GoogleCloudPlatform · ludoo · Dec 8, 2022 · Nov 29, 2022 · Nov 30, 2022 · Dec 1, 2022
diff --git a/blueprints/README.md b/blueprints/README.md
@@ -8,7 +8,7 @@ Currently available blueprints:
 - **data solutions** - [GCE and GCS CMEK via centralized Cloud KMS](./data-solutions/cmek-via-centralized-kms), [Cloud Composer version 2 private instance, supporting Shared VPC and external CMEK key](./data-solutions/composer-2), [Cloud SQL instance with multi-region read replicas](./data-solutions/cloudsql-multiregion), [Data Platform](./data-solutions/data-platform-foundations), [Spinning up a foundation data pipeline on Google Cloud using Cloud Storage, Dataflow and BigQuery](./data-solutions/gcs-to-bq-with-least-privileges), [#SQL Server Always On Groups blueprint](./data-solutions/sqlserver-alwayson), [Data Playground](./data-solutions/data-playground)
 - **factories** - [The why and the how of Resource Factories](./factories), [Google Cloud Identity Group Factory](./factories/cloud-identity-group-factory), [Google Cloud BQ Factory](./factories/bigquery-factory), [Google Cloud VPC Firewall Factory](./factories/net-vpc-firewall-yaml), [Minimal Project Factory](./factories/project-factory)
 - **GKE** - [Binary Authorization Pipeline Blueprint](./gke/binauthz), [Storage API](./gke/binauthz/image), [Multi-cluster mesh on GKE (fleet API)](./gke/multi-cluster-mesh-gke-fleet-api), [GKE Multitenant Blueprint](./gke/multitenant-fleet), [Shared VPC with GKE support](./networking/shared-vpc-gke/)
-- **networking** - [Decentralized firewall management](./networking/decentralized-firewall), [Decentralized firewall validator](./networking/decentralized-firewall/validator), [Network filtering with Squid](./networking/filtering-proxy), [Network filtering with Squid with isolated VPCs using Private Service Connect](./networking/filtering-proxy-psc), [HTTP Load Balancer with Cloud Armor](./networking/glb-and-armor), [Hub and Spoke via VPN](./networking/hub-and-spoke-vpn), [Hub and Spoke via VPC Peering](./networking/hub-and-spoke-peering), [Internal Load Balancer as Next Hop](./networking/ilb-next-hop), [Nginx-based reverse proxy cluster](./networking/nginx-reverse-proxy-cluster), [On-prem DNS and Google Private Access](./networking/onprem-google-access-dns), [Calling a private Cloud Function from On-premises](./networking/private-cloud-function-from-onprem), [Hybrid connectivity to on-premise services through PSC](./networking/psc-hybrid), [PSC Producer](./networking/psc-hybrid/psc-producer), [PSC Consumer](./networking/psc-hybrid/psc-consumer), [Shared VPC with optional GKE cluster](./networking/shared-vpc-gke)
+- **networking** - [Decentralized firewall management](./networking/decentralized-firewall), [Decentralized firewall validator](./networking/decentralized-firewall/validator), [Network filtering with Squid](./networking/filtering-proxy), [Network filtering with Squid with isolated VPCs using Private Service Connect](./networking/filtering-proxy-psc), [HTTP Load Balancer with Cloud Armor](./networking/glb-and-armor), [Hub and Spoke via VPN](./networking/hub-and-spoke-vpn), [Hub and Spoke via VPC Peering](./networking/hub-and-spoke-peering), [Internal Load Balancer as Next Hop](./networking/ilb-next-hop), [On-prem DNS and Google Private Access](./networking/onprem-google-access-dns), [Calling a private Cloud Function from On-premises](./networking/private-cloud-function-from-onprem), [Hybrid connectivity to on-premise services through PSC](./networking/psc-hybrid), [PSC Producer](./networking/psc-hybrid/psc-producer), [PSC Consumer](./networking/psc-hybrid/psc-consumer), [Shared VPC with optional GKE cluster](./networking/shared-vpc-gke)
 - **serverless** - [Creating multi-region deployments for API Gateway](./serverless/api-gateway)
 - **third party solutions** - [OpenShift on GCP user-provisioned infrastructure](./third-party-solutions/openshift), [Wordpress deployment on Cloud Run](./third-party-solutions/wordpress/cloudrun)
 

