fix integration tests, shared vpc module and bootstrap README

mariammartins · Dec 6, 2024 · 469a01a · 469a01a
1 parent bf87065
commit 469a01a
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 74 deletions.
diff --git a/0-bootstrap/README-GitLab.md b/0-bootstrap/README-GitLab.md
@@ -591,7 +591,7 @@ or go to [Deploying step 3-networks-hub-and-spoke](#deploying-step-3-networks-hu
 
 1. Update `common.auto.tfvars` file with values from your GCP environment.
 See any of the envs folder [README.md](../3-networks-svpc/envs/production/README.md#inputs) files for additional information on the values in the `common.auto.tfvars` file.
-1. You must add your user email in the variable `perimeter_additional_members` to be able to see the resources created in the restricted project.
+1. You must add your user email in the variable `perimeter_additional_members` to be able to see the resources created in the shared vpc.
 1. Update the `remote_state_bucket` variable with the backend bucket from step Bootstrap in the `common.auto.tfvars` file.
 
    ```bash
@@ -725,7 +725,7 @@ An environment variable `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` will be set with th
 
 1. Update `common.auto.tfvars` file with values from your GCP environment.
 See any of the envs folder [README.md](../3-networks-hub-and-spoke/envs/production/README.md#inputs) files for additional information on the values in the `common.auto.tfvars` file.
-1. You must add your user email in the variable `perimeter_additional_members` to be able to see the resources created in the restricted project.
+1. You must add your user email in the variable `perimeter_additional_members` to be able to see the resources created in the shared vpc.
 1. Update the `remote_state_bucket` variable with the backend bucket from step Bootstrap in the `common.auto.tfvars` file.
 
    ```bash

diff --git a/0-bootstrap/README-Terraform-Cloud.md b/0-bootstrap/README-Terraform-Cloud.md
@@ -499,7 +499,7 @@ or go to [Deploying step 3-networks-hub-and-spoke](#deploying-step-3-networks-hu
 
 1. Update `common.auto.tfvars` file with values from your GCP environment.
 See any of the envs folder [README.md](../3-networks-svpc/envs/production/README.md#inputs) files for additional information on the values in the `common.auto.tfvars` file.
-1. You must add your user email in the variable `perimeter_additional_members` to be able to see the resources created in the restricted project.
+1. You must add your user email in the variable `perimeter_additional_members` to be able to see the resources created in the shared vpc.
 
 1. You must manually plan and apply the `shared` environment from your (only once) since the `development`, `nonproduction` and `production` environments depend on it.
 
@@ -648,7 +648,7 @@ An environment variable `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` will be set with th
 
 1. Update `common.auto.tfvars` file with values from your GCP environment.
 See any of the envs folder [README.md](../3-networks-hub-and-spoke/envs/production/README.md#inputs) files for additional information on the values in the `common.auto.tfvars` file.
-1. You must add your user email in the variable `perimeter_additional_members` to be able to see the resources created in the restricted project.
+1. You must add your user email in the variable `perimeter_additional_members` to be able to see the resources created in the shared vpc.
 
 1. You must manually plan and apply the `shared` environment (only once) since the `development`, `nonproduction` and `production` environments depend on it.
 

diff --git a/3-networks-svpc/modules/shared_vpc/firewall.tf b/3-networks-svpc/modules/shared_vpc/firewall.tf
@@ -61,42 +61,6 @@ module "firewall_rules" {
           ]
         }
       }
-    ],
-    !var.enable_all_vpc_internal_traffic ? [] : [
-      {
-        priority       = "10000"
-        direction      = "EGRESS"
-        action         = "allow"
-        rule_name      = "fw-${var.environment_code}-shared-base-10000-e-a-all-all-all"
-        description    = "Allow all egress to the provided IP range."
-        enable_logging = var.firewall_enable_logging
-        match = {
-          dest_ip_ranges = module.main.subnets_ips
-          layer4_configs = [
-            {
-              ip_protocol = "all"
-            },
-          ]
-        }
-      }
-    ],
-    !var.enable_all_vpc_internal_traffic ? [] : [
-      {
-        priority       = "10001"
-        direction      = "INGRESS"
-        action         = "allow"
-        rule_name      = "fw-${var.environment_code}-shared-base-10001-i-a-all"
-        description    = "Allow all ingress to the provided IP range."
-        enable_logging = var.firewall_enable_logging
-        match = {
-          src_ip_ranges = module.main.subnets_ips
-          layer4_configs = [
-            {
-              ip_protocol = "all"
-            },
-          ]
-        }
-      }
     ]
   )
 }
diff --git a/3-networks-svpc/modules/shared_vpc/versions.tf b/3-networks-svpc/modules/shared_vpc/versions.tf
@@ -26,7 +26,7 @@ terraform {
       version = ">= 3.50"
     }
     random = {
-      source = "hashicorp/random"
+      source  = "hashicorp/random"
       version = ">= 3.4.3, < 4"
     }
   }

diff --git a/test/integration/networks/networks_test.go b/test/integration/networks/networks_test.go
@@ -48,25 +48,7 @@ func getFirewallMode(t *testing.T) string {
 
