command to start instead\n # of starting the daemon\ - \ directly, e.g. to use valgrind on ospfd:\n # ospfd_wrap=\"/usr/bin/valgrind\"\ - \n # or you can use \"all_wrap\" for all daemons, e.g. 
to use perf record:\n\ - \ # all_wrap=\"/usr/bin/perf record --call-graph -\"\n # the normal\ - \ daemon command is added to this at the end.\n \n\n - path: /etc/frr/frr.conf\n\ - \ owner: root\n permissions: 0744\n content: |\n # NVAs configuration\ - \ template\n \n log syslog informational\n no ipv6 forwarding\n\ - \ service integrated-vtysh-config\n \n interface lo\n \ - \ ip address 10.80.128.102/32\n \n ip prefix-list DEFAULT seq 10\ - \ permit 0.0.0.0/0\n !\n ip prefix-list PRIMARY seq 10 permit 10.64.0.0/17\n\ - \ ip prefix-list PRIMARY seq 20 permit 10.68.0.0/16\n ip prefix-list\ - \ PRIMARY seq 30 permit 10.72.0.0/16\n !\n ip prefix-list SECONDARY\ - \ seq 10 permit 10.80.0.0/17\n ip prefix-list SECONDARY seq 20 permit\ - \ 10.84.0.0/16\n ip prefix-list SECONDARY seq 30 permit 10.88.0.0/16\n\ - \ \n route-map TO-DMZ permit 10\n match ip address prefix-list\ - \ PRIMARY\n set metric 10100\n !\n route-map TO-DMZ permit\ - \ 20\n match ip address prefix-list SECONDARY\n set metric 100\n\ - \ !\n route-map TO-LANDING permit 10\n match ip address prefix-list\ - \ DEFAULT\n set metric 100\n !\n route-map TO-NVA permit\ - \ 10\n match ip address prefix-list SECONDARY\n set metric 50\n\ - \ \n router bgp 64514\n bgp router-id 10.80.128.102\n \ - \ bgp bestpath as-path ignore\n bgp disable-ebgp-connected-route-check\n\ - \ bgp timers 20 60\n !\n no bgp ebgp-requires-policy\n \ - \ no bgp network import-check\n !\n neighbor 10.80.128.201\ - \ remote-as 64512\n neighbor 10.80.128.202 remote-as 64512\n !\n\ - \ neighbor 10.80.0.201 remote-as 64515\n neighbor 10.80.0.201\ - \ update-source 10.80.0.102\n neighbor 10.80.0.202 remote-as 64515\n\ - \ neighbor 10.80.0.202 update-source 10.80.0.102\n !\n neighbor\ - \ 10.64.128.101 remote-as 64513\n neighbor 10.64.128.101 ebgp-multihop\ - \ 2\n neighbor 10.64.128.102 remote-as 64513\n neighbor 10.64.128.102\ - \ ebgp-multihop 2\n !\n address-family ipv4 unicast\n neighbor\ - \ 10.80.128.201 route-map TO-DMZ out\n neighbor 
10.80.128.201 soft-reconfiguration\ - \ inbound\n !\n neighbor 10.80.128.202 route-map TO-DMZ out\n\ - \ neighbor 10.80.128.202 soft-reconfiguration inbound\n !\n \ - \ neighbor 10.80.0.201 route-map TO-LANDING out\n neighbor 10.80.0.201\ - \ soft-reconfiguration inbound\n !\n neighbor 10.80.0.202 route-map\ - \ TO-LANDING out\n neighbor 10.80.0.202 soft-reconfiguration inbound\n\ - \ !\n neighbor 10.64.128.101 route-map TO-NVA out\n neighbor\ - \ 10.64.128.101 soft-reconfiguration inbound\n !\n neighbor 10.64.128.102\ - \ route-map TO-NVA out\n neighbor 10.64.128.102 soft-reconfiguration\ - \ inbound\n exit-address-family\n \n\n - path: /etc/frr/vtysh.conf\n\ - \ owner: root\n permissions: 0644\n content: |\n # Copyright\ - \ 2023 Google LLC\n #\n # Licensed under the Apache License, Version\ - \ 2.0 (the \"License\");\n # you may not use this file except in compliance\ - \ with the License.\n # You may obtain a copy of the License at\n \ - \ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\ - \ # Unless required by applicable law or agreed to in writing, software\n\ - \ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\ - \ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\ - \ # See the License for the specific language governing permissions and\n\ - \ # limitations under the License.\n \n # This is a sample\ - \ file used to remove warnings\n # when users open the vtysh console.\n\ - \ \n\n - path: /etc/profile.d/00-aliases.sh\n owner: root\n permissions:\ - \ 0644\n content: |\n alias vtysh='sudo docker exec -it frr sh -c\ - \ vtysh'\n\n - path: /etc/systemd/system/frr.service\n owner: root\n \ - \ permissions: 0644\n content: |\n # Copyright 2023 Google LLC\n\ - \ #\n # Licensed under the Apache License, Version 2.0 (the \"License\"\ - );\n # you may not use this file except in compliance with the License.\n\ - \ # You may obtain a copy of the License at\n #\n # 
