diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 4ee7824bd7..4766a9fbe4 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -107,4 +107,4 @@ repos: rev: v2.2.6 hooks: - id: codespell - exclude: requirements.txt$|excalidraw$ + exclude: (requirements.txt$|excalidraw$|package-lock\.json$|go\.sum$) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6bbd4351ae..c438a635e1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -100,7 +100,7 @@ All notable changes to this project will be documented in this file. - [[#2497](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2497)] Net vpc firewall factory schema ([ludoo](https://github.com/ludoo)) - [[#2494](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2494)] Additional module schemas ([ludoo](https://github.com/ludoo)) - [[#2491](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2491)] Organization module factory schemas ([ludoo](https://github.com/ludoo)) -- [[#2483](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2483)] Add boostrap output with log destination ids ([juliocc](https://github.com/juliocc)) +- [[#2483](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2483)] Add bootstrap output with log destination ids ([juliocc](https://github.com/juliocc)) - [[#2482](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2482)] [FAST] Rename netsec stage to nsec ([LucaPrete](https://github.com/LucaPrete)) - [[#2477](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2477)] VPC-SC factory JSON Schemas ([ludoo](https://github.com/ludoo)) - [[#2471](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2471)] Rename 1-vpc-sc stage to 1-vpcsc ([juliocc](https://github.com/juliocc)) 
@@ -475,7 +475,7 @@ All notable changes to this project will be documented in this file. - [[#2185](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2185)] Fix failing e2e tests for Cloud Run CMEK ([wiktorn](https://github.com/wiktorn)) - [[#2182](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2182)] **incompatible change:** Fix default nodepool defaults in gke standard module ([ludoo](https://github.com/ludoo)) - [[#2177](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2177)] add cmek option for cloud_run_v2 ([SalehElnagarSecurrency](https://github.com/SalehElnagarSecurrency)) -- [[#2175](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2175)] feat(gke-cluster-standard): Set optionnal `default_node_pool` configuration ([anthonyhaussman](https://github.com/anthonyhaussman)) +- [[#2175](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2175)] feat(gke-cluster-standard): Set optional `default_node_pool` configuration ([anthonyhaussman](https://github.com/anthonyhaussman)) - [[#2174](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2174)] Bump provider version to 5.18 to fix non-empty plan for google_notebooks_instance ([wiktorn](https://github.com/wiktorn)) - [[#2171](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2171)] **incompatible change:** Fix subnet configuration in cloud nat module ([ludoo](https://github.com/ludoo)) - [[#2170](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2170)] Support optional secondary ranges in net-cloudnat module ([ludoo](https://github.com/ludoo)) 
@@ -635,7 +635,7 @@ All notable changes to this project will be documented in this file. - [[#2004](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2004)] **incompatible change:** Remove default region for Cloud Function and Cloud Run ([wiktorn](https://github.com/wiktorn)) - [[#1977](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1977)] Add example to FAST GKE stage, streamline GKE Hub module variables and usage ([ludoo](https://github.com/ludoo)) - [[#1992](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1992)] Fix Data platform foundation ([lcaggio](https://github.com/lcaggio)) -- [[#1976](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1976)] Network dashboard - fixing 2 bugs: overriden variable and page token … ([aurelienlegrand](https://github.com/aurelienlegrand)) +- [[#1976](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1976)] Network dashboard - fixing 2 bugs: overridden variable and page token … ([aurelienlegrand](https://github.com/aurelienlegrand)) - [[#1819](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1819)] Serverless networking program ([juliodiez](https://github.com/juliodiez)) - [[#1952](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1952)] Composer blueprints improvements ([wiktorn](https://github.com/wiktorn)) - [[#1939](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1939)] Networking Sandbox Blueprint ([sruffilli](https://github.com/sruffilli)) 
@@ -762,7 +762,7 @@ All notable changes to this project will be documented in this file. - [[#1914](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1914)] Allow per-module terraform fixtures ([juliocc](https://github.com/juliocc)) - [[#1953](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1953)] Fix variable region ([andybubu](https://github.com/andybubu)) - [[#1950](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1950)] Add version check ([wiktorn](https://github.com/wiktorn)) -- [[#1937](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1937)] Fix always succeding test ([wiktorn](https://github.com/wiktorn)) +- [[#1937](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1937)] Fix always succeeding test ([wiktorn](https://github.com/wiktorn)) - [[#1932](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1932)] Simplify organization tags.tf locals ([juliocc](https://github.com/juliocc)) - [[#1890](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1890)] Use TFTEST_E2E_ instead of TF_VAR variables ([wiktorn](https://github.com/wiktorn)) 
@@ -870,7 +870,7 @@ All notable changes to this project will be documented in this file. - [[#1804](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1804)] compute-vm: remove old todo ([LucaPrete](https://github.com/LucaPrete)) - [[#1803](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1803)] use the repository format in the image_path output ([Tutuchan](https://github.com/Tutuchan)) - [[#1801](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1801)] Fix Internal App LB serverless NEG backend example ([juliocc](https://github.com/juliocc)) -- [[#1795](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1795)] Allow users to optonally specify address names ([LucaPrete](https://github.com/LucaPrete)) +- [[#1795](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1795)] Allow users to optionally specify address names ([LucaPrete](https://github.com/LucaPrete)) - [[#1792](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1792)] Removed unnecessary try statements from apigee module outputs ([apichick](https://github.com/apichick)) - [[#1786](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1786)] net-lb-ext: add support for multiple forwarding rules (IPs) and dual-stack (IPv4/IPv6) ([LucaPrete](https://github.com/LucaPrete)) - [[#1782](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1782)] Add upper cap to versions, update copyright notices ([sruffilli](https://github.com/sruffilli)) 
@@ -1148,7 +1148,7 @@ All notable changes to this project will be documented in this file. - [[#1510](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1510)] **incompatible change:** Refactoring of dns module ([apichick](https://github.com/apichick)) - [[#1509](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1509)] Add output to org module with custom constraint details and depends_on ([juliocc](https://github.com/juliocc)) - [[#1503](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1503)] Move IAM grant to function level for trigger SA ([wiktorn](https://github.com/wiktorn)) -- [[#1479](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1479)] Update ncc-spoke-ra module to explicity request ncc hub id when referencing existing hubs ([simonebruzzechesse](https://github.com/simonebruzzechesse)) +- [[#1479](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1479)] Update ncc-spoke-ra module to explicitly request ncc hub id when referencing existing hubs ([simonebruzzechesse](https://github.com/simonebruzzechesse)) - [[#1499](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1499)] Add support for custom description in net-address ([simonebruzzechesse](https://github.com/simonebruzzechesse)) - [[#1497](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1497)] **incompatible change:** Implement proper support for data access logs in resource manager modules ([ludoo](https://github.com/ludoo)) diff --git a/blueprints/apigee/hybrid-gke/ansible/roles/apigee-hybrid/tasks/main.yaml b/blueprints/apigee/hybrid-gke/ansible/roles/apigee-hybrid/tasks/main.yaml index 0907846fd4..e0be85d30a 100644 --- a/blueprints/apigee/hybrid-gke/ansible/roles/apigee-hybrid/tasks/main.yaml +++ b/blueprints/apigee/hybrid-gke/ansible/roles/apigee-hybrid/tasks/main.yaml 
@@ -105,23 +105,23 @@ - name: Create certificate and private key shell: > - openssl req \ + openssl req \ -nodes \ -new \ -x509 \ -keyout ~/hybrid-files/certs/server.key \ -out ~/hybrid-files/certs/server.crt \ - -subj "/CN=apigee.com' \ + -subj "/CN=apigee.com' \ -addext "subjectAltName={{ hostnames | map('regex_replace', '^', 'DNS:') | join(',') }}"" -days 3650 -- name: Read certificate - slurp: +- name: Read certificate + slurp: src: ~/hybrid-files/certs/server.crt register: certificate_output -- name: Read private ket - slurp: +- name: Read private key + slurp: src: ~/hybrid-files/certs/server.key register: privatekey_output @@ -232,10 +232,10 @@ type: Ready status: True -- name: +- name: kubernetes.core.k8s: - state: present - definition: + state: present + definition: apiVersion: apigee.cloud.google.com/v1alpha1 kind: ApigeeRoute metadata: @@ -252,12 +252,12 @@ mode: SIMPLE selector: app: apigee-ingressgateway - enableNonSniClient: true + enableNonSniClient: true - name: Create google-managed certificate kubernetes.core.k8s: - state: present - definition: + state: present + definition: apiVersion: networking.gke.io/v1 kind: ManagedCertificate metadata: @@ -265,11 +265,11 @@ namespace: apigee spec: domains: "{{ hostnames }}" - + - name: Create backend config kubernetes.core.k8s: - state: present - definition: + state: present + definition: apiVersion: cloud.google.com/v1 kind: BackendConfig metadata: @@ -330,4 +330,4 @@ service: name: apigee-ingressgateway-hybrid port: - number: 443 \ No newline at end of file + number: 443 diff --git a/blueprints/cloud-operations/network-quota-monitoring/src/plugins/series-firewall-rules.py b/blueprints/cloud-operations/network-quota-monitoring/src/plugins/series-firewall-rules.py index b909520ac0..02cd26d685 100644 --- a/blueprints/cloud-operations/network-quota-monitoring/src/plugins/series-firewall-rules.py +++ b/blueprints/cloud-operations/network-quota-monitoring/src/plugins/series-firewall-rules.py 
@@ -33,7 +33,7 @@ def timeseries(resources): # return a single descriptor for network as we don't have limits yield MetricDescriptor(f'network/firewall_rules_used', 'Firewall rules used per network', ('project', 'name')) - # return used/vailable/ratio descriptors for project + # return used/available/ratio descriptors for project for dtype, name in DESCRIPTOR_ATTRS.items(): yield MetricDescriptor(f'project/{dtype}', name, ('project',), dtype.endswith('ratio')) diff --git a/blueprints/data-solutions/bq-ml/demo/README.md b/blueprints/data-solutions/bq-ml/demo/README.md index f59d55fdfb..3a2ec499ed 100644 --- a/blueprints/data-solutions/bq-ml/demo/README.md +++ b/blueprints/data-solutions/bq-ml/demo/README.md @@ -27,7 +27,7 @@ In this tutorial we will make use of the following main components: - standard: to create a view which contains the model features and the target variable - ML: to train, evaluate and make batch predictions - Vertex AI: - - Pipeline: to define a configurable and re-usable set of steps to train and evaluate a BQML model + - Pipeline: to define a configurable and reusable set of steps to train and evaluate a BQML model - Experiment: to keep track of all the trainings done via the Pipeline - Model Registry: to keep track of the trained versions of a specific model - Endpoint: to serve the model via API @@ -37,4 +37,4 @@ In this tutorial we will make use of the following main components: 1. Access the Vertex AI Workbench 2. clone this repository -2. run the [`bmql_pipeline.ipynb`](bmql_pipeline.ipynb) Jupyter Notebook \ No newline at end of file +2. run the [`bmql_pipeline.ipynb`](bmql_pipeline.ipynb) Jupyter Notebook diff --git a/blueprints/data-solutions/bq-ml/demo/bmql_pipeline.ipynb b/blueprints/data-solutions/bq-ml/demo/bmql_pipeline.ipynb index 1acfe267f2..7683f7e647 100644 --- a/blueprints/data-solutions/bq-ml/demo/bmql_pipeline.ipynb +++ b/blueprints/data-solutions/bq-ml/demo/bmql_pipeline.ipynb 
@@ -435,7 +435,7 @@ "# Conclusions\n", "\n", "Thanks to this tutorial we were able to:\n", - "- Define a re-usable Vertex AI pipeline to train and evaluate BQ ML models\n", + "- Define a reusable Vertex AI pipeline to train and evaluate BQ ML models\n", "- Use a Vertex AI Experiment to keep track of multiple trainings for the same model with different parameters (in this case a different split for train/test data)\n", "- Deploy the preferred model on a Vertex AI managed Endpoint in order to serve the model for real-time use cases via API\n", "- Make batch prediction via Big Query and see what are the top 5 features which influenced the algorithm output" diff --git a/blueprints/data-solutions/sqlserver-alwayson/scripts/windows-startup-witness.ps1 b/blueprints/data-solutions/sqlserver-alwayson/scripts/windows-startup-witness.ps1 index b318216d63..4a8c334bd4 100644 --- a/blueprints/data-solutions/sqlserver-alwayson/scripts/windows-startup-witness.ps1 +++ b/blueprints/data-solutions/sqlserver-alwayson/scripts/windows-startup-witness.ps1 @@ -22,11 +22,11 @@ $BackupPath = "C:\Backup" if (-not(Test-Path -Path $InitialSetup -PathType Leaf)) { Write-Output "Performing initial setup for witness" - + All-Instances-Ready if (-not(Test-Path -Path $WitnessPath -PathType Container)) { - Write-Log "Creatin witness directory $WitnessPath and share..." + Write-Log "Creating witness directory $WitnessPath and share..." New-Item $WitnessPath -type directory New-SmbShare -Name QWitness -Path $WitnessPath -Description "SQL File Share Quorum Witness" -FullAccess ${node_netbios_1}$,${node_netbios_2}$ Start-Sleep -s 10 @@ -40,7 +40,7 @@ if (-not(Test-Path -Path $InitialSetup -PathType Leaf)) { } icacls $WitnessPath /t /grant '${node_netbios_1}$:(OI)(CI)(M)' - icacls $WitnessPath /t /grant '${node_netbios_2}$:(OI)(CI)(M)' + icacls $WitnessPath /t /grant '${node_netbios_2}$:(OI)(CI)(M)' Cluster-In-Domain 
@@ -51,4 +51,4 @@ if (-not(Test-Path -Path $InitialSetup -PathType Leaf)) { New-Item "$WitnessPath\SetupDone.txt" New-Item $InitialSetup -} \ No newline at end of file +} diff --git a/blueprints/gke/patterns/autopilot-cluster/README.md b/blueprints/gke/patterns/autopilot-cluster/README.md index 25006ea41f..6edce7391e 100644 --- a/blueprints/gke/patterns/autopilot-cluster/README.md +++ b/blueprints/gke/patterns/autopilot-cluster/README.md @@ -59,7 +59,7 @@ This blueprint by default deploys an Autopilot cluster with private nodes and pr - Use namespaces to restrict access to cluster resources: this blueprint deploys the underlying infrastructure, namespace handling is left to applications. ### Networking -- Create a custom mode VPC: this blueprint can optinally deploy a new custom VPC with a single subnet. Otherwise, an existing VPC and subnet can be used. +- Create a custom mode VPC: this blueprint can optionally deploy a new custom VPC with a single subnet. Otherwise, an existing VPC and subnet can be used. - Create a proxy-only subnet: the `vpc_create` variable allows the creation of proxy only subnet, if needed. - Configure Shared VPC: by default a new VPC is created within the project, but a Shared VPC can be used when the blueprint handles project creation. - Connect the cluster's VPC network to an on-premises network: skipped, out of scope for this blueprint diff --git a/blueprints/networking/ha-vpn-over-interconnect/README.md b/blueprints/networking/ha-vpn-over-interconnect/README.md index 6eb4d779fe..d428a253cf 100644 --- a/blueprints/networking/ha-vpn-over-interconnect/README.md +++ b/blueprints/networking/ha-vpn-over-interconnect/README.md 
@@ -4,7 +4,7 @@ This blueprint creates a complete HA VPN over Interconnect setup, which leverage This blueprint supports Dedicated Interconnect and Partner Interconnect. -In case of Partner Interconnect only partial apply is possible at first, which creates the VLAN Attachments. Only once the partner connection is established it is possible to deploy HA VPN Gateway and all dependant resources. +In case of Partner Interconnect only partial apply is possible at first, which creates the VLAN Attachments. Only once the partner connection is established it is possible to deploy HA VPN Gateway and all dependent resources. ## Managed resources and services diff --git a/blueprints/networking/hub-and-spoke-peering/README.md b/blueprints/networking/hub-and-spoke-peering/README.md index d4c0087dcf..5923a85ef6 100644 --- a/blueprints/networking/hub-and-spoke-peering/README.md +++ b/blueprints/networking/hub-and-spoke-peering/README.md @@ -1,5 +1,5 @@ # Hub and spoke via peering VPC architecture -This blueprint was deprecated in the v30.0.0 release, as it's been supersed by the [FAST networking stage](../../../fast/stages/2-networking-a-simple/) that deploys a hub and spoke network via peering (or optionally via VPN), which is regularly updated and can also be deployed as a standalone blueprint. +This blueprint was deprecated in the v30.0.0 release, as it's been superseded by the [FAST networking stage](../../../fast/stages/2-networking-a-simple/) that deploys a hub and spoke network via peering (or optionally via VPN), which is regularly updated and can also be deployed as a standalone blueprint. If you still need to access the legacy blueprint, you can check it out using our [v29.0.0 tag](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/v29.0.0/blueprints/networking/hub-and-spoke-peering). diff --git a/blueprints/networking/hub-and-spoke-vpn/README.md b/blueprints/networking/hub-and-spoke-vpn/README.md index 0179f6242d..eaa015d61c 100644 
--- a/blueprints/networking/hub-and-spoke-vpn/README.md +++ b/blueprints/networking/hub-and-spoke-vpn/README.md @@ -1,5 +1,5 @@ # Hub and spoke via VPN VPC architecture -This blueprint was deprecated in the v30.0.0 release, as it's been supersed by the [FAST networking stage](../../../fast/stages/2-networking-a-simple/) that deploys a hub and spoke network via VPN (or optionally via peering), which is regularly updated and can also be deployed as a standalone blueprint. +This blueprint was deprecated in the v30.0.0 release, as it's been superseded by the [FAST networking stage](../../../fast/stages/2-networking-a-simple/) that deploys a hub and spoke network via VPN (or optionally via peering), which is regularly updated and can also be deployed as a standalone blueprint. If you still need to access the legacy blueprint, you can check it out using our [v29.0.0 tag](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/v29.0.0/blueprints/networking/hub-and-spoke-vpn). diff --git a/fast/plugins/2-networking-serverless-connector/README.md b/fast/plugins/2-networking-serverless-connector/README.md index 2a6ad8d5bb..b955d138c5 100644 --- a/fast/plugins/2-networking-serverless-connector/README.md +++ b/fast/plugins/2-networking-serverless-connector/README.md @@ -10,7 +10,7 @@ This plugin does not manage The plugin only requires a specific configuration if the defaults it uses need to be changed: - the connector-specific subnets default to the `10.255.255.0` range -- the machine type, number of instances and thoughput use the API defaults +- the machine type, number of instances and throughput use the API defaults To enable the plugin, simply copy or link its files in the networking stage. diff --git a/fast/stages/0-bootstrap/identity-providers.tf b/fast/stages/0-bootstrap/identity-providers.tf index e62ab657c0..d2c15287e3 100644 --- a/fast/stages/0-bootstrap/identity-providers.tf +++ b/fast/stages/0-bootstrap/identity-providers.tf 
@@ -73,7 +73,7 @@ resource "google_iam_workload_identity_pool_provider" "default" { oidc { # Setting an empty list configures allowed_audiences to the url of the provider allowed_audiences = each.value.custom_settings.audiences - # If users don't provide an issuer_uri, we set the public one for the platform choosed. + # If users don't provide an issuer_uri, we set the public one for the platform chosen. issuer_uri = ( each.value.custom_settings.issuer_uri != null ? each.value.custom_settings.issuer_uri diff --git a/fast/stages/1-tenant-factory/tenant-fast-identity-providers.tf b/fast/stages/1-tenant-factory/tenant-fast-identity-providers.tf index f6aea0f725..a2b1128d15 100644 --- a/fast/stages/1-tenant-factory/tenant-fast-identity-providers.tf +++ b/fast/stages/1-tenant-factory/tenant-fast-identity-providers.tf @@ -63,7 +63,7 @@ resource "google_iam_workload_identity_pool_provider" "default" { oidc { # Setting an empty list configures allowed_audiences to the url of the provider allowed_audiences = each.value.custom_settings.audiences - # If users don't provide an issuer_uri, we set the public one for the platform choosed. + # If users don't provide an issuer_uri, we set the public one for the platform chosen. issuer_uri = ( each.value.custom_settings.issuer_uri != null ? each.value.custom_settings.issuer_uri diff --git a/fast/stages/1-vpcsc/README.md b/fast/stages/1-vpcsc/README.md index df8cea6976..24e64628d5 100644 --- a/fast/stages/1-vpcsc/README.md +++ b/fast/stages/1-vpcsc/README.md 
@@ -33,9 +33,9 @@ The approach to VPC-SC design implemented in this stage aims at providing the si This stage uses a single VPC-SC perimeter by default, which is enough to provide protection against data exfiltration and use of credentials from outside of established boundaries, while minimizing operational toil. -The perimeter is set to dry-run mode by default, but the suggestion is to switch to enforced mode immediately after definining the initial set of access level and ingress/egress policies. This prevents the common situation where a complex design is deployed in dry-run mode, and then never enforced as the burden of addressing all violations is too high. A simpler design like the one presented here that employs very coarse access levels can be enforced quickly, and then refined iteratively as operations are streamlined and familiarity with VPC-SC quirks increases. +The perimeter is set to dry-run mode by default, but the suggestion is to switch to enforced mode immediately after defining the initial set of access level and ingress/egress policies. This prevents the common situation where a complex design is deployed in dry-run mode, and then never enforced as the burden of addressing all violations is too high. A simpler design like the one presented here that employs very coarse access levels can be enforced quickly, and then refined iteratively as operations are streamlined and familiarity with VPC-SC quirks increases. -The stage is designed to allow definining additional perimeters via the `perimeters` variable, with a few caveats: +The stage is designed to allow defining additional perimeters via the `perimeters` variable, with a few caveats: - there's no support for perimeter bridges, if those are needed they need to be integrated via code (which is easy enough to do anyway) - resource discovery is only supported for the default perimeter, using the `default` key in the `perimeters` variable (again, that is reasonably easy to change via code if needed) 
diff --git a/fast/stages/2-networking-b-nva/README.md b/fast/stages/2-networking-b-nva/README.md index a3d244a866..24f3e29aea 100644 --- a/fast/stages/2-networking-b-nva/README.md +++ b/fast/stages/2-networking-b-nva/README.md @@ -10,7 +10,7 @@ It adopts the common “hub and spoke” reference design, which is well suited - the "dmz" or "untrusted" VPC centralizes the external connectivity towards untrusted network resources, such as Internet (inbound and outbound) or 3P service providers or parties connected through VPN or Interconnect. - the "spoke" VPCs allow partitioning workloads (e.g. by environment like in this setup), while still retaining controlled access to central connectivity and services - Shared VPCs -both in hub and spokes- split the management of the network resources into specific (host) projects, while still allowing them to be consumed from the workload (service) projects -- if Regional VPC network mode is selected two additional regional trusted hub VPCs are deployed to provide connectivity to GCP services (eg. GCVE) that don't support multi-regional routing. +- if Regional VPC network mode is selected two additional regional trusted hub VPCs are deployed to provide connectivity to GCP services (eg. GCVE) that don't support multi-regional routing. - the design facilitates DNS centralization Connectivity between the hub and the spokes is established via [VPC network peerings](https://cloud.google.com/vpc/docs/vpc-peering), which offer uncapped bandwidth, lower latencies, at no additional costs and with a very low management overhead. Different ways of implementing connectivity, and related some pros and cons, are discussed below. 
@@ -82,7 +82,7 @@ The final number of subnets, and their IP addressing will depend on the user-spe ## Design overview and choices ### Deployment models -This stage support three different deployment models that can be controlled by `var.network_mode`. The stage deploys networking resources in two different regions and supports both regional and multi-regional VPCs. Depending on the selected deployment model different routing strategies and NVAs failover modes can be implemented. +This stage support three different deployment models that can be controlled by `var.network_mode`. The stage deploys networking resources in two different regions and supports both regional and multi-regional VPCs. Depending on the selected deployment model different routing strategies and NVAs failover modes can be implemented. - **Simple NVA**: This network mode deploys multi-regional VPCs, the network appliances are configured behind a "ILB Sandwitch" (two different network passthrough internal load balancers on each of `dmz` and `landing` VPCs), with static routes sending traffic for specific destinations to specific network appliances group through the load balancer. - **NCC-RA**: This network mode deploys multi-regional VPCs as the simple mode but provides a different routing strategy. The network appliances establish BGP sessions with a Cloud Router on both `dmz` and `landing` VPCs, which comes with the following benefits, at the cost of additional initial setup complexity: 
@@ -113,7 +113,7 @@ The landing network area acts as a hub: the multi-region landing VPC bridges int Each virtual network is a [shared VPC](https://cloud.google.com/vpc/docs/shared-vpc): shared VPCs are managed in dedicated *host projects* and shared with other *service projects* that consume the network resources. Shared VPC lets organization administrators delegate administrative responsibilities, such as creating and managing instances, to Service Project Admins while maintaining centralized control over network resources like subnets, routes, and firewalls. -When the **regional network mode** is selected, the stage deploys two additional landing VPCs each one with a regional scope. If required the regional VPCs can be exteded as shared VPC and cosumed by other service (spoke) projects. +When the **regional network mode** is selected, the stage deploys two additional landing VPCs each one with a regional scope. If required the regional VPCs can be extended as shared VPC and consumed by other service (spoke) projects. Users can easily extend the design to host additional environments, or adopt different logical mappings for the spokes (for example, in order to create a new spoke for each company entity). Adding spokes is trivial and it does not increase the design complexity. The steps to add more spokes are provided in the following sections. In multi-organization scenarios, where production and non-production resources use different Cloud Identity and GCP organizations, the hub/landing VPC is usually part of the production organization. It establishes connections with the production spokes within the same organization, and with non-production spokes in a different organization. diff --git a/fast/stages/2-networking-b-nva/net-prod.tf b/fast/stages/2-networking-b-nva/net-prod.tf index 2c2d344af2..a97ffa0662 100644 --- a/fast/stages/2-networking-b-nva/net-prod.tf +++ b/fast/stages/2-networking-b-nva/net-prod.tf 
@@ -24,7 +24,7 @@ locals { primary = (var.network_mode == "regional_vpc" ? module.ilb-regional-nva-landing["primary"].forwarding_rule_addresses[""] : null) secondary = (var.network_mode == "regional_vpc" ? module.ilb-regional-nva-landing["secondary"].forwarding_rule_addresses[""] : null) } - # On the basis of the network modes slects the NVA internal load balacer as next hop for spoke VPC routing + # On the basis of the network modes selects the NVA internal load balancer as next hop for spoke VPC routing nva_load_balancers = (var.network_mode == "ncc_ra") ? null : { primary = (var.network_mode == "simple" ? local._simple_nva_lb.primary : local._regional_nva_lb.primary) secondary = (var.network_mode == "simple" ? local._simple_nva_lb.secondary : local._regional_nva_lb.secondary) diff --git a/fast/stages/2-project-factory/README.md b/fast/stages/2-project-factory/README.md index f1ab1d6e80..3942d58ee1 100644 --- a/fast/stages/2-project-factory/README.md +++ b/fast/stages/2-project-factory/README.md @@ -149,7 +149,7 @@ The YAML data files are self-explanatory and the included [schema files](./schem The project factory manages its folder hierarchy via a filesystem tree, rooted in the path defined via the `factories_config.hierarchy_data` variable. -Filesystem folders which contain a `_config.yaml` file are mapped to folders in the resource management hierarchy. Their YAML configuration files allow definining folder attributes like descriptive name, IAM bindings, organization policies, tag bindings. +Filesystem folders which contain a `_config.yaml` file are mapped to folders in the resource management hierarchy. Their YAML configuration files allow defining folder attributes like descriptive name, IAM bindings, organization policies, tag bindings. This is the simple filesystem hierarchy provided here as an example. diff --git a/fast/stages/3-data-platform/dev/README.md b/fast/stages/3-data-platform/dev/README.md index 0227364f77..419b020ca7 100644 
--- a/fast/stages/3-data-platform/dev/README.md +++ b/fast/stages/3-data-platform/dev/README.md @@ -46,7 +46,7 @@ A Shared VPC is used here, either from one of the FAST networking stages (e.g. [ ### Encryption -Cloud KMS crypto keys can be configured wither from the [FAST security stage](../../2-security) or from an external source. This step is optional and depends on customer policies and security best practices. +Cloud KMS crypto keys can be configured either from the [FAST security stage](../../2-security) or from an external source. This step is optional and depends on customer policies and security best practices. To configure the use of Cloud KMS on resources, you have to specify the key id on the `service_encryption_keys` variable. Key locations should match resource locations. diff --git a/modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/ipsec-vti.sh b/modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/ipsec-vti.sh index 27d2d4d150..a3779abfa2 100644 --- a/modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/ipsec-vti.sh +++ b/modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/ipsec-vti.sh @@ -45,10 +45,10 @@ case "${PLUTO_VERB}" in # Disable IPSEC Policy sudo /sbin/sysctl -w net.ipv4.conf.${VTI_IF}.disable_policy=1 - # Enable loosy source validation, if possible. Otherwise disable validation. + # Enable loose source validation, if possible. Otherwise disable validation. sudo /sbin/sysctl -w net.ipv4.conf.${VTI_IF}.rp_filter=2 || sysctl -w net.ipv4.conf.${VTI_IF}.rp_filter=0 - # If you would like to use VTI for policy-based you should take care of routing by yourselv, e.x. + # If you would like to use VTI for policy-based you should take care of routing by yourself,, e.x. if [[ "${PLUTO_PEER_CLIENT}" != "0.0.0.0/0" ]]; then ${IP} r add "${PLUTO_PEER_CLIENT}" dev "${VTI_IF}" fi 
diff --git a/modules/net-lb-app-int-cross-region/main.tf b/modules/net-lb-app-int-cross-region/main.tf index 52a7db8678..e3b3b50361 100644 --- a/modules/net-lb-app-int-cross-region/main.tf +++ b/modules/net-lb-app-int-cross-region/main.tf @@ -69,7 +69,7 @@ resource "google_compute_global_forwarding_rule" "forwarding_rules" { subnetwork = var.vpc_config.subnetworks[each.key] labels = var.labels target = local.fwd_rule_target - # during the preview phase you cannot change ths attribute on an existing rule + # during the preview phase you cannot change this attribute on an existing rule dynamic "service_directory_registrations" { for_each = var.service_directory_registration == null ? [] : [""] content { diff --git a/modules/net-lb-proxy-int/main.tf b/modules/net-lb-proxy-int/main.tf index 0e7e3a7030..1fdfd0f07b 100644 --- a/modules/net-lb-proxy-int/main.tf +++ b/modules/net-lb-proxy-int/main.tf @@ -169,7 +169,7 @@ resource "google_compute_region_network_endpoint" "internet" { port = each.value.port } -# PSC Procuder Service attachments +# PSC Producer Service attachments resource "google_compute_service_attachment" "default" { count = var.service_attachment == null ? 0 : 1 project = var.project_id diff --git a/modules/project-factory/README.md b/modules/project-factory/README.md index 478dc984bf..34490c1514 100644 --- a/modules/project-factory/README.md +++ b/modules/project-factory/README.md @@ -224,7 +224,7 @@ module "project-factory" { "stackdriver.googleapis.com" ] } - # always use this contaxt and prefix, regardless of what is in the yaml file + # always use this contacts and prefix, regardless of what is in the yaml file data_overrides = { contacts = { "admin@example.org" = ["ALL"] diff --git a/modules/project/README.md b/modules/project/README.md index 04aa70bf2d..db276e9564 100644 --- a/modules/project/README.md +++ b/modules/project/README.md 
@@ -184,7 +184,7 @@ You can control these actions by adjusting the settings in the `var.service_agen The `service_agents` output provides a convenient way to access information about all active service agents in the project. Note that this output only includes details for service agents that are currently active (i.e. their API is listed in `var.services`) within your project. > [!IMPORTANT] -> You can only access a service agent's details through the `service_agents` output if it's corresponding API is enabled throught the `services` variable. +> You can only access a service agent's details through the `service_agents` output if it's corresponding API is enabled through the `services` variable. The complete list of Google Cloud service agents, including their names, default roles, and associated APIs, is maintained in the [service-agents.yaml](./service-agents.yaml) file. This file is regularly updated to reflect the [official list of Google Cloud service agents](https://cloud.google.com/iam/docs/service-agents) using the [`build_service_agents`](../../tools/build_service_agents.py) script. diff --git a/modules/project/cmek.tf b/modules/project/cmek.tf index df9838a096..8bd44a56f5 100644 --- a/modules/project/cmek.tf +++ b/modules/project/cmek.tf @@ -55,7 +55,7 @@ locals { # use the deps listed above, if the service does not appear # there, use all the service agents belonging to the service for dep in try(local._cmek_agents_by_service[service], [for x in local._service_agents_by_api[service] : x.name]) : { - # use index in map key, to allow specyfing keys, that will be created in the same apply + # use index in map key, to allow specifying keys, that will be created in the same apply for index, key in keys : "key-${index}.${local._aliased_service_agents[dep].name}" => { key = key
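Review bot: In the `ipsec-vti.sh` hunk, the corrected comment now reads `yourself,, e.x.`, which introduces a double comma while keeping the `e.x.` typo; since this is a typo-fix commit, the line should end `... routing by yourself, e.g.`. While touching this block, note that the `rp_filter` fallback on the next context line (`... rp_filter=2 || sysctl -w ... rp_filter=0`) runs the fallback without `sudo`, so if the first `sysctl` fails for a permission reason the fallback fails the same way; worth a follow-up since loose (2) or disabled (0) reverse-path filtering weakens anti-spoofing on the VTI interface and the script should at least reach the state the comment promises.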
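Review bot: In the `modules/project-factory/README.md` hunk, replacing `contaxt` with `contacts` leaves the comment ungrammatical (`always use this contacts and prefix`); it should read `always use these contacts and prefix` to match the `contacts` map in the `data_overrides` block below it.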
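Review bot: In the `modules/project/README.md` hunk, the `[!IMPORTANT]` callout still says `if it's corresponding API`; the possessive is `its`, so the line should read `... if its corresponding API is enabled through the `services` variable.` since the commit is already correcting that sentence.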