diff --git a/blueprints/cloud-operations/adfs/main.tf b/blueprints/cloud-operations/adfs/main.tf
@@ -87,7 +87,7 @@ module "server" {
   }
   group = {
     named_ports = {
-      http = 443
+      https = 443
     }
   }
   tags = ["https-server"]
@@ -97,69 +97,25 @@ module "glb" {
   source     = "../../../modules/net-glb"
   name       = "${var.prefix}-glb"
   project_id = module.project.project_id
-
-  https              = true
-  reserve_ip_address = true
-
-  ssl_certificates_config = {
-    adfs-domain = {
-      domains = [
-        "${var.adfs_dns_domain_name}"
-      ],
-      unmanaged_config = null
+  protocol   = "HTTPS"
+  backend_service_configs = {
+    default = {
+      backends        = [{ backend = module.server.group.id }]
+      log_sample_rate = 1
+      protocol        = "HTTPS"
     }
   }
-
-  target_proxy_https_config = {
-    ssl_certificates = [
-      "adfs-domain"
-    ]
-  }
-
-  backend_services_config = {
-    adfs-group-backend = {
-      bucket_config = null
-      enable_cdn    = false
-      cdn_config    = null
-      group_config = {
-        backends = [
-          {
-            group   = module.server.group.id
-            options = null
-          }
-        ],
-        health_checks = ["hc"]
-        log_config = {
-          enable      = true
-          sample_rate = 1
-        }
-        options = {
-          affinity_cookie_ttl_sec         = null
-          custom_request_headers          = null
-          custom_response_headers         = null
-          connection_draining_timeout_sec = null
-          load_balancing_scheme           = null
-          locality_lb_policy              = null
-          port_name                       = null
-          security_policy                 = null
-          session_affinity                = null
-          timeout_sec                     = null
-          circuits_breakers               = null
-          consistent_hash                 = null
-          iap                             = null
-          protocol                        = "HTTPS"
-        }
+  health_check_configs = {
+    default = {
+      https = {
+        port_specification = "USE_SERVING_PORT"
       }
     }
   }
-  health_checks_config = {
-    hc = {
-      type    = "tcp"
-      logging = true
-      options = null
-      check = {
-        port_name          = "http"
-        port_specification = "USE_NAMED_PORT"
+  ssl_certificates = {
+    managed_configs = {
+      adfs-domain = {
+        domains = ["${var.adfs_dns_domain_name}"]
       }
     }
   }

diff --git a/blueprints/cloud-operations/adfs/outputs.tf b/blueprints/cloud-operations/adfs/outputs.tf
@@ -14,5 +14,5 @@
 
 output "ip_address" {
   description = "IP address."
-  value       = module.glb.ip_address
-}
+  value       = module.glb.address
+}
diff --git a/blueprints/cloud-operations/apigee/main.tf b/blueprints/cloud-operations/apigee/main.tf
@@ -39,11 +39,21 @@ module "project" {
     "storage.googleapis.com"
   ]
   iam = {
-    "roles/bigquery.jobUser"  = [module.function_gcs2bq.service_account_iam_email]
-    "roles/logging.logWriter" = [module.function_export.service_account_iam_email]
-    "roles/logging.logWriter" = [module.function_gcs2bq.service_account_iam_email]
-    "roles/apigee.admin"      = [module.function_export.service_account_iam_email]
-    "roles/storage.admin"     = ["serviceAccount:${module.project.service_accounts.robots.apigee}"]
+    "roles/bigquery.jobUser" = [
+      module.function_gcs2bq.service_account_iam_email
+    ]
+    "roles/logging.logWriter" = [
+      module.function_export.service_account_iam_email
+    ]
+    "roles/logging.logWriter" = [
+      module.function_gcs2bq.service_account_iam_email
+    ]
+    "roles/apigee.admin" = [
+      module.function_export.service_account_iam_email
+    ]
+    "roles/storage.admin" = [
+      "serviceAccount:${module.project.service_accounts.robots.apigee}"
+    ]
   }
 }
 
