feat: implement support for Partner Interconnect (#345)

terraform-google-modules · Mar 31, 2021 · 70501ec · 70501ec
1 parent 02a4ac5
commit 70501ec
Show file tree

Hide file tree

Showing 34 changed files with 773 additions and 38 deletions.
diff --git a/1-org/envs/shared/README.md b/1-org/envs/shared/README.md
@@ -21,9 +21,9 @@
 | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
 | enable\_os\_login\_policy | Enable OS Login policy. | `bool` | `false` | no |
 | folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no |
-| interconnect\_project\_alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` for the interconnect project. | `string` | `null` | no |
-| interconnect\_project\_alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded for the interconnect project. | `list(number)` | <pre>[<br>  0.5,<br>  0.75,<br>  0.9,<br>  0.95<br>]</pre> | no |
-| interconnect\_project\_budget\_amount | The amount to use as the budget for the interconnect project. | `number` | `1000` | no |
+| interconnect\_project\_alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` for the Dedicated Interconnect project. | `string` | `null` | no |
+| interconnect\_project\_alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded for the Dedicated Interconnect project. | `list(number)` | <pre>[<br>  0.5,<br>  0.75,<br>  0.9,<br>  0.95<br>]</pre> | no |
+| interconnect\_project\_budget\_amount | The amount to use as the budget for the Dedicated Interconnect project. | `number` | `1000` | no |
 | log\_export\_storage\_force\_destroy | (Optional) If set to true, delete all contents when destroying the resource; otherwise, destroying the resource will fail if contents are present. | `bool` | `false` | no |
 | log\_export\_storage\_location | The location of the storage bucket used to export logs. | `string` | `"US"` | no |
 | log\_export\_storage\_retention\_policy | Configuration of the bucket's data retention policy for how long objects in the bucket should be retained. | <pre>object({<br>    is_locked             = bool<br>    retention_period_days = number<br>  })</pre> | `null` | no |
@@ -59,7 +59,7 @@
 | common\_folder\_name | The common folder name |
 | dns\_hub\_project\_id | The DNS hub project ID |
 | domains\_to\_allow | The list of domains to allow users from in IAM. |
-| interconnect\_project\_id | The interconnect project ID |
+| interconnect\_project\_id | The Dedicated Interconnect project ID |
 | logs\_export\_pubsub\_topic | The Pub/Sub topic for destination of log exports |
 | logs\_export\_storage\_bucket\_name | The storage bucket for destination of log exports |
 | org\_audit\_logs\_project\_id | The org audit logs project ID |

diff --git a/1-org/envs/shared/outputs.tf b/1-org/envs/shared/outputs.tf
@@ -56,7 +56,7 @@ output "org_secrets_project_id" {
 
 output "interconnect_project_id" {
   value       = module.interconnect.project_id
-  description = "The interconnect project ID"
+  description = "The Dedicated Interconnect project ID"
 }
 
 output "scc_notifications_project_id" {

diff --git a/1-org/envs/shared/variables.tf b/1-org/envs/shared/variables.tf
@@ -190,19 +190,19 @@ variable "restricted_net_hub_project_budget_amount" {
 }
 
 variable "interconnect_project_alert_spent_percents" {
-  description = "A list of percentages of the budget to alert on when threshold is exceeded for the interconnect project."
+  description = "A list of percentages of the budget to alert on when threshold is exceeded for the Dedicated Interconnect project."
   type        = list(number)
   default     = [0.5, 0.75, 0.9, 0.95]
 }
 
 variable "interconnect_project_alert_pubsub_topic" {
-  description = "The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` for the interconnect project."
+  description = "The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` for the Dedicated Interconnect project."
   type        = string
   default     = null
 }
 
 variable "interconnect_project_budget_amount" {
-  description = "The amount to use as the budget for the interconnect project."
+  description = "The amount to use as the budget for the Dedicated Interconnect project."
   type        = number
   default     = 1000
 }

diff --git a/3-networks/README.md b/3-networks/README.md
@@ -3,7 +3,7 @@
 The purpose of this step is to:
 
 - Setup the global [DNS Hub](https://cloud.google.com/blog/products/networking/cloud-forwarding-peering-and-zones).
-- Setup base and restricted shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, onprem dedicated interconnect and baseline firewall rules for each environment.
+- Setup base and restricted shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, onprem Dedicated or Partner Interconnect and baseline firewall rules for each environment.
 
