terraform-google-modules / terraform-example-foundation

Shows how the CFT modules can be composed to build a secure cloud foundation
https://cloud.google.com/architecture/security-foundations
Apache License 2.0

FR: verify PGA and PSC modules #1176

Closed fmichaelobrien closed 4 months ago

fmichaelobrien commented 4 months ago

TL;DR

As in the older TEF V1 fork, we added PGA modules. Verify that this functionality is in TEF V4: https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/modules/22-private-service-connect/main.tf

See https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/299

Terraform Resources

No response

Detailed design

No response

Additional information

No response

fmichaelobrien commented 4 months ago

Specific usage of PSC in Terraform. I forgot I had BDC code around TF PSC in a private branch, not main. Below is what we are looking for in the TEF around config and module use for Private Service Connect: https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/332-dev-prov-client-v20230917/modules/22-private-service-connect/main.tf#L19

locals {
  # Optional prefix for the DNS zone names; empty when no dns_code is given.
  dns_code        = var.dns_code != "" ? "${var.dns_code}-" : ""
  # Target the restricted VIP when the forwarding rule is meant for VPC Service Controls perimeters.
  googleapis_url  = var.forwarding_rule_target == "vpc-sc" ? "restricted.googleapis.com." : "private.googleapis.com."
  # "restricted" or "private": used as the DNS recordset name.
  recordsets_name = split(".", local.googleapis_url)[0]
}

mromascanu123 commented 4 months ago

After verification, the code for PSC and even PSA is there, and the IPs (hardcoded) of the 8 PSC endpoints (forwarding rules) are advertised by the cloud routers and are allowed in egress firewall rules. A records for private.googleapis.com / restricted.googleapis.com are also created in terraform-google-modules/network/google/modules/private-service-connect/dns.tf. Just that the IPs of the PSC endpoints are hardcoded. Example, 3-networks-hub-and-spoke/envs/non-production/main.tf:

...
module "base_env" {
  source = "../../modules/base_env"
  ...
  base_private_service_connect_ip = "10.17.0.3"
  ...
  restricted_private_service_connect_ip = "10.17.0.7"

...

Hardcoded together with all the other addressing, e.g.:

locals {
  env             = "non-production"
  ...
  default_region1 = "us-west1"
  default_region2 = "us-central1"
  /*

All this hardcoding must be replaced with parameterizable variables
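One way to make the PSC endpoint addresses parameterizable, as an added example that is not code from terraform-example-foundation or from the onboarding fork: the variable name, its object shape, and the `module "base_env"` wiring are assumptions, and the sample values in the comment are constructed.

```hcl
# Constructed example: replace the hardcoded PSC endpoint IPs with a validated input.
# Both addresses are declared in one object so an environment supplies them together
# (e.g. in non-production.tfvars:
#   private_service_connect_ips = { base = "10.17.0.3", restricted = "10.17.0.7" }).
variable "private_service_connect_ips" {
  description = "Static IPv4 addresses for the PSC forwarding rules: base (private.googleapis.com) and restricted (restricted.googleapis.com)."
  type = object({
    base       = string
    restricted = string
  })

  # Each value must parse as an IPv4 address; cidrnetmask() errors on anything else.
  validation {
    condition = alltrue([
      for ip in values(var.private_service_connect_ips) : can(cidrnetmask("${ip}/32"))
    ])
    error_message = "Each PSC endpoint IP must be a valid IPv4 address."
  }

  # The two endpoints front different VIPs, so they must not share an address.
  validation {
    condition     = var.private_service_connect_ips.base != var.private_service_connect_ips.restricted
    error_message = "base and restricted PSC endpoint IPs must differ."
  }
}

# Hypothetical module call: the env wiring reads the addresses from the variable
# instead of carrying literal IPs, so the same root module serves every environment.
module "base_env" {
  source = "../../modules/base_env"

  base_private_service_connect_ip       = var.private_service_connect_ips.base
  restricted_private_service_connect_ip = var.private_service_connect_ips.restricted
}
```

Because the same values feed the forwarding rules, the Cloud Router advertisements and the egress firewall rules, keeping them in one variable also prevents the three from drifting apart when an address changes.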

fmichaelobrien commented 4 months ago

Stale bot timer restart: https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/.github/workflows/stale.yml#L21