feat: enable hub & spoke transitivity via gateway VMs (#322)

terraform-google-modules · Mar 31, 2021 · f6cd9ad · f6cd9ad
1 parent 70501ec
commit f6cd9ad
Show file tree

Hide file tree

Showing 26 changed files with 742 additions and 91 deletions.
diff --git a/3-networks/envs/development/README.md b/3-networks/envs/development/README.md
@@ -22,6 +22,7 @@ The purpose of this step is to set up base and restricted shared VPCs with defau
 | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no |
 | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes |
 | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
+| enable\_hub\_and\_spoke\_transitivity | Enable transitivity via gateway VMs on Hub-and-Spoke architecture. | `bool` | `false` | no |
 | enable\_partner\_interconnect | Enable Partner Interconnect in the environment. | `bool` | `false` | no |
 | firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no |
 | folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no |

diff --git a/3-networks/envs/development/main.tf b/3-networks/envs/development/main.tf
@@ -23,6 +23,51 @@ locals {
   parent_id                 = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}"
   mode                      = var.enable_hub_and_spoke ? "spoke" : null
   bgp_asn_number            = var.enable_partner_interconnect ? "16550" : "64514"
+  enable_transitivity       = var.enable_hub_and_spoke && var.enable_hub_and_spoke_transitivity
+  /*
+   * Base network ranges
+   */
+  base_subnet_aggregates    = ["10.0.0.0/16", "10.1.0.0/16", "100.64.0.0/16", "100.65.0.0/16"]
+  base_hub_subnet_ranges    = ["10.0.0.0/24", "10.1.0.0/24"]
+  base_private_service_cidr = "10.16.64.0/21"
+  base_subnet_primary_ranges = {
+    (var.default_region1) = "10.0.64.0/21"
+    (var.default_region2) = "10.1.64.0/21"
+  }
+  base_subnet_secondary_ranges = {
+    (var.default_region1) = [
+      {
+        range_name    = "rn-${local.environment_code}-shared-base-${var.default_region1}-gke-pod"
+        ip_cidr_range = "100.64.64.0/21"
+      },
+      {
+        range_name    = "rn-${local.environment_code}-shared-base-${var.default_region1}-gke-svc"
+        ip_cidr_range = "100.64.72.0/21"
+      }
+    ]
+  }
+  /*
+   * Restricted network ranges
+   */
+  restricted_subnet_aggregates    = ["10.8.0.0/16", "10.9.0.0/16", "100.72.0.0/16", "100.73.0.0/16"]
+  restricted_hub_subnet_ranges    = ["10.8.0.0/24", "10.9.0.0/24"]
+  restricted_private_service_cidr = "10.24.64.0/21"
+  restricted_subnet_primary_ranges = {
+    (var.default_region1) = "10.8.64.0/21"
+    (var.default_region2) = "10.9.64.0/21"
+  }
+  restricted_subnet_secondary_ranges = {
+    (var.default_region1) = [
+      {
+        range_name    = "rn-${local.environment_code}-shared-restricted-${var.default_region1}-gke-pod"
+        ip_cidr_range = "100.72.64.0/21"
+      },
+      {
+        range_name    = "rn-${local.environment_code}-shared-restricted-${var.default_region1}-gke-svc"
+        ip_cidr_range = "100.72.72.0/21"
+      }
+    ]
+  }
 }
 
