feat: Add hub and spoke network architecture (#298)

.kitchen.yml

@@ -71,9 +71,9 @@ suites:
             - development
             - non-production
             - production
-  - name: dns_hub
+  - name: shared
     driver:
-      root_module_directory: test/fixtures/dns_hub/
+      root_module_directory: test/fixtures/shared/
     verifier:
       color: false
       systems:

0-bootstrap/README.md

@@ -66,7 +66,6 @@ Currently, the bucket information is replaced in the state backends as a part of
 | org\_project\_creators | Additional list of members to have project creator role across the organization. Prefix of group: user: or serviceAccount: is required. | `list(string)` | `[]` | no |
 | parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no |
 | project\_prefix | Name prefix to use for projects created. | `string` | `"prj"` | no |
-| skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud is already available outside the module) | `bool` | `true` | no |
 
 ## Outputs
 

0-bootstrap/main.tf

@@ -57,7 +57,6 @@ module "seed_bootstrap" {
   org_project_creators           = var.org_project_creators
   sa_enable_impersonation        = true
   parent_folder                  = var.parent_folder == "" ? "" : local.parent
-  skip_gcloud_download           = var.skip_gcloud_download
   org_admins_org_iam_permissions = local.org_admins_org_iam_permissions
   project_prefix                 = var.project_prefix
 
@@ -125,7 +124,6 @@ module "cloudbuild_bootstrap" {
   terraform_sa_name         = module.seed_bootstrap.terraform_sa_name
   terraform_state_bucket    = module.seed_bootstrap.gcs_bucket_tfstate
   sa_enable_impersonation   = true
-  skip_gcloud_download      = var.skip_gcloud_download
   cloudbuild_plan_filename  = "cloudbuild-tf-plan.yaml"
   cloudbuild_apply_filename = "cloudbuild-tf-apply.yaml"
   project_prefix            = var.project_prefix

0-bootstrap/modules/jenkins-agent/README.md

@@ -74,7 +74,6 @@ module "jenkins_bootstrap" {
 | router\_asn | BGP ASN for cloud routes. | `number` | `"64515"` | no |
 | sa\_enable\_impersonation | Allow org\_admins group to impersonate service account & enable APIs required. | `bool` | `false` | no |
 | service\_account\_prefix | Name prefix to use for service accounts. | `string` | `"sa"` | no |
-| skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud is already available outside the module) | `bool` | `true` | no |
 | storage\_bucket\_labels | Labels to apply to the storage bucket. | `map(string)` | `{}` | no |
 | storage\_bucket\_prefix | Name prefix to use for storage buckets. | `string` | `"bkt"` | no |
 | terraform\_sa\_email | Email for terraform service account. It must be supplied by the seed project | `string` | n/a | yes |

0-bootstrap/modules/jenkins-agent/main.tf

@@ -30,7 +30,7 @@ resource "random_id" "suffix" {
 *******************************************/
 module "cicd_project" {
   source                      = "terraform-google-modules/project-factory/google"
-  version                     = "~> 9.2"
+  version                     = "~> 10.0"
   name                        = local.cicd_project_name
   random_project_id           = true
   disable_services_on_destroy = false
@@ -39,7 +39,6 @@ module "cicd_project" {
   billing_account             = var.billing_account
   activate_apis               = local.activate_apis
   labels                      = var.project_labels
-  skip_gcloud_download        = var.skip_gcloud_download
 }
 
 /******************************************

0-bootstrap/modules/jenkins-agent/variables.tf

@@ -232,9 +232,3 @@ variable "terraform_version_sha256sum" {
   type        = string
   default     = "602d2529aafdaa0f605c06adb7c72cfb585d8aa19b3f4d8d189b42589e27bf11"
 }
-
-variable "skip_gcloud_download" {
-  description = "Whether to skip downloading gcloud (assumes gcloud is already available outside the module)"
-  type        = bool
-  default     = true
-}

0-bootstrap/variables.tf

@@ -58,12 +58,6 @@ variable "org_policy_admin_role" {
   default     = false
 }
 
-variable "skip_gcloud_download" {
-  description = "Whether to skip downloading gcloud (assumes gcloud is already available outside the module)"
-  type        = bool
-  default     = true
-}
-
 variable "project_prefix" {
   description = "Name prefix to use for projects created."
   type        = string

