removing base references

renato-rudnicki · Nov 12, 2024 · 02decb3 · 02decb3
1 parent b6810c7
commit 02decb3
Show file tree

Hide file tree

Showing 18 changed files with 57 additions and 292 deletions.
diff --git a/3-networks-hub-and-spoke/envs/shared/README.md b/3-networks-hub-and-spoke/envs/shared/README.md
@@ -50,8 +50,6 @@ The purpose of this step is to set up the global [DNS Hub](https://cloud.google.
 
 ## Outputs
 
-| Name | Description |
-|------|-------------|
-| dns\_hub\_project\_id | The DNS hub project ID |
+No outputs.
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/3-networks-hub-and-spoke/envs/shared/net-hubs-transitivity.tf b/3-networks-hub-and-spoke/envs/shared/net-hubs-transitivity.tf
@@ -16,16 +16,6 @@
 
 locals {
   enable_transitivity = var.enable_hub_and_spoke_transitivity
-  base_regional_aggregates = {
-    (local.default_region1) = [
-      "10.0.0.0/16",
-      "100.64.0.0/16"
-    ]
-    (local.default_region2) = [
-      "10.1.0.0/16",
-      "100.65.0.0/16"
-    ]
-  }
   restricted_regional_aggregates = {
     (local.default_region1) = [
       "10.8.0.0/16",
@@ -38,40 +28,6 @@ locals {
   }
 }
 
-/*
- * Base Network Transitivity
- */
-
-module "base_transitivity" {
-  source = "../../modules/transitivity"
-  count  = local.enable_transitivity ? 1 : 0
-
-  project_id          = local.base_net_hub_project_id
-  regions             = keys(local.base_subnet_primary_ranges)
-  vpc_name            = module.base_shared_vpc.network_name
-  gw_subnets          = { for region in keys(local.base_subnet_primary_ranges) : region => "sb-c-shared-base-hub-${region}" }
-  regional_aggregates = local.base_regional_aggregates
-  firewall_policy     = module.base_shared_vpc.firewall_policy
-  commands = [
-    # Accept all ICMP (troubleshooting)
-    "iptables -A INPUT -p icmp -j ACCEPT",
-    # Accept SSH local traffic to the eth0 interface (health checking)
-    "iptables -A INPUT -p tcp --dport 22 -d $(curl -H \"Metadata-Flavor: Google\" http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip) -j ACCEPT",
-    # Drop everything else
-    "iptables -A INPUT -j DROP",
-    # Accept all return transit traffic for established flows
-    "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
-    # Accept all transit traffic from internal ranges
-    # Replace by actual multiple source/destination/proto/ports rules for fine-grained ACLs.
-    "iptables -A FORWARD -s ${join(",", flatten(values(local.base_regional_aggregates)))} -d ${join(",", flatten(values(local.base_regional_aggregates)))} -j ACCEPT",
-    # Drop everything else
-    "iptables -A FORWARD -j DROP",
-    # SNAT traffic not to the local eth0 interface
-    "iptables -t nat -A POSTROUTING ! -d $(curl -H \"Metadata-Flavor: Google\" http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip) -j MASQUERADE",
-  ]
-
-  depends_on = [module.base_shared_vpc]
-}
 
 /*
  * Restricted Network Transitivity

diff --git a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf
@@ -167,81 +167,6 @@ locals {
   restricted_services_dry_run = length(var.custom_restricted_services) != 0 ? var.custom_restricted_services : local.supported_restricted_service
 }
 
