diff --git a/fast/stages/02-networking-nva/README.md b/fast/stages/02-networking-nva/README.md
index 91071b2c0c..84c236cf9e 100644
--- a/fast/stages/02-networking-nva/README.md
+++ b/fast/stages/02-networking-nva/README.md
@@ -352,7 +352,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
| [landing.tf](./landing.tf) | Landing VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | |
| [main.tf](./main.tf) | Networking folder and hierarchical policy. | folder | |
| [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | google_monitoring_dashboard |
-| [nva.tf](./nva.tf) | None | compute-mig · compute-vm · net-ilb | |
+| [nva.tf](./nva.tf) | None | compute-mig · compute-vm · simple-nva | |
| [outputs.tf](./outputs.tf) | Module outputs. | | google_storage_bucket_object · local_file |
| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | net-vpc · net-vpc-firewall · net-vpc-peering · project | google_project_iam_binding |
| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | net-vpc · net-vpc-firewall · net-vpc-peering · project | google_project_iam_binding |
diff --git a/fast/stages/02-networking-nva/nva.tf b/fast/stages/02-networking-nva/nva.tf
index b7dd698816..4e70d02fb4 100644
--- a/fast/stages/02-networking-nva/nva.tf
+++ b/fast/stages/02-networking-nva/nva.tf
@@ -15,181 +15,97 @@
*/
locals {
- _subnets = var.data_dir == null ? tomap({}) : {
- for f in fileset("${var.data_dir}/subnets", "**/*.yaml") :
- trimsuffix(basename(f), ".yaml") => yamldecode(file("${var.data_dir}/subnets/${f}"))
- }
- subnets = merge(
- { for k, v in local._subnets : "${k}-cidr" => v.ip_cidr_range },
- { for k, v in local._subnets : "${k}-gw" => cidrhost(v.ip_cidr_range, 1) }
- )
-}
-
-# europe-west1
-
-module "nva-template-ew1" {
- source = "../../../modules/compute-vm"
- project_id = module.landing-project.project_id
- name = "nva-template"
- zone = "europe-west1-b"
- tags = ["nva"]
- can_ip_forward = true
- network_interfaces = [
+ # routing_config should be aligned to the NVA network interfaces - i.e.
+ # local.routing_config[0] sets up the first interface, and so on.
+ routing_config = [
{
- network = module.landing-untrusted-vpc.self_link
- subnetwork = module.landing-untrusted-vpc.subnet_self_links["europe-west1/landing-untrusted-default-ew1"]
+ name = "untrusted"
+ routes = [
+ var.custom_adv.gcp_landing_untrusted_ew1,
+ var.custom_adv.gcp_landing_untrusted_ew4,
+ ]
},
{
- network = module.landing-trusted-vpc.self_link
- subnetwork = module.landing-trusted-vpc.subnet_self_links["europe-west1/landing-trusted-default-ew1"]
- }
+ name = "trusted"
+ routes = [
+ var.custom_adv.gcp_dev_ew1,
+ var.custom_adv.gcp_dev_ew4,
+ var.custom_adv.gcp_landing_trusted_ew1,
+ var.custom_adv.gcp_landing_trusted_ew4,
+ var.custom_adv.gcp_prod_ew1,
+ var.custom_adv.gcp_prod_ew4,
+ ]
+ },
]
- boot_disk = {
- image = "projects/debian-cloud/global/images/family/debian-10"
- }
- create_template = true
- instance_type = "f1-micro"
- options = {
- spot = true
- termination_action = "STOP"
- }
- metadata = {
- startup-script = templatefile(
- "${path.module}/data/nva-startup-script.tftpl",
- {
- dev-default-ew1-cidr = local.subnets.dev-default-ew1-cidr
- dev-default-ew4-cidr = local.subnets.dev-default-ew4-cidr
- gateway-trusted = local.subnets.landing-trusted-default-ew1-gw
- gateway-untrusted = local.subnets.landing-untrusted-default-ew1-gw
- landing-trusted-other-region = local.subnets.landing-trusted-default-ew4-cidr
