Extend net-vpc README with more tested examples

modules/net-vpc/README.md

@@ -33,6 +33,87 @@ module "vpc" {
 # tftest modules=1 resources=3 inventory=simple.yaml
 ```
 
+### Subnet Options
+```hcl
+module "vpc" {
+  source     = "./fabric/modules/net-vpc"
+  project_id = "my-project"
+  name       = "my-network"
+  subnets = [
+    # simple subnet
+    {
+      name          = "simple"
+      region        = "europe-west1"
+      ip_cidr_range = "10.0.0.0/24"
+    },
+    # custom description and PGA disabled
+    {
+      name                  = "no-pga"
+      region                = "europe-west1"
+      ip_cidr_range         = "10.0.1.0/24",
+      description           = "Subnet b"
+      enable_private_access = false
+    },
+    # secondary ranges
+    {
+      name          = "with-secondary-ranges"
+      region        = "europe-west1"
+      ip_cidr_range = "10.0.2.0/24"
+      secondary_ip_ranges = {
+        a = "192.168.0.0/24"
+        b = "192.168.1.0/24"
+      }
+    },
+    # enable flow logs
+    {
+      name          = "with-flow-logs"
+      region        = "europe-west1"
+      ip_cidr_range = "10.0.3.0/24"
+      flow_logs_config = {
+        flow_sampling        = 0.5
+        aggregation_interval = "INTERVAL_10_MIN"
+      }
+    }
+  ]
+}
+# tftest modules=1 resources=5 inventory=subnet-options.yaml
+```
+
+### Subnet IAM
+
+```hcl
+module "vpc" {
+  source     = "./fabric/modules/net-vpc"
+  project_id = "my-project"
+  name       = "my-network"
+  subnets = [
+    {
+      name          = "subnet-1"
+      region        = "europe-west1"
+      ip_cidr_range = "10.0.1.0/24"
+    },
+    {
+      name          = "subnet-2"
+      region        = "europe-west1"
+      ip_cidr_range = "10.0.1.0/24"
+    }
+  ]
+  subnet_iam = {
+    "europe-west1/subnet-1" = {
+      "roles/compute.networkUser" = [
+        "user:user1@example.com", "group:group1@example.com"
+      ]
+    }
+    "europe-west1/subnet-2" = {
+      "roles/compute.networkUser" = [
+        "user:user2@example.com", "group:group2@example.com"
+      ]
+    }
+  }
+}
+# tftest modules=1 resources=5 inventory=subnet-iam.yaml
+```
+
 ### Peering
 
 A single peering can be configured for the VPC, so as to allow management of simple scenarios, and more complex configurations like hub and spoke by defining the peering configuration on the spoke VPCs. Care must be taken so as a single peering is created/changed/destroyed at a time, due to the specific behaviour of the peering API calls.

tests/examples/test_plan.py

@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -49,10 +49,10 @@ def test_example(plan_validator, tmp_path, example):
     summary = plan_validator(module_path=tmp_path, inventory_paths=inventory,
                              tf_var_files=[])
 
-    import yaml
-    print(yaml.dump({"values": summary.values}))
-    print(yaml.dump({"counts": summary.counts}))
-    print(yaml.dump({"outputs": summary.outputs}))
+    # import yaml
+    # print(yaml.dump({"values": summary.values}))
+    # print(yaml.dump({"counts": summary.counts}))
+    # print(yaml.dump({"outputs": summary.outputs}))
 
     counts = summary.counts
     num_modules, num_resources = counts['modules'], counts['resources']

tests/modules/net_vpc/examples/subnet-iam.yaml

@@ -0,0 +1,54 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.vpc.google_compute_network.network[0]:
