This repo is part of a multipart guide that shows how to configure and deploy the example.com reference architecture described in Google Cloud security foundations guide (PDF). The following table lists the parts of the guide.
| 0-bootstrap (this file) | Bootstraps a Google Cloud organization, creating all the required resources and permissions to start using the Cloud Foundation Toolkit (CFT). This step also configures a CI/CD pipeline for foundations code in subsequent stages. |
For an overview of the architecture and the parts, see the Using the Terraform example.
The purpose of this step is to bootstrap a Google Cloud organization, creating all the required resources & permissions to start using the Cloud Foundation Toolkit (CFT). This step also configures a CI/CD pipeline for foundations code in subsequent stages. The CI/CD pipeline can use either Cloud Build and Cloud Source Repos or Jenkins and your own Git repos (which might live on-premises).
Copyright 2021 Google LLC
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
| Name | Version |
|---|---|
| terraform | >= 1.0.9 |
| >= 3.89.0 |
| Name | Version |
|---|---|
| 4.64.0 |
| Name | Source | Version |
|---|---|---|
| cloudbuild_bootstrap | ../modules/cloudbuild | 1.0.0 |
| runner-mig | ../modules/terraform-google-github-actions-runners/modules/gh-runner-mig-vm | 1.0.0 |
| seed_bootstrap | ../modules/terraform-google-bootstrap | 1.0.0 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| activate_apis | List of APIs to enable in the seed project. | list(string) |
[ |
no |
| allow-inbound-source-ranges | Ingress firewall rule for untrusted network | list(string) |
[ |
no |
| allow-mgmt-source-ranges | Firewall rule for management network. | list(string) |
[ |
no |
| allow-outbound-source-ranges | egress firewall rule for untrusted network | list(string) |
[ |
no |
| base_vpc_firewall_egress_dest_ranges | Used in shared vpc firewall egress destination ranges | list(any) |
n/a | yes |
| base_vpc_firewall_ingress_src_ranges | Used in shared vpc firewall ingress source ranges | list(any) |
n/a | yes |
| base_vpc_global_address_private | IP address range supplied as an input to reserve a specific address in a network - Internal | map(any) |
{ |
no |
| base_vpc_private_subnet_default_region | Subnet range for creating subnet for a region, this variable is used in google network module, subnets | map(any) |
{ |
no |
| base_vpc_private_subnet_default_region2 | Subnet range for creating subnet in default region2, this variable is used in google network module, subnets | map(any) |
{ |
no |
| base_vpc_subnet_secondary_ip_range_gke_pod | Secondary IP ranges for VM instances contained in the subnetwork. This is used in 3-network, shared vpc, subnets module | map(any) |
{ |
no |
| base_vpc_subnet_secondary_ip_range_gke_svc | Secondary IP ranges for VM instances contained in the subnetwork. This is used in 3-network, shared vpc, subnets module | map(any) |
{ |
no |
| billing_account | The ID of the billing account to associate projects with. | string |
n/a | yes |
| billing_data_users | Google Workspace or Cloud Identity group that have access to billing data set. | string |
n/a | yes |
| bootstrap_bucket_fw | gcp bucket for bootstrap script which will be used to bootstrap the firewall. | string |
"bootstrap-alb" |
no |
| bootstrap_env_code | Environment code used for bootstrap stage | string |
n/a | yes |
| bootstrap_environment_name | Environment name used for bootstrap stage | string |
n/a | yes |
| bucket_prefix | Name prefix to use for state bucket created. | string |
"bkt" |
no |
| cfo | Google Workspace or Cloud Identity group billing data users. | string |
n/a | yes |
| cloud_source_repos | List of Cloud Source Repositories created during bootstrap project build stage for use with Cloud Build. | list(string) |
[ |
no |
| cto_audit_compliance_operations_group | Google Workspace or Cloud Identity group for audit and compliance users. | string |
n/a | yes |
| cto_build_group | Google Workspace or Cloud Identity group of guild users. | string |
n/a | yes |
| cto_core_networking_build_group | Google Workspace or Cloud Identity group for networking build users. | string |
n/a | yes |
| cto_core_networking_operations_group | Google Workspace or Cloud Identity group responsible for network operations. | string |
n/a | yes |
| cto_elevated_security_build_group | Google Workspace or Cloud Identity group responsible for elevated security build users. | string |