http://www.apache.org/licenses/LICENSE-2.0\n\ - \ #\n # Unless required by applicable law or agreed to in writing,\ - \ software\n # distributed under the License is distributed on an \"\ - AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ - \ express or implied.\n # See the License for the specific language governing\ - \ permissions and\n # limitations under the License.\n \n [Unit]\n\ - \ Description=Start FRR container\n After=gcr-online.target docker.socket\n\ - \ Wants=gcr-online.target docker.socket docker-events-collector.service\n\ - \ [Service]\n Environment=\"HOME=/home/frr\"\n ExecStart=/usr/bin/docker\ - \ run --rm --name=frr \\\n --privileged \\\n --network host \\\n\ - \ -v /etc/frr:/etc/frr \\\n frrouting/frr\n ExecStop=/usr/bin/docker\ - \ stop frr\n ExecStopPost=/usr/bin/docker rm frr\n \n\n - path:\ - \ /var/lib/docker/daemon.json\n owner: root\n permissions: 0644\n \ - \ content: |\n {\n \"live-restore\": true,\n\ - \ \"storage-driver\": \"overlay2\",\n \"log-opts\"\ - : {\n \"max-size\": \"1024m\"\n }\n \ - \ }\n \n\n - path: /var/run/nva/ipprefix_by_netmask.sh\n owner:\ - \ root\n permissions: 0744\n content: |\n #!/bin/bash\n \n\ - \ # Copyright 2023 Google LLC\n #\n # Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n # you may not use this file\ - \ except in compliance with the License.\n # You may obtain a copy of\ - \ the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n\ - \ #\n # Unless required by applicable law or agreed to in writing,\ - \ software\n # distributed under the License is distributed on an \"\ - AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either\ - \ express or implied.\n # See the License for the specific language governing\ - \ permissions and\n # limitations under the License.\n \n #\ - \ https://stackoverflow.com/questions/50413579/bash-convert-netmask-in-cidr-notation\n\ - \ c=0 x=0$(printf '%o' ${1//./ })\n while [ $x -gt 0 ]; do\n \ - 
\ let c+=$((x % 2)) 'x>>=1'\n done\n echo $c\n \n\n -\ - \ path: /var/run/nva/policy_based_routing.sh\n owner: root\n permissions:\ - \ 0744\n content: |\n #!/bin/bash\n \n # Copyright 2023\ - \ Google LLC\n #\n # Licensed under the Apache License, Version\ - \ 2.0 (the \"License\");\n # you may not use this file except in compliance\ - \ with the License.\n # You may obtain a copy of the License at\n \ - \ #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n\ - \ # Unless required by applicable law or agreed to in writing, software\n\ - \ # distributed under the License is distributed on an \"AS IS\" BASIS,\n\ - \ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\ - \ # See the License for the specific language governing permissions and\n\ - \ # limitations under the License.\n \n IF_NAME=$1\n IF_NUMBER=$(echo\ - \ $IF_NAME | sed -e s/eth//)\n IF_GW=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/gateway\ - \ -H \"Metadata-Flavor: Google\")\n IF_IP=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/ip\ - \ -H \"Metadata-Flavor: Google\")\n IF_NETMASK=$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IF_NUMBER/subnetmask\ - \ -H \"Metadata-Flavor: Google\")\n IF_IP_PREFIX=$(/var/run/nva/ipprefix_by_netmask.sh\ - \ $IF_NETMASK)\n \n # Sleep while there's no load balancer IP route\ - \ for this IF\n while true\n do\n IPS_LB_STR=$(ip r show\ - \ table local | grep \"$IF_NAME proto 66\" | cut -f 2 -d \" \" | tr -s '\\\ - n' ' ')\n IPS_LB=($IPS_LB_STR)\n for IP in \"${IPS_LB[@]}\"\n\ - \ do\n # Configure hc routing table if not available for this\ - \ network interface\n grep -qxF \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\ - \ /etc/iproute2/rt_tables || {\n echo \"$((200 + $IF_NUMBER)) hc-$IF_NAME\"\ - \ >>/etc/iproute2/rt_tables\n ip route add $IF_GW src $IF_IP dev\ - \ $IF_NAME table hc-$IF_NAME\n ip route add 
default via $IF_GW\ - \ dev $IF_NAME table hc-$IF_NAME\n }\n \n # configure\ - \ PBR route for LB\n ip rule list | grep -qF \"$IP\" || ip rule add\ - \ from $IP/32 table hc-$IF_NAME\n done\n \n # remove previously\ - \ configure PBR for old LB removed from network interface\n # first\ - \ get list of PBR on this network interface and retrieve LB IP addresses\n\ - \ PBR_LB_IPS_STR=$(ip rule list | grep \"hc-$IF_NAME\" | cut -f 2 -d\ - \ \" \" | tr -s '\\n' ' ')\n PBR_LB_IPS=($PBR_LB_IPS_STR)\n \n\ - \ # iterate over PBR LB IP addresses\n for PBR_IP in \"${PBR_LB_IPS[@]}\"\ - \n do\n # check if the PBR LB IP belongs to the current array\ - \ of LB IPs attached to the\n # network interface, if not delete\ - \ the corresponding PBR rule\n if [ -z \"$IPS_LB\" ] || ! echo ${IPS_LB[@]}\ - \ | grep --quiet \"$PBR_IP\" ; then\n ip rule del from $PBR_IP\n\ - \ fi\n done\n sleep 2\n done\n \n\n\n -\ - \ path: /etc/systemd/system/routing.service\n permissions: 0644\n owner:\ - \ root\n content: |\n [Install]\n WantedBy=multi-user.target\n\ - \ [Unit]\n Description=Start routing\n After=network-online.target\n\ - \ Wants=network-online.target\n [Service]\n RemainAfterExit=true\n\ - \ ExecStart=/bin/sh -c \"/var/run/nva/start-routing.sh\"\n - path: /var/run/nva/start-routing.sh\n\ - \ permissions: 0744\n owner: root\n content: |\n iptables --policy\ - \ FORWARD ACCEPT\n /var/run/nva/policy_based_routing.sh eth0 &>/dev/null\ - \ &\n iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n ip\ - \ route add 35.235.240.0/20 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\ - \ -H \"Metadata-Flavor:Google\"` dev eth0\n ip route add 10.64.127.0/17\ - \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\ - \ -H \"Metadata-Flavor:Google\"` dev eth0\n ip route add 10.80.127.0/17\ - \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\ - \ -H 
\"Metadata-Flavor:Google\"` dev eth0\n /var/run/nva/policy_based_routing.sh\ - \ eth1 &>/dev/null &\n ip route add 10.64.0.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\ - \ -H \"Metadata-Flavor:Google\"` dev eth1\n ip route add 10.80.0.0/17\ - \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway\ - \ -H \"Metadata-Flavor:Google\"` dev eth1\n iptables -A INPUT -p tcp\ - \ --dport 179 -j ACCEPT\n\nbootcmd:\n - systemctl start node-problem-detector\n\ - \nruncmd:\n - systemctl daemon-reload\n - systemctl enable routing\n -\ - \ systemctl start routing\n - systemctl start frr\n" - metadata_startup_script: null - name: nva-ew4-c - network_interface: - - access_config: [] - alias_ip_range: [] - ipv6_access_config: [] - network_ip: 10.80.128.102 - nic_type: null - queue_count: null - security_policy: null - - access_config: [] - alias_ip_range: [] - ipv6_access_config: [] - network_ip: 10.80.0.102 - nic_type: null - queue_count: null - security_policy: null - network_performance_config: [] - params: [] - project: fast2-prod-net-landing-0 - resource_policies: null - scheduling: - - automatic_restart: true - instance_termination_action: null - local_ssd_recovery_timeout: [] - maintenance_interval: null - max_run_duration: [] - min_node_cpus: null - node_affinities: [] - on_host_maintenance: MIGRATE - preemptible: false - provisioning_model: STANDARD - scratch_disk: [] - service_account: - - scopes: - - https://www.googleapis.com/auth/devstorage.read_only - - https://www.googleapis.com/auth/logging.write - - https://www.googleapis.com/auth/monitoring.write - shielded_instance_config: [] - tags: - - nva - timeouts: null - zone: europe-west4-c - module.peering-dev.google_compute_network_peering.local_network_peering: - export_custom_routes: true - export_subnet_routes_with_public_ip: true - import_custom_routes: true - import_subnet_routes_with_public_ip: null - 
stack_type: IPV4_ONLY - timeouts: null - module.peering-dev.google_compute_network_peering.peer_network_peering[0]: - export_custom_routes: true - export_subnet_routes_with_public_ip: true - import_custom_routes: true - import_subnet_routes_with_public_ip: null - stack_type: IPV4_ONLY - timeouts: null - module.peering-prod.google_compute_network_peering.local_network_peering: - export_custom_routes: true - export_subnet_routes_with_public_ip: true - import_custom_routes: true - import_subnet_routes_with_public_ip: null - stack_type: IPV4_ONLY - timeouts: null - module.peering-prod.google_compute_network_peering.peer_network_peering[0]: - export_custom_routes: true - export_subnet_routes_with_public_ip: true - import_custom_routes: true - import_subnet_routes_with_public_ip: null - stack_type: IPV4_ONLY - timeouts: null - ? module.prod-dns-peer-landing-rev-10.google_dns_managed_zone.dns_managed_zone[0] - : cloud_logging_config: - - enable_logging: false - description: Terraform managed. - dns_name: 10.in-addr.arpa. - dnssec_config: [] - force_destroy: false - forwarding_config: [] - labels: null - name: prod-reverse-10-dns-peering - project: fast2-prod-net-spoke-0 - reverse_lookup: false - service_directory_config: [] - timeouts: null - visibility: private - module.prod-dns-peer-landing-root.google_dns_managed_zone.dns_managed_zone[0]: - cloud_logging_config: - - enable_logging: false - description: Terraform managed. - dns_name: . - dnssec_config: [] - force_destroy: false - forwarding_config: [] - labels: null - name: prod-root-dns-peering - project: fast2-prod-net-spoke-0 - reverse_lookup: false - service_directory_config: [] - timeouts: null - visibility: private - module.prod-dns-private-zone.google_dns_managed_zone.dns_managed_zone[0]: - cloud_logging_config: - - enable_logging: false - description: Terraform managed. - dns_name: prod.gcp.example.com. 