+    name: my-network
+    project: my-project
+  module.vpc.google_compute_subnetwork.subnetwork["europe-west1/subnet-1"]:
+    name: subnet-1
+    project: my-project
+    region: europe-west1
+  module.vpc.google_compute_subnetwork.subnetwork["europe-west1/subnet-2"]:
+    name: subnet-2
+    private_ip_google_access: true
+    project: my-project
+    region: europe-west1
+  module.vpc.google_compute_subnetwork_iam_binding.binding["europe-west1/subnet-1.roles/compute.networkUser"]:
+    condition: []
+    members:
+    - group:group1@example.com
+    - user:user1@example.com
+    project: my-project
+    region: europe-west1
+    role: roles/compute.networkUser
+    subnetwork: subnet-1
+  module.vpc.google_compute_subnetwork_iam_binding.binding["europe-west1/subnet-2.roles/compute.networkUser"]:
+    condition: []
+    members:
+    - group:group2@example.com
+    - user:user2@example.com
+    project: my-project
+    region: europe-west1
+    role: roles/compute.networkUser
+    subnetwork: subnet-2
+
+counts:
+  google_compute_network: 1
+  google_compute_subnetwork: 2
+  google_compute_subnetwork_iam_binding: 2
+  modules: 1
+  resources: 5
+
+outputs: {}

tests/modules/net_vpc/examples/subnet-options.yaml

@@ -0,0 +1,70 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.vpc.google_compute_network.network[0]:
+    name: my-network
+    project: my-project
+  module.vpc.google_compute_subnetwork.subnetwork["europe-west1/no-pga"]:
+    description: Subnet b
+    ip_cidr_range: 10.0.1.0/24
+    log_config: []
+    name: no-pga
+    private_ip_google_access: false
+    project: my-project
+    region: europe-west1
+    secondary_ip_range: []
+  module.vpc.google_compute_subnetwork.subnetwork["europe-west1/simple"]:
+    description: Terraform-managed.
+    ip_cidr_range: 10.0.0.0/24
+    log_config: []
+    name: simple
+    private_ip_google_access: true
+    project: my-project
+    region: europe-west1
+    secondary_ip_range: []
+  module.vpc.google_compute_subnetwork.subnetwork["europe-west1/with-flow-logs"]:
+    description: Terraform-managed.
+    ip_cidr_range: 10.0.3.0/24
+    ipv6_access_type: null
+    log_config:
+    - aggregation_interval: INTERVAL_10_MIN
+      filter_expr: 'true'
+      flow_sampling: 0.5
+      metadata: INCLUDE_ALL_METADATA
+      metadata_fields: null
+    name: with-flow-logs
+    private_ip_google_access: true
+    project: my-project
+    region: europe-west1
+    role: null
+    secondary_ip_range: []
+  module.vpc.google_compute_subnetwork.subnetwork["europe-west1/with-secondary-ranges"]:
+    description: Terraform-managed.
+    ip_cidr_range: 10.0.2.0/24
+    log_config: []
+    name: with-secondary-ranges
+    private_ip_google_access: true
+    project: my-project
+    region: europe-west1
+    role: null
+    secondary_ip_range:
+    - ip_cidr_range: 192.168.0.0/24
+      range_name: a
+    - ip_cidr_range: 192.168.1.0/24
+      range_name: b
+
+counts:
+  google_compute_network: 1
+  google_compute_subnetwork: 4

tests/modules/net_vpc/fixture/main.tf

@@ -1,30 +0,0 @@
-/**
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-module "test" {
-  source                      = "../../../../modules/net-vpc"
-  project_id                  = "test-project"
-  name                        = "test"
