From b437e29544c474d10eb3ba2abc1fd0551a7e2627 Mon Sep 17 00:00:00 2001 
From: Daniel Andrade Date: Fri, 16 Dec 2022 17:03:24 -0300 Subject: [PATCH] fix: tflint fixes (#909) --- 0-bootstrap/cb.tf | 1 + 0-bootstrap/groups.tf | 4 +- 0-bootstrap/jenkins.tf.example | 3 +- 0-bootstrap/main.tf | 5 +-- 0-bootstrap/modules/cb-private-pool/vpn_ha.tf | 1 - 0-bootstrap/modules/jenkins-agent/README.md | 1 - 0-bootstrap/modules/jenkins-agent/main.tf | 5 ++- .../modules/jenkins-agent/variables.tf | 6 --- 0-bootstrap/modules/jenkins-agent/vpn_ha.tf | 5 ++- 1-org/envs/shared/org_policy.tf | 29 +++++++----- 1-org/envs/shared/projects.tf | 44 +++++++++++-------- 1-org/envs/shared/tags.tf | 4 +- 2-environments/modules/env_baseline/main.tf | 2 - .../modules/env_baseline/monitoring.tf | 5 ++- .../modules/env_baseline/networking.tf | 10 +++-- .../modules/env_baseline/secrets.tf | 5 ++- 3-networks-dual-svpc/envs/shared/dns-hub.tf | 9 +++- .../envs/shared/hierarchical_firewall.tf | 1 + .../modules/base_env/interconnect.tf.example | 1 + 3-networks-dual-svpc/modules/base_env/main.tf | 27 ++---------- .../modules/base_env/vpn.tf.example | 4 ++ .../modules/base_shared_vpc/README.md | 4 -- .../modules/base_shared_vpc/data.tf | 31 ------------- .../modules/base_shared_vpc/dns.tf | 5 ++- .../modules/base_shared_vpc/main.tf | 5 ++- .../modules/base_shared_vpc/nat.tf | 4 +- .../private_service_connect.tf | 5 ++- .../modules/base_shared_vpc/variables.tf | 23 ---------- .../modules/dedicated_interconnect/README.md | 1 - .../dedicated_interconnect/variables.tf | 6 --- .../modules/partner_interconnect/README.md | 1 - .../modules/partner_interconnect/variables.tf | 6 --- .../modules/restricted_shared_vpc/README.md | 3 -- .../modules/restricted_shared_vpc/data.tf | 31 ------------- .../modules/restricted_shared_vpc/nat.tf | 4 +- .../private_service_connect.tf | 5 ++- .../restricted_shared_vpc/service_control.tf | 1 - .../restricted_shared_vpc/variables.tf | 17 ------- 3-networks-dual-svpc/modules/vpn-ha/README.md | 2 - 3-networks-dual-svpc/modules/vpn-ha/main.tf | 16 +++++-- 
.../modules/vpn-ha/variables.tf | 12 ----- .../envs/shared/dns-hub.tf | 9 +++- .../envs/shared/hierarchical_firewall.tf | 1 + .../envs/shared/net-hubs-transitivity.tf | 10 +++-- .../envs/shared/net-hubs.tf | 8 ++-- .../modules/base_env/main.tf | 25 ++--------- .../modules/base_env/vpn.tf.example | 4 ++ .../modules/base_shared_vpc/README.md | 2 - .../modules/base_shared_vpc/data.tf | 31 ------------- .../modules/base_shared_vpc/dns.tf | 5 ++- .../modules/base_shared_vpc/main.tf | 12 ++--- .../modules/base_shared_vpc/nat.tf | 4 +- .../private_service_connect.tf | 5 ++- .../modules/base_shared_vpc/variables.tf | 11 ----- .../modules/restricted_shared_vpc/README.md | 1 - .../modules/restricted_shared_vpc/data.tf | 31 ------------- .../modules/restricted_shared_vpc/main.tf | 5 ++- .../modules/restricted_shared_vpc/nat.tf | 4 +- .../restricted_shared_vpc/variables.tf | 5 --- .../modules/transitivity/main.tf | 26 ++++++----- .../modules/vpn-ha/main.tf | 16 +++++-- .../shared/example_infra_pipeline.tf | 1 - .../shared/example_infra_pipeline.tf | 1 - .../base_env/example_peering_project.tf | 10 +++-- .../modules/base_env/example_storage_cmek.tf | 9 ++-- 4-projects/modules/base_env/main.tf | 4 -- 4-projects/modules/infra_pipelines/README.md | 1 - .../modules/infra_pipelines/variables.tf | 6 --- 4-projects/modules/single_project/README.md | 1 - 4-projects/modules/single_project/main.tf | 3 +- .../modules/single_project/variables.tf | 6 --- .../business_unit_1/development/main.tf | 1 - .../business_unit_1/non-production/main.tf | 1 - .../business_unit_1/production/main.tf | 1 - 5-app-infra/modules/env_base/README.md | 1 - 5-app-infra/modules/env_base/main.tf | 1 - 5-app-infra/modules/env_base/variables.tf | 6 --- Makefile | 3 +- build/int.cloudbuild.yaml | 2 +- build/lint.cloudbuild.yaml | 3 +- 80 files changed, 206 insertions(+), 424 deletions(-) delete mode 100644 3-networks-dual-svpc/modules/base_shared_vpc/data.tf delete mode 100644 
3-networks-dual-svpc/modules/restricted_shared_vpc/data.tf delete mode 100644 3-networks-hub-and-spoke/modules/base_shared_vpc/data.tf delete mode 100644 3-networks-hub-and-spoke/modules/restricted_shared_vpc/data.tf diff --git a/0-bootstrap/cb.tf b/0-bootstrap/cb.tf index 7c99dba57..bb040d67e 100644 --- a/0-bootstrap/cb.tf +++ b/0-bootstrap/cb.tf @@ -22,6 +22,7 @@ locals { cicd_project_id = module.tf_source.cloudbuild_project_id + bucket_self_link_prefix = "https://www.googleapis.com/storage/v1/b/" default_state_bucket_self_link = "${local.bucket_self_link_prefix}${module.seed_bootstrap.gcs_bucket_tfstate}" gcp_projects_state_bucket_self_link = module.gcp_projects_state_bucket.bucket.self_link diff --git a/0-bootstrap/groups.tf b/0-bootstrap/groups.tf index 704aee224..274635e24 100644 --- a/0-bootstrap/groups.tf +++ b/0-bootstrap/groups.tf @@ -33,9 +33,9 @@ data "google_organization" "org" { } module "required_group" { - for_each = local.required_groups_to_create source = "terraform-google-modules/group/google" version = "~> 0.4" + for_each = local.required_groups_to_create id = each.value display_name = each.key @@ -45,9 +45,9 @@ module "required_group" { } module "optional_group" { - for_each = local.optional_groups_to_create source = "terraform-google-modules/group/google" version = "~> 0.4" + for_each = local.optional_groups_to_create id = each.value display_name = each.key diff --git a/0-bootstrap/jenkins.tf.example b/0-bootstrap/jenkins.tf.example index 5f35976c9..7e9413ffb 100644 --- a/0-bootstrap/jenkins.tf.example +++ b/0-bootstrap/jenkins.tf.example @@ -21,7 +21,8 @@ locals { } module "jenkins_bootstrap" { - source = "./modules/jenkins-agent" + source = "./modules/jenkins-agent" + org_id = var.org_id folder_id = google_folder.bootstrap.id billing_account = var.billing_account diff --git a/0-bootstrap/main.tf b/0-bootstrap/main.tf index 5014021eb..f3a3ff555 100644 --- a/0-bootstrap/main.tf +++ b/0-bootstrap/main.tf 
@@ -33,9 +33,8 @@ locals { org_admins_org_iam_permissions = var.org_policy_admin_role == true ? [ "roles/orgpolicy.policyAdmin", "roles/resourcemanager.organizationAdmin", "roles/billing.user" ] : ["roles/resourcemanager.organizationAdmin", "roles/billing.user"] - bucket_self_link_prefix = "https://www.googleapis.com/storage/v1/b/" - group_org_admins = var.groups.create_groups ? var.groups.required_groups.group_org_admins : var.group_org_admins - group_billing_admins = var.groups.create_groups ? var.groups.required_groups.group_billing_admins : var.group_billing_admins + group_org_admins = var.groups.create_groups ? var.groups.required_groups.group_org_admins : var.group_org_admins + group_billing_admins = var.groups.create_groups ? var.groups.required_groups.group_billing_admins : var.group_billing_admins } resource "google_folder" "bootstrap" { diff --git a/0-bootstrap/modules/cb-private-pool/vpn_ha.tf b/0-bootstrap/modules/cb-private-pool/vpn_ha.tf index fe57b986b..d08a48132 100644 --- a/0-bootstrap/modules/cb-private-pool/vpn_ha.tf +++ b/0-bootstrap/modules/cb-private-pool/vpn_ha.tf @@ -31,7 +31,6 @@ module "vpn_ha_cb_to_onprem" { version = "~> 2.3" count = var.vpn_configuration.enable_vpn ? 1 : 0 - project_id = var.project_id region = var.private_worker_pool.region network = local.peered_network_id diff --git a/0-bootstrap/modules/jenkins-agent/README.md b/0-bootstrap/modules/jenkins-agent/README.md index ea1032106..be3249452 100644 --- a/0-bootstrap/modules/jenkins-agent/README.md +++ b/0-bootstrap/modules/jenkins-agent/README.md 
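Review bot: Dropping `project_id = var.project_id` from the `vpn_ha_cb_to_onprem` block in 0-bootstrap/modules/cb-private-pool/vpn_ha.tf only works if the module already receives its project on a line above the hunk, because `project_id` is a required input of the vpn_ha submodule and the hunk adds no replacement. The module block starts outside the hunk, so this reads as a duplicate-argument cleanup but cannot be confirmed from here. If no other `project_id` line exists in the block, the removed line should be restored, e.g. `project_id = var.project_id` directly after the `count` line.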
@@ -61,7 +61,6 @@ module "jenkins_bootstrap" { | jenkins\_agent\_gce\_name | Jenkins Agent GCE Instance name. | `string` | `"jenkins-agent-01"` | no | | jenkins\_agent\_gce\_private\_ip\_address | The private IP Address of the Jenkins Agent. This IP Address must be in the CIDR range of `jenkins_agent_gce_subnetwork_cidr_range` and be reachable through the VPN that exists between on-prem (Jenkins Controller) and GCP (CICD Project, where the Jenkins Agent is located). | `string` | n/a | yes | | jenkins\_agent\_gce\_ssh\_pub\_key | SSH public key needed by the Jenkins Agent GCE Instance. The Jenkins Controller holds the SSH private key. The correct format is `'ssh-rsa [KEY_VALUE] [USERNAME]'` | `string` | n/a | yes | -| jenkins\_agent\_gce\_ssh\_user | Jenkins Agent GCE Instance SSH username. | `string` | `"jenkins"` | no | | jenkins\_agent\_gce\_subnetwork\_cidr\_range | The subnetwork to which the Jenkins Agent will be connected to (in CIDR range 0.0.0.0/0) | `string` | n/a | yes | | jenkins\_agent\_sa\_email | Email for Jenkins Agent service account. | `string` | `"jenkins-agent-gce"` | no | | jenkins\_controller\_subnetwork\_cidr\_range | A list of CIDR IP ranges of the Jenkins Controller in the form ['0.0.0.0/0']. Usually only one IP in the form '0.0.0.0/32'. Needed to create a FW rule that allows communication with the Jenkins Agent GCE Instance. | `list(string)` | n/a | yes | diff --git a/0-bootstrap/modules/jenkins-agent/main.tf b/0-bootstrap/modules/jenkins-agent/main.tf index bb05ee822..ee765c07c 100644 --- a/0-bootstrap/modules/jenkins-agent/main.tf +++ b/0-bootstrap/modules/jenkins-agent/main.tf 
@@ -29,8 +29,9 @@ resource "random_id" "suffix" { CICD project *******************************************/ module "cicd_project" { - source = "terraform-google-modules/project-factory/google" - version = "~> 14.0" + source = "terraform-google-modules/project-factory/google" + version = "~> 14.0" + name = local.cicd_project_name random_project_id = true random_project_id_length = 4 diff --git a/0-bootstrap/modules/jenkins-agent/variables.tf b/0-bootstrap/modules/jenkins-agent/variables.tf index 53b51b422..220c28427 100644 --- a/0-bootstrap/modules/jenkins-agent/variables.tf +++ b/0-bootstrap/modules/jenkins-agent/variables.tf @@ -64,12 +64,6 @@ variable "jenkins_agent_gce_private_ip_address" { type = string } -variable "jenkins_agent_gce_ssh_user" { - description = "Jenkins Agent GCE Instance SSH username." - type = string - default = "jenkins" -} - variable "jenkins_agent_gce_ssh_pub_key" { description = "SSH public key needed by the Jenkins Agent GCE Instance. The Jenkins Controller holds the SSH private key. The correct format is `'ssh-rsa [KEY_VALUE] [USERNAME]'`" type = string diff --git a/0-bootstrap/modules/jenkins-agent/vpn_ha.tf b/0-bootstrap/modules/jenkins-agent/vpn_ha.tf index b022aac09..cd05f36e5 100644 --- a/0-bootstrap/modules/jenkins-agent/vpn_ha.tf +++ b/0-bootstrap/modules/jenkins-agent/vpn_ha.tf @@ -15,8 +15,9 @@ */ module "vpn_ha_agent_to_onprem" { - source = "terraform-google-modules/vpn/google//modules/vpn_ha" - version = "~> 2.0" + source = "terraform-google-modules/vpn/google//modules/vpn_ha" + version = "~> 2.0" + project_id = module.cicd_project.project_id region = var.default_region network = google_compute_network.jenkins_agents.name diff --git a/1-org/envs/shared/org_policy.tf b/1-org/envs/shared/org_policy.tf index 994e6a905..6d99d78f5 100644 --- a/1-org/envs/shared/org_policy.tf +++ b/1-org/envs/shared/org_policy.tf 
@@ -20,7 +20,7 @@ locals { policy_for = local.parent_folder != "" ? "folder" : "organization" essential_contacts_domains_to_allow = concat( - [for domain in var.essential_contacts_domains_to_allow : "${domain}" if can(regex("^@.*$", domain)) == true], + [for domain in var.essential_contacts_domains_to_allow : domain if can(regex("^@.*$", domain)) == true], [for domain in var.essential_contacts_domains_to_allow : "@${domain}" if can(regex("^@.*$", domain)) == false] ) @@ -46,9 +46,10 @@ locals { } module "organization_policies_type_boolean" { - for_each = local.boolean_type_organization_policies - source = "terraform-google-modules/org-policy/google" - version = "~> 5.1" + source = "terraform-google-modules/org-policy/google" + version = "~> 5.1" + for_each = local.boolean_type_organization_policies + organization_id = local.organization_id folder_id = local.folder_id policy_for = local.policy_for @@ -62,8 +63,9 @@ module "organization_policies_type_boolean" { *******************************************/ module "org_vm_external_ip_access" { - source = "terraform-google-modules/org-policy/google" - version = "~> 5.1" + source = "terraform-google-modules/org-policy/google" + version = "~> 5.1" + organization_id = local.organization_id folder_id = local.folder_id policy_for = local.policy_for @@ -73,8 +75,9 @@ module "org_vm_external_ip_access" { } module "restrict_protocol_fowarding" { - source = "terraform-google-modules/org-policy/google" - version = "~> 5.1" + source = "terraform-google-modules/org-policy/google" + version = "~> 5.1" + organization_id = local.organization_id folder_id = local.folder_id policy_for = local.policy_for 
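Review bot: The rewritten comprehension in 1-org/envs/shared/org_policy.tf keeps the redundant `== true` comparison on the `can(regex(...))` test, and the unchanged line below keeps `== false`; `can()` already yields a bool, so `if can(regex("^@.*$", domain))` and `if !can(regex("^@.*$", domain))` express the same filter more directly. The `essential_contacts_domains_to_allow` local is otherwise unchanged by this hunk.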
@@ -89,8 +92,9 @@ module "restrict_protocol_fowarding" { *******************************************/ module "org_domain_restricted_sharing" { - source = "terraform-google-modules/org-policy/google//modules/domain_restricted_sharing" - version = "~> 5.1" + source = "terraform-google-modules/org-policy/google//modules/domain_restricted_sharing" + version = "~> 5.1" + organization_id = local.organization_id folder_id = local.folder_id policy_for = local.policy_for @@ -102,8 +106,9 @@ module "org_domain_restricted_sharing" { *******************************************/ module "domain_restricted_contacts" { - source = "terraform-google-modules/org-policy/google" - version = "~> 5.1" + source = "terraform-google-modules/org-policy/google" + version = "~> 5.1" + organization_id = local.organization_id folder_id = local.folder_id policy_for = local.policy_for diff --git a/1-org/envs/shared/projects.tf b/1-org/envs/shared/projects.tf index f09cec59c..3ebb4e8bc 100644 --- a/1-org/envs/shared/projects.tf +++ b/1-org/envs/shared/projects.tf @@ -28,8 +28,9 @@ locals { *****************************************/ module "org_audit_logs" { - source = "terraform-google-modules/project-factory/google" - version = "~> 14.0" + source = "terraform-google-modules/project-factory/google" + version = "~> 14.0" + random_project_id = true random_project_id_length = 4 default_service_account = "deprivilege" @@ -54,8 +55,9 @@ module "org_audit_logs" { } module "org_billing_logs" { - source = "terraform-google-modules/project-factory/google" - version = "~> 14.0" + source = "terraform-google-modules/project-factory/google" + version = "~> 14.0" + random_project_id = true random_project_id_length = 4 default_service_account = "deprivilege" 
@@ -84,8 +86,9 @@ module "org_billing_logs" { *****************************************/ module "org_secrets" { - source = "terraform-google-modules/project-factory/google" - version = "~> 14.0" + source = "terraform-google-modules/project-factory/google" + version = "~> 14.0" + random_project_id = true random_project_id_length = 4 default_service_account = "deprivilege" @@ -114,8 +117,9 @@ module "org_secrets" { *****************************************/ module "interconnect" { - source = "terraform-google-modules/project-factory/google" - version = "~> 14.0" + source = "terraform-google-modules/project-factory/google" + version = "~> 14.0" + random_project_id = true random_project_id_length = 4 default_service_account = "deprivilege" @@ -144,8 +148,9 @@ module "interconnect" { *****************************************/ module "scc_notifications" { - source = "terraform-google-modules/project-factory/google" - version = "~> 14.0" + source = "terraform-google-modules/project-factory/google" + version = "~> 14.0" + random_project_id = true random_project_id_length = 4 default_service_account = "deprivilege" @@ -174,8 +179,9 @@ module "scc_notifications" { *****************************************/ module "dns_hub" { - source = "terraform-google-modules/project-factory/google" - version = "~> 14.0" + source = "terraform-google-modules/project-factory/google" + version = "~> 14.0" + random_project_id = true random_project_id_length = 4 default_service_account = "deprivilege" @@ -212,9 +218,10 @@ module "dns_hub" { *****************************************/ module "base_network_hub" { - source = "terraform-google-modules/project-factory/google" - version = "~> 14.0" - count = var.enable_hub_and_spoke ? 1 : 0 + source = "terraform-google-modules/project-factory/google" + version = "~> 14.0" + count = var.enable_hub_and_spoke ? 1 : 0 + random_project_id = true random_project_id_length = 4 default_service_account = "deprivilege" 
@@ -259,9 +266,10 @@ resource "google_project_iam_member" "network_sa_base" { *****************************************/ module "restricted_network_hub" { - source = "terraform-google-modules/project-factory/google" - version = "~> 14.0" - count = var.enable_hub_and_spoke ? 1 : 0 + source = "terraform-google-modules/project-factory/google" + version = "~> 14.0" + count = var.enable_hub_and_spoke ? 1 : 0 + random_project_id = true random_project_id_length = 4 default_service_account = "deprivilege" diff --git a/1-org/envs/shared/tags.tf b/1-org/envs/shared/tags.tf index 375aa0c47..54a39dbb7 100644 --- a/1-org/envs/shared/tags.tf +++ b/1-org/envs/shared/tags.tf @@ -34,9 +34,9 @@ locals { tags_obj_list = flatten([ for tag_key, tag_obj in local.tags : [ for value in tag_obj.values : { - shortkey = "${tag_key}" + shortkey = tag_key key = "${tag_key}_${value}" - val = "${value}" + val = value } ] ]) diff --git a/2-environments/modules/env_baseline/main.tf b/2-environments/modules/env_baseline/main.tf index 9cb333da3..9475329c7 100644 --- a/2-environments/modules/env_baseline/main.tf +++ b/2-environments/modules/env_baseline/main.tf @@ -16,10 +16,8 @@ locals { org_id = data.terraform_remote_state.bootstrap.outputs.common_config.org_id - parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder parent = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account - default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region project_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.project_prefix folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix tags = data.terraform_remote_state.org.outputs.tags diff --git a/2-environments/modules/env_baseline/monitoring.tf b/2-environments/modules/env_baseline/monitoring.tf index 4c9bd34e6..680e32fd1 100644 
--- a/2-environments/modules/env_baseline/monitoring.tf +++ b/2-environments/modules/env_baseline/monitoring.tf @@ -19,8 +19,9 @@ *****************************************/ module "monitoring_project" { - source = "terraform-google-modules/project-factory/google" - version = "~> 14.0" + source = "terraform-google-modules/project-factory/google" + version = "~> 14.0" + random_project_id = true random_project_id_length = 4 name = "${local.project_prefix}-${var.environment_code}-monitoring" diff --git a/2-environments/modules/env_baseline/networking.tf b/2-environments/modules/env_baseline/networking.tf index 8ee236440..b04c7f898 100644 --- a/2-environments/modules/env_baseline/networking.tf +++ b/2-environments/modules/env_baseline/networking.tf @@ -19,8 +19,9 @@ *****************************************/ module "base_shared_vpc_host_project" { - source = "terraform-google-modules/project-factory/google" - version = "~> 14.0" + source = "terraform-google-modules/project-factory/google" + version = "~> 14.0" + random_project_id = true random_project_id_length = 4 name = format("%s-%s-shared-base", local.project_prefix, var.environment_code) @@ -53,8 +54,9 @@ module "base_shared_vpc_host_project" { } module "restricted_shared_vpc_host_project" { - source = "terraform-google-modules/project-factory/google" - version = "~> 14.0" + source = "terraform-google-modules/project-factory/google" + version = "~> 14.0" + random_project_id = true random_project_id_length = 4 name = format("%s-%s-shared-restricted", local.project_prefix, var.environment_code) diff --git a/2-environments/modules/env_baseline/secrets.tf b/2-environments/modules/env_baseline/secrets.tf index 44d9f00b4..2f97736f8 100644 --- a/2-environments/modules/env_baseline/secrets.tf +++ b/2-environments/modules/env_baseline/secrets.tf 
@@ -20,8 +20,9 @@ *****************************************/ module "env_secrets" { - source = "terraform-google-modules/project-factory/google" - version = "~> 14.0" + source = "terraform-google-modules/project-factory/google" + version = "~> 14.0" + random_project_id = true random_project_id_length = 4 default_service_account = "deprivilege" diff --git a/3-networks-dual-svpc/envs/shared/dns-hub.tf b/3-networks-dual-svpc/envs/shared/dns-hub.tf index 41dc70bac..31b9915d9 100644 --- a/3-networks-dual-svpc/envs/shared/dns-hub.tf +++ b/3-networks-dual-svpc/envs/shared/dns-hub.tf @@ -19,8 +19,9 @@ *****************************************/ module "dns_hub_vpc" { - source = "terraform-google-modules/network/google" - version = "~> 5.1" + source = "terraform-google-modules/network/google" + version = "~> 5.1" + project_id = local.dns_hub_project_id network_name = "vpc-c-dns-hub" shared_vpc_host = "false" @@ -91,6 +92,7 @@ module "dns-forwarding-zone" { module "dns_hub_region1_router1" { source = "terraform-google-modules/cloud-router/google" version = "~> 3.0" + name = "cr-c-dns-hub-${local.default_region1}-cr1" project = local.dns_hub_project_id network = module.dns_hub_vpc.network_name @@ -104,6 +106,7 @@ module "dns_hub_region1_router1" { module "dns_hub_region1_router2" { source = "terraform-google-modules/cloud-router/google" version = "~> 3.0" + name = "cr-c-dns-hub-${local.default_region1}-cr2" project = local.dns_hub_project_id network = module.dns_hub_vpc.network_name @@ -117,6 +120,7 @@ module "dns_hub_region1_router2" { module "dns_hub_region2_router1" { source = "terraform-google-modules/cloud-router/google" version = "~> 3.0" + name = "cr-c-dns-hub-${local.default_region2}-cr3" project = local.dns_hub_project_id network = module.dns_hub_vpc.network_name 
@@ -130,6 +134,7 @@ module "dns_hub_region2_router1" { module "dns_hub_region2_router2" { source = "terraform-google-modules/cloud-router/google" version = "~> 3.0" + name = "cr-c-dns-hub-${local.default_region2}-cr4" project = local.dns_hub_project_id network = module.dns_hub_vpc.network_name diff --git a/3-networks-dual-svpc/envs/shared/hierarchical_firewall.tf b/3-networks-dual-svpc/envs/shared/hierarchical_firewall.tf index d03fc4e38..4bf884848 100644 --- a/3-networks-dual-svpc/envs/shared/hierarchical_firewall.tf +++ b/3-networks-dual-svpc/envs/shared/hierarchical_firewall.tf @@ -16,6 +16,7 @@ module "hierarchical_firewall_policy" { source = "../../modules/hierarchical_firewall_policy/" + parent = local.common_folder_name name = "common-firewall-rules" associations = [ diff --git a/3-networks-dual-svpc/modules/base_env/interconnect.tf.example b/3-networks-dual-svpc/modules/base_env/interconnect.tf.example index 4034c9b6f..c7d170837 100644 --- a/3-networks-dual-svpc/modules/base_env/interconnect.tf.example +++ b/3-networks-dual-svpc/modules/base_env/interconnect.tf.example @@ -15,6 +15,7 @@ */ locals { + interconnect_project_id = data.terraform_remote_state.org.outputs.interconnect_project_id base_config = { "development" = { region1_interconnect1_candidate_subnets = ["169.254.0.192/29"] diff --git a/3-networks-dual-svpc/modules/base_env/main.tf b/3-networks-dual-svpc/modules/base_env/main.tf index c9b40916a..70c4dfa33 100644 --- a/3-networks-dual-svpc/modules/base_env/main.tf +++ b/3-networks-dual-svpc/modules/base_env/main.tf 
@@ -15,17 +15,9 @@ */ locals { - org_id = data.terraform_remote_state.bootstrap.outputs.common_config.org_id - parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder - parent_id = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id - billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account - default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region - folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix restricted_project_id = data.terraform_remote_state.environments_env.outputs.restricted_shared_vpc_project_id restricted_project_number = data.terraform_remote_state.environments_env.outputs.restricted_shared_vpc_project_number base_project_id = data.terraform_remote_state.environments_env.outputs.base_shared_vpc_project_id - env_secret_project_id = data.terraform_remote_state.environments_env.outputs.env_secrets_project_id - interconnect_project_id = data.terraform_remote_state.org.outputs.interconnect_project_id interconnect_project_number = data.terraform_remote_state.org.outputs.interconnect_project_number dns_hub_project_id = data.terraform_remote_state.org.outputs.dns_hub_project_id organization_service_account = data.terraform_remote_state.bootstrap.outputs.organization_step_terraform_service_account_email @@ -197,15 +189,6 @@ data "terraform_remote_state" "org" { } } -data "terraform_remote_state" "network_shared" { - backend = "gcs" - - config = { - bucket = var.remote_state_bucket - prefix = "terraform/networks/envs/shared" - } -} - data "terraform_remote_state" "environments_env" { backend = "gcs" 
@@ -219,7 +202,8 @@ data "terraform_remote_state" "environments_env" { Restricted shared VPC *****************************************/ module "restricted_shared_vpc" { - source = "../restricted_shared_vpc" + source = "../restricted_shared_vpc" + project_id = local.restricted_project_id dns_hub_project_id = local.dns_hub_project_id project_number = local.restricted_project_number @@ -233,8 +217,6 @@ module "restricted_shared_vpc" { ], var.perimeter_additional_members)) private_service_cidr = var.restricted_private_service_cidr private_service_connect_ip = var.restricted_private_service_connect_ip - org_id = local.org_id - parent_folder = local.parent_folder bgp_asn_subnet = local.bgp_asn_number default_region1 = var.default_region1 default_region2 = var.default_region2 @@ -276,14 +258,13 @@ module "restricted_shared_vpc" { *****************************************/ module "base_shared_vpc" { - source = "../base_shared_vpc" + source = "../base_shared_vpc" + project_id = local.base_project_id dns_hub_project_id = local.dns_hub_project_id environment_code = var.environment_code private_service_cidr = var.base_private_service_cidr private_service_connect_ip = var.base_private_service_connect_ip - org_id = local.org_id - parent_folder = local.parent_folder default_region1 = var.default_region1 default_region2 = var.default_region2 domain = var.domain diff --git a/3-networks-dual-svpc/modules/base_env/vpn.tf.example b/3-networks-dual-svpc/modules/base_env/vpn.tf.example index b41656be0..660edc104 100644 --- a/3-networks-dual-svpc/modules/base_env/vpn.tf.example +++ b/3-networks-dual-svpc/modules/base_env/vpn.tf.example @@ -14,6 +14,10 @@ * limitations under the License. */ +locals { + env_secret_project_id = data.terraform_remote_state.environments_env.outputs.env_secrets_project_id +} + module "shared_base_vpn" { source = "../vpn-ha" 
diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/README.md b/3-networks-dual-svpc/modules/base_shared_vpc/README.md index d65840a9b..f0b838fab 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/README.md +++ b/3-networks-dual-svpc/modules/base_shared_vpc/README.md @@ -14,14 +14,10 @@ | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes | | environment\_code | A short form of the folder level resources (environment) within the Google Cloud organization. | `string` | n/a | yes | | firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no | -| folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no | | nat\_bgp\_asn | BGP ASN for first NAT cloud routes. | `number` | `64514` | no | | nat\_enabled | Toggle creation of NAT cloud router. | `bool` | `false` | no | -| nat\_num\_addresses | Number of external IPs to reserve for Cloud NAT. | `number` | `2` | no | | nat\_num\_addresses\_region1 | Number of external IPs to reserve for first Cloud NAT. | `number` | `2` | no | | nat\_num\_addresses\_region2 | Number of external IPs to reserve for second Cloud NAT. | `number` | `2` | no | -| org\_id | Organization ID | `string` | n/a | yes | -| parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no | | private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | `string` | `null` | no | | private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint | `string` | n/a | yes | | project\_id | Project ID for Private Shared VPC. | `string` | n/a | yes | diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/data.tf b/3-networks-dual-svpc/modules/base_shared_vpc/data.tf deleted file mode 100644 index 3fe8f19cc..000000000 --- a/3-networks-dual-svpc/modules/base_shared_vpc/data.tf +++ /dev/null 
@@ -1,31 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/****************************************** - Ranges for default firewall rules. - *****************************************/ - -data "google_netblock_ip_ranges" "legacy_health_checkers" { - range_type = "legacy-health-checkers" -} - -data "google_netblock_ip_ranges" "health_checkers" { - range_type = "health-checkers" -} - -data "google_netblock_ip_ranges" "iap_forwarders" { - range_type = "iap-forwarders" -} diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf b/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf index 0a6b62f48..e749b3b75 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf +++ b/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf @@ -37,8 +37,9 @@ data "google_compute_network" "vpc_dns_hub" { } module "peering_zone" { - source = "terraform-google-modules/cloud-dns/google" - version = "~> 3.1" + source = "terraform-google-modules/cloud-dns/google" + version = "~> 3.1" + project_id = var.project_id type = "peering" name = "dz-${var.environment_code}-shared-base-to-dns-hub" diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/main.tf b/3-networks-dual-svpc/modules/base_shared_vpc/main.tf index aa0f75aa8..5bab6d488 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/main.tf +++ b/3-networks-dual-svpc/modules/base_shared_vpc/main.tf 
@@ -25,8 +25,9 @@ locals { *****************************************/ module "main" { - source = "terraform-google-modules/network/google" - version = "~> 5.1" + source = "terraform-google-modules/network/google" + version = "~> 5.1" + project_id = var.project_id network_name = local.network_name shared_vpc_host = "true" diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/nat.tf b/3-networks-dual-svpc/modules/base_shared_vpc/nat.tf index bfe791cd6..600a06f8c 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/nat.tf +++ b/3-networks-dual-svpc/modules/base_shared_vpc/nat.tf @@ -42,7 +42,7 @@ resource "google_compute_router_nat" "egress_nat_region1" { count = var.nat_enabled ? 1 : 0 name = "rn-${local.vpc_name}-${var.default_region1}-egress" project = var.project_id - router = google_compute_router.nat_router_region1.0.name + router = google_compute_router.nat_router_region1[0].name region = var.default_region1 nat_ip_allocate_option = "MANUAL_ONLY" nat_ips = google_compute_address.nat_external_addresses_region1.*.self_link @@ -77,7 +77,7 @@ resource "google_compute_router_nat" "egress_nat2" { count = var.nat_enabled ? 1 : 0 name = "rn-${local.vpc_name}-${var.default_region2}-egress" project = var.project_id - router = google_compute_router.nat_router_region2.0.name + router = google_compute_router.nat_router_region2[0].name region = var.default_region2 nat_ip_allocate_option = "MANUAL_ONLY" nat_ips = google_compute_address.nat_external_addresses_region2.*.self_link diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/private_service_connect.tf b/3-networks-dual-svpc/modules/base_shared_vpc/private_service_connect.tf index 0c03ea327..d1f2bd90d 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/private_service_connect.tf +++ b/3-networks-dual-svpc/modules/base_shared_vpc/private_service_connect.tf 
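Review bot: The `nat_ips` line two lines below each changed `router` line in 3-networks-dual-svpc/modules/base_shared_vpc/nat.tf still uses the legacy `.*.self_link` splat while the same hunks replace `.0.name` with `[0].name`; for consistency within the resource the full-splat form `nat_ips = google_compute_address.nat_external_addresses_region1[*].self_link` (and the region2 counterpart in the second hunk) belongs in this change too. Both `google_compute_router_nat` resources continue outside the hunks.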
@@ -16,8 +16,9 @@ module "private_service_connect" {
- source = "terraform-google-modules/network/google//modules/private-service-connect"
- version = "~> 5.2"
+ source = "terraform-google-modules/network/google//modules/private-service-connect"
+ version = "~> 5.2"
+ project_id = var.project_id
 dns_code = "dz-${var.environment_code}-shared-base"
 network_self_link = module.main.network_self_link
diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf
index c7735c659..4a8e779fd 100644
--- a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf
+++ b/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf
@@ -14,11 +14,6 @@
 * limitations under the License.
 */
-variable "org_id" {
- type = string
- description = "Organization ID"
-}
-
 variable "project_id" {
 type = string
 description = "Project ID for Private Shared VPC."
@@ -125,24 +120,6 @@ variable "windows_activation_enabled" {
 default = false
 }
-variable "nat_num_addresses" {
- type = number
- description = "Number of external IPs to reserve for Cloud NAT."
- default = 2
-}
-
-variable "parent_folder" {
- description = "Optional - if using a folder for testing."
- type = string
- default = ""
-}
-
-variable "folder_prefix" {
- description = "Name prefix to use for folders created."
- type = string
- default = "fldr"
-}
-
 variable "allow_all_egress_ranges" {
 description = "List of network ranges to which all egress traffic will be allowed"
 default = null
diff --git a/3-networks-dual-svpc/modules/dedicated_interconnect/README.md b/3-networks-dual-svpc/modules/dedicated_interconnect/README.md
index 632970051..cc94dcd37 100644
--- a/3-networks-dual-svpc/modules/dedicated_interconnect/README.md
+++ b/3-networks-dual-svpc/modules/dedicated_interconnect/README.md
@@ -20,7 +20,6 @@ This module implements the recommendation proposed in [Establishing 99.99% Avail
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | cloud\_router\_labels | A map of suffixes for labelling vlans with four entries like "vlan\_1" => "suffix1" with keys from `vlan_1` to `vlan_4`. | `map(string)` | `{}` | no |
-| folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no |
 | interconnect\_project\_id | Interconnect project ID. | `string` | n/a | yes |
 | peer\_asn | Peer BGP Autonomous System Number (ASN). | `number` | n/a | yes |
 | peer\_name | Name of this BGP peer. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]\*[a-z0-9])? | `string` | n/a | yes |
diff --git a/3-networks-dual-svpc/modules/dedicated_interconnect/variables.tf b/3-networks-dual-svpc/modules/dedicated_interconnect/variables.tf
index a13136b3a..446fbfbb8 100644
--- a/3-networks-dual-svpc/modules/dedicated_interconnect/variables.tf
+++ b/3-networks-dual-svpc/modules/dedicated_interconnect/variables.tf
@@ -175,9 +175,3 @@ variable "region2_interconnect2_vlan_tag8021q" {
 description = "The IEEE 802.1Q VLAN tag for this attachment, in the range 2-4094."
 default = null
 }
-
-variable "folder_prefix" {
- description = "Name prefix to use for folders created."
- type = string
- default = "fldr"
-}
diff --git a/3-networks-dual-svpc/modules/partner_interconnect/README.md b/3-networks-dual-svpc/modules/partner_interconnect/README.md
index 154a7e820..8982c4c24 100644
--- a/3-networks-dual-svpc/modules/partner_interconnect/README.md
+++ b/3-networks-dual-svpc/modules/partner_interconnect/README.md
@@ -22,7 +22,6 @@ This module implements the recommendation proposed in [Establishing 99.99% Avail
 |------|-------------|------|---------|:--------:|
 | attachment\_project\_id | the Interconnect project ID. | `string` | n/a | yes |
 | cloud\_router\_labels | A map of suffixes for labelling vlans with four entries like "vlan\_1" => "suffix1" with keys from `vlan_1` to `vlan_4`. | `map(string)` | `{}` | no |
-| folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no |
 | preactivate | Preactivate Partner Interconnect attachments, works only for level3 Partner Interconnect | `string` | `false` | no |
 | region1 | First subnet region. The Partner Interconnect module only configures two regions. | `string` | n/a | yes |
 | region1\_interconnect1\_location | Name of the interconnect location used in the creation of the Interconnect for the first location of region1 | `string` | n/a | yes |
diff --git a/3-networks-dual-svpc/modules/partner_interconnect/variables.tf b/3-networks-dual-svpc/modules/partner_interconnect/variables.tf
index 82caf4e60..3ee144750 100644
--- a/3-networks-dual-svpc/modules/partner_interconnect/variables.tf
+++ b/3-networks-dual-svpc/modules/partner_interconnect/variables.tf
@@ -100,12 +100,6 @@ variable "cloud_router_labels" {
 default = {}
 }
-variable "folder_prefix" {
- description = "Name prefix to use for folders created."
- type = string
- default = "fldr"
-}
-
 variable "preactivate" {
 description = "Preactivate Partner Interconnect attachments, works only for level3 Partner Interconnect"
 type = string
diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md
index f68b7cf3c..b6cebf542 100644
--- a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md
+++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md
@@ -16,15 +16,12 @@
 | egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference), each list object has a `from` and `to` value that describes egress\_from and egress\_to.

Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no |
 | environment\_code | A short form of the folder level resources (environment) within the Google Cloud organization. | `string` | n/a | yes |
 | firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no |
-| folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no |
 | ingress\_policies | A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference), each list object has a `from` and `to` value that describes ingress\_from and ingress\_to.

Example: `[{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) |
list(object({
from = any
to = any
}))
| `[]` | no |
 | members | An allowed list of members (users, service accounts). The signed-in identity originating the request must be a part of one of the provided members. If not specified, a request may come from any user (logged in/not logged in, etc.). Formats: user:{emailid}, serviceAccount:{emailid} | `list(string)` | n/a | yes |
 | nat\_bgp\_asn | BGP ASN for NAT cloud routes. If NAT is enabled this variable value must be a value in ranges [64512..65534] or [4200000000..4294967294]. | `number` | `64512` | no |
 | nat\_enabled | Toggle creation of NAT cloud router. | `bool` | `false` | no |
 | nat\_num\_addresses\_region1 | Number of external IPs to reserve for region 1 Cloud NAT. | `number` | `2` | no |
 | nat\_num\_addresses\_region2 | Number of external IPs to reserve for region 2 Cloud NAT. | `number` | `2` | no |
-| org\_id | Organization ID | `string` | n/a | yes |
-| parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no |
 | private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | `string` | `null` | no |
 | private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint. | `string` | n/a | yes |
 | project\_id | Project ID for Restricted Shared VPC. | `string` | n/a | yes |
diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/data.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/data.tf
deleted file mode 100644
index 3fe8f19cc..000000000
--- a/3-networks-dual-svpc/modules/restricted_shared_vpc/data.tf
+++ /dev/null
@@ -1,31 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/******************************************
- Ranges for default firewall rules.
- *****************************************/
-
-data "google_netblock_ip_ranges" "legacy_health_checkers" {
- range_type = "legacy-health-checkers"
-}
-
-data "google_netblock_ip_ranges" "health_checkers" {
- range_type = "health-checkers"
-}
-
-data "google_netblock_ip_ranges" "iap_forwarders" {
- range_type = "iap-forwarders"
-}
diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/nat.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/nat.tf
index 50c074c63..587ac9cdf 100644
--- a/3-networks-dual-svpc/modules/restricted_shared_vpc/nat.tf
+++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/nat.tf
@@ -44,7 +44,7 @@ resource "google_compute_router_nat" "nat_external_addresses_region1" {
 name = "rn-${local.vpc_name}-${var.default_region1}-egress"
 project = var.project_id
- router = google_compute_router.nat_router_region1.0.name
+ router = google_compute_router.nat_router_region1[0].name
 region = var.default_region1
 nat_ip_allocate_option = "MANUAL_ONLY"
 nat_ips = google_compute_address.nat_external_addresses1.*.self_link
@@ -82,7 +82,7 @@ resource "google_compute_router_nat" "egress_nat_region2" {
 name = "rn-${local.vpc_name}-${var.default_region2}-egress"
 project = var.project_id
- router = google_compute_router.nat_router_region2.0.name
+ router = google_compute_router.nat_router_region2[0].name
 region = var.default_region2
 nat_ip_allocate_option = "MANUAL_ONLY"
 nat_ips = google_compute_address.nat_external_addresses_region2.*.self_link
diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/private_service_connect.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/private_service_connect.tf
index 58ef89e9b..f1c0ab8a9 100644
--- a/3-networks-dual-svpc/modules/restricted_shared_vpc/private_service_connect.tf
+++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/private_service_connect.tf
@@ -16,8 +16,9 @@ module "private_service_connect" {
- source = "terraform-google-modules/network/google//modules/private-service-connect"
- version = "~> 5.2"
+ source = "terraform-google-modules/network/google//modules/private-service-connect"
+ version = "~> 5.2"
+ project_id = var.project_id
 dns_code = "dz-${var.environment_code}-shared-restricted"
 network_self_link = module.main.network_self_link
diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/service_control.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/service_control.tf
index 261be1511..194c21f1e 100644
--- a/3-networks-dual-svpc/modules/restricted_shared_vpc/service_control.tf
+++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/service_control.tf
@@ -18,7 +18,6 @@ locals {
 prefix = "${var.environment_code}_shared_restricted"
 access_level_name = "alp_${local.prefix}_members_${random_id.random_access_level_suffix.hex}"
 perimeter_name = "sp_${local.prefix}_default_perimeter_${random_id.random_access_level_suffix.hex}"
- bridge_name = "spb_c_to_${local.prefix}_bridge_${random_id.random_access_level_suffix.hex}"
 }
 resource "random_id" "random_access_level_suffix" {
diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf
index 0ea6d4c68..47bb94ab0 100644
--- a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf
+++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf
@@ -14,11 +14,6 @@
 * limitations under the License.
 */
-variable "org_id" {
- type = string
- description = "Organization ID"
-}
-
 variable "access_context_manager_policy_id" {
 type = number
 description = "The id of the default Access Context Manager policy. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format=\"value(name)\"`."
@@ -145,18 +140,6 @@ variable "restricted_services" {
 description = "List of services to restrict."
 }
-variable "parent_folder" {
- description = "Optional - if using a folder for testing."
- type = string
- default = ""
-}
-
-variable "folder_prefix" {
- description = "Name prefix to use for folders created."
- type = string
- default = "fldr"
-}
-
 variable "allow_all_egress_ranges" {
 description = "List of network ranges to which all egress traffic will be allowed"
 default = null
diff --git a/3-networks-dual-svpc/modules/vpn-ha/README.md b/3-networks-dual-svpc/modules/vpn-ha/README.md
index af3a12ceb..70e57bb60 100755
--- a/3-networks-dual-svpc/modules/vpn-ha/README.md
+++ b/3-networks-dual-svpc/modules/vpn-ha/README.md
@@ -24,10 +24,8 @@ If you are not able to use Dedicated Interconnect or Partner Interconnect you ca
 | default\_region1 | Default region 1 for Cloud Routers | `string` | n/a | yes |
 | default\_region2 | Default region 2 for Cloud Routers | `string` | n/a | yes |
 | env\_secret\_project\_id | the environment secrets project ID | `string` | n/a | yes |
-| folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no |
 | on\_prem\_router\_ip\_address1 | On-Prem Router IP address | `string` | n/a | yes |
 | on\_prem\_router\_ip\_address2 | On-Prem Router IP address | `string` | n/a | yes |
-| parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no |
 | project\_id | VPC Project ID | `string` | n/a | yes |
 | region1\_router1\_name | Name of the Router 1 for Region 1 where the attachment resides. | `string` | n/a | yes |
 | region1\_router1\_tunnel0\_bgp\_peer\_address | BGP session address for router 1 in region 1 tunnel 0 | `string` | n/a | yes |
diff --git a/3-networks-dual-svpc/modules/vpn-ha/main.tf b/3-networks-dual-svpc/modules/vpn-ha/main.tf
index 77a48279d..2b962f625 100755
--- a/3-networks-dual-svpc/modules/vpn-ha/main.tf
+++ b/3-networks-dual-svpc/modules/vpn-ha/main.tf
@@ -29,7 +29,9 @@ data "google_secret_manager_secret_version" "psk" {
 }
 module "vpn_ha_region1_router1" {
- source = "terraform-google-modules/vpn/google//modules/vpn_ha"
+ source = "terraform-google-modules/vpn/google//modules/vpn_ha"
+ version = "~> 2.3"
+ project_id = var.project_id
 region = var.default_region1
 network = local.network_name
@@ -75,7 +77,9 @@ module "vpn_ha_region1_router1" {
 }
 module "vpn_ha_region1_router2" {
- source = "terraform-google-modules/vpn/google//modules/vpn_ha"
+ source = "terraform-google-modules/vpn/google//modules/vpn_ha"
+ version = "~> 2.3"
+ project_id = var.project_id
 region = var.default_region1
 network = local.network_name
@@ -121,7 +125,9 @@ module "vpn_ha_region1_router2" {
 }
 module "vpn_ha_region2_router1" {
- source = "terraform-google-modules/vpn/google//modules/vpn_ha"
+ source = "terraform-google-modules/vpn/google//modules/vpn_ha"
+ version = "~> 2.3"
+ project_id = var.project_id
 region = var.default_region2
 network = local.network_name
@@ -167,7 +173,9 @@ module "vpn_ha_region2_router1" {
 }
 module "vpn_ha_region2_router2" {
- source = "terraform-google-modules/vpn/google//modules/vpn_ha"
+ source = "terraform-google-modules/vpn/google//modules/vpn_ha"
+ version = "~> 2.3"
+ project_id = var.project_id
 region = var.default_region2
 network = local.network_name
diff --git a/3-networks-dual-svpc/modules/vpn-ha/variables.tf b/3-networks-dual-svpc/modules/vpn-ha/variables.tf
index b7ec1900b..9ef39cee8 100644
--- a/3-networks-dual-svpc/modules/vpn-ha/variables.tf
+++ b/3-networks-dual-svpc/modules/vpn-ha/variables.tf
@@ -158,15 +158,3 @@ variable "region2_router2_tunnel1_bgp_peer_range" {
 type = string
 description = "BGP session range for router 2 in region 1 tunnel 1"
 }
-
-variable "parent_folder" {
- description = "Optional - if using a folder for testing."
- type = string
- default = ""
-}
-
-variable "folder_prefix" {
- description = "Name prefix to use for folders created."
- type = string
- default = "fldr"
-}
diff --git a/3-networks-hub-and-spoke/envs/shared/dns-hub.tf b/3-networks-hub-and-spoke/envs/shared/dns-hub.tf
index fb4014678..ce23036a3 100644
--- a/3-networks-hub-and-spoke/envs/shared/dns-hub.tf
+++ b/3-networks-hub-and-spoke/envs/shared/dns-hub.tf
@@ -19,8 +19,9 @@
 *****************************************/
 module "dns_hub_vpc" {
- source = "terraform-google-modules/network/google"
- version = "~> 5.1"
+ source = "terraform-google-modules/network/google"
+ version = "~> 5.1"
+ project_id = local.dns_hub_project_id
 network_name = "vpc-c-dns-hub"
 shared_vpc_host = "false"
@@ -91,6 +92,7 @@ module "dns-forwarding-zone" {
 module "dns_hub_region1_router1" {
 source = "terraform-google-modules/cloud-router/google"
 version = "~> 3.0"
+ name = "cr-c-dns-hub-${local.default_region1}-cr1"
 project = local.dns_hub_project_id
 network = module.dns_hub_vpc.network_name
@@ -104,6 +106,7 @@ module "dns_hub_region1_router1" {
 module "dns_hub_region1_router2" {
 source = "terraform-google-modules/cloud-router/google"
 version = "~> 3.0"
+ name = "cr-c-dns-hub-${local.default_region1}-cr2"
 project = local.dns_hub_project_id
 network = module.dns_hub_vpc.network_name
@@ -117,6 +120,7 @@ module "dns_hub_region1_router2" {
 module "dns_hub_region2_router1" {
 source = "terraform-google-modules/cloud-router/google"
 version = "~> 3.0"
+ name = "cr-c-dns-hub-${local.default_region2}-cr3"
 project = local.dns_hub_project_id
 network = module.dns_hub_vpc.network_name
@@ -130,6 +134,7 @@ module "dns_hub_region2_router1" {
 module "dns_hub_region2_router2" {
 source = "terraform-google-modules/cloud-router/google"
 version = "~> 3.0"
+ name = "cr-c-dns-hub-${local.default_region2}-cr4"
 project = local.dns_hub_project_id
 network = module.dns_hub_vpc.network_name
diff --git a/3-networks-hub-and-spoke/envs/shared/hierarchical_firewall.tf b/3-networks-hub-and-spoke/envs/shared/hierarchical_firewall.tf
index d924ff582..ec2cd2b3a 100644
--- a/3-networks-hub-and-spoke/envs/shared/hierarchical_firewall.tf
+++ b/3-networks-hub-and-spoke/envs/shared/hierarchical_firewall.tf
@@ -16,6 +16,7 @@ module "hierarchical_firewall_policy" {
 source = "../../modules/hierarchical_firewall_policy/"
+ parent = local.common_folder_name
 name = "common-firewall-rules"
 associ‍ations = [
diff --git a/3-networks-hub-and-spoke/envs/shared/net-hubs-transitivity.tf b/3-networks-hub-and-spoke/envs/shared/net-hubs-transitivity.tf
index 08a9ffeed..048c1f476 100644
--- a/3-networks-hub-and-spoke/envs/shared/net-hubs-transitivity.tf
+++ b/3-networks-hub-and-spoke/envs/shared/net-hubs-transitivity.tf
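Review bot: The `name` added to each of the four `dns_hub_region*_router*` module calls (hunks `@@ -91`, `@@ -104`, `@@ -117`, `@@ -130`) is a new explicit input with no removed counterpart, so if the Cloud Routers currently deployed carry a different name this is a rename, and a router's name cannot be updated in place — the plan will show the router, and the BGP sessions attached to it, as a forced replacement. Check the plan output for `# forces replacement` on these four routers before applying where DNS forwarding is live, and treat it as a connectivity-impacting change if it appears. A short comment above the first router, such as `# router names are numbered cr1..cr4 across both regions so they stay unique in the dns-hub project`, would document the numbering choice if that is the intent. Each module block continues beyond the hunk's trailing context lines.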
@@ -43,8 +43,9 @@ locals {
 */
 module "base_transitivity" {
- count = local.enable_transitivity ? 1 : 0
- source = "../../modules/transitivity"
+ source = "../../modules/transitivity"
+ count = local.enable_transitivity ? 1 : 0
+ project_id = local.base_net_hub_project_id
 regions = keys(local.base_subnet_primary_ranges)
 vpc_name = module.base_shared_vpc.network_name
@@ -76,8 +77,9 @@ module "base_transitivity" {
 */
 module "restricted_transitivity" {
- count = local.enable_transitivity ? 1 : 0
- source = "../../modules/transitivity"
+ source = "../../modules/transitivity"
+ count = local.enable_transitivity ? 1 : 0
+ project_id = local.restricted_net_hub_project_id
 regions = keys(local.restricted_subnet_primary_ranges)
 vpc_name = module.restricted_shared_vpc.network_name
diff --git a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf
index a30484707..af7fe0415 100644
--- a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf
+++ b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf
@@ -164,12 +164,12 @@ locals {
 *****************************************/
 module "base_shared_vpc" {
- source = "../../modules/base_shared_vpc"
+ source = "../../modules/base_shared_vpc"
+ project_id = local.base_net_hub_project_id
 dns_hub_project_id = local.dns_hub_project_id
 environment_code = local.environment_code
 private_service_connect_ip = "10.2.0.5"
- org_id = local.org_id
 bgp_asn_subnet = local.bgp_asn_number
 default_region1 = local.default_region1
 default_region2 = local.default_region2
@@ -212,7 +213,8 @@ module "base_shared_vpc" {
 *****************************************/
 module "restricted_shared_vpc" {
- source = "../../modules/restricted_shared_vpc"
+ source = "../../modules/restricted_shared_vpc"
+ project_id = local.restricted_net_hub_project_id
 project_number = local.restricted_net_hub_project_number
 dns_hub_project_id = local.dns_hub_project_id
@@ -225,7 +226,6 @@ module "restricted_shared_vpc" {
 "serviceAccount:${local.projects_service_account}",
 "serviceAccount:${local.organization_service_account}",
 ], var.perimeter_additional_members))
- org_id = local.org_id
 bgp_asn_subnet = local.bgp_asn_number
 default_region1 = local.default_region1
 default_region2 = local.default_region2
diff --git a/3-networks-hub-and-spoke/modules/base_env/main.tf b/3-networks-hub-and-spoke/modules/base_env/main.tf
index 2f26e6868..56b067856 100644
--- a/3-networks-hub-and-spoke/modules/base_env/main.tf
+++ b/3-networks-hub-and-spoke/modules/base_env/main.tf
@@ -15,17 +15,9 @@
 */
 locals {
- org_id = data.terraform_remote_state.bootstrap.outputs.common_config.org_id
- parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder
- parent_id = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id
- billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account
- default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
- folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix
 restricted_project_id = data.terraform_remote_state.environments_env.outputs.restricted_shared_vpc_project_id
 restricted_project_number = data.terraform_remote_state.environments_env.outputs.restricted_shared_vpc_project_number
 base_project_id = data.terraform_remote_state.environments_env.outputs.base_shared_vpc_project_id
- env_secret_project_id = data.terraform_remote_state.environments_env.outputs.env_secrets_project_id
- interconnect_project_id = data.terraform_remote_state.org.outputs.interconnect_project_id
 dns_hub_project_id = data.terraform_remote_state.org.outputs.dns_hub_project_id
 base_net_hub_project_id = data.terraform_remote_state.org.outputs.base_net_hub_project_id
 restricted_net_hub_project_id = data.terraform_remote_state.org.outputs.restricted_net_hub_project_id
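Review bot: Dropping `env_secret_project_id` and `interconnect_project_id` from `locals` in `base_env/main.tf` leaves any `.tf.example` file in that directory that references them dangling once it is renamed to `.tf`; the `vpn.tf.example` hunk later in this patch re-declares `env_secret_project_id`, but no hub-and-spoke counterpart for `interconnect_project_id` appears in this diff. Worth confirming whether `3-networks-hub-and-spoke/modules/base_env` ships an interconnect example that uses `local.interconnect_project_id` and, if so, giving it the same treatment: `locals { interconnect_project_id = data.terraform_remote_state.org.outputs.interconnect_project_id }`. The `locals` block continues past the end of this hunk.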
@@ -192,15 +184,6 @@ data "terraform_remote_state" "org" {
 }
 }
-data "terraform_remote_state" "network_shared" {
- backend = "gcs"
-
- config = {
- bucket = var.remote_state_bucket
- prefix = "terraform/networks/envs/shared"
- }
-}
-
 data "terraform_remote_state" "environments_env" {
 backend = "gcs"
@@ -214,7 +197,8 @@ data "terraform_remote_state" "environments_env" {
 Restricted shared VPC
 *****************************************/
 module "restricted_shared_vpc" {
- source = "../restricted_shared_vpc"
+ source = "../restricted_shared_vpc"
+ project_id = local.restricted_project_id
 project_number = local.restricted_project_number
 dns_hub_project_id = local.dns_hub_project_id
@@ -228,7 +212,6 @@ module "restricted_shared_vpc" {
 private_service_connect_ip = var.restricted_private_service_connect_ip
 ingress_policies = var.ingress_policies
 egress_policies = var.egress_policies
- org_id = local.org_id
 bgp_asn_subnet = local.bgp_asn_number
 default_region1 = var.default_region1
 default_region2 = var.default_region2
@@ -265,14 +248,14 @@ module "restricted_shared_vpc" {
 *****************************************/
 module "base_shared_vpc" {
- source = "../base_shared_vpc"
+ source = "../base_shared_vpc"
+ project_id = local.base_project_id
 dns_hub_project_id = local.dns_hub_project_id
 base_net_hub_project_id = local.base_net_hub_project_id
 environment_code = var.environment_code
 private_service_cidr = var.base_private_service_cidr
 private_service_connect_ip = var.base_private_service_connect_ip
- org_id = local.org_id
 default_region1 = var.default_region1
 default_region2 = var.default_region2
 domain = var.domain
diff --git a/3-networks-hub-and-spoke/modules/base_env/vpn.tf.example b/3-networks-hub-and-spoke/modules/base_env/vpn.tf.example
index 7b3ef985d..49063e882 100644
--- a/3-networks-hub-and-spoke/modules/base_env/vpn.tf.example
+++ b/3-networks-hub-and-spoke/modules/base_env/vpn.tf.example
@@ -14,6 +14,10 @@
 * limitations under the License.
 */
+locals {
+ env_secret_project_id = data.terraform_remote_state.environments_env.outputs.env_secrets_project_id
+}
+
 module "shared_base_vpn" {
 source = "../vpn-ha"
diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md b/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md
index 410bb4163..66e6248c4 100644
--- a/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md
+++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md
@@ -18,10 +18,8 @@
 | mode | Network deployment mode, should be set to `hub` or `spoke` when `enable_hub_and_spoke` architecture chosen, keep as `null` otherwise. | `string` | `null` | no |
 | nat\_bgp\_asn | BGP ASN for first NAT cloud routes. | `number` | `64514` | no |
 | nat\_enabled | Toggle creation of NAT cloud router. | `bool` | `false` | no |
-| nat\_num\_addresses | Number of external IPs to reserve for Cloud NAT. | `number` | `2` | no |
 | nat\_num\_addresses\_region1 | Number of external IPs to reserve for first Cloud NAT. | `number` | `2` | no |
 | nat\_num\_addresses\_region2 | Number of external IPs to reserve for second Cloud NAT. | `number` | `2` | no |
-| org\_id | Organization ID | `string` | n/a | yes |
 | private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | `string` | `null` | no |
 | private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint. | `string` | n/a | yes |
 | project\_id | Project ID for Private Shared VPC. | `string` | n/a | yes |
diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/data.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/data.tf
deleted file mode 100644
index db6163d95..000000000
--- a/3-networks-hub-and-spoke/modules/base_shared_vpc/data.tf
+++ /dev/null
@@ -1,31 +0,0 @@
-/**
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/******************************************
- Ranges for default firewall rules.
- *****************************************/
-
-data "google_netblock_ip_ranges" "legacy_health_checkers" {
- range_type = "legacy-health-checkers"
-}
-
-data "google_netblock_ip_ranges" "health_checkers" {
- range_type = "health-checkers"
-}
-
-data "google_netblock_ip_ranges" "iap_forwarders" {
- range_type = "iap-forwarders"
-}
diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf
index 83f3a051c..7cf072ba0 100644
--- a/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf
+++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf
@@ -37,8 +37,9 @@ data "google_compute_network" "vpc_dns_hub" {
 }
 module "peering_zone" {
- source = "terraform-google-modules/cloud-dns/google"
- version = "~> 3.1"
+ source = "terraform-google-modules/cloud-dns/google"
+ version = "~> 3.1"
+ project_id = var.project_id
 type = "peering"
 name = "dz-${var.environment_code}-shared-base-to-dns-hub"
diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf
index a335246f1..6e4a3b5d5 100644
--- a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf
+++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf
@@ -26,8 +26,9 @@ locals {
 *****************************************/
 module "main" {
- source = "terraform-google-modules/network/google"
- version = "~> 5.1"
+ source = "terraform-google-modules/network/google"
+ version = "~> 5.1"
+ project_id = var.project_id
 network_name = local.network_name
 shared_vpc_host = "true"
@@ -72,9 +73,10 @@ data "google_compute_network" "vpc_base_net_hub" {
 }
 module "peering" {
- source = "terraform-google-modules/network/google//modules/network-peering"
- version = "~> 5.1"
- count = var.mode == "spoke" ? 1 : 0
+ source = "terraform-google-modules/network/google//modules/network-peering"
+ version = "~> 5.1"
+ count = var.mode == "spoke" ? 1 : 0
+ prefix = "np"
 local_network = module.main.network_self_link
 peer_network = data.google_compute_network.vpc_base_net_hub[0].self_link
diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/nat.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/nat.tf
index b4872e0a9..dc0b49c4d 100644
--- a/3-networks-hub-and-spoke/modules/base_shared_vpc/nat.tf
+++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/nat.tf
@@ -42,7 +42,7 @@ resource "google_compute_router_nat" "egress_nat_region1" {
 count = var.nat_enabled ? 1 : 0
 name = "rn-${local.vpc_name}-${var.default_region1}-egress"
 project = var.project_id
- router = google_compute_router.nat_router_region1.0.name
+ router = google_compute_router.nat_router_region1[0].name
 region = var.default_region1
 nat_ip_allocate_option = "MANUAL_ONLY"
 nat_ips = google_compute_address.nat_external_addresses_region1.*.self_link
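Review bot: `prefix = "np"` in the `peering` module call (hunk `@@ -72,9 +73,10 @@`) is a new input with no removed counterpart, so if the existing spoke-to-hub peerings were created under the module's default prefix this changes their names, and a `google_compute_network_peering` cannot be renamed in place — the plan would delete and recreate both sides of the peering, interrupting hub/spoke traffic during apply. Check the plan for `# forces replacement` on the peering resources before rolling this to a spoke that carries live traffic, and consider adding `# prefix is part of the peering name; changing it replaces the peering` above the line so the next edit is made deliberately. The module block continues beyond the hunk.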
@@ -77,7 +77,7 @@ resource "google_compute_router_nat" "egress_nat2" {
 count = var.nat_enabled ? 1 : 0
 name = "rn-${local.vpc_name}-${var.default_region2}-egress"
 project = var.project_id
- router = google_compute_router.nat_router_region2.0.name
+ router = google_compute_router.nat_router_region2[0].name
 region = var.default_region2
 nat_ip_allocate_option = "MANUAL_ONLY"
 nat_ips = google_compute_address.nat_external_addresses_region2.*.self_link
diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/private_service_connect.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/private_service_connect.tf
index 0c03ea327..d1f2bd90d 100644
--- a/3-networks-hub-and-spoke/modules/base_shared_vpc/private_service_connect.tf
+++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/private_service_connect.tf
@@ -16,8 +16,9 @@ module "private_service_connect" {
- source = "terraform-google-modules/network/google//modules/private-service-connect"
- version = "~> 5.2"
+ source = "terraform-google-modules/network/google//modules/private-service-connect"
+ version = "~> 5.2"
+ project_id = var.project_id
 dns_code = "dz-${var.environment_code}-shared-base"
 network_self_link = module.main.network_self_link
diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf
index 926928e54..efb21c323 100644
--- a/3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf
+++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf
@@ -14,11 +14,6 @@
 * limitations under the License.
 */
-variable "org_id" {
- type = string
- description = "Organization ID"
-}
-
 variable "project_id" {
 type = string
 description = "Project ID for Private Shared VPC."
@@ -137,12 +132,6 @@ variable "windows_activation_enabled" {
 default = false
 }
-variable "nat_num_addresses" {
- type = number
- description = "Number of external IPs to reserve for Cloud NAT."
- default = 2
-}
-
 variable "allow_all_egress_ranges" {
 description = "List of network ranges to which all egress traffic will be allowed"
 default = null
diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md
index 946b4be58..0b1970f8d 100644
--- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md
+++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md
@@ -23,7 +23,6 @@
 | nat\_enabled | Toggle creation of NAT cloud router. | `bool` | `false` | no |
 | nat\_num\_addresses\_region1 | Number of external IPs to reserve for region 1 Cloud NAT. | `number` | `2` | no |
 | nat\_num\_addresses\_region2 | Number of external IPs to reserve for region 2 Cloud NAT. | `number` | `2` | no |
-| org\_id | Organization ID | `string` | n/a | yes |
 | private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | `string` | `null` | no |
 | private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint. | `string` | n/a | yes |
 | project\_id | Project ID for Restricted Shared VPC. | `string` | n/a | yes |
diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/data.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/data.tf
deleted file mode 100644
index db6163d95..000000000
--- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/data.tf
+++ /dev/null
@@ -1,31 +0,0 @@
-/**
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/******************************************
- Ranges for default firewall rules.
- *****************************************/
-
-data "google_netblock_ip_ranges" "legacy_health_checkers" {
- range_type = "legacy-health-checkers"
-}
-
-data "google_netblock_ip_ranges" "health_checkers" {
- range_type = "health-checkers"
-}
-
-data "google_netblock_ip_ranges" "iap_forwarders" {
- range_type = "iap-forwarders"
-}
diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf
index 4fb4045f6..98ac17f06 100644
--- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf
+++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf
@@ -26,8 +26,9 @@ locals {
 *****************************************/
 module "main" {
- source = "terraform-google-modules/network/google"
- version = "~> 5.1"
+ source = "terraform-google-modules/network/google"
+ version = "~> 5.1"
+
 project_id = var.project_id
 network_name = local.network_name
 shared_vpc_host = "true"
diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/nat.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/nat.tf
index 40e16900b..61b48ee9f 100644
--- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/nat.tf
+++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/nat.tf
@@ -44,7 +44,7 @@ resource "google_compute_router_nat" "nat_external_addresses_region1" {
 name = "rn-${local.vpc_name}-${var.default_region1}-egress"
 project = var.project_id
- router = google_compute_router.nat_router_region1.0.name
+ router = google_compute_router.nat_router_region1[0].name
 region = var.default_region1
 nat_ip_allocate_option = "MANUAL_ONLY"
 nat_ips = google_compute_address.nat_external_addresses1.*.self_link
@@ -82,7 +82,7 @@ resource "google_compute_router_nat" "egress_nat_region2" {
 name = "rn-${local.vpc_name}-${var.default_region2}-egress"
 project = var.project_id
- router = google_compute_router.nat_router_region2.0.name
+ router = google_compute_router.nat_router_region2[0].name
 region = var.default_region2
 nat_ip_allocate_option = "MANUAL_ONLY"
 nat_ips = google_compute_address.nat_external_addresses_region2.*.self_link
diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf
index 6a967f02b..77836a925 100644
--- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf
+++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf
@@ -14,11 +14,6 @@
 * limitations under the License.
 */
-variable "org_id" {
- type = string
- description = "Organization ID"
-}
-
 variable "access_context_manager_policy_id" {
 type = number
 description = "The id of the default Access Context Manager policy. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format=\"value(name)\"`."
diff --git a/3-networks-hub-and-spoke/modules/transitivity/main.tf b/3-networks-hub-and-spoke/modules/transitivity/main.tf
index 781a43d04..8d6b12751 100644
--- a/3-networks-hub-and-spoke/modules/transitivity/main.tf
+++ b/3-networks-hub-and-spoke/modules/transitivity/main.tf
@@ -23,8 +23,9 @@ locals {
 }
 module "service_account" {
- source = "terraform-google-modules/service-accounts/google"
- version = "~> 4.1"
+ source = "terraform-google-modules/service-accounts/google"
+ version = "~> 4.1"
+
 project_id = var.project_id
 names = ["transitivity-gw"]
 project_roles = [
@@ -34,9 +35,10 @@ module "service_account" {
 }
 module "templates" {
- source = "terraform-google-modules/vm/google//modules/instance_template"
- version = "~> 7.9"
- for_each = toset(var.regions)
+ source = "terraform-google-modules/vm/google//modules/instance_template"
+ version = "~> 7.9"
+ for_each = toset(var.regions)
+
 can_ip_forward = true
 disk_size_gb = 10
 name_prefix = "transitivity-gw-${each.key}"
@@ -61,9 +63,10 @@ module "templates" {
 }
 module "migs" {
- source = "terraform-google-modules/vm/google//modules/mig"
- version = "~> 7.7"
- for_each = toset(var.regions)
+ source = "terraform-google-modules/vm/google//modules/mig"
+ version = "~> 7.7"
+ for_each = toset(var.regions)
+
 project_id = var.project_id
 region = each.key
 target_size = 3
@@ -85,9 +88,10 @@ module "migs" {
 }
 module "ilbs" {
- source = "GoogleCloudPlatform/lb-internal/google"
- version = "~> 5.0"
- for_each = toset(var.regions)
+ source = "GoogleCloudPlatform/lb-internal/google"
+ version = "~> 5.0"
+ for_each = toset(var.regions)
+
 region = each.key
 name = each.key
 ports = null
diff --git a/3-networks-hub-and-spoke/modules/vpn-ha/main.tf b/3-networks-hub-and-spoke/modules/vpn-ha/main.tf
index 93fdf68ee..9d94673bc 100755
--- a/3-networks-hub-and-spoke/modules/vpn-ha/main.tf
+++ b/3-networks-hub-and-spoke/modules/vpn-ha/main.tf
@@ -29,7 +29,9 @@ data "google_secret_manager_secret_version" "psk" {
 }
 module "vpn_ha_region1_router1" {
- source = "terraform-google-modules/vpn/google//modules/vpn_ha"
+ source = "terraform-google-modules/vpn/google//modules/vpn_ha"
+ version = "~> 2.3"
+
 project_id = var.project_id
 region = var.default_region1
 network = local.network_name
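Review bot: The new `version = "~> 2.3"` on `vpn_ha_region1_router1` is a functional change hidden inside a lint commit: this module had no constraint before, so `terraform init` was selecting whatever release of `vpn/google//modules/vpn_ha` was newest, and the constraint may now pin a different release than the one currently deployed. Confirm the constraint matches the release in use and call the pin out in the commit description. Pinning the module is the right direction for supply-chain hygiene; the same constraint is added to `vpn_ha_region1_router2`, `vpn_ha_region2_router1` and `vpn_ha_region2_router2` in the following hunks, so one sentence in the description covers all four.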
@@ -75,7 +77,9 @@ module "vpn_ha_region1_router1" {
 }
 module "vpn_ha_region1_router2" {
- source = "terraform-google-modules/vpn/google//modules/vpn_ha"
+ source = "terraform-google-modules/vpn/google//modules/vpn_ha"
+ version = "~> 2.3"
+
 project_id = var.project_id
 region = var.default_region1
 network = local.network_name
@@ -121,7 +125,9 @@ module "vpn_ha_region1_router2" {
 }
 module "vpn_ha_region2_router1" {
- source = "terraform-google-modules/vpn/google//modules/vpn_ha"
+ source = "terraform-google-modules/vpn/google//modules/vpn_ha"
+ version = "~> 2.3"
+
 project_id = var.project_id
 region = var.default_region2
 network = local.network_name
@@ -167,7 +173,9 @@ module "vpn_ha_region2_router1" {
 }
 module "vpn_ha_region2_router2" {
- source = "terraform-google-modules/vpn/google//modules/vpn_ha"
+ source = "terraform-google-modules/vpn/google//modules/vpn_ha"
+ version = "~> 2.3"
+
 project_id = var.project_id
 region = var.default_region2
 network = local.network_name
diff --git a/4-projects/business_unit_1/shared/example_infra_pipeline.tf b/4-projects/business_unit_1/shared/example_infra_pipeline.tf
index bbe0e8c97..7b09e6cd6 100644
--- a/4-projects/business_unit_1/shared/example_infra_pipeline.tf
+++ b/4-projects/business_unit_1/shared/example_infra_pipeline.tf
@@ -53,7 +53,6 @@ module "infra_pipelines" {
 cloudbuild_project_id = module.app_infra_cloudbuild_project[0].project_id
 cloud_builder_artifact_repo = local.cloud_builder_artifact_repo
 remote_tfstate_bucket = local.projects_remote_bucket_tfstate
- project_prefix = local.project_prefix
 billing_account = local.billing_account
 default_region = var.default_region
 app_infra_repos = local.repo_names
diff --git a/4-projects/business_unit_2/shared/example_infra_pipeline.tf b/4-projects/business_unit_2/shared/example_infra_pipeline.tf
index 4947f329f..6bc339edd 100644
--- a/4-projects/business_unit_2/shared/example_infra_pipeline.tf
+++ b/4-projects/business_unit_2/shared/example_infra_pipeline.tf
@@ -53,7 +53,6 @@ module "infra_pipelines" {
 cloudbuild_project_id = module.app_infra_cloudbuild_project[0].project_id
 cloud_builder_artifact_repo = local.cloud_builder_artifact_repo
 remote_tfstate_bucket = local.projects_remote_bucket_tfstate
- project_prefix = local.project_prefix
 billing_account = local.billing_account
 default_region = var.default_region
 app_infra_repos = local.repo_names
diff --git a/4-projects/modules/base_env/example_peering_project.tf b/4-projects/modules/base_env/example_peering_project.tf
index 213b5066b..432b8cf20 100644
--- a/4-projects/modules/base_env/example_peering_project.tf
+++ b/4-projects/modules/base_env/example_peering_project.tf
@@ -54,8 +54,9 @@ module "peering_project" {
 }
 module "peering_network" {
- source = "terraform-google-modules/network/google"
- version = "~> 5.0"
+ source = "terraform-google-modules/network/google"
+ version = "~> 5.0"
+
 project_id = module.peering_project.project_id
 network_name = "vpc-${local.env_code}-peering-base"
 shared_vpc_host = "false"
@@ -74,8 +75,9 @@ resource "google_dns_policy" "default_policy" {
 }
 module "peering" {
- source = "terraform-google-modules/network/google//modules/network-peering"
- version = "~> 5.0"
+ source = "terraform-google-modules/network/google//modules/network-peering"
+ version = "~> 5.0"
+
 prefix = "${var.business_code}-${local.env_code}"
 local_network = module.peering_network.network_self_link
 peer_network = local.base_network_self_link
diff --git a/4-projects/modules/base_env/example_storage_cmek.tf b/4-projects/modules/base_env/example_storage_cmek.tf
index 444a5a7aa..f63740efb 100644
--- a/4-projects/modules/base_env/example_storage_cmek.tf
+++ b/4-projects/modules/base_env/example_storage_cmek.tf
@@ -64,14 +64,17 @@ resource "random_string" "bucket_name" {
 }
 module "gcs_buckets" {
- depends_on = [module.kms]
- source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
- version = "~> 3.0"
+ source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
+ version = "~> 3.0"
+
 project_id = module.base_shared_vpc_project.project_id
 location = var.location_gcs
 name = "${var.gcs_bucket_prefix}-${module.base_shared_vpc_project.project_id}-${lower(var.location_gcs)}-cmek-encrypted-${random_string.bucket_name.result}"
 bucket_policy_only = true
+
 encryption = {
 default_kms_key_name = module.kms.keys[var.key_name]
 }
+
+ depends_on = [module.kms]
 }
diff --git a/4-projects/modules/base_env/main.tf b/4-projects/modules/base_env/main.tf
index 918866834..c49c9f0b8 100644
--- a/4-projects/modules/base_env/main.tf
+++ b/4-projects/modules/base_env/main.tf
@@ -16,12 +16,8 @@ locals {
 org_id = data.terraform_remote_state.bootstrap.outputs.common_config.org_id
- parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder
- parent = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id
 billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account
- default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
 project_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.project_prefix
- folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix
 projects_backend_bucket = data.terraform_remote_state.bootstrap.outputs.projects_gcs_bucket_tfstate
 perimeter_name = data.terraform_remote_state.network_env.outputs.restricted_service_perimeter_name
 base_network_self_link = data.terraform_remote_state.network_env.outputs.base_network_self_link
diff --git a/4-projects/modules/infra_pipelines/README.md b/4-projects/modules/infra_pipelines/README.md
index 59eb8450d..f8f92ed37 100644
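Review bot: The relocated `depends_on = [module.kms]` at the bottom of `gcs_buckets` is redundant with the reference Terraform already sees in `default_kms_key_name = module.kms.keys[var.key_name]`, and a module-level `depends_on` makes every resource in `gcs_buckets` wait on everything in `module.kms`, which can defer values that would otherwise be known at plan time. If the explicit dependency is intentional (for example, an IAM binding inside `module.kms` that the bucket needs but does not reference), a one-line comment above it saying so would keep the next reader from removing it: `# explicit: bucket needs <resource in module.kms> that is not referenced above`. Otherwise dropping the line is the cleaner lint fix.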
--- a/4-projects/modules/infra_pipelines/README.md
+++ b/4-projects/modules/infra_pipelines/README.md
@@ -11,7 +11,6 @@
 | default\_region | Default region to create resources where applicable. | `string` | n/a | yes |
 | org\_id | GCP Organization ID | `string` | n/a | yes |
 | private\_worker\_pool\_id | ID of the Cloud Build private worker pool. | `string` | n/a | yes |
-| project\_prefix | Name prefix to use for projects created. | `string` | `"prj"` | no |
 | remote\_tfstate\_bucket | Bucket with remote state data to be used by the pipeline. | `string` | n/a | yes |
 | terraform\_docker\_tag\_version | TAG version of the terraform docker image. | `string` | `"v1"` | no |
diff --git a/4-projects/modules/infra_pipelines/variables.tf b/4-projects/modules/infra_pipelines/variables.tf
index 1389dc930..db37d3b10 100644
--- a/4-projects/modules/infra_pipelines/variables.tf
+++ b/4-projects/modules/infra_pipelines/variables.tf
@@ -24,12 +24,6 @@ variable "default_region" {
 type = string
 }
-variable "project_prefix" {
- description = "Name prefix to use for projects created."
- type = string
- default = "prj"
-}
-
 variable "cloudbuild_project_id" {
 description = "The project id where the pipelines and repos should be created."
 type = string
diff --git a/4-projects/modules/single_project/README.md b/4-projects/modules/single_project/README.md
index 2bb11e520..10f965a59 100644
--- a/4-projects/modules/single_project/README.md
+++ b/4-projects/modules/single_project/README.md
@@ -10,7 +10,6 @@
 | billing\_code | The code that's used to provide chargeback information | `string` | n/a | yes |
 | business\_code | The code that describes which business unit owns the project | `string` | `"abcd"` | no |
 | enable\_cloudbuild\_deploy | Enable infra deployment using Cloud Build | `bool` | `false` | no |
-| enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
 | environment | The environment the single project belongs to | `string` | n/a | yes |
 | folder\_id | The folder id where project will be created | `string` | n/a | yes |
 | org\_id | The organization id for the associated services | `string` | n/a | yes |
diff --git a/4-projects/modules/single_project/main.tf b/4-projects/modules/single_project/main.tf
index 23eefb659..34908014c 100644
--- a/4-projects/modules/single_project/main.tf
+++ b/4-projects/modules/single_project/main.tf
@@ -15,8 +15,7 @@
 */
 locals {
- env_code = element(split("", var.environment), 0)
- shared_vpc_mode = var.enable_hub_and_spoke ? "-spoke" : ""
+ env_code = element(split("", var.environment), 0)
 source_repos = setintersection(
 toset(keys(var.app_infra_pipeline_service_accounts)),
 toset(keys(var.sa_roles))
diff --git a/4-projects/modules/single_project/variables.tf b/4-projects/modules/single_project/variables.tf
index 0a3f92a1b..69e9f4343 100644
--- a/4-projects/modules/single_project/variables.tf
+++ b/4-projects/modules/single_project/variables.tf
@@ -129,12 +129,6 @@ variable "project_prefix" {
 default = "prj"
 }
-variable "enable_hub_and_spoke" {
- description = "Enable Hub-and-Spoke architecture."
- type = bool
- default = false
-}
-
 variable "app_infra_pipeline_service_accounts" {
 description = "The Service Accounts from App Infra Pipeline."
 type = map(string)
diff --git a/5-app-infra/business_unit_1/development/main.tf b/5-app-infra/business_unit_1/development/main.tf
index 3d3c299ce..a5e74b397 100644
--- a/5-app-infra/business_unit_1/development/main.tf
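Review bot: Dropping `shared_vpc_mode` from the `locals` block of `single_project/main.tf` is safe only because the `enable_hub_and_spoke` input is deleted in the `variables.tf` hunk on the same line, and that deletion changes the module's public interface: any caller still passing `enable_hub_and_spoke = ...` will fail at plan time with an unsupported-argument error. None of the visible hunks update a caller of `modules/single_project`, so please confirm the `4-projects` `base_env` call sites no longer pass it. The same check applies to `org_id`, which this commit removes from the hub-and-spoke `base_shared_vpc` and `restricted_shared_vpc` variable files earlier in the diff without a visible caller change; for `business_code` in `env_base` the three `5-app-infra` callers are updated in the next hunks, which is the pattern the other two removals should follow.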
+++ b/5-app-infra/business_unit_1/development/main.tf
@@ -23,7 +23,6 @@ module "base_shared_gce_instance" {
 source = "../../modules/env_base"
 environment = local.environment
- business_code = "bu1"
 business_unit = local.business_unit
 project_suffix = "sample-base"
 region = var.instance_region
diff --git a/5-app-infra/business_unit_1/non-production/main.tf b/5-app-infra/business_unit_1/non-production/main.tf
index 8c2906a1d..3f9d4685a 100644
--- a/5-app-infra/business_unit_1/non-production/main.tf
+++ b/5-app-infra/business_unit_1/non-production/main.tf
@@ -23,7 +23,6 @@ module "base_shared_gce_instance" {
 source = "../../modules/env_base"
 environment = local.environment
- business_code = "bu1"
 business_unit = local.business_unit
 project_suffix = "sample-base"
 region = var.instance_region
diff --git a/5-app-infra/business_unit_1/production/main.tf b/5-app-infra/business_unit_1/production/main.tf
index bafe2cf0b..3a8177e3d 100644
--- a/5-app-infra/business_unit_1/production/main.tf
+++ b/5-app-infra/business_unit_1/production/main.tf
@@ -23,7 +23,6 @@ module "base_shared_gce_instance" {
 source = "../../modules/env_base"
 environment = local.environment
- business_code = "bu1"
 business_unit = local.business_unit
 project_suffix = "sample-base"
 region = var.instance_region
diff --git a/5-app-infra/modules/env_base/README.md b/5-app-infra/modules/env_base/README.md
index 9cbc9adc3..e9cf73d73 100644
--- a/5-app-infra/modules/env_base/README.md
+++ b/5-app-infra/modules/env_base/README.md
@@ -3,7 +3,6 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| business\_code | The code that describes which business unit owns the project | `string` | `"abcd"` | no |
 | business\_unit | The business (ex. business\_unit\_1). | `string` | `"business_unit_1"` | no |
 | environment | The environment the single project belongs to | `string` | n/a | yes |
 | hostname | Hostname of instances | `string` | `"example-app"` | no |
diff --git a/5-app-infra/modules/env_base/main.tf b/5-app-infra/modules/env_base/main.tf
index 66c8d10e3..5f216443e 100644
--- a/5-app-infra/modules/env_base/main.tf
+++ b/5-app-infra/modules/env_base/main.tf
@@ -15,7 +15,6 @@
 */
 locals {
- environment_code = element(split("", var.environment), 0)
 env_project_ids = {
 "sample-base" = data.terraform_remote_state.projects_env.outputs.base_shared_vpc_project,
 "sample-floating" = data.terraform_remote_state.projects_env.outputs.floating_project,
diff --git a/5-app-infra/modules/env_base/variables.tf b/5-app-infra/modules/env_base/variables.tf
index 81fcd951f..5c104304c 100644
--- a/5-app-infra/modules/env_base/variables.tf
+++ b/5-app-infra/modules/env_base/variables.tf
@@ -47,12 +47,6 @@ variable "hostname" {
 default = "example-app"
 }
-variable "business_code" {
- description = "The code that describes which business unit owns the project"
- type = string
- default = "abcd"
-}
-
 variable "project_suffix" {
 description = "The name of the GCP project. Max 16 characters with 3 character business unit code."
 type = string
diff --git a/Makefile b/Makefile
index ba12918fa..c0de840c2 100644
--- a/Makefile
+++ b/Makefile
@@ -18,7 +18,7 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.7
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.10
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
@@ -27,6 +27,7 @@ REGISTRY_URL := gcr.io/cloud-foundation-cicd
 docker_test_lint:
 docker run --rm -it \
 -e ENABLE_PARALLEL=1 \
+ -e DISABLE_TFLINT=1 \
 -e EXCLUDE_LINT_DIRS \
 -v $(CURDIR):/workspace \
 $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml
index 14b49a8bf..1875eaffb 100644
--- a/build/int.cloudbuild.yaml
+++ b/build/int.cloudbuild.yaml
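Review bot: The new `-e DISABLE_TFLINT=1 \` in the `docker_test_lint` target switches tflint off in the lint run of a commit titled "tflint fixes", and nothing in the Makefile says why, so the fixes made here will not be guarded against regression and the next reader will likely assume the flag was left in by mistake. A comment on the line above naming the reason and where re-enabling is tracked would fix that, e.g. `# tflint disabled in this target: <reason / tracking issue>`. The same flag is added to `build/lint.cloudbuild.yaml` in the last hunk of the diff and deserves the same comment there. Separately, the bumped `DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.10` still selects the lint toolchain by a mutable tag; recording the image digest next to the tag would make the lint environment reproducible, which matters when its output gates merges.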
@@ -177,4 +177,4 @@ options:
 - 'TF_VAR_instance_region=us-west1'
 substitutions:
 _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
- _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.7'
+ _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.10'
diff --git a/build/lint.cloudbuild.yaml b/build/lint.cloudbuild.yaml
index df236c69c..c92b19131 100644
--- a/build/lint.cloudbuild.yaml
+++ b/build/lint.cloudbuild.yaml
@@ -24,8 +24,9 @@ tags:
 - 'lint'
 substitutions:
 _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
- _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.7'
+ _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.10'
 options:
 machineType: 'N1_HIGHCPU_8'
 env:
 - ENABLE_PARALLEL=0
+ - DISABLE_TFLINT=1