- landing-untrusted-other-region = local.subnets.landing-untrusted-default-ew4-cidr
- onprem-main-cidr = var.onprem_cidr.main
- prod-default-ew1-cidr = local.subnets.prod-default-ew1-cidr
- prod-default-ew4-cidr = local.subnets.prod-default-ew4-cidr
- }
- )
+ nva_locality = {
+ europe-west1-b = { region = "europe-west1", trigram = "ew1", zone = "b" },
+ europe-west1-c = { region = "europe-west1", trigram = "ew1", zone = "c" },
+ europe-west4-b = { region = "europe-west4", trigram = "ew4", zone = "b" },
+ europe-west4-c = { region = "europe-west4", trigram = "ew4", zone = "c" },
}
-}
-module "nva-mig-ew1" {
- source = "../../../modules/compute-mig"
- project_id = module.landing-project.project_id
- regional = true
- location = "europe-west1"
- name = "nva-ew1"
- target_size = 2
- auto_healing_policies = {
- health_check = module.nva-mig-ew1.health_check.self_link
- initial_delay_sec = 30
- }
- health_check_config = {
- type = "tcp"
- check = { port = 22 }
- config = {}
- logging = true
- }
- default_version = {
- instance_template = module.nva-template-ew1.template.self_link
- name = "default"
- }
}
-module "ilb-nva-untrusted-ew1" {
- source = "../../../modules/net-ilb"
- project_id = module.landing-project.project_id
- region = "europe-west1"
- name = "ilb-nva-untrusted-ew1"
- service_label = var.prefix
- global_access = true
- network = module.landing-untrusted-vpc.self_link
- subnetwork = module.landing-untrusted-vpc.subnet_self_links["europe-west1/landing-untrusted-default-ew1"]
- backends = [{
- failover = false
- group = module.nva-mig-ew1.group_manager.instance_group
- balancing_mode = "CONNECTION"
- }]
- health_check_config = {
- type = "tcp", check = { port = 22 }, config = {}, logging = false
- }
+# NVA config
+module "nva-cloud-config" {
+ source = "../../../modules/cloud-config-container/simple-nva"
+ enable_health_checks = true
+ network_interfaces = local.routing_config
}
-module "ilb-nva-trusted-ew1" {
- source = "../../../modules/net-ilb"
- project_id = module.landing-project.project_id
- region = "europe-west1"
- name = "ilb-nva-trusted-ew1"
- service_label = var.prefix
- global_access = true
- network = module.landing-trusted-vpc.self_link
- subnetwork = module.landing-trusted-vpc.subnet_self_links["europe-west1/landing-trusted-default-ew1"]
- backends = [{
- failover = false
- group = module.nva-mig-ew1.group_manager.instance_group
- balancing_mode = "CONNECTION"
- }]
- health_check_config = {
- type = "tcp", check = { port = 22 }, config = {}, logging = false
- }
-}
-
-# europe-west4
-
-module "nva-template-ew4" {
- source = "../../../modules/compute-vm"
- project_id = module.landing-project.project_id
- name = "nva-template"
- zone = "europe-west4-a"
- tags = ["nva"]
- can_ip_forward = true
+module "nva-template" {
+ for_each = local.nva_locality
+ source = "../../../modules/compute-vm"
+ project_id = module.landing-project.project_id
+ name = "nva-template-${each.value.trigram}-${each.value.zone}"
+ zone = "${each.value.region}-${each.value.zone}"
+ instance_type = "e2-standard-2"
+ tags = ["nva"]
+ create_template = true
+ can_ip_forward = true
network_interfaces = [
{
network = module.landing-untrusted-vpc.self_link
- subnetwork = module.landing-untrusted-vpc.subnet_self_links["europe-west4/landing-untrusted-default-ew4"]
+ subnetwork = module.landing-untrusted-vpc.subnet_self_links["${each.value.region}/landing-untrusted-default-${each.value.trigram}"]
nat = false
addresses = null
