diff --git a/0-bootstrap/README-GitHub.md b/0-bootstrap/README-GitHub.md
index 6aba496d4..8c98ea3cf 100644
--- a/0-bootstrap/README-GitHub.md
+++ b/0-bootstrap/README-GitHub.md
@@ -565,15 +565,15 @@ or go to [Deploying step 3-networks-hub-and-spoke](#deploying-step-3-networks-hu
chmod 755 ./tf-wrapper.sh
```
-1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `shared.auto.example.tfvars` to `shared.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`.
+1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `production.auto.example.tfvars` to `production.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`.
```bash
mv common.auto.example.tfvars common.auto.tfvars
- mv shared.auto.example.tfvars shared.auto.tfvars
+ mv production.auto.example.tfvars production.auto.tfvars
mv access_context.auto.example.tfvars access_context.auto.tfvars
```
-1. Update the file `shared.auto.tfvars` with the values for the `target_name_server_addresses`.
+1. Update the file `production.auto.tfvars` with the values for the `target_name_server_addresses`.
1. Update the file `access_context.auto.tfvars` with the organization's `access_context_manager_policy_id`.
```bash
diff --git a/0-bootstrap/README-GitLab.md b/0-bootstrap/README-GitLab.md
index b0ab4a312..1a27609a7 100644
--- a/0-bootstrap/README-GitLab.md
+++ b/0-bootstrap/README-GitLab.md
@@ -568,15 +568,15 @@ or go to [Deploying step 3-networks-hub-and-spoke](#deploying-step-3-networks-hu
chmod 755 ./*.sh
```
-1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `shared.auto.example.tfvars` to `shared.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`.
+1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `production.auto.example.tfvars` to `production.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`.
```bash
mv common.auto.example.tfvars common.auto.tfvars
- mv shared.auto.example.tfvars shared.auto.tfvars
+ mv production.auto.example.tfvars production.auto.tfvars
mv access_context.auto.example.tfvars access_context.auto.tfvars
```
-1. Update the file `shared.auto.tfvars` with the values for the `target_name_server_addresses`.
+1. Update the file `production.auto.tfvars` with the values for the `target_name_server_addresses`.
1. Update the file `access_context.auto.tfvars` with the organization's `access_context_manager_policy_id`.
```bash
diff --git a/0-bootstrap/README-Jenkins.md b/0-bootstrap/README-Jenkins.md
index ac536a6c4..5ece83a8f 100644
--- a/0-bootstrap/README-Jenkins.md
+++ b/0-bootstrap/README-Jenkins.md
@@ -599,16 +599,16 @@ Here you will configure a VPN Network tunnel to enable connectivity between the
sed -i'' -e "s/CICD_PROJECT_ID/${CICD_PROJECT_ID}/" ./Jenkinsfile
```
-1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `shared.auto.example.tfvars` to `shared.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`.
+1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `production.auto.example.tfvars` to `production.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`.
```bash
mv common.auto.example.tfvars common.auto.tfvars
- mv shared.auto.example.tfvars shared.auto.tfvars
+ mv production.auto.example.tfvars production.auto.tfvars
mv access_context.auto.example.tfvars access_context.auto.tfvars
```
1. Update `common.auto.tfvars` file with values from your environment and bootstrap. See any of the envs folder [README.md](../3-networks-dual-svpc/envs/production/README.md) files for additional information on the values in the `common.auto.tfvars` file.
-1. Update `shared.auto.tfvars` file with the `target_name_server_addresses`.
+1. Update `production.auto.tfvars` file with the `target_name_server_addresses`.
1. Update `access_context.auto.tfvars` file with the `access_context_manager_policy_id`.
1. Use `terraform output` to get the backend bucket and networks step Terraform Service Account values from gcp-bootstrap output.
diff --git a/0-bootstrap/README-Terraform-Cloud.md b/0-bootstrap/README-Terraform-Cloud.md
index c13a88bb4..f68977a4f 100644
--- a/0-bootstrap/README-Terraform-Cloud.md
+++ b/0-bootstrap/README-Terraform-Cloud.md
@@ -476,15 +476,15 @@ or go to [Deploying step 3-networks-hub-and-spoke](#deploying-step-3-networks-hu
chmod 755 ./tf-wrapper.sh
```
-1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `shared.auto.example.tfvars` to `shared.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`.
+1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `production.auto.example.tfvars` to `production.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`.
```bash
mv common.auto.example.tfvars common.auto.tfvars
- mv shared.auto.example.tfvars shared.auto.tfvars
+ mv production.auto.example.tfvars production.auto.tfvars
mv access_context.auto.example.tfvars access_context.auto.tfvars
```
-1. Update the file `shared.auto.tfvars` with the values for the `target_name_server_addresses`.
+1. Update the file `production.auto.tfvars` with the values for the `target_name_server_addresses`.
1. Update the file `access_context.auto.tfvars` with the organization's `access_context_manager_policy_id`.
```bash
diff --git a/3-networks-dual-svpc/README.md b/3-networks-dual-svpc/README.md
index ddfb54ab2..6b19953cc 100644
--- a/3-networks-dual-svpc/README.md
+++ b/3-networks-dual-svpc/README.md
@@ -163,16 +163,16 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get
chmod 755 ./tf-wrapper.sh
```
-1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `shared.auto.example.tfvars` to `shared.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`.
+1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `production.auto.example.tfvars` to `production.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`.
```bash
mv common.auto.example.tfvars common.auto.tfvars
- mv shared.auto.example.tfvars shared.auto.tfvars
+ mv production.auto.example.tfvars production.auto.tfvars
mv access_context.auto.example.tfvars access_context.auto.tfvars
```
1. Update `common.auto.tfvars` file with values from your environment and bootstrap. See any of the envs folder [README.md](./envs/production/README.md) files for additional information on the values in the `common.auto.tfvars` file.
- Update `shared.auto.tfvars` file with the `target_name_server_addresses`.
+ Update `production.auto.tfvars` file with the `target_name_server_addresses`.
Update `access_context.auto.tfvars` file with the `access_context_manager_policy_id`.
Use `terraform output` to get the backend bucket value from 0-bootstrap output.
@@ -305,16 +305,16 @@ See `0-bootstrap` [README-GitHub.md](../0-bootstrap/README-GitHub.md#deploying-s
git checkout -b production
```
-1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `shared.auto.example.tfvars` to `shared.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`.
+1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `production.auto.example.tfvars` to `production.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`.
```bash
mv common.auto.example.tfvars common.auto.tfvars
- mv shared.auto.example.tfvars shared.auto.tfvars
+ mv production.auto.example.tfvars production.auto.tfvars
mv access_context.auto.example.tfvars access_context.auto.tfvars
```
1. Update `common.auto.tfvars` file with values from your environment and bootstrap. See any of the envs folder [README.md](./envs/production/README.md) files for additional information on the values in the `common.auto.tfvars` file.
-1. Update `shared.auto.tfvars` file with the `target_name_server_addresses`.
+1. Update `production.auto.tfvars` file with the `target_name_server_addresses`.
1. Update `access_context.auto.tfvars` file with the `access_context_manager_policy_id`.
1. Use `terraform output` to get the backend bucket value from gcp-bootstrap output.
diff --git a/3-networks-dual-svpc/envs/production/main.tf b/3-networks-dual-svpc/envs/production/main.tf
index 233cafe53..c6512b2ac 100644
--- a/3-networks-dual-svpc/envs/production/main.tf
+++ b/3-networks-dual-svpc/envs/production/main.tf
@@ -20,48 +20,48 @@ locals {
/*
* Base network ranges
*/
- base_private_service_cidr = "10.16.16.0/21"
+ base_private_service_cidr = "10.16.24.0/21"
base_subnet_primary_ranges = {
- (local.default_region1) = "10.0.128.0/18"
- (local.default_region2) = "10.1.128.0/18"
+ (local.default_region1) = "10.0.192.0/18"
+ (local.default_region2) = "10.1.192.0/18"
}
base_subnet_proxy_ranges = {
- (local.default_region1) = "10.18.4.0/23"
- (local.default_region2) = "10.19.4.0/23"
+ (local.default_region1) = "10.18.6.0/23"
+ (local.default_region2) = "10.19.6.0/23"
}
base_subnet_secondary_ranges = {
(local.default_region1) = [
{
range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-pod"
- ip_cidr_range = "100.64.128.0/18"
+ ip_cidr_range = "100.64.192.0/18"
},
{
range_name = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-svc"
- ip_cidr_range = "100.65.128.0/18"
+ ip_cidr_range = "100.65.192.0/18"
}
]
}
/*
* Restricted network ranges
*/
- restricted_private_service_cidr = "10.16.48.0/21"
+ restricted_private_service_cidr = "10.16.56.0/21"
restricted_subnet_primary_ranges = {
- (local.default_region1) = "10.8.128.0/18"
- (local.default_region2) = "10.9.128.0/18"
+ (local.default_region1) = "10.8.192.0/18"
+ (local.default_region2) = "10.9.192.0/18"
}
restricted_subnet_proxy_ranges = {
- (local.default_region1) = "10.26.4.0/23"
- (local.default_region2) = "10.27.4.0/23"
+ (local.default_region1) = "10.26.6.0/23"
+ (local.default_region2) = "10.27.6.0/23"
}
restricted_subnet_secondary_ranges = {
(local.default_region1) = [
{
range_name = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-pod"
- ip_cidr_range = "100.72.128.0/18"
+ ip_cidr_range = "100.72.192.0/18"
},
{
range_name = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-svc"
- ip_cidr_range = "100.73.128.0/18"
+ ip_cidr_range = "100.73.192.0/18"
}
]
}
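Review bot: The renumbered production ranges in this hunk (for example `base_private_service_cidr` `10.16.16.0/21` → `10.16.24.0/21`, the primary ranges `x.x.128.0/18` → `x.x.192.0/18`, and the GKE secondary ranges `100.64.128.0/18` → `100.64.192.0/18`) are not explained anywhere in the file, so a reader cannot tell whether the freed slots are now reserved for another environment or simply unused, and the no-overlap check against the other `envs/*/main.tf` files cannot be done from here. A short allocation comment under the `Base network ranges` header, such as `// production uses the x.x.192.0/18 primary slot; the x.x.128.0/18 slot is reserved for <other env — take from the IP plan>`, would make that reviewable. On an already-deployed production environment, moving a subnet's primary range to a non-overlapping block will, as far as I can tell, force the subnetwork to be recreated, so this should be called out as a breaking change in the release notes. The `locals` block that holds these values starts before the hunk.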
diff --git a/3-networks-dual-svpc/envs/production/shared.auto.tfvars b/3-networks-dual-svpc/envs/production/shared.auto.tfvars
deleted file mode 120000
index b7f8387a8..000000000
--- a/3-networks-dual-svpc/envs/production/shared.auto.tfvars
+++ /dev/null
@@ -1 +0,0 @@
-../../shared.auto.tfvars
\ No newline at end of file
diff --git a/3-networks-dual-svpc/envs/shared/README.md b/3-networks-dual-svpc/envs/shared/README.md
index 84a48fa06..37d6649d7 100644
--- a/3-networks-dual-svpc/envs/shared/README.md
+++ b/3-networks-dual-svpc/envs/shared/README.md
@@ -13,9 +13,7 @@
| bgp\_asn\_dns | BGP Autonomous System Number (ASN). | `number` | `64667` | no |
| dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no |
| domain | The DNS name of forwarding managed zone, for instance 'example.com'. Must end with a period. | `string` | n/a | yes |
-| enable\_partner\_interconnect | Enable Partner Interconnect in the environment. | `bool` | `false` | no |
| firewall\_policies\_enable\_logging | Toggle hierarchical firewall logging. | `bool` | `true` | no |
-| preactivate\_partner\_interconnect | Preactivate Partner Interconnect VLAN attachment in the environment. | `bool` | `false` | no |
| remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes |
| tfc\_org\_name | Name of the TFC organization | `string` | `""` | no |
| vpc\_flow\_logs | enable\_logging: set to true to enable VPC flow logging for the subnetworks.
aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.
flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].
metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.
metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.
filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. |
object({| `{}` | no |
diff --git a/3-networks-dual-svpc/envs/shared/interconnect.tf.example b/3-networks-dual-svpc/envs/shared/interconnect.tf.example
deleted file mode 100644
index 818d8b26e..000000000
--- a/3-networks-dual-svpc/envs/shared/interconnect.tf.example
+++ /dev/null
@@ -1,60 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-module "dns_hub_interconnect" {
- source = "../../modules/dedicated_interconnect"
-
- vpc_name = "vpc-p-shared-restricted"
- interconnect_project_id = local.restricted_project_id
-
- region1 = local.default_region1
- region1_router1_name = module.dns_hub_region1_router1.router.name
- region1_interconnect1_candidate_subnets = ["169.254.0.0/29"]
- region1_interconnect1_vlan_tag8021q = "3931"
- region1_interconnect1 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-1"
- region1_interconnect1_location = "las-zone1-770"
- region1_interconnect1_onprem_dc = "onprem-dc1"
- region1_router2_name = module.dns_hub_region1_router2.router.name
- region1_interconnect2_candidate_subnets = ["169.254.0.8/29"]
- region1_interconnect2_vlan_tag8021q = "3932"
- region1_interconnect2 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-2"
- region1_interconnect2_location = "las-zone1-770"
- region1_interconnect2_onprem_dc = "onprem-dc2"
-
- region2 = local.default_region2
- region2_router1_name = module.dns_hub_region2_router1.router.name
- region2_interconnect1_candidate_subnets = ["169.254.0.16/29"]
- region2_interconnect1_vlan_tag8021q = "3933"
- region2_interconnect1 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-3"
- region2_interconnect1_location = "lax-zone2-19"
- region2_interconnect1_onprem_dc = "onprem-dc3"
- region2_router2_name = module.dns_hub_region2_router2.router.name
- region2_interconnect2_candidate_subnets = ["169.254.0.24/29"]
- region2_interconnect2_vlan_tag8021q = "3934"
- region2_interconnect2 = "https://www.googleapis.com/compute/v1/projects/${local.interconnect_project_id}/global/interconnects/example-interconnect-4"
- region2_interconnect2_location = "lax-zone1-403"
- region2_interconnect2_onprem_dc = "onprem-dc4"
-
- peer_asn = "64515"
- peer_name = "interconnect-peer"
-
- cloud_router_labels = {
- vlan_1 = "cr1",
- vlan_2 = "cr2",
- vlan_3 = "cr3",
- vlan_4 = "cr4"
- }
-}
diff --git a/3-networks-dual-svpc/envs/shared/partner_interconnect.auto.tfvars.example b/3-networks-dual-svpc/envs/shared/partner_interconnect.auto.tfvars.example
deleted file mode 100644
index aae4c298e..000000000
--- a/3-networks-dual-svpc/envs/shared/partner_interconnect.auto.tfvars.example
+++ /dev/null
@@ -1,18 +0,0 @@
-/**
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-enable_partner_interconnect = true
-preactivate_partner_interconnect = true
diff --git a/3-networks-dual-svpc/envs/shared/partner_interconnect.tf.example b/3-networks-dual-svpc/envs/shared/partner_interconnect.tf.example
deleted file mode 100644
index 67d045e7e..000000000
--- a/3-networks-dual-svpc/envs/shared/partner_interconnect.tf.example
+++ /dev/null
@@ -1,46 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-module "dns_hub_interconnect" {
- source = "../../modules/partner_interconnect"
-
- vpc_name = "vpc-p-shared-restricted"
- attachment_project_id = local.restricted_project_id
- preactivate = var.preactivate_partner_interconnect
-
- region1 = local.default_region1
- region1_router1_name = module.dns_hub_region1_router1.router.name
- region1_interconnect1_location = "las-zone1-770"
- region1_interconnect1_onprem_dc = "onprem-dc1"
- region1_router2_name = module.dns_hub_region1_router2.router.name
- region1_interconnect2_location = "las-zone1-770"
- region1_interconnect2_onprem_dc = "onprem-dc2"
-
- region2 = local.default_region2
- region2_router1_name = module.dns_hub_region2_router1.router.name
- region2_interconnect1_location = "lax-zone2-19"
- region2_interconnect1_onprem_dc = "onprem-dc3"
- region2_router2_name = module.dns_hub_region2_router2.router.name
- region2_interconnect2_location = "lax-zone1-403"
- region2_interconnect2_onprem_dc = "onprem-dc4"
-
- cloud_router_labels = {
- vlan_1 = "cr1",
- vlan_2 = "cr2",
- vlan_3 = "cr3",
- vlan_4 = "cr4"
- }
-}
diff --git a/3-networks-dual-svpc/envs/shared/remote.tf b/3-networks-dual-svpc/envs/shared/remote.tf
index 72017f904..3afb75cb7 100644
--- a/3-networks-dual-svpc/envs/shared/remote.tf
+++ b/3-networks-dual-svpc/envs/shared/remote.tf
@@ -17,12 +17,10 @@ locals {
 env = "common"
 environment_code = "c"
- dns_bgp_asn_number = var.enable_partner_interconnect ? "16550" : var.bgp_asn_dns
+ dns_bgp_asn_number = var.bgp_asn_dns
 default_region1 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
 default_region2 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2
 folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix
- interconnect_project_id = data.terraform_remote_state.org.outputs.interconnect_project_id
- restricted_project_id = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].restricted_shared_vpc_project_id
 parent_id = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id
 bootstrap_folder_name = data.terraform_remote_state.bootstrap.outputs.common_config.bootstrap_folder_name
 common_folder_name = data.terraform_remote_state.org.outputs.common_folder_name
diff --git a/3-networks-dual-svpc/envs/shared/remote.tf.cloud.example b/3-networks-dual-svpc/envs/shared/remote.tf.cloud.example
index f12825173..10ffccb73 100644
--- a/3-networks-dual-svpc/envs/shared/remote.tf.cloud.example
+++ b/3-networks-dual-svpc/envs/shared/remote.tf.cloud.example
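Review bot: Replacing `var.enable_partner_interconnect ? "16550" : var.bgp_asn_dns` with plain `var.bgp_asn_dns` is a silent behaviour change for any deployment that had the partner-interconnect example files applied: since the same commit deletes `enable_partner_interconnect` from `variables.tf`, a leftover `partner_interconnect.auto.tfvars` only yields an undeclared-variable warning, and the DNS hub routers quietly fall back to `bgp_asn_dns` (default `64667` per the shared README table on this page) instead of ASN `16550`, which would break those BGP sessions. A one-line comment on the new assignment, e.g. `# Partner Interconnect (ASN 16550) is no longer selected here; set bgp_asn_dns explicitly if you still use it`, plus a breaking-change entry in the release notes, would make the migration explicit. The same edit is made in `remote.tf.cloud.example` in the next hunk. The `locals` block extends beyond the hunk on both sides.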
@@ -17,18 +17,16 @@ locals {
 env = "common"
 environment_code = "c"
- dns_bgp_asn_number = var.enable_partner_interconnect ? "16550" : var.bgp_asn_dns
+ dns_bgp_asn_number = var.bgp_asn_dns
 default_region1 = data.tfe_outputs.bootstrap.outputs.common_config.default_region
 default_region2 = data.tfe_outputs.bootstrap.outputs.common_config.default_region_2
 folder_prefix = data.tfe_outputs.bootstrap.nonsensitive_values.common_config.folder_prefix
- dns_hub_project_id = data.tfe_outputs.org.nonsensitive_values.dns_hub_project_id
- interconnect_project_id = data.tfe_outputs.org.nonsensitive_values.interconnect_project_id
 parent_id = data.tfe_outputs.bootstrap.nonsensitive_values.common_config.parent_id
 bootstrap_folder_name = data.tfe_outputs.bootstrap.nonsensitive_values.common_config.bootstrap_folder_name
 common_folder_name = data.tfe_outputs.org.nonsensitive_values.common_folder_name
 network_folder_name = data.tfe_outputs.org.nonsensitive_values.network_folder_name
 development_folder_name = data.tfe_outputs.env_development.nonsensitive_values.env_folder
- nonproduction_folder_name = data.tfe_outputs.env_nonproduction.nonsensitive_values.env_folder
+ nonproduction_folder_name = data.tfe_outputs.env_nonproduction.nonsensitive_values.env_folder
 production_folder_name = data.tfe_outputs.env_production.nonsensitive_values.env_folder
 }
diff --git a/3-networks-dual-svpc/envs/shared/shared.auto.tfvars b/3-networks-dual-svpc/envs/shared/shared.auto.tfvars
deleted file mode 120000
index b7f8387a8..000000000
--- a/3-networks-dual-svpc/envs/shared/shared.auto.tfvars
+++ /dev/null
@@ -1 +0,0 @@
-../../shared.auto.tfvars
\ No newline at end of file
diff --git a/3-networks-dual-svpc/envs/shared/variables.tf b/3-networks-dual-svpc/envs/shared/variables.tf
index 960985cd8..ef776e33e 100644
--- a/3-networks-dual-svpc/envs/shared/variables.tf
+++ b/3-networks-dual-svpc/envs/shared/variables.tf
@@ -62,18 +62,6 @@ variable "firewall_policies_enable_logging" {
 default = true
 }
-variable "enable_partner_interconnect" {
- description = "Enable Partner Interconnect in the environment."
- type = bool
- default = false
-}
-
-variable "preactivate_partner_interconnect" {
- description = "Preactivate Partner Interconnect VLAN attachment in the environment."
- type = bool
- default = false
-}
-
 variable "tfc_org_name" {
 description = "Name of the TFC organization"
 type = string
diff --git a/3-networks-dual-svpc/modules/base_env/remote.tf.cloud.example b/3-networks-dual-svpc/modules/base_env/remote.tf.cloud.example
index 6ba8d057d..df60f9e1c 100644
--- a/3-networks-dual-svpc/modules/base_env/remote.tf.cloud.example
+++ b/3-networks-dual-svpc/modules/base_env/remote.tf.cloud.example
@@ -19,7 +19,6 @@ locals {
 restricted_project_number = data.tfe_outputs.org.nonsensitive_values.shared_vpc_projects[var.env].restricted_shared_vpc_project_number
 base_project_id = data.tfe_outputs.org.nonsensitive_values.shared_vpc_projects[var.env].base_shared_vpc_project_id
 interconnect_project_number = data.tfe_outputs.org.nonsensitive_values.interconnect_project_number
- dns_hub_project_id = data.tfe_outputs.org.nonsensitive_values.dns_hub_project_id
 organization_service_account = data.tfe_outputs.bootstrap.nonsensitive_values.organization_step_terraform_service_account_email
 networks_service_account = data.tfe_outputs.bootstrap.nonsensitive_values.networks_step_terraform_service_account_email
 projects_service_account = data.tfe_outputs.bootstrap.nonsensitive_values.projects_step_terraform_service_account_email
diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/README.md b/3-networks-dual-svpc/modules/base_shared_vpc/README.md
index 1372cc47e..707c8acd1 100644
--- a/3-networks-dual-svpc/modules/base_shared_vpc/README.md
+++ b/3-networks-dual-svpc/modules/base_shared_vpc/README.md
@@ -3,6 +3,7 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| base\_dns\_project\_id | Project ID for DNS Base Shared. | `string` | `""` | no |
 | base\_network\_name | The name of the VPC being created | `string` | `""` | no |
 | bgp\_asn\_subnet | BGP ASN for Subnets cloud routers. | `number` | n/a | yes |
 | default\_region1 | Default region 1 for subnets and Cloud Routers | `string` | n/a | yes |
diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf b/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf
index 9ed5abc34..dd065135e 100644
--- a/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf
+++ b/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf
@@ -36,7 +36,7 @@ data "google_compute_network" "vpc_dns_hub" {
 count = var.environment_code != "p" ? 1 : 0
 name = "vpc-p-shared-base"
- project = var.production_project_id
+ project = var.base_dns_project_id
 }
 module "peering_zone" {
diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/main.tf b/3-networks-dual-svpc/modules/base_shared_vpc/main.tf
index e4c22a827..8fdbaf055 100644
--- a/3-networks-dual-svpc/modules/base_shared_vpc/main.tf
+++ b/3-networks-dual-svpc/modules/base_shared_vpc/main.tf
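Review bot: `project = var.base_dns_project_id` is evaluated whenever `environment_code != "p"`, and the new variable is declared in the next hunk with `default = ""`, so a non-production environment that forgets to pass it will presumably resolve the `vpc-p-shared-base` lookup against an empty project id and fail at plan time with an error that never names the variable. The description `"Project ID for DNS Base Shared."` should state the contract, e.g. `description = "Project ID of the production base Shared VPC project hosting the DNS hub. Required when environment_code is not \"p\"."`, and a `lifecycle { precondition { condition = var.environment_code == "p" || var.base_dns_project_id != "" ... } }` on the data source would surface the omission with a clear message. If `production_project_id` is still declared in this module's `variables.tf` it is now unreferenced here and can be dropped. The same applies to `project = var.restricted_dns_project_id` in `restricted_shared_vpc/dns.tf` further down; the `vpc_dns_hub` data source starts on the hunk header line.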
@@ -15,11 +15,12 @@
 */
 locals {
- vpc_name = "${var.environment_code}-shared-base"
- network_name = "vpc-${local.vpc_name}"
- private_googleapis_cidr = module.private_service_connect.private_service_connect_ip
- google_private_service_range = "35.199.192.0/19"
- advertised_ip = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.private_googleapis_cidr }]
+ vpc_name = "${var.environment_code}-shared-base"
+ network_name = "vpc-${local.vpc_name}"
+ private_googleapis_cidr = module.private_service_connect.private_service_connect_ip
+ google_forward_source_range = "35.199.192.0/19"
+ advertised_ip = var.private_service_cidr == "p" ? [{ range = local.google_forward_source_range }, { range = local.private_googleapis_cidr }] : [{ range = local.private_googleapis_cidr }]
+
 }
 /******************************************
diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf
index 5afba9883..6a4ba92da 100644
--- a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf
+++ b/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf
@@ -14,6 +14,12 @@
 * limitations under the License.
 */
+variable "base_dns_project_id" {
+ description = "Project ID for DNS Base Shared."
+ type = string
+ default = ""
+}
+
 variable "target_name_server_addresses" {
 description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones."
 type = list(map(any))
diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md
index f0937fcb1..3ad3b457d 100644
--- a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md
+++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md
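Review bot: `advertised_ip` now keys on `var.private_service_cidr == "p"`, but `private_service_cidr` is a CIDR string (the restricted module README on this page documents it as "CIDR range for private service networking", default `null`), so the comparison can never be true: the new two-range branch is dead and every environment advertises only the PSC endpoint, which means the `35.199.192.0/19` Cloud DNS forwarding source range is no longer advertised to on-prem at all. Given that `dns.tf` in the same commit selects the production hub with `var.environment_code != "p"`, the intended test is almost certainly the environment code: `advertised_ip = var.environment_code == "p" ? [{ range = local.google_forward_source_range }, { range = local.private_googleapis_cidr }] : [{ range = local.private_googleapis_cidr }]`. The identical condition is introduced in `restricted_shared_vpc/main.tf` further down and needs the same correction. The stray added blank line before the closing `}` of `locals` also looks unintentional.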
@@ -26,11 +26,9 @@
 | nat\_num\_addresses\_region2 | Number of external IPs to reserve for region 2 Cloud NAT. | `number` | `2` | no |
 | private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | `string` | `null` | no |
 | private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint. | `string` | n/a | yes |
-| production\_restricted\_project\_id | Project ID for Restricted Shared. | `string` | `""` | no |
 | project\_id | Project ID for Restricted Shared VPC. | `string` | n/a | yes |
 | project\_number | Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter. | `number` | n/a | yes |
-| restricted\_net\_hub\_project\_id | The restricted net hub project ID | `string` | `""` | no |
-| restricted\_network\_name | The name of the VPC being created | `string` | `""` | no |
+| restricted\_dns\_project\_id | Project ID for DNS Restricted Shared. | `string` | `""` | no |
 | restricted\_services | List of services to restrict in an enforced perimeter. | `list(string)` | n/a | yes |
 | restricted\_services\_dry\_run | List of services to restrict in a dry-run perimeter. | `list(string)` | n/a | yes |
 | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no |
diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf
index 2d07d80a9..85b190d82 100644
--- a/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf
+++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf
@@ -36,7 +36,7 @@ data "google_compute_network" "vpc_dns_hub" {
 count = var.environment_code != "p" ? 1 : 0
 name = "vpc-p-shared-restricted"
- project = var.production_restricted_project_id
+ project = var.restricted_dns_project_id
 }
 module "peering_zone" {
diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf
index 306a19d28..53802c22a 100644
--- a/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf
+++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf
@@ -15,11 +15,11 @@
 */
 locals {
- vpc_name = "${var.environment_code}-shared-restricted"
- network_name = "vpc-${local.vpc_name}"
- restricted_googleapis_cidr = module.private_service_connect.private_service_connect_ip
- google_private_service_range = "35.199.192.0/19"
- advertised_ip = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.restricted_googleapis_cidr }]
+ vpc_name = "${var.environment_code}-shared-restricted"
+ network_name = "vpc-${local.vpc_name}"
+ restricted_googleapis_cidr = module.private_service_connect.private_service_connect_ip
+ google_forward_source_range = "35.199.192.0/19"
+ advertised_ip = var.private_service_cidr == "p" ? [{ range = local.google_forward_source_range }, { range = local.restricted_googleapis_cidr }] : [{ range = local.restricted_googleapis_cidr }]
 }
 /******************************************
diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf
index f73965b07..27e733385 100644
--- a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf
+++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf
@@ -14,8 +14,8 @@
 * limitations under the License.
 */
-variable "production_restricted_project_id" {
- description = "Project ID for Restricted Shared."
+variable "restricted_dns_project_id" {
+ description = "Project ID for DNS Restricted Shared."
 type = string
 default = ""
 }
@@ -25,18 +25,6 @@ variable "target_name_server_addresses" { type = list(map(any)) } -variable "restricted_net_hub_project_id" { - type = string - description = "The restricted net hub project ID" - default = "" -} - -variable "restricted_network_name" { - type = string - description = "The name of the VPC being created" - default = "" -} - variable "access_context_manager_policy_id" { type = number description = "The id of the default Access Context Manager policy. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format=\"value(name)\"`." diff --git a/3-networks-dual-svpc/shared.auto.example.tfvars b/3-networks-dual-svpc/shared.auto.example.tfvars deleted file mode 100644 index 0db7e30ea..000000000 --- a/3-networks-dual-svpc/shared.auto.example.tfvars +++ /dev/null @@ -1,28 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -// List of IPv4 address of target name servers for the forwarding zone configuration. -// See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones -target_name_server_addresses = [ - { - ipv4_address = "192.168.0.1", - forwarding_path = "default" - }, - { - ipv4_address = "192.168.0.2", - forwarding_path = "default" - } -] diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf index d20c3f0df..355031822 100644 
--- a/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf @@ -31,12 +31,6 @@ resource "google_dns_policy" "default_policy" { /****************************************** Creates DNS Peering to DNS HUB *****************************************/ -data "google_compute_network" "vpc_dns_hub" { - count = var.mode == "spoke" ? 1 : 0 - - name = data.google_compute_network.vpc_base_net_hub[0].name - project = var.base_net_hub_project_id -} module "peering_zone" { source = "terraform-google-modules/cloud-dns/google" @@ -53,7 +47,7 @@ module "peering_zone" { private_visibility_config_networks = [ module.main.network_self_link ] - target_network = data.google_compute_network.vpc_dns_hub[0].self_link + target_network = data.google_compute_network.vpc_base_net_hub[0].self_link } /****************************************** diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf index e9c4fbba6..49ef53872 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf 
@@ -15,12 +15,12 @@ */ locals { - mode = var.mode == null ? "" : var.mode == "hub" ? "-hub" : "-spoke" - vpc_name = "${var.environment_code}-shared-base${local.mode}" - network_name = "vpc-${local.vpc_name}" - private_googleapis_cidr = module.private_service_connect.private_service_connect_ip - google_private_service_range = "35.199.192.0/19" - advertised_ip = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.private_googleapis_cidr }] + mode = var.mode == null ? "" : var.mode == "hub" ? "-hub" : "-spoke" + vpc_name = "${var.environment_code}-shared-base${local.mode}" + network_name = "vpc-${local.vpc_name}" + private_googleapis_cidr = module.private_service_connect.private_service_connect_ip + google_forward_source_range = "35.199.192.0/19" + advertised_ip = var.private_service_cidr == null ? [{ range = local.google_forward_source_range }] : [{ range = local.private_googleapis_cidr }] } /****************************************** diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf index e5706d46f..e9dadbb59 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf +++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf @@ -31,12 +31,6 @@ resource "google_dns_policy" "default_policy" { /****************************************** Creates DNS Peering to DNS HUB *****************************************/ -data "google_compute_network" "vpc_dns_hub" { - count = var.mode == "spoke" ? 1 : 0 - - name = data.google_compute_network.vpc_restricted_net_hub[0].name - project = var.restricted_net_hub_project_id -} module "peering_zone" { source = "terraform-google-modules/cloud-dns/google" 
@@ -53,7 +47,7 @@ module "peering_zone" { private_visibility_config_networks = [ module.main.network_self_link ] - target_network = data.google_compute_network.vpc_dns_hub[0].self_link + target_network = data.google_compute_network.vpc_restricted_net_hub[0].self_link } /****************************************** diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf index 07cd09540..5742c7540 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf +++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf @@ -15,12 +15,12 @@ */ locals { - mode = var.mode == null ? "" : var.mode == "hub" ? "-hub" : "-spoke" - vpc_name = "${var.environment_code}-shared-restricted${local.mode}" - network_name = "vpc-${local.vpc_name}" - restricted_googleapis_cidr = module.private_service_connect.private_service_connect_ip - google_private_service_range = "35.199.192.0/19" - advertised_ip = var.private_service_cidr == null ? [{ range = local.google_private_service_range }] : [{ range = local.restricted_googleapis_cidr }] + mode = var.mode == null ? "" : var.mode == "hub" ? "-hub" : "-spoke" + vpc_name = "${var.environment_code}-shared-restricted${local.mode}" + network_name = "vpc-${local.vpc_name}" + restricted_googleapis_cidr = module.private_service_connect.private_service_connect_ip + google_forward_source_range = "35.199.192.0/19" + advertised_ip = var.private_service_cidr == null ? [{ range = local.google_forward_source_range }] : [{ range = local.restricted_googleapis_cidr }] } /****************************************** diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index 49216a86b..41dfabe41 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml 
@@ -66,6 +66,18 @@ steps: name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestEnvs --stage verify --verbose --test-dir /workspace/test/integration'] +- id: create-shared + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', './test/disable_tf_files.sh --shared && cft test run TestShared --stage init --verbose --test-dir /workspace/test/integration'] + +- id: converge-shared + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', 'cft test run TestShared --stage apply --verbose --test-dir /workspace/test/integration'] + +- id: verify-shared + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', 'cft test run TestShared --stage verify --verbose --test-dir /workspace/test/integration'] + - id: create-networks name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', './test/disable_tf_files.sh --networks && cft test run TestNetworks --stage init --verbose --test-dir /workspace/test/integration'] 
@@ -130,6 +142,10 @@ steps: name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestNetworks --stage destroy --verbose --test-dir /workspace/test/integration'] +- id: destroy-shared + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', 'cft test run TestShared --stage destroy --verbose --test-dir /workspace/test/integration'] + - id: destroy-envs name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestEnvs --stage destroy --verbose --test-dir /workspace/test/integration'] diff --git a/test/disable_tf_files.sh b/test/disable_tf_files.sh index 7c7892c3a..bdd22f199 100755 --- a/test/disable_tf_files.sh +++ b/test/disable_tf_files.sh 
@@ -23,41 +23,39 @@ function networks(){ network_dir="3-networks-hub-and-spoke" else network_dir="3-networks-dual-svpc" + + # disable production.auto.tfvars in main module # + mv $network_dir/envs/production/production.auto.tfvars $network_dir/envs/production/production.auto.tfvars.disabled fi # disable access_context.auto.tfvars in main module - mv $network_dir/envs/shared/access_context.auto.tfvars $network_dir/envs/shared/access_context.auto.tfvars.disabled # mv $network_dir/envs/development/access_context.auto.tfvars $network_dir/envs/development/access_context.auto.tfvars.disabled mv $network_dir/envs/nonproduction/access_context.auto.tfvars $network_dir/envs/nonproduction/access_context.auto.tfvars.disabled mv $network_dir/envs/production/access_context.auto.tfvars $network_dir/envs/production/access_context.auto.tfvars.disabled # disable common.auto.tfvars in main module - mv $network_dir/envs/shared/common.auto.tfvars $network_dir/envs/shared/common.auto.tfvars.disabled # mv $network_dir/envs/development/common.auto.tfvars $network_dir/envs/development/common.auto.tfvars.disabled mv $network_dir/envs/nonproduction/common.auto.tfvars $network_dir/envs/nonproduction/common.auto.tfvars.disabled mv $network_dir/envs/production/common.auto.tfvars $network_dir/envs/production/common.auto.tfvars.disabled - - # disable shared.auto.tfvars in main module # - mv $network_dir/envs/shared/shared.auto.tfvars $network_dir/envs/shared/shared.auto.tfvars.disabled } -# function shared(){ +function shared(){ -# if [ "$TF_VAR_example_foundations_mode" == "HubAndSpoke" ]; then -# network_dir="3-networks-hub-and-spoke" -# else -# network_dir="3-networks-dual-svpc" -# fi + if [ "$TF_VAR_example_foundations_mode" == "HubAndSpoke" ]; then + network_dir="3-networks-hub-and-spoke" -# # disable access_context.auto.tfvars in main module -# mv $network_dir/envs/shared/access_context.auto.tfvars $network_dir/envs/shared/access_context.auto.tfvars.disabled + # disable shared.auto.tfvars 
in main module + mv $network_dir/envs/shared/shared.auto.tfvars $network_dir/envs/shared/shared.auto.tfvars.disabled + else + network_dir="3-networks-dual-svpc" + fi -# # disable common.auto.tfvars in main module -# mv $network_dir/envs/shared/common.auto.tfvars $network_dir/envs/shared/common.auto.tfvars.disabled + # disable access_context.auto.tfvars in main module + mv $network_dir/envs/shared/access_context.auto.tfvars $network_dir/envs/shared/access_context.auto.tfvars.disabled -# # disable shared.auto.tfvars in main module -# mv $network_dir/envs/shared/shared.auto.tfvars $network_dir/envs/shared/shared.auto.tfvars.disabled -# } + # disable common.auto.tfvars in main module + mv $network_dir/envs/shared/common.auto.tfvars $network_dir/envs/shared/common.auto.tfvars.disabled +} function projectsshared(){ # disable shared.auto.tfvars @@ -95,10 +93,10 @@ do networks shift ;; - # -s|--shared) - # shared - # shift - # ;; + -s|--shared) + shared + shift + ;; -a|--appinfra) appinfra shift diff --git a/test/integration/shared/shared_test.go b/test/integration/shared/shared_test.go new file mode 100644 index 000000000..8102b7163 --- /dev/null +++ b/test/integration/shared/shared_test.go 
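Review bot: The re-enabled `shared()` body and the new `mv` added to the dual-svpc branch of `networks()` expand `$network_dir` unquoted in every `mv`; the values are fixed literals today, but quoting the new lines keeps them ShellCheck-clean and consistent with the tips for this repo, e.g. `mv "$network_dir/envs/shared/shared.auto.tfvars" "$network_dir/envs/shared/shared.auto.tfvars.disabled"`. The same applies to the mirrored lines in test/restore_tf_files.sh. Note that `networks()` opens before this hunk, so its `if` on `TF_VAR_example_foundations_mode` is outside view; only `shared()` is fully visible here.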
@@ -0,0 +1,159 @@ +// Copyright 2022 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package shared + +import ( + "fmt" + "testing" + "time" + + "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud" + "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" + "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/utils" + "github.com/gruntwork-io/terratest/modules/terraform" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/terraform-google-modules/terraform-example-foundation/test/integration/testutils" +) + +func isHubAndSpokeMode(t *testing.T) bool { + mode := utils.ValFromEnv(t, "TF_VAR_example_foundations_mode") + return mode == "HubAndSpoke" +} + +func TestShared(t *testing.T) { + + bootstrap := tft.NewTFBlueprintTest(t, + tft.WithTFDir("../../../0-bootstrap"), + ) + + orgID := terraform.OutputMap(t, bootstrap.GetTFOptions(), "common_config")["org_id"] + policyID := testutils.GetOrgACMPolicyID(t, orgID) + require.NotEmpty(t, policyID, "Access Context Manager Policy ID must be configured in the organization for the test to proceed.") + + // Configure impersonation for test execution + terraformSA := bootstrap.GetStringOutput("networks_step_terraform_service_account_email") + utils.SetEnv(t, "GOOGLE_IMPERSONATE_SERVICE_ACCOUNT", terraformSA) + backend_bucket := 
bootstrap.GetStringOutput("gcs_bucket_tfstate") + + backendConfig := map[string]interface{}{ + "bucket": backend_bucket, + } + + vars := map[string]interface{}{ + "remote_state_bucket": backend_bucket, + } + var tfdDir string + if isHubAndSpokeMode(t) { + vars["access_context_manager_policy_id"] = policyID + vars["perimeter_additional_members"] = []string{} + tfdDir = "../../../3-networks-hub-and-spoke/envs/shared" + } else { + tfdDir = "../../../3-networks-dual-svpc/envs/shared" + } + + shared := tft.NewTFBlueprintTest(t, + tft.WithTFDir(tfdDir), + tft.WithVars(vars), + tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 1, 2*time.Minute), + tft.WithPolicyLibraryPath("/workspace/policy-library", bootstrap.GetTFSetupStringOutput("project_id")), + tft.WithBackendConfig(backendConfig), + ) + shared.DefineVerify( + func(assert *assert.Assertions) { + + // do a time.Sleep to wait for propagation of VPC Service Controls configuration in the Hub and Spoke network mode + if isHubAndSpokeMode(t) { + time.Sleep(60 * time.Second) + } + + // perform default verification ensuring Terraform reports no additional changes on an applied blueprint + // Comment DefaultVerify because proxy-only subnets tries to change `ipv6_access_type` from `INTERNAL` to `null` on every run (plan and apply) + // Module issue: https://github.com/terraform-google-modules/terraform-google-network/issues/528 + // Resource issue: https://github.com/hashicorp/terraform-provider-google/issues/16801 + // Resource issue: https://github.com/hashicorp/terraform-provider-google/issues/16804 + // shared.DefaultVerify(assert) + + projectID := shared.GetStringOutput("dns_hub_project_id") + networkName := "vpc-net-dns" + dnsHubNetworkUrl := fmt.Sprintf("https://www.googleapis.com/compute/v1/projects/%s/global/networks/vpc-net-dns", projectID) + dnsPolicyName := "dp-dns-hub-default-policy" + + dnsPolicy := gcloud.Runf(t, "dns policies describe %s --project %s", dnsPolicyName, projectID) + 
assert.True(dnsPolicy.Get("enableInboundForwarding").Bool(), fmt.Sprintf("dns policy %s should have inbound forwarding enabled", dnsPolicyName)) + assert.Equal(dnsHubNetworkUrl, dnsPolicy.Get("networks.0.networkUrl").String(), fmt.Sprintf("dns policy %s should be on network %s", dnsPolicyName, networkName)) + + dnsFwZoneName := "fz-dns-hub" + dnsZone := gcloud.Runf(t, "dns managed-zones describe %s --project %s", dnsFwZoneName, projectID) + assert.Equal(dnsFwZoneName, dnsZone.Get("name").String(), fmt.Sprintf("dnsZone %s should exist", dnsFwZoneName)) + + projectNetwork := gcloud.Runf(t, "compute networks describe %s --project %s", networkName, projectID) + assert.Equal(networkName, projectNetwork.Get("name").String(), fmt.Sprintf("network %s should exist", networkName)) + + for _, subnet := range []struct { + name string + cidrRange string + region string + }{ + { + name: "sb-net-dns-us-west1", + cidrRange: "172.16.0.128/25", + region: "us-west1", + }, + { + name: "sb-net-dns-us-central1", + cidrRange: "172.16.0.0/25", + region: "us-central1", + }, + } { + sub := gcloud.Runf(t, "compute networks subnets describe %s --region %s --project %s", subnet.name, subnet.region, projectID) + assert.Equal(subnet.name, sub.Get("name").String(), fmt.Sprintf("subnet %s should exist", subnet.name)) + assert.Equal(subnet.cidrRange, sub.Get("ipCidrRange").String(), fmt.Sprintf("IP CIDR range %s should be", subnet.cidrRange)) + } + + bgpAdvertisedIpRange := "35.199.192.0/19" + + for _, router := range []struct { + name string + region string + }{ + { + name: "cr-net-dns-us-central1-cr1", + region: "us-central1", + }, + { + name: "cr-net-dns-us-central1-cr2", + region: "us-central1", + }, + { + name: "cr-net-dns-us-west1-cr3", + region: "us-west1", + }, + { + name: "cr-net-dns-us-west1-cr4", + region: "us-west1", + }, + } { + computeRouter := gcloud.Runf(t, "compute routers describe %s --region %s --project %s", router.name, router.region, projectID) + assert.Equal(router.name, 
computeRouter.Get("name").String(), fmt.Sprintf("router %s should exist", router.name)) + assert.Equal("64667", computeRouter.Get("bgp.asn").String(), fmt.Sprintf("router %s should have bgp asm 64667", router.name)) + assert.Equal(1, len(computeRouter.Get("bgp.advertisedIpRanges").Array()), fmt.Sprintf("router %s should have only one advertised IP range", router.name)) + assert.Equal(bgpAdvertisedIpRange, computeRouter.Get("bgp.advertisedIpRanges.0.range").String(), fmt.Sprintf("router %s should have only range %s", router.name, bgpAdvertisedIpRange)) + assert.Equal(dnsHubNetworkUrl, computeRouter.Get("network").String(), fmt.Sprintf("router %s should have be from network vpc-net-dns", router.name)) + } + }) + shared.Test() +} diff --git a/test/restore_tf_files.sh b/test/restore_tf_files.sh index 946c666b2..74d530c13 100644 --- a/test/restore_tf_files.sh +++ b/test/restore_tf_files.sh 
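Review bot: `backend_bucket` and `tfdDir` in TestShared break Go's mixedCaps convention (golint flags the underscore, and `tfd` looks like a typo); `backendBucket := bootstrap.GetStringOutput("gcs_bucket_tfstate")` and `tfDir` read as intended. Several assertion messages that will surface in CI logs also carry typos: `"router %s should have bgp asm 64667"` should say `asn`, `"router %s should have be from network vpc-net-dns"` should say `should be on network`, and the subnet message `"IP CIDR range %s should be"` is truncated — `"subnet %s should have IP CIDR range %s"` states the expectation. The unconditional `time.Sleep(60 * time.Second)` in hub-and-spoke mode is a likely flakiness source; at minimum the comment should say what was observed to need 60s so the value can be revisited.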
@@ -35,50 +35,47 @@ function networks(){ network_dir="3-networks-hub-and-spoke" else network_dir="3-networks-dual-svpc" + + # disable shared.auto.tfvars in main module # + mv $network_dir/envs/production/production.auto.tfvars.disabled $network_dir/envs/production/production.auto.tfvars fi # restore backend configs in main module - mv $network_dir/envs/shared/backend.tf.disabled $network_dir/envs/shared/backend.tf # mv $network_dir/envs/development/backend.tf.disabled $network_dir/envs/development/backend.tf mv $network_dir/envs/nonproduction/backend.tf.disabled $network_dir/envs/nonproduction/backend.tf mv $network_dir/envs/production/backend.tf.disabled $network_dir/envs/production/backend.tf # restore access_context.auto.tfvars in main module - mv $network_dir/envs/shared/access_context.auto.tfvars.disabled $network_dir/envs/shared/access_context.auto.tfvars # mv $network_dir/envs/development/access_context.auto.tfvars.disabled $network_dir/envs/development/access_context.auto.tfvars mv $network_dir/envs/nonproduction/access_context.auto.tfvars.disabled $network_dir/envs/nonproduction/access_context.auto.tfvars mv $network_dir/envs/production/access_context.auto.tfvars.disabled $network_dir/envs/production/access_context.auto.tfvars # restore common.auto.tfvars in main module - mv $network_dir/envs/shared/common.auto.tfvars.disabled $network_dir/envs/shared/common.auto.tfvars # mv $network_dir/envs/development/common.auto.tfvars.disabled $network_dir/envs/development/common.auto.tfvars mv $network_dir/envs/nonproduction/common.auto.tfvars.disabled $network_dir/envs/nonproduction/common.auto.tfvars mv $network_dir/envs/production/common.auto.tfvars.disabled $network_dir/envs/production/common.auto.tfvars - - # restore shared.auto.tfvars in main module # - mv $network_dir/envs/shared/shared.auto.tfvars.disabled $network_dir/envs/shared/shared.auto.tfvars } -# function shared(){ +function shared(){ -# if [ "$TF_VAR_example_foundations_mode" == "HubAndSpoke" ]; then 
-# network_dir="3-networks-hub-and-spoke" -# else -# network_dir="3-networks-dual-svpc" -# fi + if [ "$TF_VAR_example_foundations_mode" == "HubAndSpoke" ]; then + network_dir="3-networks-hub-and-spoke" -# # restore backend configs in main module -# mv $network_dir/envs/shared/backend.tf.disabled $network_dir/envs/shared/backend.tf + # restore shared.auto.tfvars in main module + mv $network_dir/envs/shared/shared.auto.tfvars.disabled $network_dir/envs/shared/shared.auto.tfvars + else + network_dir="3-networks-dual-svpc" + fi -# # restore access_context.auto.tfvars in main module -# mv $network_dir/envs/shared/access_context.auto.tfvars.disabled $network_dir/envs/shared/access_context.auto.tfvars + # restore backend configs in main module + mv $network_dir/envs/shared/backend.tf.disabled $network_dir/envs/shared/backend.tf -# # restore common.auto.tfvars in main module -# mv $network_dir/envs/shared/common.auto.tfvars.disabled $network_dir/envs/shared/common.auto.tfvars + # restore access_context.auto.tfvars in main module + mv $network_dir/envs/shared/access_context.auto.tfvars.disabled $network_dir/envs/shared/access_context.auto.tfvars -# # restore shared.auto.tfvars in main module -# mv $network_dir/envs/shared/shared.auto.tfvars.disabled $network_dir/envs/shared/shared.auto.tfvars -# } + # restore common.auto.tfvars in main module + mv $network_dir/envs/shared/common.auto.tfvars.disabled $network_dir/envs/shared/common.auto.tfvars +} function projects(){ # restore backend configs in main module @@ -137,10 +134,10 @@ do networks shift ;; - # -s|--shared) - # shared - # shift - # ;; + -s|--shared) + shared + shift + ;; -o|--org) org shift
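Review bot: The comment added above the new `mv` in the dual-svpc branch of `networks()` reads `# disable shared.auto.tfvars in main module #`, but the line restores `production.auto.tfvars`, so the comment is wrong about both the action and the file; `# restore production.auto.tfvars in main module` matches the line and the wording used for the other restore steps in the function. The hunk opens after the `function networks(){` line, so the enclosing `if` on `TF_VAR_example_foundations_mode` is outside the hunk. The same unquoted `$network_dir` expansions noted on the disable script apply to the re-enabled `shared()` here.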
enable_logging = optional(string, "true")
aggregation_interval = optional(string, "INTERVAL_5_SEC")
flow_sampling = optional(string, "0.5")
metadata = optional(string, "INCLUDE_ALL_METADATA")
metadata_fields = optional(list(string), [])
filter_expr = optional(string, "true")
})