- dnssec_config: [] - force_destroy: false - forwarding_config: [] - labels: null - name: prod-gcp-example-com - peering_config: [] - project: fast2-prod-net-spoke-0 - service_directory_config: [] - timeouts: null - visibility: private - ? module.prod-dns-private-zone.google_dns_record_set.dns_record_set["A localhost"] - : managed_zone: prod-gcp-example-com - name: localhost.prod.gcp.example.com. - project: fast2-prod-net-spoke-0 - routing_policy: [] - rrdatas: - - 127.0.0.1 - ttl: 300 - type: A - ? module.prod-spoke-firewall.google_compute_firewall.custom-rules["ingress-default-deny"] - : allow: [] - deny: - - ports: [] - protocol: all - description: Deny and log any unmatched ingress traffic. - direction: INGRESS - disabled: false - log_config: - - metadata: EXCLUDE_ALL_METADATA - name: ingress-default-deny - network: prod-spoke-0 - priority: 65535 - project: fast2-prod-net-spoke-0 - source_ranges: - - 0.0.0.0/0 - source_service_accounts: null - source_tags: null - target_service_accounts: null - target_tags: null - timeouts: null - ? module.prod-spoke-project.google_compute_shared_vpc_host_project.shared_vpc_host[0] - : project: fast2-prod-net-spoke-0 - timeouts: null - ? module.prod-spoke-project.google_monitoring_monitored_project.primary["fast2-prod-net-landing-0"] - : metrics_scope: fast2-prod-net-landing-0 - name: fast2-prod-net-spoke-0 - timeouts: null - module.prod-spoke-project.google_project.project[0]: - auto_create_network: false - billing_account: 000000-111111-222222 - folder_id: null - labels: null - name: fast2-prod-net-spoke-0 - org_id: null - project_id: fast2-prod-net-spoke-0 - skip_delete: false - timeouts: null - ? module.prod-spoke-project.google_project_iam_binding.authoritative["roles/dns.admin"] - : condition: [] - members: - - serviceAccount:string - project: fast2-prod-net-spoke-0 - role: roles/dns.admin - ? 
module.prod-spoke-project.google_project_iam_binding.bindings["sa_delegated_grants"] - : condition: - - description: Production host project delegated grants. - expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/composer.sharedVpcAgent','roles/compute.networkUser','roles/compute.networkViewer','roles/container.hostServiceAgentUser','roles/multiclusterservicediscovery.serviceAgent','roles/vpcaccess.user']) - title: prod_stage3_sa_delegated_grants - members: - - serviceAccount:string - project: fast2-prod-net-spoke-0 - role: roles/resourcemanager.projectIamAdmin - module.prod-spoke-project.google_project_iam_member.servicenetworking[0]: - condition: [] - project: fast2-prod-net-spoke-0 - role: roles/servicenetworking.serviceAgent - ? module.prod-spoke-project.google_project_service.project_services["compute.googleapis.com"] - : disable_dependent_services: false - disable_on_destroy: false - project: fast2-prod-net-spoke-0 - service: compute.googleapis.com - timeouts: null - ? module.prod-spoke-project.google_project_service.project_services["dns.googleapis.com"] - : disable_dependent_services: false - disable_on_destroy: false - project: fast2-prod-net-spoke-0 - service: dns.googleapis.com - timeouts: null - ? module.prod-spoke-project.google_project_service.project_services["iap.googleapis.com"] - : disable_dependent_services: false - disable_on_destroy: false - project: fast2-prod-net-spoke-0 - service: iap.googleapis.com - timeouts: null - ? module.prod-spoke-project.google_project_service.project_services["networkmanagement.googleapis.com"] - : disable_dependent_services: false - disable_on_destroy: false - project: fast2-prod-net-spoke-0 - service: networkmanagement.googleapis.com - timeouts: null - ? 
module.prod-spoke-project.google_project_service.project_services["servicenetworking.googleapis.com"] - : disable_dependent_services: false - disable_on_destroy: false - project: fast2-prod-net-spoke-0 - service: servicenetworking.googleapis.com - timeouts: null - ? module.prod-spoke-project.google_project_service.project_services["stackdriver.googleapis.com"] - : disable_dependent_services: false - disable_on_destroy: false - project: fast2-prod-net-spoke-0 - service: stackdriver.googleapis.com - timeouts: null - ? module.prod-spoke-project.google_project_service.project_services["vpcaccess.googleapis.com"] - : disable_dependent_services: false - disable_on_destroy: false - project: fast2-prod-net-spoke-0 - service: vpcaccess.googleapis.com - timeouts: null - ? module.prod-spoke-project.google_project_service_identity.jit_si["iap.googleapis.com"] - : project: fast2-prod-net-spoke-0 - service: iap.googleapis.com - timeouts: null - ? module.prod-spoke-project.google_project_service_identity.servicenetworking[0] - : project: fast2-prod-net-spoke-0 - service: servicenetworking.googleapis.com - timeouts: null - module.prod-spoke-vpc.google_compute_network.network[0]: - auto_create_subnetworks: false - delete_default_routes_on_create: true - description: Terraform-managed. - enable_ula_internal_ipv6: null - mtu: 1500 - name: prod-spoke-0 - network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL - project: fast2-prod-net-spoke-0 - routing_mode: GLOBAL - timeouts: null - module.prod-spoke-vpc.google_compute_route.gateway["private-googleapis"]: - description: Terraform-managed. 