1-org/envs/shared/README.md

@@ -18,9 +18,9 @@
 | dns\_hub\_project\_alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded for the DNS hub project. | `list(number)` | <pre>[<br>  0.5,<br>  0.75,<br>  0.9,<br>  0.95<br>]</pre> | no |
 | dns\_hub\_project\_budget\_amount | The amount to use as the budget for the DNS hub project. | `number` | `1000` | no |
 | domains\_to\_allow | The list of domains to allow users from in IAM. | `list(string)` | n/a | yes |
+| enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
 | enable\_os\_login\_policy | Enable OS Login policy. | `bool` | `false` | no |
 | folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no |
-| hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
 | interconnect\_project\_alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` for the interconnect project. | `string` | `null` | no |
 | interconnect\_project\_alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded for the interconnect project. | `list(number)` | <pre>[<br>  0.5,<br>  0.75,<br>  0.9,<br>  0.95<br>]</pre> | no |
 | interconnect\_project\_budget\_amount | The amount to use as the budget for the interconnect project. | `number` | `1000` | no |

1-org/envs/shared/outputs.tf

@@ -70,12 +70,12 @@ output "dns_hub_project_id" {
 }
 
 output "base_net_hub_project_id" {
-  value       = try(module.base_network_hub["yes"].project_id, null)
+  value       = try(module.base_network_hub[0].project_id, null)
   description = "The Base Network hub project ID"
 }
 
 output "restricted_net_hub_project_id" {
-  value       = try(module.restricted_network_hub["yes"].project_id, null)
+  value       = try(module.restricted_network_hub[0].project_id, null)
   description = "The Restricted Network hub project ID"
 }
 

1-org/envs/shared/projects.tf

@@ -20,15 +20,14 @@
 
 module "org_audit_logs" {
   source                      = "terraform-google-modules/project-factory/google"
-  version                     = "~> 9.2"
+  version                     = "~> 10.0"
   random_project_id           = "true"
   impersonate_service_account = var.terraform_service_account
   default_service_account     = "depriviledge"
   name                        = "${var.project_prefix}-c-logging"
   org_id                      = var.org_id
   billing_account             = var.billing_account
   folder_id                   = google_folder.common.id
-  skip_gcloud_download        = var.skip_gcloud_download
   activate_apis               = ["logging.googleapis.com", "bigquery.googleapis.com", "billingbudgets.googleapis.com"]
 
   labels = {
@@ -47,15 +46,14 @@ module "org_audit_logs" {
 
 module "org_billing_logs" {
   source                      = "terraform-google-modules/project-factory/google"
-  version                     = "~> 9.2"
+  version                     = "~> 10.0"
   random_project_id           = "true"
   impersonate_service_account = var.terraform_service_account
   default_service_account     = "depriviledge"
   name                        = "${var.project_prefix}-c-billing-logs"
   org_id                      = var.org_id
   billing_account             = var.billing_account
   folder_id                   = google_folder.common.id
-  skip_gcloud_download        = var.skip_gcloud_download
   activate_apis               = ["logging.googleapis.com", "bigquery.googleapis.com", "billingbudgets.googleapis.com"]
 
   labels = {
@@ -78,15 +76,14 @@ module "org_billing_logs" {
 
 module "org_secrets" {
   source                      = "terraform-google-modules/project-factory/google"
-  version                     = "~> 9.2"
+  version                     = "~> 10.0"
   random_project_id           = "true"
   impersonate_service_account = var.terraform_service_account
   default_service_account     = "depriviledge"
   name                        = "${var.project_prefix}-c-secrets"
   org_id                      = var.org_id
   billing_account             = var.billing_account
   folder_id                   = google_folder.common.id
-  skip_gcloud_download        = var.skip_gcloud_download
   activate_apis               = ["logging.googleapis.com", "secretmanager.googleapis.com", "billingbudgets.googleapis.com"]
 
   labels = {
@@ -109,15 +106,14 @@ module "org_secrets" {
 
 module "interconnect" {
   source                      = "terraform-google-modules/project-factory/google"
-  version                     = "~> 9.2"
+  version                     = "~> 10.0"
   random_project_id           = "true"
   impersonate_service_account = var.terraform_service_account
   default_service_account     = "depriviledge"
   name                        = "${var.project_prefix}-c-interconnect"
   org_id                      = var.org_id
   billing_account             = var.billing_account
   folder_id                   = google_folder.common.id
-  skip_gcloud_download        = var.skip_gcloud_download
   activate_apis               = ["billingbudgets.googleapis.com", "compute.googleapis.com"]
 