 ## Prerequisites
 
@@ -22,9 +22,17 @@ If you have the prerequisites listed in the [Dedicated Interconnect README](./mo
 1. Update the file `interconnect.tf` with values that are valid for your environment for the interconnects, locations, candidate subnetworks, vlan_tag8021q and peer info.
 1. The candidate subnetworks and vlan_tag8021q variables can be set to `null` to allow the interconnect module to auto generate these values.
 
+### Using Partner Interconnect
+
+If you have the prerequisites listed in the [Partner Interconnect README](./modules/partner_interconnect/README.md) follow this steps to enable Partner Interconnect to access onprem.
+
+1. Rename `partner_interconnect.tf.example` to `partner_interconnect.tf` and `interconnect.auto.tfvars.example` to `interconnect.auto.tfvars` in the environment folder in `3-networks/envs/<environment>` .
+1. Update the file `partner_interconnect.tf` with values that are valid for your environment for the VLAN attachments, locations, candidate subnetworks.
+1. The candidate subnetworks variable can be set to `null` to allow the interconnect module to auto generate this value.
+
 ### OPTIONAL - Using High Availability VPN
 
-If you are not able to use dedicated interconnect, you can also use an HA VPN to access onprem.
+If you are not able to use Dedicated or Partner Interconnect, you can also use an HA Cloud VPN to access onprem.
 
 1. Rename `vpn.tf.example` to `vpn.tf` in each environment folder in `3-networks/envs/<ENV>`.
 1. Create secret for VPN private preshared key `echo '<YOUR-PRESHARED-KEY-SECRET>' | gcloud secrets create <VPN_PRIVATE_PSK_SECRET_NAME> --project <ENV_SECRETS_PROJECT> --replication-policy=automatic --data-file=-`.

diff --git a/3-networks/envs/development/README.md b/3-networks/envs/development/README.md
@@ -1,6 +1,6 @@
 # 3-networks/development
 
-The purpose of this step is to set up base and restricted shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, onprem dedicated interconnect, onprem VPN and baseline firewall rules for environment development.
+The purpose of this step is to set up base and restricted shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, onprem Dedicated Interconnect, onprem VPN and baseline firewall rules for environment development.
 
 ## Prerequisites
 
@@ -22,6 +22,7 @@ The purpose of this step is to set up base and restricted shared VPCs with defau
 | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no |
 | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes |
 | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
+| enable\_partner\_interconnect | Enable Partner Interconnect in the environment. | `bool` | `false` | no |
 | firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no |
 | folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no |
 | nat\_bgp\_asn | BGP ASN for first NAT cloud routes. | `number` | `64514` | no |
@@ -32,6 +33,7 @@ The purpose of this step is to set up base and restricted shared VPCs with defau
 | optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | `bool` | `false` | no |
 | org\_id | Organization ID | `string` | n/a | yes |
 | parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no |
+| preactivate\_partner\_interconnect | Preactivate Partner Interconnect VLAN attachment in the environment. | `bool` | `false` | no |
 | subnetworks\_enable\_logging | Toggle subnetworks flow logging for VPC Subnetworks. | `bool` | `true` | no |
 | terraform\_service\_account | Service account email of the account to impersonate to run Terraform. | `string` | n/a | yes |
 | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no |

diff --git a/3-networks/envs/development/interconnect.auto.tfvars.example b/3-networks/envs/development/interconnect.auto.tfvars.example
@@ -0,0 +1,4 @@
+
+enable_partner_interconnect = true
+preactivate_partner_interconnect = true
+
diff --git a/3-networks/envs/development/main.tf b/3-networks/envs/development/main.tf
@@ -22,6 +22,7 @@ locals {
   base_project_id           = data.google_projects.base_host_project.projects[0].project_id
   parent_id                 = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}"
   mode                      = var.enable_hub_and_spoke ? "spoke" : null
+  bgp_asn_number            = var.enable_partner_interconnect ? "16550" : "64514"
 }
 