- dest_range: 199.36.153.8/30 - name: prod-spoke-0-private-googleapis - network: prod-spoke-0 - next_hop_gateway: default-internet-gateway - next_hop_ilb: null - next_hop_instance: null - next_hop_vpn_tunnel: null - priority: 1000 - project: fast2-prod-net-spoke-0 - tags: null - timeouts: null - module.prod-spoke-vpc.google_compute_route.gateway["restricted-googleapis"]: - description: Terraform-managed. - dest_range: 199.36.153.4/30 - name: prod-spoke-0-restricted-googleapis - network: prod-spoke-0 - next_hop_gateway: default-internet-gateway - next_hop_ilb: null - next_hop_instance: null - next_hop_vpn_tunnel: null - priority: 1000 - project: fast2-prod-net-spoke-0 - tags: null - timeouts: null - ? module.prod-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/prod-default"] - : description: Default europe-west1 subnet for prod - ip_cidr_range: 10.72.0.0/24 - ipv6_access_type: null - log_config: [] - name: prod-default - network: prod-spoke-0 - private_ip_google_access: true - project: fast2-prod-net-spoke-0 - region: europe-west1 - role: null - timeouts: null - ? module.prod-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west4/prod-default"] - : description: Default europe-west4 subnet for prod - ip_cidr_range: 10.88.0.0/24 - ipv6_access_type: null - log_config: [] - name: prod-default - network: prod-spoke-0 - private_ip_google_access: true - project: fast2-prod-net-spoke-0 - region: europe-west4 - role: null - timeouts: null - module.prod-spoke-vpc.google_dns_policy.default[0]: - alternative_name_server_config: [] - description: Managed by Terraform - enable_inbound_forwarding: null - enable_logging: true - name: prod-spoke-0 - networks: - - {} - project: fast2-prod-net-spoke-0 - timeouts: null - module.spokes-dmz["primary"].google_compute_router.cr: - bgp: - - advertise_mode: CUSTOM - advertised_groups: [] - advertised_ip_ranges: - - description: Default route. 
- range: 0.0.0.0/0 - asn: 64512 - keepalive_interval: 20 - description: null - encrypted_interconnect_router: null - name: prod-spoke-dmz-ew1-cr - project: fast2-prod-net-landing-0 - region: europe-west1 - timeouts: null - module.spokes-dmz["primary"].google_compute_router_interface.intf_0: - interconnect_attachment: null - name: prod-spoke-dmz-ew1-cr-intf0 - private_ip_address: 10.64.128.201 - project: fast2-prod-net-landing-0 - region: europe-west1 - router: prod-spoke-dmz-ew1-cr - timeouts: null - vpn_tunnel: null - module.spokes-dmz["primary"].google_compute_router_interface.intf_1: - interconnect_attachment: null - name: prod-spoke-dmz-ew1-cr-intf1 - private_ip_address: 10.64.128.202 - project: fast2-prod-net-landing-0 - redundant_interface: prod-spoke-dmz-ew1-cr-intf0 - region: europe-west1 - router: prod-spoke-dmz-ew1-cr - timeouts: null - vpn_tunnel: null - module.spokes-dmz["primary"].google_compute_router_peer.peer_0["0"]: - advertise_mode: DEFAULT - advertised_groups: null - advertised_ip_ranges: [] - advertised_route_priority: 100 - enable: true - enable_ipv6: false - interface: prod-spoke-dmz-ew1-cr-intf0 - md5_authentication_key: [] - peer_asn: 64513 - project: fast2-prod-net-landing-0 - region: europe-west1 - router: prod-spoke-dmz-ew1-cr - timeouts: null - module.spokes-dmz["primary"].google_compute_router_peer.peer_0["1"]: - advertise_mode: DEFAULT - advertised_groups: null - advertised_ip_ranges: [] - advertised_route_priority: 100 - enable: true - enable_ipv6: false - interface: prod-spoke-dmz-ew1-cr-intf0 - md5_authentication_key: [] - peer_asn: 64513 - project: fast2-prod-net-landing-0 - region: europe-west1 - router: prod-spoke-dmz-ew1-cr - timeouts: null - module.spokes-dmz["primary"].google_compute_router_peer.peer_1["0"]: - advertise_mode: DEFAULT - advertised_groups: null - advertised_ip_ranges: [] - advertised_route_priority: 100 - enable: true - enable_ipv6: false - interface: prod-spoke-dmz-ew1-cr-intf1 - md5_authentication_key: [] - 
peer_asn: 64513 - project: fast2-prod-net-landing-0 - region: europe-west1 - router: prod-spoke-dmz-ew1-cr - timeouts: null - module.spokes-dmz["primary"].google_compute_router_peer.peer_1["1"]: - advertise_mode: DEFAULT - advertised_groups: null - advertised_ip_ranges: [] - advertised_route_priority: 100 - enable: true - enable_ipv6: false - interface: prod-spoke-dmz-ew1-cr-intf1 - md5_authentication_key: [] - peer_asn: 64513 - project: fast2-prod-net-landing-0 - region: europe-west1 - router: prod-spoke-dmz-ew1-cr - timeouts: null - module.spokes-dmz["primary"].google_network_connectivity_spoke.spoke-ra: - description: null - labels: null - linked_interconnect_attachments: [] - linked_router_appliance_instances: - - instances: - - {} - - {} - site_to_site_data_transfer: false - linked_vpc_network: [] - linked_vpn_tunnels: [] - location: europe-west1 - name: prod-spoke-dmz-ew1 - project: fast2-prod-net-landing-0 - timeouts: null - module.spokes-dmz["secondary"].google_compute_router.cr: - bgp: - - advertise_mode: CUSTOM - advertised_groups: [] - advertised_ip_ranges: - - description: Default route. 
