terraform-google-modules · mariammartins · Aug 4, 2025 · Aug 4, 2025 · Aug 4, 2025 · Aug 4, 2025
@@ -565,12 +565,11 @@ or go to [Deploying step 3-networks-hub-and-spoke](#deploying-step-3-networks-hu
    chmod 755 ./tf-wrapper.sh
    ```
 
-1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `production.auto.example.tfvars` to `production.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`.
+1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, and rename `production.auto.example.tfvars` to `production.auto.tfvars`.
 
    ```bash
    mv common.auto.example.tfvars common.auto.tfvars
    mv production.auto.example.tfvars production.auto.tfvars
-   mv access_context.auto.example.tfvars access_context.auto.tfvars
    ```
 
 1. Update the file `production.auto.tfvars` with the values for the `target_name_server_addresses`.
@@ -665,7 +664,7 @@ An environment variable `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` will be set with th
 
 1. Push your production branch since development and nonproduction depends it.
 
-*Note:** The Production envrionment must be the first branch to be pushed as it includes the DNS Hub communication that will be used by other environments.
+*Note:** The Production environment must be the first branch to be pushed as it includes the DNS Hub communication that will be used by other environments.
 
    ```bash
    git add .
@@ -762,12 +761,11 @@ An environment variable `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` will be set with th
    chmod 755 ./tf-wrapper.sh
    ```
 
-1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `shared.auto.example.tfvars` to `shared.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`.
+1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, and rename `shared.auto.example.tfvars` to `shared.auto.tfvars`.
 
    ```bash
    mv common.auto.example.tfvars common.auto.tfvars
    mv shared.auto.example.tfvars shared.auto.tfvars
-   mv access_context.auto.example.tfvars access_context.auto.tfvars
    ```
 
 1. Update `common.auto.tfvars` file with values from your GCP environment.

@@ -568,12 +568,11 @@ or go to [Deploying step 3-networks-hub-and-spoke](#deploying-step-3-networks-hu
    chmod 755 ./*.sh
    ```
 
-1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `production.auto.example.tfvars` to `production.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`.
+1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, and rename `production.auto.example.tfvars` to `production.auto.tfvars`.
 
    ```bash
    mv common.auto.example.tfvars common.auto.tfvars
    mv production.auto.example.tfvars production.auto.tfvars
-   mv access_context.auto.example.tfvars access_context.auto.tfvars
    ```
 
 1. Update the file `production.auto.tfvars` with the values for the `target_name_server_addresses`.
@@ -668,7 +667,7 @@ An environment variable `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` will be set with th
 
    1. Push your production branch since development and nonproduction depends it.
 
-*Note:** The Production envrionment must be the first branch to be pushed as it includes the DNS Hub communication that will be used by other environments.
+*Note:** The Production environment must be the first branch to be pushed as it includes the DNS Hub communication that will be used by other environments.
 
    ```bash
    git add .
@@ -742,12 +741,11 @@ An environment variable `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` will be set with th
    chmod 755 ./*.sh
    ```
 
-1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `shared.auto.example.tfvars` to `shared.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`.
+1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, and rename `shared.auto.example.tfvars` to `shared.auto.tfvars`.
 
    ```bash
    mv common.auto.example.tfvars common.auto.tfvars
    mv shared.auto.example.tfvars shared.auto.tfvars
-   mv access_context.auto.example.tfvars access_context.auto.tfvars
    ```
 
 1. Update `common.auto.tfvars` file with values from your GCP environment.

@@ -599,12 +599,11 @@ Here you will configure a VPN Network tunnel to enable connectivity between the
    sed -i'' -e "s/CICD_PROJECT_ID/${CICD_PROJECT_ID}/" ./Jenkinsfile
    ```
 
-1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `production.auto.example.tfvars` to `production.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`.
+1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, and rename `production.auto.example.tfvars` to `production.auto.tfvars`.
 
    ```bash
    mv common.auto.example.tfvars common.auto.tfvars
    mv production.auto.example.tfvars production.auto.tfvars
-   mv access_context.auto.example.tfvars access_context.auto.tfvars
    ```
 
 1. Update `common.auto.tfvars` file with values from your environment and bootstrap. See any of the envs folder [README.md](../3-networks-svpc/envs/production/README.md) files for additional information on the values in the `common.auto.tfvars` file.
@@ -752,12 +751,11 @@ Here you will configure a VPN Network tunnel to enable connectivity between the
    sed -i'' -e "s/CICD_PROJECT_ID/${CICD_PROJECT_ID}/" ./Jenkinsfile
    ```
 
-1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `shared.auto.example.tfvars` to `shared.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`.
+1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, and rename `shared.auto.example.tfvars` to `shared.auto.tfvars`.
 
    ```bash
    mv common.auto.example.tfvars common.auto.tfvars
    mv shared.auto.example.tfvars shared.auto.tfvars
-   mv access_context.auto.example.tfvars access_context.auto.tfvars
    ```
 
 1. Update `common.auto.tfvars` file with values from your environment and bootstrap. See any of the envs folder [README.md](../3-networks-hub-and-spoke/envs/production/README.md) files for additional information on the values in the `common.auto.tfvars` file.