n/a | yes |
| cto_elevated_security_operations_group | Google Workspace or Cloud Identity group responsible for security operations. | string |
n/a | yes |
| cto_operations_group | Google Workspace or Cloud Identity group responsible for operations. | string |
n/a | yes |
| cto_security_build_group | Google Workspace or Cloud Identity group for security build group. | string |
n/a | yes |
| cto_security_operations_group | Google Workspace or Cloud Identity group responsible for security operations. | string |
n/a | yes |
| cto_user_management_operations_group | Google Workspace or Cloud Identity group for management operations. | string |
n/a | yes |
| custom_labels | Customer desigend labels for project | map(string) |
{} |
no |
| d_cloud_router_labels | A map of suffixes for labelling vlans with four entries like "vlan_1" => "suffix1" with keys from vlan_1 to vlan_4. |
map(string) |
{} |
no |
| d_enable_dedicated_interconnect | Set the value to true if you want to create dedicated interconnect. default, false | bool |
false |
no |
| d_peer_asn | BGP Autonomous System Number (ASN). | string |
n/a | yes |
| d_region1_interconnect1_candidate_subnets | Up to 16 candidate prefixes that can be used to restrict the allocation of cloudRouterIpAddress and customerRouterIpAddress for this attachment. All prefixes must be within link-local address space (169.254.0.0/16) and must be /29 or shorter (/28, /27, etc). | list(string) |
null |
no |
| d_region1_interconnect1_location | Name of the interconnect location used in the creation of the Interconnect for the first location of region1 | string |
n/a | yes |
| d_region1_interconnect1_self_link | URL of the underlying Interconnect object that this attachment's traffic will traverse through. | string |
n/a | yes |
| d_region1_interconnect1_vlan_tag8021q | The IEEE 802.1Q VLAN tag for this attachment, in the range 2-4094. | string |
null |
no |
| d_region1_interconnect2_candidate_subnets | Up to 16 candidate prefixes that can be used to restrict the allocation of cloudRouterIpAddress and customerRouterIpAddress for this attachment. All prefixes must be within link-local address space (169.254.0.0/16) and must be /29 or shorter (/28, /27, etc). | list(string) |
null |
no |
| d_region1_interconnect2_location | Name of the interconnect location used in the creation of the Interconnect for the second location of region1 | string |
n/a | yes |
| d_region1_interconnect2_self_link | URL of the underlying Interconnect object that this attachment's traffic will traverse through. | string |
n/a | yes |
| d_region1_interconnect2_vlan_tag8021q | The IEEE 802.1Q VLAN tag for this attachment, in the range 2-4094. | string |
null |
no |
| d_region2_interconnect1_candidate_subnets | Up to 16 candidate prefixes that can be used to restrict the allocation of cloudRouterIpAddress and customerRouterIpAddress for this attachment. All prefixes must be within link-local address space (169.254.0.0/16) and must be /29 or shorter (/28, /27, etc). | list(string) |
null |
no |
| d_region2_interconnect1_location | Name of the interconnect location used in the creation of the Interconnect for the first location of region2 | string |
n/a | yes |
| d_region2_interconnect1_self_link | URL of the underlying Interconnect object that this attachment's traffic will traverse through. | string |
n/a | yes |
| d_region2_interconnect1_vlan_tag8021q | The IEEE 802.1Q VLAN tag for this attachment, in the range 2-4094. | string |
null |
no |
| d_region2_interconnect2_candidate_subnets | Up to 16 candidate prefixes that can be used to restrict the allocation of cloudRouterIpAddress and customerRouterIpAddress for this attachment. All prefixes must be within link-local address space (169.254.0.0/16) and must be /29 or shorter (/28, /27, etc). | list(string) |
null |
no |
| d_region2_interconnect2_location | Name of the interconnect location used in the creation of the Interconnect for the second location of region2 | string |
n/a | yes |
| d_region2_interconnect2_self_link | URL of the underlying Interconnect object that this attachment's traffic will traverse through. | string |
n/a | yes |
| d_region2_interconnect2_vlan_tag8021q | The IEEE 802.1Q VLAN tag for this attachment, in the range 2-4094. | string |
null |
no |
| default_region | Default region to create resources where applicable. | string |
"us-central1" |
no |
| default_region2 | Second subnet region for DNS Hub network. | string |
