
Move squid to __need_fixing #1936

Merged
merged 12 commits into from
Dec 19, 2023
2 changes: 1 addition & 1 deletion blueprints/README.md
Expand Up @@ -9,7 +9,7 @@ Currently available blueprints:
- **data solutions** - [GCE and GCS CMEK via centralized Cloud KMS](./data-solutions/cmek-via-centralized-kms), [Cloud Composer version 2 private instance, supporting Shared VPC and external CMEK key](./data-solutions/composer-2), [Cloud SQL instance with multi-region read replicas](./data-solutions/cloudsql-multiregion), [Data Platform](./data-solutions/data-platform-foundations), [Minimal Data Platform](./data-solutions/data-platform-minimal), [Spinning up a foundation data pipeline on Google Cloud using Cloud Storage, Dataflow and BigQuery](./data-solutions/gcs-to-bq-with-least-privileges), [#SQL Server Always On Groups blueprint](./data-solutions/sqlserver-alwayson), [Data Playground](./data-solutions/data-playground), [MLOps with Vertex AI](./data-solutions/vertex-mlops), [Shielded Folder](./data-solutions/shielded-folder), [BigQuery ML and Vertex AI Pipeline](./data-solutions/bq-ml)
- **factories** - [The why and the how of Resource Factories](./factories), [Google Cloud Identity Group Factory](./factories/cloud-identity-group-factory), [Google Cloud BQ Factory](./factories/bigquery-factory), [Google Cloud VPC Firewall Factory](./factories/net-vpc-firewall-yaml), [Minimal Project Factory](./factories/project-factory)
- **GKE** - [Binary Authorization Pipeline Blueprint](./gke/binauthz), [Storage API](./gke/binauthz/image), [Multi-cluster mesh on GKE (fleet API)](./gke/multi-cluster-mesh-gke-fleet-api), [GKE Multitenant Blueprint](./gke/multitenant-fleet), [Shared VPC with GKE support](./networking/shared-vpc-gke/), [GKE Autopilot](./gke/autopilot)
- **networking** - [Calling a private Cloud Function from On-premises](./networking/private-cloud-function-from-onprem), [Decentralized firewall management](./networking/decentralized-firewall), [Decentralized firewall validator](./networking/decentralized-firewall/validator), [Network filtering with Squid](./networking/filtering-proxy), [HA VPN over Interconnect](./networking/ha-vpn-over-interconnect/), [GLB and multi-regional daisy-chaining through hybrid NEGs](./networking/glb-hybrid-neg-internal), [Hybrid connectivity to on-premise services through PSC](./networking/psc-hybrid), [HTTP Load Balancer with Cloud Armor](./networking/glb-and-armor), [Hub and Spoke via VPN](./networking/hub-and-spoke-vpn), [Hub and Spoke via VPC Peering](./networking/hub-and-spoke-peering), [Internal Load Balancer as Next Hop](./networking/ilb-next-hop), [Network filtering with Squid with isolated VPCs using Private Service Connect](./networking/filtering-proxy-psc), On-prem DNS and Google Private Access, [PSC Producer](./networking/psc-hybrid/psc-producer), [PSC Consumer](./networking/psc-hybrid/psc-consumer), [Shared VPC with optional GKE cluster](./networking/shared-vpc-gke)
- **networking** - [Calling a private Cloud Function from On-premises](./networking/private-cloud-function-from-onprem), [Decentralized firewall management](./networking/decentralized-firewall), [Decentralized firewall validator](./networking/decentralized-firewall/validator), [HA VPN over Interconnect](./networking/ha-vpn-over-interconnect/), [GLB and multi-regional daisy-chaining through hybrid NEGs](./networking/glb-hybrid-neg-internal), [Hybrid connectivity to on-premise services through PSC](./networking/psc-hybrid), [HTTP Load Balancer with Cloud Armor](./networking/glb-and-armor), [Hub and Spoke via VPN](./networking/hub-and-spoke-vpn), [Hub and Spoke via VPC Peering](./networking/hub-and-spoke-peering), [Internal Load Balancer as Next Hop](./networking/ilb-next-hop), On-prem DNS and Google Private Access, [PSC Producer](./networking/psc-hybrid/psc-producer), [PSC Consumer](./networking/psc-hybrid/psc-consumer), [Shared VPC with optional GKE cluster](./networking/shared-vpc-gke)
- **serverless** - [Cloud Run series](./serverless/cloud-run-explore)
- **third party solutions** - [OpenShift on GCP user-provisioned infrastructure](./third-party-solutions/openshift), [Wordpress deployment on Cloud Run](./third-party-solutions/wordpress/cloudrun)
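Review bot: the networking line drops both `Network filtering with Squid` (`./networking/filtering-proxy`) and `Network filtering with Squid with isolated VPCs using Private Service Connect` (`./networking/filtering-proxy-psc`) from the index without adding any pointer to their new location, so readers of this README can no longer discover that the blueprints still exist under `__need_fixing/`. Consider keeping a short entry such as `Network filtering with Squid (*needs fixing*)` linking to the moved directory, matching how the `On-prem in Docker (*needs fixing*)` entry is handled in `modules/cloud-config-container/README.md`.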

4 changes: 2 additions & 2 deletions blueprints/networking/README.md
Expand Up @@ -73,14 +73,14 @@ The emulated on-premises environment can be used to test access to different ser

<br clear="left">

-->

### Network filtering with Squid

<a href="./filtering-proxy/" title="Network filtering with Squid"><img src="./filtering-proxy/squid.png" align="left" width="280px"></a> This [blueprint](./filtering-proxy/) how to deploy a filtering HTTP proxy to restrict Internet access, in a simplified setup using a VPC with two subnets and a Cloud DNS zone, and an optional MIG for scaling.

<br clear="left">

-->

### Shared VPC with GKE and per-subnet support

<a href="./shared-vpc-gke/" title="Shared VPC with GKE"><img src="./shared-vpc-gke/diagram.png" align="left" width="280px"></a> This [blueprint](./shared-vpc-gke/) shows how to configure a Shared VPC, including the specific IAM configurations needed for GKE, and to give different level of access to the VPC subnets to different identities.
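Review bot: the Squid section appears to be hidden by moving the `-->` from before `### Network filtering with Squid` to after its `<br clear="left">`, which leaves the section text in the file inside an HTML comment; since the matching `<!--` is outside this hunk, confirm that everything between it and the new `-->` is meant to be invisible, and prefer a one-line pointer to `__need_fixing/filtering-proxy` over a commented-out block so the blueprint stays discoverable. While the text is touched, `This [blueprint](./filtering-proxy/) how to deploy` is missing the verb `shows`.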
1 change: 1 addition & 0 deletions blueprints/networking/__need_fixing/README.md
Expand Up @@ -3,3 +3,4 @@
The blueprints in this folder are either deprecated or need work on them.

- nginx reverse proxy cluster needs tests and resolving a cycle
- filtering-proxy needs upstream `cloud-config-container/__need_fixing/squid` to be fixed
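Review bot: the new entry only lists `filtering-proxy`, but this PR also moves `filtering-proxy-psc` into `__need_fixing/` and points its `cos-squid` module at `cloud-config-container/__need_fixing/squid`, so it has the same upstream dependency; add a matching bullet for `filtering-proxy-psc` so the README reflects everything that lives in this folder and why.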
Original file line number Diff line number Diff line change
Expand Up @@ -29,10 +29,9 @@ To simplify the usage of the proxy, a Cloud DNS private zone is created in each

## Test


```hcl
module "test" {
source = "./fabric/blueprints/networking/filtering-proxy-psc"
source = "./fabric/blueprints/networking/__need_fixing/filtering-proxy-psc"
prefix = "fabric"
project_create = {
billing_account = "123456-ABCDEF-123456"
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@
###############################################################################

module "vpc-consumer" {
source = "../../../modules/net-vpc"
source = "../../../../modules/net-vpc"
project_id = module.project.project_id
name = "${var.prefix}-app"
subnets = [
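Review bot: the `source` paths gain one `../` to account for the extra `__need_fixing/` directory level, which is correct for the files in this diff; since only `source` lines are touched, it is worth grepping the moved directories for any remaining `../../../modules` reference (for example in files not shown here) before merging, because a stale relative path would only surface at `terraform init` time.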
Expand All @@ -36,7 +36,7 @@ module "vpc-consumer" {
###############################################################################

module "test-vm-consumer" {
source = "../../../modules/compute-vm"
source = "../../../../modules/compute-vm"
project_id = module.project.project_id
zone = "${var.region}-b"
name = "${var.prefix}-test-vm"
Expand Down Expand Up @@ -83,7 +83,7 @@ resource "google_compute_forwarding_rule" "psc_ilb_consumer" {
###############################################################################

module "private-dns" {
source = "../../../modules/dns"
source = "../../../../modules/dns"
project_id = module.project.project_id
name = "${var.prefix}-internal"
zone_config = {
Expand All @@ -99,7 +99,7 @@ module "private-dns" {
}

module "firewall-consumer" {
source = "../../../modules/net-vpc-firewall"
source = "../../../../modules/net-vpc-firewall"
project_id = module.project.project_id
network = module.vpc-consumer.name
}
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@
###############################################################################

module "project" {
source = "../../../modules/project"
source = "../../../../modules/project"
project_create = var.project_create != null
billing_account = try(var.project_create.billing_account, null)
parent = try(var.project_create.parent, null)
Expand All @@ -33,7 +33,7 @@ module "project" {
}

module "vpc" {
source = "../../../modules/net-vpc"
source = "../../../../modules/net-vpc"
project_id = module.project.project_id
name = "${var.prefix}-vpc"
subnets = [
Expand All @@ -53,7 +53,7 @@ module "vpc" {
}

module "firewall" {
source = "../../../modules/net-vpc-firewall"
source = "../../../../modules/net-vpc-firewall"
project_id = module.project.project_id
network = module.vpc.name
ingress_rules = {
Expand All @@ -73,7 +73,7 @@ module "firewall" {
}

module "nat" {
source = "../../../modules/net-cloudnat"
source = "../../../../modules/net-cloudnat"
project_id = module.project.project_id
region = var.region
name = "default"
Expand Down Expand Up @@ -118,7 +118,7 @@ resource "google_compute_service_attachment" "service_attachment" {
###############################################################################

module "service-account-squid" {
source = "../../../modules/iam-service-account"
source = "../../../../modules/iam-service-account"
project_id = module.project.project_id
name = "svc-squid"
iam_project_roles = {
Expand All @@ -130,7 +130,7 @@ module "service-account-squid" {
}

module "cos-squid" {
source = "../../../modules/cloud-config-container/squid"
source = "../../../../modules/cloud-config-container/__need_fixing/squid"
allow = var.allowed_domains
clients = [var.cidrs.app]
squid_config = "${path.module}/squid.conf"
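Review bot: `cos-squid` now sources `cloud-config-container/__need_fixing/squid`, so this blueprint explicitly depends on a module the repository flags as broken, while the `__need_fixing/README.md` entry added in this PR mentions only `filtering-proxy`; either list `filtering-proxy-psc` there as well or note the dependency in this blueprint's own README, so that the custom `squid_config = "${path.module}/squid.conf"` override is not mistaken for a working configuration.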
Expand All @@ -140,7 +140,7 @@ module "cos-squid" {
}

module "squid-vm" {
source = "../../../modules/compute-vm"
source = "../../../../modules/compute-vm"
project_id = module.project.project_id
zone = "${var.region}-b"
name = "squid-vm"
Expand All @@ -165,7 +165,7 @@ module "squid-vm" {
}

module "squid-mig" {
source = "../../../modules/compute-mig"
source = "../../../../modules/compute-mig"
project_id = module.project.project_id
location = "${var.region}-b"
name = "squid-mig"
Expand Down Expand Up @@ -202,7 +202,7 @@ module "squid-mig" {
}

module "squid-ilb" {
source = "../../../modules/net-lb-int"
source = "../../../../modules/net-lb-int"
project_id = module.project.project_id
region = var.region
name = "squid-ilb"
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ You can optionally deploy the Squid server as [Managed Instance Group](https://c

```hcl
module "test1" {
source = "./fabric/blueprints/networking/filtering-proxy"
source = "./fabric/blueprints/networking/__need_fixing/filtering-proxy"
billing_account = "123456-123456-123456"
mig = true
prefix = "fabric"
Expand All @@ -52,7 +52,7 @@ module "test1" {

```hcl
module "test2" {
source = "./fabric/blueprints/networking/filtering-proxy"
source = "./fabric/blueprints/networking/__need_fixing/filtering-proxy"
billing_account = "123456-123456-123456"
mig = false
prefix = "fabric"
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ locals {
###############################################################################

module "folder-netops" {
source = "../../../modules/folder"
source = "../../../../modules/folder"
parent = var.root_node
name = "netops"
}
Expand All @@ -37,7 +37,7 @@ module "folder-netops" {
###############################################################################

module "project-host" {
source = "../../../modules/project"
source = "../../../../modules/project"
billing_account = var.billing_account
name = "host"
parent = module.folder-netops.id
Expand All @@ -53,7 +53,7 @@ module "project-host" {
}

module "vpc" {
source = "../../../modules/net-vpc"
source = "../../../../modules/net-vpc"
project_id = module.project-host.project_id
name = "vpc"
subnets = [
Expand All @@ -71,7 +71,7 @@ module "vpc" {
}

module "firewall" {
source = "../../../modules/net-vpc-firewall"
source = "../../../../modules/net-vpc-firewall"
project_id = module.project-host.project_id
network = module.vpc.name
ingress_rules = {
Expand All @@ -91,7 +91,7 @@ module "firewall" {
}

module "nat" {
source = "../../../modules/net-cloudnat"
source = "../../../../modules/net-cloudnat"
project_id = module.project-host.project_id
region = var.region
name = "default"
Expand All @@ -114,7 +114,7 @@ module "nat" {
}

module "private-dns" {
source = "../../../modules/dns"
source = "../../../../modules/dns"
project_id = module.project-host.project_id
name = "internal"
zone_config = {
Expand All @@ -134,7 +134,7 @@ module "private-dns" {
###############################################################################

module "service-account-squid" {
source = "../../../modules/iam-service-account"
source = "../../../../modules/iam-service-account"
project_id = module.project-host.project_id
name = "svc-squid"
iam_project_roles = {
Expand All @@ -146,13 +146,13 @@ module "service-account-squid" {
}

module "cos-squid" {
source = "../../../modules/cloud-config-container/squid"
source = "../../../../modules/cloud-config-container/__need_fixing/squid"
allow = var.allowed_domains
clients = [var.cidrs.apps]
}

module "squid-vm" {
source = "../../../modules/compute-vm"
source = "../../../../modules/compute-vm"
project_id = module.project-host.project_id
zone = "${var.region}-b"
name = "squid-vm"
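Review bot: this `cos-squid` block pins the same `__need_fixing/squid` module as the PSC variant but, unlike it, passes no `squid_config`, so it relies entirely on the module's default configuration to enforce `allow = var.allowed_domains` for `clients = [var.cidrs.apps]`; a short comment stating that the filtering behaviour is unverified until the upstream module is fixed would help anyone who copies this block into a working environment.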
Expand All @@ -177,7 +177,7 @@ module "squid-vm" {

module "squid-mig" {
count = var.mig ? 1 : 0
source = "../../../modules/compute-mig"
source = "../../../../modules/compute-mig"
project_id = module.project-host.project_id
location = "${var.region}-b"
name = "squid-mig"
Expand Down Expand Up @@ -206,7 +206,7 @@ module "squid-mig" {

module "squid-ilb" {
count = var.mig ? 1 : 0
source = "../../../modules/net-lb-int"
source = "../../../../modules/net-lb-int"
project_id = module.project-host.project_id
region = var.region
name = "squid-ilb"
Expand Down Expand Up @@ -236,7 +236,7 @@ module "squid-ilb" {
###############################################################################

module "folder-apps" {
source = "../../../modules/folder"
source = "../../../../modules/folder"
parent = var.root_node
name = "apps"
org_policies = {
Expand All @@ -248,7 +248,7 @@ module "folder-apps" {
}

module "project-app" {
source = "../../../modules/project"
source = "../../../../modules/project"
billing_account = var.billing_account
name = "app1"
parent = module.folder-apps.id
Expand All @@ -263,7 +263,7 @@ module "project-app" {
}

module "test-vm" {
source = "../../../modules/compute-vm"
source = "../../../../modules/compute-vm"
project_id = module.project-app.project_id
zone = "${var.region}-b"
name = "test-vm"
1 change: 0 additions & 1 deletion modules/cloud-config-container/README.md
Expand Up @@ -14,7 +14,6 @@ These modules are designed for several use cases:
- [CoreDNS](./coredns)
- [MySQL](./mysql)
- [Nginx](./nginx)
- [Squid forward proxy](./squid)
- On-prem in Docker (*needs fixing*)

## Using the modules
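Review bot: rather than deleting `[Squid forward proxy](./squid)` from the list, keep it as `Squid forward proxy (*needs fixing*)` pointing at `./__need_fixing/squid`, consistent with the `On-prem in Docker (*needs fixing*)` entry that remains in the same list; dropping it entirely hides the module's existence and status from this README.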
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ Logging and monitoring are enabled via the [Google Cloud Logging agent](https://

The module renders the generated cloud config in the `cloud_config` output, to be used in instances or instance templates via the `user-data` metadata.

For convenience during development or for simple use cases, the module can optionally manage a single instance via the `test_instance` variable. If the instance is not needed the `instance*tf` files can be safely removed. Refer to the [top-level README](../README.md) for more details on the included instance.
For convenience during development or for simple use cases, the module can optionally manage a single instance via the `test_instance` variable. If the instance is not needed the `instance*tf` files can be safely removed. Refer to the [top-level README](../../README.md) for more details on the included instance.

## Examples

Expand All @@ -24,7 +24,7 @@ This example will create a `cloud-config` that allows any client in the 10.0.0.0

```hcl
module "cos-squid" {
source = "./fabric/modules/cloud-config-container/squid"
source = "./fabric/modules/cloud-config-container/__need_fixing/squid"
allow = [".github.com"]
clients = ["10.0.0.0/8"]
}
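Review bot: the `../../README.md` link and the `__need_fixing/squid` example source are both consistent with the extra directory level, but nothing in the module's own README says that it is in a needs-fixing state; add a sentence near the top so that anyone who copies the example (which allows the whole `10.0.0.0/8` range to reach `.github.com` through the proxy) knows the module is not currently maintained as working.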