The purpose of this step is to set up base and restricted shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, onprem Dedicated Interconnect, onprem VPN and baseline firewall rules for environment development.
- 0-bootstrap executed successfully.
- 1-org executed successfully.
- 2-environments/envs/development executed successfully.
- 3-networks-dual-svpc/envs/shared executed successfully.
- Obtain the value for the access_context_manager_policy_id variable. Can be obtained by running
gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)".
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| access_context_manager_policy_id | The id of the default Access Context Manager policy created in step 1-org. Can be obtained by running gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)". |
number |
n/a | yes |
| domain | The DNS name of peering managed zone, for instance 'example.com.'. Must end with a period. | string |
n/a | yes |
| egress_policies | A list of all egress policies to use in an enforced perimeter. Each list object has a from and to value that describes egress_from and egress_to.Example: [{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]Valid Values: ID_TYPE = null or IDENTITY_TYPE_UNSPECIFIED (only allow indentities from list); ANY_IDENTITY; ANY_USER_ACCOUNT; ANY_SERVICE_ACCOUNTSRV_NAME = "*" (allow all services) or Specific ServicesOP_TYPE = methods or permissions |
list(object({ |
[] |
no |
| egress_policies_dry_run | A list of all egress policies to use in a dry-run perimeter. Each list object has a from and to value that describes egress_from and egress_to.Example: [{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]Valid Values: ID_TYPE = null or IDENTITY_TYPE_UNSPECIFIED (only allow indentities from list); ANY_IDENTITY; ANY_USER_ACCOUNT; ANY_SERVICE_ACCOUNTSRV_NAME = "*" (allow all services) or Specific ServicesOP_TYPE = methods or permissions |
list(object({ |
[] |
no |
| ingress_policies | A list of all ingress policies to use in an enforced perimeter. Each list object has a from and to value that describes ingress_from and ingress_to.Example: [{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]Valid Values: ID_TYPE = null or IDENTITY_TYPE_UNSPECIFIED (only allow indentities from list); ANY_IDENTITY; ANY_USER_ACCOUNT; ANY_SERVICE_ACCOUNTSRV_NAME = "*" (allow all services) or Specific ServicesOP_TYPE = methods or permissions |
list(object({ |
[] |
no |
| ingress_policies_dry_run | A list of all ingress policies to use in a dry-run perimeter. Each list object has a from and to value that describes ingress_from and ingress_to.Example: [{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]Valid Values: ID_TYPE = null or IDENTITY_TYPE_UNSPECIFIED (only allow indentities from list); ANY_IDENTITY; ANY_USER_ACCOUNT; ANY_SERVICE_ACCOUNTSRV_NAME = "*" (allow all services) or Specific ServicesOP_TYPE = methods or permissions |
list(object({ |
[] |
no |
| perimeter_additional_members | The list of additional members to be added to the enforced perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: user:[email protected] or serviceAccount:[email protected]. |
list(string) |
[] |
no |
| perimeter_additional_members_dry_run | The list of additional members to be added to the dry-run perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: user:[email protected] or serviceAccount:[email protected]. |
list(string) |
[] |
no |
| remote_state_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | string |
n/a | yes |
| tfc_org_name | Name of the TFC organization | string |
"" |
no |
| Name | Description |
|---|---|
| access_context_manager_policy_id | Access Context Manager Policy ID. |
| access_level_name | Access context manager access level name |
| access_level_name_dry_run | Access context manager access level name for the dry-run perimeter |
| base_host_project_id | The base host project ID |
| base_network_name | The name of the VPC being created |
| base_network_self_link | The URI of the VPC being created |
| base_subnets_ips | The IPs and CIDRs of the subnets being created |
| base_subnets_names | The names of the subnets being created |
| base_subnets_secondary_ranges | The secondary ranges associated with these subnets |
| base_subnets_self_links | The self-links of subnets being created |
| enforce_vpcsc | Enable the enforced mode for VPC Service Controls. It is not recommended to enable VPC-SC on the first run deploying your foundation. Review best practices for enabling VPC Service Controls, then only enforce the perimeter after you have analyzed the access patterns in your dry-run perimeter and created the necessary exceptions for your use cases. |
| restricted_host_project_id | The restricted host project ID |
| restricted_network_name | The name of the VPC being created |
| restricted_network_self_link | The URI of the VPC being created |
| restricted_service_perimeter_name | Access context manager service perimeter name |
| restricted_subnets_ips | The IPs and CIDRs of the subnets being created |
| restricted_subnets_names | The names of the subnets being created |
| restricted_subnets_secondary_ranges | The secondary ranges associated with these subnets |
| restricted_subnets_self_links | The self-links of subnets being created |