   labels = {
@@ -140,7 +136,7 @@ module "interconnect" {
 
 module "scc_notifications" {
   source                      = "terraform-google-modules/project-factory/google"
-  version                     = "~> 9.2"
+  version                     = "~> 10.0"
   random_project_id           = "true"
   impersonate_service_account = var.terraform_service_account
   default_service_account     = "depriviledge"
@@ -149,7 +145,6 @@ module "scc_notifications" {
   billing_account             = var.billing_account
   folder_id                   = google_folder.common.id
   activate_apis               = ["logging.googleapis.com", "pubsub.googleapis.com", "securitycenter.googleapis.com", "billingbudgets.googleapis.com"]
-  skip_gcloud_download        = var.skip_gcloud_download
 
   labels = {
     environment       = "production"
@@ -171,15 +166,14 @@ module "scc_notifications" {
 
 module "dns_hub" {
   source                      = "terraform-google-modules/project-factory/google"
-  version                     = "~> 9.2"
+  version                     = "~> 10.0"
   random_project_id           = "true"
   impersonate_service_account = var.terraform_service_account
   default_service_account     = "depriviledge"
   name                        = "${var.project_prefix}-c-dns-hub"
   org_id                      = var.org_id
   billing_account             = var.billing_account
   folder_id                   = google_folder.common.id
-  skip_gcloud_download        = var.skip_gcloud_download
 
   activate_apis = [
     "compute.googleapis.com",
@@ -210,19 +204,19 @@ module "dns_hub" {
 
 module "base_network_hub" {
   source                      = "terraform-google-modules/project-factory/google"
-  version                     = "~> 9.2"
-  for_each                    = var.hub_and_spoke ? toset(["yes"]) : toset([])
+  version                     = "~> 10.0"
+  count                       = var.enable_hub_and_spoke ? 1 : 0
   random_project_id           = "true"
   impersonate_service_account = var.terraform_service_account
   default_service_account     = "depriviledge"
   name                        = "${var.project_prefix}-c-base-net-hub"
   org_id                      = var.org_id
   billing_account             = var.billing_account
   folder_id                   = google_folder.common.id
-  skip_gcloud_download        = var.skip_gcloud_download
 
   activate_apis = [
     "compute.googleapis.com",
+    "dns.googleapis.com",
     "servicenetworking.googleapis.com",
     "logging.googleapis.com",
     "cloudresourcemanager.googleapis.com",
@@ -249,19 +243,19 @@ module "base_network_hub" {
 
 module "restricted_network_hub" {
   source                      = "terraform-google-modules/project-factory/google"
-  version                     = "~> 9.2"
-  for_each                    = var.hub_and_spoke ? toset(["yes"]) : toset([])
+  version                     = "~> 10.0"
+  count                       = var.enable_hub_and_spoke ? 1 : 0
   random_project_id           = "true"
   impersonate_service_account = var.terraform_service_account
   default_service_account     = "depriviledge"
   name                        = "${var.project_prefix}-c-restricted-net-hub"
   org_id                      = var.org_id
   billing_account             = var.billing_account
   folder_id                   = google_folder.common.id
-  skip_gcloud_download        = var.skip_gcloud_download
 
   activate_apis = [
     "compute.googleapis.com",
+    "dns.googleapis.com",
     "servicenetworking.googleapis.com",
     "logging.googleapis.com",
     "cloudresourcemanager.googleapis.com",

1-org/envs/shared/variables.tf

@@ -34,7 +34,7 @@ variable "default_region" {
   type        = string
 }
 
-variable "hub_and_spoke" {
+variable "enable_hub_and_spoke" {
   description = "Enable Hub-and-Spoke architecture."
   type        = bool
   default     = false

2-environments/envs/production/variables.tf

@@ -51,4 +51,3 @@ variable "folder_prefix" {
   type        = string
   default     = "fldr"
 }
-

2-environments/modules/env_baseline/README.md

@@ -23,17 +23,16 @@
 | secret\_project\_alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` for the secrets project. | `string` | `null` | no |
 | secret\_project\_alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded for the secrets project. | `list(number)` | <pre>[<br>  0.5,<br>  0.75,<br>  0.9,<br>  0.95<br>]</pre> | no |
 | secret\_project\_budget\_amount | The amount to use as the budget for the secrets project. | `number` | `1000` | no |
-| skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud is already available outside the module) | `bool` | `true` | no |
 | terraform\_service\_account | Service account email of the account to impersonate to run Terraform. | `string` | n/a | yes |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| base\_shared\_vpc\_project\_id | Project for monitoring infra. |
+| base\_shared\_vpc\_project\_id | Project for base shared VPC network. |
 | env\_folder | Environment folder created under parent. |
-| env\_secrets\_project\_id | Project for monitoring infra. |
+| env\_secrets\_project\_id | Project for environment secrets. |
 | monitoring\_project\_id | Project for monitoring infra. |
-| restricted\_shared\_vpc\_project\_id | Project for monitoring infra. |
+| restricted\_shared\_vpc\_project\_id | Project for restricted shared VPC network. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