 data "google_active_folder" "env" {
@@ -59,7 +60,7 @@ module "restricted_shared_vpc" {
   private_service_cidr             = "10.0.176.0/20"
   org_id                           = var.org_id
   parent_folder                    = var.parent_folder
-  bgp_asn_subnet                   = "64514"
+  bgp_asn_subnet                   = local.bgp_asn_number
   default_region1                  = var.default_region1
   default_region2                  = var.default_region2
   domain                           = var.domain
@@ -121,7 +122,7 @@ module "base_shared_vpc" {
   default_region1               = var.default_region1
   default_region2               = var.default_region2
   domain                        = var.domain
-  bgp_asn_subnet                = "64514"
+  bgp_asn_subnet                = local.bgp_asn_number
   windows_activation_enabled    = var.windows_activation_enabled
   dns_enable_inbound_forwarding = var.dns_enable_inbound_forwarding
   dns_enable_logging            = var.dns_enable_logging

diff --git a/3-networks/envs/development/partner_interconnect.tf.example b/3-networks/envs/development/partner_interconnect.tf.example
@@ -0,0 +1,81 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "shared_restricted_interconnect" {
+  source                         = "../../modules/partner_interconnect"
+
+  org_id                         = var.org_id
+  parent_folder                  = var.parent_folder
+  vpc_name                       = "${local.environment_code}-shared-restricted"
+  environment                    = local.env
+  enable_hub_and_spoke           = var.enable_hub_and_spoke
+  vpc_type                       = "restricted"
+  preactivate                    = var.preactivate_partner_interconnect
+
+  region1                        = var.default_region1
+  region1_router1_name           = module.restricted_shared_vpc.region1_router1.router.name
+  region1_interconnect1_location = "las-zone1-770"
+  region1_router2_name           = module.restricted_shared_vpc.region1_router2.router.name
+  region1_interconnect2_location = "las-zone1-770"
+
+  region2                        = var.default_region2
+  region2_router1_name           = module.restricted_shared_vpc.region2_router1.router.name
+  region2_interconnect1_location = "lax-zone2-19"
+  region2_router2_name           = module.restricted_shared_vpc.region2_router2.router.name
+  region2_interconnect2_location = "lax-zone1-403"
+
+  folder_prefix                  = var.folder_prefix
+
+  cloud_router_labels = {
+    vlan_1 = "cr5",
+    vlan_2 = "cr6",
+    vlan_3 = "cr7",
+    vlan_4 = "cr8"
+  }
+}
+
+module "shared_base_interconnect" {
+  source                         = "../../modules/partner_interconnect"
+
+  org_id                         = var.org_id
+  parent_folder                  = var.parent_folder
+  vpc_name                       = "${local.environment_code}-shared-base"
+  environment                    = local.env
+  enable_hub_and_spoke           = var.enable_hub_and_spoke
+  vpc_type                       = "base"
+  preactivate                    = var.preactivate_partner_interconnect
+
+  region1                        = var.default_region1
+  region1_router1_name           = module.base_shared_vpc.region1_router1.router.name
+  region1_interconnect1_location = "las-zone1-770"
+  region1_router2_name           = module.base_shared_vpc.region1_router2.router.name
+  region1_interconnect2_location = "las-zone1-770"
+
+  region2                        = var.default_region2
+  region2_router1_name           = module.base_shared_vpc.region2_router1.router.name
+  region2_interconnect1_location = "lax-zone2-19"
+  region2_router2_name           = module.base_shared_vpc.region2_router2.router.name
+  region2_interconnect2_location = "lax-zone1-403"
+
+  folder_prefix                  = var.folder_prefix
+
+  cloud_router_labels = {
+    vlan_1 = "cr1",
+    vlan_2 = "cr2",
+    vlan_3 = "cr3",
+    vlan_4 = "cr4"
+  }
+}
diff --git a/3-networks/envs/development/variables.tf b/3-networks/envs/development/variables.tf
@@ -127,3 +127,15 @@ variable "enable_hub_and_spoke" {
   type        = bool
   default     = false
 }
+
+variable "enable_partner_interconnect" {
+  description = "Enable Partner Interconnect in the environment."
+  type        = bool
+  default     = false
+}
+
+variable "preactivate_partner_interconnect" {
+  description = "Preactivate Partner Interconnect VLAN attachment in the environment."
+  type        = bool
+  default     = false
+}
diff --git a/3-networks/envs/non-production/README.md b/3-networks/envs/non-production/README.md
@@ -1,6 +1,6 @@
 # 3-networks/non-production
 