n/a | yes |
| dev_environment_code | Environment code used in 2-envs and 3-networks stages | string |
n/a | yes |
| development_folder | development environment folder name | string |
n/a | yes |
| domain | The DNS name of peering managed zone, for instance 'example.com.'. Must end with a period. | string |
n/a | yes |
| domains_to_allow | The list of domains to allow users from in IAM. Used by Domain Restricted Sharing Organization Policy. Must include the domain of the organization you are deploying the foundation. To add other domains you must also grant access to these domains to the terraform service account used in the deploy. | list(any) |
n/a | yes |
| egress_ranges_firewall | Destination IP address range in CIDR format. Required for EGRESS rules. | list(any) |
n/a | yes |
| enable_env_log_sink | Enable environment log sink. | bool |
false |
no |
| enable_hub_and_spoke | Enable Hub-and-Spoke architecture. | bool |
n/a | yes |
| enable_hub_and_spoke_transitivity | Enable transitivity via gateway VMs on Hub-and-Spoke architecture. | bool |
false |
no |
| enable_interconnect_projects | Create interconnect projects | bool |
false |
no |
| enable_restricted_network | Enable restricted network | bool |
false |
no |
| encrypt_gcs_bucket_tfstate | Encrypt bucket used for storing terraform state files in seed project. | bool |
false |
no |
| firewall_name | name of firewall | string |
"firewall" |
no |
| folder_id | The ID of a folder to host this project | string |
"" |
no |
| folder_prefix | Name prefix to use for folders created. Should be the same in all steps. | string |
"fldr" |
no |
| force_destroy | If supplied, the state bucket will be deleted even while containing objects. | bool |
false |
no |
| gar_repo_name | GCP Artifact Registry Name to store container image for Cloud Build builder. | string |
n/a | yes |
| gh_token | Github token that is used for generating Self Hosted Runner Token | string |
"default-runner-token" |
no |
| git_pvt_key_scrt_name | The name / secret id which holds the private key for the deploy keys added to the Github repo. | string |
"git-gcplz-ssh-pvt" |
no |
| grant_billing_user | Grant roles/billing.user role to CFT service account | bool |
true |
no |
| group_billing_admins | Google Group for GCP Billing Administrators | string |
n/a | yes |
| group_org_admins | Google Group for GCP Organization Administrators | string |
n/a | yes |
| image_fw | image from marketplace to pick for firewall server deployment | string |
"https://www.googleapis.com/compute/v1/projects/paloaltonetworksgcp-public/global/images/vmseries-bundle1-810" |
no |
| image_web | upstream webserver image type for testing, this is optional | string |
"debian-8" |
no |
| ingress_ranges_firewall | Source IP address range in CIDR format. Required for INGRESS rules. | list(any) |
n/a | yes |
| interconnect-firewall | interconnect-firewall | bool |
false |
no |
| interface_0_name | interface name for management server | string |
"management" |
no |
| interface_1_name | interface name for untrust server | string |
"untrust" |
no |
| interface_2_name | interface name for trust server | string |
"trust" |
no |
| key_protection_level | The protection level to use when creating a version based on this template. | string |
"SOFTWARE" |
no |
| key_rotation_period | n/a | string |
null |
no |
| kms_prevent_destroy | Set the prevent_destroy lifecycle attribute on keys. | bool |
true |
no |
| log_sink_prefix | Add log sink prefix example, snk. | string |
n/a | yes |
| machine_cpu_fw | cpu processor type for firewall server deployment | string |
"Intel Skylake" |
no |
| machine_type_fw | machine size for firewall server deployment | string |
"n1-standard-4" |
no |
| machine_type_web | upstream webserver type for testing, this is optional. | string |
"f1-micro" |
no |
| management-sub-ip_cidr_range | IP ranges for management subnet, this subnet will be used for managing state between firewall servers. | string |
"10.0.0.0/24" |
no |
| monitoring_workspace_users | Google Workspace or Cloud Identity group that have access to Monitoring Workspaces. | string |
n/a | yes |
| num_instances | Number of compute instances to be spinned up as Github Self hosted runners. | number |
n/a | yes |
| org_admins_org_iam_permissions | List of permissions granted to the group supplied in group_org_admins variable across the GCP organization. | list(string) |
[] |
no |
| org_id | GCP Organization ID | string |