- range: 0.0.0.0/0 - asn: 64512 - keepalive_interval: 20 - description: null - encrypted_interconnect_router: null - name: prod-spoke-dmz-ew4-cr - project: fast2-prod-net-landing-0 - region: europe-west4 - timeouts: null - module.spokes-dmz["secondary"].google_compute_router_interface.intf_0: - interconnect_attachment: null - name: prod-spoke-dmz-ew4-cr-intf0 - private_ip_address: 10.80.128.201 - project: fast2-prod-net-landing-0 - region: europe-west4 - router: prod-spoke-dmz-ew4-cr - timeouts: null - vpn_tunnel: null - module.spokes-dmz["secondary"].google_compute_router_interface.intf_1: - interconnect_attachment: null - name: prod-spoke-dmz-ew4-cr-intf1 - private_ip_address: 10.80.128.202 - project: fast2-prod-net-landing-0 - redundant_interface: prod-spoke-dmz-ew4-cr-intf0 - region: europe-west4 - router: prod-spoke-dmz-ew4-cr - timeouts: null - vpn_tunnel: null - module.spokes-dmz["secondary"].google_compute_router_peer.peer_0["0"]: - advertise_mode: DEFAULT - advertised_groups: null - advertised_ip_ranges: [] - advertised_route_priority: 100 - enable: true - enable_ipv6: false - interface: prod-spoke-dmz-ew4-cr-intf0 - md5_authentication_key: [] - peer_asn: 64514 - project: fast2-prod-net-landing-0 - region: europe-west4 - router: prod-spoke-dmz-ew4-cr - timeouts: null - module.spokes-dmz["secondary"].google_compute_router_peer.peer_0["1"]: - advertise_mode: DEFAULT - advertised_groups: null - advertised_ip_ranges: [] - advertised_route_priority: 100 - enable: true - enable_ipv6: false - interface: prod-spoke-dmz-ew4-cr-intf0 - md5_authentication_key: [] - peer_asn: 64514 - project: fast2-prod-net-landing-0 - region: europe-west4 - router: prod-spoke-dmz-ew4-cr - timeouts: null - module.spokes-dmz["secondary"].google_compute_router_peer.peer_1["0"]: - advertise_mode: DEFAULT - advertised_groups: null - advertised_ip_ranges: [] - advertised_route_priority: 100 - enable: true - enable_ipv6: false - interface: prod-spoke-dmz-ew4-cr-intf1 - 
md5_authentication_key: [] - peer_asn: 64514 - project: fast2-prod-net-landing-0 - region: europe-west4 - router: prod-spoke-dmz-ew4-cr - timeouts: null - module.spokes-dmz["secondary"].google_compute_router_peer.peer_1["1"]: - advertise_mode: DEFAULT - advertised_groups: null - advertised_ip_ranges: [] - advertised_route_priority: 100 - enable: true - enable_ipv6: false - interface: prod-spoke-dmz-ew4-cr-intf1 - md5_authentication_key: [] - peer_asn: 64514 - project: fast2-prod-net-landing-0 - region: europe-west4 - router: prod-spoke-dmz-ew4-cr - timeouts: null - module.spokes-dmz["secondary"].google_network_connectivity_spoke.spoke-ra: - description: null - labels: null - linked_interconnect_attachments: [] - linked_router_appliance_instances: - - instances: - - {} - - {} - site_to_site_data_transfer: false - linked_vpc_network: [] - linked_vpn_tunnels: [] - location: europe-west4 - name: prod-spoke-dmz-ew4 - project: fast2-prod-net-landing-0 - timeouts: null - module.spokes-landing["primary"].google_compute_router.cr: - bgp: - - advertise_mode: CUSTOM - advertised_groups: [] - advertised_ip_ranges: - - description: GCP landing primary. - range: 10.64.0.0/17 - - description: GCP dev primary. - range: 10.68.0.0/16 - - description: GCP prod primary. - range: 10.72.0.0/16 - - description: GCP landing secondary. - range: 10.80.0.0/17 - - description: GCP dev secondary. - range: 10.84.0.0/16 - - description: GCP prod secondary. 
