diff --git a/4-projects/business_unit_1/development/README.md b/4-projects/business_unit_1/development/README.md index b0ad9f766..6cf56a6d6 100644 --- a/4-projects/business_unit_1/development/README.md +++ b/4-projects/business_unit_1/development/README.md @@ -3,6 +3,7 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| instance\_region | Region which the peered subnet will be created (Should be same region as the VM that will be created on step 5-app-infra on the peering project). | `string` | `"us-central1"` | no | | location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `"US"` | no | | location\_kms | Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket) | `string` | `"us"` | no | | peering\_module\_depends\_on | List of modules or resources peering module depends on. | `list(any)` | `[]` | no | 
@@ -16,14 +17,16 @@ | base\_shared\_vpc\_project | Project sample base project. | | base\_shared\_vpc\_project\_sa | Project sample base project SA. | | base\_subnets\_self\_links | The self-links of subnets from base environment. | -| bucket | The created storage bucket | +| bucket | The created storage bucket. | | env\_secrets\_project | Project sample peering project id. | | floating\_project | Project sample floating project. | +| iap\_firewall\_tags | The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project. | | keyring | The name of the keyring. | | keys | List of created key names. | | peering\_complete | Output to be used as a module dependency. | | peering\_network | Peer network peering resource. | | peering\_project | Project sample peering project id. | +| peering\_subnetwork\_self\_link | The subnetwork self link of the peering network. | | restricted\_enabled\_apis | Activated APIs. | | restricted\_shared\_vpc\_project | Project sample restricted project id. | | restricted\_shared\_vpc\_project\_number | Project sample restricted project. | diff --git a/4-projects/business_unit_1/development/main.tf b/4-projects/business_unit_1/development/main.tf index 146b069e9..b1d72822d 100644 --- a/4-projects/business_unit_1/development/main.tf +++ b/4-projects/business_unit_1/development/main.tf 
@@ -17,11 +17,14 @@ module "env" {
 source = "../../modules/base_env"
- env = "development"
- business_code = "bu1"
- business_unit = "business_unit_1"
- remote_state_bucket = var.remote_state_bucket
- location_kms = var.location_kms
- location_gcs = var.location_gcs
- peering_module_depends_on = var.peering_module_depends_on
+ env = "development"
+ business_code = "bu1"
+ business_unit = "business_unit_1"
+ remote_state_bucket = var.remote_state_bucket
+ location_kms = var.location_kms
+ location_gcs = var.location_gcs
+ peering_iap_fw_rules_enabled = true
+ subnet_region = var.instance_region
+ subnet_ip_range = "10.3.64.0/21"
+ peering_module_depends_on = var.peering_module_depends_on
 }
diff --git a/4-projects/business_unit_1/development/outputs.tf b/4-projects/business_unit_1/development/outputs.tf
index c0fbb931a..a81d4bd68 100644
--- a/4-projects/business_unit_1/development/outputs.tf
+++ b/4-projects/business_unit_1/development/outputs.tf
@@ -95,6 +95,16 @@ output "keys" {
 }
 output "bucket" {
- description = "The created storage bucket"
+ description = "The created storage bucket."
 value = module.env.bucket
 }
+
+output "peering_subnetwork_self_link" {
+ description = "The subnetwork self link of the peering network."
+ value = module.env.peering_subnetwork_self_link
+}
+
+output "iap_firewall_tags" {
+ description = "The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project."
+ value = module.env.iap_firewall_tags
+}
diff --git a/4-projects/business_unit_1/development/variables.tf b/4-projects/business_unit_1/development/variables.tf
index 8bc03b2f8..a67cc2b65 100644
--- a/4-projects/business_unit_1/development/variables.tf
+++ b/4-projects/business_unit_1/development/variables.tf
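Review bot: `subnet_ip_range = "10.3.64.0/21"` is a hard-coded literal in the environment root while its companion `subnet_region` is driven by `var.instance_region`, so the only way to change or audit the allocated range is to edit main.tf, and nothing on the line records that this /21 must not overlap the base and restricted shared VPC subnets (which this diff does not show). Consider exposing it as a root variable with this value as its default, or at minimum annotating it, e.g. `subnet_ip_range = "10.3.64.0/21" // one /21 per business unit and environment; must not overlap the shared VPC ranges`. `peering_iap_fw_rules_enabled = true` is also switched on unconditionally for every environment, including production, against the module's `false` default; if that is intended, a short comment saying so would help. The same pattern appears in the non-production and production main.tf for business_unit_1 and in all three main.tf hunks for business_unit_2.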
@@ -36,3 +36,9 @@ variable "peering_module_depends_on" { type = list(any) default = [] } + +variable "instance_region" { + description = "Region which the peered subnet will be created (Should be same region as the VM that will be created on step 5-app-infra on the peering project)." + type = string + default = "us-central1" +} diff --git a/4-projects/business_unit_1/non-production/README.md b/4-projects/business_unit_1/non-production/README.md index b0ad9f766..6cf56a6d6 100644 --- a/4-projects/business_unit_1/non-production/README.md +++ b/4-projects/business_unit_1/non-production/README.md @@ -3,6 +3,7 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| instance\_region | Region which the peered subnet will be created (Should be same region as the VM that will be created on step 5-app-infra on the peering project). | `string` | `"us-central1"` | no | | location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `"US"` | no | | location\_kms | Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket) | `string` | `"us"` | no | | peering\_module\_depends\_on | List of modules or resources peering module depends on. | `list(any)` | `[]` | no | 
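Review bot: The description of the new `instance_region` variable reads awkwardly ("Region which the peered subnet will be created"), and the README hunks in this diff copy that text verbatim into the generated table. Suggested wording: `description = "Region in which the peered subnet is created. Must be the same region as the VM created in step 5-app-infra in the peering project."`. Nothing can enforce the cross-step constraint from this variable alone, so documenting it is the right level; the same wording applies to the other five variables.tf hunks in this diff.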
@@ -16,14 +17,16 @@ | base\_shared\_vpc\_project | Project sample base project. | | base\_shared\_vpc\_project\_sa | Project sample base project SA. | | base\_subnets\_self\_links | The self-links of subnets from base environment. | -| bucket | The created storage bucket | +| bucket | The created storage bucket. | | env\_secrets\_project | Project sample peering project id. | | floating\_project | Project sample floating project. | +| iap\_firewall\_tags | The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project. | | keyring | The name of the keyring. | | keys | List of created key names. | | peering\_complete | Output to be used as a module dependency. | | peering\_network | Peer network peering resource. | | peering\_project | Project sample peering project id. | +| peering\_subnetwork\_self\_link | The subnetwork self link of the peering network. | | restricted\_enabled\_apis | Activated APIs. | | restricted\_shared\_vpc\_project | Project sample restricted project id. | | restricted\_shared\_vpc\_project\_number | Project sample restricted project. | diff --git a/4-projects/business_unit_1/non-production/main.tf b/4-projects/business_unit_1/non-production/main.tf index 26a23e881..b5b15db5f 100644 --- a/4-projects/business_unit_1/non-production/main.tf +++ b/4-projects/business_unit_1/non-production/main.tf 
@@ -17,11 +17,14 @@ module "env" { source = "../../modules/base_env" - env = "non-production" - business_code = "bu1" - business_unit = "business_unit_1" - remote_state_bucket = var.remote_state_bucket - location_kms = var.location_kms - location_gcs = var.location_gcs - peering_module_depends_on = var.peering_module_depends_on + env = "non-production" + business_code = "bu1" + business_unit = "business_unit_1" + remote_state_bucket = var.remote_state_bucket + location_kms = var.location_kms + location_gcs = var.location_gcs + peering_iap_fw_rules_enabled = true + subnet_region = var.instance_region + subnet_ip_range = "10.3.128.0/21" + peering_module_depends_on = var.peering_module_depends_on } diff --git a/4-projects/business_unit_1/non-production/outputs.tf b/4-projects/business_unit_1/non-production/outputs.tf index c0fbb931a..a81d4bd68 100644 --- a/4-projects/business_unit_1/non-production/outputs.tf +++ b/4-projects/business_unit_1/non-production/outputs.tf @@ -95,6 +95,16 @@ output "keys" { } output "bucket" { - description = "The created storage bucket" + description = "The created storage bucket." value = module.env.bucket } + +output "peering_subnetwork_self_link" { + description = "The subnetwork self link of the peering network." + value = module.env.peering_subnetwork_self_link +} + +output "iap_firewall_tags" { + description = "The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project." + value = module.env.iap_firewall_tags +} diff --git a/4-projects/business_unit_1/non-production/variables.tf b/4-projects/business_unit_1/non-production/variables.tf index 8bc03b2f8..a67cc2b65 100644 --- a/4-projects/business_unit_1/non-production/variables.tf +++ b/4-projects/business_unit_1/non-production/variables.tf 
@@ -36,3 +36,9 @@ variable "peering_module_depends_on" { type = list(any) default = [] } + +variable "instance_region" { + description = "Region which the peered subnet will be created (Should be same region as the VM that will be created on step 5-app-infra on the peering project)." + type = string + default = "us-central1" +} diff --git a/4-projects/business_unit_1/production/README.md b/4-projects/business_unit_1/production/README.md index b0ad9f766..6cf56a6d6 100644 --- a/4-projects/business_unit_1/production/README.md +++ b/4-projects/business_unit_1/production/README.md @@ -3,6 +3,7 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| instance\_region | Region which the peered subnet will be created (Should be same region as the VM that will be created on step 5-app-infra on the peering project). | `string` | `"us-central1"` | no | | location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `"US"` | no | | location\_kms | Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket) | `string` | `"us"` | no | | peering\_module\_depends\_on | List of modules or resources peering module depends on. | `list(any)` | `[]` | no | 
@@ -16,14 +17,16 @@ | base\_shared\_vpc\_project | Project sample base project. | | base\_shared\_vpc\_project\_sa | Project sample base project SA. | | base\_subnets\_self\_links | The self-links of subnets from base environment. | -| bucket | The created storage bucket | +| bucket | The created storage bucket. | | env\_secrets\_project | Project sample peering project id. | | floating\_project | Project sample floating project. | +| iap\_firewall\_tags | The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project. | | keyring | The name of the keyring. | | keys | List of created key names. | | peering\_complete | Output to be used as a module dependency. | | peering\_network | Peer network peering resource. | | peering\_project | Project sample peering project id. | +| peering\_subnetwork\_self\_link | The subnetwork self link of the peering network. | | restricted\_enabled\_apis | Activated APIs. | | restricted\_shared\_vpc\_project | Project sample restricted project id. | | restricted\_shared\_vpc\_project\_number | Project sample restricted project. | diff --git a/4-projects/business_unit_1/production/main.tf b/4-projects/business_unit_1/production/main.tf index 6c2c037c8..00dc70fa8 100644 --- a/4-projects/business_unit_1/production/main.tf +++ b/4-projects/business_unit_1/production/main.tf 
@@ -17,11 +17,14 @@ module "env" { source = "../../modules/base_env" - env = "production" - business_code = "bu1" - business_unit = "business_unit_1" - remote_state_bucket = var.remote_state_bucket - location_kms = var.location_kms - location_gcs = var.location_gcs - peering_module_depends_on = var.peering_module_depends_on + env = "production" + business_code = "bu1" + business_unit = "business_unit_1" + remote_state_bucket = var.remote_state_bucket + location_kms = var.location_kms + location_gcs = var.location_gcs + peering_iap_fw_rules_enabled = true + subnet_region = var.instance_region + subnet_ip_range = "10.3.192.0/21" + peering_module_depends_on = var.peering_module_depends_on } diff --git a/4-projects/business_unit_1/production/outputs.tf b/4-projects/business_unit_1/production/outputs.tf index c0fbb931a..a81d4bd68 100644 --- a/4-projects/business_unit_1/production/outputs.tf +++ b/4-projects/business_unit_1/production/outputs.tf @@ -95,6 +95,16 @@ output "keys" { } output "bucket" { - description = "The created storage bucket" + description = "The created storage bucket." value = module.env.bucket } + +output "peering_subnetwork_self_link" { + description = "The subnetwork self link of the peering network." + value = module.env.peering_subnetwork_self_link +} + +output "iap_firewall_tags" { + description = "The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project." + value = module.env.iap_firewall_tags +} diff --git a/4-projects/business_unit_1/production/variables.tf b/4-projects/business_unit_1/production/variables.tf index 8bc03b2f8..a67cc2b65 100644 --- a/4-projects/business_unit_1/production/variables.tf +++ b/4-projects/business_unit_1/production/variables.tf 
@@ -36,3 +36,9 @@ variable "peering_module_depends_on" { type = list(any) default = [] } + +variable "instance_region" { + description = "Region which the peered subnet will be created (Should be same region as the VM that will be created on step 5-app-infra on the peering project)." + type = string + default = "us-central1" +} diff --git a/4-projects/business_unit_2/development/README.md b/4-projects/business_unit_2/development/README.md index b0ad9f766..6cf56a6d6 100644 --- a/4-projects/business_unit_2/development/README.md +++ b/4-projects/business_unit_2/development/README.md @@ -3,6 +3,7 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| instance\_region | Region which the peered subnet will be created (Should be same region as the VM that will be created on step 5-app-infra on the peering project). | `string` | `"us-central1"` | no | | location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `"US"` | no | | location\_kms | Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket) | `string` | `"us"` | no | | peering\_module\_depends\_on | List of modules or resources peering module depends on. | `list(any)` | `[]` | no | 
@@ -16,14 +17,16 @@ | base\_shared\_vpc\_project | Project sample base project. | | base\_shared\_vpc\_project\_sa | Project sample base project SA. | | base\_subnets\_self\_links | The self-links of subnets from base environment. | -| bucket | The created storage bucket | +| bucket | The created storage bucket. | | env\_secrets\_project | Project sample peering project id. | | floating\_project | Project sample floating project. | +| iap\_firewall\_tags | The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project. | | keyring | The name of the keyring. | | keys | List of created key names. | | peering\_complete | Output to be used as a module dependency. | | peering\_network | Peer network peering resource. | | peering\_project | Project sample peering project id. | +| peering\_subnetwork\_self\_link | The subnetwork self link of the peering network. | | restricted\_enabled\_apis | Activated APIs. | | restricted\_shared\_vpc\_project | Project sample restricted project id. | | restricted\_shared\_vpc\_project\_number | Project sample restricted project. | diff --git a/4-projects/business_unit_2/development/main.tf b/4-projects/business_unit_2/development/main.tf index aab469121..4ca2e1ee2 100644 --- a/4-projects/business_unit_2/development/main.tf +++ b/4-projects/business_unit_2/development/main.tf 
@@ -17,11 +17,14 @@ module "env" { source = "../../modules/base_env" - env = "development" - business_code = "bu2" - business_unit = "business_unit_2" - remote_state_bucket = var.remote_state_bucket - location_kms = var.location_kms - location_gcs = var.location_gcs - peering_module_depends_on = var.peering_module_depends_on + env = "development" + business_code = "bu2" + business_unit = "business_unit_2" + remote_state_bucket = var.remote_state_bucket + location_kms = var.location_kms + location_gcs = var.location_gcs + peering_iap_fw_rules_enabled = true + subnet_region = var.instance_region + subnet_ip_range = "10.4.64.0/21" + peering_module_depends_on = var.peering_module_depends_on } diff --git a/4-projects/business_unit_2/development/outputs.tf b/4-projects/business_unit_2/development/outputs.tf index c0fbb931a..a81d4bd68 100644 --- a/4-projects/business_unit_2/development/outputs.tf +++ b/4-projects/business_unit_2/development/outputs.tf @@ -95,6 +95,16 @@ output "keys" { } output "bucket" { - description = "The created storage bucket" + description = "The created storage bucket." value = module.env.bucket } + +output "peering_subnetwork_self_link" { + description = "The subnetwork self link of the peering network." + value = module.env.peering_subnetwork_self_link +} + +output "iap_firewall_tags" { + description = "The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project." + value = module.env.iap_firewall_tags +} diff --git a/4-projects/business_unit_2/development/variables.tf b/4-projects/business_unit_2/development/variables.tf index 8bc03b2f8..a67cc2b65 100644 --- a/4-projects/business_unit_2/development/variables.tf +++ b/4-projects/business_unit_2/development/variables.tf 
@@ -36,3 +36,9 @@ variable "peering_module_depends_on" { type = list(any) default = [] } + +variable "instance_region" { + description = "Region which the peered subnet will be created (Should be same region as the VM that will be created on step 5-app-infra on the peering project)." + type = string + default = "us-central1" +} diff --git a/4-projects/business_unit_2/non-production/README.md b/4-projects/business_unit_2/non-production/README.md index b0ad9f766..6cf56a6d6 100644 --- a/4-projects/business_unit_2/non-production/README.md +++ b/4-projects/business_unit_2/non-production/README.md @@ -3,6 +3,7 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| instance\_region | Region which the peered subnet will be created (Should be same region as the VM that will be created on step 5-app-infra on the peering project). | `string` | `"us-central1"` | no | | location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `"US"` | no | | location\_kms | Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket) | `string` | `"us"` | no | | peering\_module\_depends\_on | List of modules or resources peering module depends on. | `list(any)` | `[]` | no | 
@@ -16,14 +17,16 @@ | base\_shared\_vpc\_project | Project sample base project. | | base\_shared\_vpc\_project\_sa | Project sample base project SA. | | base\_subnets\_self\_links | The self-links of subnets from base environment. | -| bucket | The created storage bucket | +| bucket | The created storage bucket. | | env\_secrets\_project | Project sample peering project id. | | floating\_project | Project sample floating project. | +| iap\_firewall\_tags | The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project. | | keyring | The name of the keyring. | | keys | List of created key names. | | peering\_complete | Output to be used as a module dependency. | | peering\_network | Peer network peering resource. | | peering\_project | Project sample peering project id. | +| peering\_subnetwork\_self\_link | The subnetwork self link of the peering network. | | restricted\_enabled\_apis | Activated APIs. | | restricted\_shared\_vpc\_project | Project sample restricted project id. | | restricted\_shared\_vpc\_project\_number | Project sample restricted project. | diff --git a/4-projects/business_unit_2/non-production/main.tf b/4-projects/business_unit_2/non-production/main.tf index 01533f9f3..df030fd30 100644 --- a/4-projects/business_unit_2/non-production/main.tf +++ b/4-projects/business_unit_2/non-production/main.tf 
@@ -17,11 +17,14 @@ module "env" { source = "../../modules/base_env" - env = "non-production" - business_code = "bu2" - business_unit = "business_unit_2" - remote_state_bucket = var.remote_state_bucket - location_kms = var.location_kms - location_gcs = var.location_gcs - peering_module_depends_on = var.peering_module_depends_on + env = "non-production" + business_code = "bu2" + business_unit = "business_unit_2" + remote_state_bucket = var.remote_state_bucket + location_kms = var.location_kms + location_gcs = var.location_gcs + peering_iap_fw_rules_enabled = true + subnet_region = var.instance_region + subnet_ip_range = "10.4.128.0/21" + peering_module_depends_on = var.peering_module_depends_on } diff --git a/4-projects/business_unit_2/non-production/outputs.tf b/4-projects/business_unit_2/non-production/outputs.tf index c0fbb931a..a81d4bd68 100644 --- a/4-projects/business_unit_2/non-production/outputs.tf +++ b/4-projects/business_unit_2/non-production/outputs.tf @@ -95,6 +95,16 @@ output "keys" { } output "bucket" { - description = "The created storage bucket" + description = "The created storage bucket." value = module.env.bucket } + +output "peering_subnetwork_self_link" { + description = "The subnetwork self link of the peering network." + value = module.env.peering_subnetwork_self_link +} + +output "iap_firewall_tags" { + description = "The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project." + value = module.env.iap_firewall_tags +} diff --git a/4-projects/business_unit_2/non-production/variables.tf b/4-projects/business_unit_2/non-production/variables.tf index 8bc03b2f8..a67cc2b65 100644 --- a/4-projects/business_unit_2/non-production/variables.tf +++ b/4-projects/business_unit_2/non-production/variables.tf 
@@ -36,3 +36,9 @@ variable "peering_module_depends_on" { type = list(any) default = [] } + +variable "instance_region" { + description = "Region which the peered subnet will be created (Should be same region as the VM that will be created on step 5-app-infra on the peering project)." + type = string + default = "us-central1" +} diff --git a/4-projects/business_unit_2/production/README.md b/4-projects/business_unit_2/production/README.md index b0ad9f766..6cf56a6d6 100644 --- a/4-projects/business_unit_2/production/README.md +++ b/4-projects/business_unit_2/production/README.md @@ -3,6 +3,7 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| instance\_region | Region which the peered subnet will be created (Should be same region as the VM that will be created on step 5-app-infra on the peering project). | `string` | `"us-central1"` | no | | location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `"US"` | no | | location\_kms | Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket) | `string` | `"us"` | no | | peering\_module\_depends\_on | List of modules or resources peering module depends on. | `list(any)` | `[]` | no | 
@@ -16,14 +17,16 @@ | base\_shared\_vpc\_project | Project sample base project. | | base\_shared\_vpc\_project\_sa | Project sample base project SA. | | base\_subnets\_self\_links | The self-links of subnets from base environment. | -| bucket | The created storage bucket | +| bucket | The created storage bucket. | | env\_secrets\_project | Project sample peering project id. | | floating\_project | Project sample floating project. | +| iap\_firewall\_tags | The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project. | | keyring | The name of the keyring. | | keys | List of created key names. | | peering\_complete | Output to be used as a module dependency. | | peering\_network | Peer network peering resource. | | peering\_project | Project sample peering project id. | +| peering\_subnetwork\_self\_link | The subnetwork self link of the peering network. | | restricted\_enabled\_apis | Activated APIs. | | restricted\_shared\_vpc\_project | Project sample restricted project id. | | restricted\_shared\_vpc\_project\_number | Project sample restricted project. | diff --git a/4-projects/business_unit_2/production/main.tf b/4-projects/business_unit_2/production/main.tf index a8c62594d..6c335d113 100644 --- a/4-projects/business_unit_2/production/main.tf +++ b/4-projects/business_unit_2/production/main.tf 
@@ -17,11 +17,14 @@ module "env" { source = "../../modules/base_env" - env = "production" - business_code = "bu2" - business_unit = "business_unit_2" - remote_state_bucket = var.remote_state_bucket - location_kms = var.location_kms - location_gcs = var.location_gcs - peering_module_depends_on = var.peering_module_depends_on + env = "production" + business_code = "bu2" + business_unit = "business_unit_2" + remote_state_bucket = var.remote_state_bucket + location_kms = var.location_kms + location_gcs = var.location_gcs + peering_iap_fw_rules_enabled = true + subnet_region = var.instance_region + subnet_ip_range = "10.4.192.0/21" + peering_module_depends_on = var.peering_module_depends_on } diff --git a/4-projects/business_unit_2/production/outputs.tf b/4-projects/business_unit_2/production/outputs.tf index c0fbb931a..a81d4bd68 100644 --- a/4-projects/business_unit_2/production/outputs.tf +++ b/4-projects/business_unit_2/production/outputs.tf @@ -95,6 +95,16 @@ output "keys" { } output "bucket" { - description = "The created storage bucket" + description = "The created storage bucket." value = module.env.bucket } + +output "peering_subnetwork_self_link" { + description = "The subnetwork self link of the peering network." + value = module.env.peering_subnetwork_self_link +} + +output "iap_firewall_tags" { + description = "The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project." + value = module.env.iap_firewall_tags +} diff --git a/4-projects/business_unit_2/production/variables.tf b/4-projects/business_unit_2/production/variables.tf index 8bc03b2f8..a67cc2b65 100644 --- a/4-projects/business_unit_2/production/variables.tf +++ b/4-projects/business_unit_2/production/variables.tf 
@@ -36,3 +36,9 @@ variable "peering_module_depends_on" { type = list(any) default = [] } + +variable "instance_region" { + description = "Region which the peered subnet will be created (Should be same region as the VM that will be created on step 5-app-infra on the peering project)." + type = string + default = "us-central1" +} diff --git a/4-projects/modules/base_env/README.md b/4-projects/modules/base_env/README.md index dd7d2a2b3..41fa50c36 100644 --- a/4-projects/modules/base_env/README.md +++ b/4-projects/modules/base_env/README.md @@ -13,11 +13,14 @@ | keyring\_name | Name to be used for KMS Keyring | `string` | `"sample-keyring"` | no | | location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `"US"` | no | | location\_kms | Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket) | `string` | `"us"` | no | -| optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | `bool` | `false` | no | +| optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: Internal & Global load balancing health check and load balancing IP ranges. | `bool` | `false` | no | +| peering\_iap\_fw\_rules\_enabled | Toggle creation of optional IAP firewall rules: SSH, RDP. | `bool` | `false` | no | | peering\_module\_depends\_on | List of modules or resources peering module depends on. | `list(any)` | `[]` | no | | project\_budget | Budget configuration.
budget\_amount: The amount to use as the budget.
alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.
alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`. |
object({
budget_amount = optional(number, 1000)
alert_spent_percents = optional(list(number), [0.5, 0.75, 0.9, 0.95])
alert_pubsub_topic = optional(string, null)
})
| `{}` | no | | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes | | secrets\_prj\_suffix | Name suffix to use for secrets project created. | `string` | `"env-secrets"` | no | +| subnet\_ip\_range | IP range for the peered subnetwork. If "peering\_iap\_fw\_rules\_enabled" is true, this field should not be null. | `string` | `null` | no | +| subnet\_region | Region which the peered subnet will be created. If "peering\_iap\_fw\_rules\_enabled" is true, this field should not be null. | `string` | `null` | no | | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no | ## Outputs @@ -28,14 +31,16 @@ | base\_shared\_vpc\_project | Project sample base project. | | base\_shared\_vpc\_project\_sa | Project sample base project SA. | | base\_subnets\_self\_links | The self-links of subnets from base environment. | -| bucket | The created storage bucket | +| bucket | The created storage bucket. | | env\_secrets\_project | Project sample peering project id. | | floating\_project | Project sample floating project. | +| iap\_firewall\_tags | The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project. | | keyring | The name of the keyring. | | keys | List of created key names. | | peering\_complete | Output to be used as a module dependency. | | peering\_network | Peer network peering resource. | | peering\_project | Project sample peering project id. | +| peering\_subnetwork\_self\_link | The subnetwork self link of the peering network. | | restricted\_enabled\_apis | Activated APIs. | | restricted\_shared\_vpc\_project | Project sample restricted project id. | | restricted\_shared\_vpc\_project\_number | Project sample restricted project. | 
diff --git a/4-projects/modules/base_env/example_peering_project.tf b/4-projects/modules/base_env/example_peering_project.tf
index d44f220ec..0c10e2283 100644
--- a/4-projects/modules/base_env/example_peering_project.tf
+++ b/4-projects/modules/base_env/example_peering_project.tf
@@ -40,6 +40,25 @@ module "peering_project" {
 project_budget = var.project_budget
 project_prefix = local.project_prefix
+ // Enabling Cloud Build Deploy to use Service Accounts during the build and give permissions to the SA.
+ // The permissions will be the ones necessary for the deployment of the step 5-app-infra
+ enable_cloudbuild_deploy = local.enable_cloudbuild_deploy
+
+ // A map of Service Accounts to use on the infra pipeline (Cloud Build)
+ // Where the key is the repository name ("${var.business_code}-example-app")
+ app_infra_pipeline_service_accounts = local.app_infra_pipeline_service_accounts
+
+ // Map for the roles where the key is the repository name ("${var.business_code}-example-app")
+ // and the value is the list of roles that this SA need to deploy step 5-app-infra
+ sa_roles = {
+ "${var.business_code}-example-app" = [
+ "roles/compute.instanceAdmin.v1",
+ "roles/iam.serviceAccountAdmin",
+ "roles/iam.serviceAccountUser",
+ "roles/resourcemanager.tagUser",
+ ]
+ }
+
 activate_apis = [
 "dns.googleapis.com"
 ]
@@ -61,7 +80,17 @@ module "peering_network" {
 network_name = "vpc-${local.env_code}-peering-base"
 shared_vpc_host = "false"
 delete_default_internet_gateway_routes = "true"
- subnets = []
+
+ subnets = [
+ {
+ subnet_name = "sb-${local.env_code}-${var.business_code}-peered-${var.subnet_region}"
+ subnet_ip = var.subnet_ip_range
+ subnet_region = var.subnet_region
+ subnet_private_access = "true"
+ subnet_flow_logs = "true"
+ description = "Peered subnetwork on region ${var.subnet_region}."
+ }
+ ]
 }
 resource "google_dns_policy" "default_policy" {
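Review bot: `sa_roles` grants the `${var.business_code}-example-app` pipeline service account `roles/iam.serviceAccountUser` and `roles/iam.serviceAccountAdmin` next to `roles/compute.instanceAdmin.v1`; how the project module binds `sa_roles` is not visible in this hunk, but if it binds at project level the pipeline SA can act as, and modify, every service account in the peering project, which is broader than deploying one VM needs. Prefer binding `serviceAccountUser` on the specific VM service account created in step 5-app-infra and dropping `serviceAccountAdmin` unless the pipeline actually creates service accounts, or state in the comment why project-wide scope is required. The comment line also has a grammar slip (`this SA need` should be `this SA needs`) and could carry the scoping reminder, e.g. `// NOTE: confirm the scope at which sa_roles is bound; keep this list to the minimum step 5-app-infra needs.`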
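Review bot: The peered subnet is now created unconditionally with `subnet_ip = var.subnet_ip_range` and `subnet_region = var.subnet_region`, yet the base_env README hunk in this same diff declares both inputs default to `null` and are only needed when `peering_iap_fw_rules_enabled` is true; a caller of base_env that leaves them unset will fail at plan with a null subnet rather than simply skipping it. Either condition the `subnets` list on the flag (or on `var.subnet_ip_range != null`), or remove the null defaults so the inputs are required, and make the README state the same contract. Because `subnet_region` is embedded in `subnet_name`, changing the region later is likely to force replacement of the subnet, which is worth a comment on that line, e.g. `// region is part of the name: changing it recreates the subnet`.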
@@ -149,62 +178,6 @@ resource "google_compute_firewall" "allow_private_api_egress" {
 Optional firewall rules
 *****************************************/
-// Allow SSH via IAP when using the allow-iap-ssh tag for Linux workloads.
-resource "google_compute_firewall" "allow_iap_ssh" {
- count = var.optional_fw_rules_enabled ? 1 : 0
- name = "fw-${local.env_code}-peering-base-1000-i-a-all-allow-iap-ssh-tcp-22"
- network = module.peering_network.network_name
- project = module.peering_project.project_id
-
- dynamic "log_config" {
- for_each = var.firewall_enable_logging == true ? [{
- metadata = "INCLUDE_ALL_METADATA"
- }] : []
-
- content {
- metadata = log_config.value.metadata
- }
- }
-
- // Cloud IAP's TCP forwarding netblock
- source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4)
-
- allow {
- protocol = "tcp"
- ports = ["22"]
- }
-
- target_tags = ["allow-iap-ssh"]
-}
-
-// Allow RDP via IAP when using the allow-iap-rdp tag for Windows workloads.
-resource "google_compute_firewall" "allow_iap_rdp" {
- count = var.optional_fw_rules_enabled ? 1 : 0
- name = "fw-${local.env_code}-peering-base-1000-i-a-all-allow-iap-rdp-tcp-3389"
- network = module.peering_network.network_name
- project = module.peering_project.project_id
-
- dynamic "log_config" {
- for_each = var.firewall_enable_logging == true ? [{
- metadata = "INCLUDE_ALL_METADATA"
- }] : []
-
- content {
- metadata = log_config.value.metadata
- }
- }
-
- // Cloud IAP's TCP forwarding netblock
- source_ranges = concat(data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4)
-
- allow {
- protocol = "tcp"
- ports = ["3389"]
- }
-
- target_tags = ["allow-iap-rdp"]
-}
-
 // Allow access to kms.windows.googlecloud.com for Windows license activation
 resource "google_compute_firewall" "allow_windows_activation" {
 count = var.windows_activation_enabled ? 1 : 0
@@ -261,3 +234,106 @@ resource "google_compute_firewall" "allow_lb" {
 target_tags = ["allow-lb"]
 }
+
+// Allow SSH and RDP via IAP when using the Firewall Secure Tags.
+module "allow_iap_ssh_rdp" {
+ source = "terraform-google-modules/network/google//modules/network-firewall-policy"
+ version = "~> 8.0"
+
+ project_id = module.peering_project.project_id
+ policy_name = "fp-${local.env_code}-allow-iap-policy"
+
+ rules = [
+ {
+ // Allow SSH via IAP when using the ssh-iap-access/allow resource manager tag for Linux workloads.
+ rule_name = "fw-${local.env_code}-peering-base-1000-i-a-all-allow-iap-ssh-tcp-22"
+ action = "allow"
+ direction = "INGRESS"
+ priority = "1000"
+ enable_logging = true
+ target_secure_tags = ["tagValues/${google_tags_tag_value.firewall_tag_value_ssh[0].name}"]
+ match = {
+ src_ip_ranges = data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4
+ layer4_configs = [
+ {
+ ip_protocol = "tcp"
+ ports = ["22"]
+ },
+ ]
+ }
+ },
+ {
+ // Allow RDP via IAP when using the rdp-iap-access/allow resource manager tag for Windows workloads.
+ rule_name = "fw-${local.env_code}-peering-base-1001-i-a-all-allow-iap-rdp-tcp-3389"
+ action = "allow"
+ direction = "INGRESS"
+ priority = "1001"
+ enable_logging = true
+ target_secure_tags = ["tagValues/${google_tags_tag_value.firewall_tag_value_rdp[0].name}"]
+ match = {
+ src_ip_ranges = data.google_netblock_ip_ranges.iap_forwarders.cidr_blocks_ipv4
+ layer4_configs = [
+ {
+ ip_protocol = "tcp"
+ ports = ["3389"]
+ },
+ ]
+ }
+ }
+ ]
+
+ depends_on = [
+ google_tags_tag_value.firewall_tag_value_ssh,
+ google_tags_tag_value.firewall_tag_value_rdp
+ ]
+}
+
+resource "google_compute_network_firewall_policy_association" "vpc_associations" {
+ name = "fpa-${local.env_code}-allow-iap-ssh-rdp"
+ attachment_target = module.peering_network.network_id
+ firewall_policy = module.allow_iap_ssh_rdp.fw_policy[0].id
+ project = module.peering_project.project_id
+
+ depends_on = [
+ module.allow_iap_ssh_rdp,
+ module.peering_network
+ ]
+}
+
+resource "google_tags_tag_key" "firewall_tag_key_ssh" {
+ count = var.peering_iap_fw_rules_enabled ? 1 : 0
+
+ short_name = "ssh-iap-access"
+ parent = "projects/${module.peering_project.project_id}"
+ purpose = "GCE_FIREWALL"
+
+ purpose_data = {
+ network = "${module.peering_project.project_id}/${module.peering_network.network_name}"
+ }
+}
+
+resource "google_tags_tag_value" "firewall_tag_value_ssh" {
+ count = var.peering_iap_fw_rules_enabled ? 1 : 0
+
+ short_name = "allow"
+ parent = "tagKeys/${google_tags_tag_key.firewall_tag_key_ssh[0].name}"
+}
+
+resource "google_tags_tag_key" "firewall_tag_key_rdp" {
+ count = var.peering_iap_fw_rules_enabled ? 1 : 0
+
+ short_name = "rdp-iap-access"
+ parent = "projects/${module.peering_project.project_id}"
+ purpose = "GCE_FIREWALL"
+
+ purpose_data = {
+ network = "${module.peering_project.project_id}/${module.peering_network.network_name}"
+ }
+}
+
+resource "google_tags_tag_value" "firewall_tag_value_rdp" {
+ count = var.peering_iap_fw_rules_enabled ? 1 : 0
+
+ short_name = "allow"
+ parent = "tagKeys/${google_tags_tag_key.firewall_tag_key_rdp[0].name}"
+}
diff --git a/4-projects/modules/base_env/outputs.tf b/4-projects/modules/base_env/outputs.tf
index 039b43aea..81abf32a3 100644
--- a/4-projects/modules/base_env/outputs.tf
+++ b/4-projects/modules/base_env/outputs.tf
@@ -95,6 +95,19 @@ output "keys" {
 }
 output "bucket" {
- description = "The created storage bucket"
+ description = "The created storage bucket."
 value = module.gcs_buckets.bucket
 }
+
+output "peering_subnetwork_self_link" {
+ description = "The subnetwork self link of the peering network."
+ value = var.peering_iap_fw_rules_enabled ? module.peering_network.subnets_self_links[0] : ""
+}
+
+output "iap_firewall_tags" {
+ description = "The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project."
+ value = var.peering_iap_fw_rules_enabled ? {
+ "tagKeys/${google_tags_tag_key.firewall_tag_key_ssh[0].name}" = "tagValues/${google_tags_tag_value.firewall_tag_value_ssh[0].name}"
+ "tagKeys/${google_tags_tag_key.firewall_tag_key_rdp[0].name}" = "tagValues/${google_tags_tag_value.firewall_tag_value_rdp[0].name}"
+ } : {}
+}
diff --git a/4-projects/modules/base_env/variables.tf b/4-projects/modules/base_env/variables.tf
index 560d0c577..844ff42f6 100644
--- a/4-projects/modules/base_env/variables.tf
+++ b/4-projects/modules/base_env/variables.tf
@@ -43,7 +43,7 @@ variable "firewall_enable_logging" {
 variable "optional_fw_rules_enabled" {
 type = bool
- description = "Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges."
+ description = "Toggle creation of optional firewall rules: Internal & Global load balancing health check and load balancing IP ranges."
 default = false
 }
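Review bot: `module "allow_iap_ssh_rdp"` and `google_compute_network_firewall_policy_association.vpc_associations` carry no `count`, yet `rules` indexes `google_tags_tag_value.firewall_tag_value_ssh[0]` and `..._rdp[0]`, which are empty tuples whenever `var.peering_iap_fw_rules_enabled` is false; with the variable's default of false the plan fails with an invalid index instead of skipping the IAP rules the way the removed `optional_fw_rules_enabled`-gated resources did. Add `count = var.peering_iap_fw_rules_enabled ? 1 : 0` to the module and to the association, and reference the policy as `module.allow_iap_ssh_rdp[0].fw_policy[0].id`. Both rules also hard-code `enable_logging = true` while the removed rules honoured `var.firewall_enable_logging`; `enable_logging = var.firewall_enable_logging` preserves that operator setting. The secure-tag binding itself (tag keys with `purpose = "GCE_FIREWALL"` scoped to the peering network, rules matched on `target_secure_tags` rather than network tags) is the stronger control, since attaching such a tag requires `roles/resourcemanager.tagUser` instead of merely instance-admin.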
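Review bot: `peering_subnetwork_self_link` falls back to `""` when `peering_iap_fw_rules_enabled` is false, and the step 5-app-infra `env_base` locals in this diff feed that value straight into `subnetwork_self_link` for the `sample-peering` project, so an operator who disables the toggle discovers it only as an empty-subnetwork error one stage later. Spell out the coupling in the description: `description = "The subnetwork self link of the peering network; empty when peering_iap_fw_rules_enabled is false, in which case the 5-app-infra peering instance cannot be deployed."` The same applies to `iap_firewall_tags`, which returns `{}` in that case.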
@@ -114,3 +114,21 @@ variable "remote_state_bucket" {
 description = "Backend bucket to load Terraform Remote State Data from previous steps."
 type = string
 }
+
+variable "peering_iap_fw_rules_enabled" {
+ description = "Toggle creation of optional IAP firewall rules: SSH, RDP."
+ type = bool
+ default = false
+}
+
+variable "subnet_region" {
+ description = "Region which the peered subnet will be created. If \"peering_iap_fw_rules_enabled\" is true, this field should not be null."
+ type = string
+ default = null
+}
+
+variable "subnet_ip_range" {
+ description = "IP range for the peered subnetwork. If \"peering_iap_fw_rules_enabled\" is true, this field should not be null."
+ type = string
+ default = null
+}
diff --git a/5-app-infra/business_unit_1/development/main.tf b/5-app-infra/business_unit_1/development/main.tf
index a5e74b397..d473670be 100644
--- a/5-app-infra/business_unit_1/development/main.tf
+++ b/5-app-infra/business_unit_1/development/main.tf
@@ -28,3 +28,13 @@ module "base_shared_gce_instance" {
 region = var.instance_region
 remote_state_bucket = var.remote_state_bucket
 }
+
+module "peering_gce_instance" {
+ source = "../../modules/env_base"
+
+ environment = local.environment
+ business_unit = local.business_unit
+ project_suffix = "sample-peering"
+ region = var.instance_region
+ remote_state_bucket = var.remote_state_bucket
+}
diff --git a/5-app-infra/business_unit_1/development/outputs.tf b/5-app-infra/business_unit_1/development/outputs.tf
index 216f7a128..0fa8c81ab 100644
--- a/5-app-infra/business_unit_1/development/outputs.tf
+++ b/5-app-infra/business_unit_1/development/outputs.tf
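Review bot: The rule that `subnet_region` and `subnet_ip_range` must be set when `peering_iap_fw_rules_enabled` is true lives only in the description strings, so a violation is reported by the subnet module rather than at variable validation. A `validation` block such as `condition = var.subnet_ip_range == null || can(cidrhost(var.subnet_ip_range, 0))` with `error_message = "subnet_ip_range must be a valid CIDR."` at least rejects malformed ranges early; whether the cross-variable check can also be expressed in a `validation` block depends on the Terraform version this repository pins. Separately, `peering_iap_fw_rules_enabled`'s description says it toggles only the IAP firewall rules, but in this diff it also governs the tag keys/values and the descriptions of the two subnet inputs are tied to it, so `description = "Toggle creation of the IAP (SSH, RDP) firewall policy and its secure tags; subnet_region and subnet_ip_range must be set when true."` describes it more accurately.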
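Review bot: `module "peering_gce_instance"` is added unconditionally here and identically in the non-production and production main.tf hunks that follow, yet it can only deploy when the 4-projects stage was applied with `peering_iap_fw_rules_enabled = true` (and, presumably, a `subnet_region` matching this stage's `var.instance_region`), because `env_base` selects the peering subnet from a remote-state output that is `""` otherwise. A comment above the module stating that prerequisite, `// Requires 4-projects applied with peering_iap_fw_rules_enabled = true; the peered subnet must exist in var.instance_region.`, saves the next operator a plan failure two stages removed from its cause. This also places an IAP-reachable SSH/RDP VM into the peering project of every environment, production included, which is worth stating as intended in the commit message.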
@@ -22,11 +22,13 @@ output "instances_self_links" {
 output "instances_names" {
 description = "List of names for compute instances"
 value = [for u in module.base_shared_gce_instance.instances_details : u.name]
+ sensitive = true
 }
 output "instances_zones" {
 description = "List of zone for compute instances"
 value = [for u in module.base_shared_gce_instance.instances_details : u.zone]
+ sensitive = true
 }
 output "instances_details" {
diff --git a/5-app-infra/business_unit_1/non-production/main.tf b/5-app-infra/business_unit_1/non-production/main.tf
index 3f9d4685a..7c707ab7a 100644
--- a/5-app-infra/business_unit_1/non-production/main.tf
+++ b/5-app-infra/business_unit_1/non-production/main.tf
@@ -28,3 +28,13 @@ module "base_shared_gce_instance" {
 region = var.instance_region
 remote_state_bucket = var.remote_state_bucket
 }
+
+module "peering_gce_instance" {
+ source = "../../modules/env_base"
+
+ environment = local.environment
+ business_unit = local.business_unit
+ project_suffix = "sample-peering"
+ region = var.instance_region
+ remote_state_bucket = var.remote_state_bucket
+}
diff --git a/5-app-infra/business_unit_1/non-production/outputs.tf b/5-app-infra/business_unit_1/non-production/outputs.tf
index 216f7a128..0fa8c81ab 100644
--- a/5-app-infra/business_unit_1/non-production/outputs.tf
+++ b/5-app-infra/business_unit_1/non-production/outputs.tf
@@ -22,11 +22,13 @@ output "instances_self_links" {
 output "instances_names" {
 description = "List of names for compute instances"
 value = [for u in module.base_shared_gce_instance.instances_details : u.name]
+ sensitive = true
 }
 output "instances_zones" {
 description = "List of zone for compute instances"
 value = [for u in module.base_shared_gce_instance.instances_details : u.zone]
+ sensitive = true
 }
 output "instances_details" {
diff --git a/5-app-infra/business_unit_1/production/main.tf b/5-app-infra/business_unit_1/production/main.tf
index 3a8177e3d..544c94213 100644
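Review bot: Marking `instances_names` and `instances_zones` sensitive (here and in the non-production and production outputs.tf hunks) only keeps those values out of `terraform output` and plan logs if the sibling outputs that embed the same data are sensitive too; `instances_self_links` and `instances_details` sit just outside this hunk, and a self link contains both the zone and the instance name. If the intent is to keep instance identifiers out of pipeline logs, `sensitive = true` belongs on those outputs as well; if the intent is something narrower, a comment on the line would help, because a bare `sensitive = true` on a name list reads as arbitrary.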
--- a/5-app-infra/business_unit_1/production/main.tf
+++ b/5-app-infra/business_unit_1/production/main.tf
@@ -28,3 +28,13 @@ module "base_shared_gce_instance" {
 region = var.instance_region
 remote_state_bucket = var.remote_state_bucket
 }
+
+module "peering_gce_instance" {
+ source = "../../modules/env_base"
+
+ environment = local.environment
+ business_unit = local.business_unit
+ project_suffix = "sample-peering"
+ region = var.instance_region
+ remote_state_bucket = var.remote_state_bucket
+}
diff --git a/5-app-infra/business_unit_1/production/outputs.tf b/5-app-infra/business_unit_1/production/outputs.tf
index 216f7a128..0fa8c81ab 100644
--- a/5-app-infra/business_unit_1/production/outputs.tf
+++ b/5-app-infra/business_unit_1/production/outputs.tf
@@ -22,11 +22,13 @@ output "instances_self_links" {
 output "instances_names" {
 description = "List of names for compute instances"
 value = [for u in module.base_shared_gce_instance.instances_details : u.name]
+ sensitive = true
 }
 output "instances_zones" {
 description = "List of zone for compute instances"
 value = [for u in module.base_shared_gce_instance.instances_details : u.zone]
+ sensitive = true
 }
 output "instances_details" {
diff --git a/5-app-infra/modules/env_base/main.tf b/5-app-infra/modules/env_base/main.tf
index 303dda404..fccb0d6b6 100644
--- a/5-app-infra/modules/env_base/main.tf
+++ b/5-app-infra/modules/env_base/main.tf
@@ -21,9 +21,25 @@ locals {
 "sample-peering" = data.terraform_remote_state.projects_env.outputs.peering_project,
 "sample-restrict" = data.terraform_remote_state.projects_env.outputs.restricted_shared_vpc_project,
 }
+ env_project_subnets = {
+ "sample-base" = local.base_subnetwork_self_link,
+ "sample-floating" = local.base_subnetwork_self_link,
+ "sample-peering" = data.terraform_remote_state.projects_env.outputs.peering_subnetwork_self_link,
+ "sample-restrict" = local.base_subnetwork_self_link,
+ }
+ env_project_resource_manager_tags = {
+ "sample-base" = null,
+ "sample-floating" = null,
+ "sample-peering" = data.terraform_remote_state.projects_env.outputs.iap_firewall_tags,
+ "sample-restrict" = null,
+ }
+
+ subnetwork_self_links = data.terraform_remote_state.projects_env.outputs.base_subnets_self_links
+ base_subnetwork_self_link = [for subnet in local.subnetwork_self_links : subnet if length(regexall("regions/${var.region}/subnetworks", subnet)) > 0][0]
+
 env_project_id = local.env_project_ids[var.project_suffix]
- subnetwork_self_links = data.terraform_remote_state.projects_env.outputs.base_subnets_self_links
- subnetwork_self_link = [for subnet in local.subnetwork_self_links : subnet if length(regexall("regions/${var.region}/subnetworks", subnet)) > 0][0]
+ subnetwork_self_link = local.env_project_subnets[var.project_suffix]
+ resource_manager_tags = local.env_project_resource_manager_tags[var.project_suffix]
 }
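Review bot: `env_project_subnets["sample-peering"]` takes the remote-state output as-is, and 4-projects sets `peering_subnetwork_self_link` to `""` when `peering_iap_fw_rules_enabled` is false, so for `project_suffix = "sample-peering"` `local.subnetwork_self_link` silently becomes an empty string and the failure surfaces as an API error on the instance rather than a plan-time message naming the toggle. A `lifecycle { precondition }` on the instance (or on whatever consumes `local.subnetwork_self_link`) with `condition = local.subnetwork_self_link != ""` and an error message pointing at `peering_iap_fw_rules_enabled` in 4-projects would make the dependency explicit. Note also that `env_project_subnets` evaluates `base_subnetwork_self_link` (including its `[0]`) for every suffix, so the region filter must still match at least one base subnet even when only the peering instance is deployed, as it did before this change. The `locals` block starts before the hunk.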
@@ -63,11 +79,12 @@ module "instance_template" {
 module "compute_instance" {
 source = "terraform-google-modules/vm/google//modules/compute_instance"
- version = "~> 8.0"
+ version = "~> 10.0"
- region = var.region
- subnetwork = local.subnetwork_self_link
- num_instances = var.num_instances
- hostname = var.hostname
- instance_template = module.instance_template.self_link
+ region = var.region
+ subnetwork = local.subnetwork_self_link
+ num_instances = var.num_instances
+ hostname = var.hostname
+ instance_template = module.instance_template.self_link
+ resource_manager_tags = local.resource_manager_tags
 }
diff --git a/test/integration/projects/projects_test.go b/test/integration/projects/projects_test.go
index 235ff0859..6e2323eb3 100644
--- a/test/integration/projects/projects_test.go
+++ b/test/integration/projects/projects_test.go
@@ -16,6 +16,7 @@ package projects
 import (
 "fmt"
+ "strings"
 "testing"
 "time"
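Review bot: `version = "~> 10.0"` moves the vm module two majors in one step so that `resource_manager_tags` can be passed, but `module "instance_template"` (its block starts before the hunk) is not touched anywhere in the diff; if it still pins an older major of the same module family the two may disagree on template attributes, so its version should be checked and, if needed, raised together with this one. A short comment, `# bumped for resource_manager_tags support`, would record why the jump was made, assuming that is the reason — the hunk implies it but does not state it.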
@@ -221,8 +222,39 @@ func TestProjects(t *testing.T) {
 }
 if projectOutput == "peering_project" {
+
+ peeringProjectSaRoles := append(project_sa_roles, "roles/resourcemanager.tagUser")
+ iamFilter := fmt.Sprintf("bindings.members:'serviceAccount:%s'", sharedCloudBuildSA)
+ iamOpts := gcloud.WithCommonArgs([]string{"--flatten", "bindings", "--filter", iamFilter, "--format", "json"})
+ projectPolicy := gcloud.Run(t, fmt.Sprintf("projects get-iam-policy %s", projectID), iamOpts).Array()
+ listRoles := testutils.GetResultFieldStrSlice(projectPolicy, "bindings.role")
+ assert.Subset(listRoles, peeringProjectSaRoles, fmt.Sprintf("service account %s should have project level roles", sharedCloudBuildSA))
+
 peering := gcloud.Runf(t, "compute networks peerings list --project %s", projectID).Array()[0]
 assert.Contains(peering.Get("peerings.0.network").String(), tt.baseNetwork, "should have a peering network")
+
+ instanceRegion := utils.ValFromEnv(t, "TF_VAR_instance_region")
+ peeringSubnetworkSelfLink := projects.GetStringOutput("peering_subnetwork_self_link")
+ peeringSubnetworkSelfLinkSplitted := strings.Split(peeringSubnetworkSelfLink, "/")
+ peering_subnetwork_name := peeringSubnetworkSelfLinkSplitted[len(peeringSubnetworkSelfLinkSplitted)-1]
+ subnet := gcloud.Run(t, fmt.Sprintf("compute networks subnets describe %s --project %s --region %s", peering_subnetwork_name, projectID, instanceRegion))
+ assert.Equal("PRIVATE", subnet.Get("purpose").String(), "Purpose should be PRIVATE")
+
+ iapFirewallPolicy := gcloud.Run(t, fmt.Sprintf("compute network-firewall-policies list --project=%s --global", projectID)).Array()[0]
+ iapFirewallPolicyName := iapFirewallPolicy.Get("name")
+
+ iapSshRule := gcloud.Run(t, fmt.Sprintf("compute network-firewall-policies rules describe 1000 --firewall-policy=%s --global-firewall-policy --project=%s", iapFirewallPolicyName, projectID)).Array()[0]
+ assert.Equal("INGRESS", iapSshRule.Get("direction").String(), "Direction should be INGRESS")
+ assert.Equal("allow", iapSshRule.Get("action").String(), "Action should be ALLOW")
+ assert.Equal("EFFECTIVE", iapSshRule.Get("targetSecureTags.0.state").String(), "Should be bound to an effective terget secure tag")
+ assert.Equal("22", iapSshRule.Get("match.layer4Configs.0.ports.0").String(), "Protocol port should be 22")
+
+ iapRdpRule := gcloud.Run(t, fmt.Sprintf("compute network-firewall-policies rules describe 1001 --firewall-policy=%s --global-firewall-policy --project=%s", iapFirewallPolicyName, projectID)).Array()[0]
+ assert.Equal("INGRESS", iapRdpRule.Get("direction").String(), "Direction should be INGRESS")
+ assert.Equal("allow", iapRdpRule.Get("action").String(), "Action should be ALLOW")
+ assert.Equal("EFFECTIVE", iapRdpRule.Get("targetSecureTags.0.state").String(), "Should be bound to an effective terget secure tag")
+ assert.Equal("3389", iapRdpRule.Get("match.layer4Configs.0.ports.0").String(), "Protocol port should be 3389")
+
 }
 }
 })
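Review bot: `gcloud.Run(...).Array()[0]` on the `network-firewall-policies list` result (and on the two `rules describe` calls) panics with an index-out-of-range when the list comes back empty, which turns "policy not created" into a stack trace instead of a readable assertion; bind the slice first, `policies := gcloud.Run(...).Array()`, then `assert.NotEmpty(policies, "expected an IAP firewall policy")` and return before indexing. `peering_subnetwork_name` is the only snake_case identifier in the block — `peeringSubnetworkName` matches the surrounding names and keeps staticcheck quiet. `peeringProjectSaRoles := append(project_sa_roles, ...)` writes into `project_sa_roles`'s backing array if that slice has spare capacity (it is declared outside the hunk, so I cannot tell); `append([]string(nil), project_sa_roles...)` followed by the append avoids the aliasing. The enclosing `TestProjects` body starts before the hunk.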