 data "google_active_folder" "env" {
@@ -57,7 +102,7 @@ module "restricted_shared_vpc" {
   access_context_manager_policy_id = var.access_context_manager_policy_id
   restricted_services              = ["bigquery.googleapis.com", "storage.googleapis.com"]
   members                          = ["serviceAccount:${var.terraform_service_account}"]
-  private_service_cidr             = "10.0.176.0/20"
+  private_service_cidr             = local.restricted_private_service_cidr
   org_id                           = var.org_id
   parent_folder                    = var.parent_folder
   bgp_asn_subnet                   = local.bgp_asn_number
@@ -79,33 +124,26 @@ module "restricted_shared_vpc" {
   subnets = [
     {
       subnet_name           = "sb-${local.environment_code}-shared-restricted-${var.default_region1}"
-      subnet_ip             = "10.0.160.0/21"
+      subnet_ip             = local.restricted_subnet_primary_ranges[var.default_region1]
       subnet_region         = var.default_region1
       subnet_private_access = "true"
       subnet_flow_logs      = var.subnetworks_enable_logging
       description           = "First ${local.env} subnet example."
     },
     {
       subnet_name           = "sb-${local.environment_code}-shared-restricted-${var.default_region2}"
-      subnet_ip             = "10.0.168.0/21"
+      subnet_ip             = local.restricted_subnet_primary_ranges[var.default_region2]
       subnet_region         = var.default_region2
       subnet_private_access = "true"
       subnet_flow_logs      = var.subnetworks_enable_logging
       description           = "Second ${local.env} subnet example."
     }
   ]
   secondary_ranges = {
-    "sb-${local.environment_code}-shared-restricted-${var.default_region1}" = [
-      {
-        range_name    = "rn-${local.environment_code}-shared-restricted-${var.default_region1}-gke-pod"
-        ip_cidr_range = "192.168.0.0/21"
-      },
-      {
-        range_name    = "rn-${local.environment_code}-shared-restricted-${var.default_region1}-gke-svc"
-        ip_cidr_range = "192.168.8.0/21"
-      }
-    ]
+    "sb-${local.environment_code}-shared-restricted-${var.default_region1}" = local.restricted_subnet_secondary_ranges[var.default_region1]
   }
+  allow_all_ingress_ranges = local.enable_transitivity ? local.restricted_hub_subnet_ranges : null
+  allow_all_egress_ranges  = local.enable_transitivity ? local.restricted_subnet_aggregates : null
 }
 
 /******************************************
@@ -116,7 +154,7 @@ module "base_shared_vpc" {
   source                        = "../../modules/base_shared_vpc"
   project_id                    = local.base_project_id
   environment_code              = local.environment_code
-  private_service_cidr          = "10.0.144.0/20"
+  private_service_cidr          = local.base_private_service_cidr
   org_id                        = var.org_id
   parent_folder                 = var.parent_folder
   default_region1               = var.default_region1
@@ -139,31 +177,24 @@ module "base_shared_vpc" {
   subnets = [
     {
       subnet_name           = "sb-${local.environment_code}-shared-base-${var.default_region1}"
-      subnet_ip             = "10.0.128.0/21"
+      subnet_ip             = local.base_subnet_primary_ranges[var.default_region1]
       subnet_region         = var.default_region1
       subnet_private_access = "true"
       subnet_flow_logs      = var.subnetworks_enable_logging
       description           = "First ${local.env} subnet example."
     },
     {
       subnet_name           = "sb-${local.environment_code}-shared-base-${var.default_region2}"
-      subnet_ip             = "10.0.136.0/21"
+      subnet_ip             = local.base_subnet_primary_ranges[var.default_region2]
       subnet_region         = var.default_region2
       subnet_private_access = "true"
       subnet_flow_logs      = var.subnetworks_enable_logging
       description           = "Second ${local.env} subnet example."
     }
   ]
   secondary_ranges = {
-    "sb-${local.environment_code}-shared-base-${var.default_region1}" = [
-      {
-        range_name    = "rn-${local.environment_code}-shared-base-${var.default_region1}-gke-pod"
-        ip_cidr_range = "192.168.16.0/21"
-      },
-      {
-        range_name    = "rn-${local.environment_code}-shared-base-${var.default_region1}-gke-svc"
-        ip_cidr_range = "192.168.24.0/21"
-      }
-    ]
+    "sb-${local.environment_code}-shared-base-${var.default_region1}" = local.base_subnet_secondary_ranges[var.default_region1]
   }
+  allow_all_ingress_ranges = local.enable_transitivity ? local.base_hub_subnet_ranges : null
+  allow_all_egress_ranges  = local.enable_transitivity ? local.base_subnet_aggregates : null
 }
diff --git a/3-networks/envs/development/variables.tf b/3-networks/envs/development/variables.tf
@@ -139,3 +139,9 @@ variable "preactivate_partner_interconnect" {
   type        = bool
   default     = false
 }
+
+variable "enable_hub_and_spoke_transitivity" {
+  description = "Enable transitivity via gateway VMs on Hub-and-Spoke architecture."
+  type        = bool
+  default     = false
+}
diff --git a/3-networks/envs/non-production/README.md b/3-networks/envs/non-production/README.md
@@ -22,6 +22,7 @@ The purpose of this step is to set up base and restricted shared VPCs with defau
 | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no |
 | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes |
 | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
+| enable\_hub\_and\_spoke\_transitivity | Enable transitivity via gateway VMs on Hub-and-Spoke architecture. | `bool` | `false` | no |
 | enable\_partner\_interconnect | Enable Partner Interconnect in the environment. | `bool` | `false` | no |
 | firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no |
 | folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no |

