
Commit f6cd9ad

drebesbharathkkb
authored andcommitted
feat: enable hub & spoke transitivity via gateway VMs (terraform-google-modules#322)
1 parent 70501ec commit f6cd9ad


26 files changed

+742
-91
lines changed


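--- a/3-networks/envs/development/README.md
+++ b/3-networks/envs/development/README.md
@@ -22,6 +22,7 @@ The purpose of this step is to set up base and restricted shared VPCs with defau
 | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no |
 | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes |
 | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
+| enable\_hub\_and\_spoke\_transitivity | Enable transitivity via gateway VMs on Hub-and-Spoke architecture. | `bool` | `false` | no |
 | enable\_partner\_interconnect | Enable Partner Interconnect in the environment. | `bool` | `false` | no |
 | firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no |
 | folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no |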

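--- a/3-networks/envs/development/main.tf
+++ b/3-networks/envs/development/main.tf
@@ -23,6 +23,51 @@ locals {
 parent_id = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}"
 mode = var.enable_hub_and_spoke ? "spoke" : null
 bgp_asn_number = var.enable_partner_interconnect ? "16550" : "64514"
+enable_transitivity = var.enable_hub_and_spoke && var.enable_hub_and_spoke_transitivity
+/*
+* Base network ranges
+*/
+base_subnet_aggregates = ["10.0.0.0/16", "10.1.0.0/16", "100.64.0.0/16", "100.65.0.0/16"]
+base_hub_subnet_ranges = ["10.0.0.0/24", "10.1.0.0/24"]
+base_private_service_cidr = "10.16.64.0/21"
+base_subnet_primary_ranges = {
+(var.default_region1) = "10.0.64.0/21"
+(var.default_region2) = "10.1.64.0/21"
+}
+base_subnet_secondary_ranges = {
+(var.default_region1) = [
+{
+range_name = "rn-${local.environment_code}-shared-base-${var.default_region1}-gke-pod"
+ip_cidr_range = "100.64.64.0/21"
+},
+{
+range_name = "rn-${local.environment_code}-shared-base-${var.default_region1}-gke-svc"
+ip_cidr_range = "100.64.72.0/21"
+}
+]
+}
+/*
+* Restricted network ranges
+*/
+restricted_subnet_aggregates = ["10.8.0.0/16", "10.9.0.0/16", "100.72.0.0/16", "100.73.0.0/16"]
+restricted_hub_subnet_ranges = ["10.8.0.0/24", "10.9.0.0/24"]
+restricted_private_service_cidr = "10.24.64.0/21"
+restricted_subnet_primary_ranges = {
+(var.default_region1) = "10.8.64.0/21"
+(var.default_region2) = "10.9.64.0/21"
+}
+restricted_subnet_secondary_ranges = {
+(var.default_region1) = [
+{
+range_name = "rn-${local.environment_code}-shared-restricted-${var.default_region1}-gke-pod"
+ip_cidr_range = "100.72.64.0/21"
+},
+{
+range_name = "rn-${local.environment_code}-shared-restricted-${var.default_region1}-gke-svc"
+ip_cidr_range = "100.72.72.0/21"
+}
+]
+}
 }
 
 data "google_active_folder" "env" {
@@ -57,7 +102,7 @@ module "restricted_shared_vpc" {
 access_context_manager_policy_id = var.access_context_manager_policy_id
 restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"]
 members = ["serviceAccount:${var.terraform_service_account}"]
-private_service_cidr = "10.0.176.0/20"
+private_service_cidr = local.restricted_private_service_cidr
 org_id = var.org_id
 parent_folder = var.parent_folder
 bgp_asn_subnet = local.bgp_asn_number
@@ -79,33 +124,26 @@ module "restricted_shared_vpc" {
 subnets = [
 {
 subnet_name = "sb-${local.environment_code}-shared-restricted-${var.default_region1}"
-subnet_ip = "10.0.160.0/21"
+subnet_ip = local.restricted_subnet_primary_ranges[var.default_region1]
 subnet_region = var.default_region1
 subnet_private_access = "true"
 subnet_flow_logs = var.subnetworks_enable_logging
 description = "First ${local.env} subnet example."
 },
 {
 subnet_name = "sb-${local.environment_code}-shared-restricted-${var.default_region2}"
-subnet_ip = "10.0.168.0/21"
+subnet_ip = local.restricted_subnet_primary_ranges[var.default_region2]
 subnet_region = var.default_region2
 subnet_private_access = "true"
 subnet_flow_logs = var.subnetworks_enable_logging
 description = "Second ${local.env} subnet example."
 }
 ]
 secondary_ranges = {
-"sb-${local.environment_code}-shared-restricted-${var.default_region1}" = [
-{
-range_name = "rn-${local.environment_code}-shared-restricted-${var.default_region1}-gke-pod"
-ip_cidr_range = "192.168.0.0/21"
-},
-{
-range_name = "rn-${local.environment_code}-shared-restricted-${var.default_region1}-gke-svc"
-ip_cidr_range = "192.168.8.0/21"
-}
-]
+"sb-${local.environment_code}-shared-restricted-${var.default_region1}" = local.restricted_subnet_secondary_ranges[var.default_region1]
 }
+allow_all_ingress_ranges = local.enable_transitivity ? local.restricted_hub_subnet_ranges : null
+allow_all_egress_ranges = local.enable_transitivity ? local.restricted_subnet_aggregates : null
 }
 
 /******************************************
@@ -116,7 +154,7 @@ module "base_shared_vpc" {
 source = "../../modules/base_shared_vpc"
 project_id = local.base_project_id
 environment_code = local.environment_code
-private_service_cidr = "10.0.144.0/20"
+private_service_cidr = local.base_private_service_cidr
 org_id = var.org_id
 parent_folder = var.parent_folder
 default_region1 = var.default_region1
@@ -139,31 +177,24 @@ module "base_shared_vpc" {
 subnets = [
 {
 subnet_name = "sb-${local.environment_code}-shared-base-${var.default_region1}"
-subnet_ip = "10.0.128.0/21"
+subnet_ip = local.base_subnet_primary_ranges[var.default_region1]
 subnet_region = var.default_region1
 subnet_private_access = "true"
 subnet_flow_logs = var.subnetworks_enable_logging
 description = "First ${local.env} subnet example."
 },
 {
 subnet_name = "sb-${local.environment_code}-shared-base-${var.default_region2}"
-subnet_ip = "10.0.136.0/21"
+subnet_ip = local.base_subnet_primary_ranges[var.default_region2]
 subnet_region = var.default_region2
 subnet_private_access = "true"
 subnet_flow_logs = var.subnetworks_enable_logging
 description = "Second ${local.env} subnet example."
 }
 ]
 secondary_ranges = {
-"sb-${local.environment_code}-shared-base-${var.default_region1}" = [
-{
-range_name = "rn-${local.environment_code}-shared-base-${var.default_region1}-gke-pod"
-ip_cidr_range = "192.168.16.0/21"
-},
-{
-range_name = "rn-${local.environment_code}-shared-base-${var.default_region1}-gke-svc"
-ip_cidr_range = "192.168.24.0/21"
-}
-]
+"sb-${local.environment_code}-shared-base-${var.default_region1}" = local.base_subnet_secondary_ranges[var.default_region1]
 }
+allow_all_ingress_ranges = local.enable_transitivity ? local.base_hub_subnet_ranges : null
+allow_all_egress_ranges = local.enable_transitivity ? local.base_subnet_aggregates : null
 }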
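Review bot: When `enable_transitivity` is true, `allow_all_egress_ranges = local.enable_transitivity ? local.base_subnet_aggregates : null` in the last hunk (and its restricted counterpart two hunks up) hands the module the whole 10.0.0.0/16, 10.1.0.0/16, 100.64.0.0/16 and 100.65.0.0/16 aggregates, which on this page are the same aggregates the non-production environment carves its own subnets from (10.0.128.0/21 there versus 10.0.64.0/21 here), so a rule named allow-all egress presumably reaches well beyond this environment's ranges. Either scope the egress list to the hub ranges plus this environment's own primary, secondary and private-service CIDRs, or document the intent on the locals with something like `# Aggregates span every environment's spoke ranges; allow_all_* rules open them all when transitivity is on`. The same applies to 3-networks/envs/non-production/main.tf. Separately, the locals hunk does not merely hoist the old literals: `subnet_ip` moves from 10.0.128.0/21 to 10.0.64.0/21 and `private_service_cidr` from 10.0.176.0/20 to 10.24.64.0/21, which for an already-deployed environment presumably forces subnet and peering-range replacement and deserves a call-out in the commit description.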

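--- a/3-networks/envs/development/variables.tf
+++ b/3-networks/envs/development/variables.tf
@@ -139,3 +139,9 @@ variable "preactivate_partner_interconnect" {
 type = bool
 default = false
 }
+
+variable "enable_hub_and_spoke_transitivity" {
+description = "Enable transitivity via gateway VMs on Hub-and-Spoke architecture."
+type = bool
+default = false
+}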
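Review bot: The description on the new `enable_hub_and_spoke_transitivity` variable does not say that the flag is inert without `enable_hub_and_spoke`, which is how main.tf consumes it (`enable_transitivity = var.enable_hub_and_spoke && var.enable_hub_and_spoke_transitivity`), so a user who sets only this flag gets neither transitivity nor an error. Suggest `description = "Enable transitivity via gateway VMs on Hub-and-Spoke architecture. Has no effect unless enable_hub_and_spoke is also true."`, mirrored in 3-networks/envs/non-production/variables.tf and in the README rows generated from it.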

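--- a/3-networks/envs/non-production/README.md
+++ b/3-networks/envs/non-production/README.md
@@ -22,6 +22,7 @@ The purpose of this step is to set up base and restricted shared VPCs with defau
 | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no |
 | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes |
 | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
+| enable\_hub\_and\_spoke\_transitivity | Enable transitivity via gateway VMs on Hub-and-Spoke architecture. | `bool` | `false` | no |
 | enable\_partner\_interconnect | Enable Partner Interconnect in the environment. | `bool` | `false` | no |
 | firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no |
 | folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no |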

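--- a/3-networks/envs/non-production/main.tf
+++ b/3-networks/envs/non-production/main.tf
@@ -23,6 +23,51 @@ locals {
 parent_id = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}"
 mode = var.enable_hub_and_spoke ? "spoke" : null
 bgp_asn_number = var.enable_partner_interconnect ? "16550" : "64514"
+enable_transitivity = var.enable_hub_and_spoke && var.enable_hub_and_spoke_transitivity
+/*
+* Base network ranges
+*/
+base_subnet_aggregates = ["10.0.0.0/16", "10.1.0.0/16", "100.64.0.0/16", "100.65.0.0/16"]
+base_hub_subnet_ranges = ["10.0.0.0/24", "10.1.0.0/24"]
+base_private_service_cidr = "10.16.128.0/21"
+base_subnet_primary_ranges = {
+(var.default_region1) = "10.0.128.0/21"
+(var.default_region2) = "10.1.128.0/21"
+}
+base_subnet_secondary_ranges = {
+(var.default_region1) = [
+{
+range_name = "rn-${local.environment_code}-shared-base-${var.default_region1}-gke-pod"
+ip_cidr_range = "100.64.128.0/21"
+},
+{
+range_name = "rn-${local.environment_code}-shared-base-${var.default_region1}-gke-svc"
+ip_cidr_range = "100.64.136.0/21"
+}
+]
+}
+/*
+* Restricted network ranges
+*/
+restricted_subnet_aggregates = ["10.8.0.0/16", "10.9.0.0/16", "100.72.0.0/16", "100.73.0.0/16"]
+restricted_hub_subnet_ranges = ["10.8.0.0/24", "10.9.0.0/24"]
+restricted_private_service_cidr = "10.24.128.0/21"
+restricted_subnet_primary_ranges = {
+(var.default_region1) = "10.8.128.0/21"
+(var.default_region2) = "10.9.128.0/21"
+}
+restricted_subnet_secondary_ranges = {
+(var.default_region1) = [
+{
+range_name = "rn-${local.environment_code}-shared-restricted-${var.default_region1}-gke-pod"
+ip_cidr_range = "100.72.128.0/21"
+},
+{
+range_name = "rn-${local.environment_code}-shared-restricted-${var.default_region1}-gke-svc"
+ip_cidr_range = "100.72.136.0/21"
+}
+]
+}
 }
 
 data "google_active_folder" "env" {
@@ -57,7 +102,7 @@ module "restricted_shared_vpc" {
 access_context_manager_policy_id = var.access_context_manager_policy_id
 restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"]
 members = ["serviceAccount:${var.terraform_service_account}"]
-private_service_cidr = "10.0.112.0/20"
+private_service_cidr = local.restricted_private_service_cidr
 org_id = var.org_id
 parent_folder = var.parent_folder
 bgp_asn_subnet = local.bgp_asn_number
@@ -79,33 +124,26 @@ module "restricted_shared_vpc" {
 subnets = [
 {
 subnet_name = "sb-${local.environment_code}-shared-restricted-${var.default_region1}"
-subnet_ip = "10.0.96.0/21"
+subnet_ip = local.restricted_subnet_primary_ranges[var.default_region1]
 subnet_region = var.default_region1
 subnet_private_access = "true"
 subnet_flow_logs = var.subnetworks_enable_logging
 description = "First ${local.env} subnet example."
 },
 {
 subnet_name = "sb-${local.environment_code}-shared-restricted-${var.default_region2}"
-subnet_ip = "10.0.104.0/21"
+subnet_ip = local.restricted_subnet_primary_ranges[var.default_region2]
 subnet_region = var.default_region2
 subnet_private_access = "true"
 subnet_flow_logs = var.subnetworks_enable_logging
 description = "Second ${local.env} subnet example."
 }
 ]
 secondary_ranges = {
-"sb-${local.environment_code}-shared-restricted-${var.default_region1}" = [
-{
-range_name = "rn-${local.environment_code}-shared-restricted-${var.default_region1}-gke-pod"
-ip_cidr_range = "192.168.32.0/21"
-},
-{
-range_name = "rn-${local.environment_code}-shared-restricted-${var.default_region1}-gke-svc"
-ip_cidr_range = "192.168.40.0/21"
-}
-]
+"sb-${local.environment_code}-shared-restricted-${var.default_region1}" = local.restricted_subnet_secondary_ranges[var.default_region1]
 }
+allow_all_ingress_ranges = local.enable_transitivity ? local.restricted_hub_subnet_ranges : null
+allow_all_egress_ranges = local.enable_transitivity ? local.restricted_subnet_aggregates : null
 }
 
 /******************************************
@@ -116,7 +154,7 @@ module "base_shared_vpc" {
 source = "../../modules/base_shared_vpc"
 project_id = local.base_project_id
 environment_code = local.environment_code
-private_service_cidr = "10.0.80.0/20"
+private_service_cidr = local.base_private_service_cidr
 org_id = var.org_id
 parent_folder = var.parent_folder
 default_region1 = var.default_region1
@@ -139,31 +177,24 @@ module "base_shared_vpc" {
 subnets = [
 {
 subnet_name = "sb-${local.environment_code}-shared-base-${var.default_region1}"
-subnet_ip = "10.0.64.0/21"
+subnet_ip = local.base_subnet_primary_ranges[var.default_region1]
 subnet_region = var.default_region1
 subnet_private_access = "true"
 subnet_flow_logs = var.subnetworks_enable_logging
 description = "First ${local.env} subnet example."
 },
 {
 subnet_name = "sb-${local.environment_code}-shared-base-${var.default_region2}"
-subnet_ip = "10.0.72.0/21"
+subnet_ip = local.base_subnet_primary_ranges[var.default_region2]
 subnet_region = var.default_region2
 subnet_private_access = "true"
 subnet_flow_logs = var.subnetworks_enable_logging
 description = "Second ${local.env} subnet example."
 }
 ]
 secondary_ranges = {
-"sb-${local.environment_code}-shared-base-${var.default_region1}" = [
-{
-range_name = "rn-${local.environment_code}-shared-base-${var.default_region1}-gke-pod"
-ip_cidr_range = "192.168.48.0/21"
-},
-{
-range_name = "rn-${local.environment_code}-shared-base-${var.default_region1}-gke-svc"
-ip_cidr_range = "192.168.56.0/21"
-}
-]
+"sb-${local.environment_code}-shared-base-${var.default_region1}" = local.base_subnet_secondary_ranges[var.default_region1]
 }
+allow_all_ingress_ranges = local.enable_transitivity ? local.base_hub_subnet_ranges : null
+allow_all_egress_ranges = local.enable_transitivity ? local.base_subnet_aggregates : null
 }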
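Review bot: The hub ranges and aggregates in the locals hunk (`base_hub_subnet_ranges = ["10.0.0.0/24", "10.1.0.0/24"]`, `base_subnet_aggregates = [...]` and the restricted pair) are byte-identical to the development environment's copy on this page, while only the per-environment /21s differ; they describe the hub and the organisation-wide address plan rather than this environment, so a second hand-maintained copy will drift the first time the hub ranges change, and a stale aggregate here silently widens or narrows the allow-all firewall rules fed from it. If the module layout allows, source them from one shared definition; until then, a comment on each list such as `# Must match the same lists in the other environments' main.tf` would at least flag the coupling.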

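--- a/3-networks/envs/non-production/variables.tf
+++ b/3-networks/envs/non-production/variables.tf
@@ -138,4 +138,10 @@ variable "preactivate_partner_interconnect" {
 description = "Preactivate Partner Interconnect VLAN attachment in the environment."
 type = bool
 default = false
+
+}
+variable "enable_hub_and_spoke_transitivity" {
+description = "Enable transitivity via gateway VMs on Hub-and-Spoke architecture."
+type = bool
+default = false
 }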
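Review bot: As the diff reads, the added blank line (new line 141) lands inside `preactivate_partner_interconnect` before its closing brace, and `variable "enable_hub_and_spoke_transitivity" {` then follows that brace with no separating blank line, unlike the development copy where the blank line separates the two blocks. It is valid HCL, but the two environments should be formatted alike; move the blank line below the `}` so the new block is preceded by one empty line.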

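--- a/3-networks/envs/production/README.md
+++ b/3-networks/envs/production/README.md
@@ -22,6 +22,7 @@ The purpose of this step is to set up base and restricted shared VPCs with defau
 | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no |
 | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes |
 | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
+| enable\_hub\_and\_spoke\_transitivity | Enable transitivity via gateway VMs on Hub-and-Spoke architecture. | `bool` | `false` | no |
 | enable\_partner\_interconnect | Enable Partner Interconnect in the environment. | `bool` | `false` | no |
 | firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no |
 | folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no |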
