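apiVersion: v1
kind: ConfigMap
metadata:
  name: setters
  annotations:
    # Marks this ConfigMap as local configuration (kpt setters); it is consumed
    # at render time and is not meant to be applied to the cluster.
    config.kubernetes.io/local-config: "true"
data:
  # Organization ID (quoted so the all-digit value stays a string)
  org-id: "123456789012"
  # Billing Account ID to be associated with this project
  project-billing-id: "AAAAAA-BBBBBB-CCCCCC"
  # GCP folder to use as parent to this project, lowercase K8S resource name
  project-parent-folder: project-parent-folder
  # Naming Convention for project-id : <tenant-code><environment-code>m<data-classification>-<project-owner>-<user defined string>
  # Max 30 characters
  hub-project-id: xxdmu-admin1-projectname
  # Project ID of the project hosting the config controller instance
  management-project-id: management-project-id
  # Identity that should be allowed to access the management VM using IAP TCP forwarding
  # https://cloud.google.com/iap/docs/using-tcp-forwarding
  # Prefer a dedicated, narrowly scoped group (as in the example) over individual
  # users so that access to the management VM is managed through group membership.
  hub-admin: group:group@domain.com
  #################
  # Org Policies
  #################
  # This list constraint defines the set of VPC networks
  # that are allowed to be peered with the VPC networks belonging to this project, see YAML file for more info:
  # org-policies/exceptions/compute-restrict-vpc-peering-except-hub-project.yaml
  # this setting MUST be changed to include the ORG ID
  project-allowed-restrict-vpc-peering: |
    - under:organizations/ORGANIZATION_ID
  # This list constraint defines the set of Compute Engine VM instances that are allowed to use external IP addresses, see YAML file for more info:
  # org-policies/exceptions/compute-vm-external-ip-access-except-hub-project.yaml
  # this setting MUST be changed to include the hub project ID
  project-allowed-vm-external-ip-access: |
    - "projects/HUB_PROJECT_ID/zones/northamerica-northeast1-a/instances/fgt-primary-instance"
    - "projects/HUB_PROJECT_ID/zones/northamerica-northeast1-b/instances/fgt-secondary-instance"
  # This list constraint defines the set of VM instances that can enable IP forwarding, see YAML file for more info:
  # org-policies/exceptions/compute-vm-can-ip-forward-except-hub-project.yaml
  # this setting MUST be changed to include the hub project ID
  project-allowed-vm-can-ip-forward: |
    - "projects/HUB_PROJECT_ID/zones/northamerica-northeast1-a/instances/fgt-primary-instance"
    - "projects/HUB_PROJECT_ID/zones/northamerica-northeast1-b/instances/fgt-secondary-instance"
  #################
  # Fortigate
  #################
  # The Fortigate admin password cannot be defined in the setters.yaml file at the moment.
  # Until this is fixed, you will need to set it in the search-replace-config.yaml file.
  # fgt-admin-password: CHANGE_IN_search-replace-config.yaml
  #################
  # Primary
  # Having distinct images allows one to use a Licensed Fortigate for the primary and a Pay-as-you-Go license for the secondary
  # and run the secondary just a couple of minutes each day for syncing purposes thus obtaining an affordable cold standby.
  fgt-primary-image: projects/fortigcp-project-001/global/images/fortinet-fgtondemand-724-20230201-001-w-license
  # replace the word LICENSE below with the actual license value. Not required if using the Pay-as-you-Go image.
  # The license is a sensitive value: if it is filled in here, it becomes part of the
  # committed file. Prefer supplying it at render/apply time and keeping the LICENSE
  # placeholder in the committed copy.
  fgt-primary-license: |
    LICENSE
  #################
  # Secondary
  fgt-secondary-image: projects/fortigcp-project-001/global/images/fortinet-fgtondemand-724-20230201-001-w-license
  # replace the word LICENSE below with the actual license value. Not required if using the Pay-as-you-Go image.
  # Same caveat as for the primary license: avoid committing the real value.
  fgt-secondary-license: |
    LICENSE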