n/a | yes |
| org_policy_admin_role | Additional Org Policy Admin role for admin group. You can use this for testing purposes. | bool |
false |
no |
| org_project_creators | Additional list of members to have project creator role across the organization. Prefix of group: user: or serviceAccount: is required. | list(string) |
[] |
no |
| p_r_cloud_router_labels | A map of suffixes for labelling vlans with four entries like "vlan_1" => "suffix1" with keys from vlan_1 to vlan_4. |
map(string) |
{} |
no |
| p_r_preactivate_partner_interconnect | Preactivate Partner Interconnect VLAN attachment in the environment. | bool |
false |
no |
| p_r_region1_interconnect1_location | Name of the interconnect location used in the creation of the Interconnect for the second location of region1 | string |
n/a | yes |
| p_r_region1_interconnect2_location | Name of the interconnect location used in the creation of the Interconnect for the second location of region1 | string |
n/a | yes |
| p_r_region2_interconnect1_location | Name of the interconnect location used in the creation of the Interconnect for the second location of region2 | string |
n/a | yes |
| p_r_region2_interconnect2_location | Name of the interconnect location used in the creation of the Interconnect for the second location of region2 | string |
n/a | yes |
| p_s_cloud_router_labels | A map of suffixes for labelling vlans with four entries like "vlan_1" => "suffix1" with keys from vlan_1 to vlan_4. |
map(string) |
{} |
no |
| p_s_preactivate_partner_interconnect | Preactivate Partner Interconnect VLAN attachment in the environment. | bool |
false |
no |
| p_s_region1_interconnect1_location | Name of the interconnect location used in the creation of the Interconnect for the second location of region1 | string |
n/a | yes |
| p_s_region1_interconnect2_location | Name of the interconnect location used in the creation of the Interconnect for the second location of region1 | string |
n/a | yes |
| p_s_region2_interconnect1_location | Name of the interconnect location used in the creation of the Interconnect for the second location of region1 | string |
n/a | yes |
| p_s_region2_interconnect2_location | Name of the interconnect location used in the creation of the Interconnect for the second location of region1 | string |
n/a | yes |
| parent_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. | string |
"" |
no |
| primary_contact | Email of primary contact | string |
n/a | yes |
| prod_environment_code | Environment code used in 2-envs and 3-networks stages | string |
n/a | yes |
| production_folder | production environment folder name | string |
n/a | yes |
| project_id | Custom project ID to use for project created. If not supplied, the default id is {project_prefix}-seed-{random suffix}. | string |
"" |
no |
| project_labels | Labels to apply to the project. | map(string) |
{} |
no |
| project_name | Project Name | string |
"" |
no |
| project_prefix | Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters. | string |
"prj" |
no |
| random_suffix | Appends a 4 character random suffix to project ID and GCS bucket name. | bool |
true |
no |
| region_zone | region NGFW HA servers to deploy in | string |
"us-west1-a" |
no |
| rest_vpc_firewall_egress_dest_ranges | Used in shared vpc firewall egress destination ranges | list(any) |
n/a | yes |
| rest_vpc_firewall_ingress_src_ranges | Used in shared vpc firewall ingress source ranges | list(any) |
n/a | yes |
| rest_vpc_global_address_private | IP address range supplied as an input to reserve a specific address in a network - Internal | map(any) |
{ |
no |
| rest_vpc_private_subnet_default_region | Subnet range for creating subnet for a region, this variable is used in google network module, subnets | map(any) |
{ |
no |
| rest_vpc_private_subnet_default_region2 | Subnet range for creating subnet in default region2, this variable is used in google network module, subnets | map(any) |
{ |
no |
| rest_vpc_subnet_secondary_ip_range_gke_pod | Secondary IP ranges for VM instances contained in the subnetwork. This is used in 3-network, shared vpc, subnets module | map(any) |
{ |
no |
| rest_vpc_subnet_secondary_ip_range_gke_svc | Secondary IP ranges for VM instances contained in the subnetwork. This is used in 3-network, shared vpc, subnets module | map(any) |
{ |
no |
| restricted_enable_partner_interconnect | Set the value to true if you want to create restricted partner interconnect. default, false | bool |
