
ER: Provincial Client: Fortinet based hub-spoke Landing Zone

Open fmichaelobrien opened this issue 11 months ago • 17 comments

Start: 20240305. High Level Strategy: last update 20240314 with client team.

  • all 4 bring the system up in one of the following ways
  • unchanged = existing repo issues
    • output: defaults only
  • localization - run tf locally with 1.3
    • output: local issues only
  • replace with TF 1.6 (for PBR)
    • output: TF 1.3 to 1.6 upgrade problems
  • architecture update (Fortigate 4 + 2+ VPCs) - get diff between (optionally running) TEF arch and target Arch
  • scripting changes below (local, tfvars, symlinks)
  • Integrate Fortinet TF for VMs - disable TEF transitive VMs

20240314: in parallel plan

  • lower priority: 0: running the TEF unmodified as CB/CSR - to avoid CB related issues for now

  • All-devs: 1: Local: Run locally as TF 1.3 (check: optional support removed in 1.4) - no build tool - no CB/CSR. Start with TF 1.6 (not necessarily 1.7): we know 1.3.0 works; check that 1.6.0 works out-of-the-box locally with no build tool (no Cloud Build for now). Keep the terraform-google-modules links for now - see https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/1-org/README.md#running-terraform-locally

  • Andres: 1: run local TF on TF 1.6 - follow https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/1-org/README.md#running-terraform-locally and check whether the TF 1.6 local build fails. If it does, we need a 1.3-1.6 upgrade: what are the mods from the last upgrade reference, and what could be modifiable in the 1.3.0 upgrade under https://github.com/terraform-google-modules/terraform-example-foundation/pull/831/files (see the 1.7.4 to 1.3.0 downgrade comment).

  • no need to update the Dockerfile from 1.3 - as CB is out of the picture for local deployment

  • Marian, Youssef 3: localize terraform-google-modules links - either static or dynamic (current)

  • Marian, Youssef 4: scripts for localized modules (sed removals, version removal and ../local rewrites), fix symlinks - including those that point to an n/a tfvars

Priority: split why vs how

  • P1 - FG into TEF (req for: zero-trust, pbr over default routing)
    • P1.1 - PBR (policy based routing) as part of FG - see https://github.com/terraform-google-modules/terraform-example-foundation/issues/1141
    • P1.2 - VMs for transitivity refactor (TG like routing handled by FGs) - see https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/3-networks-hub-and-spoke/modules/transitivity/main.tf#L38
    • P1.1.1 - TF 1.6+ upgrade required for PBR (in concert with the ILB):
      • will likely need a repo-wide upgrade to mitigate chained and x-ref state imports between modules
  • P2 - hardcoding into root script/yaml
    • P2.1 add sh script at least for 0-bootstrap
  • P3 - CB/CSR retrofit for bringing in ADO
    • P3.1 - localized deployment - aka "../path" no double google/tf-gcp links (as in PBMM repo)

Future:

  • cover off armor standard, waf, acm
  • fix 0-bootstrap run locally - expand it like 1, 2, 3

Refer to symlinks: https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/environments/bootstrap/bootstrap.sh#L453

Tracking Issue: https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/345
Org: olapp. Branch: https://github.com/CloudLandingZone/terraform-example-foundation
Previous TEF run Sept 2023 - https://github.com/terraform-google-modules/terraform-example-foundation/issues/940

Take the existing TEF V4 and adapt the Fortinet terraform example LB sandwich HA cluster below.
Verified: https://github.com/fortinet/fortigate-tutorial-gcp/tree/main/terraform
Unverified: https://github.com/40net-cloud/fortinet-gcp-solutions/tree/master/FortiGate
Look at the best one from Fortinet: https://github.com/fortinet/fortigate-terraform-deploy/tree/main/gcp/7.4

Architecture

  • https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/wiki/Architecture

Base Landing Zone

[image: Screenshot 2024-03-04 at 12 48 02 PM]

Merged with Fortigate LB sandwich cluster - re-peer with above

[image: Screenshot 2024-03-04 at 12 47 18 PM]

  • see the existing LZ V2 architecture that we will generally model off, as a de facto port from KCC LZ V2
  • core-landing-zone - https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/solutions/core-landing-zone
  • client-setup - https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/solutions/client-setup
  • client-landing-zone - https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/solutions/client-landing-zone
  • client-project-setup - https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/solutions/client-project-setup
  • guardrails - https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/solutions/guardrails

fmichaelobrien Mar 05 '24 20:03
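The localization step called for in item 4 and P3.1 above (rewrite terraform-google-modules registry sources to ../local paths, drop the registry version pins, and find symlinks that point at a tfvars file that is not there), as an added example that is not part of this issue and is not taken from the TEF or pbmm-on-gcp-onboarding repos. It assumes the vendored module copies live under ../local/<module-name> and keep the registry's modules/<submodule> layout, and it uses awk rather than sed so that only the version pin inside a rewritten module block is removed; the version constraint in required_providers, which is what actually pins the google provider, is left alone. The sample main.tf and the symlink layout are constructed for the example.

```shell
#!/bin/sh
# Added example (not TEF or pbmm-on-gcp-onboarding code): localize registry
# module sources to vendored ../local paths and find dangling tfvars symlinks.
# Assumption: vendored copies live under "$2/<module-name>" with the registry's
# "modules/<submodule>" layout preserved.

localize_modules() {
  # $1 = .tf file to rewrite (result goes to stdout), $2 = local prefix, e.g. ../local
  awk -v localdir="$2" '
    # entering a module block: start tracking; nothing rewritten yet
    /^module[ \t]+"/ { in_module = 1; localized = 0 }

    # registry source inside a module block -> local path, indentation preserved
    in_module && /source[ \t]*=[ \t]*"terraform-google-modules\// {
      q1 = index($0, "\"")              # opening quote of the source string
      prefix = substr($0, 1, q1 - 1)    # keep "  source  = " exactly as written
      rest = substr($0, q1 + 1)
      src = substr(rest, 1, index(rest, "\"") - 1)
      sub(/^terraform-google-modules\//, "", src)   # drop the registry namespace
      sub(/\/google\/\//, "/", src)                 # NAME/google//modules/x -> NAME/modules/x
      sub(/\/google$/, "", src)                     # NAME/google -> NAME
      print prefix "\"" localdir "/" src "\""
      localized = 1
      next
    }

    # a version pin is only valid for registry sources: drop it after a rewrite,
    # but never touch version lines outside rewritten module blocks
    in_module && localized && /^[ \t]*version[ \t]*=/ { next }

    /^}/ { in_module = 0; localized = 0 }
    { print }
  ' "$1"
}

dangling_links() {
  # $1 = env directory to scan; prints every symlink whose target does not exist
  # (TEF env dirs symlink shared tfvars; a link to an "n/a" tfvars only fails at plan time)
  find "$1" -type l ! -exec test -e {} \; -print
}

make_sample() {
  # Constructed sample env dir (not a real TEF environment); prints its path.
  sample_dir="$(mktemp -d)"
  cat > "$sample_dir/main.tf" <<'EOF'
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 4.50"
    }
  }
}

module "subnets" {
  source  = "terraform-google-modules/network/google//modules/subnets"
  version = "~> 8.0"
  project_id = var.project_id
}

module "folders" {
  source  = "terraform-google-modules/folders/google"
  version = "~> 4.0"
  parent  = var.parent
}

module "fortigate" {
  source = "./modules/fortigate"
}
EOF
  printf 'project_id = "example"\n' > "$sample_dir/common.auto.tfvars"
  ln -s "$sample_dir/common.auto.tfvars" "$sample_dir/shared.auto.tfvars"              # resolves
  ln -s "$sample_dir/../does-not-exist/terraform.tfvars" "$sample_dir/terraform.tfvars" # dangling
  printf '%s\n' "$sample_dir"
}

# Stand-alone demo: rewrite the sample, then list the symlink that would break plan.
SAMPLE_DIR="$(make_sample)"
localize_modules "$SAMPLE_DIR/main.tf" "../local"
echo "dangling symlinks:"
dangling_links "$SAMPLE_DIR"
rm -rf "$SAMPLE_DIR"
```

Once sources point at ../local, plan and apply no longer fetch module code from the public registry at run time: the code that runs is exactly what was vendored and reviewed into ../local, so the git history of that directory becomes the audit trail that the registry version pin used to provide, and it should be kept under the same review gates as the root modules.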