- range: 10.88.0.0/16 - asn: 64515 - keepalive_interval: 20 - description: null - encrypted_interconnect_router: null - name: prod-spoke-landing-ew1-cr - project: fast2-prod-net-landing-0 - region: europe-west1 - timeouts: null - module.spokes-landing["primary"].google_compute_router_interface.intf_0: - interconnect_attachment: null - name: prod-spoke-landing-ew1-cr-intf0 - private_ip_address: 10.64.0.201 - project: fast2-prod-net-landing-0 - region: europe-west1 - router: prod-spoke-landing-ew1-cr - timeouts: null - vpn_tunnel: null - module.spokes-landing["primary"].google_compute_router_interface.intf_1: - interconnect_attachment: null - name: prod-spoke-landing-ew1-cr-intf1 - private_ip_address: 10.64.0.202 - project: fast2-prod-net-landing-0 - redundant_interface: prod-spoke-landing-ew1-cr-intf0 - region: europe-west1 - router: prod-spoke-landing-ew1-cr - timeouts: null - vpn_tunnel: null - module.spokes-landing["primary"].google_compute_router_peer.peer_0["0"]: - advertise_mode: DEFAULT - advertised_groups: null - advertised_ip_ranges: [] - advertised_route_priority: 100 - enable: true - enable_ipv6: false - interface: prod-spoke-landing-ew1-cr-intf0 - md5_authentication_key: [] - peer_asn: 64513 - project: fast2-prod-net-landing-0 - region: europe-west1 - router: prod-spoke-landing-ew1-cr - timeouts: null - module.spokes-landing["primary"].google_compute_router_peer.peer_0["1"]: - advertise_mode: DEFAULT - advertised_groups: null - advertised_ip_ranges: [] - advertised_route_priority: 100 - enable: true - enable_ipv6: false - interface: prod-spoke-landing-ew1-cr-intf0 - md5_authentication_key: [] - peer_asn: 64513 - project: fast2-prod-net-landing-0 - region: europe-west1 - router: prod-spoke-landing-ew1-cr - timeouts: null - module.spokes-landing["primary"].google_compute_router_peer.peer_1["0"]: - advertise_mode: DEFAULT - advertised_groups: null - advertised_ip_ranges: [] - advertised_route_priority: 100 - enable: true - enable_ipv6: false - interface: 
prod-spoke-landing-ew1-cr-intf1 - md5_authentication_key: [] - peer_asn: 64513 - project: fast2-prod-net-landing-0 - region: europe-west1 - router: prod-spoke-landing-ew1-cr - timeouts: null - module.spokes-landing["primary"].google_compute_router_peer.peer_1["1"]: - advertise_mode: DEFAULT - advertised_groups: null - advertised_ip_ranges: [] - advertised_route_priority: 100 - enable: true - enable_ipv6: false - interface: prod-spoke-landing-ew1-cr-intf1 - md5_authentication_key: [] - peer_asn: 64513 - project: fast2-prod-net-landing-0 - region: europe-west1 - router: prod-spoke-landing-ew1-cr - timeouts: null - module.spokes-landing["primary"].google_network_connectivity_spoke.spoke-ra: - description: null - labels: null - linked_interconnect_attachments: [] - linked_router_appliance_instances: - - instances: - - {} - - {} - site_to_site_data_transfer: false - linked_vpc_network: [] - linked_vpn_tunnels: [] - location: europe-west1 - name: prod-spoke-landing-ew1 - project: fast2-prod-net-landing-0 - timeouts: null - module.spokes-landing["secondary"].google_compute_router.cr: - bgp: - - advertise_mode: CUSTOM - advertised_groups: [] - advertised_ip_ranges: - - description: GCP landing primary. - range: 10.64.0.0/17 - - description: GCP dev primary. - range: 10.68.0.0/16 - - description: GCP prod primary. - range: 10.72.0.0/16 - - description: GCP landing secondary. - range: 10.80.0.0/17 - - description: GCP dev secondary. - range: 10.84.0.0/16 - - description: GCP prod secondary. 