 func getNetworkResourceNames(envCode string, networkMode string, firewallMode string) map[string]map[string]string {
 	return map[string]map[string]string{
-		"base": {
-			"network_name":          fmt.Sprintf("vpc-%s-shared-base%s", envCode, networkMode),
-			"global_address":        fmt.Sprintf("ga-%s-shared-base%s-vpc-peering-internal", envCode, networkMode),
-			"dns_zone_googleapis":   fmt.Sprintf("dz-%s-shared-base-apis", envCode),
-			"dns_zone_gcr":          fmt.Sprintf("dz-%s-shared-base-gcr", envCode),
-			"dns_zone_pkg_dev":      fmt.Sprintf("dz-%s-shared-base-pkg-dev", envCode),
-			"dns_zone_peering_zone": fmt.Sprintf("dz-%s-shared-base-to-dns-hub", envCode),
-			"dns_policy_name":       fmt.Sprintf("dp-%s-shared-base-default-policy", envCode),
-			"subnet_name1":          fmt.Sprintf("sb-%s-shared-base-us-central1", envCode),
-			"subnet_name2":          fmt.Sprintf("sb-%s-shared-base-us-west1", envCode),
-			"region1_router1":       fmt.Sprintf("cr-%s-shared-base%s-us-central1-cr1", envCode, networkMode),
-			"region1_router2":       fmt.Sprintf("cr-%s-shared-base%s-us-central1-cr2", envCode, networkMode),
-			"region2_router1":       fmt.Sprintf("cr-%s-shared-base%s-us-west1-cr3", envCode, networkMode),
-			"region2_router2":       fmt.Sprintf("cr-%s-shared-base%s-us-west1-cr4", envCode, networkMode),
-			"firewall_policy":       fmt.Sprintf("fp-%s-%s-base-firewalls", envCode, firewallMode),
-			"fw_deny_all_egress":    fmt.Sprintf("fw-%s-shared-base-65530-e-d-all-all-all", envCode),
-			"fw_allow_api_egress":   fmt.Sprintf("fw-%s-shared-base-1000-e-a-allow-google-apis-all-tcp-443", envCode),
-		},
-		"restricted": {
+		"shared_vpc": {
 			"network_name":          fmt.Sprintf("vpc-%s-svpc%s", envCode, networkMode),
 			"global_address":        fmt.Sprintf("ga-%s-svpc%s-vpc-peering-internal", envCode, networkMode),
 			"dns_zone_googleapis":   fmt.Sprintf("dz-%s-svpc-apis", envCode),
@@ -80,7 +62,7 @@ func getNetworkResourceNames(envCode string, networkMode string, firewallMode st
 			"region1_router2":       fmt.Sprintf("cr-%s-svpc%s-us-central1-cr6", envCode, networkMode),
 			"region2_router1":       fmt.Sprintf("cr-%s-svpc%s-us-west1-cr7", envCode, networkMode),
 			"region2_router2":       fmt.Sprintf("cr-%s-svpc%s-us-west1-cr8", envCode, networkMode),
-			"firewall_policy":       fmt.Sprintf("fp-%s-%s-restricted-firewalls", envCode, firewallMode),
+			"firewall_policy":       fmt.Sprintf("fp-%s-%s-svpc-firewalls", envCode, firewallMode),
 			"fw_deny_all_egress":    fmt.Sprintf("fw-%s-svpc-65530-e-d-all-all-all", envCode),
 			"fw_allow_api_egress":   fmt.Sprintf("fw-%s-svpc-1000-e-a-allow-google-apis-all-tcp-443", envCode),
 		},
@@ -235,31 +217,25 @@ func TestNetworks(t *testing.T) {
 
 	cidrRanges := map[string]map[string][]string{
 		"development": {
-			"base":       []string{"10.0.64.0/18", "10.1.64.0/18"},
-			"restricted": []string{"10.8.64.0/18", "10.9.64.0/18"},
+			"shared_vpc": []string{"10.8.64.0/18", "10.9.64.0/18"},
 		},
 		"nonproduction": {
-			"base":       []string{"10.0.128.0/18", "10.1.128.0/18"},
-			"restricted": []string{"10.8.128.0/18", "10.9.128.0/18"},
+			"shared_vpc": []string{"10.8.128.0/18", "10.9.128.0/18"},
 		},
 		"production": {
-			"base":       []string{"10.0.192.0/18", "10.1.192.0/18"},
-			"restricted": []string{"10.8.192.0/18", "10.9.192.0/18"},
+			"shared_vpc": []string{"10.8.192.0/18", "10.9.192.0/18"},
 		},
 	}
 
 	googleapisCIDR := map[string]map[string]string{
 		"development": {
-			"base":       "10.17.0.2",
-			"restricted": "10.17.0.6",
+			"shared_vpc": "10.17.0.6",
 		},
 		"nonproduction": {
-			"base":       "10.17.0.3",
-			"restricted": "10.17.0.7",
+			"shared_vpc": "10.17.0.7",
 		},
 		"production": {
-			"base":       "10.17.0.4",
-			"restricted": "10.17.0.8",
+			"shared_vpc": "10.17.0.8",
 		},
 	}
 
@@ -362,7 +338,7 @@ func TestNetworks(t *testing.T) {
 					}
 
 					for _, networkType := range []string{
-						"restricted", //restricted or shared?
+						"shared_vpc",
 					} {
 						projectID := networks.GetStringOutput(fmt.Sprintf("%s_host_project_id", networkType))