
Move everything to a new stage
Luca Prete committed Apr 4, 2023
1 parent 5d283c9 commit e8852cb
Showing 54 changed files with 3,179 additions and 287 deletions.
81 changes: 27 additions & 54 deletions fast/stages/2-networking-c-nva/README.md


12 changes: 0 additions & 12 deletions fast/stages/2-networking-c-nva/data/cidrs.yaml
Expand Up @@ -6,18 +6,6 @@ healthchecks:
- 209.85.152.0/22
- 209.85.204.0/22

ncc_cloud_routers_trusted:
- 10.128.64.201/32
- 10.128.64.202/32
- 10.128.96.201/32
- 10.128.96.202/32

ncc_cloud_routers_untrusted:
- 10.128.0.201/32
- 10.128.0.202/32
- 10.128.32.201/32
- 10.128.32.202/32

rfc1918:
- 10.0.0.0/8
- 172.16.0.0/12
Expand Up @@ -17,15 +17,3 @@ ingress:
- protocol: tcp
ports:
- 12345
# This is not really needed, but it's good to have it
# in place if the more generic hierarchical firewall policies
# get deleted
allow-ncc-nva-bgp-trusted:
description: "Allow BGP traffic from NCC Cloud Routers to NVAs"
source_ranges:
- ncc_cloud_routers_trusted
targets: ["nva"]
rules:
- protocol: tcp
ports:
- 179
Expand Up @@ -9,23 +9,3 @@ ingress:
- protocol: tcp
ports:
- 22
# these are not really needed, but it's good to have them
# in place if the more generic hierarchical firewall policies
# get deleted
allow-ncc-nva-bgp-untrusted:
description: "Allow BGP traffic from NCC Cloud Routers to NVAs"
source_ranges:
- ncc_cloud_routers_untrusted
targets: ["nva"]
rules:
- protocol: tcp
ports:
- 179
allow-nva-nva-bgp-untrusted:
description: "Allow BGP traffic from cross-regional NVAs"
sources: ["nva"]
targets: ["nva"]
rules:
- protocol: tcp
ports:
- 179
Binary file modified fast/stages/2-networking-c-nva/diagram.png
2 changes: 1 addition & 1 deletion fast/stages/2-networking-c-nva/diagram.svg
1 change: 0 additions & 1 deletion fast/stages/2-networking-c-nva/landing.tf
Expand Up @@ -26,7 +26,6 @@ module "landing-project" {
"compute.googleapis.com",
"dns.googleapis.com",
"iap.googleapis.com",
"networkconnectivity.googleapis.com",
"networkmanagement.googleapis.com",
"stackdriver.googleapis.com"
]
244 changes: 118 additions & 126 deletions fast/stages/2-networking-c-nva/nva.tf
@@ -1,5 +1,5 @@
/**
* Copyright 2023 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand All @@ -15,173 +15,165 @@
*/

locals {
_nva_zones = ["b", "c"]

# The configurations used to create the NVA VMs.
#
# Rendered as following:
# nva_configs = {
# primary-b = {...}
# primary-c = {...}
# secondary-b = {...}
# secondary-c = {...}
# }
nva_configs = {
for v in setproduct(keys(var.regions), local._nva_zones) :
join("-", v) => {
# Each NVA announces its trusted regional subnets
announce-to-nva = upper(v.0)
# NVAs in each region have their own ASN
# and peer with cross-regional NVAs.
asn_nva = (
v.0 == "primary"
? var.ncc_asn.nva_primary
: var.ncc_asn.nva_secondary
)
asn_nva_cross_region = (
v.0 == "primary"
? var.ncc_asn.nva_secondary
: var.ncc_asn.nva_primary
)
asn_trusted = var.ncc_asn.trusted
asn_untrusted = var.ncc_asn.untrusted
# To guarantee traffic to remain symmetric,
# NVAs need to advertise cross-region routes with a higher cost (10100)
cost_primary = v.0 == "primary" ? "100" : "10100"
cost_secondary = v.0 == "primary" ? "10100" : "100"
gcp_dev_primary = var.gcp_ranges.gcp_dev_primary
gcp_dev_secondary = var.gcp_ranges.gcp_dev_secondary
gcp_landing_trusted_primary = var.gcp_ranges.gcp_landing_trusted_primary
gcp_landing_trusted_secondary = var.gcp_ranges.gcp_landing_trusted_secondary
gcp_landing_untrusted_primary = var.gcp_ranges.gcp_landing_untrusted_primary
gcp_landing_untrusted_secondary = var.gcp_ranges.gcp_landing_untrusted_secondary
gcp_prod_primary = var.gcp_ranges.gcp_prod_primary
gcp_prod_secondary = var.gcp_ranges.gcp_prod_secondary
# The IPs of cross-region NVA VMs in the untrusted VPC (x.y.w.z)
ip_neighbor_cross_region_nva_0 = cidrhost(module.landing-untrusted-vpc.subnet_ips["${local._regions_cross[v.0]}/landing-untrusted-default-${local.region_shortnames[local._regions_cross[v.0]]}"], 101)
ip_neighbor_cross_region_nva_1 = cidrhost(module.landing-untrusted-vpc.subnet_ips["${local._regions_cross[v.0]}/landing-untrusted-default-${local.region_shortnames[local._regions_cross[v.0]]}"], 102)
# The Cloud router IPs (x.y.w.z) in the untrusted
# and in the trusted VPCs, where the NVA connects to
ip_neighbor_trusted_0 = cidrhost(module.landing-trusted-vpc.subnet_ips["${var.regions[v.0]}/landing-trusted-default-${local.region_shortnames[var.regions[v.0]]}"], 201)
ip_neighbor_trusted_1 = cidrhost(module.landing-trusted-vpc.subnet_ips["${var.regions[v.0]}/landing-trusted-default-${local.region_shortnames[var.regions[v.0]]}"], 202)
ip_neighbor_untrusted_0 = cidrhost(module.landing-untrusted-vpc.subnet_ips["${var.regions[v.0]}/landing-untrusted-default-${local.region_shortnames[var.regions[v.0]]}"], 201)
ip_neighbor_untrusted_1 = cidrhost(module.landing-untrusted-vpc.subnet_ips["${var.regions[v.0]}/landing-untrusted-default-${local.region_shortnames[var.regions[v.0]]}"], 202)
# The IPs to assign to the NVA NICs
# in the trusted and in the untrusted VPCs.
ip_trusted = cidrhost(module.landing-trusted-vpc.subnet_ips["${var.regions[v.0]}/landing-trusted-default-${local.region_shortnames[var.regions[v.0]]}"], 101 + index(var.zones, v.1))
ip_untrusted = cidrhost(module.landing-untrusted-vpc.subnet_ips["${var.regions[v.0]}/landing-untrusted-default-${local.region_shortnames[var.regions[v.0]]}"], 101 + index(var.zones, v.1))
# Either primary or secondary
name = v.0
# The name of the region where the NVA lives.
# For example, europe-west1 or europe-west4
region = var.regions[v.0]
# the short name for the region. For example, ew1 or ew4
shortname = local.region_shortnames[var.regions[v.0]]
# The zone where the NVA lives. For example, b or c
zone = v.1
}
}

# The routing_config should be aligned to the NVA NICs.
# For example:
# local.routing_config[0] configures eth0;
# local.routing_config[0] configures eth1.
# routing_config should be aligned to the NVA network interfaces - i.e.
# local.routing_config[0] sets up the first interface, and so on.
routing_config = [
{
enable_masquerading = true
name = "untrusted"
enable_masquerading = true
routes = [
var.gcp_ranges.gcp_landing_untrusted_primary,
var.gcp_ranges.gcp_landing_untrusted_secondary
var.gcp_ranges.gcp_landing_untrusted_secondary,
]
},
{
name = "trusted"
routes = [
var.gcp_ranges.gcp_dev_primary,
var.gcp_ranges.gcp_dev_secondary,
var.gcp_ranges.gcp_landing_trusted_primary,
var.gcp_ranges.gcp_landing_trusted_secondary
var.gcp_ranges.gcp_landing_trusted_secondary,
var.gcp_ranges.gcp_prod_primary,
var.gcp_ranges.gcp_prod_secondary,
]
}
},
]
nva_locality = {
for v in setproduct(keys(var.regions), local.nva_zones) :
join("-", v) => {
name = v.0
region = var.regions[v.0]
shortname = local.region_shortnames[var.regions[v.0]]
zone = v.1
}
}
nva_zones = ["b", "c"]
}

module "nva-bgp-cloud-config" {
for_each = local.nva_configs
# NVA config
module "nva-cloud-config" {
source = "../../../modules/cloud-config-container/simple-nva"
enable_health_checks = true
network_interfaces = local.routing_config
frr_config = {
config_file = templatefile("data/bgp-config.tftpl", each.value)
daemons_enabled = ["bgpd"]
}
}

resource "google_compute_address" "nva_static_ip_trusted" {
for_each = local.nva_configs
name = "nva-ip-trusted-${each.value.shortname}-${each.value.zone}"
project = module.landing-project.project_id
subnetwork = module.landing-trusted-vpc.subnet_self_links["${each.value.region}/landing-trusted-default-${each.value.shortname}"]
address_type = "INTERNAL"
address = each.value.ip_trusted
region = each.value.region
}

resource "google_compute_address" "nva_static_ip_untrusted" {
for_each = local.nva_configs
name = "nva-ip-untrusted-${each.value.shortname}-${each.value.zone}"
project = module.landing-project.project_id
subnetwork = module.landing-untrusted-vpc.subnet_self_links["${each.value.region}/landing-untrusted-default-${each.value.shortname}"]
address_type = "INTERNAL"
address = each.value.ip_untrusted
region = each.value.region
}

module "nva" {
for_each = local.nva_configs
source = "../../../modules/compute-vm"
project_id = module.landing-project.project_id
name = "nva-${each.value.shortname}-${each.value.zone}"
instance_type = "e2-standard-2"
can_ip_forward = true
zone = "${each.value.region}-${each.value.zone}"
tags = ["nva"]

module "nva-template" {
for_each = local.nva_locality
source = "../../../modules/compute-vm"
project_id = module.landing-project.project_id
name = "nva-template-${each.key}"
zone = "${each.value.region}-${each.value.zone}"
instance_type = "e2-standard-2"
tags = ["nva"]
create_template = true
can_ip_forward = true
network_interfaces = [
{
network = module.landing-untrusted-vpc.self_link
subnetwork = module.landing-untrusted-vpc.subnet_self_links["${each.value.region}/landing-untrusted-default-${each.value.shortname}"]
nat = false
addresses = {
external = null
internal = google_compute_address.nva_static_ip_untrusted[each.key].address
}
addresses = null
},
{
network = module.landing-trusted-vpc.self_link
subnetwork = module.landing-trusted-vpc.subnet_self_links["${each.value.region}/landing-trusted-default-${each.value.shortname}"]
nat = false
addresses = {
external = null
internal = google_compute_address.nva_static_ip_trusted[each.key].address
}
addresses = null
}
]

boot_disk = {
initialize_params = {
image = "projects/cos-cloud/global/images/family/cos-stable"
size = 10
type = "pd-balanced"
}
}

options = {
allow_stopping_for_update = true
deletion_protection = false
spot = true
termination_action = "STOP"
}

metadata = {
user-data = module.nva-bgp-cloud-config[each.key].cloud_config
user-data = module.nva-cloud-config.cloud_config
}
}

module "nva-mig" {
for_each = local.nva_locality
source = "../../../modules/compute-mig"
project_id = module.landing-project.project_id
location = each.value.region
name = "nva-cos-${each.key}"
instance_template = module.nva-template[each.key].template.self_link
target_size = 1
auto_healing_policies = {
initial_delay_sec = 30
}
health_check_config = {
enable_logging = true
tcp = {
port = 22
}
}
}

module "ilb-nva-untrusted" {
for_each = {
for k, v in var.regions : k => {
region = v
shortname = local.region_shortnames[v]
subnet = "${v}/landing-untrusted-default-${local.region_shortnames[v]}"
}
}
source = "../../../modules/net-ilb"
project_id = module.landing-project.project_id
region = each.value.region
name = "nva-untrusted-${each.key}"
service_label = var.prefix
global_access = true
vpc_config = {
network = module.landing-untrusted-vpc.self_link
subnetwork = module.landing-untrusted-vpc.subnet_self_links[each.value.subnet]
}
backends = [
for k, v in module.nva-mig :
{ group = v.group_manager.instance_group }
if startswith(k, each.key)
]
health_check_config = {
enable_logging = true
tcp = {
port = 22
}
}
}

module "ilb-nva-trusted" {
for_each = {
for k, v in var.regions : k => {
region = v
shortname = local.region_shortnames[v]
subnet = "${v}/landing-trusted-default-${local.region_shortnames[v]}"
}
}
source = "../../../modules/net-ilb"
project_id = module.landing-project.project_id
region = each.value.region
name = "nva-trusted-${each.key}"
service_label = var.prefix
global_access = true
vpc_config = {
network = module.landing-trusted-vpc.self_link
subnetwork = module.landing-trusted-vpc.subnet_self_links[each.value.subnet]
}
backends = [
for k, v in module.nva-mig :
{ group = v.group_manager.instance_group }
if startswith(k, each.key)
]
health_check_config = {
enable_logging = true
tcp = {
port = 22
}
}
}
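Review bot: The MIG auto-healing policy and both ILB backends judge an NVA healthy from a TCP probe on port 22 (`tcp = { port = 22 }` in nva-mig, ilb-nva-untrusted and ilb-nva-trusted), so an instance stays in rotation as long as sshd accepts connections, even if forwarding or masquerading between the two interfaces is broken; with the ILBs presumably serving as the next hop for the trusted and untrusted routes, such an instance would blackhole traffic until replaced by hand. A probe on a port that only answers when the forwarding path is up would be a stronger signal; if port 22 is kept as a liveness proxy, the health checks should say so, e.g. `# tcp/22 only proves the guest is up, it does not validate forwarding between NICs`. `initial_delay_sec = 30` also leaves little margin for COS cloud-init to finish before auto-healing recycles a fresh instance, which is worth confirming against the observed boot time of the cos-stable image. The tcp/22 ingress rule visible earlier in this commit appears to be what lets the Google health-check ranges reach the port, so it must remain in place for these checks to pass.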
4 changes: 0 additions & 4 deletions fast/stages/2-networking-c-nva/regions.tf
Expand Up @@ -21,10 +21,6 @@ locals {
_region_cardinal = {
southeast = "se"
}
_regions_cross = {
primary = var.regions["secondary"]
secondary = var.regions["primary"]
}
# only map when the first character would not work
_region_geo = {
australia = "o"
