Merge pull request #59 from GoogleCloudPlatform/q4-2024-release

feat: implementation of alloydb-psc, NCC and other patches

Author: mamgainparas

README.md

@@ -2,9 +2,10 @@
 
 ## Introduction
 
-This repository leverages pre-built Terraform templates to streamline the setup and management of Google Cloud's networking infrastructure. This project accelerates your access to managed services like AlloyDB, Cloud SQL and Memorystore for Redis Clusters while maintaining robust security boundaries between your on-premises resources and the cloud environment. By defining role-based stages, the solution ensures that only authorized users can modify specific network components, adhering to the principle of least privilege and enhancing overall security.
+This repository leverages pre-built Terraform templates to streamline the setup and management of Google Cloud's networking infrastructure. This project accelerates your access to managed services like AlloyDB, GKE, Vertex AI services, Cloud SQL and Memorystore for Redis Clusters while maintaining robust security boundaries between your on-premises resources and the cloud environment. By defining role-based stages, the solution ensures that only authorized users can modify specific network components, adhering to the principle of least privilege and enhancing overall security.
 
 ### Project Goals
+
 * Simplified setup
 * Enhanced security
 * Scalability
@@ -20,6 +21,16 @@ The project is structured into the following folders:
           ├── organization.tfvars
           ├── networking.tfvars
           ├── networking-manual.tfvars
+          ├── producer
+              ├── alloydb
+              ├── cloudsql
+              ├── gke
+              ├── vectorsearch
+              ├── vertex-ai-online-endpoints
+              └── mrc
+          ├── consumer
+              ├── cloudrun
+              └── gce
           └── security
               ├── alloydb.tfvars
               ├── cloudsql.tfvars
@@ -36,12 +47,14 @@ The project is structured into the following folders:
       └──modules
           ├── net-vpc
           └── psc_forwarding_rule
+          └── vector-search
+          └── vertex-ai-online-endpoints
   ```
 * `configuration`: This folder contains Terraform configuration files (*.tfvars) that hold variables used for multiple stages. These **.tfvars** files would include configurable variables such as project IDs, region or other values that you want to customize for your specific environment.
 
 * `execution`: This folder houses the main Terraform code, organized into stages:
 
-  *  `00-bootstrap`: Sets up foundational resources like service accounts and Terraform state storage.
+  * `00-bootstrap`: Sets up foundational resources like service accounts and Terraform state storage.
   * `01-organization`:  Manages organization-level policies for network resources.
   * `02-networking`: Manages VPCs, subnets, Cloud HA VPN and other core networking components like PSA, SCP, Cloud NAT.
   * `03-security`:  Configures firewalls and other security measures.

configuration/bootstrap.tfvars

@@ -1,9 +1,19 @@
-bootstrap_project_id                  = ""
-network_hostproject_id                = ""
-network_serviceproject_id             = "" // <service(producer/consumer)-project-id>
-organization_stage_administrator      = ["user:user-example@example.com"]
-networking_stage_administrator        = ["user:user-example@example.com"]
-security_stage_administrator          = ["user:user-example@example.com"]
-producer_stage_administrator          = ["user:user-example@example.com"]
-networking_manual_stage_administrator = ["user:user-example@example.com"]
-consumer_stage_administrator          = ["user:user-example@example.com"]
+folder_id                 = ""
+bootstrap_project_id      = ""
+network_hostproject_id    = ""
+network_serviceproject_id = "" // <service(producer/consumer)-project-id>
+
+organization_administrator = ["user:user-example@example.com"]
+networking_administrator   = ["user:user-example@example.com"]
+security_administrator     = ["user:user-example@example.com"]
+
+producer_cloudsql_administrator = ["user:user-example@example.com"]
+producer_gke_administrator      = ["user:user-example@example.com"]
+producer_alloydb_administrator  = ["user:user-example@example.com"]
+producer_vertex_administrator   = ["user:user-example@example.com"]
+producer_mrc_administrator      = ["user:user-example@example.com"]
+
+networking_manual_administrator = ["user:user-example@example.com"]
+
+consumer_gce_administrator      = ["user:user-example@example.com"]
+consumer_cloudrun_administrator = ["user:user-example@example.com"]

configuration/networking.tfvars

@@ -42,3 +42,7 @@ tunnel_2_shared_secret            = ""
 ## Cloud Interconnect input variables
 
 create_interconnect = false # Use true or false
+
+## NCC input variables
+
+create_ncc = false

configuration/producer/AlloyDB/config/instance-psa.yaml.example

@@ -0,0 +1,14 @@
+cluster_id: <cluster-id-here>
+cluster_display_name: <cluster-display-name-here>
+project_id: <project-id>
+region: <region> #e.g. : us-central1
+network_id: <network-id> #e.g. : projects/<project-id>/global/networks/<network-name>
+primary_instance:
+  instance_id : <instance-id-here>
+  display_name : <instance-display-name-here>
+  instance_type : PRIMARY
+  machine_cpu_count : 2
+  database_flags : null
+read_pool_instance : null
+automated_backup_policy : null
+connectivity_options: "PSC" # Use "PSA" for PSA connectivity

configuration/producer/AlloyDB/config/instance-psc.yaml.example

@@ -0,0 +1,15 @@
+cluster_id: <cluster-id-here>
+cluster_display_name: <cluster-display-name-here>
+project_id: <project-id>
+region: <region> #e.g. : us-central1
+primary_instance:
+  instance_id : <instance-id-here>
+  display_name : <instance-display-name-here>
+  instance_type : PRIMARY
+  machine_cpu_count : 2
+  database_flags : null
+read_pool_instance : null
+automated_backup_policy : null
+connectivity_options: "PSC" # Use "PSA" for PSA connectivity
+psc_allowed_consumer_projects: ["<project-number>, <project-number>"] # Include the list of allowed consumer projects here
+

configuration/producer/AlloyDB/config/instance.yaml.example

@@ -1,9 +1,8 @@
 cluster_id: <cluster-id-here>
 cluster_display_name: <cluster-display-name-here>
 project_id: <project-id>
-region: us-central1
+region: <region> #e.g. : us-central1
 network_id: <network-id> #e.g. : projects/<project-id>/global/networks/<network-name>
-allocated_ip_range: range1
 primary_instance:
   instance_id : <instance-id-here>
   display_name : <instance-display-name-here>
@@ -12,3 +11,5 @@ primary_instance:
   database_flags : null
 read_pool_instance : null
 automated_backup_policy : null
+connectivity_options: "psc" # Use "psa" for PSA connectivity
+psc_allowed_consumer_projects: ["<project-number>, <project-number>"] # Include the list of allowed consumer projects here

configuration/producer/GKE/config/instance.yaml.example

@@ -4,4 +4,4 @@ network : <cluster-vpc>
 subnetwork : <cluster-vpc-subnetwork>
 ip_range_pods : <cluster-range-for-pods>
 ip_range_services : <cluster-range-for-services>
-kubernetes_version : <cluster-version> # e.g. : 1.27
+kubernetes_version : <cluster-version> # e.g. : 1.31.1-gke.2105000

docs/AlloyDB/alloydbinstance-using-psa-accessed-from-gce.md

@@ -267,7 +267,7 @@ To use this configuration solution, ensure the following are installed:
 2. Remove the resources that were provisioned by the solution guide:
 
     ```
-    ./run.sh -s all -t init-destroy-auto-approve
+    ./run.sh -s all -t destroy-auto-approve
     ```
 
 Terraform displays a list of the resources that will be destroyed.