subnets with the same name in different regions (#67)

* support for subnets with the same name in different regions

* fix net-vpc tests
Roberto Jung Drebes 2020-05-04 08:25:53 +02:00 committed by GitHub
parent 711f113cf0
commit 14ec791556
9 changed files with 166 additions and 155 deletions


@ -31,14 +31,14 @@ module "vpc-hub" {
source = "../../modules/net-vpc"
project_id = var.project_id
name = "hub"
subnets = {
default = {
subnets = [
{
ip_cidr_range = var.ip_ranges.hub
name = null
name = "hub-default"
region = var.region
secondary_ip_range = {}
}
}
]
}
module "vpc-hub-firewall" {
@ -57,14 +57,14 @@ module "vpc-spoke-1" {
source = "../../modules/net-vpc"
project_id = var.project_id
name = "spoke-1"
subnets = {
default = {
subnets = [
{
ip_cidr_range = var.ip_ranges.spoke-1
name = null
name = "spoke-1-default"
region = var.region
secondary_ip_range = {}
}
}
]
}
module "vpc-spoke-1-firewall" {
@ -78,7 +78,7 @@ module "vpc-spoke-1-firewall" {
module "nat-spoke-1" {
source = "../../modules/net-cloudnat"
project_id = var.project_id
region = module.vpc-spoke-1.subnet_regions.default
region = module.vpc-spoke-1.subnet_regions["${var.region}/spoke-1-default"]
name = "spoke-1"
router_name = "spoke-1"
router_network = module.vpc-spoke-1.self_link
@ -100,17 +100,17 @@ module "vpc-spoke-2" {
source = "../../modules/net-vpc"
project_id = var.project_id
name = "spoke-2"
subnets = {
default = {
subnets = [
{
ip_cidr_range = var.ip_ranges.spoke-2
name = null
name = "spoke-2-default"
region = var.region
secondary_ip_range = {
pods = var.ip_secondary_ranges.spoke-2-pods
services = var.ip_secondary_ranges.spoke-2-services
}
}
}
]
}
module "vpc-spoke-2-firewall" {
@ -124,7 +124,7 @@ module "vpc-spoke-2-firewall" {
module "nat-spoke-2" {
source = "../../modules/net-cloudnat"
project_id = var.project_id
region = module.vpc-spoke-2.subnet_regions.default
region = module.vpc-spoke-2.subnet_regions["${var.region}/spoke-2-default"]
name = "spoke-2"
router_name = "spoke-2"
router_network = module.vpc-spoke-2.self_link
@ -146,12 +146,12 @@ module "hub-to-spoke-2-peering" {
module "vm-spoke-1" {
source = "../../modules/compute-vm"
project_id = var.project_id
region = module.vpc-spoke-1.subnet_regions.default
zone = "${module.vpc-spoke-1.subnet_regions.default}-b"
region = module.vpc-spoke-1.subnet_regions["${var.region}/spoke-1-default"]
zone = "${module.vpc-spoke-1.subnet_regions["${var.region}/spoke-1-default"]}-b"
name = "spoke-1-test"
network_interfaces = [{
network = module.vpc-spoke-1.self_link,
subnetwork = module.vpc-spoke-1.subnet_self_links.default,
subnetwork = module.vpc-spoke-1.subnet_self_links["${var.region}/spoke-1-default"]
nat = false,
addresses = null
}]
@ -164,12 +164,12 @@ module "vm-spoke-1" {
module "vm-spoke-2" {
source = "../../modules/compute-vm"
project_id = var.project_id
region = module.vpc-spoke-2.subnet_regions.default
zone = "${module.vpc-spoke-2.subnet_regions.default}-b"
region = module.vpc-spoke-2.subnet_regions["${var.region}/spoke-2-default"]
zone = "${module.vpc-spoke-2.subnet_regions["${var.region}/spoke-2-default"]}-b"
name = "spoke-2-test"
network_interfaces = [{
network = module.vpc-spoke-2.self_link,
subnetwork = module.vpc-spoke-2.subnet_self_links.default,
subnetwork = module.vpc-spoke-2.subnet_self_links["${var.region}/spoke-2-default"]
nat = false,
addresses = null
}]
@ -200,9 +200,9 @@ module "cluster-1" {
source = "../../modules/gke-cluster"
name = "cluster-1"
project_id = var.project_id
location = "${module.vpc-spoke-2.subnet_regions.default}-b"
location = "${module.vpc-spoke-2.subnet_regions["${var.region}/spoke-2-default"]}-b"
network = module.vpc-spoke-2.self_link
subnetwork = module.vpc-spoke-2.subnet_self_links.default
subnetwork = module.vpc-spoke-2.subnet_self_links["${var.region}/spoke-2-default"]
secondary_range_pods = "pods"
secondary_range_services = "services"
default_max_pods_per_node = 32
@ -273,7 +273,7 @@ module "vpn-spoke-2" {
# routes exchanged via peering
remote_ranges = ["10.0.0.0/8"]
tunnels = {
spoke-2 = {
hub = {
ike_version = 2
peer_ip = module.vpn-hub.address
shared_secret = module.vpn-hub.random_secret
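Review bot: The composite subnet key `"${var.region}/spoke-1-default"` is now spelled out in four separate module arguments in this file (the nat-spoke-1 `region`, and the vm-spoke-1 `region`, `zone` and `subnetwork`), and the spoke-2 key likewise in nat-spoke-2, vm-spoke-2 and cluster-1, so a later rename of the subnet's `name` breaks every consumer that was not updated in step. A single `locals` entry per subnet, e.g. `spoke_1_subnet = "${var.region}/spoke-1-default"`, referenced as `module.vpc-spoke-1.subnet_regions[local.spoke_1_subnet]` keeps the key in one place. The same repetition appears in the second, third and fourth example files of this commit.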


@ -14,7 +14,8 @@
locals {
vm-instances = concat(
module.vm-spoke-1.instances, module.vm-spoke-2.instances
module.vm-spoke-1.instances,
module.vm-spoke-2.instances
)
vm-startup-script = join("\n", [
"#! /bin/bash",
@ -30,20 +31,20 @@ module "vpc-hub" {
source = "../../modules/net-vpc"
project_id = var.project_id
name = "hub"
subnets = {
a = {
subnets = [
{
ip_cidr_range = var.ip_ranges.hub-a
name = null
name = "hub-a"
region = var.regions.a
secondary_ip_range = {}
}
b = {
},
{
ip_cidr_range = var.ip_ranges.hub-b
name = null
name = "hub-b"
region = var.regions.b
secondary_ip_range = {}
}
}
]
}
module "vpc-hub-firewall" {
@ -57,7 +58,7 @@ module "vpc-hub-firewall" {
module "vpn-hub-a" {
source = "../../modules/net-vpn-dynamic"
project_id = var.project_id
region = module.vpc-hub.subnet_regions["a"]
region = module.vpc-hub.subnet_regions["${var.regions.a}/hub-a"]
network = module.vpc-hub.name
name = "hub-a"
router_asn = var.bgp_asn.hub
@ -86,7 +87,7 @@ module "vpn-hub-a" {
module "vpn-hub-b" {
source = "../../modules/net-vpn-dynamic"
project_id = var.project_id
region = module.vpc-hub.subnet_regions["b"]
region = module.vpc-hub.subnet_regions["${var.regions.b}/hub-b"]
network = module.vpc-hub.name
name = "hub-b"
router_asn = var.bgp_asn.hub
@ -120,20 +121,20 @@ module "vpc-spoke-1" {
source = "../../modules/net-vpc"
project_id = var.project_id
name = "spoke-1"
subnets = {
a = {
subnets = [
{
ip_cidr_range = var.ip_ranges.spoke-1-a
name = null
name = "spoke-1-a"
region = var.regions.a
secondary_ip_range = {}
}
b = {
},
{
ip_cidr_range = var.ip_ranges.spoke-1-b
name = null
region = var.regions.a
name = "spoke-1-b"
region = var.regions.b
secondary_ip_range = {}
}
}
]
}
module "vpc-spoke-1-firewall" {
@ -147,7 +148,7 @@ module "vpc-spoke-1-firewall" {
module "vpn-spoke-1" {
source = "../../modules/net-vpn-dynamic"
project_id = var.project_id
region = module.vpc-spoke-1.subnet_regions["a"]
region = module.vpc-spoke-1.subnet_regions["${var.regions.a}/spoke-1-a"]
network = module.vpc-spoke-1.name
name = "spoke-1"
router_asn = var.bgp_asn.spoke-1
@ -169,7 +170,7 @@ module "vpn-spoke-1" {
module "nat-spoke-1" {
source = "../../modules/net-cloudnat"
project_id = var.project_id
region = module.vpc-spoke-1.subnet_regions["a"]
region = module.vpc-spoke-1.subnet_regions["${var.regions.a}/spoke-1-a"]
name = "spoke-1"
router_create = false
router_name = module.vpn-spoke-1.router_name
@ -183,20 +184,20 @@ module "vpc-spoke-2" {
source = "../../modules/net-vpc"
project_id = var.project_id
name = "spoke-2"
subnets = {
a = {
subnets = [
{
ip_cidr_range = var.ip_ranges.spoke-2-a
name = null
region = var.regions.b
name = "spoke-2-a"
region = var.regions.a
secondary_ip_range = {}
}
b = {
},
{
ip_cidr_range = var.ip_ranges.spoke-2-b
name = null
name = "spoke-2-b"
region = var.regions.b
secondary_ip_range = {}
}
}
]
}
module "vpc-spoke-2-firewall" {
@ -210,7 +211,7 @@ module "vpc-spoke-2-firewall" {
module "vpn-spoke-2" {
source = "../../modules/net-vpn-dynamic"
project_id = var.project_id
region = module.vpc-spoke-2.subnet_regions["a"]
region = module.vpc-spoke-2.subnet_regions["${var.regions.a}/spoke-2-a"]
network = module.vpc-spoke-2.name
name = "spoke-2"
router_asn = var.bgp_asn.spoke-2
@ -232,7 +233,7 @@ module "vpn-spoke-2" {
module "nat-spoke-2" {
source = "../../modules/net-cloudnat"
project_id = var.project_id
region = module.vpc-spoke-2.subnet_regions["a"]
region = module.vpc-spoke-2.subnet_regions["${var.regions.a}/spoke-2-a"]
name = "spoke-2"
router_create = false
router_name = module.vpn-spoke-2.router_name
@ -245,12 +246,12 @@ module "nat-spoke-2" {
module "vm-spoke-1" {
source = "../../modules/compute-vm"
project_id = var.project_id
region = module.vpc-spoke-1.subnet_regions.b
zone = "${module.vpc-spoke-1.subnet_regions.b}-b"
region = module.vpc-spoke-1.subnet_regions["${var.regions.b}/spoke-1-b"]
zone = "${module.vpc-spoke-1.subnet_regions["${var.regions.b}/spoke-1-b"]}-b"
name = "spoke-1-test"
network_interfaces = [{
network = module.vpc-spoke-1.self_link,
subnetwork = module.vpc-spoke-1.subnet_self_links.b,
subnetwork = module.vpc-spoke-1.subnet_self_links["${var.regions.b}/spoke-1-b"]
nat = false,
addresses = null
}]
@ -261,12 +262,12 @@ module "vm-spoke-1" {
module "vm-spoke-2" {
source = "../../modules/compute-vm"
project_id = var.project_id
region = module.vpc-spoke-2.subnet_regions.b
zone = "${module.vpc-spoke-2.subnet_regions.b}-b"
region = module.vpc-spoke-2.subnet_regions["${var.regions.b}/spoke-2-b"]
zone = "${module.vpc-spoke-2.subnet_regions["${var.regions.b}/spoke-2-b"]}-b"
name = "spoke-2-test"
network_interfaces = [{
network = module.vpc-spoke-2.self_link,
subnetwork = module.vpc-spoke-2.subnet_self_links.b,
subnetwork = module.vpc-spoke-2.subnet_self_links["${var.regions.b}/spoke-2-b"],
nat = false,
addresses = null
}]
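Review bot: The rewritten `subnetwork` line in vm-spoke-1 drops the trailing comma that the original had, while the parallel line in vm-spoke-2 keeps it, so the two `network_interfaces` object literals in this file are now formatted differently. HCL accepts both forms, but for consistency the vm-spoke-1 line should read `subnetwork = module.vpc-spoke-1.subnet_self_links["${var.regions.b}/spoke-1-b"],`. The first and third example files drop the comma in the same position and could be aligned at the same time.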


@ -52,14 +52,14 @@ module "vpc" {
source = "../../modules/net-vpc"
project_id = var.project_id
name = "to-onprem"
subnets = {
default = {
subnets = [
{
ip_cidr_range = var.ip_ranges.gcp
name = null
name = "subnet"
region = var.region
secondary_ip_range = {}
}
}
]
}
module "vpc-firewall" {
@ -74,7 +74,7 @@ module "vpc-firewall" {
module "vpn" {
source = "../../modules/net-vpn-dynamic"
project_id = var.project_id
region = module.vpc.subnet_regions["default"]
region = module.vpc.subnet_regions["${var.region}/subnet"]
network = module.vpc.name
name = "to-onprem"
router_asn = var.bgp_asn.gcp
@ -105,7 +105,7 @@ module "vpn" {
module "nat" {
source = "../../modules/net-cloudnat"
project_id = var.project_id
region = module.vpc.subnet_regions.default
region = module.vpc.subnet_regions["${var.region}/subnet"]
name = "default"
router_create = false
router_name = module.vpn.router_name
@ -184,12 +184,12 @@ module "service-account-gce" {
module "vm-test" {
source = "../../modules/compute-vm"
project_id = var.project_id
region = module.vpc.subnet_regions.default
zone = "${module.vpc.subnet_regions.default}-b"
region = module.vpc.subnet_regions["${var.region}/subnet"]
zone = "${module.vpc.subnet_regions["${var.region}/subnet"]}-b"
name = "test"
network_interfaces = [{
network = module.vpc.self_link,
subnetwork = module.vpc.subnet_self_links.default,
subnetwork = module.vpc.subnet_self_links["${var.region}/subnet"]
nat = false,
addresses = null
}]
@ -251,7 +251,7 @@ module "vm-onprem" {
}
network_interfaces = [{
network = module.vpc.name
subnetwork = module.vpc.subnet_self_links.default
subnetwork = module.vpc.subnet_self_links["${var.region}/subnet"]
nat = true,
addresses = null
}]


@ -98,34 +98,34 @@ module "vpc-shared" {
module.project-svc-gce.project_id,
module.project-svc-gke.project_id
]
subnets = {
gce = {
subnets = [
{
ip_cidr_range = var.ip_ranges.gce
name = null
name = "gce"
region = var.region
secondary_ip_range = {}
}
gke = {
},
{
ip_cidr_range = var.ip_ranges.gke
name = null
name = "gke"
region = var.region
secondary_ip_range = {
pods = var.ip_secondary_ranges.gke-pods
services = var.ip_secondary_ranges.gke-services
}
}
}
]
iam_roles = {
gke = ["roles/compute.networkUser", "roles/compute.securityAdmin"]
gce = ["roles/compute.networkUser"]
"${var.region}/gke" = ["roles/compute.networkUser", "roles/compute.securityAdmin"]
"${var.region}/gce" = ["roles/compute.networkUser"]
}
iam_members = {
gce = {
"${var.region}/gce" = {
"roles/compute.networkUser" = concat(var.owners_gce, [
"serviceAccount:${module.project-svc-gce.cloudsvc_service_account}",
])
}
gke = {
"${var.region}/gke" = {
"roles/compute.networkUser" = concat(var.owners_gke, [
"serviceAccount:${module.project-svc-gke.cloudsvc_service_account}",
"serviceAccount:${module.project-svc-gke.gke_service_account}",
@ -178,12 +178,12 @@ module "host-dns" {
module "vm-bastion" {
source = "../../modules/compute-vm"
project_id = module.project-svc-gce.project_id
region = module.vpc-shared.subnet_regions.gce
zone = "${module.vpc-shared.subnet_regions.gce}-b"
region = module.vpc-shared.subnet_regions["${var.region}/gce"]
zone = "${module.vpc-shared.subnet_regions["${var.region}/gce"]}-b"
name = "bastion"
network_interfaces = [{
network = module.vpc-shared.self_link,
subnetwork = lookup(module.vpc-shared.subnet_self_links, "gce", null),
subnetwork = lookup(module.vpc-shared.subnet_self_links, "${var.region}/gce", null),
nat = false,
addresses = null
}]
@ -207,9 +207,9 @@ module "cluster-1" {
source = "../../modules/gke-cluster"
name = "cluster-1"
project_id = module.project-svc-gke.project_id
location = "${module.vpc-shared.subnet_regions.gke}-b"
location = "${module.vpc-shared.subnet_regions["${var.region}/gke"]}-b"
network = module.vpc-shared.self_link
subnetwork = module.vpc-shared.subnet_self_links.gke
subnetwork = module.vpc-shared.subnet_self_links["${var.region}/gke"]
secondary_range_pods = "pods"
secondary_range_services = "services"
default_max_pods_per_node = 32
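Review bot: In vm-bastion the `subnetwork` argument still goes through `lookup(module.vpc-shared.subnet_self_links, "${var.region}/gce", null)`, so a mistyped or renamed key yields a null subnetwork instead of a plan-time error, while the `region` and `zone` arguments two lines above index the map directly and fail loudly on a bad key. Since the same key is already relied upon there, the direct form `subnetwork = module.vpc-shared.subnet_self_links["${var.region}/gce"],` is both consistent and safer. The cluster-1 hunk below already uses direct indexing.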


@ -13,8 +13,8 @@ module "vpc" {
source = "../modules/net-vpc"
project_id = "my-project"
name = "my-network"
subnets = {
subnet-1 = {
subnets = [
{
ip_cidr_range = "10.0.0.0/24"
name = "production"
region = "europe-west1"
@ -22,14 +22,14 @@ module "vpc" {
pods = "172.16.0.0/20"
services = "192.168.0.0/24"
}
}
subnet-2 = {
},
{
ip_cidr_range = "10.0.16.0/24"
name = "production"
region = "europe-west2"
secondary_ip_range = {}
}
}
]
}
```
@ -42,17 +42,17 @@ module "vpc-spoke-1" {
source = "../modules/net-vpc"
project_id = "my-project"
name = "my-network"
subnets = {
subnet-1 = {
subnets = [
{
ip_cidr_range = "10.0.0.0/24"
name = null
name = "subnet-1"
region = "europe-west1"
secondary_ip_range = {
pods = "172.16.0.0/20"
services = "192.168.0.0/24"
}
}
}
]
peering_config = {
peer_vpc_self_link = module.vpc-hub.self_link
export_routes = false
@ -68,30 +68,30 @@ module "vpc-host" {
source = "../modules/net-vpc"
project_id = "my-project"
name = "my-host-network"
subnets = {
subnet-1 = {
subnets = [
{
ip_cidr_range = "10.0.0.0/24"
name = null
name = "subnet-1"
region = "europe-west1"
secondary_ip_range = {
pods = "172.16.0.0/20"
services = "192.168.0.0/24"
}
}
}
]
shared_vpc_host = true
shared_vpc_service_projects = [
local.service_project_1.project_id,
local.service_project_2.project_id
]
iam_roles = {
subnet-1 = [
"europe-west1/subnet-1" = [
"roles/compute.networkUser",
"roles/compute.securityAdmin"
]
}
iam_members = {
subnet-1 = {
"europe-west1/subnet-1" = {
"roles/compute.networkUser" = [
local.service_project_1.cloudsvc_sa,
local.service_project_1.gke_sa
@ -113,19 +113,19 @@ module "vpc-host" {
| project_id | The ID of the project where this VPC will be created | <code title="">string</code> | ✓ | |
| *auto_create_subnetworks* | Set to true to create an auto mode subnet, defaults to custom mode. | <code title="">bool</code> | | <code title="">false</code> |
| *description* | An optional description of this resource (triggers recreation on change). | <code title="">string</code> | | <code title="">Terraform-managed.</code> |
| *iam_members* | List of IAM members keyed by subnet and role. | <code title="map&#40;map&#40;list&#40;string&#41;&#41;&#41;">map(map(list(string)))</code> | | <code title="">null</code> |
| *iam_roles* | List of IAM roles keyed by subnet. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> | | <code title="">null</code> |
| *iam_members* | List of IAM members keyed by subnet 'region/name' and role. | <code title="map&#40;map&#40;list&#40;string&#41;&#41;&#41;">map(map(list(string)))</code> | | <code title="">null</code> |
| *iam_roles* | List of IAM roles keyed by subnet 'region/name'. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> | | <code title="">null</code> |
| *log_config_defaults* | Default configuration for flow logs when enabled. | <code title="object&#40;&#123;&#10;aggregation_interval &#61; string&#10;flow_sampling &#61; number&#10;metadata &#61; string&#10;&#125;&#41;">object({...})</code> | | <code title="&#123;&#10;aggregation_interval &#61; &#34;INTERVAL_5_SEC&#34;&#10;flow_sampling &#61; 0.5&#10;metadata &#61; &#34;INCLUDE_ALL_METADATA&#34;&#10;&#125;">...</code> |
| *log_configs* | Map of per-subnet optional configurations for flow logs when enabled. | <code title="map&#40;map&#40;string&#41;&#41;">map(map(string))</code> | | <code title="">null</code> |
| *log_configs* | Map keyed by subnet 'region/name' of optional configurations for flow logs when enabled. | <code title="map&#40;map&#40;string&#41;&#41;">map(map(string))</code> | | <code title="">null</code> |
| *peering_config* | VPC peering configuration. | <code title="object&#40;&#123;&#10;peer_vpc_self_link &#61; string&#10;export_routes &#61; bool&#10;import_routes &#61; bool&#10;&#125;&#41;">object({...})</code> | | <code title="">null</code> |
| *routes* | Network routes, keyed by name. | <code title="map&#40;object&#40;&#123;&#10;dest_range &#61; string&#10;priority &#61; number&#10;tags &#61; list&#40;string&#41;&#10;next_hop_type &#61; string &#35; gateway, instance, ip, vpn_tunnel, ilb&#10;next_hop &#61; string&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="">null</code> |
| *routing_mode* | The network routing mode (default 'GLOBAL') | <code title="">string</code> | | <code title="">GLOBAL</code> |
| *shared_vpc_host* | Enable shared VPC for this project. | <code title="">bool</code> | | <code title="">false</code> |
| *shared_vpc_service_projects* | Shared VPC service projects to register with this host | <code title="list&#40;string&#41;">list(string)</code> | | <code title="">[]</code> |
| *subnet_descriptions* | Optional map of subnet descriptions, keyed by subnet name. | <code title="map&#40;string&#41;">map(string)</code> | | <code title="">{}</code> |
| *subnet_flow_logs* | Optional map of boolean to control flow logs (default is disabled), keyed by subnet name. | <code title="map&#40;bool&#41;">map(bool)</code> | | <code title="">{}</code> |
| *subnet_private_access* | Optional map of boolean to control private Google access (default is enabled), keyed by subnet name. | <code title="map&#40;bool&#41;">map(bool)</code> | | <code title="">{}</code> |
| *subnets* | Subnets being created. If name is set to null, a default will be used combining network name and this map key. | <code title="map&#40;object&#40;&#123;&#10;ip_cidr_range &#61; string&#10;name &#61; string&#10;region &#61; string&#10;secondary_ip_range &#61; map&#40;string&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="">null</code> |
| *subnet_descriptions* | Optional map of subnet descriptions, keyed by subnet 'region/name'. | <code title="map&#40;string&#41;">map(string)</code> | | <code title="">{}</code> |
| *subnet_flow_logs* | Optional map of boolean to control flow logs (default is disabled), keyed by subnet 'region/name'. | <code title="map&#40;bool&#41;">map(bool)</code> | | <code title="">{}</code> |
| *subnet_private_access* | Optional map of boolean to control private Google access (default is enabled), keyed by subnet 'region/name'. | <code title="map&#40;bool&#41;">map(bool)</code> | | <code title="">{}</code> |
| *subnets* | The list of subnets being created | <code title="map&#40;object&#40;&#123;&#10;ip_cidr_range &#61; string&#10;region &#61; string&#10;secondary_ip_range &#61; map&#40;string&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="">null</code> |
## Outputs
@ -136,10 +136,10 @@ module "vpc-host" {
| network | Network resource. | |
| project_id | Shared VPC host project id. | |
| self_link | The URI of the VPC being created. | |
| subnet_ips | Map of subnet address ranges keyed by name. | |
| subnet_regions | Map of subnet regions keyed by name. | |
| subnet_secondary_ranges | Map of subnet secondary ranges keyed by name. | |
| subnet_self_links | Map of subnet self links keyed by name. | |
| subnet_ips | Map of subnet address ranges keyed by 'region/name'. | |
| subnet_regions | Map of subnet regions keyed by 'region/name'. | |
| subnet_secondary_ranges | Map of subnet secondary ranges keyed by 'region/name'. | |
| subnet_self_links | Map of subnet self links keyed by 'region/name'. | |
| subnets | Subnet resources. | |
<!-- END TFDOC -->


@ -52,7 +52,7 @@ locals {
name => data if data.next_hop_type == "vpn_tunnel"
}
subnet_log_configs = {
for name, attrs in local.subnets : name => (
for name, attrs in { for s in local.subnets : format("%s/%s", s.region, s.name) => s } : name => (
lookup(var.subnet_flow_logs, name, false)
? [{
for key, value in var.log_config_defaults : key => lookup(
@ -62,15 +62,19 @@ locals {
: []
)
}
subnets = var.subnets == null ? {} : var.subnets
subnets = {
for subnet in var.subnets :
"${subnet.region}/${subnet.name}" => subnet
}
}
resource "google_compute_network" "network" {
project = var.project_id
name = var.name
description = var.description
auto_create_subnetworks = var.auto_create_subnetworks
routing_mode = var.routing_mode
project = var.project_id
name = var.name
description = var.description
auto_create_subnetworks = var.auto_create_subnetworks
delete_default_routes_on_create = var.delete_default_routes_on_create
routing_mode = var.routing_mode
}
resource "google_compute_network_peering" "local" {
@ -116,16 +120,16 @@ resource "google_compute_subnetwork" "subnetwork" {
project = var.project_id
network = google_compute_network.network.name
region = each.value.region
name = each.value.name != null ? each.value.name : "${var.name}-${each.key}"
name = each.value.name
ip_cidr_range = each.value.ip_cidr_range
secondary_ip_range = each.value.secondary_ip_range == null ? [] : [
for name, range in each.value.secondary_ip_range :
{ range_name = name, ip_cidr_range = range }
]
description = lookup(var.subnet_descriptions, each.key, "Terraform-managed.")
private_ip_google_access = lookup(var.subnet_private_access, each.key, true)
description = lookup(var.subnet_descriptions, "${each.value.region}/${each.value.name}", "Terraform-managed.")
private_ip_google_access = lookup(var.subnet_private_access, "${each.value.region}/${each.value.name}", true)
dynamic "log_config" {
for_each = local.subnet_log_configs[each.key]
for_each = local.subnet_log_configs["${each.value.region}/${each.value.name}"]
iterator = config
content {
aggregation_interval = config.value.aggregation_interval
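Review bot: The subnetwork resource now rebuilds the `"${each.value.region}/${each.value.name}"` key inline three times (`description`, `private_ip_google_access` and the `log_config` `for_each`), although `local.subnets` is itself keyed by exactly that string in the hunk above; if the resource's `for_each` (outside this hunk) still iterates `local.subnets`, `each.key` already holds that value and the original `lookup(var.subnet_descriptions, each.key, "Terraform-managed.")` form could be kept. The `subnet_log_configs` comprehension has the same redundancy: it re-keys `local.subnets` with `format("%s/%s", s.region, s.name)` even though the map keys are already `region/name`, so `for name, attrs in local.subnets : name => (` would be equivalent and easier to read. Duplicate `region/name` pairs in `var.subnets` will surface as a duplicate-key error from the `local.subnets` comprehension rather than a clearer message, which is worth a comment on that local.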


@ -20,6 +20,12 @@ variable "auto_create_subnetworks" {
default = false
}
variable "delete_default_routes_on_create" {
description = "Set to true to delete the default routes at creation time."
type = bool
default = false
}
variable "description" {
description = "An optional description of this resource (triggers recreation on change)."
type = string
@ -27,19 +33,19 @@ variable "description" {
}
variable "iam_roles" {
description = "List of IAM roles keyed by subnet."
description = "List of IAM roles keyed by subnet 'region/name'."
type = map(list(string))
default = null
}
variable "iam_members" {
description = "List of IAM members keyed by subnet and role."
description = "List of IAM members keyed by subnet 'region/name' and role."
type = map(map(list(string)))
default = null
}
variable "log_configs" {
description = "Map of per-subnet optional configurations for flow logs when enabled."
description = "Map keyed by subnet 'region/name' of optional configurations for flow logs when enabled."
type = map(map(string))
default = null
}
@ -109,30 +115,31 @@ variable "shared_vpc_service_projects" {
}
variable "subnets" {
description = "Subnets being created. If name is set to null, a default will be used combining network name and this map key."
type = map(object({
description = "The list of subnets being created"
type = list(object({
name = string
ip_cidr_range = string
name = string
region = string
secondary_ip_range = map(string)
}))
default = null
default = []
}
variable "subnet_descriptions" {
description = "Optional map of subnet descriptions, keyed by subnet name."
description = "Optional map of subnet descriptions, keyed by subnet 'region/name'."
type = map(string)
default = {}
}
variable "subnet_flow_logs" {
description = "Optional map of boolean to control flow logs (default is disabled), keyed by subnet name."
description = "Optional map of boolean to control flow logs (default is disabled), keyed by subnet 'region/name'."
type = map(bool)
default = {}
}
variable "subnet_private_access" {
description = "Optional map of boolean to control private Google access (default is enabled), keyed by subnet name."
description = "Optional map of boolean to control private Google access (default is enabled), keyed by subnet 'region/name'."
type = map(bool)
default = {}
}
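Review bot: The `subnets` variable is now `list(object({...}))` with `name` required, but the module README's generated table in this commit still shows `map(object({...}))` for it and omits `name` from the type, so the documentation disagrees with the new definition; the TFDOC block should be regenerated from this file. The description `"The list of subnets being created"` could also state that `name` and `region` together form the key used by every other per-subnet map, e.g. `"The list of subnets being created; each subnet is addressed elsewhere by the key 'region/name'."`, since that contract is what the other variable descriptions now rely on.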


@ -97,13 +97,14 @@ variable "shared_vpc_service_projects" {
variable "subnets" {
description = "The list of subnets being created"
type = map(object({
type = list(object({
name = string
ip_cidr_range = string
name = string
region = string
secondary_ip_range = map(string)
}))
default = null
default = []
}
variable "subnet_descriptions" {


@ -19,22 +19,14 @@ import pytest
FIXTURES_DIR = os.path.join(os.path.dirname(__file__), 'fixture')
_VAR_SUBNETS = (
'{ '
'a={region = "europe-west1", ip_cidr_range = "10.0.0.0/24",'
' name=null, secondary_ip_range=null},'
'b={region = "europe-west1", ip_cidr_range = "10.0.1.0/24",'
' name=null, secondary_ip_range=null},'
'c={region = "europe-west1", ip_cidr_range = "10.0.2.0/24",'
' name="c", secondary_ip_range={a="192.168.0.0/24", b="192.168.1.0/24"}},'
'}'
)
_VAR_LOG_CONFIG = '{a = { flow_sampling = 0.1 }}'
_VAR_LOG_CONFIG_DEFAULTS = (
'{'
'aggregation_interval = "INTERVAL_10_MIN", '
'flow_sampling = 0.5, '
'metadata = "INCLUDE_ALL_METADATA"'
'}'
'[ '
'{name = "a", region = "europe-west1", ip_cidr_range = "10.0.0.0/24",'
' secondary_ip_range=null},'
'{name = "b", region = "europe-west1", ip_cidr_range = "10.0.1.0/24",'
' secondary_ip_range=null},'
'{name = "c", region = "europe-west1", ip_cidr_range = "10.0.2.0/24",'
' secondary_ip_range={a="192.168.0.0/24", b="192.168.1.0/24"}},'
']'
)
@ -45,16 +37,22 @@ def test_subnets_simple(plan_runner):
subnets = [r['values']
for r in resources if r['type'] == 'google_compute_subnetwork']
assert set(s['name'] for s in subnets) == set(
['my-vpc-a', 'my-vpc-b', 'c'])
['a', 'b', 'c'])
assert set(len(s['secondary_ip_range']) for s in subnets) == set([0, 0, 2])
def test_subnet_log_configs(plan_runner):
"Test subnets flow logs configuration and defaults."
log_config = '{"europe-west1/a" = { flow_sampling = 0.1 }}'
log_config_defaults = (
'{aggregation_interval = "INTERVAL_10_MIN", flow_sampling = 0.5, '
'metadata = "INCLUDE_ALL_METADATA"}'
)
subnet_flow_logs = '{"europe-west1/a"=true, "europe-west1/b"=true}'
_, resources = plan_runner(FIXTURES_DIR, subnets=_VAR_SUBNETS,
log_configs=_VAR_LOG_CONFIG,
log_config_defaults=_VAR_LOG_CONFIG_DEFAULTS,
subnet_flow_logs='{a=true, b=true}')
log_configs=log_config,
log_config_defaults=log_config_defaults,
subnet_flow_logs=subnet_flow_logs)
assert len(resources) == 4
flow_logs = {}
for r in resources:
@ -63,13 +61,13 @@ def test_subnet_log_configs(plan_runner):
flow_logs[r['values']['name']] = r['values']['log_config']
assert flow_logs == {
# enable, override one default option
'my-vpc-a': [{
'a': [{
'aggregation_interval': 'INTERVAL_10_MIN',
'flow_sampling': 0.1,
'metadata': 'INCLUDE_ALL_METADATA'
}],
# enable, use defaults
'my-vpc-b': [{
'b': [{
'aggregation_interval': 'INTERVAL_10_MIN',
'flow_sampling': 0.5,
'metadata': 'INCLUDE_ALL_METADATA'