diff --git a/blueprints/README.md b/blueprints/README.md index 75e2d21e5f..b9851bde99 100644 --- a/blueprints/README.md +++ b/blueprints/README.md 
@@ -9,7 +9,7 @@ Currently available blueprints: - **data solutions** - [GCE and GCS CMEK via centralized Cloud KMS](./data-solutions/cmek-via-centralized-kms), [Cloud Composer version 2 private instance, supporting Shared VPC and external CMEK key](./data-solutions/composer-2), [Cloud SQL instance with multi-region read replicas](./data-solutions/cloudsql-multiregion), [Data Platform](./data-solutions/data-platform-foundations), [Minimal Data Platform](./data-solutions/data-platform-minimal), [Spinning up a foundation data pipeline on Google Cloud using Cloud Storage, Dataflow and BigQuery](./data-solutions/gcs-to-bq-with-least-privileges), [#SQL Server Always On Groups blueprint](./data-solutions/sqlserver-alwayson), [Data Playground](./data-solutions/data-playground), [MLOps with Vertex AI](./data-solutions/vertex-mlops), [Shielded Folder](./data-solutions/shielded-folder), [BigQuery ML and Vertex AI Pipeline](./data-solutions/bq-ml) - **factories** - [The why and the how of Resource Factories](./factories), [Google Cloud Identity Group Factory](./factories/cloud-identity-group-factory), [Google Cloud BQ Factory](./factories/bigquery-factory), [Google Cloud VPC Firewall Factory](./factories/net-vpc-firewall-yaml), [Minimal Project Factory](./factories/project-factory) - **GKE** - [Binary Authorization Pipeline Blueprint](./gke/binauthz), [Storage API](./gke/binauthz/image), [Multi-cluster mesh on GKE (fleet API)](./gke/multi-cluster-mesh-gke-fleet-api), [GKE Multitenant Blueprint](./gke/multitenant-fleet), [Shared VPC with GKE support](./networking/shared-vpc-gke/), [GKE Autopilot](./gke/autopilot) -- **networking** - [Calling a private Cloud Function from On-premises](./networking/private-cloud-function-from-onprem), [Decentralized firewall management](./networking/decentralized-firewall), [Decentralized firewall validator](./networking/decentralized-firewall/validator), [Network filtering with Squid](./networking/filtering-proxy), [HA VPN over 
Interconnect](./networking/ha-vpn-over-interconnect/), [GLB and multi-regional daisy-chaining through hybrid NEGs](./networking/glb-hybrid-neg-internal), [Hybrid connectivity to on-premise services through PSC](./networking/psc-hybrid), [HTTP Load Balancer with Cloud Armor](./networking/glb-and-armor), [Hub and Spoke via VPN](./networking/hub-and-spoke-vpn), [Hub and Spoke via VPC Peering](./networking/hub-and-spoke-peering), [Internal Load Balancer as Next Hop](./networking/ilb-next-hop), [Network filtering with Squid with isolated VPCs using Private Service Connect](./networking/filtering-proxy-psc), On-prem DNS and Google Private Access, [PSC Producer](./networking/psc-hybrid/psc-producer), [PSC Consumer](./networking/psc-hybrid/psc-consumer), [Shared VPC with optional GKE cluster](./networking/shared-vpc-gke) +- **networking** - [Calling a private Cloud Function from On-premises](./networking/private-cloud-function-from-onprem), [Decentralized firewall management](./networking/decentralized-firewall), [Decentralized firewall validator](./networking/decentralized-firewall/validator), [HA VPN over Interconnect](./networking/ha-vpn-over-interconnect/), [GLB and multi-regional daisy-chaining through hybrid NEGs](./networking/glb-hybrid-neg-internal), [Hybrid connectivity to on-premise services through PSC](./networking/psc-hybrid), [HTTP Load Balancer with Cloud Armor](./networking/glb-and-armor), [Hub and Spoke via VPN](./networking/hub-and-spoke-vpn), [Hub and Spoke via VPC Peering](./networking/hub-and-spoke-peering), [Internal Load Balancer as Next Hop](./networking/ilb-next-hop), On-prem DNS and Google Private Access, [PSC Producer](./networking/psc-hybrid/psc-producer), [PSC Consumer](./networking/psc-hybrid/psc-consumer), [Shared VPC with optional GKE cluster](./networking/shared-vpc-gke) - **serverless** - [Cloud Run series](./serverless/cloud-run-explore) - **third party solutions** - [OpenShift on GCP user-provisioned 
infrastructure](./third-party-solutions/openshift), [Wordpress deployment on Cloud Run](./third-party-solutions/wordpress/cloudrun) diff --git a/blueprints/networking/README.md b/blueprints/networking/README.md index 40660022d9..9dca3f97ff 100644 --- a/blueprints/networking/README.md +++ b/blueprints/networking/README.md @@ -73,14 +73,14 @@ The emulated on-premises environment can be used to test access to different ser
---> - ### Network filtering with Squid This [blueprint](./filtering-proxy/) how to deploy a filtering HTTP proxy to restrict Internet access, in a simplified setup using a VPC with two subnets and a Cloud DNS zone, and an optional MIG for scaling.
+--> + ### Shared VPC with GKE and per-subnet support This [blueprint](./shared-vpc-gke/) shows how to configure a Shared VPC, including the specific IAM configurations needed for GKE, and to give different level of access to the VPC subnets to different identities. diff --git a/blueprints/networking/__need_fixing/README.md b/blueprints/networking/__need_fixing/README.md index 21d3e67413..44a0006d79 100644 --- a/blueprints/networking/__need_fixing/README.md +++ b/blueprints/networking/__need_fixing/README.md @@ -3,3 +3,4 @@ The blueprints in this folder are either deprecated or need work on them. - nginx reverse proxy cluster needs tests and resolving a cycle +- filtering-proxy needs upstream `cloud-config-container/__need_fixing/squid` to be fixed diff --git a/blueprints/networking/filtering-proxy-psc/README.md b/blueprints/networking/__need_fixing/filtering-proxy-psc/README.md similarity index 97% rename from blueprints/networking/filtering-proxy-psc/README.md rename to blueprints/networking/__need_fixing/filtering-proxy-psc/README.md index dd9f058582..db5149bc3a 100644 --- a/blueprints/networking/filtering-proxy-psc/README.md +++ b/blueprints/networking/__need_fixing/filtering-proxy-psc/README.md @@ -29,10 +29,9 @@ To simplify the usage of the proxy, a Cloud DNS private zone is created in each ## Test - ```hcl module "test" { - source = "./fabric/blueprints/networking/filtering-proxy-psc" + source = "./fabric/blueprints/networking/__need_fixing/filtering-proxy-psc" prefix = "fabric" project_create = { billing_account = "123456-ABCDEF-123456" diff --git a/blueprints/networking/filtering-proxy-psc/consumer.tf b/blueprints/networking/__need_fixing/filtering-proxy-psc/consumer.tf similarity index 95% rename from blueprints/networking/filtering-proxy-psc/consumer.tf rename to blueprints/networking/__need_fixing/filtering-proxy-psc/consumer.tf index 08f5b41386..38849ee062 100644 --- a/blueprints/networking/filtering-proxy-psc/consumer.tf 
+++ b/blueprints/networking/__need_fixing/filtering-proxy-psc/consumer.tf @@ -19,7 +19,7 @@ ############################################################################### module "vpc-consumer" { - source = "../../../modules/net-vpc" + source = "../../../../modules/net-vpc" project_id = module.project.project_id name = "${var.prefix}-app" subnets = [ @@ -36,7 +36,7 @@ module "vpc-consumer" { ############################################################################### module "test-vm-consumer" { - source = "../../../modules/compute-vm" + source = "../../../../modules/compute-vm" project_id = module.project.project_id zone = "${var.region}-b" name = "${var.prefix}-test-vm" @@ -83,7 +83,7 @@ resource "google_compute_forwarding_rule" "psc_ilb_consumer" { ############################################################################### module "private-dns" { - source = "../../../modules/dns" + source = "../../../../modules/dns" project_id = module.project.project_id name = "${var.prefix}-internal" zone_config = { @@ -99,7 +99,7 @@ module "private-dns" { } module "firewall-consumer" { - source = "../../../modules/net-vpc-firewall" + source = "../../../../modules/net-vpc-firewall" project_id = module.project.project_id network = module.vpc-consumer.name } diff --git a/blueprints/networking/filtering-proxy-psc/main.tf b/blueprints/networking/__need_fixing/filtering-proxy-psc/main.tf similarity index 92% rename from blueprints/networking/filtering-proxy-psc/main.tf rename to blueprints/networking/__need_fixing/filtering-proxy-psc/main.tf index 6908197fe3..ed35be3a99 100644 --- a/blueprints/networking/filtering-proxy-psc/main.tf +++ b/blueprints/networking/__need_fixing/filtering-proxy-psc/main.tf 
@@ -19,7 +19,7 @@ ############################################################################### module "project" { - source = "../../../modules/project" + source = "../../../../modules/project" project_create = var.project_create != null billing_account = try(var.project_create.billing_account, null) parent = try(var.project_create.parent, null) @@ -33,7 +33,7 @@ module "project" { } module "vpc" { - source = "../../../modules/net-vpc" + source = "../../../../modules/net-vpc" project_id = module.project.project_id name = "${var.prefix}-vpc" subnets = [ @@ -53,7 +53,7 @@ module "vpc" { } module "firewall" { - source = "../../../modules/net-vpc-firewall" + source = "../../../../modules/net-vpc-firewall" project_id = module.project.project_id network = module.vpc.name ingress_rules = { @@ -73,7 +73,7 @@ module "firewall" { } module "nat" { - source = "../../../modules/net-cloudnat" + source = "../../../../modules/net-cloudnat" project_id = module.project.project_id region = var.region name = "default" @@ -118,7 +118,7 @@ resource "google_compute_service_attachment" "service_attachment" { ############################################################################### module "service-account-squid" { - source = "../../../modules/iam-service-account" + source = "../../../../modules/iam-service-account" project_id = module.project.project_id name = "svc-squid" iam_project_roles = { @@ -130,7 +130,7 @@ module "service-account-squid" { } module "cos-squid" { - source = "../../../modules/cloud-config-container/squid" + source = "../../../../modules/cloud-config-container/__need_fixing/squid" allow = var.allowed_domains clients = [var.cidrs.app] squid_config = "${path.module}/squid.conf" @@ -140,7 +140,7 @@ module "cos-squid" { } module "squid-vm" { - source = "../../../modules/compute-vm" + source = "../../../../modules/compute-vm" project_id = module.project.project_id zone = "${var.region}-b" name = "squid-vm" 
@@ -165,7 +165,7 @@ module "squid-vm" { } module "squid-mig" { - source = "../../../modules/compute-mig" + source = "../../../../modules/compute-mig" project_id = module.project.project_id location = "${var.region}-b" name = "squid-mig" @@ -202,7 +202,7 @@ module "squid-mig" { } module "squid-ilb" { - source = "../../../modules/net-lb-int" + source = "../../../../modules/net-lb-int" project_id = module.project.project_id region = var.region name = "squid-ilb" diff --git a/blueprints/networking/filtering-proxy-psc/squid.conf b/blueprints/networking/__need_fixing/filtering-proxy-psc/squid.conf similarity index 100% rename from blueprints/networking/filtering-proxy-psc/squid.conf rename to blueprints/networking/__need_fixing/filtering-proxy-psc/squid.conf diff --git a/blueprints/networking/filtering-proxy-psc/startup.sh b/blueprints/networking/__need_fixing/filtering-proxy-psc/startup.sh similarity index 100% rename from blueprints/networking/filtering-proxy-psc/startup.sh rename to blueprints/networking/__need_fixing/filtering-proxy-psc/startup.sh diff --git a/blueprints/networking/filtering-proxy-psc/variables.tf b/blueprints/networking/__need_fixing/filtering-proxy-psc/variables.tf similarity index 100% rename from blueprints/networking/filtering-proxy-psc/variables.tf rename to blueprints/networking/__need_fixing/filtering-proxy-psc/variables.tf diff --git a/blueprints/networking/filtering-proxy/README.md b/blueprints/networking/__need_fixing/filtering-proxy/README.md similarity index 95% rename from blueprints/networking/filtering-proxy/README.md rename to blueprints/networking/__need_fixing/filtering-proxy/README.md index 70dcf6df5b..b2c1d38ef0 100644 --- a/blueprints/networking/filtering-proxy/README.md +++ b/blueprints/networking/__need_fixing/filtering-proxy/README.md 
@@ -41,7 +41,7 @@ You can optionally deploy the Squid server as [Managed Instance Group](https://c ```hcl module "test1" { - source = "./fabric/blueprints/networking/filtering-proxy" + source = "./fabric/blueprints/networking/__need_fixing/filtering-proxy" billing_account = "123456-123456-123456" mig = true prefix = "fabric" @@ -52,7 +52,7 @@ module "test1" { ```hcl module "test2" { - source = "./fabric/blueprints/networking/filtering-proxy" + source = "./fabric/blueprints/networking/__need_fixing/filtering-proxy" billing_account = "123456-123456-123456" mig = false prefix = "fabric" diff --git a/blueprints/networking/filtering-proxy/main.tf b/blueprints/networking/__need_fixing/filtering-proxy/main.tf similarity index 90% rename from blueprints/networking/filtering-proxy/main.tf rename to blueprints/networking/__need_fixing/filtering-proxy/main.tf index 107ca1f785..d8036cb243 100644 --- a/blueprints/networking/filtering-proxy/main.tf +++ b/blueprints/networking/__need_fixing/filtering-proxy/main.tf @@ -27,7 +27,7 @@ locals { ############################################################################### module "folder-netops" { - source = "../../../modules/folder" + source = "../../../../modules/folder" parent = var.root_node name = "netops" } @@ -37,7 +37,7 @@ module "folder-netops" { ############################################################################### module "project-host" { - source = "../../../modules/project" + source = "../../../../modules/project" billing_account = var.billing_account name = "host" parent = module.folder-netops.id @@ -53,7 +53,7 @@ module "project-host" { } module "vpc" { - source = "../../../modules/net-vpc" + source = "../../../../modules/net-vpc" project_id = module.project-host.project_id name = "vpc" subnets = [ 
@@ -71,7 +71,7 @@ module "vpc" { } module "firewall" { - source = "../../../modules/net-vpc-firewall" + source = "../../../../modules/net-vpc-firewall" project_id = module.project-host.project_id network = module.vpc.name ingress_rules = { @@ -91,7 +91,7 @@ module "firewall" { } module "nat" { - source = "../../../modules/net-cloudnat" + source = "../../../../modules/net-cloudnat" project_id = module.project-host.project_id region = var.region name = "default" @@ -114,7 +114,7 @@ module "nat" { } module "private-dns" { - source = "../../../modules/dns" + source = "../../../../modules/dns" project_id = module.project-host.project_id name = "internal" zone_config = { @@ -134,7 +134,7 @@ module "private-dns" { ############################################################################### module "service-account-squid" { - source = "../../../modules/iam-service-account" + source = "../../../../modules/iam-service-account" project_id = module.project-host.project_id name = "svc-squid" iam_project_roles = { @@ -146,13 +146,13 @@ module "service-account-squid" { } module "cos-squid" { - source = "../../../modules/cloud-config-container/squid" + source = "../../../../modules/cloud-config-container/__need_fixing/squid" allow = var.allowed_domains clients = [var.cidrs.apps] } module "squid-vm" { - source = "../../../modules/compute-vm" + source = "../../../../modules/compute-vm" project_id = module.project-host.project_id zone = "${var.region}-b" name = "squid-vm" @@ -177,7 +177,7 @@ module "squid-vm" { module "squid-mig" { count = var.mig ? 1 : 0 - source = "../../../modules/compute-mig" + source = "../../../../modules/compute-mig" project_id = module.project-host.project_id location = "${var.region}-b" name = "squid-mig" @@ -206,7 +206,7 @@ module "squid-mig" { module "squid-ilb" { count = var.mig ? 1 : 0 - source = "../../../modules/net-lb-int" + source = "../../../../modules/net-lb-int" project_id = module.project-host.project_id region = var.region name = "squid-ilb" 
@@ -236,7 +236,7 @@ module "squid-ilb" { ############################################################################### module "folder-apps" { - source = "../../../modules/folder" + source = "../../../../modules/folder" parent = var.root_node name = "apps" org_policies = { @@ -248,7 +248,7 @@ module "folder-apps" { } module "project-app" { - source = "../../../modules/project" + source = "../../../../modules/project" billing_account = var.billing_account name = "app1" parent = module.folder-apps.id @@ -263,7 +263,7 @@ module "project-app" { } module "test-vm" { - source = "../../../modules/compute-vm" + source = "../../../../modules/compute-vm" project_id = module.project-app.project_id zone = "${var.region}-b" name = "test-vm" diff --git a/blueprints/networking/filtering-proxy/outputs.tf b/blueprints/networking/__need_fixing/filtering-proxy/outputs.tf similarity index 100% rename from blueprints/networking/filtering-proxy/outputs.tf rename to blueprints/networking/__need_fixing/filtering-proxy/outputs.tf diff --git a/blueprints/networking/filtering-proxy/squid.png b/blueprints/networking/__need_fixing/filtering-proxy/squid.png similarity index 100% rename from blueprints/networking/filtering-proxy/squid.png rename to blueprints/networking/__need_fixing/filtering-proxy/squid.png diff --git a/blueprints/networking/filtering-proxy/variables.tf b/blueprints/networking/__need_fixing/filtering-proxy/variables.tf similarity index 100% rename from blueprints/networking/filtering-proxy/variables.tf rename to blueprints/networking/__need_fixing/filtering-proxy/variables.tf diff --git a/modules/cloud-config-container/README.md b/modules/cloud-config-container/README.md index 2307a76d62..d7017dcb77 100644 --- a/modules/cloud-config-container/README.md +++ b/modules/cloud-config-container/README.md 
@@ -14,7 +14,6 @@ These modules are designed for several use cases: - [CoreDNS](./coredns) - [MySQL](./mysql) - [Nginx](./nginx) -- [Squid forward proxy](./squid) - On-prem in Docker (*needs fixing*) ## Using the modules diff --git a/modules/cloud-config-container/squid/README.md b/modules/cloud-config-container/__need_fixing/squid/README.md similarity index 97% rename from modules/cloud-config-container/squid/README.md rename to modules/cloud-config-container/__need_fixing/squid/README.md index eceff67d32..dd0ac01b79 100644 --- a/modules/cloud-config-container/squid/README.md +++ b/modules/cloud-config-container/__need_fixing/squid/README.md @@ -14,7 +14,7 @@ Logging and monitoring are enabled via the [Google Cloud Logging agent](https:// The module renders the generated cloud config in the `cloud_config` output, to be used in instances or instance templates via the `user-data` metadata. -For convenience during development or for simple use cases, the module can optionally manage a single instance via the `test_instance` variable. If the instance is not needed the `instance*tf` files can be safely removed. Refer to the [top-level README](../README.md) for more details on the included instance. +For convenience during development or for simple use cases, the module can optionally manage a single instance via the `test_instance` variable. If the instance is not needed the `instance*tf` files can be safely removed. Refer to the [top-level README](../../README.md) for more details on the included instance. ## Examples @@ -24,7 +24,7 @@ This example will create a `cloud-config` that allows any client in the 10.0.0.0 ```hcl module "cos-squid" { - source = "./fabric/modules/cloud-config-container/squid" + source = "./fabric/modules/cloud-config-container/__need_fixing/squid" allow = [".github.com"] clients = ["10.0.0.0/8"] } 
diff --git a/modules/cloud-config-container/squid/cloud-config.yaml b/modules/cloud-config-container/__need_fixing/squid/cloud-config.yaml similarity index 100% rename from modules/cloud-config-container/squid/cloud-config.yaml rename to modules/cloud-config-container/__need_fixing/squid/cloud-config.yaml diff --git a/modules/cloud-config-container/squid/docker/Dockerfile b/modules/cloud-config-container/__need_fixing/squid/docker/Dockerfile similarity index 100% rename from modules/cloud-config-container/squid/docker/Dockerfile rename to modules/cloud-config-container/__need_fixing/squid/docker/Dockerfile diff --git a/modules/cloud-config-container/squid/docker/cloudbuild.yaml b/modules/cloud-config-container/__need_fixing/squid/docker/cloudbuild.yaml similarity index 100% rename from modules/cloud-config-container/squid/docker/cloudbuild.yaml rename to modules/cloud-config-container/__need_fixing/squid/docker/cloudbuild.yaml diff --git a/modules/cloud-config-container/squid/docker/entrypoint.sh b/modules/cloud-config-container/__need_fixing/squid/docker/entrypoint.sh similarity index 100% rename from modules/cloud-config-container/squid/docker/entrypoint.sh rename to modules/cloud-config-container/__need_fixing/squid/docker/entrypoint.sh diff --git a/modules/cloud-config-container/squid/main.tf b/modules/cloud-config-container/__need_fixing/squid/main.tf similarity index 100% rename from modules/cloud-config-container/squid/main.tf rename to modules/cloud-config-container/__need_fixing/squid/main.tf diff --git a/modules/cloud-config-container/squid/outputs.tf b/modules/cloud-config-container/__need_fixing/squid/outputs.tf similarity index 100% rename from modules/cloud-config-container/squid/outputs.tf rename to modules/cloud-config-container/__need_fixing/squid/outputs.tf 
diff --git a/modules/cloud-config-container/squid/squid.conf b/modules/cloud-config-container/__need_fixing/squid/squid.conf similarity index 100% rename from modules/cloud-config-container/squid/squid.conf rename to modules/cloud-config-container/__need_fixing/squid/squid.conf diff --git a/modules/cloud-config-container/squid/variables.tf b/modules/cloud-config-container/__need_fixing/squid/variables.tf similarity index 100% rename from modules/cloud-config-container/squid/variables.tf rename to modules/cloud-config-container/__need_fixing/squid/variables.tf diff --git a/modules/cloud-config-container/squid/versions.tf b/modules/cloud-config-container/__need_fixing/squid/versions.tf similarity index 100% rename from modules/cloud-config-container/squid/versions.tf rename to modules/cloud-config-container/__need_fixing/squid/versions.tf
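Review bot: in the blueprints/README.md hunk the networking line drops both Squid entries ("Network filtering with Squid" and "Network filtering with Squid with isolated VPCs using Private Service Connect") without any pointer to where they went, so the top-level blueprint index no longer mentions the `__need_fixing` folder at all. One line after the list, e.g. `Blueprints that are deprecated or need work are listed under [__need_fixing](./networking/__need_fixing).`, would keep the two moved blueprints findable from the index. While this line is being edited, "On-prem DNS and Google Private Access" is the only entry in it without a link; that is pre-existing, but it is cheap to fix here.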
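Review bot: in the blueprints/networking/README.md hunk, moving the `-->` so that the "Network filtering with Squid" section falls inside the HTML comment hides it from readers, but filtering-proxy-psc, which this same patch moves into `__need_fixing`, gets no corresponding change in this file; check whether its section already sits inside the commented block or is still advertised. The sentence being commented out reads `This [blueprint](./filtering-proxy/) how to deploy` and is missing "shows", and its `./filtering-proxy/` link is now stale; since the text is kept rather than deleted, either fix both before the section is re-enabled or drop the block and rely on the `__need_fixing` README.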
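Review bot: the new line in blueprints/networking/__need_fixing/README.md lists only filtering-proxy, but this patch moves filtering-proxy-psc into the same folder for the same reason (its main.tf now sources `cloud-config-container/__need_fixing/squid`), so it needs its own entry, e.g. `- filtering-proxy-psc needs upstream cloud-config-container/__need_fixing/squid to be fixed`. Neither entry says what is actually broken in the squid module; a sentence on what fails (and the tracking issue number, if one exists) would let someone pick this up without rediscovering the problem.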
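Review bot: the `## Test` hunk in filtering-proxy-psc/README.md and the `test1`/`test2` hunks in filtering-proxy/README.md rewrite the example `source` to `./fabric/blueprints/networking/__need_fixing/...`; those `./fabric/...` sources are the form this repository's example-driven tests resolve, yet the patch touches nothing under `tests/`. Confirm that the fixtures for both blueprints either follow the new paths or are deliberately skipped, otherwise the move will surface as a failing or silently absent test rather than as a documented "needs fixing" state. The filtering-proxy-psc hunk also removes the blank line between `## Test` and the ```hcl fence; harmless for rendering, but the other READMEs in this patch keep it.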
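Review bot: the `source` rewrites across filtering-proxy-psc/consumer.tf, filtering-proxy-psc/main.tf and filtering-proxy/main.tf are consistent (one extra `../` for the extra directory level, and `cos-squid` pointed at the `__need_fixing/squid` module), but there are over twenty of them done by hand, so please record in the PR that a check for leftovers was run, e.g. `grep -rn 'source *= *"\.\./\.\./\.\./modules' blueprints/networking/__need_fixing` returning nothing, plus a `terraform init` from each moved directory; with the blueprints' tests no longer exercising them, a missed path would otherwise go unnoticed until someone tries to apply.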
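Review bot: the modules/cloud-config-container/README.md hunk deletes `- [Squid forward proxy](./squid)` outright, while the entry directly below it, `- On-prem in Docker (*needs fixing*)`, shows the convention this list already uses for broken modules. Keeping `- [Squid forward proxy](./__need_fixing/squid) (*needs fixing*)` follows that convention and keeps the module discoverable, which matters because two blueprints in this same patch still depend on it.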
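Review bot: the 100%-similarity renames of `docker/Dockerfile`, `docker/cloudbuild.yaml` and `docker/entrypoint.sh` under modules/cloud-config-container/squid mean any build configuration referenced by path from outside the repository (a Cloud Build trigger pointing at `modules/cloud-config-container/squid/docker/cloudbuild.yaml`, for instance) will break on the next run without this patch showing it; check the triggers for this module and note in the `__need_fixing` README whether the image still builds. `main.tf` and `cloud-config.yaml` are likewise renamed unchanged, which is safe only if the template is read relative to `path.module` rather than the repository root, so that is worth confirming with a `terraform init` of the module in its new location.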