-  peering_config              = var.peering_config
-  routes                      = var.routes
-  shared_vpc_host             = var.shared_vpc_host
-  shared_vpc_service_projects = var.shared_vpc_service_projects
-  subnet_iam                  = var.subnet_iam
-  subnets                     = var.subnets
-  auto_create_subnetworks     = var.auto_create_subnetworks
-  psa_config                  = var.psa_config
-  data_folder                 = var.data_folder
-}

tests/modules/net_vpc/fixture/test.subnets.tfvars

@@ -1,44 +0,0 @@
-subnet_iam = {
-  "europe-west1/a" = {
-    "roles/compute.networkUser" = [
-      "user:a@example.com", "group:g-a@example.com"
-    ]
-  }
-  "europe-west1/c" = {
-    "roles/compute.networkUser" = [
-      "user:c@example.com", "group:g-c@example.com"
-    ]
-  }
-}
-subnets = [
-  {
-    name          = "a"
-    region        = "europe-west1"
-    ip_cidr_range = "10.0.0.0/24"
-  },
-  {
-    name                  = "b"
-    region                = "europe-west1"
-    ip_cidr_range         = "10.0.1.0/24",
-    description           = "Subnet b"
-    enable_private_access = false
-  },
-  {
-    name          = "c"
-    region        = "europe-west1"
-    ip_cidr_range = "10.0.2.0/24"
-    secondary_ip_ranges = {
-      a = "192.168.0.0/24"
-      b = "192.168.1.0/24"
-    }
-  },
-  {
-    name          = "d"
-    region        = "europe-west1"
-    ip_cidr_range = "10.0.3.0/24"
-    flow_logs_config = {
-      flow_sampling        = 0.5
-      aggregation_interval = "INTERVAL_10_MIN"
-    }
-  }
-]

tests/modules/net_vpc/fixture/variables.tf

@@ -1,101 +0,0 @@
-/**
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-variable "auto_create_subnetworks" {
-  type    = bool
-  default = false
-}
-
-variable "data_folder" {
-  type    = string
-  default = null
-}
-
-variable "delete_default_routes_on_create" {
-  type    = bool
-  default = false
-}
-
-variable "description" {
-  type    = string
-  default = "Terraform-managed."
-}
-
-variable "dns_policy" {
-  type    = any
-  default = null
-}
-
-variable "mtu" {
-  type    = number
-  default = null
-}
-
-variable "peering_config" {
-  type    = any
-  default = null
-}
-
-variable "psa_config" {
-  type    = any
-  default = null
-}
-
-variable "routes" {
-  type     = any
-  default  = {}
-  nullable = false
-}
-
-variable "routing_mode" {
-  type    = string
-  default = "GLOBAL"
-}
-
-variable "shared_vpc_host" {
-  type    = bool
-  default = false
-}
-
-variable "shared_vpc_service_projects" {
-  type    = list(string)
-  default = []
-}
-
-variable "subnets" {
-  type    = any
-  default = []
-}
-
-variable "subnet_iam" {
-  type    = map(map(list(string)))
-  default = {}
-}
-
-variable "subnets_proxy_only" {
-  type    = any
-  default = []
-}
-
-variable "subnets_psc" {
-  type    = any
-  default = []
-}
-
-variable "vpc_create" {
-  type    = bool
-  default = true
-}

tests/modules/net_vpc/peering.tfvars

@@ -1,5 +0,0 @@
-peering_config = {
-  peer_vpc_self_link = "projects/my-project/global/networks/peer"
-  export_routes      = true
-  import_routes      = null
-}

tests/modules/net_vpc/peering.yaml

@@ -1,47 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-values:
-  google_compute_network.network[0]:
-    auto_create_subnetworks: false
-    delete_default_routes_on_create: false
-    description: Terraform-managed.
