-
Notifications
You must be signed in to change notification settings - Fork 1.2k
/
metadata.yaml
324 lines (320 loc) · 13.9 KB
/
metadata.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: blueprints.cloud.google.com/v1alpha1
kind: BlueprintMetadata
metadata:
name: terraform-google-network
annotations:
config.kubernetes.io/local-config: "true"
spec:
info:
title: Terraform Network Module
source:
repo: https://github.com/terraform-google-modules/terraform-google-network.git
sourceType: git
version: 10.0.0
actuationTool:
flavor: Terraform
version: ">= 1.3"
description: {}
content:
subBlueprints:
- name: fabric-net-firewall
location: modules/fabric-net-firewall
- name: fabric-net-svpc-access
location: modules/fabric-net-svpc-access
- name: firewall-rules
location: modules/firewall-rules
- name: hierarchical-firewall-policy
location: modules/hierarchical-firewall-policy
- name: network-firewall-policy
location: modules/network-firewall-policy
- name: network-peering
location: modules/network-peering
- name: private-service-connect
location: modules/private-service-connect
- name: routes
location: modules/routes
- name: routes-beta
location: modules/routes-beta
- name: subnets
location: modules/subnets
- name: subnets-beta
location: modules/subnets-beta
- name: vpc
location: modules/vpc
- name: vpc-serverless-connector-beta
location: modules/vpc-serverless-connector-beta
examples:
- name: basic_auto_mode
location: examples/basic_auto_mode
- name: basic_custom_mode
location: examples/basic_custom_mode
- name: basic_firewall_rule
location: examples/basic_firewall_rule
- name: basic_secondary_ranges
location: examples/basic_secondary_ranges
- name: basic_shared_vpc
location: examples/basic_shared_vpc
- name: basic_vpc_peering
location: examples/basic_vpc_peering
- name: bidirectional-firewall-rules
location: examples/bidirectional-firewall-rules
- name: delete_default_gateway_routes
location: examples/delete_default_gateway_routes
- name: firewall_logging
location: examples/firewall_logging
- name: global-network-firewall-policy
location: examples/global-network-firewall-policy
- name: hierarchical-firewall-policy
location: examples/hierarchical-firewall-policy
- name: ilb_routing
location: examples/ilb_routing
- name: multi_vpc
location: examples/multi_vpc
- name: network_service_tiers
location: examples/network_service_tiers
- name: packet_mirroring
location: examples/packet_mirroring
- name: private_service_connect
location: examples/private_service_connect
- name: private_service_connect_google_apis
location: examples/private_service_connect_google_apis
- name: regional-network-firewall-policy
location: examples/regional-network-firewall-policy
- name: routes
location: examples/routes
- name: secondary_ranges
location: examples/secondary_ranges
- name: simple_ipv6_project
location: examples/simple_ipv6_project
- name: simple_project
location: examples/simple_project
- name: simple_project_with_regional_network
location: examples/simple_project_with_regional_network
- name: submodule_firewall
location: examples/submodule_firewall
- name: submodule_network_peering
location: examples/submodule_network_peering
- name: submodule_svpc_access
location: examples/submodule_svpc_access
- name: submodule_vpc_serverless_connector
location: examples/submodule_vpc_serverless_connector
interfaces:
variables:
- name: auto_create_subnetworks
description: When set to true, the network is created in 'auto subnet mode' and it will create a subnet for each region automatically across the 10.128.0.0/9 address range. When set to false, the network is created in 'custom subnet mode' so the user can explicitly connect subnetwork resources.
varType: bool
defaultValue: false
- name: delete_default_internet_gateway_routes
description: If set, ensure that all routes within the network specified whose names begin with 'default-route' and with a next hop of 'default-internet-gateway' are deleted
varType: bool
defaultValue: false
- name: description
description: An optional description of this resource. The resource must be recreated to modify this field.
