

Adding base NCC config
Luca Prete committed Feb 7, 2023
1 parent 3ae1c80 commit 3cb589c
Showing 3 changed files with 173 additions and 105 deletions.
196 changes: 105 additions & 91 deletions fast/stages/02-networking-nva/ncc.tf
Expand Up @@ -15,66 +15,19 @@
*/

locals {
ncc_cr_intf_configs = {
int-untrusted-ew11 = {
address = cidrhost(module.landing-untrusted-vpc.subnet_ips["europe-west1/landing-untrusted-default-ew1"], 201)
area = "untrusted"
nva_zone = "europe-west1-b"
region = "europe-west1"
subnetwork = module.landing-untrusted-vpc.subnet_self_links["europe-west1/landing-untrusted-default-ew1"]
}
int-untrusted-ew12 = {
address = cidrhost(module.landing-untrusted-vpc.subnet_ips["europe-west1/landing-untrusted-default-ew1"], 202)
area = "untrusted"
nva_zone = "europe-west1-c"
region = "europe-west1"
subnetwork = module.landing-untrusted-vpc.subnet_self_links["europe-west1/landing-untrusted-default-ew1"]
}
int-untrusted-ew41 = {
address = cidrhost(module.landing-untrusted-vpc.subnet_ips["europe-west4/landing-untrusted-default-ew4"], 201)
area = "untrusted"
nva_zone = "europe-west4-b"
region = "europe-west4"
subnetwork = module.landing-untrusted-vpc.subnet_self_links["europe-west4/landing-untrusted-default-ew4"]
}
int-untrusted-ew42 = {
address = cidrhost(module.landing-untrusted-vpc.subnet_ips["europe-west4/landing-untrusted-default-ew4"], 202)
area = "untrusted"
nva_zone = "europe-west4-c"
region = "europe-west4"
subnetwork = module.landing-untrusted-vpc.subnet_self_links["europe-west4/landing-untrusted-default-ew4"]
}
int-trusted-ew11 = {
address = cidrhost(module.landing-trusted-vpc.subnet_ips["europe-west1/landing-trusted-default-ew1"], 201)
area = "trusted"
nva_zone = "europe-west1-b"
region = "europe-west1"
subnetwork = module.landing-trusted-vpc.subnet_self_links["europe-west1/landing-trusted-default-ew1"]
}
int-trusted-ew12 = {
address = cidrhost(module.landing-trusted-vpc.subnet_ips["europe-west1/landing-trusted-default-ew1"], 202)
area = "trusted"
nva_zone = "europe-west1-c"
region = "europe-west1"
subnetwork = module.landing-trusted-vpc.subnet_self_links["europe-west1/landing-trusted-default-ew1"]
}
int-trusted-ew41 = {
address = cidrhost(module.landing-trusted-vpc.subnet_ips["europe-west4/landing-trusted-default-ew4"], 201)
area = "trusted"
nva_zone = "europe-west4-b"
region = "europe-west4"
subnetwork = module.landing-trusted-vpc.subnet_self_links["europe-west4/landing-trusted-default-ew4"]
}
int-trusted-ew42 = {
address = cidrhost(module.landing-trusted-vpc.subnet_ips["europe-west4/landing-trusted-default-ew4"], 202)
area = "trusted"
nva_zone = "europe-west4-c"
region = "europe-west4"
subnetwork = module.landing-trusted-vpc.subnet_self_links["europe-west4/landing-trusted-default-ew4"]
}
ncc_cr_intf_untrusted_configs = {
ew10 = { host_number = 201, region = "europe-west1", redundant = "ew11" }
ew11 = { host_number = 202, region = "europe-west1", redundant = "ew10" }
ew41 = { host_number = 201, region = "europe-west4", redundant = "ew41" }
ew42 = { host_number = 202, region = "europe-west4", redundant = "ew40" }
}

ncc_cr_intf_trusted_configs = {
ew10 = { host_number = 201, region = "europe-west1", redundant = "ew11" }
ew11 = { host_number = 202, region = "europe-west1", redundant = "ew10" }
ew41 = { host_number = 201, region = "europe-west4", redundant = "ew41" }
ew42 = { host_number = 202, region = "europe-west4", redundant = "ew40" }
}
ncc_routers = toset([for config in local.ncc_cr_intf_configs : "prod-${config.area}-${config.region}"])
nva_regions = toset([for config in local.nva_configs : config.region])
}

resource "google_network_connectivity_hub" "hub" {
Expand All @@ -84,7 +37,7 @@ resource "google_network_connectivity_hub" "hub" {
}

resource "google_network_connectivity_spoke" "spoke_untrusted" {
for_each = local.nva_regions
for_each = var.region_trigram
name = "prod-spoke-untrusted-${each.key}"
project = module.landing-project.project_id
location = each.key
Expand All @@ -108,7 +61,7 @@ resource "google_network_connectivity_spoke" "spoke_untrusted" {
}

resource "google_network_connectivity_spoke" "spoke_trusted" {
for_each = local.nva_regions
for_each = var.region_trigram
name = "prod-spoke-trusted-${each.key}"
project = module.landing-project.project_id
location = each.key
Expand All @@ -131,43 +84,104 @@ resource "google_network_connectivity_spoke" "spoke_trusted" {
}
}

resource "google_compute_address" "router_intf_addrs" {
for_each = {
for key, config in local.ncc_cr_intf_configs :
key => config.area
resource "google_compute_router" "routers_untrusted" {
for_each = var.region_trigram
name = "prod-untrusted-${each.value}"
region = each.key
network = module.landing-untrusted-vpc.self_link
bgp {
asn = var.router_configs.landing-untrusted-ncc.asn
}
name = each.key
region = each.value.region
subnetwork = each.value.subnetwork
address = each.value.address
address_type = "INTERNAL"
}

resource "google_compute_router" "router_untrusted" {
for_each = keys(var.region_trigram)
name = "prod-untrusted-${each.value}"
region = each.value
network = module.landing-untrusted-vpc.self_link
resource "google_compute_router" "routers_trusted" {
for_each = var.region_trigram
name = "prod-trusted-${each.value}"
region = each.key
network = module.landing-trusted-vpc.self_link
bgp {
asn = 64512
asn = var.router_configs.landing-trusted-ncc.asn
}
}

resource "google_compute_router" "router_trusted" {
for_each = keys(var.region_trigram)
name = "prod-trusted-${each.value}"
region = each.value
network = module.landing-trusted-vpc.self
bgp {
asn = 64512
}
resource "google_compute_address" "router_intf_addrs_untrusted" {
for_each = local.ncc_cr_intf_untrusted_configs
name = "prod-untrusted-${each.key}"
region = each.value.region
subnetwork = module.landing-untrusted-vpc.subnet_self_links["${each.value.region}/landing-untrusted-default-${var.region_trigram[each.value.region]}"]
address = cidrhost(module.landing-untrusted-vpc.subnet_ips["${each.value.region}/landing-untrusted-default-${var.region_trigram[each.value.region]}"], each.value.host_number)
address_type = "INTERNAL"
}

resource "google_compute_address" "router_intf_addrs_trusted" {
for_each = local.ncc_cr_intf_trusted_configs
name = "prod-trusted-${each.key}"
region = each.value.region
subnetwork = module.landing-trusted-vpc.subnet_self_links["${each.value.region}/landing-trusted-default-${var.region_trigram[each.value.region]}"]
address = cidrhost(module.landing-trusted-vpc.subnet_ips["${each.value.region}/landing-trusted-default-${var.region_trigram[each.value.region]}"], each.value.host_number)
address_type = "INTERNAL"
}

resource "google_compute_router_interface" "router_intfs_untrusted" {
for_each = local.ncc_cr_intf_untrusted_configs
name = "prod-untrusted-${each.key}"
region = each.value.region
router = google_compute_router.routers_untrusted[each.value.region].name
subnetwork = module.landing-untrusted-vpc.subnet_self_links["${each.value.region}/landing-untrusted-default-${var.region_trigram[each.value.region]}"]
private_ip_address = google_compute_address.router_intf_addrs_trusted[each.key].address
redundant_interface = each.value.redundant
}

resource "google_compute_router_interface" "router_intfs_trusted" {
for_each = local.ncc_cr_intf_trusted_configs
name = "prod-trusted-${each.key}"
region = each.value.region
router = google_compute_router.routers_trusted[each.value.region].name
subnetwork = module.landing-trusted-vpc.subnet_self_links["${each.value.region}/landing-trusted-default-${var.region_trigram[each.value.region]}"]
private_ip_address = google_compute_address.router_intf_addrs_untrusted[each.key].address
redundant_interface = each.value.redundant
}

resource "google_compute_router_peer" "peers_untrusted_to_nvas_zone_b" {
for_each = local.ncc_cr_intf_untrusted_configs
interface = "prod-untrusted-${each.key}"
name = "prod-untrusted-${each.key}-b"
peer_asn = 65513
peer_ip_address = local.nva_configs["${each.value.region}-b"].ip_untrusted
region = each.value.region
router = google_compute_router.routers_untrusted[each.value.region].name
router_appliance_instance = module.nva["${each.value.region}-b"].self_link
}

resource "google_compute_router_peer" "peers_untrusted_to_nvas_zone_c" {
for_each = local.ncc_cr_intf_untrusted_configs
interface = "prod-untrusted-${each.key}"
name = "prod-untrusted-${each.key}-c"
peer_asn = 65513
peer_ip_address = local.nva_configs["${each.value.region}-c"].ip_untrusted
region = each.value.region
router = google_compute_router.routers_untrusted[each.value.region].name
router_appliance_instance = module.nva["${each.value.region}-c"].self_link
}

resource "google_compute_router_peer" "peers_trusted_to_nvas_zone_b" {
for_each = local.ncc_cr_intf_trusted_configs
interface = "prod-trusted-${each.key}"
name = "prod-trusted-${each.key}-b"
peer_asn = 65514
peer_ip_address = local.nva_configs["${each.value.region}-b"].ip_trusted
region = each.value.region
router = google_compute_router.routers_trusted[each.value.region].name
router_appliance_instance = module.nva["${each.value.region}-b"].self_link
}

resource "google_compute_router_interface" "interface_untrusted" {
for_each = keys(var.region_trigram)
name = "prod-untrusted-${each.value}-"
region = google_compute_router.router.region
router = google_compute_router.router.name
subnetwork = google_compute_subnetwork.subnetwork.self_link
private_ip_address = google_compute_address.addr_intf_redundant.address
resource "google_compute_router_peer" "peers_trusted_to_nvas_zone_c" {
for_each = local.ncc_cr_intf_trusted_configs
interface = "prod-trusted-${each.key}"
name = "prod-trusted-${each.key}-c"
peer_asn = 65514
peer_ip_address = local.nva_configs["${each.value.region}-c"].ip_trusted
region = each.value.region
router = google_compute_router.routers_trusted[each.value.region].name
router_appliance_instance = module.nva["${each.value.region}-c"].self_link
}
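Review bot: The router interfaces are cross-wired: `router_intfs_untrusted` takes its `private_ip_address` from `google_compute_address.router_intf_addrs_trusted[each.key].address` and `router_intfs_trusted` from `router_intf_addrs_untrusted[each.key].address`, so each Cloud Router interface is handed an address reserved in the other VPC's subnet, which the API should reject since the address is not in the interface's `subnetwork` (and, were it accepted, the BGP sessions toward the NVAs' untrusted/trusted legs would sit on the wrong side). The fix is to swap the two references: `private_ip_address = google_compute_address.router_intf_addrs_untrusted[each.key].address` in `router_intfs_untrusted` and the `_trusted` address in `router_intfs_trusted`. The `redundant` values in `ncc_cr_intf_untrusted_configs` and `ncc_cr_intf_trusted_configs` also look off: `ew41` points to itself and `ew42` to a non-existent `ew40`, whereas `ew10`/`ew11` are paired as intended; and `redundant_interface` receives the bare key (`ew11`) while the interfaces are named `prod-untrusted-${each.key}`, so the reference should presumably be built as `"prod-untrusted-${each.value.redundant}"` (and `"prod-trusted-..."` on the trusted side) — please confirm against the provider's expectation that `redundant_interface` is an interface name. Finally, `peer_asn` is hard-coded to `65513`/`65514` in all four `google_compute_router_peer` resources while the routers' own ASN now comes from `var.router_configs.landing-*-ncc.asn`; keeping the NVA ASNs next to them in `var.router_configs` would avoid the two drifting apart.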
70 changes: 57 additions & 13 deletions fast/stages/02-networking-nva/nva.tf
Expand Up @@ -15,6 +15,13 @@
*/

locals {
nva_locality = {
europe-west1-b = { region = "europe-west1", trigram = "ew1", zone = "b" },
europe-west1-c = { region = "europe-west1", trigram = "ew1", zone = "c" },
europe-west4-b = { region = "europe-west4", trigram = "ew4", zone = "b" },
europe-west4-c = { region = "europe-west4", trigram = "ew4", zone = "c" },
}

# routing_config should be aligned to the NVA network interfaces - i.e.
# local.routing_config[0] sets up the first interface, and so on.
routing_config = [
Expand All @@ -37,39 +44,36 @@ locals {
]
},
]

nva_configs = {
europe-west1-b = {
region = "europe-west1",
trigram = "ew1",
zone = "b",
ip_untrusted = cidrhost(module.landing-untrusted-vpc.subnet_ips["europe-west1/landing-untrusted-default-ew1"], 101)
ip_trusted = cidrhost(module.landing-trusted-vpc.subnet_ips["europe-west1/landing-trusted-default-ew1"], 101)
},
europe-west1-c = {
region = "europe-west1",
trigram = "ew1",
zone = "c",
ip_untrusted = cidrhost(module.landing-untrusted-vpc.subnet_ips["europe-west1/landing-untrusted-default-ew1"], 102)
ip_trusted = cidrhost(module.landing-trusted-vpc.subnet_ips["europe-west1/landing-trusted-default-ew1"], 102)
},
europe-west4-b = {
region = "europe-west4",
trigram = "ew4",
zone = "b",
ip_untrusted = cidrhost(module.landing-untrusted-vpc.subnet_ips["europe-west4/landing-untrusted-default-ew4"], 101)
ip_trusted = cidrhost(module.landing-trusted-vpc.subnet_ips["europe-west4/landing-trusted-default-ew4"], 101)
},
europe-west4-c = {
region = "europe-west4",
trigram = "ew4",
zone = "c",
ip_untrusted = cidrhost(module.landing-untrusted-vpc.subnet_ips["europe-west4/landing-untrusted-default-ew4"], 102)
ip_trusted = cidrhost(module.landing-trusted-vpc.subnet_ips["europe-west4/landing-trusted-default-ew4"], 102)
}
}
}

# NVA config
# NVA configs
module "nva-cloud-config" {
source = "../../../modules/cloud-config-container/simple-nva"
enable_health_checks = true
Expand All @@ -78,19 +82,19 @@ module "nva-cloud-config" {

resource "google_compute_address" "nva_static_ip_untrusted" {
for_each = local.nva_configs
name = "nva-ip-untrusted-${each.value.trigram}-${each.value.zone}"
name = "nva-ip-untrusted-${var.region_trigram[each.value.region]}-${each.value.zone}"
project = module.landing-project.project_id
subnetwork = module.landing-untrusted-vpc.subnet_self_links["${each.value.region}/landing-untrusted-default-${each.value.trigram}"]
subnetwork = module.landing-untrusted-vpc.subnet_self_links["${each.value.region}/landing-untrusted-default-${var.region_trigram[each.value.region]}"]
address_type = "INTERNAL"
address = each.value.ip_untrusted
region = each.value.region
}

resource "google_compute_address" "nva_static_ip_trusted" {
for_each = local.nva_configs
name = "nva-ip-trusted-${each.value.trigram}-${each.value.zone}"
name = "nva-ip-trusted-${var.region_trigram[each.value.region]}-${each.value.zone}"
project = module.landing-project.project_id
subnetwork = module.landing-trusted-vpc.subnet_self_links["${each.value.region}/landing-trusted-default-${each.value.trigram}"]
subnetwork = module.landing-trusted-vpc.subnet_self_links["${each.value.region}/landing-trusted-default-${var.region_trigram[each.value.region]}"]
address_type = "INTERNAL"
address = each.value.ip_trusted
region = each.value.region
Expand All @@ -100,15 +104,15 @@ module "nva" {
for_each = local.nva_configs
source = "../../../modules/compute-vm"
project_id = module.landing-project.project_id
name = "nva-${each.value.trigram}-${each.value.zone}"
name = "nva-${var.region_trigram[each.value.region]}-${each.value.zone}"
zone = "${each.value.region}-${each.value.zone}"
instance_type = "e2-standard-2"
tags = ["nva"]
can_ip_forward = true
network_interfaces = [
{
network = module.landing-untrusted-vpc.self_link
subnetwork = module.landing-untrusted-vpc.subnet_self_links["${each.value.region}/landing-untrusted-default-${each.value.trigram}"]
subnetwork = module.landing-untrusted-vpc.subnet_self_links["${each.value.region}/landing-untrusted-default-${var.region_trigram[each.value.region]}"]
nat = false
addresses = {
external = null
Expand All @@ -117,7 +121,7 @@ module "nva" {
},
{
network = module.landing-trusted-vpc.self_link
subnetwork = module.landing-trusted-vpc.subnet_self_links["${each.value.region}/landing-trusted-default-${each.value.trigram}"]
subnetwork = module.landing-trusted-vpc.subnet_self_links["${each.value.region}/landing-trusted-default-${var.region_trigram[each.value.region]}"]
nat = false
addresses = {
external = null
Expand All @@ -141,12 +145,52 @@ module "nva" {
}
}

module "nva-template" {
for_each = local.nva_locality
source = "../../../modules/compute-vm"
project_id = module.landing-project.project_id
name = "nva-template-${each.value.trigram}-${each.value.zone}"
zone = "${each.value.region}-${each.value.zone}"
instance_type = "e2-standard-2"
tags = ["nva"]
create_template = true
can_ip_forward = true
network_interfaces = [
{
network = module.landing-untrusted-vpc.self_link
subnetwork = module.landing-untrusted-vpc.subnet_self_links["${each.value.region}/landing-untrusted-default-${each.value.trigram}"]
nat = false
addresses = null
},
{
network = module.landing-trusted-vpc.self_link
subnetwork = module.landing-trusted-vpc.subnet_self_links["${each.value.region}/landing-trusted-default-${each.value.trigram}"]
nat = false
addresses = null
}
]
boot_disk = {
image = "projects/cos-cloud/global/images/family/cos-stable"
size = 10
type = "pd-balanced"
}
options = {
allow_stopping_for_update = true
deletion_protection = false
spot = true
termination_action = "STOP"
}
metadata = {
user-data = module.nva-cloud-config.cloud_config
}
}

module "nva-mig" {
for_each = local.nva_locality
source = "../../../modules/compute-mig"
project_id = module.landing-project.project_id
location = each.value.region
name = "nva-cos-${each.value.trigram}-${each.value.zone}"
name = "nva-cos-${var.region_trigram[each.value.region]}-${each.value.zone}"
instance_template = module.nva-template[each.key].template.self_link
target_size = 1
auto_healing_policies = {
Expand Down
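Review bot: The new `nva-template` module reads `each.value.trigram` from `local.nva_locality` (in `name` and in both `subnet_self_links` keys) while every other resource touched by this commit is moved to `var.region_trigram[each.value.region]` and the `trigram` field is dropped from `nva_configs`; `nva_locality` now duplicates the region/zone keys of `nva_configs` and the two maps will drift the next time a zone is added. Consider deriving it instead, e.g. `nva_locality = { for k, v in local.nva_configs : k => { region = v.region, zone = v.zone } }`, and using `var.region_trigram[each.value.region]` for the template name and subnet keys as the rest of the file does. Separately, the template sets `spot = true` with `termination_action = "STOP"` and `deletion_protection = false`, and the MIG it feeds has `target_size = 1`, so a single preemption takes the regional NVA path down until autohealing recreates the instance; if that trade-off is intentional for this stage, a one-line comment on the `options` block saying so would help the next reader. The `nva-mig` module starts inside the hunk and continues past it.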