diff --git a/3-networks/envs/non-production/main.tf b/3-networks/envs/non-production/main.tf
@@ -23,6 +23,51 @@ locals {
   parent_id                 = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}"
   mode                      = var.enable_hub_and_spoke ? "spoke" : null
   bgp_asn_number            = var.enable_partner_interconnect ? "16550" : "64514"
+  enable_transitivity       = var.enable_hub_and_spoke && var.enable_hub_and_spoke_transitivity
+  /*
+   * Base network ranges
+   */
+  base_subnet_aggregates    = ["10.0.0.0/16", "10.1.0.0/16", "100.64.0.0/16", "100.65.0.0/16"]
+  base_hub_subnet_ranges    = ["10.0.0.0/24", "10.1.0.0/24"]
+  base_private_service_cidr = "10.16.128.0/21"
+  base_subnet_primary_ranges = {
+    (var.default_region1) = "10.0.128.0/21"
+    (var.default_region2) = "10.1.128.0/21"
+  }
+  base_subnet_secondary_ranges = {
+    (var.default_region1) = [
+      {
+        range_name    = "rn-${local.environment_code}-shared-base-${var.default_region1}-gke-pod"
+        ip_cidr_range = "100.64.128.0/21"
+      },
+      {
+        range_name    = "rn-${local.environment_code}-shared-base-${var.default_region1}-gke-svc"
+        ip_cidr_range = "100.64.136.0/21"
+      }
+    ]
+  }
+  /*
+   * Restricted network ranges
+   */
+  restricted_subnet_aggregates    = ["10.8.0.0/16", "10.9.0.0/16", "100.72.0.0/16", "100.73.0.0/16"]
+  restricted_hub_subnet_ranges    = ["10.8.0.0/24", "10.9.0.0/24"]
+  restricted_private_service_cidr = "10.24.128.0/21"
+  restricted_subnet_primary_ranges = {
+    (var.default_region1) = "10.8.128.0/21"
+    (var.default_region2) = "10.9.128.0/21"
+  }
+  restricted_subnet_secondary_ranges = {
+    (var.default_region1) = [
+      {
+        range_name    = "rn-${local.environment_code}-shared-restricted-${var.default_region1}-gke-pod"
+        ip_cidr_range = "100.72.128.0/21"
+      },
+      {
+        range_name    = "rn-${local.environment_code}-shared-restricted-${var.default_region1}-gke-svc"
+        ip_cidr_range = "100.72.136.0/21"
+      }
+    ]
+  }
 }
 
 data "google_active_folder" "env" {
@@ -57,7 +102,7 @@ module "restricted_shared_vpc" {
   access_context_manager_policy_id = var.access_context_manager_policy_id
   restricted_services              = ["bigquery.googleapis.com", "storage.googleapis.com"]
   members                          = ["serviceAccount:${var.terraform_service_account}"]
-  private_service_cidr             = "10.0.112.0/20"
+  private_service_cidr             = local.restricted_private_service_cidr
   org_id                           = var.org_id
   parent_folder                    = var.parent_folder
   bgp_asn_subnet                   = local.bgp_asn_number
@@ -79,33 +124,26 @@ module "restricted_shared_vpc" {
   subnets = [
     {
       subnet_name           = "sb-${local.environment_code}-shared-restricted-${var.default_region1}"
-      subnet_ip             = "10.0.96.0/21"
+      subnet_ip             = local.restricted_subnet_primary_ranges[var.default_region1]
       subnet_region         = var.default_region1
       subnet_private_access = "true"
       subnet_flow_logs      = var.subnetworks_enable_logging
       description           = "First ${local.env} subnet example."
     },
     {
       subnet_name           = "sb-${local.environment_code}-shared-restricted-${var.default_region2}"
-      subnet_ip             = "10.0.104.0/21"
+      subnet_ip             = local.restricted_subnet_primary_ranges[var.default_region2]
       subnet_region         = var.default_region2
       subnet_private_access = "true"
       subnet_flow_logs      = var.subnetworks_enable_logging
       description           = "Second ${local.env} subnet example."
     }
   ]
   secondary_ranges = {
-    "sb-${local.environment_code}-shared-restricted-${var.default_region1}" = [
-      {
-        range_name    = "rn-${local.environment_code}-shared-restricted-${var.default_region1}-gke-pod"
-        ip_cidr_range = "192.168.32.0/21"
-      },
-      {
-        range_name    = "rn-${local.environment_code}-shared-restricted-${var.default_region1}-gke-svc"
-        ip_cidr_range = "192.168.40.0/21"
-      }
-    ]
+    "sb-${local.environment_code}-shared-restricted-${var.default_region1}" = local.restricted_subnet_secondary_ranges[var.default_region1]
   }
+  allow_all_ingress_ranges = local.enable_transitivity ? local.restricted_hub_subnet_ranges : null
+  allow_all_egress_ranges  = local.enable_transitivity ? local.restricted_subnet_aggregates : null
 }
 