-/******************************************
-  Base Network VPC
-*****************************************/
-
-module "base_shared_vpc" {
-  source = "../../modules/base_shared_vpc"
-
-  project_id                    = local.base_net_hub_project_id
-  dns_hub_project_id            = local.dns_hub_project_id
-  environment_code              = local.environment_code
-  private_service_connect_ip    = "10.17.0.1"
-  bgp_asn_subnet                = local.bgp_asn_number
-  default_region1               = local.default_region1
-  default_region2               = local.default_region2
-  domain                        = var.domain
-  dns_enable_inbound_forwarding = var.base_hub_dns_enable_inbound_forwarding
-  dns_enable_logging            = var.base_hub_dns_enable_logging
-  firewall_enable_logging       = var.base_hub_firewall_enable_logging
-  nat_enabled                   = var.base_hub_nat_enabled
-  nat_bgp_asn                   = var.base_hub_nat_bgp_asn
-  nat_num_addresses_region1     = var.base_hub_nat_num_addresses_region1
-  nat_num_addresses_region2     = var.base_hub_nat_num_addresses_region2
-  windows_activation_enabled    = var.base_hub_windows_activation_enabled
-  mode                          = "hub"
-
-  subnets = [
-    {
-      subnet_name                      = "sb-c-shared-base-hub-${local.default_region1}"
-      subnet_ip                        = local.base_subnet_primary_ranges[local.default_region1]
-      subnet_region                    = local.default_region1
-      subnet_private_access            = "true"
-      subnet_flow_logs                 = var.base_vpc_flow_logs.enable_logging
-      subnet_flow_logs_interval        = var.base_vpc_flow_logs.aggregation_interval
-      subnet_flow_logs_sampling        = var.base_vpc_flow_logs.flow_sampling
-      subnet_flow_logs_metadata        = var.base_vpc_flow_logs.metadata
-      subnet_flow_logs_metadata_fields = var.base_vpc_flow_logs.metadata_fields
-      subnet_flow_logs_filter          = var.base_vpc_flow_logs.filter_expr
-      description                      = "Base network hub subnet for ${local.default_region1}"
-    },
-    {
-      subnet_name                      = "sb-c-shared-base-hub-${local.default_region2}"
-      subnet_ip                        = local.base_subnet_primary_ranges[local.default_region2]
-      subnet_region                    = local.default_region2
-      subnet_private_access            = "true"
-      subnet_flow_logs                 = var.base_vpc_flow_logs.enable_logging
-      subnet_flow_logs_interval        = var.base_vpc_flow_logs.aggregation_interval
-      subnet_flow_logs_sampling        = var.base_vpc_flow_logs.flow_sampling
-      subnet_flow_logs_metadata        = var.base_vpc_flow_logs.metadata
-      subnet_flow_logs_metadata_fields = var.base_vpc_flow_logs.metadata_fields
-      subnet_flow_logs_filter          = var.base_vpc_flow_logs.filter_expr
-      description                      = "Base network hub subnet for ${local.default_region2}"
-    },
-    {
-      subnet_name      = "sb-c-shared-base-hub-${local.default_region1}-proxy"
-      subnet_ip        = local.base_subnet_proxy_ranges[local.default_region1]
-      subnet_region    = local.default_region1
-      subnet_flow_logs = false
-      description      = "Base network hub proxy-only subnet for ${local.default_region1}"
-      role             = "ACTIVE"
-      purpose          = "REGIONAL_MANAGED_PROXY"
-    },
-    {
-      subnet_name      = "sb-c-shared-base-hub-${local.default_region2}-proxy"
-      subnet_ip        = local.base_subnet_proxy_ranges[local.default_region2]
-      subnet_region    = local.default_region2
-      subnet_flow_logs = false
-      description      = "Base network hub proxy-only subnet for ${local.default_region2}"
-      role             = "ACTIVE"
-      purpose          = "REGIONAL_MANAGED_PROXY"
-    }
-  ]
-  secondary_ranges = {}
-
-}
-
 /******************************************
   Restricted Network VPC
 *****************************************/
@@ -251,7 +176,6 @@ module "restricted_shared_vpc" {
 
   project_id                       = local.restricted_net_hub_project_id
   project_number                   = local.restricted_net_hub_project_number
-  dns_hub_project_id               = local.dns_hub_project_id
   environment_code                 = local.environment_code
   private_service_connect_ip       = "10.17.0.5"
   access_context_manager_policy_id = var.access_context_manager_policy_id
@@ -279,6 +203,7 @@ module "restricted_shared_vpc" {
   nat_num_addresses_region1     = var.restricted_hub_nat_num_addresses_region1
   nat_num_addresses_region2     = var.restricted_hub_nat_num_addresses_region2
   windows_activation_enabled    = var.restricted_hub_windows_activation_enabled
+  target_name_server_addresses  = var.target_name_server_addresses
   mode                          = "hub"
 
