This Terraform configuration provides a modular and YAML-driven approach for deploying and managing Google Cloud Network Connectivity Center (NCC) resources. It enables you to create and manage NCC hubs, VPC spokes, producer VPC spokes, hybrid spokes, and router appliance spokes, supporting both mesh and hub-and-spoke topologies.
Key features of this configuration include:
- YAML-driven configuration: Define NCC hubs and spokes in YAML files for easy management and reproducibility.
- Multiple topologies: Choose between mesh and hub-and-spoke using the `preset_topology` variable.
- Flexible spoke types: Configure VPC, producer, hybrid, and router appliance spokes.
- Auto-accept projects: Automatically accept connections from specified projects.
- PSC transitivity: Optionally enable Private Service Connect transitivity.
- Modularity: Easily add or remove NCC resources by editing YAML files.
- Reusability: Use the same configuration structure for different environments.
- Automation: Supports automated deployment of complex NCC topologies.
Before creating NCC resources, ensure you have completed the following prerequisites:
- Completed prior stages:
  - 01-organization: This stage handles the activation of required Google Cloud APIs.
- Enable the following APIs:
  - Compute Engine API: Used for VPC networks, subnets, and related resources.
  - Service Networking API: Required for Private Service Access (PSA) configurations.
  - Network Connectivity API: Enables NCC resources.
  - Service Consumer Management API: Required for Private Service Connect endpoints.
- Permissions required for this stage:
  - Network Connectivity Admin: `roles/networkconnectivity.admin` – Full control over NCC resources.
  - Compute Network Admin: `roles/compute.networkAdmin` – Manage VPC networks and related resources.
The stage consists of the following files:
- `locals.tf`: Loads and processes YAML configuration files for NCC.
- `ncc.tf`: Instantiates the NCC module for each hub defined in the configuration.
- `variables.tf`: Input variables for customizing the deployment.
- `output.tf`: Exposes module outputs.
To configure NCC for your environment, create YAML files in the `../../../configuration/ncc/config/` directory. Example:

```yaml
hubs:
  - name: <hub_name>
    project_id: <hub_project_id>
    description: "Example NCC Hub"
    labels:
      env: prod
    export_psc: true
    policy_mode: PRESET
    preset_topology: MESH
    auto_accept_projects:
      - <hub_project_id>
      - <secondary_project_id>
    create_new_hub: false
    existing_hub_uri: "projects/<hub_project_id>/locations/global/hubs/<hub_name>"
    group_name: default
    group_decription: "Auto-accept group"
    spoke_labels:
      team: network
    spokes:
      - type: "producer_vpc_spoke"
        name: "producer-spoke-1"
        project_id: "producerspoke1-project-id"
        location: "global"
        uri: "projects/producerspoke1-project-id/global/networks/producer-spoke-1-vpc"
        description: "Producer VPC spoke for shared services"
        peering: "servicenetworking-googleapis-com"
        exclude_export_ranges: []
        labels:
          env: "prod"
```

NOTE: Run the Terraform commands with `-var-file` referencing your NCC tfvars file if you override the defaults.
```shell
terraform init
terraform plan
terraform apply
```

The module reads all YAML files in the config folder and creates the corresponding NCC resources.
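Two settings in these files deserve a check before `terraform plan`: every project listed in `auto_accept_projects` can attach spokes to the hub without review, and `existing_hub_uri` must point at the hub's own project and name. The pre-apply check below is an added example, not code from this stage or the module; it validates the decoded document (what `yaml.safe_load` returns, so it runs without PyYAML), and the sample config, the allowlist and the `SPOKE_TYPES` set are constructed for illustration.

```python
import re

# Spoke types used by this stage's examples (constructed set; extend as needed).
SPOKE_TYPES = {"vpc_spoke", "producer_vpc_spoke", "linked_interconnect_attachments"}
HUB_URI = re.compile(r"^projects/(?P<project>[^/]+)/locations/global/hubs/(?P<name>[^/]+)$")


def validate_hub(hub, allowed_projects):
    """Return a list of findings for one entry under `hubs:` (empty = passed)."""
    findings = []
    name = hub.get("name", "<unnamed>")
    if hub.get("create_new_hub"):
        if hub.get("existing_hub_uri"):
            findings.append(f"{name}: create_new_hub is true but existing_hub_uri is set")
    else:
        m = HUB_URI.match(hub.get("existing_hub_uri") or "")
        if m is None:
            findings.append(f"{name}: existing_hub_uri must look like projects/<p>/locations/global/hubs/<n>")
        elif (m["project"], m["name"]) != (hub.get("project_id"), name):
            findings.append(f"{name}: existing_hub_uri does not match project_id/name")
    # Projects listed here get their spokes accepted without review, so each
    # one must be on an explicit allowlist maintained outside the YAML.
    for project in hub.get("auto_accept_projects", []):
        if project not in allowed_projects:
            findings.append(f"{name}: auto_accept_projects contains non-allowlisted {project}")
    for spoke in hub.get("spokes", []):
        sname = spoke.get("name", "<unnamed>")
        if spoke.get("type") not in SPOKE_TYPES:
            findings.append(f"{sname}: unsupported spoke type {spoke.get('type')}")
        # VPC and producer spokes carry a single `uri`; hybrid spokes carry `uris`.
        for uri in spoke.get("uris") or [spoke.get("uri")]:
            if not uri or not uri.startswith(f"projects/{spoke.get('project_id')}/"):
                findings.append(f"{sname}: uri {uri} is not in project {spoke.get('project_id')}")
    return findings


def validate_config(config, allowed_projects):
    """`config` is one decoded YAML document, i.e. the output of yaml.safe_load."""
    return [f for hub in config.get("hubs", []) for f in validate_hub(hub, allowed_projects)]


# Constructed sample: the decoded form of a hub YAML with two deliberate mistakes
# (a stray project in auto_accept_projects and a spoke URI in the wrong project).
SAMPLE_CONFIG = {"hubs": [{
    "name": "hub-a", "project_id": "hub-proj",
    "create_new_hub": False,
    "existing_hub_uri": "projects/hub-proj/locations/global/hubs/hub-a",
    "auto_accept_projects": ["hub-proj", "spoke-proj", "stray-proj"],
    "spokes": [{"type": "vpc_spoke", "name": "spoke-1", "project_id": "spoke-proj",
                "uri": "projects/other-proj/global/networks/spoke-1-vpc"}],
}]}
```

Run `validate_config(yaml.safe_load(open(path)), allowlist)` over each file in the config folder and fail the pipeline when the returned list is non-empty.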
Example: create a new hub with a VPC spoke and a producer VPC spoke:

```yaml
hubs:
  - name: <hub_name>
    project_id: <hub_project_id>
    description: "Example NCC Hub"
    labels:
      env: prod
    export_psc: true
    policy_mode: PRESET
    preset_topology: MESH
    auto_accept_projects:
      - <hub_project_id>
      - <secondary_project_id>
    create_new_hub: true
    existing_hub_uri: ""
    group_name: default
    group_decription: "Auto-accept group"
    spoke_labels:
      team: network
    spokes:
      - type: "vpc_spoke"
        name: "spoke-1"
        project_id: "<spoke1_project_id>"
        uri: "projects/<spoke1_project_id>/global/networks/spoke-1-vpc"
        description: "Primary VPC spoke for production"
        labels:
          env: "prod"
      - type: "producer_vpc_spoke"
        name: "producer-spoke-1"
        project_id: "producerspoke1-project-id"
        location: "global"
        uri: "projects/producerspoke1-project-id/global/networks/producer-spoke-1-vpc"
        description: "Producer VPC spoke for shared services"
        peering: "servicenetworking-googleapis-com"
        exclude_export_ranges: []
        labels:
          env: "prod"
```

Example: attach the same spokes to an existing hub (`create_new_hub: false` with `existing_hub_uri` set):

```yaml
hubs:
  - name: <hub_name>
    project_id: <hub_project_id>
    description: "Example NCC Hub"
    labels:
      env: prod
    export_psc: true
    policy_mode: PRESET
    preset_topology: MESH
    auto_accept_projects:
      - <hub_project_id>
      - <secondary_project_id>
    create_new_hub: false
    existing_hub_uri: "projects/<hub_project_id>/locations/global/hubs/<hub_name>"
    group_name: default
    group_decription: "Auto-accept group"
    spoke_labels:
      team: network
    spokes:
      - type: "vpc_spoke"
        name: "spoke-1"
        project_id: "<spoke1_project_id>"
        uri: "projects/<spoke1_project_id>/global/networks/spoke-1-vpc"
        description: "Primary VPC spoke for production"
        labels:
          env: "prod"
      - type: "producer_vpc_spoke"
        name: "producer-spoke-1"
        project_id: "producerspoke1-project-id"
        location: "global"
        uri: "projects/producerspoke1-project-id/global/networks/producer-spoke-1-vpc"
        description: "Producer VPC spoke for shared services"
        peering: "servicenetworking-googleapis-com"
        exclude_export_ranges: []
        labels:
          env: "prod"
```

Example: create a new hub with a VPC spoke and a hybrid spoke backed by linked Interconnect attachments:

```yaml
hubs:
  - name: <hub_name>
    project_id: <hub_project_id>
    description: "Example NCC Hub"
    labels:
      env: prod
    export_psc: true
    policy_mode: PRESET
    preset_topology: MESH
    auto_accept_projects:
      - <hub_project_id>
      - <secondary_project_id>
    create_new_hub: true
    existing_hub_uri: ""
    group_name: default
    group_decription: "Auto-accept group"
    spoke_labels:
      team: network
    spokes:
      - type: "vpc_spoke"
        name: "spoke-1"
        project_id: "<spoke1_project_id>"
        uri: "projects/<spoke1_project_id>/global/networks/spoke-1-vpc"
        description: "Primary VPC spoke for production"
        labels:
          env: "prod"
      - type: linked_interconnect_attachments
        name: <linked_interconnect_attachments_name>
        project_id: <spoke_project_id>
        location: <region>
        uris:
          - projects/<spoke_project_id>/regions/<region>/interconnectAttachments/<linked_interconnect_attachments_name>
          - projects/<spoke_project_id>/regions/<region>/interconnectAttachments/<linked_interconnect_attachments_name>
        description: interconnect-attachment
        labels:
          env: dev
```

NOTE: Run the Terraform commands with `-var-file` referencing the networking stage tfvars file present under the `/configuration` folder.
Outputs:
- `ncc_module`: Outputs from the NCC module, including hub and spoke details.
- Ensure all required APIs are enabled and permissions are granted.
- Adjust YAML fields as per your environment and naming conventions.
- For advanced topologies, refer to the Google Cloud NCC documentation.
| Name | Source | Version |
|---|---|---|
| network_connectivity_center | ../../../modules/network-connectivity-center | n/a |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| auto_accept_projects | List of projects to auto-accept. | list(string) | `[]` | no |
| config_folder_path | Location of YAML files holding NCC configuration values. | string | `"../../../configuration/networking/ncc/config"` | no |
| create_new_hub | Indicates if a new hub should be created. | bool | `false` | no |
| existing_hub_uri | URI of an existing NCC hub to use; if null, a new one is created. | string | `null` | no |
| export_psc | Whether Private Service Connect transitivity is enabled for the hub. | bool | `false` | no |
| group_decription | Description for the network connectivity group. | string | `"Used for auto-accepting projects"` | no |
| group_name | Name of the network connectivity group. | string | `"default"` | no |
| ncc_hub_description | Additional context or details about the purpose or usage of the hub. | string | `"Network Connectivity Center hub for managing and connecting multiple network resources."` | no |
| ncc_hub_labels | Labels to be attached to the Network Connectivity Center hub resource. | map(string) | `null` | no |
| policy_mode | Policy mode for the NCC hub. | string | `"PRESET"` | no |
| preset_topology | Preset topology for the NCC hub. | string | `"MESH"` | no |
| spoke_labels | Labels to be attached to the Network Connectivity Center spoke resource. | map(string) | `null` | no |
| Name | Description |
|---|---|
| ncc_module | The NCC Module outputs |