-The purpose of this step is to set up base and restricted shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, onprem dedicated interconnect, onprem VPN and baseline firewall rules for environment non-production.
+The purpose of this step is to set up base and restricted shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, onprem Dedicated Interconnect, onprem VPN and baseline firewall rules for environment non-production.
 
 ## Prerequisites
 
@@ -22,6 +22,7 @@ The purpose of this step is to set up base and restricted shared VPCs with defau
 | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no |
 | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes |
 | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
+| enable\_partner\_interconnect | Enable Partner Interconnect in the environment. | `bool` | `false` | no |
 | firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no |
 | folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no |
 | nat\_bgp\_asn | BGP ASN for first NAT cloud routes. | `number` | `64514` | no |
@@ -32,6 +33,7 @@ The purpose of this step is to set up base and restricted shared VPCs with defau
 | optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | `bool` | `false` | no |
 | org\_id | Organization ID | `string` | n/a | yes |
 | parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no |
+| preactivate\_partner\_interconnect | Preactivate Partner Interconnect VLAN attachment in the environment. | `bool` | `false` | no |
 | subnetworks\_enable\_logging | Toggle subnetworks flow logging for VPC Subnetworks. | `bool` | `true` | no |
 | terraform\_service\_account | Service account email of the account to impersonate to run Terraform. | `string` | n/a | yes |
 | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no |

diff --git a/3-networks/envs/non-production/interconnect.auto.tfvars.example b/3-networks/envs/non-production/interconnect.auto.tfvars.example
@@ -0,0 +1,4 @@
+
+enable_partner_interconnect = true
+preactivate_partner_interconnect = true
+
diff --git a/3-networks/envs/non-production/main.tf b/3-networks/envs/non-production/main.tf
@@ -22,6 +22,7 @@ locals {
   base_project_id           = data.google_projects.base_host_project.projects[0].project_id
   parent_id                 = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}"
   mode                      = var.enable_hub_and_spoke ? "spoke" : null
+  bgp_asn_number            = var.enable_partner_interconnect ? "16550" : "64514"
 }
 
 data "google_active_folder" "env" {
@@ -48,7 +49,6 @@ data "google_projects" "base_host_project" {
 /******************************************
  Restricted shared VPC
 *****************************************/
-
 module "restricted_shared_vpc" {
   source                           = "../../modules/restricted_shared_vpc"
   project_id                       = local.restricted_project_id
@@ -60,7 +60,7 @@ module "restricted_shared_vpc" {
   private_service_cidr             = "10.0.112.0/20"
   org_id                           = var.org_id
   parent_folder                    = var.parent_folder
-  bgp_asn_subnet                   = "64514"
+  bgp_asn_subnet                   = local.bgp_asn_number
   default_region1                  = var.default_region1
   default_region2                  = var.default_region2
   domain                           = var.domain
@@ -122,7 +122,7 @@ module "base_shared_vpc" {
   default_region1               = var.default_region1
   default_region2               = var.default_region2
   domain                        = var.domain
-  bgp_asn_subnet                = "64514"
+  bgp_asn_subnet                = local.bgp_asn_number
   windows_activation_enabled    = var.windows_activation_enabled
   dns_enable_inbound_forwarding = var.dns_enable_inbound_forwarding
   dns_enable_logging            = var.dns_enable_logging