   subnets = [

diff --git a/3-networks-hub-and-spoke/envs/shared/outputs.tf b/3-networks-hub-and-spoke/envs/shared/outputs.tf
@@ -14,7 +14,3 @@
  * limitations under the License.
  */
 
-output "dns_hub_project_id" {
-  value       = local.dns_hub_project_id
-  description = "The DNS hub project ID"
-}
diff --git a/3-networks-hub-and-spoke/envs/shared/remote.tf b/3-networks-hub-and-spoke/envs/shared/remote.tf
@@ -15,7 +15,6 @@
  */
 
 locals {
-  dns_hub_project_id                = data.terraform_remote_state.org.outputs.dns_hub_project_id
   interconnect_project_id           = data.terraform_remote_state.org.outputs.interconnect_project_id
   interconnect_project_number       = data.terraform_remote_state.org.outputs.interconnect_project_number
   parent_folder                     = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder
@@ -33,7 +32,6 @@ locals {
   development_folder_name           = data.terraform_remote_state.env_development.outputs.env_folder
   nonproduction_folder_name         = data.terraform_remote_state.env_nonproduction.outputs.env_folder
   production_folder_name            = data.terraform_remote_state.env_production.outputs.env_folder
-  base_net_hub_project_id           = data.terraform_remote_state.org.outputs.base_net_hub_project_id
   restricted_net_hub_project_id     = data.terraform_remote_state.org.outputs.restricted_net_hub_project_id
   restricted_net_hub_project_number = data.terraform_remote_state.org.outputs.restricted_net_hub_project_number
   organization_service_account      = data.terraform_remote_state.bootstrap.outputs.organization_step_terraform_service_account_email

diff --git a/3-networks-hub-and-spoke/modules/base_env/README.md b/3-networks-hub-and-spoke/modules/base_env/README.md
@@ -33,6 +33,7 @@
 | restricted\_subnet\_proxy\_ranges | The base proxy-only subnet primary IPTs ranges to the Restricted Shared Vpc. | `map(string)` | n/a | yes |
 | restricted\_subnet\_secondary\_ranges | The base subnet secondary IPTs ranges to the Restricted Shared Vpc | `map(list(map(string)))` | n/a | yes |
 | restricted\_vpc\_flow\_logs | aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.<br>  flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].<br>  metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.<br>  metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.<br>  filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. | <pre>object({<br>    aggregation_interval = optional(string, "INTERVAL_5_SEC")<br>    flow_sampling        = optional(string, "0.5")<br>    metadata             = optional(string, "INCLUDE_ALL_METADATA")<br>    metadata_fields      = optional(list(string), [])<br>    filter_expr          = optional(string, "true")<br>  })</pre> | `{}` | no |
+| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes |
 | tfc\_org\_name | Name of the TFC organization | `string` | n/a | yes |
 
 ## Outputs
@@ -41,13 +42,6 @@
 |------|-------------|
 | access\_level\_name | Access context manager access level name for the enforced perimeter |
 | access\_level\_name\_dry\_run | Access context manager access level name for the dry-run perimeter |
-| base\_host\_project\_id | The base host project ID |
-| base\_network\_name | The name of the VPC being created |
-| base\_network\_self\_link | The URI of the VPC being created |
-| base\_subnets\_ips | The IPs and CIDRs of the subnets being created |
-| base\_subnets\_names | The names of the subnets being created |
-| base\_subnets\_secondary\_ranges | The secondary ranges associated with these subnets |
-| base\_subnets\_self\_links | The self-links of subnets being created |
 | enforce\_vpcsc | Enable the enforced mode for VPC Service Controls. It is not recommended to enable VPC-SC on the first run deploying your foundation. Review [best practices for enabling VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/enable), then only enforce the perimeter after you have analyzed the access patterns in your dry-run perimeter and created the necessary exceptions for your use cases. |
 | restricted\_host\_project\_id | The restricted host project ID |
 | restricted\_network\_name | The name of the VPC being created |

