The purpose of this step is to set up the global DNS Hub that will be used by all environments. This step also creates the Network Hubs (Base and Restricted) that are part of the Hub and Spoke setup.

Before running this step, the previous steps must have completed:

- 0-bootstrap executed successfully.
- 1-org executed successfully.
Name | Description | Type | Default | Required |
---|---|---|---|---|
access_context_manager_policy_id | The ID of the default Access Context Manager policy created in step 1-org. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | number | n/a | yes |
base_hub_dns_enable_inbound_forwarding | Toggle inbound query forwarding for Base Hub VPC DNS. | bool | true | no |
base_hub_dns_enable_logging | Toggle DNS logging for Base Hub VPC DNS. | bool | true | no |
base_hub_firewall_enable_logging | Toggle firewall logging for VPC Firewalls in Base Hub VPC. | bool | true | no |
base_hub_nat_bgp_asn | BGP ASN for the Cloud Router of the first Cloud NAT in Base Hub. | number | 64514 | no |
base_hub_nat_enabled | Toggle creation of the Cloud Router and Cloud NAT in Base Hub. | bool | false | no |
base_hub_nat_num_addresses_region1 | Number of external IPs to reserve for the first Cloud NAT in Base Hub. | number | 2 | no |
base_hub_nat_num_addresses_region2 | Number of external IPs to reserve for the second Cloud NAT in Base Hub. | number | 2 | no |
base_hub_windows_activation_enabled | Enable Windows license activation for Windows workloads in Base Hub. | bool | false | no |
bgp_asn_dns | BGP Autonomous System Number (ASN). | number | 64667 | no |
custom_restricted_services | List of custom services to be protected by the VPC-SC perimeter. If empty, all supported services (https://cloud.google.com/vpc-service-controls/docs/supported-products) will be protected. | list(string) | [] | no |
dns_enable_logging | Toggle DNS logging for VPC DNS. | bool | true | no |
domain | The DNS name of the forwarding managed zone, for instance `example.com.`. Must end with a period. | string | n/a | yes |
egress_policies | A list of all egress policies; each list object has a `from` and a `to` value that describe `egress_from` and `egress_to`. Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`. Valid values: ID_TYPE = null or IDENTITY_TYPE_UNSPECIFIED (only allow identities from the list), ANY_IDENTITY, ANY_USER_ACCOUNT, ANY_SERVICE_ACCOUNT; SRV_NAME = `"*"` (allow all services) or a specific service; OP_TYPE = methods or permissions. | list(object({ ... })) | [] | no |
enable_dedicated_interconnect | Enable Dedicated Interconnect in the environment. | bool | false | no |
enable_hub_and_spoke_transitivity | Enable transitivity via gateway VMs on the Hub-and-Spoke architecture. | bool | false | no |
enable_partner_interconnect | Enable Partner Interconnect in the environment. | bool | false | no |
firewall_policies_enable_logging | Toggle hierarchical firewall logging. | bool | true | no |
ingress_policies | A list of all ingress policies; each list object has a `from` and a `to` value that describe `ingress_from` and `ingress_to`. Example: `[{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`. Valid values: ID_TYPE = null or IDENTITY_TYPE_UNSPECIFIED (only allow identities from the list), ANY_IDENTITY, ANY_USER_ACCOUNT, ANY_SERVICE_ACCOUNT; SRV_NAME = `"*"` (allow all services) or a specific service; OP_TYPE = methods or permissions. | list(object({ ... })) | [] | no |
perimeter_additional_members | The list of additional members to be added to the perimeter access level members list. To be able to see the resources protected by VPC Service Controls in the restricted perimeter, add your user to this list. Entries must be in the standard GCP form: `user:email@example.com` or `serviceAccount:my-service-account@example.com`. | list(string) | n/a | yes |
preactivate_partner_interconnect | Preactivate the Partner Interconnect VLAN attachment in the environment. | bool | false | no |
remote_state_bucket | Backend bucket to load Terraform remote state data from previous steps. | string | n/a | yes |
restricted_hub_dns_enable_inbound_forwarding | Toggle inbound query forwarding for Restricted Hub VPC DNS. | bool | true | no |
restricted_hub_dns_enable_logging | Toggle DNS logging for Restricted Hub VPC DNS. | bool | true | no |
restricted_hub_firewall_enable_logging | Toggle firewall logging for VPC Firewalls in Restricted Hub VPC. | bool | true | no |
restricted_hub_nat_bgp_asn | BGP ASN for the Cloud Router of the first Cloud NAT in Restricted Hub. | number | 64514 | no |
restricted_hub_nat_enabled | Toggle creation of the Cloud Router and Cloud NAT in Restricted Hub. | bool | false | no |
restricted_hub_nat_num_addresses_region1 | Number of external IPs to reserve for the first Cloud NAT in Restricted Hub. | number | 2 | no |
restricted_hub_nat_num_addresses_region2 | Number of external IPs to reserve for the second Cloud NAT in Restricted Hub. | number | 2 | no |
restricted_hub_windows_activation_enabled | Enable Windows license activation for Windows workloads in Restricted Hub. | bool | false | no |
subnetworks_enable_logging | Toggle VPC Flow Logs for VPC subnetworks. | bool | true | no |
target_name_server_addresses | List of IPv4 addresses of target name servers for the forwarding zone configuration. See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones for details on target name servers in the context of Cloud DNS forwarding zones. | list(map(any)) | n/a | yes |
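As an added example, not a file shipped with the project, the following `terraform.tfvars` for the shared environment of this step shows how the required inputs and the `egress_policies` / `ingress_policies` structures from the table fit together. Every concrete value (policy ID, bucket name, domain, resolver addresses, members, project numbers) is a placeholder, and the map keys used in `target_name_server_addresses` are assumed to mirror the Cloud DNS `forwarding_config` target name server attributes.

```hcl
# terraform.tfvars for the shared environment of this step (illustrative,
# added example; not part of the project). All identifiers are placeholders.

# Output of step 1-org. Obtain it with:
#   gcloud access-context-manager policies list \
#     --organization YOUR_ORGANIZATION_ID --format="value(name)"
access_context_manager_policy_id = 123456789012

# Bucket holding the remote state written by 0-bootstrap and 1-org.
remote_state_bucket = "bkt-example-tfstate"

# Cloud DNS forwarding zone. The name must be fully qualified, so it ends
# with a period; "example.com" without it is not a valid zone name.
domain = "example.com."

# On-premises resolvers that the forwarding zone sends queries to. The keys
# are assumed to follow the forwarding_config target_name_servers attributes.
target_name_server_addresses = [
  { ipv4_address = "10.0.0.53", forwarding_path = "default" },
  { ipv4_address = "10.0.1.53", forwarding_path = "default" },
]

# Principals added to the perimeter access level. Keep this list short:
# everyone on it can reach resources inside the restricted perimeter.
perimeter_additional_members = [
  "user:netadmin@example.com",
  "serviceAccount:sa-terraform-net@prj-b-seed.iam.gserviceaccount.com",
]

# Empty list: every VPC-SC supported service is restricted (the safe default).
custom_restricted_services = []

# Telemetry toggles already default to true; they are spelled out so a
# reviewer of this file can see that no log source has been switched off.
dns_enable_logging                     = true
firewall_policies_enable_logging       = true
subnetworks_enable_logging             = true
base_hub_dns_enable_logging            = true
base_hub_firewall_enable_logging       = true
restricted_hub_dns_enable_logging      = true
restricted_hub_firewall_enable_logging = true

# Egress out of the perimeter, scoped to one CI service account, one Storage
# method and one project number outside the perimeter (placeholders).
egress_policies = [
  {
    from = {
      identity_type = null # null / IDENTITY_TYPE_UNSPECIFIED: only the listed identities
      identities    = ["serviceAccount:sa-ci@prj-c-tools.iam.gserviceaccount.com"]
    }
    to = {
      resources = ["projects/987654321098"]
      operations = {
        "storage.googleapis.com" = {
          methods = ["google.storage.objects.get"]
        }
      }
    }
  },
]

# Ingress into the perimeter from one external project (placeholder number),
# for service accounts only, limited to a single BigQuery permission.
ingress_policies = [
  {
    from = {
      sources = {
        resources     = ["projects/112233445566"]
        access_levels = []
      }
      identity_type = "ANY_SERVICE_ACCOUNT"
      identities    = []
    }
    to = {
      resources = ["*"] # all projects inside the perimeter
      operations = {
        "bigquery.googleapis.com" = {
          permissions = ["bigquery.tables.get"]
        }
      }
    }
  },
]
```

Two points worth checking before applying: `identity_type` is left `null` in the egress policy because explicit identities are listed, which is the ID_TYPE rule in the table, whereas the ingress policy uses `ANY_SERVICE_ACCOUNT` with an empty `identities` list; and each policy names a single service under `operations` rather than `"*"`, so widening access later is a visible diff in this file rather than a silent default.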
Name | Description |
---|---|
dns_hub_project_id | The DNS hub project ID |