From b5d2118ac7ff24fb4bdaaf2df9e816353b144e1a Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Fri, 17 Nov 2023 11:47:44 -0300 Subject: [PATCH 01/33] Development --- 3-networks-dual-svpc/envs/development/main.tf | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/3-networks-dual-svpc/envs/development/main.tf b/3-networks-dual-svpc/envs/development/main.tf index f5971873e..4dccecfc0 100644 --- a/3-networks-dual-svpc/envs/development/main.tf +++ b/3-networks-dual-svpc/envs/development/main.tf @@ -22,40 +22,40 @@ locals { /* * Base network ranges */ - base_private_service_cidr = "10.16.64.0/21" + base_private_service_cidr = "10.16.8.0/21" base_subnet_primary_ranges = { - (local.default_region1) = "10.0.64.0/21" - (local.default_region2) = "10.1.64.0/21" + (local.default_region1) = "10.0.64.0/18" + (local.default_region2) = "10.1.64.0/18" } base_subnet_secondary_ranges = { (local.default_region1) = [ { range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-pod" - ip_cidr_range = "100.64.64.0/21" + ip_cidr_range = "100.64.64.0/18" }, { range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-svc" - ip_cidr_range = "100.64.72.0/21" + ip_cidr_range = "100.65.64.0/18" } ] } /* * Restricted network ranges */ - restricted_private_service_cidr = "10.24.64.0/21" + restricted_private_service_cidr = "10.16.40.0/21" restricted_subnet_primary_ranges = { - (local.default_region1) = "10.8.64.0/21" - (local.default_region2) = "10.9.64.0/21" + (local.default_region1) = "10.8.64.0/18" + (local.default_region2) = "10.9.64.0/18" } restricted_subnet_secondary_ranges = { (local.default_region1) = [ { range_name = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-pod" - ip_cidr_range = "100.72.64.0/21" + ip_cidr_range = "100.72.64.0/18" }, { range_name = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-svc" - ip_cidr_range = "100.72.72.0/21" + ip_cidr_range = "100.73.64.0/18" } ] } @@ -77,11 +77,11 @@ module "base_env" { base_private_service_cidr = local.base_private_service_cidr base_subnet_primary_ranges = local.base_subnet_primary_ranges base_subnet_secondary_ranges = local.base_subnet_secondary_ranges - base_private_service_connect_ip = "10.2.64.5" + base_private_service_connect_ip = "10.17.0.2" restricted_private_service_cidr = local.restricted_private_service_cidr restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges - restricted_private_service_connect_ip = "10.10.64.5" + restricted_private_service_connect_ip = "10.17.0.6" remote_state_bucket = var.remote_state_bucket } From ad2e3cf2cf89f3ea5005c9e3eea2e53daf1a8f82 Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Mon, 27 Nov 2023 23:25:30 -0300 Subject: [PATCH 02/33] Fix dev --- 3-networks-dual-svpc/envs/development/main.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/3-networks-dual-svpc/envs/development/main.tf b/3-networks-dual-svpc/envs/development/main.tf index 4dccecfc0..52ee93f1e 100644 --- a/3-networks-dual-svpc/envs/development/main.tf +++ b/3-networks-dual-svpc/envs/development/main.tf @@ -83,5 +83,4 @@ module "base_env" { restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges restricted_private_service_connect_ip = "10.17.0.6" remote_state_bucket = var.remote_state_bucket - } From 24adc68497cdf6e05dce976e9ba47c980bde1591 Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Mon, 27 Nov 2023 23:25:52 -0300 Subject: [PATCH 03/33] Non-Production IPs --- .../envs/non-production/main.tf | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/3-networks-dual-svpc/envs/non-production/main.tf b/3-networks-dual-svpc/envs/non-production/main.tf index a2d1aabe6..f3a8b2eaf 100644 --- a/3-networks-dual-svpc/envs/non-production/main.tf +++ b/3-networks-dual-svpc/envs/non-production/main.tf @@ -22,40 +22,40 @@ locals { /* * Base network ranges */ - base_private_service_cidr = "10.16.128.0/21" + base_private_service_cidr = "10.16.16.0/21" base_subnet_primary_ranges = { - (local.default_region1) = "10.0.128.0/21" - (local.default_region2) = "10.1.128.0/21" + (local.default_region1) = "10.0.128.0/18" + (local.default_region2) = "10.1.128.0/18" } base_subnet_secondary_ranges = { (local.default_region1) = [ { range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-pod" - ip_cidr_range = "100.64.128.0/21" + ip_cidr_range = "100.64.128.0/18" }, { range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-svc" - ip_cidr_range = "100.64.136.0/21" + ip_cidr_range = "100.65.128.0/18" } ] } /* * Restricted network ranges */ - restricted_private_service_cidr = "10.24.128.0/21" + restricted_private_service_cidr = "10.16.48.0/21" restricted_subnet_primary_ranges = { - (local.default_region1) = "10.8.128.0/21" - (local.default_region2) = "10.9.128.0/21" + (local.default_region1) = "10.8.128.0/18" + (local.default_region2) = "10.9.128.0/18" } restricted_subnet_secondary_ranges = { (local.default_region1) = [ { range_name = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-pod" - ip_cidr_range = "100.72.128.0/21" + ip_cidr_range = "100.72.128.0/18" }, { range_name = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-svc" - ip_cidr_range = "100.72.136.0/21" + ip_cidr_range = "100.73.128.0/18" } ] } @@ -77,10 +77,10 @@ module "base_env" { base_private_service_cidr = local.base_private_service_cidr base_subnet_primary_ranges = local.base_subnet_primary_ranges base_subnet_secondary_ranges = local.base_subnet_secondary_ranges - base_private_service_connect_ip = "10.2.128.5" + base_private_service_connect_ip = "10.17.0.3" restricted_private_service_cidr = local.restricted_private_service_cidr restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges - restricted_private_service_connect_ip = "10.10.128.5" + restricted_private_service_connect_ip = "10.17.0.7" remote_state_bucket = var.remote_state_bucket } From e150c9dbb59a3c6ade842a0a4e056bea4160b13a Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Mon, 27 Nov 2023 23:53:26 -0300 Subject: [PATCH 04/33] Production IPs --- 3-networks-dual-svpc/envs/production/main.tf | 24 ++++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/3-networks-dual-svpc/envs/production/main.tf b/3-networks-dual-svpc/envs/production/main.tf index fe3e0bbf1..646641771 100644 --- a/3-networks-dual-svpc/envs/production/main.tf +++ b/3-networks-dual-svpc/envs/production/main.tf @@ -22,40 +22,40 @@ locals { /* * Base network ranges */ - base_private_service_cidr = "10.16.192.0/21" + base_private_service_cidr = "10.16.24.0/21" base_subnet_primary_ranges = { - (local.default_region1) = "10.0.192.0/21" - (local.default_region2) = "10.1.192.0/21" + (local.default_region1) = "10.0.192.0/18" + (local.default_region2) = "10.1.192.0/18" } base_subnet_secondary_ranges = { (local.default_region1) = [ { range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-pod" - ip_cidr_range = "100.64.192.0/21" + ip_cidr_range = "100.64.192.0/18" }, { range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-svc" - ip_cidr_range = "100.64.200.0/21" + ip_cidr_range = "100.65.192.0/18" } ] } /* * Restricted network ranges */ - restricted_private_service_cidr = "10.24.192.0/21" + restricted_private_service_cidr = "10.16.56.0/21" restricted_subnet_primary_ranges = { - (local.default_region1) = "10.8.192.0/21" - (local.default_region2) = "10.9.192.0/21" + (local.default_region1) = "10.8.192.0/18" + (local.default_region2) = "10.9.192.0/18" } restricted_subnet_secondary_ranges = { (local.default_region1) = [ { range_name = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-pod" - ip_cidr_range = "100.72.192.0/21" + ip_cidr_range = "100.72.192.0/18" }, { range_name = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-svc" - ip_cidr_range = "100.72.200.0/21" + ip_cidr_range = "100.73.192.0/18" } ] } @@ -77,10 +77,10 @@ module "base_env" { base_private_service_cidr = local.base_private_service_cidr base_subnet_primary_ranges = local.base_subnet_primary_ranges base_subnet_secondary_ranges = local.base_subnet_secondary_ranges - base_private_service_connect_ip = "10.2.192.5" + base_private_service_connect_ip = "10.17.0.4" restricted_private_service_cidr = local.restricted_private_service_cidr restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges - restricted_private_service_connect_ip = "10.10.192.5" + restricted_private_service_connect_ip = "10.17.0.8" remote_state_bucket = var.remote_state_bucket } From 989dbe63441b970d94bc1c2d1361d2bbe6c2daae Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Tue, 28 Nov 2023 00:09:12 -0300 Subject: [PATCH 05/33] Hub IPs --- 3-networks-hub-and-spoke/envs/shared/net-hubs.tf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf index af7fe0415..a398489cb 100644 --- a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf +++ b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf @@ -19,15 +19,15 @@ locals { * Base network ranges */ base_subnet_primary_ranges = { - (local.default_region1) = "10.0.0.0/24" - (local.default_region2) = "10.1.0.0/24" + (local.default_region1) = "10.0.0.0/18" + (local.default_region2) = "10.1.0.0/18" } /* * Restricted network ranges */ restricted_subnet_primary_ranges = { - (local.default_region1) = "10.8.0.0/24" - (local.default_region2) = "10.9.0.0/24" + (local.default_region1) = "10.8.0.0/18" + (local.default_region2) = "10.9.0.0/18" } @@ -169,7 +169,7 @@ module "base_shared_vpc" { project_id = local.base_net_hub_project_id dns_hub_project_id = local.dns_hub_project_id environment_code = local.environment_code - private_service_connect_ip = "10.2.0.5" + private_service_connect_ip = "10.17.0.1" bgp_asn_subnet = local.bgp_asn_number default_region1 = local.default_region1 default_region2 = local.default_region2 @@ -218,7 +218,7 @@ module "restricted_shared_vpc" { project_number = local.restricted_net_hub_project_number dns_hub_project_id = local.dns_hub_project_id environment_code = local.environment_code - private_service_connect_ip = "10.10.0.5" + private_service_connect_ip = "10.17.0.5" access_context_manager_policy_id = var.access_context_manager_policy_id restricted_services = local.restricted_services members = distinct(concat([ From 6cb871ab4b07a9d691bd4e9e8c1af1a0b226aeab Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Wed, 29 Nov 2023 10:01:03 -0300 Subject: [PATCH 06/33] Replicate IPs to Hub and Spoke --- .../envs/development/main.tf | 24 +++++++++---------- .../envs/non-production/main.tf | 24 +++++++++---------- .../envs/production/main.tf | 24 +++++++++---------- 3 files changed, 36 insertions(+), 36 deletions(-) diff --git a/3-networks-hub-and-spoke/envs/development/main.tf b/3-networks-hub-and-spoke/envs/development/main.tf index 1fd727854..3eadf2469 100644 --- a/3-networks-hub-and-spoke/envs/development/main.tf +++ b/3-networks-hub-and-spoke/envs/development/main.tf @@ -22,40 +22,40 @@ locals { /* * Base network ranges */ - base_private_service_cidr = "10.16.64.0/21" + base_private_service_cidr = "10.16.8.0/21" base_subnet_primary_ranges = { - (local.default_region1) = "10.0.64.0/21" - (local.default_region2) = "10.1.64.0/21" + (local.default_region1) = "10.0.64.0/18" + (local.default_region2) = "10.1.64.0/18" } base_subnet_secondary_ranges = { (local.default_region1) = [ { range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-pod" - ip_cidr_range = "100.64.64.0/21" + ip_cidr_range = "100.64.64.0/18" }, { range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-svc" - ip_cidr_range = "100.64.72.0/21" + ip_cidr_range = "100.65.64.0/18" } ] } /* * Restricted network ranges */ - restricted_private_service_cidr = "10.24.64.0/21" + restricted_private_service_cidr = "10.16.40.0/21" restricted_subnet_primary_ranges = { - (local.default_region1) = "10.8.64.0/21" - (local.default_region2) = "10.9.64.0/21" + (local.default_region1) = "10.8.64.0/18" + (local.default_region2) = "10.9.64.0/18" } restricted_subnet_secondary_ranges = { (local.default_region1) = [ { range_name = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-pod" - ip_cidr_range = "100.72.64.0/21" + ip_cidr_range = "100.72.64.0/18" }, { range_name = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-svc" - ip_cidr_range = "100.72.72.0/21" + ip_cidr_range = "100.73.64.0/18" } ] } @@ -78,10 +78,10 @@ module "base_env" { base_private_service_cidr = local.base_private_service_cidr base_subnet_primary_ranges = local.base_subnet_primary_ranges base_subnet_secondary_ranges = local.base_subnet_secondary_ranges - base_private_service_connect_ip = "10.2.64.5" + base_private_service_connect_ip = "10.17.0.2" restricted_private_service_cidr = local.restricted_private_service_cidr restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges - restricted_private_service_connect_ip = "10.10.64.5" + restricted_private_service_connect_ip = "10.17.0.6" remote_state_bucket = var.remote_state_bucket } diff --git a/3-networks-hub-and-spoke/envs/non-production/main.tf b/3-networks-hub-and-spoke/envs/non-production/main.tf index 41bb61a96..70736ca92 100644 --- a/3-networks-hub-and-spoke/envs/non-production/main.tf +++ b/3-networks-hub-and-spoke/envs/non-production/main.tf @@ -22,40 +22,40 @@ locals { /* * Base network ranges */ - base_private_service_cidr = "10.16.128.0/21" + base_private_service_cidr = "10.16.16.0/21" base_subnet_primary_ranges = { - (local.default_region1) = "10.0.128.0/21" - (local.default_region2) = "10.1.128.0/21" + (local.default_region1) = "10.0.128.0/18" + (local.default_region2) = "10.1.128.0/18" } base_subnet_secondary_ranges = { (local.default_region1) = [ { range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-pod" - ip_cidr_range = "100.64.128.0/21" + ip_cidr_range = "100.64.128.0/18" }, { range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-svc" - ip_cidr_range = "100.64.136.0/21" + ip_cidr_range = "100.65.128.0/18" } ] } /* * Restricted network ranges */ - restricted_private_service_cidr = "10.24.128.0/21" + restricted_private_service_cidr = "10.16.48.0/21" restricted_subnet_primary_ranges = { - (local.default_region1) = "10.8.128.0/21" - (local.default_region2) = "10.9.128.0/21" + (local.default_region1) = "10.8.128.0/18" + (local.default_region2) = "10.9.128.0/18" } restricted_subnet_secondary_ranges = { (local.default_region1) = [ { range_name = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-pod" - ip_cidr_range = "100.72.128.0/21" + ip_cidr_range = "100.72.128.0/18" }, { range_name = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-svc" - ip_cidr_range = "100.72.136.0/21" + ip_cidr_range = "100.73.128.0/18" } ] } @@ -78,10 +78,10 @@ module "base_env" { base_private_service_cidr = local.base_private_service_cidr base_subnet_primary_ranges = local.base_subnet_primary_ranges base_subnet_secondary_ranges = local.base_subnet_secondary_ranges - base_private_service_connect_ip = "10.2.128.5" + base_private_service_connect_ip = "10.17.0.3" restricted_private_service_cidr = local.restricted_private_service_cidr restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges - restricted_private_service_connect_ip = "10.10.128.5" + restricted_private_service_connect_ip = "10.17.0.7" remote_state_bucket = var.remote_state_bucket } diff --git a/3-networks-hub-and-spoke/envs/production/main.tf b/3-networks-hub-and-spoke/envs/production/main.tf index 22f4d4733..b4b19aaa7 100644 --- a/3-networks-hub-and-spoke/envs/production/main.tf +++ b/3-networks-hub-and-spoke/envs/production/main.tf @@ -22,40 +22,40 @@ locals { /* * Base network ranges */ - base_private_service_cidr = "10.16.192.0/21" + base_private_service_cidr = "10.16.24.0/21" base_subnet_primary_ranges = { - (local.default_region1) = "10.0.192.0/21" - (local.default_region2) = "10.1.192.0/21" + (local.default_region1) = "10.0.192.0/18" + (local.default_region2) = "10.1.192.0/18" } base_subnet_secondary_ranges = { (local.default_region1) = [ { range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-pod" - ip_cidr_range = "100.64.192.0/21" + ip_cidr_range = "100.64.192.0/18" }, { range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-svc" - ip_cidr_range = "100.64.200.0/21" + ip_cidr_range = "100.65.192.0/18" } ] } /* * Restricted network ranges */ - restricted_private_service_cidr = "10.24.192.0/21" + restricted_private_service_cidr = "10.16.56.0/21" restricted_subnet_primary_ranges = { - (local.default_region1) = "10.8.192.0/21" - (local.default_region2) = "10.9.192.0/21" + (local.default_region1) = "10.8.192.0/18" + (local.default_region2) = "10.9.192.0/18" } restricted_subnet_secondary_ranges = { (local.default_region1) = [ { range_name = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-pod" - ip_cidr_range = "100.72.192.0/21" + ip_cidr_range = "100.72.192.0/18" }, { range_name = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-svc" - ip_cidr_range = "100.72.200.0/21" + ip_cidr_range = "100.73.192.0/18" } ] } @@ -78,10 +78,10 @@ module "base_env" { base_private_service_cidr = local.base_private_service_cidr base_subnet_primary_ranges = local.base_subnet_primary_ranges base_subnet_secondary_ranges = local.base_subnet_secondary_ranges - base_private_service_connect_ip = "10.2.192.5" + base_private_service_connect_ip = "10.17.0.4" restricted_private_service_cidr = local.restricted_private_service_cidr restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges - restricted_private_service_connect_ip = "10.10.192.5" + restricted_private_service_connect_ip = "10.17.0.8" remote_state_bucket = var.remote_state_bucket } From 556733726e0e59c58c158651a53aa9023228a5a8 Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Wed, 29 Nov 2023 15:01:24 -0300 Subject: [PATCH 07/33] Fix other IPs --- .../envs/shared/net-hubs-transitivity.tf | 16 ++++++++-------- .../modules/base_env/main.tf | 4 ++-- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/3-networks-hub-and-spoke/envs/shared/net-hubs-transitivity.tf b/3-networks-hub-and-spoke/envs/shared/net-hubs-transitivity.tf index 048c1f476..23de2b20e 100644 --- a/3-networks-hub-and-spoke/envs/shared/net-hubs-transitivity.tf +++ b/3-networks-hub-and-spoke/envs/shared/net-hubs-transitivity.tf @@ -18,22 +18,22 @@ locals { enable_transitivity = var.enable_hub_and_spoke_transitivity base_regional_aggregates = { (local.default_region1) = [ - "10.0.0.0/16", - "100.64.0.0/16" + "10.0.0.0/18", + "100.64.0.0/18" ] (local.default_region2) = [ - "10.1.0.0/16", - "100.65.0.0/16" + "10.1.0.0/18", + "100.65.0.0/18" ] } restricted_regional_aggregates = { (local.default_region1) = [ - "10.8.0.0/16", - "100.72.0.0/16" + "10.8.0.0/18", + "100.72.0.0/18" ] (local.default_region2) = [ - "10.9.0.0/16", - "100.73.0.0/16" + "10.9.0.0/18", + "100.73.0.0/18" ] } } diff --git a/3-networks-hub-and-spoke/modules/base_env/main.tf b/3-networks-hub-and-spoke/modules/base_env/main.tf index 56b067856..b7e736d9a 100644 --- a/3-networks-hub-and-spoke/modules/base_env/main.tf +++ b/3-networks-hub-and-spoke/modules/base_env/main.tf @@ -30,12 +30,12 @@ locals { /* * Base network ranges */ - base_subnet_aggregates = ["10.0.0.0/16", "10.1.0.0/16", "100.64.0.0/16", "100.65.0.0/16"] + base_subnet_aggregates = ["10.0.0.0/18", "10.1.0.0/18", "100.64.0.0/18", "100.65.0.0/18"] base_hub_subnet_ranges = ["10.0.0.0/24", "10.1.0.0/24"] /* * Restricted network ranges */ - restricted_subnet_aggregates = ["10.8.0.0/16", "10.9.0.0/16", "100.72.0.0/16", "100.73.0.0/16"] + restricted_subnet_aggregates = ["10.8.0.0/18", "10.9.0.0/18", "100.72.0.0/18", "100.73.0.0/18"] restricted_hub_subnet_ranges = ["10.8.0.0/24", "10.9.0.0/24"] supported_restricted_service = [ From 77ea3cc3d46c69dc53e185fd9946ca31a07e2a72 Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Wed, 29 Nov 2023 16:50:16 -0300 Subject: [PATCH 08/33] Fix IP for transitivity --- .../envs/shared/net-hubs-transitivity.tf | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/3-networks-hub-and-spoke/envs/shared/net-hubs-transitivity.tf b/3-networks-hub-and-spoke/envs/shared/net-hubs-transitivity.tf index 23de2b20e..048c1f476 100644 --- a/3-networks-hub-and-spoke/envs/shared/net-hubs-transitivity.tf +++ b/3-networks-hub-and-spoke/envs/shared/net-hubs-transitivity.tf @@ -18,22 +18,22 @@ locals { enable_transitivity = var.enable_hub_and_spoke_transitivity base_regional_aggregates = { (local.default_region1) = [ - "10.0.0.0/18", - "100.64.0.0/18" + "10.0.0.0/16", + "100.64.0.0/16" ] (local.default_region2) = [ - "10.1.0.0/18", - "100.65.0.0/18" + "10.1.0.0/16", + "100.65.0.0/16" ] } restricted_regional_aggregates = { (local.default_region1) = [ - "10.8.0.0/18", - "100.72.0.0/18" + "10.8.0.0/16", + "100.72.0.0/16" ] (local.default_region2) = [ - "10.9.0.0/18", - "100.73.0.0/18" + "10.9.0.0/16", + "100.73.0.0/16" ] } } From b740b10949135c23d744dbfbe54da2ee31f57ff1 Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Wed, 29 Nov 2023 16:55:55 -0300 Subject: [PATCH 09/33] Fix test IPs --- test/integration/networks/networks_test.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/test/integration/networks/networks_test.go b/test/integration/networks/networks_test.go index 34b40b66c..21b47f994 100644 --- a/test/integration/networks/networks_test.go +++ b/test/integration/networks/networks_test.go @@ -231,8 +231,8 @@ func TestNetworks(t *testing.T) { "restricted": []string{"10.8.128.0/21", "10.9.128.0/21"}, }, "production": { - "base": []string{"10.0.192.0/21", "10.1.192.0/21"}, - "restricted": []string{"10.8.192.0/21", "10.9.192.0/21"}, + "base": []string{"10.0.192.0/18", "10.1.192.0/18"}, + "restricted": []string{"10.8.192.0/18", "10.9.192.0/18"}, }, } @@ -246,8 +246,8 @@ func TestNetworks(t *testing.T) { "restricted": "10.10.128.5", }, "production": { - "base": "10.2.192.5", - "restricted": "10.10.192.5", + "base": "10.17.0.4", + "restricted": "10.17.0.8", }, } From 2416f7777dd6e18f6d4a6564935c4c3faf12d799 Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Thu, 30 Nov 2023 00:20:51 -0300 Subject: [PATCH 10/33] Fix IP on test --- test/integration/networks/networks_test.go | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/test/integration/networks/networks_test.go b/test/integration/networks/networks_test.go index 21b47f994..009ccc4df 100644 --- a/test/integration/networks/networks_test.go +++ b/test/integration/networks/networks_test.go @@ -223,12 +223,12 @@ func TestNetworks(t *testing.T) { cidrRanges := map[string]map[string][]string{ "development": { - "base": []string{"10.0.64.0/21", "10.1.64.0/21"}, - "restricted": []string{"10.8.64.0/21", "10.9.64.0/21"}, + "base": []string{"10.0.64.0/18", "10.1.64.0/18"}, + "restricted": []string{"10.8.64.0/18", "10.9.64.0/18"}, }, "non-production": { - "base": []string{"10.0.128.0/21", "10.1.128.0/21"}, - "restricted": []string{"10.8.128.0/21", "10.9.128.0/21"}, + "base": []string{"10.0.128.0/18", "10.1.128.0/21"}, + "restricted": []string{"10.8.128.0/21", "10.9.128.0/18"}, }, "production": { "base": []string{"10.0.192.0/18", "10.1.192.0/18"}, @@ -238,12 +238,12 @@ func TestNetworks(t *testing.T) { googleapisCIDR := map[string]map[string]string{ "development": { - "base": "10.2.64.5", - "restricted": "10.10.64.5", + "base": "10.17.0.2", + "restricted": "10.17.0.6", }, "non-production": { "base": "10.2.128.5", - "restricted": "10.10.128.5", + "restricted": "10.17.0.7", }, "production": { "base": "10.17.0.4", From 2794eb01c35e98d1128ace3ee1d701ebe3d83eda Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Thu, 30 Nov 2023 01:52:39 -0300 Subject: [PATCH 11/33] Fix IP on test --- test/integration/networks/networks_test.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/integration/networks/networks_test.go b/test/integration/networks/networks_test.go index 009ccc4df..6537f0d9b 100644 --- a/test/integration/networks/networks_test.go +++ b/test/integration/networks/networks_test.go @@ -227,8 +227,8 @@ func TestNetworks(t *testing.T) { "restricted": []string{"10.8.64.0/18", "10.9.64.0/18"}, }, "non-production": { - "base": []string{"10.0.128.0/18", "10.1.128.0/21"}, - "restricted": []string{"10.8.128.0/21", "10.9.128.0/18"}, + "base": []string{"10.0.128.0/18", "10.1.128.0/18"}, + "restricted": []string{"10.8.128.0/18", "10.9.128.0/18"}, }, "production": { "base": []string{"10.0.192.0/18", "10.1.192.0/18"}, @@ -242,7 +242,7 @@ func TestNetworks(t *testing.T) { "restricted": "10.17.0.6", }, "non-production": { - "base": "10.2.128.5", + "base": "10.17.0.3", "restricted": "10.17.0.7", }, "production": { From 64049cad874656974ad4a70880f51d6d4817ea33 Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Mon, 4 Dec 2023 13:42:49 -0300 Subject: [PATCH 12/33] Add variables to new proxy-only subnets --- 3-networks-dual-svpc/modules/base_env/main.tf | 37 +++++++++++++++++++ .../modules/base_env/variables.tf | 10 +++++ .../modules/base_env/main.tf | 36 ++++++++++++++++++ .../modules/base_env/variables.tf | 10 +++++ 4 files changed, 93 insertions(+) diff --git a/3-networks-dual-svpc/modules/base_env/main.tf b/3-networks-dual-svpc/modules/base_env/main.tf index 70c4dfa33..2b6492efc 100644 --- a/3-networks-dual-svpc/modules/base_env/main.tf +++ b/3-networks-dual-svpc/modules/base_env/main.tf @@ -244,6 +244,24 @@ module "restricted_shared_vpc" { subnet_private_access = "true" subnet_flow_logs = true description = "Second ${var.env} subnet example." + }, + { + subnet_name = "sb-${var.environment_code}-shared-restricted-proxy-${var.default_region1}" + subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region1] + subnet_region = var.default_region1 + subnet_private_access = "true" + subnet_flow_logs = false + description = "First ${var.env} proxy-only subnet example." + purpose = "REGIONAL_MANAGED_PROXY" + }, + { + subnet_name = "sb-${var.environment_code}-shared-restricted-proxy-${var.default_region2}" + subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region2] + subnet_region = var.default_region2 + subnet_private_access = "true" + subnet_flow_logs = false + description = "Second ${var.env} proxy-only subnet example." + purpose = "REGIONAL_MANAGED_PROXY" } ] secondary_ranges = { @@ -286,8 +304,27 @@ module "base_shared_vpc" { subnet_private_access = "true" subnet_flow_logs = true description = "Second ${var.env} subnet example." + }, + { + subnet_name = "sb-${var.environment_code}-shared-base-proxy-${var.default_region1}" + subnet_ip = var.base_subnet_proxy_ranges[var.default_region1] + subnet_region = var.default_region1 + subnet_private_access = "true" + subnet_flow_logs = false + description = "First ${var.env} proxy-only subnet example." + purpose = "REGIONAL_MANAGED_PROXY" + }, + { + subnet_name = "sb-${var.environment_code}-shared-base-proxy-${var.default_region2}" + subnet_ip = var.base_subnet_proxy_ranges[var.default_region2] + subnet_region = var.default_region2 + subnet_private_access = "true" + subnet_flow_logs = false + description = "Second ${var.env} proxy-only subnet example." + purpose = "REGIONAL_MANAGED_PROXY" } ] + secondary_ranges = { "sb-${var.environment_code}-shared-base-${var.default_region1}" = var.base_subnet_secondary_ranges[var.default_region1] } diff --git a/3-networks-dual-svpc/modules/base_env/variables.tf b/3-networks-dual-svpc/modules/base_env/variables.tf index 1b656ba15..10de1c464 100644 --- a/3-networks-dual-svpc/modules/base_env/variables.tf +++ b/3-networks-dual-svpc/modules/base_env/variables.tf @@ -71,6 +71,11 @@ variable "base_subnet_primary_ranges" { description = "The base subnet primary IPTs ranges to the Base Shared Vpc." } +variable "base_subnet_proxy_ranges" { + type = map(string) + description = "The base proxy-only subnet primary IPTs ranges to the Base Shared Vpc." +} + variable "base_subnet_secondary_ranges" { type = map(list(map(string))) description = "The base subnet secondary IPTs ranges to the Base Shared Vpc." @@ -91,6 +96,11 @@ variable "restricted_subnet_primary_ranges" { description = "The base subnet primary IPTs ranges to the Restricted Shared Vpc." } +variable "restricted_subnet_proxy_ranges" { + type = map(string) + description = "The base proxy-only subnet primary IPTs ranges to the Restricted Shared Vpc." +} + variable "restricted_subnet_secondary_ranges" { type = map(list(map(string))) description = "The base subnet secondary IPTs ranges to the Restricted Shared Vpc" diff --git a/3-networks-hub-and-spoke/modules/base_env/main.tf b/3-networks-hub-and-spoke/modules/base_env/main.tf index b7e736d9a..5bf7cc697 100644 --- a/3-networks-hub-and-spoke/modules/base_env/main.tf +++ b/3-networks-hub-and-spoke/modules/base_env/main.tf @@ -234,6 +234,24 @@ module "restricted_shared_vpc" { subnet_private_access = "true" subnet_flow_logs = true description = "Second ${var.env} subnet example." + }, + { + subnet_name = "sb-${var.environment_code}-shared-restricted-proxy-${var.default_region1}" + subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region1] + subnet_region = var.default_region1 + subnet_private_access = "true" + subnet_flow_logs = false + description = "First ${var.env} proxy-only subnet example." + purpose = "REGIONAL_MANAGED_PROXY" + }, + { + subnet_name = "sb-${var.environment_code}-shared-restricted-proxy-${var.default_region2}" + subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region2] + subnet_region = var.default_region2 + subnet_private_access = "true" + subnet_flow_logs = false + description = "Second ${var.env} proxy-only subnet example." + purpose = "REGIONAL_MANAGED_PROXY" } ] secondary_ranges = { @@ -278,6 +296,24 @@ module "base_shared_vpc" { subnet_private_access = "true" subnet_flow_logs = true description = "Second ${var.env} subnet example." + }, + { + subnet_name = "sb-${var.environment_code}-shared-base-proxy-${var.default_region1}" + subnet_ip = var.base_subnet_proxy_ranges[var.default_region1] + subnet_region = var.default_region1 + subnet_private_access = "true" + subnet_flow_logs = false + description = "First ${var.env} proxy-only subnet example." + purpose = "REGIONAL_MANAGED_PROXY" + }, + { + subnet_name = "sb-${var.environment_code}-shared-base-proxy-${var.default_region2}" + subnet_ip = var.base_subnet_proxy_ranges[var.default_region2] + subnet_region = var.default_region2 + subnet_private_access = "true" + subnet_flow_logs = false + description = "Second ${var.env} proxy-only subnet example." + purpose = "REGIONAL_MANAGED_PROXY" } ] secondary_ranges = { diff --git a/3-networks-hub-and-spoke/modules/base_env/variables.tf b/3-networks-hub-and-spoke/modules/base_env/variables.tf index 83d05ccf9..a6b57b850 100644 --- a/3-networks-hub-and-spoke/modules/base_env/variables.tf +++ b/3-networks-hub-and-spoke/modules/base_env/variables.tf @@ -71,6 +71,11 @@ variable "base_subnet_primary_ranges" { description = "The base subnet primary IPTs ranges to the Base Shared Vpc." } +variable "base_subnet_proxy_ranges" { + type = map(string) + description = "The base proxy-only subnet primary IPTs ranges to the Base Shared Vpc." +} + variable "base_subnet_secondary_ranges" { type = map(list(map(string))) description = "The base subnet secondary IPTs ranges to the Base Shared Vpc." @@ -91,6 +96,11 @@ variable "restricted_subnet_primary_ranges" { description = "The base subnet primary IPTs ranges to the Restricted Shared Vpc." } +variable "restricted_subnet_proxy_ranges" { + type = map(string) + description = "The base proxy-only subnet primary IPTs ranges to the Restricted Shared Vpc." +} + variable "restricted_subnet_secondary_ranges" { type = map(list(map(string))) description = "The base subnet secondary IPTs ranges to the Restricted Shared Vpc" From 1a9eccb093baf97a56317c4f9c5c3ff7bb2f8343 Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Mon, 4 Dec 2023 14:08:44 -0300 Subject: [PATCH 13/33] Using new variables for proxy-only subnet --- 3-networks-dual-svpc/envs/development/main.tf | 10 +++++ .../envs/non-production/main.tf | 10 +++++ 3-networks-dual-svpc/envs/production/main.tf | 10 +++++ .../envs/development/main.tf | 11 +++++ .../envs/non-production/main.tf | 10 +++++ .../envs/production/main.tf | 10 +++++ .../envs/shared/net-hubs.tf | 41 ++++++++++++++++++- 7 files changed, 101 insertions(+), 1 deletion(-) diff --git a/3-networks-dual-svpc/envs/development/main.tf b/3-networks-dual-svpc/envs/development/main.tf index 52ee93f1e..befba819d 100644 --- a/3-networks-dual-svpc/envs/development/main.tf +++ b/3-networks-dual-svpc/envs/development/main.tf @@ -27,6 +27,10 @@ locals { (local.default_region1) = "10.0.64.0/18" (local.default_region2) = "10.1.64.0/18" } + base_subnet_proxy_ranges = { + (local.default_region1) = "10.18.2.0/23" + (local.default_region2) = "10.19.2.0/23" + } base_subnet_secondary_ranges = { (local.default_region1) = [ { @@ -47,6 +51,10 @@ locals { (local.default_region1) = "10.8.64.0/18" (local.default_region2) = "10.9.64.0/18" } + restricted_subnet_proxy_ranges = { + (local.default_region1) = "10.26.2.0/23" + (local.default_region2) = "10.27.2.0/23" + } restricted_subnet_secondary_ranges = { (local.default_region1) = [ { @@ -76,10 +84,12 @@ module "base_env" { enable_partner_interconnect = false base_private_service_cidr = local.base_private_service_cidr base_subnet_primary_ranges = local.base_subnet_primary_ranges + base_subnet_proxy_ranges = local.base_subnet_proxy_ranges base_subnet_secondary_ranges = local.base_subnet_secondary_ranges base_private_service_connect_ip = "10.17.0.2" restricted_private_service_cidr = local.restricted_private_service_cidr restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges + restricted_subnet_proxy_ranges = local.restricted_subnet_proxy_ranges restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges restricted_private_service_connect_ip = "10.17.0.6" remote_state_bucket = var.remote_state_bucket diff --git a/3-networks-dual-svpc/envs/non-production/main.tf b/3-networks-dual-svpc/envs/non-production/main.tf index f3a8b2eaf..4e1534372 100644 --- a/3-networks-dual-svpc/envs/non-production/main.tf +++ b/3-networks-dual-svpc/envs/non-production/main.tf @@ -27,6 +27,10 @@ locals { (local.default_region1) = "10.0.128.0/18" (local.default_region2) = "10.1.128.0/18" } + base_subnet_proxy_ranges = { + (local.default_region1) = "10.18.4.0/23" + (local.default_region2) = "10.19.4.0/23" + } base_subnet_secondary_ranges = { (local.default_region1) = [ { @@ -47,6 +51,10 @@ locals { (local.default_region1) = "10.8.128.0/18" (local.default_region2) = "10.9.128.0/18" } + restricted_subnet_proxy_ranges = { + (local.default_region1) = "10.26.4.0/23" + (local.default_region2) = "10.27.4.0/23" + } restricted_subnet_secondary_ranges = { (local.default_region1) = [ { @@ -76,9 +84,11 @@ module "base_env" { enable_partner_interconnect = false base_private_service_cidr = local.base_private_service_cidr base_subnet_primary_ranges = local.base_subnet_primary_ranges + base_subnet_proxy_ranges = local.base_subnet_proxy_ranges base_subnet_secondary_ranges = local.base_subnet_secondary_ranges base_private_service_connect_ip = "10.17.0.3" restricted_private_service_cidr = local.restricted_private_service_cidr + restricted_subnet_proxy_ranges = local.restricted_subnet_proxy_ranges restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges restricted_private_service_connect_ip = "10.17.0.7" diff --git a/3-networks-dual-svpc/envs/production/main.tf b/3-networks-dual-svpc/envs/production/main.tf index 646641771..b24ac2faa 100644 --- a/3-networks-dual-svpc/envs/production/main.tf +++ b/3-networks-dual-svpc/envs/production/main.tf @@ -27,6 +27,10 @@ locals { (local.default_region1) = "10.0.192.0/18" (local.default_region2) = "10.1.192.0/18" } + base_subnet_proxy_ranges = { + (local.default_region1) = "10.18.6.0/23" + (local.default_region2) = "10.19.6.0/23" + } base_subnet_secondary_ranges = { (local.default_region1) = [ { @@ -47,6 +51,10 @@ locals { (local.default_region1) = "10.8.192.0/18" (local.default_region2) = "10.9.192.0/18" } + restricted_subnet_proxy_ranges = { + (local.default_region1) = "10.26.6.0/23" + (local.default_region2) = "10.27.6.0/23" + } restricted_subnet_secondary_ranges = { (local.default_region1) = [ { @@ -76,10 +84,12 @@ module "base_env" { enable_partner_interconnect = false base_private_service_cidr = local.base_private_service_cidr base_subnet_primary_ranges = local.base_subnet_primary_ranges + base_subnet_proxy_ranges = local.base_subnet_proxy_ranges base_subnet_secondary_ranges = local.base_subnet_secondary_ranges base_private_service_connect_ip = "10.17.0.4" restricted_private_service_cidr = local.restricted_private_service_cidr restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges + restricted_subnet_proxy_ranges = local.restricted_subnet_proxy_ranges restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges restricted_private_service_connect_ip = "10.17.0.8" remote_state_bucket = var.remote_state_bucket diff --git a/3-networks-hub-and-spoke/envs/development/main.tf b/3-networks-hub-and-spoke/envs/development/main.tf index 3eadf2469..629708dc5 100644 --- a/3-networks-hub-and-spoke/envs/development/main.tf +++ b/3-networks-hub-and-spoke/envs/development/main.tf @@ -27,6 +27,11 @@ locals { (local.default_region1) = "10.0.64.0/18" (local.default_region2) = "10.1.64.0/18" } + + base_subnet_proxy_ranges = { + (local.default_region1) = "10.18.2.0/23" + (local.default_region2) = "10.19.2.0/23" + } base_subnet_secondary_ranges = { (local.default_region1) = [ { @@ -47,6 +52,10 @@ locals { (local.default_region1) = "10.8.64.0/18" (local.default_region2) = "10.9.64.0/18" } + restricted_subnet_proxy_ranges = { + (local.default_region1) = "10.26.2.0/23" + (local.default_region2) = "10.27.2.0/23" + } restricted_subnet_secondary_ranges = { (local.default_region1) = [ { @@ -77,10 +86,12 @@ module "base_env" { enable_hub_and_spoke_transitivity = var.enable_hub_and_spoke_transitivity base_private_service_cidr = local.base_private_service_cidr base_subnet_primary_ranges = local.base_subnet_primary_ranges + base_subnet_proxy_ranges = local.base_subnet_proxy_ranges base_subnet_secondary_ranges = local.base_subnet_secondary_ranges base_private_service_connect_ip = "10.17.0.2" restricted_private_service_cidr = local.restricted_private_service_cidr restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges + restricted_subnet_proxy_ranges = local.restricted_subnet_proxy_ranges restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges restricted_private_service_connect_ip = "10.17.0.6" remote_state_bucket = var.remote_state_bucket diff --git a/3-networks-hub-and-spoke/envs/non-production/main.tf b/3-networks-hub-and-spoke/envs/non-production/main.tf index 70736ca92..85fadf938 100644 --- a/3-networks-hub-and-spoke/envs/non-production/main.tf +++ b/3-networks-hub-and-spoke/envs/non-production/main.tf @@ -27,6 +27,10 @@ locals { (local.default_region1) = "10.0.128.0/18" (local.default_region2) = "10.1.128.0/18" } + base_subnet_proxy_ranges = { + (local.default_region1) = "10.18.4.0/23" + (local.default_region2) = "10.19.4.0/23" + } base_subnet_secondary_ranges = { (local.default_region1) = [ { @@ -47,6 +51,10 @@ locals { (local.default_region1) = "10.8.128.0/18" (local.default_region2) = "10.9.128.0/18" } + restricted_subnet_proxy_ranges = { + (local.default_region1) = "10.26.4.0/23" + (local.default_region2) = "10.27.4.0/23" + } restricted_subnet_secondary_ranges = { (local.default_region1) = [ { @@ -77,10 +85,12 @@ module "base_env" { enable_hub_and_spoke_transitivity = var.enable_hub_and_spoke_transitivity base_private_service_cidr = local.base_private_service_cidr base_subnet_primary_ranges = local.base_subnet_primary_ranges + base_subnet_proxy_ranges = local.base_subnet_proxy_ranges base_subnet_secondary_ranges = local.base_subnet_secondary_ranges base_private_service_connect_ip = "10.17.0.3" restricted_private_service_cidr = local.restricted_private_service_cidr restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges + restricted_subnet_proxy_ranges = local.restricted_subnet_proxy_ranges restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges restricted_private_service_connect_ip = "10.17.0.7" remote_state_bucket = var.remote_state_bucket diff --git a/3-networks-hub-and-spoke/envs/production/main.tf b/3-networks-hub-and-spoke/envs/production/main.tf index b4b19aaa7..5e524a4cd 100644 --- a/3-networks-hub-and-spoke/envs/production/main.tf +++ b/3-networks-hub-and-spoke/envs/production/main.tf @@ -27,6 +27,10 @@ locals { (local.default_region1) = "10.0.192.0/18" (local.default_region2) = "10.1.192.0/18" } + base_subnet_proxy_ranges = { + (local.default_region1) = "10.18.6.0/23" + (local.default_region2) = "10.19.6.0/23" + } base_subnet_secondary_ranges = { (local.default_region1) = [ { @@ -47,6 +51,10 @@ locals { (local.default_region1) = "10.8.192.0/18" (local.default_region2) = "10.9.192.0/18" } + restricted_subnet_proxy_ranges = { + (local.default_region1) = "10.26.6.0/23" + (local.default_region2) = "10.27.6.0/23" + } restricted_subnet_secondary_ranges = { (local.default_region1) = [ { @@ -77,10 +85,12 @@ module "base_env" { enable_hub_and_spoke_transitivity = var.enable_hub_and_spoke_transitivity base_private_service_cidr = local.base_private_service_cidr base_subnet_primary_ranges = local.base_subnet_primary_ranges + base_subnet_proxy_ranges = local.base_subnet_proxy_ranges base_subnet_secondary_ranges = local.base_subnet_secondary_ranges base_private_service_connect_ip = "10.17.0.4" restricted_private_service_cidr = local.restricted_private_service_cidr restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges + restricted_subnet_proxy_ranges = local.restricted_subnet_proxy_ranges restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges restricted_private_service_connect_ip = "10.17.0.8" remote_state_bucket = var.remote_state_bucket diff --git a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf index a398489cb..e41741ef5 100644 --- a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf +++ b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf @@ -22,6 +22,10 @@ locals { (local.default_region1) = "10.0.0.0/18" (local.default_region2) = "10.1.0.0/18" } + base_subnet_proxy_ranges = { + (local.default_region1) = "10.18.0.0/23" + (local.default_region2) = "10.19.0.0/23" + } /* * Restricted network ranges */ @@ -29,7 +33,10 @@ locals { (local.default_region1) = "10.8.0.0/18" (local.default_region2) = "10.9.0.0/18" } - + restricted_subnet_proxy_ranges = { + (local.default_region1) = "10.26.0.0/23" + (local.default_region2) = "10.27.0.0/23" + } supported_restricted_service = [ "accessapproval.googleapis.com", @@ -200,6 +207,22 @@ module "base_shared_vpc" { subnet_private_access = "true" subnet_flow_logs = var.subnetworks_enable_logging description = "Base network hub subnet for ${local.default_region2}" + }, + { + subnet_name = "sb-c-shared-base-hub-${local.default_region1}-proxy" + subnet_ip = local.base_subnet_proxy_ranges[local.default_region1] + subnet_region = local.default_region1 + subnet_private_access = "true" + subnet_flow_logs = false + description = "Base network hub proxy-only subnet for ${local.default_region1}" + }, + { + subnet_name = "sb-c-shared-base-hub-${local.default_region2}-proxy" + subnet_ip = local.base_subnet_proxy_ranges[local.default_region2] + subnet_region = local.default_region2 + subnet_private_access = "true" + subnet_flow_logs = false + description = "Base network hub proxy-only subnet for ${local.default_region2}" } ] secondary_ranges = {} @@ -256,6 +279,22 @@ module "restricted_shared_vpc" { subnet_private_access = "true" subnet_flow_logs = var.subnetworks_enable_logging description = "Restricted network hub subnet for ${local.default_region2}" + }, + { + subnet_name = "sb-c-shared-restricted-hub-${local.default_region1}-proxy" + subnet_ip = local.restricted_subnet_proxy_ranges[local.default_region1] + subnet_region = local.default_region1 + subnet_private_access = "true" + subnet_flow_logs = false + description = "Restricted network hub proxy-only subnet for ${local.default_region1}" + }, + { + subnet_name = "sb-c-shared-restricted-hub-${local.default_region2}-proxy" + subnet_ip = local.restricted_subnet_proxy_ranges[local.default_region2] + subnet_region = local.default_region2 + subnet_private_access = "true" + subnet_flow_logs = false + description = "Restricted network hub proxy-only subnet for ${local.default_region2}" } ] secondary_ranges = {} From 360d4b041e33477acd5d74e6890d68454afa1d07 Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Mon, 4 Dec 2023 14:11:45 -0300 Subject: [PATCH 14/33] Small fix on proxy-only subnets --- 3-networks-dual-svpc/modules/base_env/main.tf | 8 ++++---- 3-networks-hub-and-spoke/envs/shared/net-hubs.tf | 2 ++ 3-networks-hub-and-spoke/modules/base_env/main.tf | 8 ++++---- 3 files changed, 10 insertions(+), 8 deletions(-) diff --git a/3-networks-dual-svpc/modules/base_env/main.tf b/3-networks-dual-svpc/modules/base_env/main.tf index 2b6492efc..374aa8382 100644 --- a/3-networks-dual-svpc/modules/base_env/main.tf +++ b/3-networks-dual-svpc/modules/base_env/main.tf @@ -246,7 +246,7 @@ module "restricted_shared_vpc" { description = "Second ${var.env} subnet example." }, { - subnet_name = "sb-${var.environment_code}-shared-restricted-proxy-${var.default_region1}" + subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region1}-proxy" subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region1] subnet_region = var.default_region1 subnet_private_access = "true" @@ -255,7 +255,7 @@ module "restricted_shared_vpc" { purpose = "REGIONAL_MANAGED_PROXY" }, { - subnet_name = "sb-${var.environment_code}-shared-restricted-proxy-${var.default_region2}" + subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region2}-proxy" subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region2] subnet_region = var.default_region2 subnet_private_access = "true" @@ -306,7 +306,7 @@ module "base_shared_vpc" { description = "Second ${var.env} subnet example." }, { - subnet_name = "sb-${var.environment_code}-shared-base-proxy-${var.default_region1}" + subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region1}-proxy" subnet_ip = var.base_subnet_proxy_ranges[var.default_region1] subnet_region = var.default_region1 subnet_private_access = "true" @@ -315,7 +315,7 @@ module "base_shared_vpc" { purpose = "REGIONAL_MANAGED_PROXY" }, { - subnet_name = "sb-${var.environment_code}-shared-base-proxy-${var.default_region2}" + subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region2}-proxy" subnet_ip = var.base_subnet_proxy_ranges[var.default_region2] subnet_region = var.default_region2 subnet_private_access = "true" diff --git a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf index e41741ef5..97cfb24a6 100644 --- a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf +++ b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf @@ -215,6 +215,7 @@ module "base_shared_vpc" { subnet_private_access = "true" subnet_flow_logs = false description = "Base network hub proxy-only subnet for ${local.default_region1}" + purpose = "REGIONAL_MANAGED_PROXY" }, { subnet_name = "sb-c-shared-base-hub-${local.default_region2}-proxy" @@ -223,6 +224,7 @@ module "base_shared_vpc" { subnet_private_access = "true" subnet_flow_logs = false description = "Base network hub proxy-only subnet for ${local.default_region2}" + purpose = "REGIONAL_MANAGED_PROXY" } ] secondary_ranges = {} diff --git a/3-networks-hub-and-spoke/modules/base_env/main.tf b/3-networks-hub-and-spoke/modules/base_env/main.tf index 5bf7cc697..dc2118cc1 100644 --- a/3-networks-hub-and-spoke/modules/base_env/main.tf +++ b/3-networks-hub-and-spoke/modules/base_env/main.tf @@ -236,7 +236,7 @@ module "restricted_shared_vpc" { description = "Second ${var.env} subnet example." }, { - subnet_name = "sb-${var.environment_code}-shared-restricted-proxy-${var.default_region1}" + subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region1}-proxy" subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region1] subnet_region = var.default_region1 subnet_private_access = "true" @@ -245,7 +245,7 @@ module "restricted_shared_vpc" { purpose = "REGIONAL_MANAGED_PROXY" }, { - subnet_name = "sb-${var.environment_code}-shared-restricted-proxy-${var.default_region2}" + subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region2}-proxy" subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region2] subnet_region = var.default_region2 subnet_private_access = "true" @@ -298,7 +298,7 @@ module "base_shared_vpc" { description = "Second ${var.env} subnet example." }, { - subnet_name = "sb-${var.environment_code}-shared-base-proxy-${var.default_region1}" + subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region1}-proxy" subnet_ip = var.base_subnet_proxy_ranges[var.default_region1] subnet_region = var.default_region1 subnet_private_access = "true" @@ -307,7 +307,7 @@ module "base_shared_vpc" { purpose = "REGIONAL_MANAGED_PROXY" }, { - subnet_name = "sb-${var.environment_code}-shared-base-proxy-${var.default_region2}" + subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region2}-proxy" subnet_ip = var.base_subnet_proxy_ranges[var.default_region2] subnet_region = var.default_region2 subnet_private_access = "true" From 92471e91fd6e8317d637486f876f50f891b4791a Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Mon, 4 Dec 2023 14:14:54 -0300 Subject: [PATCH 15/33] Lint --- 3-networks-dual-svpc/envs/development/main.tf | 4 ++-- 3-networks-dual-svpc/envs/non-production/main.tf | 4 ++-- 3-networks-dual-svpc/envs/production/main.tf | 4 ++-- 3-networks-dual-svpc/modules/base_env/README.md | 2 ++ 3-networks-dual-svpc/modules/base_env/main.tf | 2 +- 3-networks-hub-and-spoke/envs/development/main.tf | 4 ++-- 3-networks-hub-and-spoke/envs/non-production/main.tf | 4 ++-- 3-networks-hub-and-spoke/envs/production/main.tf | 4 ++-- 3-networks-hub-and-spoke/modules/base_env/README.md | 2 ++ 9 files changed, 17 insertions(+), 13 deletions(-) diff --git a/3-networks-dual-svpc/envs/development/main.tf b/3-networks-dual-svpc/envs/development/main.tf index befba819d..f2ee96459 100644 --- a/3-networks-dual-svpc/envs/development/main.tf +++ b/3-networks-dual-svpc/envs/development/main.tf @@ -84,12 +84,12 @@ module "base_env" { enable_partner_interconnect = false base_private_service_cidr = local.base_private_service_cidr base_subnet_primary_ranges = local.base_subnet_primary_ranges - base_subnet_proxy_ranges = local.base_subnet_proxy_ranges + base_subnet_proxy_ranges = local.base_subnet_proxy_ranges base_subnet_secondary_ranges = local.base_subnet_secondary_ranges base_private_service_connect_ip = "10.17.0.2" restricted_private_service_cidr = local.restricted_private_service_cidr restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges - restricted_subnet_proxy_ranges = local.restricted_subnet_proxy_ranges + restricted_subnet_proxy_ranges = local.restricted_subnet_proxy_ranges restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges restricted_private_service_connect_ip = "10.17.0.6" remote_state_bucket = var.remote_state_bucket diff --git a/3-networks-dual-svpc/envs/non-production/main.tf b/3-networks-dual-svpc/envs/non-production/main.tf index 4e1534372..0ba66791e 100644 --- a/3-networks-dual-svpc/envs/non-production/main.tf +++ b/3-networks-dual-svpc/envs/non-production/main.tf @@ -84,11 +84,11 @@ module "base_env" { enable_partner_interconnect = false base_private_service_cidr = local.base_private_service_cidr base_subnet_primary_ranges = local.base_subnet_primary_ranges - base_subnet_proxy_ranges = local.base_subnet_proxy_ranges + base_subnet_proxy_ranges = local.base_subnet_proxy_ranges base_subnet_secondary_ranges = local.base_subnet_secondary_ranges base_private_service_connect_ip = "10.17.0.3" restricted_private_service_cidr = local.restricted_private_service_cidr - restricted_subnet_proxy_ranges = local.restricted_subnet_proxy_ranges + restricted_subnet_proxy_ranges = local.restricted_subnet_proxy_ranges restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges restricted_private_service_connect_ip = "10.17.0.7" diff --git a/3-networks-dual-svpc/envs/production/main.tf b/3-networks-dual-svpc/envs/production/main.tf index b24ac2faa..8b97da7ce 100644 --- a/3-networks-dual-svpc/envs/production/main.tf +++ b/3-networks-dual-svpc/envs/production/main.tf @@ -84,12 +84,12 @@ module "base_env" { enable_partner_interconnect = false base_private_service_cidr = local.base_private_service_cidr base_subnet_primary_ranges = local.base_subnet_primary_ranges - base_subnet_proxy_ranges = local.base_subnet_proxy_ranges + base_subnet_proxy_ranges = local.base_subnet_proxy_ranges base_subnet_secondary_ranges = local.base_subnet_secondary_ranges base_private_service_connect_ip = "10.17.0.4" restricted_private_service_cidr = local.restricted_private_service_cidr restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges - restricted_subnet_proxy_ranges = local.restricted_subnet_proxy_ranges + restricted_subnet_proxy_ranges = local.restricted_subnet_proxy_ranges restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges restricted_private_service_connect_ip = "10.17.0.8" remote_state_bucket = var.remote_state_bucket diff --git a/3-networks-dual-svpc/modules/base_env/README.md b/3-networks-dual-svpc/modules/base_env/README.md index 52e50d22f..a95a57356 100644 --- a/3-networks-dual-svpc/modules/base_env/README.md +++ b/3-networks-dual-svpc/modules/base_env/README.md @@ -7,6 +7,7 @@ | base\_private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services in the Base Shared Vpc. | `string` | n/a | yes | | base\_private\_service\_connect\_ip | The base subnet internal IP to be used as the private service connect endpoint in the Base Shared VPC | `string` | n/a | yes | | base\_subnet\_primary\_ranges | The base subnet primary IPTs ranges to the Base Shared Vpc. | `map(string)` | n/a | yes | +| base\_subnet\_proxy\_ranges | The base proxy-only subnet primary IPTs ranges to the Base Shared Vpc. | `map(string)` | n/a | yes | | base\_subnet\_secondary\_ranges | The base subnet secondary IPTs ranges to the Base Shared Vpc. | `map(list(map(string)))` | n/a | yes | | custom\_restricted\_services | List of custom services to be protected by the VPC-SC perimeter. If empty, all supported services (https://cloud.google.com/vpc-service-controls/docs/supported-products) will be protected. | `list(string)` | `[]` | no | | default\_region1 | First subnet region. The shared vpc modules only configures two regions. | `string` | n/a | yes | @@ -23,6 +24,7 @@ | restricted\_private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services in the Restricted Shared Vpc. | `string` | n/a | yes | | restricted\_private\_service\_connect\_ip | The base subnet internal IP to be used as the private service connect endpoint in the Restricted Shared VPC | `string` | n/a | yes | | restricted\_subnet\_primary\_ranges | The base subnet primary IPTs ranges to the Restricted Shared Vpc. | `map(string)` | n/a | yes | +| restricted\_subnet\_proxy\_ranges | The base proxy-only subnet primary IPTs ranges to the Restricted Shared Vpc. | `map(string)` | n/a | yes | | restricted\_subnet\_secondary\_ranges | The base subnet secondary IPTs ranges to the Restricted Shared Vpc | `map(list(map(string)))` | n/a | yes | ## Outputs diff --git a/3-networks-dual-svpc/modules/base_env/main.tf b/3-networks-dual-svpc/modules/base_env/main.tf index 374aa8382..8042fd34d 100644 --- a/3-networks-dual-svpc/modules/base_env/main.tf +++ b/3-networks-dual-svpc/modules/base_env/main.tf @@ -324,7 +324,7 @@ module "base_shared_vpc" { purpose = "REGIONAL_MANAGED_PROXY" } ] - + secondary_ranges = { "sb-${var.environment_code}-shared-base-${var.default_region1}" = var.base_subnet_secondary_ranges[var.default_region1] } diff --git a/3-networks-hub-and-spoke/envs/development/main.tf b/3-networks-hub-and-spoke/envs/development/main.tf index 629708dc5..7307b1ec7 100644 --- a/3-networks-hub-and-spoke/envs/development/main.tf +++ b/3-networks-hub-and-spoke/envs/development/main.tf @@ -86,12 +86,12 @@ module "base_env" { enable_hub_and_spoke_transitivity = var.enable_hub_and_spoke_transitivity base_private_service_cidr = local.base_private_service_cidr base_subnet_primary_ranges = local.base_subnet_primary_ranges - base_subnet_proxy_ranges = local.base_subnet_proxy_ranges + base_subnet_proxy_ranges = local.base_subnet_proxy_ranges base_subnet_secondary_ranges = local.base_subnet_secondary_ranges base_private_service_connect_ip = "10.17.0.2" restricted_private_service_cidr = local.restricted_private_service_cidr restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges - restricted_subnet_proxy_ranges = local.restricted_subnet_proxy_ranges + restricted_subnet_proxy_ranges = local.restricted_subnet_proxy_ranges restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges restricted_private_service_connect_ip = "10.17.0.6" remote_state_bucket = var.remote_state_bucket diff --git a/3-networks-hub-and-spoke/envs/non-production/main.tf b/3-networks-hub-and-spoke/envs/non-production/main.tf index 85fadf938..905141953 100644 --- a/3-networks-hub-and-spoke/envs/non-production/main.tf +++ b/3-networks-hub-and-spoke/envs/non-production/main.tf @@ -85,12 +85,12 @@ module "base_env" { enable_hub_and_spoke_transitivity = var.enable_hub_and_spoke_transitivity base_private_service_cidr = local.base_private_service_cidr base_subnet_primary_ranges = local.base_subnet_primary_ranges - base_subnet_proxy_ranges = local.base_subnet_proxy_ranges + base_subnet_proxy_ranges = local.base_subnet_proxy_ranges base_subnet_secondary_ranges = local.base_subnet_secondary_ranges base_private_service_connect_ip = "10.17.0.3" restricted_private_service_cidr = local.restricted_private_service_cidr restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges - restricted_subnet_proxy_ranges = local.restricted_subnet_proxy_ranges + restricted_subnet_proxy_ranges = local.restricted_subnet_proxy_ranges restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges restricted_private_service_connect_ip = "10.17.0.7" remote_state_bucket = var.remote_state_bucket diff --git a/3-networks-hub-and-spoke/envs/production/main.tf b/3-networks-hub-and-spoke/envs/production/main.tf index 5e524a4cd..ac8a9446c 100644 --- a/3-networks-hub-and-spoke/envs/production/main.tf +++ b/3-networks-hub-and-spoke/envs/production/main.tf @@ -85,12 +85,12 @@ module "base_env" { enable_hub_and_spoke_transitivity = var.enable_hub_and_spoke_transitivity base_private_service_cidr = local.base_private_service_cidr base_subnet_primary_ranges = local.base_subnet_primary_ranges - base_subnet_proxy_ranges = local.base_subnet_proxy_ranges + base_subnet_proxy_ranges = local.base_subnet_proxy_ranges base_subnet_secondary_ranges = local.base_subnet_secondary_ranges base_private_service_connect_ip = "10.17.0.4" restricted_private_service_cidr = local.restricted_private_service_cidr restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges - restricted_subnet_proxy_ranges = local.restricted_subnet_proxy_ranges + restricted_subnet_proxy_ranges = local.restricted_subnet_proxy_ranges restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges restricted_private_service_connect_ip = "10.17.0.8" remote_state_bucket = var.remote_state_bucket diff --git a/3-networks-hub-and-spoke/modules/base_env/README.md b/3-networks-hub-and-spoke/modules/base_env/README.md index f89dc0429..fcfac0703 100644 --- a/3-networks-hub-and-spoke/modules/base_env/README.md +++ b/3-networks-hub-and-spoke/modules/base_env/README.md @@ -7,6 +7,7 @@ | base\_private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services in the Base Shared Vpc. | `string` | n/a | yes | | base\_private\_service\_connect\_ip | The base subnet internal IP to be used as the private service connect endpoint in the Base Shared VPC | `string` | n/a | yes | | base\_subnet\_primary\_ranges | The base subnet primary IPTs ranges to the Base Shared Vpc. | `map(string)` | n/a | yes | +| base\_subnet\_proxy\_ranges | The base proxy-only subnet primary IPTs ranges to the Base Shared Vpc. | `map(string)` | n/a | yes | | base\_subnet\_secondary\_ranges | The base subnet secondary IPTs ranges to the Base Shared Vpc. | `map(list(map(string)))` | n/a | yes | | custom\_restricted\_services | List of custom services to be protected by the VPC-SC perimeter. If empty, all supported services (https://cloud.google.com/vpc-service-controls/docs/supported-products) will be protected. | `list(string)` | `[]` | no | | default\_region1 | First subnet region. The shared vpc modules only configures two regions. | `string` | n/a | yes | @@ -23,6 +24,7 @@ | restricted\_private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services in the Restricted Shared Vpc. | `string` | n/a | yes | | restricted\_private\_service\_connect\_ip | The base subnet internal IP to be used as the private service connect endpoint in the Restricted Shared VPC | `string` | n/a | yes | | restricted\_subnet\_primary\_ranges | The base subnet primary IPTs ranges to the Restricted Shared Vpc. | `map(string)` | n/a | yes | +| restricted\_subnet\_proxy\_ranges | The base proxy-only subnet primary IPTs ranges to the Restricted Shared Vpc. | `map(string)` | n/a | yes | | restricted\_subnet\_secondary\_ranges | The base subnet secondary IPTs ranges to the Restricted Shared Vpc | `map(list(map(string)))` | n/a | yes | ## Outputs From 9e85b9a2ee3d132e271f61ea316c2ddb9585ca36 Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Mon, 4 Dec 2023 18:04:53 -0300 Subject: [PATCH 16/33] Fix proxy subnet creation. --- 3-networks-dual-svpc/modules/base_env/main.tf | 8 ++++---- 3-networks-hub-and-spoke/modules/base_env/main.tf | 12 ++++++------ 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/3-networks-dual-svpc/modules/base_env/main.tf