@@ -52,16 +62,14 @@ module "vpc" {
   project_id = module.project.project_id
   name       = var.organization.authorized_network
   vpc_create = var.vpc_create
-  subnets_psc = [for k, v in var.psc_config :
-    {
-      ip_cidr_range = v
-      name          = "subnet-psc-${k}"
-      region        = k
-    }
-  ]
+  subnets_psc = [for k, v in var.psc_config : {
+    ip_cidr_range = v
+    name          = "subnet-psc-${k}"
+    region        = k
+  }]
   psa_config = {
-    ranges = { for k, v in var.instances :
-      "apigee-${k}" => v.psa_ip_cidr_range
+    ranges = {
+      for k, v in var.instances : "apigee-${k}" => v.psa_ip_cidr_range
     }
   }
 }
@@ -78,76 +86,39 @@ module "apigee" {
   ]
 }
 
-resource "google_compute_region_network_endpoint_group" "neg" {
-  for_each              = var.instances
-  name                  = "apigee-neg-${each.key}"
-  project               = module.project.project_id
-  region                = each.value.region
-  network_endpoint_type = "PRIVATE_SERVICE_CONNECT"
-  psc_target_service    = module.apigee.instances[each.key].service_attachment
-  network               = module.vpc.network.self_link
-  subnetwork            = module.vpc.subnets_psc["${each.value.region}/subnet-psc-${each.value.region}"].self_link
-}
-
 module "glb" {
-  source     = "../../../modules/net-glb"
-  name       = "glb"
-  project_id = module.project.project_id
-
-  https              = true
-  reserve_ip_address = true
-
-  ssl_certificates_config = { for k, v in var.envgroups :
-    "${k}-domain" => {
-      domains          = v,
-      unmanaged_config = null
+  source              = "../../../modules/net-glb"
+  name                = "glb"
+  project_id          = module.project.project_id
+  protocol            = "HTTPS"
+  use_classic_version = false
+  backend_service_configs = {
+    default = {
+      backends = [for k, v in var.instances : { backend = k }]
+      protocol = "HTTPS"
     }
   }
-
-  target_proxy_https_config = {
-    ssl_certificates = [for k, v in var.envgroups : "${k}-domain"]
+  health_check_configs = {
+    default = {
+      https = { port_specification = "USE_SERVING_PORT" }
+    }
   }
-
-  health_checks_config_defaults = null
-
-  backend_services_config = {
-    apigee = {
-      bucket_config = null
-      enable_cdn    = false
-      cdn_config    = null
-      group_config = {
-        backends = [for k, v in google_compute_region_network_endpoint_group.neg :
-          {
-            group   = v.id
-            options = null
-          }
-        ],
-        health_checks = []
-        log_config    = null
-        options = {
-          affinity_cookie_ttl_sec         = null
-          custom_request_headers          = null
-          custom_response_headers         = null
-          connection_draining_timeout_sec = null
-          load_balancing_scheme           = "EXTERNAL_MANAGED"
-          locality_lb_policy              = null
-          port_name                       = null
-          security_policy                 = null
-          session_affinity                = null
-          timeout_sec                     = null
-          circuits_breakers               = null
-          consistent_hash                 = null
-          iap                             = null
-          protocol                        = "HTTPS"
-        }
+  neg_configs = {
+    for k, v in var.instances : k => {
+      psc = {
+        region         = v.region
+        target_service = module.apigee.instances[k].service_attachment
+        network        = module.vpc.network.self_link
+        subnetwork = (
+          module.vpc.subnets_psc["${v.region}/subnet-psc-${v.region}"].self_link
+        )
       }
     }
   }
-  global_forwarding_rule_config = {
-    load_balancing_scheme = "EXTERNAL_MANAGED"
-    ip_protocol           = "TCP"
-    ip_version            = "IPV4"
-    port_range            = null
+  ssl_certificates = {
+    managed_config = {
+      for k, v in var.envgroups : k => { domains = [v] }
+    }
   }
 }
 
