DNS Policies in net-vpc module (#238)
This commit is contained in:
parent
afb4cb9c5c
commit
36d253f1d3
|
@ -141,6 +141,33 @@ module "vpc" {
|
|||
# tftest:modules=1:resources=4
|
||||
```
|
||||
|
||||
### DNS Policies
|
||||
|
||||
```hcl
|
||||
module "vpc" {
|
||||
source = "./modules/net-vpc"
|
||||
project_id = "my-project"
|
||||
name = "my-network"
|
||||
dns_policy = {
|
||||
inbound = true
|
||||
logging = false
|
||||
outbound = {
|
||||
private_ns = ["10.0.0.1"]
|
||||
public_ns = ["8.8.8.8"]
|
||||
}
|
||||
}
|
||||
subnets = [
|
||||
{
|
||||
ip_cidr_range = "10.0.0.0/24"
|
||||
name = "production"
|
||||
region = "europe-west1"
|
||||
secondary_ip_range = {}
|
||||
}
|
||||
]
|
||||
}
|
||||
# tftest:modules=1:resources=3
|
||||
```
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
## Variables
|
||||
|
||||
|
@ -151,6 +178,7 @@ module "vpc" {
|
|||
| *auto_create_subnetworks* | Set to true to create an auto mode subnet, defaults to custom mode. | <code title="">bool</code> | | <code title="">false</code> |
|
||||
| *delete_default_routes_on_create* | Set to true to delete the default routes at creation time. | <code title="">bool</code> | | <code title="">false</code> |
|
||||
| *description* | An optional description of this resource (triggers recreation on change). | <code title="">string</code> | | <code title="">Terraform-managed.</code> |
|
||||
| *dns_policy* | None | <code title="object({ inbound = bool logging = bool outbound = object({ private_ns = list(string) public_ns = list(string) }) })">object({...})</code> | | <code title="">null</code> |
|
||||
| *iam* | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | <code title="map(map(list(string)))">map(map(list(string)))</code> | | <code title="">{}</code> |
|
||||
| *log_config_defaults* | Default configuration for flow logs when enabled. | <code title="object({ aggregation_interval = string flow_sampling = number metadata = string })">object({...})</code> | | <code title="{ aggregation_interval = "INTERVAL_5_SEC" flow_sampling = 0.5 metadata = "INCLUDE_ALL_METADATA" }">...</code> |
|
||||
| *log_configs* | Map keyed by subnet 'region/name' of optional configurations for flow logs when enabled. | <code title="map(map(string))">map(map(string))</code> | | <code title="">{}</code> |
|
||||
|
|
|
@ -239,6 +239,38 @@ resource "google_compute_global_address" "psn_range" {
|
|||
network = local.network.id
|
||||
}
|
||||
|
||||
resource "google_dns_policy" "dns_policy" {
|
||||
count = var.dns_policy == null ? 0 : 1
|
||||
enable_inbound_forwarding = var.dns_policy.inbound
|
||||
enable_logging = var.dns_policy.logging
|
||||
name = "${var.name}-inbound-policy"
|
||||
project = var.project_id
|
||||
networks {
|
||||
network_url = local.network.id
|
||||
}
|
||||
|
||||
dynamic "alternative_name_server_config" {
|
||||
for_each = var.dns_policy.outbound == null ? [] : [1]
|
||||
content {
|
||||
dynamic "target_name_servers" {
|
||||
for_each = toset(var.dns_policy.outbound.private_ns)
|
||||
iterator = ns
|
||||
content {
|
||||
ipv4_address = ns.key
|
||||
forwarding_path = "private"
|
||||
}
|
||||
}
|
||||
dynamic "target_name_servers" {
|
||||
for_each = toset(var.dns_policy.outbound.public_ns)
|
||||
iterator = ns
|
||||
content {
|
||||
ipv4_address = ns.key
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_service_networking_connection" "psn_connection" {
|
||||
count = var.private_service_networking_range == null ? 0 : 1
|
||||
network = local.network.id
|
||||
|
|
|
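Review bot: The two `target_name_servers` blocks pass `private_ns` and `public_ns` straight into `toset()`, so a caller who sets either attribute to `null` (legal for an object attribute) gets an unusable `for_each` at plan time, and a malformed address is only rejected by the API at apply time; `for_each = toset(coalesce(var.dns_policy.outbound.private_ns, []))` (and the same for `public_ns`) fails more gracefully here, with the format check belonging on the variable. Security-wise, configuring `alternative_name_server_config` replaces Cloud DNS resolution for every query from the network — if I have the Cloud DNS semantics right, private zones and private Google API resolution stop applying unless those servers handle them — so a comment above the dynamic block such as `# Outbound forwarding replaces Cloud DNS resolution for the whole network: private zones and googleapis private resolution must be served by these name servers.` would spare an operator an outage. The `public_ns` entries omit `forwarding_path`, which presumably leaves the provider default, so queries to a non-RFC1918 address exit via the internet; that is worth stating in the same comment. The name `"${var.name}-inbound-policy"` is misleading because the resource also carries query logging and outbound forwarding; `"${var.name}-dns-policy"` reads better, and renaming after first apply would force replacement.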
@ -32,6 +32,18 @@ variable "description" {
|
|||
default = "Terraform-managed."
|
||||
}
|
||||
|
||||
variable "dns_policy" {
|
||||
type = object({
|
||||
inbound = bool
|
||||
logging = bool
|
||||
outbound = object({
|
||||
private_ns = list(string)
|
||||
public_ns = list(string)
|
||||
})
|
||||
})
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "iam" {
|
||||
description = "Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format."
|
||||
type = map(map(list(string)))
|
||||
|
@ -84,6 +96,19 @@ variable "peering_create_remote_end" {
|
|||
default = true
|
||||
}
|
||||
|
||||
variable "private_service_networking_range" {
|
||||
description = "RFC1919 CIDR range used for Google services that support private service networking."
|
||||
type = string
|
||||
default = null
|
||||
validation {
|
||||
condition = (
|
||||
var.private_service_networking_range == null ||
|
||||
can(cidrnetmask(var.private_service_networking_range))
|
||||
)
|
||||
error_message = "Specify a valid RFC1918 CIDR range for private service networking."
|
||||
}
|
||||
}
|
||||
|
||||
variable "project_id" {
|
||||
description = "The ID of the project where this VPC will be created"
|
||||
type = string
|
||||
|
@ -159,16 +184,3 @@ variable "vpc_create" {
|
|||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "private_service_networking_range" {
|
||||
description = "RFC1919 CIDR range used for Google services that support private service networking."
|
||||
type = string
|
||||
default = null
|
||||
validation {
|
||||
condition = (
|
||||
var.private_service_networking_range == null ||
|
||||
can(cidrnetmask(var.private_service_networking_range))
|
||||
)
|
||||
error_message = "Specify a valid RFC1918 CIDR range for private service networking."
|
||||
}
|
||||
}
|
||||
|
|
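Review bot: The new `dns_policy` variable has no `description` (the generated TFDOC table renders it as `None`) and no `validation`, so a typo in a name-server address surfaces only at apply time, unlike the neighbouring `private_service_networking_range` which checks its input with `cidrnetmask`; a description and a matching validation block are proposed below, assuming the module targets Terraform 0.13+ for `try` and `alltrue`. Because Cloud DNS query logs are a primary detection source for DNS exfiltration and beaconing, the description should state that `logging` enables query logging so callers do not leave it off unthinkingly, as the README example does. The `private_service_networking_range` block is moved by the second hunk without fixing `RFC1919` in its description, which should read `RFC1918`.
```hcl
variable "dns_policy" {
  description = "DNS policy for this network: inbound forwarding, Cloud DNS query logging (recommended for detection), and optional outbound forwarding to private/public name servers, which replaces Cloud DNS resolution for the whole network."
  # … unchanged: type and default …
  validation {
    condition = alltrue([
      for ns in try(concat(
        coalesce(var.dns_policy.outbound.private_ns, []),
        coalesce(var.dns_policy.outbound.public_ns, [])
      ), []) : can(cidrnetmask("${ns}/32"))
    ])
    error_message = "DNS policy name servers must be valid IPv4 addresses."
  }
}
```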