b/3-networks-dual-svpc/modules/base_env/main.tf index 8042fd34d..49290ddda 100644 --- a/3-networks-dual-svpc/modules/base_env/main.tf +++ b/3-networks-dual-svpc/modules/base_env/main.tf @@ -249,18 +249,18 @@ module "restricted_shared_vpc" { subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region1}-proxy" subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region1] subnet_region = var.default_region1 - subnet_private_access = "true" subnet_flow_logs = false description = "First ${var.env} proxy-only subnet example." + role = "ACTIVE" purpose = "REGIONAL_MANAGED_PROXY" }, { subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region2}-proxy" subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region2] subnet_region = var.default_region2 - subnet_private_access = "true" subnet_flow_logs = false description = "Second ${var.env} proxy-only subnet example." + role = "ACTIVE" purpose = "REGIONAL_MANAGED_PROXY" } ] @@ -309,18 +309,18 @@ module "base_shared_vpc" { subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region1}-proxy" subnet_ip = var.base_subnet_proxy_ranges[var.default_region1] subnet_region = var.default_region1 - subnet_private_access = "true" subnet_flow_logs = false description = "First ${var.env} proxy-only subnet example." + role = "ACTIVE" purpose = "REGIONAL_MANAGED_PROXY" }, { subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region2}-proxy" subnet_ip = var.base_subnet_proxy_ranges[var.default_region2] subnet_region = var.default_region2 - subnet_private_access = "true" subnet_flow_logs = false description = "Second ${var.env} proxy-only subnet example." + role = "ACTIVE" purpose = "REGIONAL_MANAGED_PROXY" } ] diff --git a/3-networks-hub-and-spoke/modules/base_env/main.tf b/3-networks-hub-and-spoke/modules/base_env/main.tf index dc2118cc1..931c879e9 100644 --- a/3-networks-hub-and-spoke/modules/base_env/main.tf +++ b/3-networks-hub-and-spoke/modules/base_env/main.tf @@ -239,18 +239,18 @@ module "restricted_shared_vpc" { subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region1}-proxy" subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region1] subnet_region = var.default_region1 - subnet_private_access = "true" subnet_flow_logs = false description = "First ${var.env} proxy-only subnet example." + role = "ACTIVE" purpose = "REGIONAL_MANAGED_PROXY" }, { subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region2}-proxy" subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region2] subnet_region = var.default_region2 - subnet_private_access = "true" subnet_flow_logs = false description = "Second ${var.env} proxy-only subnet example." + role = "ACTIVE" purpose = "REGIONAL_MANAGED_PROXY" } ] @@ -301,18 +301,18 @@ module "base_shared_vpc" { subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region1}-proxy" subnet_ip = var.base_subnet_proxy_ranges[var.default_region1] subnet_region = var.default_region1 - subnet_private_access = "true" - subnet_flow_logs = false description = "First ${var.env} proxy-only subnet example." + subnet_flow_logs = false + role = "ACTIVE" purpose = "REGIONAL_MANAGED_PROXY" }, { subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region2}-proxy" subnet_ip = var.base_subnet_proxy_ranges[var.default_region2] subnet_region = var.default_region2 - subnet_private_access = "true" - subnet_flow_logs = false description = "Second ${var.env} proxy-only subnet example." + subnet_flow_logs = false + role = "ACTIVE" purpose = "REGIONAL_MANAGED_PROXY" } ] From 7b5a19b0752e4fdc431002cc7321cd127e35abb0 Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Mon, 4 Dec 2023 18:25:18 -0300 Subject: [PATCH 17/33] Lint --- 3-networks-dual-svpc/modules/base_env/main.tf | 56 +++++++++---------- .../modules/base_env/main.tf | 56 +++++++++---------- 2 files changed, 56 insertions(+), 56 deletions(-) diff --git a/3-networks-dual-svpc/modules/base_env/main.tf b/3-networks-dual-svpc/modules/base_env/main.tf index 49290ddda..015476aab 100644 --- a/3-networks-dual-svpc/modules/base_env/main.tf +++ b/3-networks-dual-svpc/modules/base_env/main.tf @@ -246,22 +246,22 @@ module "restricted_shared_vpc" { description = "Second ${var.env} subnet example." }, { - subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region1}-proxy" - subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region1] - subnet_region = var.default_region1 - subnet_flow_logs = false - description = "First ${var.env} proxy-only subnet example." - role = "ACTIVE" - purpose = "REGIONAL_MANAGED_PROXY" + subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region1}-proxy" + subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region1] + subnet_region = var.default_region1 + subnet_flow_logs = false + description = "First ${var.env} proxy-only subnet example." + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" }, { - subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region2}-proxy" - subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region2] - subnet_region = var.default_region2 - subnet_flow_logs = false - description = "Second ${var.env} proxy-only subnet example." - role = "ACTIVE" - purpose = "REGIONAL_MANAGED_PROXY" + subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region2}-proxy" + subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region2] + subnet_region = var.default_region2 + subnet_flow_logs = false + description = "Second ${var.env} proxy-only subnet example." + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" } ] secondary_ranges = { @@ -306,22 +306,22 @@ module "base_shared_vpc" { description = "Second ${var.env} subnet example." }, { - subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region1}-proxy" - subnet_ip = var.base_subnet_proxy_ranges[var.default_region1] - subnet_region = var.default_region1 - subnet_flow_logs = false - description = "First ${var.env} proxy-only subnet example." - role = "ACTIVE" - purpose = "REGIONAL_MANAGED_PROXY" + subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region1}-proxy" + subnet_ip = var.base_subnet_proxy_ranges[var.default_region1] + subnet_region = var.default_region1 + subnet_flow_logs = false + description = "First ${var.env} proxy-only subnet example." + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" }, { - subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region2}-proxy" - subnet_ip = var.base_subnet_proxy_ranges[var.default_region2] - subnet_region = var.default_region2 - subnet_flow_logs = false - description = "Second ${var.env} proxy-only subnet example." - role = "ACTIVE" - purpose = "REGIONAL_MANAGED_PROXY" + subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region2}-proxy" + subnet_ip = var.base_subnet_proxy_ranges[var.default_region2] + subnet_region = var.default_region2 + subnet_flow_logs = false + description = "Second ${var.env} proxy-only subnet example." + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" } ] diff --git a/3-networks-hub-and-spoke/modules/base_env/main.tf b/3-networks-hub-and-spoke/modules/base_env/main.tf index 931c879e9..84a0541c1 100644 --- a/3-networks-hub-and-spoke/modules/base_env/main.tf +++ b/3-networks-hub-and-spoke/modules/base_env/main.tf @@ -236,22 +236,22 @@ module "restricted_shared_vpc" { description = "Second ${var.env} subnet example." }, { - subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region1}-proxy" - subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region1] - subnet_region = var.default_region1 - subnet_flow_logs = false - description = "First ${var.env} proxy-only subnet example." - role = "ACTIVE" - purpose = "REGIONAL_MANAGED_PROXY" + subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region1}-proxy" + subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region1] + subnet_region = var.default_region1 + subnet_flow_logs = false + description = "First ${var.env} proxy-only subnet example." + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" }, { - subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region2}-proxy" - subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region2] - subnet_region = var.default_region2 - subnet_flow_logs = false - description = "Second ${var.env} proxy-only subnet example." - role = "ACTIVE" - purpose = "REGIONAL_MANAGED_PROXY" + subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region2}-proxy" + subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region2] + subnet_region = var.default_region2 + subnet_flow_logs = false + description = "Second ${var.env} proxy-only subnet example." + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" } ] secondary_ranges = { @@ -298,22 +298,22 @@ module "base_shared_vpc" { description = "Second ${var.env} subnet example." }, { - subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region1}-proxy" - subnet_ip = var.base_subnet_proxy_ranges[var.default_region1] - subnet_region = var.default_region1 - description = "First ${var.env} proxy-only subnet example." - subnet_flow_logs = false - role = "ACTIVE" - purpose = "REGIONAL_MANAGED_PROXY" + subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region1}-proxy" + subnet_ip = var.base_subnet_proxy_ranges[var.default_region1] + subnet_region = var.default_region1 + description = "First ${var.env} proxy-only subnet example." + subnet_flow_logs = false + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" }, { - subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region2}-proxy" - subnet_ip = var.base_subnet_proxy_ranges[var.default_region2] - subnet_region = var.default_region2 - description = "Second ${var.env} proxy-only subnet example." - subnet_flow_logs = false - role = "ACTIVE" - purpose = "REGIONAL_MANAGED_PROXY" + subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region2}-proxy" + subnet_ip = var.base_subnet_proxy_ranges[var.default_region2] + subnet_region = var.default_region2 + description = "Second ${var.env} proxy-only subnet example." + subnet_flow_logs = false + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" } ] secondary_ranges = { From e909ada8d25a7e8126769002fae85ab951b269ee Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Mon, 4 Dec 2023 22:07:29 -0300 Subject: [PATCH 18/33] Fix hub proxy subnet --- .../envs/shared/net-hubs.tf | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf index 97cfb24a6..3658cef20 100644 --- a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf +++ b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf @@ -209,22 +209,22 @@ module "base_shared_vpc" { description = "Base network hub subnet for ${local.default_region2}" }, { - subnet_name = "sb-c-shared-base-hub-${local.default_region1}-proxy" - subnet_ip = local.base_subnet_proxy_ranges[local.default_region1] - subnet_region = local.default_region1 - subnet_private_access = "true" - subnet_flow_logs = false - description = "Base network hub proxy-only subnet for ${local.default_region1}" - purpose = "REGIONAL_MANAGED_PROXY" + subnet_name = "sb-c-shared-base-hub-${local.default_region1}-proxy" + subnet_ip = local.base_subnet_proxy_ranges[local.default_region1] + subnet_region = local.default_region1 + subnet_flow_logs = false + description = "Base network hub proxy-only subnet for ${local.default_region1}" + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" }, { - subnet_name = "sb-c-shared-base-hub-${local.default_region2}-proxy" - subnet_ip = local.base_subnet_proxy_ranges[local.default_region2] - subnet_region = local.default_region2 - subnet_private_access = "true" - subnet_flow_logs = false - description = "Base network hub proxy-only subnet for ${local.default_region2}" - purpose = "REGIONAL_MANAGED_PROXY" + subnet_name = "sb-c-shared-base-hub-${local.default_region2}-proxy" + subnet_ip = local.base_subnet_proxy_ranges[local.default_region2] + subnet_region = local.default_region2 + subnet_flow_logs = false + description = "Base network hub proxy-only subnet for ${local.default_region2}" + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" } ] secondary_ranges = {} From 9db58f16739770ddbf7866d4c2970d209ae6f7df Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Tue, 5 Dec 2023 12:47:10 -0300 Subject: [PATCH 19/33] Fix test --- 3-networks-hub-and-spoke/envs/shared/net-hubs.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf index 3658cef20..145c61304 100644 --- a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf +++ b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf @@ -289,6 +289,8 @@ module "restricted_shared_vpc" { subnet_private_access = "true" subnet_flow_logs = false description = "Restricted network hub proxy-only subnet for ${local.default_region1}" + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" }, { subnet_name = "sb-c-shared-restricted-hub-${local.default_region2}-proxy" @@ -297,6 +299,8 @@ module "restricted_shared_vpc" { subnet_private_access = "true" subnet_flow_logs = false description = "Restricted network hub proxy-only subnet for ${local.default_region2}" + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" } ] secondary_ranges = {} From 84c7a4644d82e02952630d01a784b2e841d88dc2 Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Tue, 5 Dec 2023 18:11:58 -0300 Subject: [PATCH 20/33] Fix subnet hub proxy. Remove private access. --- .../envs/shared/net-hubs.tf | 30 +++++++++---------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf index 145c61304..d30fa763a 100644 --- a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf +++ b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf @@ -283,24 +283,22 @@ module "restricted_shared_vpc" { description = "Restricted network hub subnet for ${local.default_region2}" }, { - subnet_name = "sb-c-shared-restricted-hub-${local.default_region1}-proxy" - subnet_ip = local.restricted_subnet_proxy_ranges[local.default_region1] - subnet_region = local.default_region1 - subnet_private_access = "true" - subnet_flow_logs = false - description = "Restricted network hub proxy-only subnet for ${local.default_region1}" - role = "ACTIVE" - purpose = "REGIONAL_MANAGED_PROXY" + subnet_name = "sb-c-shared-restricted-hub-${local.default_region1}-proxy" + subnet_ip = local.restricted_subnet_proxy_ranges[local.default_region1] + subnet_region = local.default_region1 + subnet_flow_logs = false + description = "Restricted network hub proxy-only subnet for ${local.default_region1}" + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" }, { - subnet_name = "sb-c-shared-restricted-hub-${local.default_region2}-proxy" - subnet_ip = local.restricted_subnet_proxy_ranges[local.default_region2] - subnet_region = local.default_region2 - subnet_private_access = "true" - subnet_flow_logs = false - description = "Restricted network hub proxy-only subnet for ${local.default_region2}" - role = "ACTIVE" - purpose = "REGIONAL_MANAGED_PROXY" + subnet_name = "sb-c-shared-restricted-hub-${local.default_region2}-proxy" + subnet_ip = local.restricted_subnet_proxy_ranges[local.default_region2] + subnet_region = local.default_region2 + subnet_flow_logs = false + description = "Restricted network hub proxy-only subnet for ${local.default_region2}" + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" } ] secondary_ranges = {} From a5e052949b0c4960c36e247bedca730d3970b872 Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Mon, 11 Dec 2023 12:24:26 -0300 Subject: [PATCH 21/33] Replace /16 to /18 on hub --- .../envs/shared/net-hubs-transitivity.tf | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/3-networks-hub-and-spoke/envs/shared/net-hubs-transitivity.tf b/3-networks-hub-and-spoke/envs/shared/net-hubs-transitivity.tf index 048c1f476..23de2b20e 100644 --- a/3-networks-hub-and-spoke/envs/shared/net-hubs-transitivity.tf +++ b/3-networks-hub-and-spoke/envs/shared/net-hubs-transitivity.tf @@ -18,22 +18,22 @@ locals { enable_transitivity = var.enable_hub_and_spoke_transitivity base_regional_aggregates = { (local.default_region1) = [ - "10.0.0.0/16", - "100.64.0.0/16" + "10.0.0.0/18", + "100.64.0.0/18" ] (local.default_region2) = [ - "10.1.0.0/16", - "100.65.0.0/16" + "10.1.0.0/18", + "100.65.0.0/18" ] } restricted_regional_aggregates = { (local.default_region1) = [ - "10.8.0.0/16", - "100.72.0.0/16" + "10.8.0.0/18", + "100.72.0.0/18" ] (local.default_region2) = [ - "10.9.0.0/16", - "100.73.0.0/16" + "10.9.0.0/18", + "100.73.0.0/18" ] } } From ac498c52b1fbd97a066de6cab029390acbdbe165 Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Mon, 11 Dec 2023 12:25:14 -0300 Subject: [PATCH 22/33] Other small fixes --- 3-networks-dual-svpc/modules/base_env/main.tf | 8 ++++---- 3-networks-hub-and-spoke/envs/shared/net-hubs.tf | 6 ++++-- 3-networks-hub-and-spoke/modules/base_env/main.tf | 12 ++++++------ 3 files changed, 14 insertions(+), 12 deletions(-) diff --git a/3-networks-dual-svpc/modules/base_env/main.tf b/3-networks-dual-svpc/modules/base_env/main.tf index 8042fd34d..49290ddda 100644 --- a/3-networks-dual-svpc/modules/base_env/main.tf +++ b/3-networks-dual-svpc/modules/base_env/main.tf @@ -249,18 +249,18 @@ module "restricted_shared_vpc" { subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region1}-proxy" subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region1] subnet_region = var.default_region1 - subnet_private_access = "true" subnet_flow_logs = false description = "First ${var.env} proxy-only subnet example." + role = "ACTIVE" purpose = "REGIONAL_MANAGED_PROXY" }, { subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region2}-proxy" subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region2] subnet_region = var.default_region2 - subnet_private_access = "true" subnet_flow_logs = false description = "Second ${var.env} proxy-only subnet example." + role = "ACTIVE" purpose = "REGIONAL_MANAGED_PROXY" } ] @@ -309,18 +309,18 @@ module "base_shared_vpc" { subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region1}-proxy" subnet_ip = var.base_subnet_proxy_ranges[var.default_region1] subnet_region = var.default_region1 - subnet_private_access = "true" subnet_flow_logs = false description = "First ${var.env} proxy-only subnet example." + role = "ACTIVE" purpose = "REGIONAL_MANAGED_PROXY" }, { subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region2}-proxy" subnet_ip = var.base_subnet_proxy_ranges[var.default_region2] subnet_region = var.default_region2 - subnet_private_access = "true" subnet_flow_logs = false description = "Second ${var.env} proxy-only subnet example." + role = "ACTIVE" purpose = "REGIONAL_MANAGED_PROXY" } ] diff --git a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf index 97cfb24a6..0a905795c 100644 --- a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf +++ b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf @@ -286,17 +286,19 @@ module "restricted_shared_vpc" { subnet_name = "sb-c-shared-restricted-hub-${local.default_region1}-proxy" subnet_ip = local.restricted_subnet_proxy_ranges[local.default_region1] subnet_region = local.default_region1 - subnet_private_access = "true" subnet_flow_logs = false description = "Restricted network hub proxy-only subnet for ${local.default_region1}" + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" }, { subnet_name = "sb-c-shared-restricted-hub-${local.default_region2}-proxy" subnet_ip = local.restricted_subnet_proxy_ranges[local.default_region2] subnet_region = local.default_region2 - subnet_private_access = "true" subnet_flow_logs = false description = "Restricted network hub proxy-only subnet for ${local.default_region2}" + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" } ] secondary_ranges = {} diff --git a/3-networks-hub-and-spoke/modules/base_env/main.tf b/3-networks-hub-and-spoke/modules/base_env/main.tf index dc2118cc1..931c879e9 100644 --- a/3-networks-hub-and-spoke/modules/base_env/main.tf +++ b/3-networks-hub-and-spoke/modules/base_env/main.tf @@ -239,18 +239,18 @@ module "restricted_shared_vpc" { subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region1}-proxy" subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region1] subnet_region = var.default_region1 - subnet_private_access = "true" subnet_flow_logs = false description = "First ${var.env} proxy-only subnet example." + role = "ACTIVE" purpose = "REGIONAL_MANAGED_PROXY" }, { subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region2}-proxy" subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region2] subnet_region = var.default_region2 - subnet_private_access = "true" subnet_flow_logs = false description = "Second ${var.env} proxy-only subnet example." + role = "ACTIVE" purpose = "REGIONAL_MANAGED_PROXY" } ] @@ -301,18 +301,18 @@ module "base_shared_vpc" { subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region1}-proxy" subnet_ip = var.base_subnet_proxy_ranges[var.default_region1] subnet_region = var.default_region1 - subnet_private_access = "true" - subnet_flow_logs = false description = "First ${var.env} proxy-only subnet example." + subnet_flow_logs = false + role = "ACTIVE" purpose = "REGIONAL_MANAGED_PROXY" }, { subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region2}-proxy" subnet_ip = var.base_subnet_proxy_ranges[var.default_region2] subnet_region = var.default_region2 - subnet_private_access = "true" - subnet_flow_logs = false description = "Second ${var.env} proxy-only subnet example." + subnet_flow_logs = false + role = "ACTIVE" purpose = "REGIONAL_MANAGED_PROXY" } ] From 351e51283bdec36b660bf618f667cd5d49fc26d1 Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Mon, 11 Dec 2023 12:38:50 -0300 Subject: [PATCH 23/33] Lint --- 0-bootstrap/terraform.example.tfvars | 24 ++++---- 3-networks-dual-svpc/modules/base_env/main.tf | 56 +++++++++---------- .../envs/shared/net-hubs.tf | 28 +++++----- .../modules/base_env/main.tf | 56 +++++++++---------- 4 files changed, 82 insertions(+), 82 deletions(-) diff --git a/0-bootstrap/terraform.example.tfvars b/0-bootstrap/terraform.example.tfvars index 179019d20..93ebde792 100644 --- a/0-bootstrap/terraform.example.tfvars +++ b/0-bootstrap/terraform.example.tfvars @@ -41,22 +41,22 @@ default_region = "us-central1" # create_groups = true, # billing_project = "billing-project", # required_groups = { - # group_org_admins = "group_org_admins_local_test@example.com" - # group_billing_admins = "group_billing_admins_local_test@example.com" - # billing_data_users = "billing_data_users_local_test@example.com" - # audit_data_users = "audit_data_users_local_test@example.com" - # monitoring_workspace_users = "monitoring_workspace_users_local_test@example.com" +# group_org_admins = "group_org_admins_local_test@example.com" +# group_billing_admins = "group_billing_admins_local_test@example.com" +# billing_data_users = "billing_data_users_local_test@example.com" +# audit_data_users = "audit_data_users_local_test@example.com" +# monitoring_workspace_users = "monitoring_workspace_users_local_test@example.com" # }, # optional_groups = { - # gcp_platform_viewer = "gcp_platform_viewer_local_test@example.com" - # gcp_security_reviewer = "gcp_security_reviewer_local_test@example.com" - # gcp_network_viewer = "gcp_network_viewer_local_test@example.com" - # gcp_scc_admin = "gcp_scc_admin_local_test@example.com" - # gcp_global_secrets_admin = "gcp_global_secrets_admin_local_test@example.com" - # gcp_audit_viewer = "gcp_audit_viewer_local_test@example.com" +# gcp_platform_viewer = "gcp_platform_viewer_local_test@example.com" +# gcp_security_reviewer = "gcp_security_reviewer_local_test@example.com" +# gcp_network_viewer = "gcp_network_viewer_local_test@example.com" +# gcp_scc_admin = "gcp_scc_admin_local_test@example.com" +# gcp_global_secrets_admin = "gcp_global_secrets_admin_local_test@example.com" +# gcp_audit_viewer = "gcp_audit_viewer_local_test@example.com" # } # } -# + /* ---------------------------------------- diff --git a/3-networks-dual-svpc/modules/base_env/main.tf b/3-networks-dual-svpc/modules/base_env/main.tf index 49290ddda..015476aab 100644 --- a/3-networks-dual-svpc/modules/base_env/main.tf +++ b/3-networks-dual-svpc/modules/base_env/main.tf @@ -246,22 +246,22 @@ module "restricted_shared_vpc" { description = "Second ${var.env} subnet example." }, { - subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region1}-proxy" - subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region1] - subnet_region = var.default_region1 - subnet_flow_logs = false - description = "First ${var.env} proxy-only subnet example." - role = "ACTIVE" - purpose = "REGIONAL_MANAGED_PROXY" + subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region1}-proxy" + subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region1] + subnet_region = var.default_region1 + subnet_flow_logs = false + description = "First ${var.env} proxy-only subnet example." + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" }, { - subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region2}-proxy" - subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region2] - subnet_region = var.default_region2 - subnet_flow_logs = false - description = "Second ${var.env} proxy-only subnet example." - role = "ACTIVE" - purpose = "REGIONAL_MANAGED_PROXY" + subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region2}-proxy" + subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region2] + subnet_region = var.default_region2 + subnet_flow_logs = false + description = "Second ${var.env} proxy-only subnet example." + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" } ] secondary_ranges = { @@ -306,22 +306,22 @@ module "base_shared_vpc" { description = "Second ${var.env} subnet example." }, { - subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region1}-proxy" - subnet_ip = var.base_subnet_proxy_ranges[var.default_region1] - subnet_region = var.default_region1 - subnet_flow_logs = false - description = "First ${var.env} proxy-only subnet example." - role = "ACTIVE" - purpose = "REGIONAL_MANAGED_PROXY" + subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region1}-proxy" + subnet_ip = var.base_subnet_proxy_ranges[var.default_region1] + subnet_region = var.default_region1 + subnet_flow_logs = false + description = "First ${var.env} proxy-only subnet example." + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" }, { - subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region2}-proxy" - subnet_ip = var.base_subnet_proxy_ranges[var.default_region2] - subnet_region = var.default_region2 - subnet_flow_logs = false - description = "Second ${var.env} proxy-only subnet example." - role = "ACTIVE" - purpose = "REGIONAL_MANAGED_PROXY" + subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region2}-proxy" + subnet_ip = var.base_subnet_proxy_ranges[var.default_region2] + subnet_region = var.default_region2 + subnet_flow_logs = false + description = "Second ${var.env} proxy-only subnet example." + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" } ] diff --git a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf index 0a905795c..15c8f1b78 100644 --- a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf +++ b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf @@ -283,22 +283,22 @@ module "restricted_shared_vpc" { description = "Restricted network hub subnet for ${local.default_region2}" }, { - subnet_name = "sb-c-shared-restricted-hub-${local.default_region1}-proxy" - subnet_ip = local.restricted_subnet_proxy_ranges[local.default_region1] - subnet_region = local.default_region1 - subnet_flow_logs = false - description = "Restricted network hub proxy-only subnet for ${local.default_region1}" - role = "ACTIVE" - purpose = "REGIONAL_MANAGED_PROXY" + subnet_name = "sb-c-shared-restricted-hub-${local.default_region1}-proxy" + subnet_ip = local.restricted_subnet_proxy_ranges[local.default_region1] + subnet_region = local.default_region1 + subnet_flow_logs = false + description = "Restricted network hub proxy-only subnet for ${local.default_region1}" + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" }, { - subnet_name = "sb-c-shared-restricted-hub-${local.default_region2}-proxy" - subnet_ip = local.restricted_subnet_proxy_ranges[local.default_region2] - subnet_region = local.default_region2 - subnet_flow_logs = false - description = "Restricted network hub proxy-only subnet for ${local.default_region2}" - role = "ACTIVE" - purpose = "REGIONAL_MANAGED_PROXY" + subnet_name = "sb-c-shared-restricted-hub-${local.default_region2}-proxy" + subnet_ip = local.restricted_subnet_proxy_ranges[local.default_region2] + subnet_region = local.default_region2 + subnet_flow_logs = false + description = "Restricted network hub proxy-only subnet for ${local.default_region2}" + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" } ] secondary_ranges = {} diff --git a/3-networks-hub-and-spoke/modules/base_env/main.tf b/3-networks-hub-and-spoke/modules/base_env/main.tf index 931c879e9..84a0541c1 100644 --- a/3-networks-hub-and-spoke/modules/base_env/main.tf +++ b/3-networks-hub-and-spoke/modules/base_env/main.tf @@ -236,22 +236,22 @@ module "restricted_shared_vpc" { description = "Second ${var.env} subnet example." }, { - subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region1}-proxy" - subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region1] - subnet_region = var.default_region1 - subnet_flow_logs = false - description = "First ${var.env} proxy-only subnet example." - role = "ACTIVE" - purpose = "REGIONAL_MANAGED_PROXY" + subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region1}-proxy" + subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region1] + subnet_region = var.default_region1 + subnet_flow_logs = false + description = "First ${var.env} proxy-only subnet example." + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" }, { - subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region2}-proxy" - subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region2] - subnet_region = var.default_region2 - subnet_flow_logs = false - description = "Second ${var.env} proxy-only subnet example." - role = "ACTIVE" - purpose = "REGIONAL_MANAGED_PROXY" + subnet_name = "sb-${var.environment_code}-shared-restricted-${var.default_region2}-proxy" + subnet_ip = var.restricted_subnet_proxy_ranges[var.default_region2] + subnet_region = var.default_region2 + subnet_flow_logs = false + description = "Second ${var.env} proxy-only subnet example." + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" } ] secondary_ranges = { @@ -298,22 +298,22 @@ module "base_shared_vpc" { description = "Second ${var.env} subnet example." }, { - subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region1}-proxy" - subnet_ip = var.base_subnet_proxy_ranges[var.default_region1] - subnet_region = var.default_region1 - description = "First ${var.env} proxy-only subnet example." - subnet_flow_logs = false - role = "ACTIVE" - purpose = "REGIONAL_MANAGED_PROXY" + subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region1}-proxy" + subnet_ip = var.base_subnet_proxy_ranges[var.default_region1] + subnet_region = var.default_region1 + description = "First ${var.env} proxy-only subnet example." + subnet_flow_logs = false + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" }, { - subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region2}-proxy" - subnet_ip = var.base_subnet_proxy_ranges[var.default_region2] - subnet_region = var.default_region2 - description = "Second ${var.env} proxy-only subnet example." - subnet_flow_logs = false - role = "ACTIVE" - purpose = "REGIONAL_MANAGED_PROXY" + subnet_name = "sb-${var.environment_code}-shared-base-${var.default_region2}-proxy" + subnet_ip = var.base_subnet_proxy_ranges[var.default_region2] + subnet_region = var.default_region2 + description = "Second ${var.env} proxy-only subnet example." + subnet_flow_logs = false + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" } ] secondary_ranges = { From d5ae8aae3a6b274fa7f34b0587856092411d8e90 Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Mon, 11 Dec 2023 20:19:51 -0300 Subject: [PATCH 24/33] Fix subnets creation and proxy-only --- .../modules/base_shared_vpc/variables.tf | 19 ++++++++++++- .../restricted_shared_vpc/variables.tf | 19 ++++++++++++- .../envs/shared/net-hubs-transitivity.tf | 16 +++++------ .../envs/shared/net-hubs.tf | 28 +++++++++---------- .../modules/base_shared_vpc/variables.tf | 19 ++++++++++++- .../restricted_shared_vpc/variables.tf | 19 ++++++++++++- 6 files changed, 94 insertions(+), 26 deletions(-) diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf index 4a8e779fd..5c4b1346d 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf +++ b/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf @@ -69,7 +69,24 @@ variable "bgp_asn_subnet" { } variable "subnets" { - type = list(map(string)) + type = list(object({ + subnet_name = string + subnet_ip = string + subnet_region = string + subnet_private_access = optional(string, "false") + subnet_private_ipv6_access = optional(string) + subnet_flow_logs = optional(string, "false") + subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC") + subnet_flow_logs_sampling = optional(string, "0.5") + subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA") + subnet_flow_logs_filter = optional(string, "true") + subnet_flow_logs_metadata_fields = optional(list(string), []) + description = optional(string) + purpose = optional(string) + role = optional(string) + stack_type = optional(string) + ipv6_access_type = optional(string) + })) description = "The list of subnets being created" default = [] } diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf index 47bb94ab0..fceb6f26b 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf @@ -79,7 +79,24 @@ variable "default_region2" { } variable "subnets" { - type = list(map(string)) + type = list(object({ + subnet_name = string + subnet_ip = string + subnet_region = string + subnet_private_access = optional(string, "false") + subnet_private_ipv6_access = optional(string) + subnet_flow_logs = optional(string, "false") + subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC") + subnet_flow_logs_sampling = optional(string, "0.5") + subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA") + subnet_flow_logs_filter = optional(string, "true") + subnet_flow_logs_metadata_fields = optional(list(string), []) + description = optional(string) + purpose = optional(string) + role = optional(string) + stack_type = optional(string) + ipv6_access_type = optional(string) + })) description = "The list of subnets being created" default = [] } diff --git a/3-networks-hub-and-spoke/envs/shared/net-hubs-transitivity.tf b/3-networks-hub-and-spoke/envs/shared/net-hubs-transitivity.tf index 23de2b20e..048c1f476 100644 --- a/3-networks-hub-and-spoke/envs/shared/net-hubs-transitivity.tf +++ b/3-networks-hub-and-spoke/envs/shared/net-hubs-transitivity.tf @@ -18,22 +18,22 @@ locals { enable_transitivity = var.enable_hub_and_spoke_transitivity base_regional_aggregates = { (local.default_region1) = [ - "10.0.0.0/18", - "100.64.0.0/18" + "10.0.0.0/16", + "100.64.0.0/16" ] (local.default_region2) = [ - "10.1.0.0/18", - "100.65.0.0/18" + "10.1.0.0/16", + "100.65.0.0/16" ] } restricted_regional_aggregates = { (local.default_region1) = [ - "10.8.0.0/18", - "100.72.0.0/18" + "10.8.0.0/16", + "100.72.0.0/16" ] (local.default_region2) = [ - "10.9.0.0/18", - "100.73.0.0/18" + "10.9.0.0/16", + "100.73.0.0/16" ] } } diff --git a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf index 15c8f1b78..d30fa763a 100644 --- a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf +++ b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf @@ -209,22 +209,22 @@ module "base_shared_vpc" { description = "Base network hub subnet for ${local.default_region2}" }, { - subnet_name = "sb-c-shared-base-hub-${local.default_region1}-proxy" - subnet_ip = local.base_subnet_proxy_ranges[local.default_region1] - subnet_region = local.default_region1 - subnet_private_access = "true" - subnet_flow_logs = false - description = "Base network hub proxy-only subnet for ${local.default_region1}" - purpose = "REGIONAL_MANAGED_PROXY" + subnet_name = "sb-c-shared-base-hub-${local.default_region1}-proxy" + subnet_ip = local.base_subnet_proxy_ranges[local.default_region1] + subnet_region = local.default_region1 + subnet_flow_logs = false + description = "Base network hub proxy-only subnet for ${local.default_region1}" + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" }, { - subnet_name = "sb-c-shared-base-hub-${local.default_region2}-proxy" - subnet_ip = local.base_subnet_proxy_ranges[local.default_region2] - subnet_region = local.default_region2 - subnet_private_access = "true" - subnet_flow_logs = false - description = "Base network hub proxy-only subnet for ${local.default_region2}" - purpose = "REGIONAL_MANAGED_PROXY" + subnet_name = "sb-c-shared-base-hub-${local.default_region2}-proxy" + subnet_ip = local.base_subnet_proxy_ranges[local.default_region2] + subnet_region = local.default_region2 + subnet_flow_logs = false + description = "Base network hub proxy-only subnet for ${local.default_region2}" + role = "ACTIVE" + purpose = "REGIONAL_MANAGED_PROXY" } ] secondary_ranges = {} diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf index efb21c323..f9d92a43d 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf @@ -81,7 +81,24 @@ variable "bgp_asn_subnet" { } variable "subnets" { - type = list(map(string)) + type = list(object({ + subnet_name = string + subnet_ip = string + subnet_region = string + subnet_private_access = optional(string, "false") + subnet_private_ipv6_access = optional(string) + subnet_flow_logs = optional(string, "false") + subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC") + subnet_flow_logs_sampling = optional(string, "0.5") + subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA") + subnet_flow_logs_filter = optional(string, "true") + subnet_flow_logs_metadata_fields = optional(list(string), []) + description = optional(string) + purpose = optional(string) + role = optional(string) + stack_type = optional(string) + ipv6_access_type = optional(string) + })) description = "The list of subnets being created" default = [] } diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf index 77836a925..55f9fb0d6 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf +++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf @@ -97,7 +97,24 @@ variable "default_region2" { } variable "subnets" { - type = list(map(string)) + type = list(object({ + subnet_name = string + subnet_ip = string + subnet_region = string + subnet_private_access = optional(string, "false") + subnet_private_ipv6_access = optional(string) + subnet_flow_logs = optional(string, "false") + subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC") + subnet_flow_logs_sampling = optional(string, "0.5") + subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA") + subnet_flow_logs_filter = optional(string, "true") + subnet_flow_logs_metadata_fields = optional(list(string), []) + description = optional(string) + purpose = optional(string) + role = optional(string) + stack_type = optional(string) + ipv6_access_type = optional(string) + })) description = "The list of subnets being created" default = [] } From c99cd067d52d5ccc2332b31f6d47365aee2e763d Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Mon, 11 Dec 2023 20:26:23 -0300 Subject: [PATCH 25/33] Lint readme --- 3-networks-dual-svpc/modules/base_shared_vpc/README.md | 2 +- 3-networks-dual-svpc/modules/restricted_shared_vpc/README.md | 2 +- 3-networks-hub-and-spoke/modules/base_shared_vpc/README.md | 2 +- .../modules/restricted_shared_vpc/README.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/README.md b/3-networks-dual-svpc/modules/base_shared_vpc/README.md index f0b838fab..4a8099725 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/README.md +++ b/3-networks-dual-svpc/modules/base_shared_vpc/README.md @@ -22,7 +22,7 @@ | private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint | `string` | n/a | yes | | project\_id | Project ID for Private Shared VPC. | `string` | n/a | yes | | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no | -| subnets | The list of subnets being created | `list(map(string))` | `[]` | no | +| subnets | The list of subnets being created | 
list(object({
    subnet_name                      = string
    subnet_ip                        = string
    subnet_region                    = string
    subnet_private_access            = optional(string, "false")
    subnet_private_ipv6_access       = optional(string)
    subnet_flow_logs                 = optional(string, "false")
    subnet_flow_logs_interval        = optional(string, "INTERVAL_5_SEC")
    subnet_flow_logs_sampling        = optional(string, "0.5")
    subnet_flow_logs_metadata        = optional(string, "INCLUDE_ALL_METADATA")
    subnet_flow_logs_filter          = optional(string, "true")
    subnet_flow_logs_metadata_fields = optional(list(string), [])
    description                      = optional(string)
    purpose                          = optional(string)
    role                             = optional(string)
    stack_type                       = optional(string)
    ipv6_access_type                 = optional(string)
  }))
| `[]` | no | | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no | ## Outputs diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md index b6cebf542..35d56c4ed 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md @@ -28,7 +28,7 @@ | project\_number | Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter. | `number` | n/a | yes | | restricted\_services | List of services to restrict. | `list(string)` | n/a | yes | | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no | -| subnets | The list of subnets being created | `list(map(string))` | `[]` | no | +| subnets | The list of subnets being created | 
list(object({
    subnet_name                      = string
    subnet_ip                        = string
    subnet_region                    = string
    subnet_private_access            = optional(string, "false")
    subnet_private_ipv6_access       = optional(string)
    subnet_flow_logs                 = optional(string, "false")
    subnet_flow_logs_interval        = optional(string, "INTERVAL_5_SEC")
    subnet_flow_logs_sampling        = optional(string, "0.5")
    subnet_flow_logs_metadata        = optional(string, "INCLUDE_ALL_METADATA")
    subnet_flow_logs_filter          = optional(string, "true")
    subnet_flow_logs_metadata_fields = optional(list(string), [])
    description                      = optional(string)
    purpose                          = optional(string)
    role                             = optional(string)
    stack_type                       = optional(string)
    ipv6_access_type                 = optional(string)
  }))
| `[]` | no | | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no | ## Outputs diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md b/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md index 66e6248c4..e9d33c423 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md @@ -24,7 +24,7 @@ | private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint. | `string` | n/a | yes | | project\_id | Project ID for Private Shared VPC. | `string` | n/a | yes | | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no | -| subnets | The list of subnets being created | `list(map(string))` | `[]` | no | +| subnets | The list of subnets being created | 
list(object({
    subnet_name                      = string
    subnet_ip                        = string
    subnet_region                    = string
    subnet_private_access            = optional(string, "false")
    subnet_private_ipv6_access       = optional(string)
    subnet_flow_logs                 = optional(string, "false")
    subnet_flow_logs_interval        = optional(string, "INTERVAL_5_SEC")
    subnet_flow_logs_sampling        = optional(string, "0.5")
    subnet_flow_logs_metadata        = optional(string, "INCLUDE_ALL_METADATA")
    subnet_flow_logs_filter          = optional(string, "true")
    subnet_flow_logs_metadata_fields = optional(list(string), [])
    description                      = optional(string)
    purpose                          = optional(string)
    role                             = optional(string)
    stack_type                       = optional(string)
    ipv6_access_type                 = optional(string)
  }))
| `[]` | no | | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no | ## Outputs diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md index 0b1970f8d..63291e27a 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md +++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md @@ -31,7 +31,7 @@ | restricted\_net\_hub\_project\_number | The restricted net hub project number | `string` | `""` | no | | restricted\_services | List of services to restrict. | `list(string)` | n/a | yes | | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no | -| subnets | The list of subnets being created | `list(map(string))` | `[]` | no | +| subnets | The list of subnets being created | 
list(object({
    subnet_name                      = string
    subnet_ip                        = string
    subnet_region                    = string
    subnet_private_access            = optional(string, "false")
    subnet_private_ipv6_access       = optional(string)
    subnet_flow_logs                 = optional(string, "false")
    subnet_flow_logs_interval        = optional(string, "INTERVAL_5_SEC")
    subnet_flow_logs_sampling        = optional(string, "0.5")
    subnet_flow_logs_metadata        = optional(string, "INCLUDE_ALL_METADATA")
    subnet_flow_logs_filter          = optional(string, "true")
    subnet_flow_logs_metadata_fields = optional(list(string), [])
    description                      = optional(string)
    purpose                          = optional(string)
    role                             = optional(string)
    stack_type                       = optional(string)
    ipv6_access_type                 = optional(string)