@@ -162,7 +133,9 @@ module "bucket_export" {
   project_id = module.project.project_id
   name       = "${module.project.project_id}-export"
   iam = {
-    "roles/storage.objectViewer" = [module.function_gcs2bq.service_account_iam_email]
+    "roles/storage.objectViewer" = [
+      module.function_gcs2bq.service_account_iam_email
+    ]
   }
   notification_config = {
     enabled           = true
@@ -266,15 +239,24 @@ module "bigquery_dataset" {
     }
   }
   iam = {
-    "roles/bigquery.dataEditor" = [module.function_gcs2bq.service_account_iam_email]
+    "roles/bigquery.dataEditor" = [
+      module.function_gcs2bq.service_account_iam_email
+    ]
   }
 }
 
 resource "google_app_engine_application" "app" {
   project = module.project.project_id
-  location_id = ((var.organization.analytics_region == "europe-west1" || var.organization.analytics_region == "us-central1") ?
-    substr(var.organization.analytics_region, 0, length(var.organization.analytics_region) - 1) :
-  var.organization.analytics_region)
+  location_id = (
+    (
+      var.organization.analytics_region == "europe-west1" ||
+      var.organization.analytics_region == "us-central1"
+    )
+    ? substr(
+      var.organization.analytics_region, 0, length(var.organization.analytics_region) - 1
+    )
+    : var.organization.analytics_region
+  )
 }
 
 resource "google_cloud_scheduler_job" "job" {

diff --git a/blueprints/cloud-operations/apigee/outputs.tf b/blueprints/cloud-operations/apigee/outputs.tf
@@ -16,5 +16,5 @@
 
 output "ip_address" {
   description = "IP address."
-  value       = module.glb.ip_address
+  value       = module.glb.address
 }
diff --git a/blueprints/networking/README.md b/blueprints/networking/README.md
@@ -46,11 +46,13 @@ The blueprint shows how to implement spoke transitivity via BGP advertisements,
 
 <br clear="left">
 
+<!--
 ### Nginx-based reverse proxy cluster
 
-<a href="./nginx-reverse-proxy-cluster/" title="Nginx-based reverse proxy cluster"><img src="./nginx-reverse-proxy-cluster/reverse-proxy.png" align="left" width="280px"></a> This [blueprint](./nginx-reverse-proxy-cluster/) how to deploy an autoscaling reverse proxy cluster using Nginx, based on regional Managed Instance Groups. The autoscaling is driven by Nginx current connections metric, sent by Cloud Ops Agent.
+<a href="./_deprecated/nginx-reverse-proxy-cluster/" title="Nginx-based reverse proxy cluster"><img src="./_deprecated/nginx-reverse-proxy-cluster/reverse-proxy.png" align="left" width="280px"></a> This [blueprint](./nginx-reverse-proxy-cluster/) how to deploy an autoscaling reverse proxy cluster using Nginx, based on regional Managed Instance Groups. The autoscaling is driven by Nginx current connections metric, sent by Cloud Ops Agent.
 
 <br clear="left">
+-->
 
 ### DNS and Private Access for On-premises
 

diff --git a/blueprints/networking/_deprecated/README.md b/blueprints/networking/_deprecated/README.md
@@ -0,0 +1,5 @@
+# Deprecated or unsupported blueprints
+
+The blueprints in this folder are either deprecated or need work on them.
+
+- nginx reverse proxy cluster needs tests and resolving a cycle
diff --git a/...ng/nginx-reverse-proxy-cluster/Dockerfile → ...ed/nginx-reverse-proxy-cluster/Dockerfile b/...ng/nginx-reverse-proxy-cluster/Dockerfile → ...ed/nginx-reverse-proxy-cluster/Dockerfile
diff --git a/...ing/nginx-reverse-proxy-cluster/README.md → ...ted/nginx-reverse-proxy-cluster/README.md b/...ing/nginx-reverse-proxy-cluster/README.md → ...ted/nginx-reverse-proxy-cluster/README.md