varType: string
defaultValue: ""
- name: egress_rules
description: List of egress rules. This will be ignored if variable 'rules' is non-empty
varType: |-
list(object({
name = string
description = optional(string, null)
disabled = optional(bool, null)
priority = optional(number, null)
destination_ranges = optional(list(string), [])
source_ranges = optional(list(string), [])
source_tags = optional(list(string))
source_service_accounts = optional(list(string))
target_tags = optional(list(string))
target_service_accounts = optional(list(string))
allow = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
deny = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
log_config = optional(object({
metadata = string
}))
}))
defaultValue: []
- name: enable_ipv6_ula
description: Enabled IPv6 ULA, this is a permenant change and cannot be undone! (default 'false')
varType: bool
defaultValue: false
- name: firewall_rules
description: This is DEPRICATED and available for backward compatiblity. Use ingress_rules and egress_rules variables. List of firewall rules
varType: |-
list(object({
name = string
description = optional(string, null)
direction = optional(string, "INGRESS")
disabled = optional(bool, null)
priority = optional(number, null)
ranges = optional(list(string), [])
source_tags = optional(list(string))
source_service_accounts = optional(list(string))
target_tags = optional(list(string))
target_service_accounts = optional(list(string))
allow = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
deny = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
log_config = optional(object({
metadata = string
}))
}))
defaultValue: []
- name: ingress_rules
description: List of ingress rules. This will be ignored if variable 'rules' is non-empty
varType: |-
list(object({
name = string
description = optional(string, null)
disabled = optional(bool, null)
priority = optional(number, null)
destination_ranges = optional(list(string), [])
source_ranges = optional(list(string), [])
source_tags = optional(list(string))
source_service_accounts = optional(list(string))
target_tags = optional(list(string))
target_service_accounts = optional(list(string))
allow = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
deny = optional(list(object({
protocol = string
ports = optional(list(string))
})), [])
log_config = optional(object({
metadata = string
}))
}))
defaultValue: []
- name: internal_ipv6_range
description: When enabling IPv6 ULA, optionally, specify a /48 from fd20::/20 (default null)
varType: string
- name: mtu
description: "The network MTU (If set to 0, meaning MTU is unset - defaults to '1460'). Recommended values: 1460 (default for historic reasons), 1500 (Internet default), or 8896 (for Jumbo packets). Allowed are all values in the range 1300 to 8896, inclusively."
varType: number
defaultValue: 0
- name: network_firewall_policy_enforcement_order
description: Set the order that Firewall Rules and Firewall Policies are evaluated. Valid values are `BEFORE_CLASSIC_FIREWALL` and `AFTER_CLASSIC_FIREWALL`. (default null or equivalent to `AFTER_CLASSIC_FIREWALL`)
varType: string
- name: network_name
description: The name of the network being created
varType: string
required: true
- name: project_id
description: The ID of the project where this VPC will be created
varType: string
required: true
- name: routes
description: List of routes being created in this VPC
varType: list(map(string))
defaultValue: []
- name: routing_mode
description: The network routing mode (default 'GLOBAL')
varType: string
defaultValue: GLOBAL
- name: secondary_ranges
description: Secondary ranges that will be used in some of the subnets
varType: map(list(object({ range_name = string, ip_cidr_range = string })))
defaultValue: {}
- name: shared_vpc_host
description: Makes this project a Shared VPC host if 'true' (default 'false')
varType: bool
defaultValue: false
- name: subnets
description: The list of subnets being created
varType: |-
list(object({
subnet_name = string
subnet_ip = string
subnet_region = string
subnet_private_access = optional(string)
subnet_private_ipv6_access = optional(string)
subnet_flow_logs = optional(string)
subnet_flow_logs_interval = optional(string)
subnet_flow_logs_sampling = optional(string)
subnet_flow_logs_metadata = optional(string)
subnet_flow_logs_filter = optional(string)
subnet_flow_logs_metadata_fields = optional(list(string))
description = optional(string)
purpose = optional(string)
role = optional(string)
stack_type = optional(string)
ipv6_access_type = optional(string)
}))
required: true
outputs:
- name: network
description: The created network
- name: network_id
description: The ID of the VPC being created
- name: network_name
description: The name of the VPC being created
- name: network_self_link
description: The URI of the VPC being created
- name: project_id
description: VPC project id
- name: route_names
description: The route names associated with this VPC
- name: subnets
description: A map with keys of form subnet_region/subnet_name and values being the outputs of the google_compute_subnetwork resources used to create corresponding subnets.
- name: subnets_flow_logs
description: Whether the subnets will have VPC flow logs enabled
- name: subnets_ids
description: The IDs of the subnets being created
- name: subnets_ips
description: The IPs and CIDRs of the subnets being created
- name: subnets_names
description: The names of the subnets being created
- name: subnets_private_access
description: Whether the subnets will have access to Google API's without a public IP
- name: subnets_regions
description: The region where the subnets will be created
- name: subnets_secondary_ranges
description: The secondary ranges associated with these subnets
- name: subnets_self_links
description: The self-links of subnets being created
requirements:
roles:
- level: Project
roles:
- roles/compute.networkAdmin
- roles/compute.securityAdmin
- roles/iam.serviceAccountUser
- roles/vpcaccess.admin
- roles/serviceusage.serviceUsageAdmin
- roles/dns.admin
- roles/resourcemanager.tagAdmin
- roles/iam.serviceAccountAdmin
- roles/compute.orgFirewallPolicyAdmin
services:
- cloudresourcemanager.googleapis.com
- compute.googleapis.com
- serviceusage.googleapis.com
- vpcaccess.googleapis.com
- dns.googleapis.com
- networksecurity.googleapis.com
- iam.googleapis.com