@@ -476,12 +476,11 @@ or go to [Deploying step 3-networks-hub-and-spoke](#deploying-step-3-networks-hu
    chmod 755 ./tf-wrapper.sh
    ```
 
-1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `production.auto.example.tfvars` to `production.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`.
+1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, and rename `production.auto.example.tfvars` to `production.auto.tfvars`.
 
    ```bash
    mv common.auto.example.tfvars common.auto.tfvars
    mv production.auto.example.tfvars production.auto.tfvars
-   mv access_context.auto.example.tfvars access_context.auto.tfvars
    ```
 
 1. Update the file `production.auto.tfvars` with the values for the `target_name_server_addresses`.
@@ -639,12 +638,11 @@ An environment variable `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` will be set with th
    chmod 755 ./tf-wrapper.sh
    ```
 
-1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `shared.auto.example.tfvars` to `shared.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`.
+1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, and rename `shared.auto.example.tfvars` to `shared.auto.tfvars`.
 
    ```bash
    mv common.auto.example.tfvars common.auto.tfvars
    mv shared.auto.example.tfvars shared.auto.tfvars
-   mv access_context.auto.example.tfvars access_context.auto.tfvars
    ```
 
 1. Update `common.auto.tfvars` file with values from your GCP environment.

@@ -546,6 +546,7 @@ The following steps will guide you through deploying without using Cloud Build.
 | cloud\_build\_worker\_range\_id | The Cloud Build private worker IP range ID. |
 | cloud\_builder\_artifact\_repo | Artifact Registry (AR) Repository created to store TF Cloud Builder images. |
 | cloudbuild\_project\_id | Project where Cloud Build configuration and terraform container image will reside. |
+| cloudbuild\_project\_number | The cloudbuild project number. |
 | common\_config | Common configuration data to be used in other steps. |
 | csr\_repos | List of Cloud Source Repos created by the module, linked to Cloud Build triggers. |
 | environment\_step\_terraform\_service\_account\_email | Environment Step Terraform Account |
@@ -555,9 +556,11 @@ The following steps will guide you through deploying without using Cloud Build.
 | networks\_step\_terraform\_service\_account\_email | Networks Step Terraform Account |
 | optional\_groups | List of Google Groups created that are optional to the Example Foundation steps. |
 | organization\_step\_terraform\_service\_account\_email | Organization Step Terraform Account |
+| parent\_id | Parent ID service account. |
 | projects\_gcs\_bucket\_tfstate | Bucket used for storing terraform state for stage 4-projects foundations pipelines in seed project. |
 | projects\_step\_terraform\_service\_account\_email | Projects Step Terraform Account |
 | required\_groups | List of Google Groups created that are required by the Example Foundation steps. |
 | seed\_project\_id | Project where service accounts and core APIs will be enabled. |
+| seed\_project\_number | The seed project number. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
@@ -280,3 +280,8 @@ resource "google_sourcerepo_repository_iam_member" "member" {
 
   depends_on = [module.tf_source]
 }
+
+data "google_project" "cloudbuild_project" {
+  project_id = module.tf_source.cloudbuild_project_id
+  depends_on = [module.tf_source]
+}
@@ -106,3 +106,8 @@ module "seed_bootstrap" {
 
