Small fixes to FAST Networking stage with NVAs (#1273)

* fix issue with test-resources and internet connectivity from spokes * terraform fmt * removed reference to startup-script in README.md
GoogleCloudPlatform · Mar 23, 2023 · c4c4688 · c4c4688
1 parent a4bc9c6
commit c4c4688
Show file tree

Hide file tree

Showing 4 changed files with 71 additions and 77 deletions.
diff --git a/fast/stages/2-networking-c-nva/README.md b/fast/stages/2-networking-c-nva/README.md
@@ -23,32 +23,41 @@ The final number of subnets, and their IP addressing will depend on the user-spe
 
 ## Table of contents
 
-- [Design overview and choices](#design-overview-and-choices)
-  - [Multi-regional deployment](#multi-regional-deployment)
-  - [VPC design](#vpc-design)
-  - [External connectivity](#external-connectivity)
-  - [Internal connectivity](#internal-connectivity)
-  - [IP ranges, subnetting, routing](#ip-ranges-subnetting-routing)
-  - [Internet egress](#internet-egress)
-  - [VPC and Hierarchical Firewall](#vpc-and-hierarchical-firewall)
-  - [DNS](#dns)
-- [Stage structure and files layout](#stage-structure-and-files-layout)
-  - [VPCs](#vpcs)
-  - [VPNs](#vpns)
-  - [Routing and BGP](#routing-and-bgp)
-  - [Firewall](#firewall)
-  - [DNS architecture](#dns-architecture)
-  - [Private Google Access](#private-google-access)
-- [How to run this stage](#how-to-run-this-stage)
-  - [Provider and Terraform variables](#provider-and-terraform-variables)
-  - [Impersonating the automation service account](#impersonating-the-automation-service-account)
-  - [Variable configuration](#variable-configuration)
-  - [Running the stage](#running-the-stage)
-  - [Post-deployment activities](#post-deployment-activities)
-- [Customizations](#customizations)
-  - [Changing default regions](#changing-default-regions)
-  - [Configuring the VPNs to on prem](#configuring-the-vpns-to-on-prem)
-  - [Adding an environment](#adding-an-environment)
+- [Networking with Network Virtual Appliance](#networking-with-network-virtual-appliance)
+  - [Table of contents](#table-of-contents)
+  - [Design overview and choices](#design-overview-and-choices)
+    - [Multi-regional deployment](#multi-regional-deployment)
+    - [VPC design](#vpc-design)
+    - [External connectivity](#external-connectivity)
+    - [Internal connectivity](#internal-connectivity)
+    - [IP ranges, subnetting, routing](#ip-ranges-subnetting-routing)
+    - [Internet egress](#internet-egress)
+    - [VPC and Hierarchical Firewall](#vpc-and-hierarchical-firewall)
+    - [DNS](#dns)
+  - [Stage structure and files layout](#stage-structure-and-files-layout)
+    - [VPCs](#vpcs)
+    - [VPNs](#vpns)
+    - [Routing and BGP](#routing-and-bgp)
+    - [Firewall](#firewall)
+    - [DNS architecture](#dns-architecture)
+      - [Cloud environment](#cloud-environment)
+      - [Cloud to on-prem](#cloud-to-on-prem)
+      - [On-prem to cloud](#on-prem-to-cloud)
+  - [How to run this stage](#how-to-run-this-stage)
+    - [Provider and Terraform variables](#provider-and-terraform-variables)
+    - [Impersonating the automation service account](#impersonating-the-automation-service-account)
+    - [Variable configuration](#variable-configuration)
+    - [Using delayed billing association for projects](#using-delayed-billing-association-for-projects)
+    - [Running the stage](#running-the-stage)
+    - [Post-deployment activities](#post-deployment-activities)
+      - [Private Google Access](#private-google-access)
+  - [Customizations](#customizations)
+    - [Changing default regions](#changing-default-regions)
+    - [Configuring the VPNs to on prem](#configuring-the-vpns-to-on-prem)
+    - [Adding an environment](#adding-an-environment)
+  - [Files](#files)
+  - [Variables](#variables)
+  - [Outputs](#outputs)
 
 ## Design overview and choices
 
@@ -446,8 +455,6 @@ The new VPC requires a set of dedicated CIDRs, one per region, added to variable
 >
 Variables managing L7 Internal Load Balancers (`l7ilb_subnets`) and Private Service Access (`psa_ranges`) should also be adapted, and subnets and firewall rules for the new spoke should be added, as described above.
 