false |
no |
| runner_machine_type | Machine type for Github Self hosted runners. | string |
"n1-standard-1" |
no |
| runner_repo_name | Name of the repo for the Github Action | string |
n/a | yes |
| runner_repo_owner | Owner of the repo for the Github Action | string |
n/a | yes |
| runner_subnet_ip | The subnet range in which the runner instances will be built. For e.g. 192.168.168.0/24 | string |
n/a | yes |
| sa_enable_impersonation | Allow org_admins group to impersonate service account & enable APIs required. | bool |
false |
no |
| sa_org_cb_iam_permissions | List of permissions granted to Cloudbuild service account from CICD project across the organization. | list(string) |
[ |
no |
| sa_org_iam_permissions | List of permissions granted to Terraform service account across the GCP organization. | list(string) |
[ |
no |
| sa_prj_cb_iam_permissions | List of permissions granted to Cloudbuild service account from CICD project across the CICD Project. | list(string) |
[ |
no |
| sa_prj_rnr_iam_permissions | List of permissions granted to Runner service account across the CICD Project. | list(string) |
[ |
no |
| scopes_fw | scopes attached to server VMS. | list(string) |
[ |
no |
| scopes_web | scopes attached to web-server VMS, this is optional | list(string) |
[ |
no |
| secondary_contact | Email of secondary contact | string |
n/a | yes |
| shared_enable_partner_interconnect | Set the value to true if you want to create shared partner interconnect. default, false | bool |
false |
no |
| shared_env | Environment code used in 2-envs and 3-networks stages | string |
n/a | yes |
| shared_environment_code | Environment code used in 1-org, 2-envs and 3-networks stages | string |
n/a | yes |
| source_image_family | Source Image family of the image from which to initialize the disk. for e.g. ubuntu-2004-lts | string |
"ubuntu-2004-lts" |
no |
| source_image_project | The Project for Source Image. for e.g. ubuntu-os-cloud | string |
"ubuntu-os-cloud" |
no |
| staging_environment_code | Environment code used in 2-envs and 3-networks stages | string |
n/a | yes |
| staging_folder | staging environment folder name | string |
n/a | yes |
| state_bucket_name | Custom state bucket name. If not supplied, the default name is {project_prefix}-tfstate-{random suffix}. | string |
"" |
no |
| storage_bucket_labels | Labels to apply to the storage bucket. | map(string) |
{} |
no |
| subnet_ip_cidr_range_region1 | The range of internal addresses that are owned by this subnetwork. Only IPv4 is supported | string |
n/a | yes |
| subnet_ip_cidr_range_region2 | The range of internal addresses that are owned by this subnetwork. Only IPv4 is supported | string |
n/a | yes |
| target_name_server_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | list(string) |
n/a | yes |
| tf_service_account_id | ID of service account for terraform in seed project | string |
"org-terraform" |
no |
| tf_service_account_name | Display name of service account for terraform in seed project | string |
"CFT Organization Terraform Account" |
no |
| trust-dest_range | destination firewall rule for trusted network | string |
"0.0.0.0/0" |
no |
| trust-sub-ip_cidr_range | IP ranges for trusted subnet, this subnet will be used for trusted traffic traffic for upstream services. | string |
"10.0.2.0/24" |
no |
| untrust-sub-ip_cidr_range | IP ranges for untrusted subnet, this subnet will be used for incoming untrusted traffic. | string |
"10.0.1.0/24" |
no |
| vpc_prefix | VPC prefix used to create the vpc | string |
n/a | yes |
| web_server_name | upstream webserver name for testing, this is optional. | string |
"webserver" |
no |
| zone | region NGFW HA servers to deploy in | string |
"us-west1-a" |
no |
| zone_2 | region NGFW HA servers to deploy in | string |
"us-west1-b" |
no |
| Name | Description |
|---|---|
| allow-inbound-source-ranges | Ingress firewall rule for untrusted network |
| allow-mgmt-source-ranges | Firewall rule for management network. |
| allow-outbound-source-ranges | egress firewall rule for untrusted network |
| base_vpc_firewall_egress_dest_ranges | Used in shared vpc firewall egress destination ranges. |
| base_vpc_firewall_ingress_src_ranges | Used in shared vpc firewall ingress source ranges. |
| base_vpc_global_address_private | IP address range supplied as an input to reserve a specific address in a network - Internal. |