  }))
| `[]` | no | | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no | ## Outputs From 79ce9f3af90ca0c1fde5edd9a230da7f203b6a6a Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Mon, 11 Dec 2023 22:12:25 -0300 Subject: [PATCH 26/33] ipv6 default value: INTERNAL --- 3-networks-dual-svpc/modules/base_env/main.tf | 4 ++++ 3-networks-hub-and-spoke/envs/shared/net-hubs.tf | 4 ++++ 3-networks-hub-and-spoke/modules/base_env/main.tf | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/3-networks-dual-svpc/modules/base_env/main.tf b/3-networks-dual-svpc/modules/base_env/main.tf index cff54a9fd..48d7567f9 100644 --- a/3-networks-dual-svpc/modules/base_env/main.tf +++ b/3-networks-dual-svpc/modules/base_env/main.tf @@ -243,6 +243,7 @@ module "restricted_shared_vpc" { subnet_flow_logs = false description = "First ${var.env} proxy-only subnet example." role = "ACTIVE" + ipv6_access_type = "INTERNAL" purpose = "REGIONAL_MANAGED_PROXY" }, { @@ -252,6 +253,7 @@ module "restricted_shared_vpc" { subnet_flow_logs = false description = "Second ${var.env} proxy-only subnet example." role = "ACTIVE" + ipv6_access_type = "INTERNAL" purpose = "REGIONAL_MANAGED_PROXY" } ] @@ -303,6 +305,7 @@ module "base_shared_vpc" { subnet_flow_logs = false description = "First ${var.env} proxy-only subnet example." role = "ACTIVE" + ipv6_access_type = "INTERNAL" purpose = "REGIONAL_MANAGED_PROXY" }, { @@ -312,6 +315,7 @@ module "base_shared_vpc" { subnet_flow_logs = false description = "Second ${var.env} proxy-only subnet example." role = "ACTIVE" + ipv6_access_type = "INTERNAL" purpose = "REGIONAL_MANAGED_PROXY" } ] diff --git a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf index d30fa763a..1ba3c2a8a 100644 --- a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf +++ b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf @@ -215,6 +215,7 @@ module "base_shared_vpc" { subnet_flow_logs = false description = "Base network hub proxy-only subnet for ${local.default_region1}" role = "ACTIVE" + ipv6_access_type = "INTERNAL" purpose = "REGIONAL_MANAGED_PROXY" }, { @@ -224,6 +225,7 @@ module "base_shared_vpc" { subnet_flow_logs = false description = "Base network hub proxy-only subnet for ${local.default_region2}" role = "ACTIVE" + ipv6_access_type = "INTERNAL" purpose = "REGIONAL_MANAGED_PROXY" } ] @@ -289,6 +291,7 @@ module "restricted_shared_vpc" { subnet_flow_logs = false description = "Restricted network hub proxy-only subnet for ${local.default_region1}" role = "ACTIVE" + ipv6_access_type = "INTERNAL" purpose = "REGIONAL_MANAGED_PROXY" }, { @@ -298,6 +301,7 @@ module "restricted_shared_vpc" { subnet_flow_logs = false description = "Restricted network hub proxy-only subnet for ${local.default_region2}" role = "ACTIVE" + ipv6_access_type = "INTERNAL" purpose = "REGIONAL_MANAGED_PROXY" } ] diff --git a/3-networks-hub-and-spoke/modules/base_env/main.tf b/3-networks-hub-and-spoke/modules/base_env/main.tf index 32fee8b20..885d6b129 100644 --- a/3-networks-hub-and-spoke/modules/base_env/main.tf +++ b/3-networks-hub-and-spoke/modules/base_env/main.tf @@ -238,6 +238,7 @@ module "restricted_shared_vpc" { subnet_flow_logs = false description = "First ${var.env} proxy-only subnet example." role = "ACTIVE" + ipv6_access_type = "INTERNAL" purpose = "REGIONAL_MANAGED_PROXY" }, { @@ -247,6 +248,7 @@ module "restricted_shared_vpc" { subnet_flow_logs = false description = "Second ${var.env} proxy-only subnet example." role = "ACTIVE" + ipv6_access_type = "INTERNAL" purpose = "REGIONAL_MANAGED_PROXY" } ] @@ -300,6 +302,7 @@ module "base_shared_vpc" { description = "First ${var.env} proxy-only subnet example." subnet_flow_logs = false role = "ACTIVE" + ipv6_access_type = "INTERNAL" purpose = "REGIONAL_MANAGED_PROXY" }, { @@ -309,6 +312,7 @@ module "base_shared_vpc" { description = "Second ${var.env} proxy-only subnet example." subnet_flow_logs = false role = "ACTIVE" + ipv6_access_type = "INTERNAL" purpose = "REGIONAL_MANAGED_PROXY" } ] From c58a6eeaa18dcee72df30af12b1d75aa3a9eba5b Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Wed, 13 Dec 2023 18:57:27 -0300 Subject: [PATCH 27/33] Lint --- 3-networks-hub-and-spoke/envs/shared/net-hubs.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf index edd635879..36ffb84d9 100644 --- a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf +++ b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf @@ -287,7 +287,7 @@ module "restricted_shared_vpc" { subnet_flow_logs_metadata = var.restricted_vpc_flow_logs.metadata subnet_flow_logs_metadata_fields = var.restricted_vpc_flow_logs.metadata_fields subnet_flow_logs_filter = var.restricted_vpc_flow_logs.filter_expr - description = "Restricted network hub subnet for ${local.default_region1}" + description = "Restricted network hub subnet for ${local.default_region1}" }, { subnet_name = "sb-c-shared-restricted-hub-${local.default_region2}" @@ -300,7 +300,7 @@ module "restricted_shared_vpc" { subnet_flow_logs_metadata = var.restricted_vpc_flow_logs.metadata subnet_flow_logs_metadata_fields = var.restricted_vpc_flow_logs.metadata_fields subnet_flow_logs_filter = var.restricted_vpc_flow_logs.filter_expr - description = "Restricted network hub subnet for ${local.default_region2}" + description = "Restricted network hub subnet for ${local.default_region2}" }, { subnet_name = "sb-c-shared-restricted-hub-${local.default_region1}-proxy" From 53c3836133853849a82d7f10d49a0e8caaf6ef96 Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Thu, 14 Dec 2023 01:34:33 -0300 Subject: [PATCH 28/33] Remove network test DefaultVerify --- test/integration/networks/networks_test.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/test/integration/networks/networks_test.go b/test/integration/networks/networks_test.go index 83c2b13ab..e64d7b30e 100644 --- a/test/integration/networks/networks_test.go +++ b/test/integration/networks/networks_test.go @@ -327,7 +327,10 @@ func TestNetworks(t *testing.T) { networks.DefineVerify( func(assert *assert.Assertions) { // perform default verification ensuring Terraform reports no additional changes on an applied blueprint - networks.DefaultVerify(assert) + // Comment DefaultVerify because proxy-only subnets tries to change `ipv6_access_type` from `INTERNAL` to `null` on every run (plan and apply) + // Module issue: https://github.com/terraform-google-modules/terraform-google-network/issues/528 + // Resource issue: + // networks.DefaultVerify(assert) servicePerimeterLink := fmt.Sprintf("accessPolicies/%s/servicePerimeters/%s", policyID, networks.GetStringOutput("restricted_service_perimeter_name")) accessLevel := fmt.Sprintf("accessPolicies/%s/accessLevels/%s", policyID, networks.GetStringOutput("restricted_access_level_name")) From d26ab6fe281ef2199a29dc6be769fc9670762569 Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Thu, 14 Dec 2023 09:16:22 -0300 Subject: [PATCH 29/33] Remove shared test DefaultVerify --- test/integration/shared/shared_test.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/test/integration/shared/shared_test.go b/test/integration/shared/shared_test.go index f865c722b..dac4a7dbf 100644 --- a/test/integration/shared/shared_test.go +++ b/test/integration/shared/shared_test.go @@ -81,6 +81,9 @@ func TestShared(t *testing.T) { } // perform default verification ensuring Terraform reports no additional changes on an applied blueprint + // Comment DefaultVerify because proxy-only subnets tries to change `ipv6_access_type` from `INTERNAL` to `null` on every run (plan and apply) + // Module issue: https://github.com/terraform-google-modules/terraform-google-network/issues/528 + // Resource issue: shared.DefaultVerify(assert) projectID := shared.GetStringOutput("dns_hub_project_id") From 5362ea474151bdc9d337f258baa64a1cc5879285 Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Thu, 14 Dec 2023 09:45:57 -0300 Subject: [PATCH 30/33] Remove shared test DefaultVerify --- test/integration/shared/shared_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/integration/shared/shared_test.go b/test/integration/shared/shared_test.go index dac4a7dbf..487da4356 100644 --- a/test/integration/shared/shared_test.go +++ b/test/integration/shared/shared_test.go @@ -84,7 +84,7 @@ func TestShared(t *testing.T) { // Comment DefaultVerify because proxy-only subnets tries to change `ipv6_access_type` from `INTERNAL` to `null` on every run (plan and apply) // Module issue: https://github.com/terraform-google-modules/terraform-google-network/issues/528 // Resource issue: - shared.DefaultVerify(assert) + // shared.DefaultVerify(assert) projectID := shared.GetStringOutput("dns_hub_project_id") networkName := "vpc-c-dns-hub" From 366476d3a37c06331dc012c0fbebfcd7a7d77b04 Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Thu, 14 Dec 2023 16:54:53 -0300 Subject: [PATCH 31/33] Add resource issue on the comment in test files. --- test/integration/networks/networks_test.go | 2 +- test/integration/shared/shared_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/test/integration/networks/networks_test.go b/test/integration/networks/networks_test.go index e64d7b30e..dc957b031 100644 --- a/test/integration/networks/networks_test.go +++ b/test/integration/networks/networks_test.go @@ -329,7 +329,7 @@ func TestNetworks(t *testing.T) { // perform default verification ensuring Terraform reports no additional changes on an applied blueprint // Comment DefaultVerify because proxy-only subnets tries to change `ipv6_access_type` from `INTERNAL` to `null` on every run (plan and apply) // Module issue: https://github.com/terraform-google-modules/terraform-google-network/issues/528 - // Resource issue: + // Resource issue: https://github.com/hashicorp/terraform-provider-google/issues/16801 // networks.DefaultVerify(assert) servicePerimeterLink := fmt.Sprintf("accessPolicies/%s/servicePerimeters/%s", policyID, networks.GetStringOutput("restricted_service_perimeter_name")) diff --git a/test/integration/shared/shared_test.go b/test/integration/shared/shared_test.go index 487da4356..aec4dc083 100644 --- a/test/integration/shared/shared_test.go +++ b/test/integration/shared/shared_test.go @@ -83,7 +83,7 @@ func TestShared(t *testing.T) { // perform default verification ensuring Terraform reports no additional changes on an applied blueprint // Comment DefaultVerify because proxy-only subnets tries to change `ipv6_access_type` from `INTERNAL` to `null` on every run (plan and apply) // Module issue: https://github.com/terraform-google-modules/terraform-google-network/issues/528 - // Resource issue: + // Resource issue: https://github.com/hashicorp/terraform-provider-google/issues/16801 // shared.DefaultVerify(assert) projectID := shared.GetStringOutput("dns_hub_project_id") From c1f3714f45ee01c4857e01e781cb42b378d2248c Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Thu, 14 Dec 2023 21:16:46 -0300 Subject: [PATCH 32/33] Add resource issue on the comment in test files. --- test/integration/networks/networks_test.go | 1 + test/integration/shared/shared_test.go | 1 + 2 files changed, 2 insertions(+) diff --git a/test/integration/networks/networks_test.go b/test/integration/networks/networks_test.go index dc957b031..b99f584d3 100644 --- a/test/integration/networks/networks_test.go +++ b/test/integration/networks/networks_test.go @@ -330,6 +330,7 @@ func TestNetworks(t *testing.T) { // Comment DefaultVerify because proxy-only subnets tries to change `ipv6_access_type` from `INTERNAL` to `null` on every run (plan and apply) // Module issue: https://github.com/terraform-google-modules/terraform-google-network/issues/528 // Resource issue: https://github.com/hashicorp/terraform-provider-google/issues/16801 + // Resource issue: https://github.com/hashicorp/terraform-provider-google/issues/16804 // networks.DefaultVerify(assert) servicePerimeterLink := fmt.Sprintf("accessPolicies/%s/servicePerimeters/%s", policyID, networks.GetStringOutput("restricted_service_perimeter_name")) diff --git a/test/integration/shared/shared_test.go b/test/integration/shared/shared_test.go index aec4dc083..8fc7f422b 100644 --- a/test/integration/shared/shared_test.go +++ b/test/integration/shared/shared_test.go @@ -84,6 +84,7 @@ func TestShared(t *testing.T) { // Comment DefaultVerify because proxy-only subnets tries to change `ipv6_access_type` from `INTERNAL` to `null` on every run (plan and apply) // Module issue: https://github.com/terraform-google-modules/terraform-google-network/issues/528 // Resource issue: https://github.com/hashicorp/terraform-provider-google/issues/16801 + // Resource issue: https://github.com/hashicorp/terraform-provider-google/issues/16804 // shared.DefaultVerify(assert) projectID := shared.GetStringOutput("dns_hub_project_id") From fae02b2c963355e2553c1e5f1f6db6912d2d4997 Mon Sep 17 00:00:00 2001 From: Samir-Cit Date: Wed, 20 Dec 2023 20:18:23 -0300 Subject: [PATCH 33/33] Retry policy for TagValue error --- docs/TROUBLESHOOTING.md | 17 +++++++++++++++++ test/integration/testutils/retry.go | 3 +++ 2 files changed, 20 insertions(+) diff --git a/docs/TROUBLESHOOTING.md b/docs/TROUBLESHOOTING.md index 2837a29b5..6fde4ff84 100644 --- a/docs/TROUBLESHOOTING.md +++ b/docs/TROUBLESHOOTING.md @@ -25,6 +25,7 @@ See [GLOSSARY.md](./GLOSSARY.md). - [Error: Unsupported attribute](#error-unsupported-attribute) - [Error: Error adding network peering](#error-error-adding-network-peering) - [Error: Unknown project id on 4-project step context](#error-unknown-project-id-on-4-project-step-context) +- [Error: Error getting operation for committing purpose for TagValue](#error-error-getting-operation-for-committing-purpose-for-tagvalue) - - - ### Project quota exceeded @@ -334,6 +335,22 @@ This should complete successfully, if you encounter another similar error for an - Make sure you run the taint command just for the resources that contain the [number] at the end of the line returned by terraform state list step. You don't need to run for the groups (the resources that don't have the [] at the end). +### Error: Error getting operation for committing purpose for TagValue + +**Error message:** + +```text +Error: Error waiting to create TagValue: Error waiting for Creating TagValue: Error code 13, message: Error getting operation for committing purpose for TagValue: tagValues/{tag_value_id} +``` + +**Cause:** + +Sometimes when deploying a [google_tags_tag_value](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/tags_tag_value) the error occurs and Terraform is not able to finish the execution. + +**Solution:** + +1. This is a transient error and the deploy can be retried. +1. A retry policy was added to prevent this error during the integration test. - - - ### Caller does not have permission in the Organization diff --git a/test/integration/testutils/retry.go b/test/integration/testutils/retry.go index 0c7e7f6d2..73b0deb69 100644 --- a/test/integration/testutils/retry.go +++ b/test/integration/testutils/retry.go @@ -28,5 +28,8 @@ var ( // Editing VPC Service Controls is eventually consistent. ".*Error 403.*Request is prohibited by organization's policy.*vpcServiceControlsUniqueIdentifier.*": "Request is prohibited by organization's policy.", + + // Error code 13 during the creation of a Resource Manager Tag Value. + ".*Error getting operation for committing purpose for TagValue.*": "Failed creating TagValue.", } )