-Configure the NVAs deployed or update the sample [NVA config file](data/nva-startup-script.tftpl) making sure they support the new subnets.
-
 DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS resolution to Landing through DNS peering, and optionally define a private zone (e.g. `dev.gcp.example.com`) which the landing peers to. To configure DNS for a new environment, copy one of the other environments DNS files [e.g. (dns-dev.tf)](dns-dev.tf) into a new `dns-*.tf` file suffixed with the environment name (e.g. `dns-staging.tf`), and update its content accordingly. Don't forget to add a peering zone from the landing to the newly created environment private zone.
 
 <!-- TFDOC OPTS files:1 show_extra:1 -->

diff --git a/fast/stages/2-networking-c-nva/data/nva-startup-script.tftpl b/fast/stages/2-networking-c-nva/data/nva-startup-script.tftpl
diff --git a/fast/stages/2-networking-c-nva/nva.tf b/fast/stages/2-networking-c-nva/nva.tf
@@ -19,7 +19,8 @@ locals {
   # local.routing_config[0] sets up the first interface, and so on.
   routing_config = [
     {
-      name = "untrusted"
+      name                = "untrusted"
+      enable_masquerading = true
       routes = [
         var.gcp_ranges.gcp_landing_untrusted_primary,
         var.gcp_ranges.gcp_landing_untrusted_secondary,

