
extend change to other networking stages
ludoo committed Jan 8, 2025
1 parent a008f87 commit 0a97839
Showing 18 changed files with 573 additions and 150 deletions.
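--- a/fast/stages/2-networking-a-simple/net-dev.tf
+++ b/fast/stages/2-networking-a-simple/net-dev.tf
@@ -19,7 +19,7 @@
 locals {
 # streamline VPC configuration conditionals for modules by moving them here
 dev_cfg = {
-cloudnat = var.vpc_configs.landing.cloudnat.enable == true
+cloudnat = var.vpc_configs.dev.cloudnat.enable == true
 dns_logging = var.vpc_configs.dev.dns.enable_logging == true
 dns_policy = var.vpc_configs.dev.dns.create_inbound_policy == true
 fw_classic = var.vpc_configs.dev.firewall.use_classic == true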
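--- a/fast/stages/2-networking-a-simple/net-prod.tf
+++ b/fast/stages/2-networking-a-simple/net-prod.tf
@@ -19,7 +19,7 @@
 locals {
 # streamline VPC configuration conditionals for modules by moving them here
 prod_cfg = {
-cloudnat = var.vpc_configs.landing.cloudnat.enable == true
+cloudnat = var.vpc_configs.prod.cloudnat.enable == true
 dns_logging = var.vpc_configs.prod.dns.enable_logging == true
 dns_policy = var.vpc_configs.prod.dns.create_inbound_policy == true
 fw_classic = var.vpc_configs.prod.firewall.use_classic == true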
30 changes: 15 additions & 15 deletions fast/stages/2-networking-b-nva/README.md


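--- a/fast/stages/2-networking-b-nva/net-dev.tf
+++ b/fast/stages/2-networking-b-nva/net-dev.tf
@@ -16,6 +16,21 @@
 
 # tfdoc:file:description Dev spoke VPC and related resources.
 
+locals {
+# streamline VPC configuration conditionals for modules by moving them here
+dev_cfg = {
+dns_logging = var.vpc_configs.dev.dns.enable_logging == true
+dns_policy = var.vpc_configs.dev.dns.create_inbound_policy == true
+fw_classic = var.vpc_configs.dev.firewall.use_classic == true
+fw_order = (
+var.vpc_configs.dev.firewall.policy_has_priority == true
+? "BEFORE_CLASSIC_FIREWALL"
+: "AFTER_CLASSIC_FIREWALL"
+)
+fw_policy = var.vpc_configs.dev.firewall.create_policy == true
+}
+}
+
 module "dev-spoke-project" {
 source = "../../../modules/project"
 billing_account = var.billing_account.id
@@ -70,15 +85,17 @@ module "dev-spoke-vpc" {
 project_id = module.dev-spoke-project.project_id
 name = "dev-spoke-0"
 mtu = 1500
-dns_policy = {
-logging = var.dns.enable_logging
+dns_policy = !local.dev_cfg.dns_policy ? {} : {
+inbound = true
+logging = local.dev_cfg.dns_logging
 }
 factories_config = {
 context = { regions = var.regions }
 subnets_folder = "${var.factories_config.data_dir}/subnets/dev"
 }
-delete_default_routes_on_create = true
-psa_configs = var.psa_ranges.dev
+delete_default_routes_on_create = true
+firewall_policy_enforcement_order = local.dev_cfg.fw_order
+psa_configs = var.psa_ranges.dev
 # Set explicit routes for googleapis; send everything else to NVAs
 create_googleapis_routes = {
 private = true
@@ -118,6 +135,7 @@ module "dev-spoke-vpc" {
 
 module "dev-spoke-firewall" {
 source = "../../../modules/net-vpc-firewall"
+count = local.dev_cfg.fw_classic ? 1 : 0
 project_id = module.dev-spoke-project.project_id
 network = module.dev-spoke-vpc.name
 default_rules_config = {
@@ -129,6 +147,23 @@ module "dev-spoke-firewall" {
 }
 }
 
+module "dev-firewall-policy" {
+source = "../../../modules/net-firewall-policy"
+count = local.dev_cfg.fw_policy ? 1 : 0
+name = "dev-spoke-0"
+parent_id = module.dev-spoke-project.project_id
+region = "global"
+attachments = {
+dev-spoke-0 = module.dev-spoke-vpc.id
+}
+# TODO: add context for security groups
+factories_config = {
+cidr_file_path = "${var.factories_config.data_dir}/cidrs.yaml"
+egress_rules_file_path = "${var.factories_config.data_dir}/firewall-policies/dev/egress.yaml"
+ingress_rules_file_path = "${var.factories_config.data_dir}/firewall-policies/dev/ingress.yaml"
+}
+}
+
 module "peering-dev" {
 source = "../../../modules/net-vpc-peering"
 prefix = "dev-peering-0"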
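Review bot: DNS query logging for the dev spoke is now dropped whenever create_inbound_policy is false: in the dev-spoke-vpc hunk `dns_policy = !local.dev_cfg.dns_policy ? {} : { ... }` honours `local.dev_cfg.dns_logging` only inside the inbound branch, whereas the removed `logging = var.dns.enable_logging` applied unconditionally and without `inbound`. A VPC whose dns.enable_logging is true but create_inbound_policy is false therefore silently loses its DNS logs, which is a detection gap rather than a cosmetic change. Unless the net-vpc module requires inbound for a logging-only policy (the removed lines suggest it does not, and I am assuming `inbound` defaults to false when omitted), keeping the two flags independent, e.g. `dns_policy = local.dev_cfg.dns_policy || local.dev_cfg.dns_logging ? { inbound = local.dev_cfg.dns_policy, logging = local.dev_cfg.dns_logging } : {}`, preserves the previous behaviour. The same coupling is introduced for prod-spoke-vpc in net-prod.tf and for dmz-vpc and landing-vpc in net-landing.tf.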
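--- a/fast/stages/2-networking-b-nva/net-landing.tf
+++ b/fast/stages/2-networking-b-nva/net-landing.tf
@@ -16,6 +16,33 @@
 
 # tfdoc:file:description Landing VPC and related resources.
 
+locals {
+# streamline VPC configuration conditionals for modules by moving them here
+dmz_cfg = {
+cloudnat = var.vpc_configs.dmz.cloudnat.enable == true
+dns_logging = var.vpc_configs.dmz.dns.enable_logging == true
+dns_policy = var.vpc_configs.dmz.dns.create_inbound_policy == true
+fw_classic = var.vpc_configs.dmz.firewall.use_classic == true
+fw_order = (
+var.vpc_configs.dmz.firewall.policy_has_priority == true
+? "BEFORE_CLASSIC_FIREWALL"
+: "AFTER_CLASSIC_FIREWALL"
+)
+fw_policy = var.vpc_configs.dmz.firewall.create_policy == true
+}
+landing_cfg = {
+dns_logging = var.vpc_configs.landing.dns.enable_logging == true
+dns_policy = var.vpc_configs.landing.dns.create_inbound_policy == true
+fw_classic = var.vpc_configs.landing.firewall.use_classic == true
+fw_order = (
+var.vpc_configs.landing.firewall.policy_has_priority == true
+? "BEFORE_CLASSIC_FIREWALL"
+: "AFTER_CLASSIC_FIREWALL"
+)
+fw_policy = var.vpc_configs.landing.firewall.create_policy == true
+}
+}
+
 module "landing-project" {
 source = "../../../modules/project"
 billing_account = var.billing_account.id
@@ -49,16 +76,17 @@ module "dmz-vpc" {
 project_id = module.landing-project.project_id
 name = "prod-dmz-0"
 mtu = 1500
-dns_policy = {
+dns_policy = !local.dmz_cfg.dns_policy ? {} : {
 inbound = true
-logging = var.dns.enable_logging
+logging = local.dmz_cfg.dns_logging
 }
 create_googleapis_routes = null
 factories_config = {
 context = { regions = var.regions }
 subnets_folder = "${var.factories_config.data_dir}/subnets/dmz"
 }
-delete_default_routes_on_create = true
+delete_default_routes_on_create = true
+firewall_policy_enforcement_order = local.dmz_cfg.fw_order
 routes = merge(
 {
 default = {
@@ -88,6 +116,7 @@ module "dmz-vpc" {
 
 module "dmz-firewall" {
 source = "../../../modules/net-vpc-firewall"
+count = local.dmz_cfg.fw_classic ? 1 : 0
 project_id = module.landing-project.project_id
 network = module.dmz-vpc.name
 default_rules_config = {
@@ -99,11 +128,28 @@ module "dmz-firewall" {
 }
 }
 
+module "dmz-firewall-policy" {
+source = "../../../modules/net-firewall-policy"
+count = local.dmz_cfg.fw_policy ? 1 : 0
+name = "prod-dmz-0"
+parent_id = module.landing-project.project_id
+region = "global"
+attachments = {
+dmz-0 = module.dmz-vpc.id
+}
+# TODO: add context for security groups
+factories_config = {
+cidr_file_path = "${var.factories_config.data_dir}/cidrs.yaml"
+egress_rules_file_path = "${var.factories_config.data_dir}/firewall-policies/dmz/egress.yaml"
+ingress_rules_file_path = "${var.factories_config.data_dir}/firewall-policies/dmz/ingress.yaml"
+}
+}
+
 # NAT
 
 module "dmz-nat-primary" {
 source = "../../../modules/net-cloudnat"
-count = var.enable_cloud_nat ? 1 : 0
+count = local.dmz_cfg.cloudnat ? 1 : 0
 project_id = module.landing-project.project_id
 region = var.regions.primary
 name = local.region_shortnames[var.regions.primary]
@@ -114,7 +160,7 @@ module "dmz-nat-primary" {
 
 module "dmz-nat-secondary" {
 source = "../../../modules/net-cloudnat"
-count = var.enable_cloud_nat ? 1 : 0
+count = local.dmz_cfg.cloudnat ? 1 : 0
 project_id = module.landing-project.project_id
 region = var.regions.secondary
 name = local.region_shortnames[var.regions.secondary]
@@ -129,15 +175,17 @@ module "landing-vpc" {
 source = "../../../modules/net-vpc"
 project_id = module.landing-project.project_id
 name = "prod-landing-0"
-delete_default_routes_on_create = true
 mtu = 1500
+delete_default_routes_on_create = true
+dns_policy = !local.landing_cfg.dns_policy ? {} : {
+inbound = true
+logging = local.landing_cfg.dns_logging
+}
 factories_config = {
 context = { regions = var.regions }
 subnets_folder = "${var.factories_config.data_dir}/subnets/landing"
 }
-dns_policy = {
-inbound = true
-}
+firewall_policy_enforcement_order = local.landing_cfg.fw_order
 # Set explicit routes for googleapis in case the default route is deleted
 create_googleapis_routes = {
 private = true
@@ -147,6 +195,7 @@ module "landing-vpc" {
 
 module "landing-firewall" {
 source = "../../../modules/net-vpc-firewall"
+count = local.landing_cfg.fw_classic ? 1 : 0
 project_id = module.landing-project.project_id
 network = module.landing-vpc.name
 default_rules_config = {
@@ -157,3 +206,20 @@ module "landing-firewall" {
 rules_folder = "${var.factories_config.data_dir}/firewall-rules/landing"
 }
 }
+
+module "landing-firewall-policy" {
+source = "../../../modules/net-firewall-policy"
+count = local.landing_cfg.fw_policy ? 1 : 0
+name = "prod-landing-0"
+parent_id = module.landing-project.project_id
+region = "global"
+attachments = {
+landing-0 = module.landing-vpc.id
+}
+# TODO: add context for security groups
+factories_config = {
+cidr_file_path = "${var.factories_config.data_dir}/cidrs.yaml"
+egress_rules_file_path = "${var.factories_config.data_dir}/firewall-policies/landing/egress.yaml"
+ingress_rules_file_path = "${var.factories_config.data_dir}/firewall-policies/landing/ingress.yaml"
+}
+}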
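Review bot: The attachment keys in the two new firewall-policy modules do not follow the convention the spoke files use: `dmz-0 = module.dmz-vpc.id` and `landing-0 = module.landing-vpc.id` here, against `dev-spoke-0`/`prod-spoke-0` in net-dev.tf/net-prod.tf, which match the VPC `name`. Since the VPCs in this file are named `prod-dmz-0` and `prod-landing-0`, using those as keys (`prod-dmz-0 = module.dmz-vpc.id`, `prod-landing-0 = module.landing-vpc.id`) keeps the association naming predictable across stages; if the key is surfaced as the policy association name (not visible here), changing it later forces a replace, so it is cheaper to settle now. The `# TODO: add context for security groups` comment is repeated in every new policy module without saying what is missing; naming the expected context key or a tracking issue in it would help the next reader.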
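--- a/fast/stages/2-networking-b-nva/net-prod.tf
+++ b/fast/stages/2-networking-b-nva/net-prod.tf
@@ -16,6 +16,21 @@
 
 # tfdoc:file:description Production spoke VPC and related resources.
 
+locals {
+# streamline VPC configuration conditionals for modules by moving them here
+prod_cfg = {
+dns_logging = var.vpc_configs.prod.dns.enable_logging == true
+dns_policy = var.vpc_configs.prod.dns.create_inbound_policy == true
+fw_classic = var.vpc_configs.prod.firewall.use_classic == true
+fw_order = (
+var.vpc_configs.prod.firewall.policy_has_priority == true
+? "BEFORE_CLASSIC_FIREWALL"
+: "AFTER_CLASSIC_FIREWALL"
+)
+fw_policy = var.vpc_configs.prod.firewall.create_policy == true
+}
+}
+
 module "prod-spoke-project" {
 source = "../../../modules/project"
 billing_account = var.billing_account.id
@@ -70,15 +85,17 @@ module "prod-spoke-vpc" {
 project_id = module.prod-spoke-project.project_id
 name = "prod-spoke-0"
 mtu = 1500
-dns_policy = {
-logging = var.dns.enable_logging
+dns_policy = !local.prod_cfg.dns_policy ? {} : {
+inbound = true
+logging = local.prod_cfg.dns_logging
 }
 factories_config = {
 context = { regions = var.regions }
 subnets_folder = "${var.factories_config.data_dir}/subnets/prod"
 }
-delete_default_routes_on_create = true
-psa_configs = var.psa_ranges.prod
+delete_default_routes_on_create = true
+firewall_policy_enforcement_order = local.prod_cfg.fw_order
+psa_configs = var.psa_ranges.prod
 # Set explicit routes for googleapis; send everything else to NVAs
 create_googleapis_routes = {
 private = true
@@ -118,6 +135,7 @@ module "prod-spoke-vpc" {
 
 module "prod-spoke-firewall" {
 source = "../../../modules/net-vpc-firewall"
+count = local.prod_cfg.fw_classic ? 1 : 0
 project_id = module.prod-spoke-project.project_id
 network = module.prod-spoke-vpc.name
 default_rules_config = {
@@ -129,6 +147,23 @@ module "prod-spoke-firewall" {
 }
 }
 
+module "prod-firewall-policy" {
+source = "../../../modules/net-firewall-policy"
+count = local.prod_cfg.fw_policy ? 1 : 0
+name = "prod-spoke-0"
+parent_id = module.prod-spoke-project.project_id
+region = "global"
+attachments = {
+prod-spoke-0 = module.prod-spoke-vpc.id
+}
+# TODO: add context for security groups
+factories_config = {
+cidr_file_path = "${var.factories_config.data_dir}/cidrs.yaml"
+egress_rules_file_path = "${var.factories_config.data_dir}/firewall-policies/prod/egress.yaml"
+ingress_rules_file_path = "${var.factories_config.data_dir}/firewall-policies/prod/ingress.yaml"
+}
+}
+
 module "peering-prod" {
 source = "../../../modules/net-vpc-peering"
 prefix = "prod-peering-0"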
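Review bot: The new locals block gives no hint of what happens when both `fw_classic` and `fw_policy` are false, yet the `count` guards added on prod-spoke-firewall and prod-firewall-policy mean the production spoke then has neither stage-managed classic rules nor a network firewall policy, while `fw_order` is still passed to the VPC through `firewall_policy_enforcement_order`. Because the `== true` comparisons turn a null or unset `vpc_configs.prod.firewall` into "nothing managed", a misconfigured tfvars fails quietly rather than loudly here. A comment on the locals such as `# use_classic and create_policy are independent; when both are false this stage manages no firewall rules or policy for the VPC, so presumably only the VPC's implied rules apply` would make that implication visible to whoever sets vpc_configs. The same applies to the dev locals in net-dev.tf and to dmz_cfg/landing_cfg in net-landing.tf.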