| base_vpc_private_subnet_default_region | Subnet range for creating subnet for a region, this variable is used in google network module, subnets. |
| base_vpc_private_subnet_default_region2 | Subnet range for creating subnet for a region2, this variable is used in google network module, subnets. |
| base_vpc_subnet_secondary_ip_range_gke_pod | Secondary IP ranges for VM instances contained in the subnetwork. This is used in 3-network, shared vpc, subnets module. |
| base_vpc_subnet_secondary_ip_range_gke_svc | Secondary IP ranges for VM instances contained in the subnetwork. This is used in 3-network, shared vpc, subnets module. |
| billing_account | Billing account ID details. |
| billing_data_users | Google Workspace or Cloud Identity group that have access to billing data set. |
| bootstrap_bucket_fw | gcp bucket for bootstrap script which will be used to bootstrap the firewall. |
| bootstrap_folder | Environment name used for bootstrap stage. |
| bucket_prefix | Bucket prefix used by Cloud Storage buckets. |
| cfo | Google Workspace or Cloud Identity group responsible for security operations. |
| cloudbuild_project_id | Project where CloudBuild configuration and terraform container image will reside. |
| csr_repos | List of Cloud Source Repos created by the module, linked to Cloud Build triggers. |
| cto_audit_compliance_operations_group | Google Workspace or Cloud Identity group responsible for security operations. |
| cto_build_group | Google Workspace or Cloud Identity group responsible for security operations. |
| cto_core_networking_build_group | Google Workspace or Cloud Identity group responsible for security operations. |
| cto_core_networking_operations_group | Google Workspace or Cloud Identity group responsible for security operations. |
| cto_elevated_security_build_group | Google Workspace or Cloud Identity group responsible for security operations. |
| cto_elevated_security_operations_group | Google Workspace or Cloud Identity group responsible for security operations. |
| cto_operations_group | Google Workspace or Cloud Identity group responsible for security operations. |
| cto_security_build_group | Google Workspace or Cloud Identity group responsible for security operations. |
| cto_security_operations_group | Google Workspace or Cloud Identity group responsible for security operations. |
| cto_user_management_operations_group | Google Workspace or Cloud Identity group responsible for security operations. |
| custom_labels | Customer desigend labels for project |
| d_cloud_router_labels | A map of suffixes for labelling vlans with four entries like "vlan_1" => "suffix1" with keys from vlan_1 to vlan_4. |
| d_enable_dedicated_interconnect | Set the value to true if you want to create dedicated interconnect. default, false |
| d_peer_asn | BGP Autonomous System Number (ASN). |
| d_region1_interconnect1_candidate_subnets | Up to 16 candidate prefixes that can be used to restrict the allocation of cloudRouterIpAddress and customerRouterIpAddress for this attachment. All prefixes must be within link-local address space (169.254.0.0/16) and must be /29 or shorter (/28, /27, etc). |
| d_region1_interconnect1_location | Name of the interconnect location used in the creation of the Interconnect for the first location of region1 |
| d_region1_interconnect1_self_link | URL of the underlying Interconnect object that this attachment's traffic will traverse through. |
| d_region1_interconnect1_vlan_tag8021q | The IEEE 802.1Q VLAN tag for this attachment, in the range 2-4094. |
| d_region1_interconnect2_candidate_subnets | Up to 16 candidate prefixes that can be used to restrict the allocation of cloudRouterIpAddress and customerRouterIpAddress for this attachment. All prefixes must be within link-local address space (169.254.0.0/16) and must be /29 or shorter (/28, /27, etc). |
| d_region1_interconnect2_location | Name of the interconnect location used in the creation of the Interconnect for the second location of region1 |
| d_region1_interconnect2_self_link | URL of the underlying Interconnect object that this attachment's traffic will traverse through. |
| d_region1_interconnect2_vlan_tag8021q | The IEEE 802.1Q VLAN tag for this attachment, in the range 2-4094. |
| d_region2_interconnect1_candidate_subnets | Up to 16 candidate prefixes that can be used to restrict the allocation of cloudRouterIpAddress and customerRouterIpAddress for this attachment. All prefixes must be within link-local address space (169.254.0.0/16) and must be /29 or shorter (/28, /27, etc). |