 /******************************************
@@ -116,7 +154,7 @@ module "base_shared_vpc" {
   source                        = "../../modules/base_shared_vpc"
   project_id                    = local.base_project_id
   environment_code              = local.environment_code
-  private_service_cidr          = "10.0.80.0/20"
+  private_service_cidr          = local.base_private_service_cidr
   org_id                        = var.org_id
   parent_folder                 = var.parent_folder
   default_region1               = var.default_region1
@@ -139,31 +177,24 @@ module "base_shared_vpc" {
   subnets = [
     {
       subnet_name           = "sb-${local.environment_code}-shared-base-${var.default_region1}"
-      subnet_ip             = "10.0.64.0/21"
+      subnet_ip             = local.base_subnet_primary_ranges[var.default_region1]
       subnet_region         = var.default_region1
       subnet_private_access = "true"
       subnet_flow_logs      = var.subnetworks_enable_logging
       description           = "First ${local.env} subnet example."
     },
     {
       subnet_name           = "sb-${local.environment_code}-shared-base-${var.default_region2}"
-      subnet_ip             = "10.0.72.0/21"
+      subnet_ip             = local.base_subnet_primary_ranges[var.default_region2]
       subnet_region         = var.default_region2
       subnet_private_access = "true"
       subnet_flow_logs      = var.subnetworks_enable_logging
       description           = "Second ${local.env} subnet example."
     }
   ]
   secondary_ranges = {
-    "sb-${local.environment_code}-shared-base-${var.default_region1}" = [
-      {
-        range_name    = "rn-${local.environment_code}-shared-base-${var.default_region1}-gke-pod"
-        ip_cidr_range = "192.168.48.0/21"
-      },
-      {
-        range_name    = "rn-${local.environment_code}-shared-base-${var.default_region1}-gke-svc"
-        ip_cidr_range = "192.168.56.0/21"
-      }
-    ]
+    "sb-${local.environment_code}-shared-base-${var.default_region1}" = local.base_subnet_secondary_ranges[var.default_region1]
   }
+  allow_all_ingress_ranges = local.enable_transitivity ? local.base_hub_subnet_ranges : null
+  allow_all_egress_ranges  = local.enable_transitivity ? local.base_subnet_aggregates : null
 }
diff --git a/3-networks/envs/non-production/variables.tf b/3-networks/envs/non-production/variables.tf
@@ -138,4 +138,10 @@ variable "preactivate_partner_interconnect" {
   description = "Preactivate Partner Interconnect VLAN attachment in the environment."
   type        = bool
   default     = false
+
+}
+variable "enable_hub_and_spoke_transitivity" {
+  description = "Enable transitivity via gateway VMs on Hub-and-Spoke architecture."
+  type        = bool
+  default     = false
 }
diff --git a/3-networks/envs/production/README.md b/3-networks/envs/production/README.md
@@ -22,6 +22,7 @@ The purpose of this step is to set up base and restricted shared VPCs with defau
 | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no |
 | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes |
 | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
+| enable\_hub\_and\_spoke\_transitivity | Enable transitivity via gateway VMs on Hub-and-Spoke architecture. | `bool` | `false` | no |
 | enable\_partner\_interconnect | Enable Partner Interconnect in the environment. | `bool` | `false` | no |
 | firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no |
 | folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no |