},
{
network = module.landing-trusted-vpc.self_link
- subnetwork = module.landing-trusted-vpc.subnet_self_links["europe-west4/landing-trusted-default-ew4"]
+ subnetwork = module.landing-trusted-vpc.subnet_self_links["${each.value.region}/landing-trusted-default-${each.value.trigram}"]
nat = false
addresses = null
}
]
boot_disk = {
- image = "projects/debian-cloud/global/images/family/debian-10"
- type = "pd-balanced"
+ image = "projects/cos-cloud/global/images/family/cos-stable"
size = 10
+ type = "pd-balanced"
+ }
+ options = {
+ allow_stopping_for_update = true
+ deletion_protection = false
+ spot = true
+ termination_action = "STOP"
}
- create_template = true
metadata = {
- startup-script = templatefile(
- "${path.module}/data/nva-startup-script.tftpl",
- {
- dev-default-ew1-cidr = local.subnets.dev-default-ew1-cidr
- dev-default-ew4-cidr = local.subnets.dev-default-ew4-cidr
- gateway-trusted = local.subnets.landing-trusted-default-ew4-gw
- gateway-untrusted = local.subnets.landing-untrusted-default-ew4-gw
- landing-trusted-other-region = local.subnets.landing-trusted-default-ew1-cidr
- landing-untrusted-other-region = local.subnets.landing-untrusted-default-ew1-cidr
- onprem-main-cidr = var.onprem_cidr.main
- prod-default-ew1-cidr = local.subnets.prod-default-ew1-cidr
- prod-default-ew4-cidr = local.subnets.prod-default-ew4-cidr
- }
- )
+ user-data = module.nva-cloud-config.cloud_config
}
}
-module "nva-mig-ew4" {
+module "nva-mig" {
+ for_each = local.nva_locality
source = "../../../modules/compute-mig"
project_id = module.landing-project.project_id
regional = true
- location = "europe-west4"
- name = "nva-ew4"
- target_size = 2
- auto_healing_policies = {
- health_check = module.nva-mig-ew4.health_check.self_link
- initial_delay_sec = 30
- }
+ location = each.value.region
+ name = "nva-cos-${each.value.trigram}-${each.value.zone}"
+ target_size = 1
+ # FIXME: cycle
+ # auto_healing_policies = {
+ # health_check = module.nva-mig[each.key].health_check.self_link
+ # initial_delay_sec = 30
+ # }
health_check_config = {
type = "tcp"
check = { port = 22 }
@@ -197,45 +113,51 @@ module "nva-mig-ew4" {
logging = true
}
default_version = {
- instance_template = module.nva-template-ew4.template.self_link
+ instance_template = module.nva-template[each.key].template.self_link
name = "default"
}
}
-module "ilb-nva-untrusted-ew4" {
+module "ilb-nva-untrusted" {
+ for_each = { for l in local.nva_locality : l.region => l.trigram... }
source = "../../../modules/net-ilb"
project_id = module.landing-project.project_id
- region = "europe-west4"
- name = "ilb-nva-untrusted-ew4"
+ region = each.key
+ name = "nva-untrusted-${each.value.0}"
service_label = var.prefix
global_access = true
network = module.landing-untrusted-vpc.self_link
- subnetwork = module.landing-untrusted-vpc.subnet_self_links["europe-west4/landing-untrusted-default-ew4"]
- backends = [{
- failover = false
- group = module.nva-mig-ew4.group_manager.instance_group
- balancing_mode = "CONNECTION"
- }]
+ subnetwork = module.landing-untrusted-vpc.subnet_self_links["${each.key}/landing-untrusted-default-${each.value.0}"]
+ backends = [for key, _ in local.nva_locality :
+ {
+ failover = false
+ group = module.nva-mig[key].group_manager.instance_group
+ balancing_mode = "CONNECTION"
+ } if local.nva_locality[key].region == each.key]
health_check_config = {
type = "tcp", check = { port = 22 }, config = {}, logging = false
}
}
-module "ilb-nva-trusted-ew4" {