   depends_on = [module.required_group]
 }
+
+data "google_project" "seed_project" {
+  project_id = module.seed_bootstrap.seed_project_id
+  depends_on = [module.seed_bootstrap]
+}
@@ -3,8 +3,9 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| private\_worker\_pool | name: Name of the worker pool. A name with a random suffix is generated if not set.<br>  region: The private worker pool region. See https://cloud.google.com/build/docs/locations for available locations.<br>  disk\_size\_gb: Size of the disk attached to the worker, in GB.<br>  machine\_type: Machine type of a worker.<br>  no\_external\_ip: If true, workers are created without any public address, which prevents network egress to public IPs.<br>  enable\_network\_peering: Set to true to enable configuration of networking peering for the private worker pool.<br>  create\_peered\_network: If true a network will be created to stablish the network peering.<br>  peered\_network\_id: The ID of the existing network to configure peering for the private worker pool if create\_peered\_network false. The project containing the network must have Service Networking API (`servicenetworking.googleapis.com`) enabled.<br>  peered\_network\_subnet\_ip: The IP range to be used for the subnet that a will created in the peered network if create\_peered\_network true.<br>  peering\_address: The IP address or beginning of the peering address range. This can be supplied as an input to reserve a specific address or omitted to allow GCP to choose a valid one.<br>  peering\_prefix\_length: The prefix length of the IP peering range. If not present, it means the address field is a single IP address. | <pre>object({<br>    name                     = optional(string, "")<br>    region                   = optional(string, "us-central1")<br>    disk_size_gb             = optional(number, 100)<br>    machine_type             = optional(string, "e2-medium")<br>    no_external_ip           = optional(bool, false)<br>    enable_network_peering   = optional(bool, false)<br>    create_peered_network    = optional(bool, false)<br>    peered_network_id        = optional(string, "")<br>    peered_network_subnet_ip = optional(string, "")<br>    peering_address          = optional(string, null)<br>    peering_prefix_length    = optional(number, 24)<br>  })</pre> | `{}` | no |
+| private\_worker\_pool | name: Name of the worker pool. A name with a random suffix is generated if not set.<br>  region: The private worker pool region. See https://cloud.google.com/build/docs/locations for available locations.<br>  disk\_size\_gb: Size of the disk attached to the worker, in GB.<br>  machine\_type: Machine type of a worker.<br>  no\_external\_ip: If true, workers are created without any public address, which prevents network egress to public IPs.<br>  enable\_network\_peering: Set to true to enable configuration of networking peering for the private worker pool.<br>  create\_peered\_network: If true a network will be created to stablish the network peering.<br>  peered\_network\_id: The ID of the existing network to configure peering for the private worker pool if create\_peered\_network false. The project containing the network must have Service Networking API (`servicenetworking.googleapis.com`) enabled.<br>  peered\_network\_subnet\_ip: The IP range to be used for the subnet that a will created in the peered network if create\_peered\_network true.<br>  peering\_address: The IP address or beginning of the peering address range. This can be supplied as an input to reserve a specific address or omitted to allow GCP to choose a valid one.<br>  peering\_prefix\_length: The prefix length of the IP peering range. If not present, it means the address field is a single IP address. | <pre>object({<br>    name                     = optional(string, "")<br>    region                   = optional(string, "us-central1")<br>    disk_size_gb             = optional(number, 100)<br>    machine_type             = optional(string, "e2-medium")<br>    no_external_ip           = optional(bool, true)<br>    enable_network_peering   = optional(bool, true)<br>    create_peered_network    = optional(bool, true)<br>    peered_network_id        = optional(string, "")<br>    peered_network_subnet_ip = optional(string, "")<br>    peering_address          = optional(string, null)<br>    peering_prefix_length    = optional(number, 24)<br>  })</pre> | `{}` | no |
 | project\_id | ID of the project where the private pool will be created | `string` | n/a | yes |
+| subnet\_region | Region where a subnet will be created in the sigle project network. | `string` | `"us-central1"` | no |
 | vpc\_flow\_logs | aggregation\_interval: Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Possible values are: INTERVAL\_5\_SEC, INTERVAL\_30\_SEC, INTERVAL\_1\_MIN, INTERVAL\_5\_MIN, INTERVAL\_10\_MIN, INTERVAL\_15\_MIN.<br>  flow\_sampling: Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. The value of the field must be in [0, 1].<br>  metadata: Configures whether metadata fields should be added to the reported VPC flow logs. Possible values are: EXCLUDE\_ALL\_METADATA, INCLUDE\_ALL\_METADATA, CUSTOM\_METADATA.<br>  metadata\_fields: ist of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM\_METADATA.<br>  filter\_expr: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. | <pre>object({<br>    aggregation_interval = optional(string, "INTERVAL_5_SEC")<br>    flow_sampling        = optional(string, "0.5")<br>    metadata             = optional(string, "INCLUDE_ALL_METADATA")<br>    metadata_fields      = optional(list(string), [])<br>    filter_expr          = optional(string, "true")<br>  })</pre> | `{}` | no |
 | vpn\_configuration | enable\_vpn: set to true to create VPN connection to on prem. If true, the following values must be valid.<br>  on\_prem\_public\_ip\_address0: The first public IP address for on prem VPN connection.<br>  on\_prem\_public\_ip\_address1: The second public IP address for on prem VPN connection.<br>  router\_asn: Border Gateway Protocol (BGP) Autonomous System Number (ASN) for cloud routes.<br>  bgp\_peer\_asn: Border Gateway Protocol (BGP) Autonomous System Number (ASN) for peer cloud routes.<br>  shared\_secret: The shared secret used in the VPN.<br>  psk\_secret\_project\_id: The ID of the project that contains the secret from secret manager that holds the VPN pre-shared key.<br>  psk\_secret\_name: The name of the secret to retrieve from secret manager that holds the VPN pre-shared key.<br>  tunnel0\_bgp\_peer\_address: BGP peer address for tunnel 0.<br>  tunnel0\_bgp\_session\_range: BGP session range for tunnel 0.<br>  tunnel1\_bgp\_peer\_address: BGP peer address for tunnel 1.<br>  tunnel1\_bgp\_session\_range: BGP session range for tunnel 1. | <pre>object({<br>    enable_vpn                 = optional(bool, false)<br>    on_prem_public_ip_address0 = optional(string, "")<br>    on_prem_public_ip_address1 = optional(string, "")<br>    router_asn                 = optional(number, 64515)<br>    bgp_peer_asn               = optional(number, 64513)<br>    psk_secret_project_id      = optional(string, "")<br>    psk_secret_name            = optional(string, "")<br>    tunnel0_bgp_peer_address   = optional(string, "")<br>    tunnel0_bgp_session_range  = optional(string, "")<br>    tunnel1_bgp_peer_address   = optional(string, "")<br>    tunnel1_bgp_session_range  = optional(string, "")<br>  })</pre> | `{}` | no |