# 3-networks-hub-and-spoke/production

The purpose of this step is to set up base and restricted shared VPCs with default DNS, NAT (optional), Private Service networking, VPC Service Controls, on-prem Dedicated Interconnect, on-prem VPN and baseline firewall rules for environment nonproduction. This version of the network step uses the Hub and Spoke network architecture.

## Prerequisites

1. `0-bootstrap` executed successfully.
2. `1-org` executed successfully.
3. `2-environments/envs/production` executed successfully.
4. `3-networks-hub-and-spoke/envs/shared` executed successfully.
5. Obtain the value for the `access_context_manager_policy_id` variable. It can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`.

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| access_context_manager_policy_id | The id of the default Access Context Manager policy created in step `1-org`. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `number` | n/a | yes |
| domain | The DNS name of the peering managed zone, for instance `example.com.`. Must end with a period. | `string` | n/a | yes |
| egress_policies | A list of all egress policies to use in an enforced perimeter. Each list object has a `from` and `to` value that describes `egress_from` and `egress_to`.<br><br>Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`<br><br>Valid values:<br>ID_TYPE = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow identities from the list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`<br>SRV_NAME = `"*"` (allow all services) or specific services<br>OP_TYPE = `methods` or `permissions` | `list(object({ from = any, to = any }))` | `[]` | no |
| egress_policies_dry_run | A list of all egress policies to use in a dry-run perimeter. Each list object has a `from` and `to` value that describes `egress_from` and `egress_to`.<br><br>Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`<br><br>Valid values:<br>ID_TYPE = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow identities from the list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`<br>SRV_NAME = `"*"` (allow all services) or specific services<br>OP_TYPE = `methods` or `permissions` | `list(object({ from = any, to = any }))` | `[]` | no |
| enable_hub_and_spoke_transitivity | Enable transitivity via gateway VMs on the Hub-and-Spoke architecture. | `bool` | `false` | no |
| ingress_policies | A list of all ingress policies to use in an enforced perimeter. Each list object has a `from` and `to` value that describes `ingress_from` and `ingress_to`.<br><br>Example: `[{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`<br><br>Valid values:<br>ID_TYPE = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow identities from the list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`<br>SRV_NAME = `"*"` (allow all services) or specific services<br>OP_TYPE = `methods` or `permissions` | `list(object({ from = any, to = any }))` | `[]` | no |
| ingress_policies_dry_run | A list of all ingress policies to use in a dry-run perimeter. Each list object has a `from` and `to` value that describes `ingress_from` and `ingress_to`.<br><br>Example: `[{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`<br><br>Valid values:<br>ID_TYPE = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow identities from the list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`<br>SRV_NAME = `"*"` (allow all services) or specific services<br>OP_TYPE = `methods` or `permissions` | `list(object({ from = any, to = any }))` | `[]` | no |
| perimeter_additional_members | The list of additional members to be added to the enforced perimeter access level members list. To be able to see the resources protected by VPC Service Controls in the restricted perimeter, add your user to this list. Entries must be in the standard GCP form: `user:[email protected]` or `serviceAccount:[email protected]`. | `list(string)` | `[]` | no |
| perimeter_additional_members_dry_run | The list of additional members to be added to the dry-run perimeter access level members list. To be able to see the resources protected by VPC Service Controls in the restricted perimeter, add your user to this list. Entries must be in the standard GCP form: `user:[email protected]` or `serviceAccount:[email protected]`. | `list(string)` | `[]` | no |
| remote_state_bucket | Backend bucket to load Terraform remote state data from previous steps. | `string` | n/a | yes |
| tfc_org_name | Name of the TFC organization. | `string` | `""` | no |
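The `from`/`to` policy objects in the table are easier to read once filled in. The following `terraform.tfvars` is an added example for this step and is not a file shipped by the terraform-example-foundation project. The policy id, state bucket, principals, project number and the particular Cloud Storage and BigQuery operations are constructed placeholders; the shape of each object follows the table above, and the file puts the rules in the dry-run lists first while leaving the enforced lists empty, which matches the guidance in the `enforce_vpcsc` description below.

```hcl
# Added example terraform.tfvars (not part of the project). Every identifier
# below is a constructed placeholder; substitute your own values.

# Value of: gcloud access-context-manager policies list \
#             --organization YOUR_ORGANIZATION_ID --format="value(name)"
access_context_manager_policy_id = 123456789012

remote_state_bucket = "PLACEHOLDER_TF_STATE_BUCKET"
domain              = "example.com." # must end with a period
tfc_org_name        = ""

# Who may see resources inside the restricted perimeter while it is dry-run.
perimeter_additional_members_dry_run = [
  "user:admin@example.com",
]

# Dry-run ingress rule: only the listed identity (identity_type = null means
# IDENTITY_TYPE_UNSPECIFIED, i.e. "only the identities listed") may call two
# read-only Cloud Storage methods on any project in the perimeter.
# access_levels = ["*"] (any access level) is an assumption about the
# underlying API, not something the table states.
ingress_policies_dry_run = [
  {
    from = {
      sources = {
        resources     = []
        access_levels = ["*"]
      }
      identities    = ["user:admin@example.com"]
      identity_type = null
    }
    to = {
      resources = ["*"]
      operations = {
        "storage.googleapis.com" = {
          methods = ["google.storage.objects.get", "google.storage.objects.list"]
        }
      }
    }
  },
]

# Dry-run egress rule: any service account inside the perimeter may read
# BigQuery table data in one specific project outside it, and nothing else.
egress_policies_dry_run = [
  {
    from = {
      identities    = []
      identity_type = "ANY_SERVICE_ACCOUNT"
    }
    to = {
      resources = ["projects/PLACEHOLDER_PROJECT_NUMBER"]
      operations = {
        "bigquery.googleapis.com" = {
          permissions = ["bigquery.tables.getData"]
        }
      }
    }
  },
]

# Enforced perimeter: keep empty on the first run. Promote rules here only
# after the dry-run audit logs show which flows genuinely need an exception.
ingress_policies             = []
egress_policies              = []
perimeter_additional_members = []
```

Because the dry-run and enforced variables have identical types, promoting a rule is a copy from the `_dry_run` list into its enforced counterpart once the dry-run perimeter has stopped logging unexpected denials for it; keeping `identities` narrow and `operations` limited to named methods or permissions, rather than `"*"`, is what keeps each exception from widening the perimeter more than the analysed traffic requires.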

## Outputs

| Name | Description |
|------|-------------|
| access_context_manager_policy_id | Access Context Manager policy ID. |
| access_level_name | Access Context Manager access level name. |
| access_level_name_dry_run | Access Context Manager access level name for the dry-run perimeter. |
| base_host_project_id | The base host project ID. |
| base_network_name | The name of the VPC being created. |
| base_network_self_link | The URI of the VPC being created. |
| base_subnets_ips | The IPs and CIDRs of the subnets being created. |
| base_subnets_names | The names of the subnets being created. |
| base_subnets_secondary_ranges | The secondary ranges associated with these subnets. |
| base_subnets_self_links | The self-links of the subnets being created. |
| enforce_vpcsc | Enable the enforced mode for VPC Service Controls. It is not recommended to enable VPC-SC on the first run deploying your foundation. Review best practices for enabling VPC Service Controls, then only enforce the perimeter after you have analyzed the access patterns in your dry-run perimeter and created the necessary exceptions for your use cases. |
| restricted_host_project_id | The restricted host project ID. |
| restricted_network_name | The name of the VPC being created. |
| restricted_network_self_link | The URI of the VPC being created. |
| restricted_service_perimeter_name | Access Context Manager service perimeter name. |
| restricted_subnets_ips | The IPs and CIDRs of the subnets being created. |
| restricted_subnets_names | The names of the subnets being created. |
| restricted_subnets_secondary_ranges | The secondary ranges associated with these subnets. |
| restricted_subnets_self_links | The self-links of the subnets being created. |