+
+module "ilb-nva-trusted" {
+ for_each = { for l in local.nva_locality : l.region => l.trigram... }
source = "../../../modules/net-ilb"
project_id = module.landing-project.project_id
- region = "europe-west4"
- name = "ilb-nva-trusted-ew4"
+ region = each.key
+ name = "nva-trusted-${each.value.0}"
service_label = var.prefix
global_access = true
network = module.landing-trusted-vpc.self_link
- subnetwork = module.landing-trusted-vpc.subnet_self_links["europe-west4/landing-trusted-default-ew4"]
- backends = [{
- failover = false
- group = module.nva-mig-ew4.group_manager.instance_group
- balancing_mode = "CONNECTION"
- }]
+ subnetwork = module.landing-trusted-vpc.subnet_self_links["${each.key}/landing-trusted-default-${each.value.0}"]
+ backends = [for key, _ in local.nva_locality :
+ {
+ failover = false
+ group = module.nva-mig[key].group_manager.instance_group
+ balancing_mode = "CONNECTION"
+ } if local.nva_locality[key].region == each.key]
health_check_config = {
type = "tcp", check = { port = 22 }, config = {}, logging = false
}
}
+
diff --git a/fast/stages/02-networking-nva/spoke-dev.tf b/fast/stages/02-networking-nva/spoke-dev.tf
index ba11cd8e52..3499206f5f 100644
--- a/fast/stages/02-networking-nva/spoke-dev.tf
+++ b/fast/stages/02-networking-nva/spoke-dev.tf
@@ -72,28 +72,28 @@ module "dev-spoke-vpc" {
priority = 1000
tags = ["ew1"]
next_hop_type = "ilb"
- next_hop = module.ilb-nva-trusted-ew1.forwarding_rule_address
+ next_hop = module.ilb-nva-trusted["europe-west1"].forwarding_rule_address
}
nva-ew4-to-ew4 = {
dest_range = "0.0.0.0/0"
priority = 1000
tags = ["ew4"]
next_hop_type = "ilb"
- next_hop = module.ilb-nva-trusted-ew4.forwarding_rule_address
+ next_hop = module.ilb-nva-trusted["europe-west4"].forwarding_rule_address
}
nva-ew1-to-ew4 = {
dest_range = "0.0.0.0/0"
priority = 1001
tags = ["ew1"]
next_hop_type = "ilb"
- next_hop = module.ilb-nva-trusted-ew4.forwarding_rule_address
+ next_hop = module.ilb-nva-trusted["europe-west4"].forwarding_rule_address
}
nva-ew4-to-ew1 = {
dest_range = "0.0.0.0/0"
priority = 1001
tags = ["ew4"]
next_hop_type = "ilb"
- next_hop = module.ilb-nva-trusted-ew1.forwarding_rule_address
+ next_hop = module.ilb-nva-trusted["europe-west1"].forwarding_rule_address
}
}
}
diff --git a/fast/stages/02-networking-nva/spoke-prod.tf b/fast/stages/02-networking-nva/spoke-prod.tf
index 7150195ebc..6a0c26c8b2 100644
--- a/fast/stages/02-networking-nva/spoke-prod.tf
+++ b/fast/stages/02-networking-nva/spoke-prod.tf
@@ -72,28 +72,28 @@ module "prod-spoke-vpc" {
priority = 1000
tags = ["ew1"]
next_hop_type = "ilb"
- next_hop = module.ilb-nva-trusted-ew1.forwarding_rule_address
+ next_hop = module.ilb-nva-trusted["europe-west1"].forwarding_rule_address
}
nva-ew4-to-ew4 = {
dest_range = "0.0.0.0/0"
priority = 1000
tags = ["ew4"]
next_hop_type = "ilb"
- next_hop = module.ilb-nva-trusted-ew4.forwarding_rule_address
+ next_hop = module.ilb-nva-trusted["europe-west4"].forwarding_rule_address
}
nva-ew1-to-ew4 = {
dest_range = "0.0.0.0/0"
priority = 1001
tags = ["ew1"]
next_hop_type = "ilb"
- next_hop = module.ilb-nva-trusted-ew4.forwarding_rule_address
+ next_hop = module.ilb-nva-trusted["europe-west4"].forwarding_rule_address
}
nva-ew4-to-ew1 = {
dest_range = "0.0.0.0/0"
priority = 1001
tags = ["ew4"]
next_hop_type = "ilb"
- next_hop = module.ilb-nva-trusted-ew1.forwarding_rule_address
+ next_hop = module.ilb-nva-trusted["europe-west1"].forwarding_rule_address
}
}
}