| d_region2_interconnect1_location | Name of the interconnect location used in the creation of the Interconnect for the first location of region2 |
| d_region2_interconnect1_self_link | URL of the underlying Interconnect object that this attachment's traffic will traverse through. |
| d_region2_interconnect1_vlan_tag8021q | The IEEE 802.1Q VLAN tag for this attachment, in the range 2-4094. |
| d_region2_interconnect2_candidate_subnets | Up to 16 candidate prefixes that can be used to restrict the allocation of cloudRouterIpAddress and customerRouterIpAddress for this attachment. All prefixes must be within link-local address space (169.254.0.0/16) and must be /29 or shorter (/28, /27, etc). |
| d_region2_interconnect2_location | Name of the interconnect location used in the creation of the Interconnect for the second location of region2 |
| d_region2_interconnect2_self_link | URL of the underlying Interconnect object that this attachment's traffic will traverse through. |
| d_region2_interconnect2_vlan_tag8021q | The IEEE 802.1Q VLAN tag for this attachment, in the range 2-4094. |
| default_region2 | Second subnet region for DNS Hub network. |
| dev_environment_code | Development environment code. |
| development_folder | Development environment folder name. |
| domain | The DNS name of peering managed zone, for instance 'example.com.'. Must end with a period. |
| domains_to_allow | The list of domains to allow users from in IAM. Used by Domain Restricted Sharing Organization Policy. Must include the domain of the organization you are deploying the foundation. To add other domains you must also grant access to these domains to the terraform service account used in the deploy. |
| egress_ranges_firewall | Destination IP address range in CIDR format. Required for EGRESS rules. |
| enable_env_log_sink | Enable environment log sink. |
| enable_hub_and_spoke | Enable Hub-and-Spoke architecture. |
| enable_hub_and_spoke_transitivity | Enable transitivity via gateway VMs on Hub-and-Spoke architecture. |
| enable_interconnect_projects | Create interconnect projects |
| enable_restricted_network | Enable restricted network |
| firewall_name | name of firewall. |
| folder_prefix | Folder prefix used by folders. |
| gar_repo_name | Github Repo name. |
| gcp_region | Default GCP region. |
| gcs_bucket_cloudbuild_artifacts | Bucket used to store Cloud/Build artifacts in CloudBuild project. |
| gcs_bucket_tfstate | Bucket used for storing terraform state for foundations pipelines in seed project. |
| group_org_admins | Google Group for GCP Organization Administrators. |
| image_fw | image from marketplace to pick for firewall server deployment |
| image_web | upstream webserver image type for testing, this is optional |
| ingress_ranges_firewall | Source IP address range in CIDR format. Required for INGRESS rules. |
| interconnect-firewall | interconnect-firewall |
| interface_0_name | interface name for management server |
| interface_1_name | interface name for untrust server |
| interface_2_name | interface name for trust server |
| kms_crypto_key | KMS key created by the module. |
| kms_keyring | KMS Keyring created by the module. |
| log_sink_prefix | Log sink prefix. |
| machine_cpu_fw | cpu processor type for firewall server deployment |
| machine_type_fw | machine size for firewall server deployment |
| machine_type_web | upstream webserver type for testing, this is optional. |
| management-sub-ip_cidr_range | IP ranges for management subnet, this subnet will be used for managing state between firewall servers. |
| monitoring_workspace_users | Google Workspace or Cloud Identity group responsible for security operations. |
| org_id | Organization Id |
| p_r_cloud_router_labels | A map of suffixes for labelling vlans with four entries like "vlan_1" => "suffix1" with keys from vlan_1 to vlan_4. |
| p_r_preactivate_partner_interconnect | Preactivate Partner Interconnect VLAN attachment in the environment. |
| p_r_region1_interconnect1_location | Name of the interconnect location used in the creation of the Interconnect for the second location of region1 |
| p_r_region1_interconnect2_location | Name of the interconnect location used in the creation of the Interconnect for the second location of region1 |
| p_r_region2_interconnect1_location | Name of the interconnect location used in the creation of the Interconnect for the second location of region1 |