diff --git a/fast/stages/2-networking-c-nva/test-resources.tf b/fast/stages/2-networking-c-nva/test-resources.tf
@@ -22,15 +22,17 @@
 #   source     = "../../../modules/compute-vm"
 #   project_id = module.landing-project.project_id
 #   zone       = "${var.regions.primary}-b"
-#   name       = "test-vm-lnd-unt-primary-0"
+#   name       = "test-vm-lnd-unt-pri-0"
 #   network_interfaces = [{
 #     network    = module.landing-untrusted-vpc.self_link
 #     subnetwork = module.landing-untrusted-vpc.subnet_self_links["${var.regions.primary}/landing-untrusted-default-${local.region_shortnames[var.regions.primary]}"]
 #   }]
 #   tags                   = ["primary", "ssh"]
 #   service_account_create = true
 #   boot_disk = {
-#     image = "projects/debian-cloud/global/images/family/debian-10"
+#     initialize_params = {
+#         image = "projects/debian-cloud/global/images/family/debian-10"
+#     }
 #   }
 #   options = {
 #     spot               = true
@@ -48,15 +50,17 @@
 #   source     = "../../../modules/compute-vm"
 #   project_id = module.landing-project.project_id
 #   zone       = "${var.regions.secondary}-a"
-#   name       = "test-vm-lnd-unt-secondary-0"
+#   name       = "test-vm-lnd-unt-sec-0"
 #   network_interfaces = [{
 #     network    = module.landing-untrusted-vpc.self_link
 #     subnetwork = module.landing-untrusted-vpc.subnet_self_links["${var.regions.secondary}/landing-untrusted-default-${local.region_shortnames[var.regions.secondary]}"]
 #   }]
 #   tags                   = ["secondary", "ssh"]
 #   service_account_create = true
 #   boot_disk = {
-#     image = "projects/debian-cloud/global/images/family/debian-10"
+#     initialize_params = {
+#         image = "projects/debian-cloud/global/images/family/debian-10"
+#     }
 #   }
 #   options = {
 #     spot               = true
@@ -76,15 +80,17 @@
 #   source     = "../../../modules/compute-vm"
 #   project_id = module.landing-project.project_id
 #   zone       = "${var.regions.primary}-b"
-#   name       = "test-vm-lnd-tru-primary-0"
+#   name       = "test-vm-lnd-tru-pri-0"
 #   network_interfaces = [{
 #     network    = module.landing-trusted-vpc.self_link
 #     subnetwork = module.landing-trusted-vpc.subnet_self_links["${var.regions.primary}/landing-trusted-default-${local.region_shortnames[var.regions.primary]}"]
 #   }]
 #   tags                   = ["primary", "ssh"]
 #   service_account_create = true
 #   boot_disk = {
-#     image = "projects/debian-cloud/global/images/family/debian-10"
+#     initialize_params = {
+#         image = "projects/debian-cloud/global/images/family/debian-10"
+#     }
 #   }
 #   options = {
 #     spot               = true
@@ -102,15 +108,17 @@
 #   source     = "../../../modules/compute-vm"
 #   project_id = module.landing-project.project_id
 #   zone       = "${var.regions.secondary}-a"
-#   name       = "test-vm-lnd-tru-secondary-0"
+#   name       = "test-vm-lnd-tru-sec-0"
 #   network_interfaces = [{
 #     network    = module.landing-trusted-vpc.self_link
 #     subnetwork = module.landing-trusted-vpc.subnet_self_links["${var.regions.secondary}/landing-trusted-default-${local.region_shortnames[var.regions.secondary]}"]
 #   }]
 #   tags                   = ["secondary", "ssh"]
 #   service_account_create = true
 #   boot_disk = {
-#     image = "projects/debian-cloud/global/images/family/debian-10"
+#     initialize_params = {
+#         image = "projects/debian-cloud/global/images/family/debian-10"
+#     }
 #   }
 #   options = {
 #     spot               = true
@@ -130,7 +138,7 @@
 #   source     = "../../../modules/compute-vm"
 #   project_id = module.dev-spoke-project.project_id
 #   zone       = "${var.regions.primary}-b"
-#   name       = "test-vm-dev-primary-0"
+#   name       = "test-vm-dev-pri-0"
 #   network_interfaces = [{
 #     network = module.dev-spoke-vpc.self_link
 #     # change the subnet name to match the values you are actually using
@@ -139,7 +147,9 @@
 #   tags                   = ["primary", "ssh"]
 #   service_account_create = true
 #   boot_disk = {
-#     image = "projects/debian-cloud/global/images/family/debian-10"
+#     initialize_params = {
+#         image = "projects/debian-cloud/global/images/family/debian-10"
+#     }
 #   }
 #   options = {
 #     spot               = true
@@ -157,7 +167,7 @@
 #   source     = "../../../modules/compute-vm"
 #   project_id = module.dev-spoke-project.project_id
 #   zone       = "${var.regions.secondary}-a"
-#   name       = "test-vm-dev-secondary-0"
+#   name       = "test-vm-dev-sec-0"
 #   network_interfaces = [{
 #     network = module.dev-spoke-vpc.self_link
 #     # change the subnet name to match the values you are actually using
@@ -166,7 +176,9 @@
 #   tags                   = ["secondary", "ssh"]
 #   service_account_create = true
 #   boot_disk = {
-#     image = "projects/debian-cloud/global/images/family/debian-10"
+#     initialize_params = {
+#         image = "projects/debian-cloud/global/images/family/debian-10"
+#     }
 #   }
 #   options = {
 #     spot               = true
@@ -186,7 +198,7 @@
 #   source     = "../../../modules/compute-vm"
 #   project_id = module.prod-spoke-project.project_id
 #   zone       = "${var.regions.primary}-b"
-#   name       = "test-vm-prod-primary-0"
+#   name       = "test-vm-prod-pri-0"
 #   network_interfaces = [{
 #     network = module.prod-spoke-vpc.self_link
 #     # change the subnet name to match the values you are actually using
@@ -195,9 +207,11 @@
 #   tags                   = ["primary", "ssh"]
 #   service_account_create = true
 #   boot_disk = {
-#     image = "projects/debian-cloud/global/images/family/debian-10"
-#     type  = "pd-balanced"
-#     size  = 10
+#     initialize_params = {
+#         image = "projects/debian-cloud/global/images/family/debian-10"
+#         type  = "pd-balanced"
+#         size  = 10
+#     }
 #   }
 #   options = {
 #     spot               = true
@@ -215,7 +229,7 @@
 #   source     = "../../../modules/compute-vm"
 #   project_id = module.prod-spoke-project.project_id
 #   zone       = "${var.regions.secondary}-a"
-#   name       = "test-vm-prod-secondary-0"
+#   name       = "test-vm-prod-sec-0"
 #   network_interfaces = [{
 #     network = module.prod-spoke-vpc.self_link
 #     # change the subnet name to match the values you are actually using
@@ -224,7 +238,9 @@
 #   tags                   = ["secondary", "ssh"]
 #   service_account_create = true
 #   boot_disk = {
-#     image = "projects/debian-cloud/global/images/family/debian-10"
+#     initialize_params = {
+#         image = "projects/debian-cloud/global/images/family/debian-10"
+#     }
 #   }
 #   options = {
 #     spot               = true