diff --git a/3-networks-hub-and-spoke/modules/base_env/main.tf b/3-networks-hub-and-spoke/modules/base_env/main.tf
@@ -166,7 +166,6 @@ module "restricted_shared_vpc" {
 
   project_id                        = local.restricted_project_id
   project_number                    = local.restricted_project_number
-  dns_hub_project_id                = local.dns_hub_project_id
   restricted_net_hub_project_id     = local.restricted_net_hub_project_id
   restricted_net_hub_project_number = local.restricted_net_hub_project_number
   environment_code                  = var.environment_code
@@ -183,15 +182,16 @@ module "restricted_shared_vpc" {
     "serviceAccount:${local.projects_service_account}",
     "serviceAccount:${local.organization_service_account}",
   ], var.perimeter_additional_members))
-  private_service_cidr       = var.restricted_private_service_cidr
-  private_service_connect_ip = var.restricted_private_service_connect_ip
-  ingress_policies           = var.ingress_policies
-  egress_policies            = var.egress_policies
-  bgp_asn_subnet             = local.bgp_asn_number
-  default_region1            = var.default_region1
-  default_region2            = var.default_region2
-  domain                     = var.domain
-  mode                       = "spoke"
+  private_service_cidr         = var.restricted_private_service_cidr
+  private_service_connect_ip   = var.restricted_private_service_connect_ip
+  ingress_policies             = var.ingress_policies
+  egress_policies              = var.egress_policies
+  bgp_asn_subnet               = local.bgp_asn_number
+  default_region1              = var.default_region1
+  default_region2              = var.default_region2
+  domain                       = var.domain
+  mode                         = "spoke"
+  target_name_server_addresses = var.target_name_server_addresses
 
   subnets = [
     {
@@ -244,72 +244,3 @@ module "restricted_shared_vpc" {
   }
 }
 
-/******************************************
- Base shared VPC
-*****************************************/
-
-module "base_shared_vpc" {
-  source = "../base_shared_vpc"
-
-  project_id                 = local.base_project_id
-  dns_hub_project_id         = local.dns_hub_project_id
-  base_net_hub_project_id    = local.base_net_hub_project_id
-  environment_code           = var.environment_code
-  private_service_cidr       = var.base_private_service_cidr
-  private_service_connect_ip = var.base_private_service_connect_ip
-  default_region1            = var.default_region1
-  default_region2            = var.default_region2
-  domain                     = var.domain
-  bgp_asn_subnet             = local.bgp_asn_number
-  mode                       = "spoke"
-
-  subnets = [
-    {
-      subnet_name                      = "sb-${var.environment_code}-shared-base-${var.default_region1}"
-      subnet_ip                        = var.base_subnet_primary_ranges[var.default_region1]
-      subnet_region                    = var.default_region1
-      subnet_private_access            = "true"
-      subnet_flow_logs                 = true
-      subnet_flow_logs_interval        = var.base_vpc_flow_logs.aggregation_interval
-      subnet_flow_logs_sampling        = var.base_vpc_flow_logs.flow_sampling
-      subnet_flow_logs_metadata        = var.base_vpc_flow_logs.metadata
-      subnet_flow_logs_metadata_fields = var.base_vpc_flow_logs.metadata_fields
-      subnet_flow_logs_filter          = var.base_vpc_flow_logs.filter_expr
-      description                      = "First ${var.env} subnet example."
-    },
-    {
-      subnet_name                      = "sb-${var.environment_code}-shared-base-${var.default_region2}"
-      subnet_ip                        = var.base_subnet_primary_ranges[var.default_region2]
-      subnet_region                    = var.default_region2
-      subnet_private_access            = "true"
-      subnet_flow_logs                 = true
-      subnet_flow_logs_interval        = var.base_vpc_flow_logs.aggregation_interval
-      subnet_flow_logs_sampling        = var.base_vpc_flow_logs.flow_sampling
-      subnet_flow_logs_metadata        = var.base_vpc_flow_logs.metadata
-      subnet_flow_logs_metadata_fields = var.base_vpc_flow_logs.metadata_fields
-      subnet_flow_logs_filter          = var.base_vpc_flow_logs.filter_expr
-      description                      = "Second ${var.env} subnet example."
-    },
-    {
-      subnet_name      = "sb-${var.environment_code}-shared-base-${var.default_region1}-proxy"
-      subnet_ip        = var.base_subnet_proxy_ranges[var.default_region1]
-      subnet_region    = var.default_region1
-      description      = "First ${var.env} proxy-only subnet example."
-      subnet_flow_logs = false
-      role             = "ACTIVE"
-      purpose          = "REGIONAL_MANAGED_PROXY"
-    },
-    {
-      subnet_name      = "sb-${var.environment_code}-shared-base-${var.default_region2}-proxy"
-      subnet_ip        = var.base_subnet_proxy_ranges[var.default_region2]
-      subnet_region    = var.default_region2
-      description      = "Second ${var.env} proxy-only subnet example."
-      subnet_flow_logs = false
-      role             = "ACTIVE"
-      purpose          = "REGIONAL_MANAGED_PROXY"
-    }
-  ]
-  secondary_ranges = {
-    "sb-${var.environment_code}-shared-base-${var.default_region1}" = var.base_subnet_secondary_ranges[var.default_region1]
-  }
-}
diff --git a/3-networks-hub-and-spoke/modules/base_env/outputs.tf b/3-networks-hub-and-spoke/modules/base_env/outputs.tf
@@ -74,42 +74,3 @@ output "restricted_service_perimeter_name" {
 }
 
 
-
-/******************************************
- Private Outputs
-*****************************************/
-
-output "base_host_project_id" {
-  value       = local.base_project_id
-  description = "The base host project ID"
-}
-
-output "base_network_name" {
-  value       = module.base_shared_vpc.network_name
-  description = "The name of the VPC being created"
-}
-
-output "base_network_self_link" {
-  value       = module.base_shared_vpc.network_self_link
-  description = "The URI of the VPC being created"
-}
-
-output "base_subnets_names" {
-  value       = module.base_shared_vpc.subnets_names
-  description = "The names of the subnets being created"
-}
-
-output "base_subnets_ips" {
-  value       = module.base_shared_vpc.subnets_ips
-  description = "The IPs and CIDRs of the subnets being created"
-}
-
-output "base_subnets_self_links" {
-  value       = module.base_shared_vpc.subnets_self_links
-  description = "The self-links of subnets being created"
-}
-
-output "base_subnets_secondary_ranges" {
-  value       = module.base_shared_vpc.subnets_secondary_ranges
-  description = "The secondary ranges associated with these subnets"
-}
diff --git a/3-networks-hub-and-spoke/modules/base_env/remote.tf b/3-networks-hub-and-spoke/modules/base_env/remote.tf
@@ -17,9 +17,6 @@
 locals {
   restricted_project_id             = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].restricted_shared_vpc_project_id
   restricted_project_number         = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].restricted_shared_vpc_project_number
-  base_project_id                   = data.terraform_remote_state.org.outputs.shared_vpc_projects[var.env].base_shared_vpc_project_id
-  dns_hub_project_id                = data.terraform_remote_state.org.outputs.dns_hub_project_id
-  base_net_hub_project_id           = data.terraform_remote_state.org.outputs.base_net_hub_project_id
   restricted_net_hub_project_id     = data.terraform_remote_state.org.outputs.restricted_net_hub_project_id
   restricted_net_hub_project_number = data.terraform_remote_state.org.outputs.restricted_net_hub_project_number
   organization_service_account      = data.terraform_remote_state.bootstrap.outputs.organization_step_terraform_service_account_email