| p_r_region2_interconnect2_location | Name of the interconnect location used in the creation of the Interconnect for the second location of region1 |
| p_s_cloud_router_labels | A map of suffixes for labelling vlans with four entries like "vlan_1" => "suffix1" with keys from vlan_1 to vlan_4. |
| p_s_preactivate_partner_interconnect | Preactivate Partner Interconnect VLAN attachment in the environment. |
| p_s_region1_interconnect1_location | Name of the interconnect location used in the creation of the Interconnect for the second location of region1 |
| p_s_region1_interconnect2_location | Name of the interconnect location used in the creation of the Interconnect for the second location of region1 |
| p_s_region2_interconnect1_location | Name of the interconnect location used in the creation of the Interconnect for the second location of region1 |
| p_s_region2_interconnect2_location | Name of the interconnect location used in the creation of the Interconnect for the second location of region1 |
| parent_folder | The Parent folder ID. |
| primary_contact | Email of primary contact. |
| prod_environment_code | Projection environment code. |
| production_folder | Production environment folder name. |
| project_name | Project name, example: cldcvr. |
| project_prefix | Project prefix used by projects. |
| region_zone | region NGFW HA servers to deploy in |
| rest_vpc_firewall_egress_dest_ranges | Used in shared vpc firewall egress destination ranges. |
| rest_vpc_firewall_ingress_src_ranges | Used in shared vpc firewall ingress source ranges. |
| rest_vpc_global_address_private | IP address range supplied as an input to reserve a specific address in a network - Internal. |
| rest_vpc_private_subnet_default_region | Subnet range for creating subnet for a region, this variable is used in google network module, subnets. |
| rest_vpc_private_subnet_default_region2 | Subnet range for creating subnet in default region2, this variable is used in google network module, subnets. |
| rest_vpc_subnet_secondary_ip_range_gke_pod | Secondary IP ranges for VM instances contained in the subnetwork. This is used in 3-network, shared vpc, subnets module. |
| rest_vpc_subnet_secondary_ip_range_gke_svc | Secondary IP ranges for VM instances contained in the subnetwork. This is used in 3-network, shared vpc, subnets module. |
| restricted_enable_partner_interconnect | Set the value to true if you want to create restricted partner interconnect. default, false |
| runner_labels | Github runner labels. |
| runner_network_name | n/a |
| runner_repo_name | Name of the repo for the Github Action. |
| runner_repo_owner | Owner of the repo for the Github Action. |
| scopes_fw | scopes attached to server VMS. |
| scopes_web | scopes attached to web-server VMS, this is optional |
| secondary_contact | Email of secondary contact. |
| seed_project_id | Project where service accounts and core APIs will be enabled. |
| shared_enable_partner_interconnect | Set the value to true if you want to create shared partner interconnect. default, false |
| shared_env | Environment code used in 2-envs and 3-networks stages. |
| shared_environment_code | Shared environment code. |
| staging_environment_code | Staging environment code. |
| staging_folder | staging environment folder name. |
| subnet_ip_cidr_range_region1 | The range of internal addresses that are owned by this subnetwork. Only IPv4 is supported. |
| subnet_ip_cidr_range_region2 | The range of internal addresses that are owned by this subnetwork. Only IPv4 is supported. |
| target_name_server_addresses | List of IPv4 address of target name servers for the forwarding zone configuration. |
| terraform_sa_name | Fully qualified name for privileged service account for Terraform. |
| terraform_service_account | Email for privileged service account for Terraform. |
| terraform_validator_policies_repo | Cloud Source Repository created for terraform-validator policies. |
| trust-dest_range | destination firewall rule for trusted network |
| trust-sub-ip_cidr_range | IP ranges for trusted subnet, this subnet will be used for trusted traffic traffic for upstream services |
| untrust-sub-ip_cidr_range | IP ranges for untrusted subnet, this subnet will be used for incoming untrusted traffic. |
| vpc_prefix | VPC prefix used to create the vpc. |
| web_server_name | upstream webserver name for testing, this is optional. |
| zone | region NGFW HA servers to deploy in |
| zone_2 | region NGFW HA servers to deploy in |