2-environments/modules/env_baseline/monitoring.tf

@@ -20,14 +20,13 @@
 
 module "monitoring_project" {
   source                      = "terraform-google-modules/project-factory/google"
-  version                     = "~> 9.2"
+  version                     = "~> 10.0"
   random_project_id           = "true"
   impersonate_service_account = var.terraform_service_account
   name                        = "${var.project_prefix}-${var.environment_code}-monitoring"
   org_id                      = var.org_id
   billing_account             = var.billing_account
   folder_id                   = google_folder.env.id
-  skip_gcloud_download        = var.skip_gcloud_download
   disable_services_on_destroy = false
   activate_apis = [
     "logging.googleapis.com",

2-environments/modules/env_baseline/networking.tf

@@ -20,14 +20,13 @@
 
 module "base_shared_vpc_host_project" {
   source                      = "terraform-google-modules/project-factory/google"
-  version                     = "~> 9.2"
+  version                     = "~> 10.0"
   random_project_id           = "true"
   impersonate_service_account = var.terraform_service_account
-  name                        = "${var.project_prefix}-${var.environment_code}-shared-base"
+  name                        = format("%s-%s-shared-base", var.project_prefix, var.environment_code)
   org_id                      = var.org_id
   billing_account             = var.billing_account
   folder_id                   = google_folder.env.id
-  skip_gcloud_download        = var.skip_gcloud_download
   disable_services_on_destroy = false
   activate_apis = [
     "compute.googleapis.com",
@@ -54,14 +53,13 @@ module "base_shared_vpc_host_project" {
 
 module "restricted_shared_vpc_host_project" {
   source                      = "terraform-google-modules/project-factory/google"
-  version                     = "~> 9.2"
+  version                     = "~> 10.0"
   random_project_id           = "true"
   impersonate_service_account = var.terraform_service_account
-  name                        = "${var.project_prefix}-${var.environment_code}-shared-restricted"
+  name                        = format("%s-%s-shared-restricted", var.project_prefix, var.environment_code)
   org_id                      = var.org_id
   billing_account             = var.billing_account
   folder_id                   = google_folder.env.id
-  skip_gcloud_download        = var.skip_gcloud_download
   disable_services_on_destroy = false
   activate_apis = [
     "compute.googleapis.com",

2-environments/modules/env_baseline/outputs.tf

@@ -25,16 +25,16 @@ output "monitoring_project_id" {
 }
 
 output "base_shared_vpc_project_id" {
-  description = "Project for monitoring infra."
+  description = "Project for base shared VPC network."
   value       = module.base_shared_vpc_host_project.project_id
 }
 
 output "restricted_shared_vpc_project_id" {
-  description = "Project for monitoring infra."
+  description = "Project for restricted shared VPC network."
   value       = module.restricted_shared_vpc_host_project.project_id
 }
 
 output "env_secrets_project_id" {
-  description = "Project for monitoring infra."
+  description = "Project for environment secrets."
   value       = module.env_secrets.project_id
 }

2-environments/modules/env_baseline/secrets.tf

@@ -21,7 +21,7 @@
 
 module "env_secrets" {
   source                      = "terraform-google-modules/project-factory/google"
-  version                     = "~> 9.2"
+  version                     = "~> 10.0"
   random_project_id           = "true"
   impersonate_service_account = var.terraform_service_account
   default_service_account     = "depriviledge"
@@ -31,7 +31,6 @@ module "env_secrets" {
   folder_id                   = google_folder.env.id
   disable_services_on_destroy = false
   activate_apis               = ["logging.googleapis.com", "secretmanager.googleapis.com"]
-  skip_gcloud_download        = var.skip_gcloud_download
 
   labels = {
     environment       = var.env

2-environments/modules/env_baseline/variables.tf

@@ -49,12 +49,6 @@ variable "monitoring_workspace_users" {
   type        = string
 }
 
-variable "skip_gcloud_download" {
-  description = "Whether to skip downloading gcloud (assumes gcloud is already available outside the module)"
-  type        = bool
-  default     = true
-}
-
 variable "base_network_project_alert_spent_percents" {
   description = "A list of percentages of the budget to alert on when threshold is exceeded for the base networks project"
   type        = list(number)