-    name: test
-    project: test-project
-    routing_mode: GLOBAL
-  google_compute_network_peering.local[0]:
-    export_custom_routes: true
-    import_custom_routes: false
-    name: test-peer
-    peer_network: projects/my-project/global/networks/peer
-  google_compute_network_peering.remote[0]:
-    export_custom_routes: false
-    import_custom_routes: true
-    name: peer-test
-    network: projects/my-project/global/networks/peer
-
-counts:
-  google_compute_network: 1
-  google_compute_network_peering: 2
-
-outputs:
-  bindings: {}
-  project_id: test-project
-  subnet_ips: {}
-  subnet_regions: {}
-  subnet_secondary_ranges: {}
-  subnet_self_links: {}
-  subnets: {}
-  subnets_proxy_only: {}
-  subnets_psc: {}

tests/modules/net_vpc/psa_simple.tfvars

@@ -1,7 +0,0 @@
-psa_config = {
-  ranges = {
-    bar = "172.16.100.0/24"
-    foo = "172.16.101.0/24"
-  }
-  routes = null
-}

tests/modules/net_vpc/psa_simple.yaml

@@ -1,70 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-values:
-  google_compute_global_address.psa_ranges["bar"]:
-    address: 172.16.100.0
-    address_type: INTERNAL
-    description: null
-    ip_version: null
-    name: bar
-    prefix_length: 24
-    project: test-project
-    purpose: VPC_PEERING
-  google_compute_global_address.psa_ranges["foo"]:
-    address: 172.16.101.0
-    address_type: INTERNAL
-    description: null
-    ip_version: null
-    name: foo
-    prefix_length: 24
-    project: test-project
-    purpose: VPC_PEERING
-  google_compute_network.network[0]:
-    auto_create_subnetworks: false
-    delete_default_routes_on_create: false
-    description: Terraform-managed.
-    enable_ula_internal_ipv6: null
-    name: test
-    project: test-project
-    routing_mode: GLOBAL
-  google_compute_network_peering_routes_config.psa_routes["1"]:
-    export_custom_routes: false
-    import_custom_routes: false
-    project: test-project
-  google_service_networking_connection.psa_connection["1"]:
-    reserved_peering_ranges:
-    - bar
-    - foo
-    service: servicenetworking.googleapis.com
-
-counts:
-  google_compute_global_address: 2
-  google_compute_network: 1
-  google_compute_network_peering_routes_config: 1
-  google_service_networking_connection: 1
-
-outputs:
-  bindings: {}
-  name: __missing__
-  network: __missing__
-  project_id: test-project
-  self_link: __missing__
-  subnet_ips: {}
-  subnet_regions: {}
-  subnet_secondary_ranges: {}
-  subnet_self_links: {}
-  subnets: {}
-  subnets_proxy_only: {}
-  subnets_psc: {}

tests/modules/net_vpc/simple.tfvars

@@ -1 +0,0 @@
-# skip boilerplate check

tests/modules/net_vpc/simple.yaml

@@ -1,36 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-values:
-  google_compute_network.network[0]:
-    auto_create_subnetworks: false
-    delete_default_routes_on_create: false
-    description: Terraform-managed.
-    name: test
-    project: test-project
-    routing_mode: GLOBAL
-
-counts:
-  google_compute_network: 1
-
-outputs:
-  bindings: {}
-  project_id: test-project
-  subnet_ips: {}
-  subnet_regions: {}
-  subnet_secondary_ranges: {}
-  subnet_self_links: {}
-  subnets: {}
-  subnets_proxy_only: {}
-  subnets_psc: {}

tests/modules/net_vpc/subnets.tfvars

@@ -1,44 +0,0 @@
-subnet_iam = {
-  "europe-west1/a" = {
-    "roles/compute.networkUser" = [
-      "user:a@example.com", "group:g-a@example.com"
-    ]
-  }
-  "europe-west1/c" = {
-    "roles/compute.networkUser" = [
-      "user:c@example.com", "group:g-c@example.com"
-    ]
-  }
-}
-subnets = [
-  {
-    name          = "a"
-    region        = "europe-west1"
-    ip_cidr_range = "10.0.0.0/24"
-  },
-  {
-    name                  = "b"
-    region                = "europe-west1"
-    ip_cidr_range         = "10.0.1.0/24",
-    description           = "Subnet b"
-    enable_private_access = false
-  },
-  {
-    name          = "c"
-    region        = "europe-west1"
-    ip_cidr_range = "10.0.2.0/24"
-    secondary_ip_ranges = {
-      a = "192.168.0.0/24"
-      b = "192.168.1.0/24"
-    }
-  },
-  {
-    name          = "d"
-    region        = "europe-west1"
-    ip_cidr_range = "10.0.3.0/24"
-    flow_logs_config = {
-      flow_sampling        = 0.5
-      aggregation_interval = "INTERVAL_10_MIN"
-    }
-  }
-]

tests/modules/net_vpc/subnets.yaml

@@ -1,120 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-values:
-  google_compute_network.network[0]:
-    auto_create_subnetworks: false
-    delete_default_routes_on_create: false
-    description: Terraform-managed.
-    name: test
-    project: test-project
-    routing_mode: GLOBAL
-  google_compute_subnetwork.subnetwork["europe-west1/a"]:
-    description: Terraform-managed.
-    ip_cidr_range: 10.0.0.0/24
-    log_config: []
-    name: a
-    private_ip_google_access: true
-    project: test-project
-    region: europe-west1
-    role: null
-    secondary_ip_range: []
-  google_compute_subnetwork.subnetwork["europe-west1/b"]:
-    description: Subnet b
-    ip_cidr_range: 10.0.1.0/24
-    log_config: []
-    name: b
-    private_ip_google_access: false
-    project: test-project
-    region: europe-west1
-    role: null
-    secondary_ip_range: []
-  google_compute_subnetwork.subnetwork["europe-west1/c"]:
-    description: Terraform-managed.
-    ip_cidr_range: 10.0.2.0/24
-    ipv6_access_type: null
-    log_config: []
-    name: c
-    private_ip_google_access: true
-    project: test-project
-    region: europe-west1
-    role: null
-    secondary_ip_range:
-      - ip_cidr_range: 192.168.0.0/24
-        range_name: a
-      - ip_cidr_range: 192.168.1.0/24
-        range_name: b 
-  google_compute_subnetwork.subnetwork["europe-west1/d"]:
-    description: Terraform-managed.
-    ip_cidr_range: 10.0.3.0/24
-    log_config:
-    - aggregation_interval: INTERVAL_10_MIN
-      filter_expr: 'true'
-      flow_sampling: 0.5
-      metadata: INCLUDE_ALL_METADATA
-      metadata_fields: null
-    name: d
-    private_ip_google_access: true
-    project: test-project
-    region: europe-west1
-    role: null
-    secondary_ip_range: []
-  google_compute_subnetwork_iam_binding.binding["europe-west1/a.roles/compute.networkUser"]:
-    condition: []
-    members:
-    - group:g-a@example.com
-    - user:a@example.com
-    project: test-project
-    region: europe-west1
-    role: roles/compute.networkUser
-    subnetwork: a
-  google_compute_subnetwork_iam_binding.binding["europe-west1/c.roles/compute.networkUser"]:
-    condition: []
-    members:
-    - group:g-c@example.com
-    - user:c@example.com
-    project: test-project
-    region: europe-west1
-    role: roles/compute.networkUser
-    subnetwork: c
-
-counts:
-  google_compute_network: 1
-  google_compute_subnetwork: 4
-  google_compute_subnetwork_iam_binding: 2
-
-outputs:
-  bindings: __missing__
-  project_id: test-project
-  subnet_ips:
-    europe-west1/a: 10.0.0.0/24
-    europe-west1/b: 10.0.1.0/24
-    europe-west1/c: 10.0.2.0/24
-    europe-west1/d: 10.0.3.0/24
-  subnet_regions:
-    europe-west1/a: europe-west1
-    europe-west1/b: europe-west1
-    europe-west1/c: europe-west1
-    europe-west1/d: europe-west1
-  subnet_secondary_ranges:
-    europe-west1/a: {}
-    europe-west1/b: {}
-    europe-west1/c:
-      a: 192.168.0.0/24
-      b: 192.168.1.0/24
-    europe-west1/d: {}
-  subnet_self_links: __missing__
-  subnets: __missing__
-  subnets_proxy_only: {}
-  subnets_psc: {}

tests/modules/net_vpc/tftest.yaml

@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -17,12 +17,8 @@ common_tfvars:
   - common.tfvars
 
 tests:
-  simple:
-  subnets:
-  peering:
   shared_vpc:
   factory:
-  psa_simple:
   psa_routes_export:
   psa_routes_import:
   psa_routes_import_export: