Dns refactory

3-networks-dual-svpc/README.md

@@ -240,6 +240,8 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get
 1. Merge changes to production. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch),
    pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID
 
+*Note:** The Production envrionment must be the next branch to be merged as it includes the DNS Hub communication that will be used by other environments.
+
    ```bash
    git checkout -b production
    git push origin production

3-networks-dual-svpc/envs/production/README.md

@@ -1,6 +1,6 @@
 # 3-networks-dual-svpc/production
 
-The purpose of this step is to set up base and restricted shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, onprem Dedicated Interconnect, onprem VPN and baseline firewall rules for environment production.
+The purpose of this step is to set up base and restricted shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, onprem Dedicated Interconnect, onprem VPN and baseline firewall rules for environment production and the global [DNS Hub](https://cloud.google.com/blog/products/networking/cloud-forwarding-peering-and-zones) that will be used by all environments.
 
 ## Prerequisites
 

3-networks-dual-svpc/envs/production/main.tf

@@ -15,53 +15,53 @@
  */
 
 locals {
-  env              = "production"
+  env              = "nonproduction"
   environment_code = substr(local.env, 0, 1)
   /*
    * Base network ranges
    */
-  base_private_service_cidr = "10.16.24.0/21"
+  base_private_service_cidr = "10.16.16.0/21"
   base_subnet_primary_ranges = {
-    (local.default_region1) = "10.0.192.0/18"
-    (local.default_region2) = "10.1.192.0/18"
+    (local.default_region1) = "10.0.128.0/18"
+    (local.default_region2) = "10.1.128.0/18"
   }
   base_subnet_proxy_ranges = {
-    (local.default_region1) = "10.18.6.0/23"
-    (local.default_region2) = "10.19.6.0/23"
+    (local.default_region1) = "10.18.4.0/23"
+    (local.default_region2) = "10.19.4.0/23"
   }
   base_subnet_secondary_ranges = {
     (local.default_region1) = [
       {
         range_name    = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-pod"
-        ip_cidr_range = "100.64.192.0/18"
+        ip_cidr_range = "100.64.128.0/18"
       },
       {
         range_name    = "rn-${local.environment_code}-shared-base-${local.default_region1}-gke-svc"
-        ip_cidr_range = "100.65.192.0/18"
+        ip_cidr_range = "100.65.128.0/18"
       }
     ]
   }
   /*
    * Restricted network ranges
    */
-  restricted_private_service_cidr = "10.16.56.0/21"
+  restricted_private_service_cidr = "10.16.48.0/21"
   restricted_subnet_primary_ranges = {
-    (local.default_region1) = "10.8.192.0/18"
-    (local.default_region2) = "10.9.192.0/18"
+    (local.default_region1) = "10.8.128.0/18"
+    (local.default_region2) = "10.9.128.0/18"
   }
   restricted_subnet_proxy_ranges = {
-    (local.default_region1) = "10.26.6.0/23"
-    (local.default_region2) = "10.27.6.0/23"
+    (local.default_region1) = "10.26.4.0/23"
+    (local.default_region2) = "10.27.4.0/23"
   }
   restricted_subnet_secondary_ranges = {
     (local.default_region1) = [
       {
         range_name    = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-pod"
-        ip_cidr_range = "100.72.192.0/18"
+        ip_cidr_range = "100.72.128.0/18"
       },
       {
         range_name    = "rn-${local.environment_code}-shared-restricted-${local.default_region1}-gke-svc"
-        ip_cidr_range = "100.73.192.0/18"
+        ip_cidr_range = "100.73.128.0/18"
       }
     ]
   }
@@ -87,12 +87,12 @@ module "base_env" {
   base_subnet_primary_ranges            = local.base_subnet_primary_ranges
   base_subnet_proxy_ranges              = local.base_subnet_proxy_ranges
   base_subnet_secondary_ranges          = local.base_subnet_secondary_ranges
-  base_private_service_connect_ip       = "10.17.0.4"
+  base_private_service_connect_ip       = "10.17.0.3"
   restricted_private_service_cidr       = local.restricted_private_service_cidr
-  restricted_subnet_primary_ranges      = local.restricted_subnet_primary_ranges
   restricted_subnet_proxy_ranges        = local.restricted_subnet_proxy_ranges
+  restricted_subnet_primary_ranges      = local.restricted_subnet_primary_ranges
   restricted_subnet_secondary_ranges    = local.restricted_subnet_secondary_ranges
-  restricted_private_service_connect_ip = "10.17.0.8"
+  restricted_private_service_connect_ip = "10.17.0.7"
   remote_state_bucket                   = var.remote_state_bucket
   tfc_org_name                          = var.tfc_org_name
 }

3-networks-dual-svpc/envs/shared/README.md

@@ -1,7 +1,5 @@
 # 3-networks-dual-svpc/shared
 
-The purpose of this step is to set up the global [DNS Hub](https://cloud.google.com/blog/products/networking/cloud-forwarding-peering-and-zones) that will be used by all environments.
-
 ## Prerequisites
 
 1. 0-bootstrap executed successfully.
@@ -19,14 +17,11 @@ The purpose of this step is to set up the global [DNS Hub](https://cloud.google.
 | firewall\_policies\_enable\_logging | Toggle hierarchical firewall logging. | `bool` | `true` | no |
 | preactivate\_partner\_interconnect | Preactivate Partner Interconnect VLAN attachment in the environment. | `bool` | `false` | no |
 | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes |
-| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | n/a | yes |
 | tfc\_org\_name | Name of the TFC organization | `string` | `""` | no |
 | vpc\_flow\_logs | enable\_logging: set to true to enable VPC flow logging for the subnetworks.<br>  aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.<br>  flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].<br>  metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.<br>  metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.<br>  filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. | <pre>object({<br>    enable_logging       = optional(string, "true")<br>    aggregation_interval = optional(string, "INTERVAL_5_SEC")<br>    flow_sampling        = optional(string, "0.5")<br>    metadata             = optional(string, "INCLUDE_ALL_METADATA")<br>    metadata_fields      = optional(list(string), [])<br>    filter_expr          = optional(string, "true")<br>  })</pre> | `{}` | no |
 
 ## Outputs
 
-| Name | Description |
-|------|-------------|
-| dns\_hub\_project\_id | The DNS hub project ID |
+No outputs.
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

3-networks-dual-svpc/envs/shared/interconnect.tf.example

@@ -17,8 +17,8 @@
 module "dns_hub_interconnect" {
   source = "../../modules/dedicated_interconnect"
 
-  vpc_name                = "net-dns"
-  interconnect_project_id = local.dns_hub_project_id
+  vpc_name                = "vpc-p-shared-restricted"
+  interconnect_project_id = local.restricted_project_id
 
   region1                                 = local.default_region1
   region1_router1_name                    = module.dns_hub_region1_router1.router.name

3-networks-dual-svpc/envs/shared/outputs.tf

@@ -14,7 +14,3 @@
  * limitations under the License.
  */
 
-output "dns_hub_project_id" {
-  value       = local.dns_hub_project_id
-  description = "The DNS hub project ID"
-}

3-networks-dual-svpc/envs/shared/partner_interconnect.tf.example

@@ -17,8 +17,8 @@
 module "dns_hub_interconnect" {
   source = "../../modules/partner_interconnect"
 
-  vpc_name              = "net-dns"
-  attachment_project_id = local.dns_hub_project_id
+  vpc_name                = "vpc-p-shared-restricted"
+  attachment_project_id = local.restricted_project_id
   preactivate           = var.preactivate_partner_interconnect
 
   region1                         = local.default_region1

3-networks-dual-svpc/envs/shared/remote.tf

@@ -21,8 +21,8 @@ locals {
   default_region1           = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
   default_region2           = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2
   folder_prefix             = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix
-  dns_hub_project_id        = data.terraform_remote_state.org.outputs.dns_hub_project_id
   interconnect_project_id   = data.terraform_remote_state.org.outputs.interconnect_project_id
+  restricted_project_id     = data.terraform_remote_state.org.outputs.shared_vpc_projects[local.env].restricted_shared_vpc_project_id
   parent_id                 = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id
   bootstrap_folder_name     = data.terraform_remote_state.bootstrap.outputs.common_config.bootstrap_folder_name
   common_folder_name        = data.terraform_remote_state.org.outputs.common_folder_name

3-networks-dual-svpc/envs/shared/variables.tf

@@ -56,11 +56,6 @@ variable "bgp_asn_dns" {
   default     = 64667
 }
 
-variable "target_name_server_addresses" {
-  description = "List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones."
-  type        = list(map(any))
-}
-
 variable "firewall_policies_enable_logging" {
   type        = bool
   description = "Toggle hierarchical firewall logging."

3-networks-dual-svpc/modules/base_env/README.md

@@ -32,6 +32,7 @@
 | restricted\_subnet\_proxy\_ranges | The base proxy-only subnet primary IPTs ranges to the Restricted Shared Vpc. | `map(string)` | n/a | yes |
 | restricted\_subnet\_secondary\_ranges | The base subnet secondary IPTs ranges to the Restricted Shared Vpc | `map(list(map(string)))` | n/a | yes |
 | restricted\_vpc\_flow\_logs | aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.<br>  flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].<br>  metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.<br>  metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.<br>  filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. | <pre>object({<br>    aggregation_interval = optional(string, "INTERVAL_5_SEC")<br>    flow_sampling        = optional(string, "0.5")<br>    metadata             = optional(string, "INCLUDE_ALL_METADATA")<br>    metadata_fields      = optional(list(string), [])<br>    filter_expr          = optional(string, "true")<br>  })</pre> | `{}` | no |
+| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | `list(map(any))` | `[]` | no |
 | tfc\_org\_name | Name of the TFC organization | `string` | n/a | yes |
 
 ## Outputs
@@ -56,5 +57,6 @@
 | restricted\_subnets\_names | The names of the subnets being created |
 | restricted\_subnets\_secondary\_ranges | The secondary ranges associated with these subnets |
 | restricted\_subnets\_self\_links | The self-links of subnets being created |
+| target\_name\_server\_addresses | List of IPv4 address of target name servers for the forwarding zone configuration |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->