- range: 10.88.0.0/16 - asn: 64515 - keepalive_interval: 20 - description: null - encrypted_interconnect_router: null - name: prod-spoke-landing-ew4-cr - project: fast2-prod-net-landing-0 - region: europe-west4 - timeouts: null - module.spokes-landing["secondary"].google_compute_router_interface.intf_0: - interconnect_attachment: null - name: prod-spoke-landing-ew4-cr-intf0 - private_ip_address: 10.80.0.201 - project: fast2-prod-net-landing-0 - region: europe-west4 - router: prod-spoke-landing-ew4-cr - timeouts: null - vpn_tunnel: null - module.spokes-landing["secondary"].google_compute_router_interface.intf_1: - interconnect_attachment: null - name: prod-spoke-landing-ew4-cr-intf1 - private_ip_address: 10.80.0.202 - project: fast2-prod-net-landing-0 - redundant_interface: prod-spoke-landing-ew4-cr-intf0 - region: europe-west4 - router: prod-spoke-landing-ew4-cr - timeouts: null - vpn_tunnel: null - module.spokes-landing["secondary"].google_compute_router_peer.peer_0["0"]: - advertise_mode: DEFAULT - advertised_groups: null - advertised_ip_ranges: [] - advertised_route_priority: 100 - enable: true - enable_ipv6: false - interface: prod-spoke-landing-ew4-cr-intf0 - md5_authentication_key: [] - peer_asn: 64514 - project: fast2-prod-net-landing-0 - region: europe-west4 - router: prod-spoke-landing-ew4-cr - timeouts: null - module.spokes-landing["secondary"].google_compute_router_peer.peer_0["1"]: - advertise_mode: DEFAULT - advertised_groups: null - advertised_ip_ranges: [] - advertised_route_priority: 100 - enable: true - enable_ipv6: false - interface: prod-spoke-landing-ew4-cr-intf0 - md5_authentication_key: [] - peer_asn: 64514 - project: fast2-prod-net-landing-0 - region: europe-west4 - router: prod-spoke-landing-ew4-cr - timeouts: null - module.spokes-landing["secondary"].google_compute_router_peer.peer_1["0"]: - advertise_mode: DEFAULT - advertised_groups: null - advertised_ip_ranges: [] - advertised_route_priority: 100 - enable: true - enable_ipv6: false - 
interface: prod-spoke-landing-ew4-cr-intf1 - md5_authentication_key: [] - peer_asn: 64514 - project: fast2-prod-net-landing-0 - region: europe-west4 - router: prod-spoke-landing-ew4-cr - timeouts: null - module.spokes-landing["secondary"].google_compute_router_peer.peer_1["1"]: - advertise_mode: DEFAULT - advertised_groups: null - advertised_ip_ranges: [] - advertised_route_priority: 100 - enable: true - enable_ipv6: false - interface: prod-spoke-landing-ew4-cr-intf1 - md5_authentication_key: [] - peer_asn: 64514 - project: fast2-prod-net-landing-0 - region: europe-west4 - router: prod-spoke-landing-ew4-cr - timeouts: null - module.spokes-landing["secondary"].google_network_connectivity_spoke.spoke-ra: - description: null - labels: null - linked_interconnect_attachments: [] - linked_router_appliance_instances: - - instances: - - {} - - {} - site_to_site_data_transfer: false - linked_vpc_network: [] - linked_vpn_tunnels: [] - location: europe-west4 - name: prod-spoke-landing-ew4 - project: fast2-prod-net-landing-0 - timeouts: null - -counts: - google_compute_address: 8 - google_compute_external_vpn_gateway: 2 - google_compute_firewall: 12 - google_compute_firewall_policy: 1 - google_compute_firewall_policy_association: 1 - google_compute_firewall_policy_rule: 4 - google_compute_ha_vpn_gateway: 2 - google_compute_instance: 4 - google_compute_network: 4 - google_compute_network_peering: 4 - google_compute_route: 6 - google_compute_router: 8 - google_compute_router_interface: 12 - google_compute_router_nat: 2 - google_compute_router_peer: 20 - google_compute_shared_vpc_host_project: 3 - google_compute_subnetwork: 10 - google_compute_vpn_tunnel: 4 - google_dns_managed_zone: 9 - google_dns_policy: 4 - google_dns_record_set: 3 - google_dns_response_policy: 1 - google_dns_response_policy_rule: 34 - google_essential_contacts_contact: 1 - google_folder: 1 - google_monitoring_alert_policy: 2 - google_monitoring_dashboard: 3 - google_monitoring_monitored_project: 2 - 
google_network_connectivity_hub: 2 - google_network_connectivity_spoke: 4 - google_project: 3 - google_project_iam_binding: 6 - google_project_iam_member: 2 - google_project_service: 20 - google_project_service_identity: 5 - google_storage_bucket_object: 1 - modules: 37 - random_id: 2 - resources: 212 - -outputs: - host_project_ids: - dev-spoke-0: fast2-dev-net-spoke-0 - prod-landing: fast2-prod-net-landing-0 - prod-spoke-0: fast2-prod-net-spoke-0 - host_project_numbers: __missing__ - shared_vpc_self_links: __missing__ - tfvars: __missing__ - vpn_gateway_endpoints: __missing__
diff --git a/tests/fast/stages/s2_networking_e_nva_bgp/tftest.yaml b/tests/fast/stages/s2_networking_e_nva_bgp/tftest.yaml
deleted file mode 100644
index 2aaeb06095..0000000000
--- a/tests/fast/stages/s2_networking_e_nva_bgp/tftest.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-module: fast/stages/2-networking-e-nva-bgp
-
-tests:
- simple: