Refactor net-vpc module for Terraform 1.3 (#880)
* module tests pass * doc examples * refactor blueprints * fast stages * fix comment typo * fix module factory test
This commit is contained in:
parent
1ead60122d
commit
4fa1dc431d
|
@ -44,10 +44,9 @@ module "vpc" {
|
|||
name = "${local.prefix}vpc"
|
||||
subnets = [
|
||||
{
|
||||
ip_cidr_range = var.subnet_ip_cidr_block
|
||||
name = "subnet"
|
||||
region = var.region
|
||||
secondary_ip_range = null
|
||||
ip_cidr_range = var.subnet_ip_cidr_block
|
||||
name = "subnet"
|
||||
region = var.region
|
||||
}
|
||||
]
|
||||
}
|
||||
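Review bot: Dropping `secondary_ip_range = null` from this subnet (and the matching `null`/`{}` removals in every other subnet hunk on this page) makes the example depend on the module declaring the attribute with `optional()`, which is Terraform 1.3 syntax, so on an older CLI the failure would surface as a type error inside the module rather than as a clear version message. It is worth confirming, outside this hunk, that each affected blueprint's `required_version` constraint was raised together with the module's. A one-line note in the example, `# requires Terraform >= 1.3 (optional object attributes)`, would also make the dependency visible to readers copying the snippet. The enclosing `module "vpc"` block starts before the hunk.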
|
|
|
@ -48,10 +48,9 @@ module "vpc" {
|
|||
project_id = module.project.project_id
|
||||
name = var.name
|
||||
subnets = [{
|
||||
ip_cidr_range = "192.168.0.0/24"
|
||||
name = "${var.name}-default"
|
||||
region = var.region
|
||||
secondary_ip_range = {}
|
||||
ip_cidr_range = "192.168.0.0/24"
|
||||
name = "${var.name}-default"
|
||||
region = var.region
|
||||
}]
|
||||
}
|
||||
|
||||
|
|
|
@ -37,10 +37,9 @@ module "vpc" {
|
|||
project_id = module.project.project_id
|
||||
name = var.name
|
||||
subnets = [{
|
||||
ip_cidr_range = "192.168.0.0/24"
|
||||
name = "${var.name}-default"
|
||||
region = var.region
|
||||
secondary_ip_range = {}
|
||||
ip_cidr_range = "192.168.0.0/24"
|
||||
name = "${var.name}-default"
|
||||
region = var.region
|
||||
}]
|
||||
}
|
||||
|
||||
|
|
|
@ -22,10 +22,9 @@ module "shared-vpc" {
|
|||
|
||||
subnets = [
|
||||
{
|
||||
name = "subnet-01"
|
||||
ip_cidr_range = "10.10.1.0/24"
|
||||
region = var.region
|
||||
secondary_ip_range = {}
|
||||
name = "subnet-01"
|
||||
ip_cidr_range = "10.10.1.0/24"
|
||||
region = var.region
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
@ -43,22 +43,19 @@ module "vpc" {
|
|||
name = "${local.prefix}vpc"
|
||||
subnets = [
|
||||
{
|
||||
ip_cidr_range = "10.0.1.0/24"
|
||||
name = "subnet-ew1"
|
||||
region = "europe-west1"
|
||||
secondary_ip_range = null
|
||||
ip_cidr_range = "10.0.1.0/24"
|
||||
name = "subnet-ew1"
|
||||
region = "europe-west1"
|
||||
},
|
||||
{
|
||||
ip_cidr_range = "10.0.2.0/24"
|
||||
name = "subnet-ue1"
|
||||
region = "us-east1"
|
||||
secondary_ip_range = null
|
||||
ip_cidr_range = "10.0.2.0/24"
|
||||
name = "subnet-ue1"
|
||||
region = "us-east1"
|
||||
},
|
||||
{
|
||||
ip_cidr_range = "10.0.3.0/24"
|
||||
name = "subnet-uw1"
|
||||
region = "us-west1"
|
||||
secondary_ip_range = null
|
||||
ip_cidr_range = "10.0.3.0/24"
|
||||
name = "subnet-uw1"
|
||||
region = "us-west1"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
@ -40,10 +40,9 @@ module "vpc-hub" {
|
|||
name = "vpc-hub"
|
||||
subnets = [
|
||||
{
|
||||
ip_cidr_range = "10.0.10.0/24"
|
||||
name = "subnet-hub-1"
|
||||
region = var.region
|
||||
secondary_ip_range = {}
|
||||
ip_cidr_range = "10.0.10.0/24"
|
||||
name = "subnet-hub-1"
|
||||
region = var.region
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -81,10 +80,9 @@ module "vpc-prod" {
|
|||
name = "vpc-prod"
|
||||
subnets = [
|
||||
{
|
||||
ip_cidr_range = "10.0.20.0/24"
|
||||
name = "subnet-prod-1"
|
||||
region = var.region
|
||||
secondary_ip_range = {}
|
||||
ip_cidr_range = "10.0.20.0/24"
|
||||
name = "subnet-prod-1"
|
||||
region = var.region
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -122,10 +120,9 @@ module "vpc-dev" {
|
|||
name = "vpc-dev"
|
||||
subnets = [
|
||||
{
|
||||
ip_cidr_range = "10.0.30.0/24"
|
||||
name = "subnet-dev-1"
|
||||
region = var.region
|
||||
secondary_ip_range = {}
|
||||
ip_cidr_range = "10.0.30.0/24"
|
||||
name = "subnet-dev-1"
|
||||
region = var.region
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
@ -56,10 +56,9 @@ module "vpc" {
|
|||
name = "image-builder"
|
||||
subnets = [
|
||||
{
|
||||
name = local.compute_subnet_name
|
||||
ip_cidr_range = var.cidrs.image-builder
|
||||
region = var.region
|
||||
secondary_ip_range = null
|
||||
name = local.compute_subnet_name
|
||||
ip_cidr_range = var.cidrs.image-builder
|
||||
region = var.region
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
@ -43,10 +43,9 @@ module "vpc" {
|
|||
name = "vpc"
|
||||
subnets = [
|
||||
{
|
||||
name = "apps"
|
||||
ip_cidr_range = "10.8.32.0/24"
|
||||
region = var.region
|
||||
secondary_ip_range = null
|
||||
name = "apps"
|
||||
ip_cidr_range = "10.8.32.0/24"
|
||||
region = var.region
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
@ -58,10 +58,9 @@ module "landing-vpc" {
|
|||
name = "landing-vpc"
|
||||
subnets = [
|
||||
{
|
||||
ip_cidr_range = var.vpc_config.ip_cidr_range
|
||||
name = "landing-vpc-${var.vpc_config.region}"
|
||||
region = var.vpc_config.region
|
||||
secondary_ip_range = {}
|
||||
ip_cidr_range = var.vpc_config.ip_cidr_range
|
||||
name = "landing-vpc-${var.vpc_config.region}"
|
||||
region = var.vpc_config.region
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
@ -36,7 +36,7 @@ locals {
|
|||
local.data_eng_principals_iam,
|
||||
[module.service-account-sql.iam_email]
|
||||
)
|
||||
# compute engeneering
|
||||
# compute engineering
|
||||
"roles/compute.instanceAdmin.v1" = local.data_eng_principals_iam
|
||||
"roles/compute.osLogin" = local.data_eng_principals_iam
|
||||
"roles/compute.viewer" = local.data_eng_principals_iam
|
||||
|
@ -115,10 +115,9 @@ module "vpc" {
|
|||
name = "vpc"
|
||||
subnets = [
|
||||
{
|
||||
ip_cidr_range = "10.0.0.0/20"
|
||||
name = "subnet"
|
||||
region = var.regions.primary
|
||||
secondary_ip_range = {}
|
||||
ip_cidr_range = "10.0.0.0/20"
|
||||
name = "subnet"
|
||||
region = var.regions.primary
|
||||
}
|
||||
]
|
||||
|
||||
|
|
|
@ -51,10 +51,9 @@ module "vpc" {
|
|||
name = var.vpc_name
|
||||
subnets = [
|
||||
{
|
||||
ip_cidr_range = var.vpc_ip_cidr_range
|
||||
name = var.vpc_subnet_name
|
||||
region = var.region
|
||||
secondary_ip_range = {}
|
||||
ip_cidr_range = var.vpc_ip_cidr_range
|
||||
name = var.vpc_subnet_name
|
||||
region = var.region
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
@ -120,7 +120,7 @@ module "vpc" {
|
|||
ip_cidr_range = "10.0.0.0/20"
|
||||
name = "subnet"
|
||||
region = var.region
|
||||
secondary_ip_range = {
|
||||
secondary_ip_ranges = {
|
||||
pods = "10.10.8.0/22"
|
||||
services = "10.10.12.0/24"
|
||||
}
|
||||
|
|
|
@ -110,10 +110,9 @@ module "load-vpc" {
|
|||
name = "${var.prefix}-default"
|
||||
subnets = [
|
||||
{
|
||||
ip_cidr_range = "10.10.0.0/24"
|
||||
name = "default"
|
||||
region = var.region
|
||||
secondary_ip_range = {}
|
||||
ip_cidr_range = "10.10.0.0/24"
|
||||
name = "default"
|
||||
region = var.region
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
@ -121,7 +121,7 @@ module "orch-vpc" {
|
|||
ip_cidr_range = "10.10.0.0/24"
|
||||
name = "default"
|
||||
region = var.region
|
||||
secondary_ip_range = {
|
||||
secondary_ip_ranges = {
|
||||
pods = "10.10.8.0/22"
|
||||
services = "10.10.12.0/24"
|
||||
}
|
||||
|
|
|
@ -134,10 +134,9 @@ module "transf-vpc" {
|
|||
name = "${var.prefix}-default"
|
||||
subnets = [
|
||||
{
|
||||
ip_cidr_range = "10.10.0.0/24"
|
||||
name = "default"
|
||||
region = var.region
|
||||
secondary_ip_range = {}
|
||||
ip_cidr_range = "10.10.0.0/24"
|
||||
name = "default"
|
||||
region = var.region
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
@ -41,7 +41,7 @@ module "project" {
|
|||
"storage-component.googleapis.com"
|
||||
]
|
||||
policy_boolean = {
|
||||
# "constraints/compute.requireOsLogin" = false
|
||||
# "constraints/compute.requireOsLogin" = false
|
||||
# Example of applying a project wide policy, mainly useful for Composer
|
||||
}
|
||||
service_encryption_key_ids = {
|
||||
|
@ -61,10 +61,9 @@ module "vpc" {
|
|||
name = "${var.prefix}-vpc"
|
||||
subnets = [
|
||||
{
|
||||
ip_cidr_range = var.vpc_config.ip_cidr_range
|
||||
name = "${var.prefix}-subnet"
|
||||
region = var.region
|
||||
secondary_ip_range = {}
|
||||
ip_cidr_range = var.vpc_config.ip_cidr_range
|
||||
name = "${var.prefix}-subnet"
|
||||
region = var.region
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
@ -19,10 +19,9 @@ module "vpc" {
|
|||
name = "${var.prefix}-vpc"
|
||||
subnets = [
|
||||
{
|
||||
ip_cidr_range = var.vpc_subnet_range
|
||||
name = "subnet"
|
||||
region = var.region
|
||||
secondary_ip_range = {}
|
||||
ip_cidr_range = var.vpc_subnet_range
|
||||
name = "subnet"
|
||||
region = var.region
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
@ -58,10 +58,9 @@ module "vpc" {
|
|||
name = var.network
|
||||
subnets = var.project_create != null ? [
|
||||
{
|
||||
ip_cidr_range = var.vpc_ip_cidr_range
|
||||
name = var.subnetwork
|
||||
region = var.region
|
||||
secondary_ip_range = {}
|
||||
ip_cidr_range = var.vpc_ip_cidr_range
|
||||
name = var.subnetwork
|
||||
region = var.region
|
||||
}
|
||||
] : []
|
||||
vpc_create = var.project_create != null ? true : false
|
||||
|
|
|
@ -66,7 +66,7 @@ module "vpc" {
|
|||
ip_cidr_range = var.subnet_cidr_block
|
||||
name = "subnet"
|
||||
region = var.region
|
||||
secondary_ip_range = {
|
||||
secondary_ip_ranges = {
|
||||
pods = var.pods_cidr_block
|
||||
services = var.services_cidr_block
|
||||
}
|
||||
|
|
|
@ -25,15 +25,14 @@ module "svpc" {
|
|||
ip_cidr_range = config.subnet_cidr_block
|
||||
name = "subnet-${key}"
|
||||
region = var.region
|
||||
secondary_ip_range = {
|
||||
secondary_ip_ranges = {
|
||||
pods = config.pods_cidr_block
|
||||
services = config.services_cidr_block
|
||||
}
|
||||
}], [{
|
||||
ip_cidr_range = var.mgmt_subnet_cidr_block
|
||||
name = "subnet-mgmt"
|
||||
region = var.mgmt_server_config.region
|
||||
secondary_ip_range = null
|
||||
ip_cidr_range = var.mgmt_subnet_cidr_block
|
||||
name = "subnet-mgmt"
|
||||
region = var.mgmt_server_config.region
|
||||
}])
|
||||
}
|
||||
|
||||
|
|
|
@ -52,10 +52,9 @@ module "vpc-prod" {
|
|||
name = "prod-vpc"
|
||||
subnets = [
|
||||
{
|
||||
ip_cidr_range = var.ip_ranges.prod
|
||||
name = "prod"
|
||||
region = var.region
|
||||
secondary_ip_range = {}
|
||||
ip_cidr_range = var.ip_ranges.prod
|
||||
name = "prod"
|
||||
region = var.region
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -66,10 +65,9 @@ module "vpc-dev" {
|
|||
name = "dev-vpc"
|
||||
subnets = [
|
||||
{
|
||||
ip_cidr_range = var.ip_ranges.dev
|
||||
name = "dev"
|
||||
region = var.region
|
||||
secondary_ip_range = {}
|
||||
ip_cidr_range = var.ip_ranges.dev
|
||||
name = "dev"
|
||||
region = var.region
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
@ -58,16 +58,14 @@ module "vpc" {
|
|||
name = "vpc"
|
||||
subnets = [
|
||||
{
|
||||
name = "apps"
|
||||
ip_cidr_range = var.cidrs.apps
|
||||
region = var.region
|
||||
secondary_ip_range = null
|
||||
name = "apps"
|
||||
ip_cidr_range = var.cidrs.apps
|
||||
region = var.region
|
||||
},
|
||||
{
|
||||
name = "proxy"
|
||||
ip_cidr_range = var.cidrs.proxy
|
||||
region = var.region
|
||||
secondary_ip_range = null
|
||||
name = "proxy"
|
||||
ip_cidr_range = var.cidrs.proxy
|
||||
region = var.region
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
@ -52,10 +52,9 @@ module "vpc-hub" {
|
|||
name = "${local.prefix}hub"
|
||||
subnets = [
|
||||
{
|
||||
ip_cidr_range = var.ip_ranges.hub
|
||||
name = "${local.prefix}hub-1"
|
||||
region = var.region
|
||||
secondary_ip_range = {}
|
||||
ip_cidr_range = var.ip_ranges.hub
|
||||
name = "${local.prefix}hub-1"
|
||||
region = var.region
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -86,10 +85,9 @@ module "vpc-spoke-1" {
|
|||
name = "${local.prefix}spoke-1"
|
||||
subnets = [
|
||||
{
|
||||
ip_cidr_range = var.ip_ranges.spoke-1
|
||||
name = "${local.prefix}spoke-1-1"
|
||||
region = var.region
|
||||
secondary_ip_range = {}
|
||||
ip_cidr_range = var.ip_ranges.spoke-1
|
||||
name = "${local.prefix}spoke-1-1"
|
||||
region = var.region
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -131,7 +129,7 @@ module "vpc-spoke-2" {
|
|||
ip_cidr_range = var.ip_ranges.spoke-2
|
||||
name = "${local.prefix}spoke-2-1"
|
||||
region = var.region
|
||||
secondary_ip_range = {
|
||||
secondary_ip_ranges = {
|
||||
pods = var.ip_secondary_ranges.spoke-2-pods
|
||||
services = var.ip_secondary_ranges.spoke-2-services
|
||||
}
|
||||
|
|
|
@ -23,7 +23,7 @@ module "dev-vpc" {
|
|||
ip_cidr_range = var.ip_ranges.dev-0-r1
|
||||
name = "${local.prefix}dev-0"
|
||||
region = var.regions.r1
|
||||
secondary_ip_range = try(
|
||||
secondary_ip_ranges = try(
|
||||
var.ip_secondary_ranges.dev-0-r1, {}
|
||||
)
|
||||
},
|
||||
|
@ -31,7 +31,7 @@ module "dev-vpc" {
|
|||
ip_cidr_range = var.ip_ranges.dev-0-r2
|
||||
name = "${local.prefix}dev-0"
|
||||
region = var.regions.r2
|
||||
secondary_ip_range = try(
|
||||
secondary_ip_ranges = try(
|
||||
var.ip_secondary_ranges.dev-0-r2, {}
|
||||
)
|
||||
}
|
||||
|
|
|
@ -23,7 +23,7 @@ module "landing-vpc" {
|
|||
ip_cidr_range = var.ip_ranges.land-0-r1
|
||||
name = "${local.prefix}lnd-0"
|
||||
region = var.regions.r1
|
||||
secondary_ip_range = try(
|
||||
secondary_ip_ranges = try(
|
||||
var.ip_secondary_ranges.land-0-r1, {}
|
||||
)
|
||||
},
|
||||
|
@ -31,7 +31,7 @@ module "landing-vpc" {
|
|||
ip_cidr_range = var.ip_ranges.land-0-r2
|
||||
name = "${local.prefix}lnd-0"
|
||||
region = var.regions.r2
|
||||
secondary_ip_range = try(
|
||||
secondary_ip_ranges = try(
|
||||
var.ip_secondary_ranges.land-0-r2, {}
|
||||
)
|
||||
}
|
||||
|
|
|
@ -23,7 +23,7 @@ module "prod-vpc" {
|
|||
ip_cidr_range = var.ip_ranges.prod-0-r1
|
||||
name = "${local.prefix}prd-0"
|
||||
region = var.regions.r1
|
||||
secondary_ip_range = try(
|
||||
secondary_ip_ranges = try(
|
||||
var.ip_secondary_ranges.prod-0-r1, {}
|
||||
)
|
||||
},
|
||||
|
@ -31,7 +31,7 @@ module "prod-vpc" {
|
|||
ip_cidr_range = var.ip_ranges.prod-0-r2
|
||||
name = "${local.prefix}prd-0"
|
||||
region = var.regions.r2
|
||||
secondary_ip_range = try(
|
||||
secondary_ip_ranges = try(
|
||||
var.ip_secondary_ranges.prod-0-r2, {}
|
||||
)
|
||||
}
|
||||
|
|
|
@ -20,17 +20,14 @@ module "vpc-left" {
|
|||
name = "${local.prefix}left"
|
||||
subnets = [
|
||||
{
|
||||
ip_cidr_range = var.ip_ranges.left
|
||||
name = "${local.prefix}left"
|
||||
region = var.region
|
||||
secondary_ip_range = {}
|
||||
ip_cidr_range = var.ip_ranges.left
|
||||
name = "${local.prefix}left"
|
||||
region = var.region
|
||||
},
|
||||
]
|
||||
routes = {
|
||||
to-right = {
|
||||
dest_range = var.ip_ranges.right
|
||||
priority = null
|
||||
tags = null
|
||||
next_hop_type = "ilb"
|
||||
next_hop = module.ilb-left.forwarding_rule.self_link
|
||||
}
|
||||
|
|
|
@ -20,31 +20,25 @@ module "vpc-right" {
|
|||
name = "${local.prefix}right"
|
||||
subnets = [
|
||||
{
|
||||
ip_cidr_range = var.ip_ranges.right
|
||||
name = "${local.prefix}right"
|
||||
region = var.region
|
||||
secondary_ip_range = {}
|
||||
ip_cidr_range = var.ip_ranges.right
|
||||
name = "${local.prefix}right"
|
||||
region = var.region
|
||||
},
|
||||
]
|
||||
routes = {
|
||||
to-left-ilb = {
|
||||
dest_range = var.ip_ranges.left
|
||||
priority = var.ilb_right_enable ? 900 : 1100
|
||||
tags = null
|
||||
next_hop_type = "ilb"
|
||||
next_hop = module.ilb-right.forwarding_rule.self_link
|
||||
}
|
||||
to-left-gw-1 = {
|
||||
dest_range = var.ip_ranges.left
|
||||
priority = null
|
||||
tags = null
|
||||
next_hop_type = "instance"
|
||||
next_hop = module.gw[var.zones[0]].self_link
|
||||
}
|
||||
to-left-gw-2 = {
|
||||
dest_range = var.ip_ranges.left
|
||||
priority = null
|
||||
tags = null
|
||||
next_hop_type = "instance"
|
||||
next_hop = module.gw[var.zones[1]].self_link
|
||||
}
|
||||
|
|
|
@ -149,13 +149,11 @@ module "vpc" {
|
|||
name = var.network
|
||||
subnets = [
|
||||
{
|
||||
name = var.subnetwork
|
||||
ip_cidr_range = var.cidrs[var.subnetwork]
|
||||
region = var.region
|
||||
secondary_ip_range = null
|
||||
name = var.subnetwork
|
||||
ip_cidr_range = var.cidrs[var.subnetwork]
|
||||
region = var.region
|
||||
},
|
||||
]
|
||||
|
||||
vpc_create = var.network_create
|
||||
}
|
||||
|
||||
|
|
|
@ -56,16 +56,14 @@ module "vpc" {
|
|||
name = "to-onprem"
|
||||
subnets = [
|
||||
{
|
||||
ip_cidr_range = var.ip_ranges.gcp1
|
||||
name = "subnet1"
|
||||
region = var.region.gcp1
|
||||
secondary_ip_range = {}
|
||||
ip_cidr_range = var.ip_ranges.gcp1
|
||||
name = "subnet1"
|
||||
region = var.region.gcp1
|
||||
},
|
||||
{
|
||||
ip_cidr_range = var.ip_ranges.gcp2
|
||||
name = "subnet2"
|
||||
region = var.region.gcp2
|
||||
secondary_ip_range = {}
|
||||
ip_cidr_range = var.ip_ranges.gcp2
|
||||
name = "subnet2"
|
||||
region = var.region.gcp2
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
@ -42,15 +42,12 @@ module "vpc-onprem" {
|
|||
name = "${var.name}-onprem"
|
||||
subnets = [
|
||||
{
|
||||
ip_cidr_range = var.ip_ranges.onprem
|
||||
name = "${var.name}-onprem"
|
||||
region = var.region
|
||||
secondary_ip_range = {}
|
||||
ip_cidr_range = var.ip_ranges.onprem
|
||||
name = "${var.name}-onprem"
|
||||
region = var.region
|
||||
enable_private_access = false
|
||||
}
|
||||
]
|
||||
subnet_private_access = {
|
||||
"${var.region}/${var.name}-onprem" = false
|
||||
}
|
||||
}
|
||||
|
||||
module "firewall-onprem" {
|
||||
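Review bot: `enable_private_access = false` on the onprem subnet replaces the separate `subnet_private_access` map but carries no explanation, and the schema hunk on this page documents the attribute's default as true, so a later cleanup could drop the line as redundant and silently turn on Private Google Access for a subnet whose name suggests it stands in for the on-premises side. A short comment on that line, `# keep Private Google Access off: this subnet emulates on-prem`, would pin the intent. The `module "vpc-onprem"` block starts before the hunk.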
|
@ -65,10 +62,9 @@ module "vpc-hub" {
|
|||
name = "${var.name}-hub"
|
||||
subnets = [
|
||||
{
|
||||
ip_cidr_range = var.ip_ranges.hub
|
||||
name = "${var.name}-hub"
|
||||
region = var.region
|
||||
secondary_ip_range = {}
|
||||
ip_cidr_range = var.ip_ranges.hub
|
||||
name = "${var.name}-hub"
|
||||
region = var.region
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
@ -97,22 +97,21 @@ module "vpc-shared" {
|
|||
name = "shared-vpc"
|
||||
subnets = [
|
||||
{
|
||||
ip_cidr_range = var.ip_ranges.gce
|
||||
name = "gce"
|
||||
region = var.region
|
||||
secondary_ip_range = {}
|
||||
ip_cidr_range = var.ip_ranges.gce
|
||||
name = "gce"
|
||||
region = var.region
|
||||
},
|
||||
{
|
||||
ip_cidr_range = var.ip_ranges.gke
|
||||
name = "gke"
|
||||
region = var.region
|
||||
secondary_ip_range = {
|
||||
secondary_ip_ranges = {
|
||||
pods = var.ip_secondary_ranges.gke-pods
|
||||
services = var.ip_secondary_ranges.gke-services
|
||||
}
|
||||
}
|
||||
]
|
||||
iam = {
|
||||
subnet_iam = {
|
||||
"${var.region}/gce" = {
|
||||
"roles/compute.networkUser" = concat(var.owners_gce, [
|
||||
"serviceAccount:${module.project-svc-gce.service_accounts.cloud_services}",
|
||||
|
|
|
@ -26,19 +26,15 @@ module "vpc" {
|
|||
name = "${local.prefix}sql-vpc"
|
||||
subnets = [
|
||||
{
|
||||
ip_cidr_range = var.ip_ranges.sql_vpc
|
||||
name = "subnet"
|
||||
region = var.region
|
||||
secondary_ip_range = {}
|
||||
ip_cidr_range = var.ip_ranges.sql_vpc
|
||||
name = "subnet"
|
||||
region = var.region
|
||||
}
|
||||
]
|
||||
|
||||
# Private Service Access
|
||||
psa_config = {
|
||||
ranges = {
|
||||
cloud-sql = var.ip_ranges.psa
|
||||
}
|
||||
routes = null
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -67,4 +63,4 @@ module "cloudsql" {
|
|||
users = {
|
||||
"${local.cloudsql_conf.user}" = "${local.cloudsql_conf.pass}"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -16,14 +16,16 @@ region: str()
|
|||
description: str()
|
||||
ip_cidr_range: str()
|
||||
# optional attributes
|
||||
private_ip_google_access: bool(required=False) # defaults to true
|
||||
enable_private_access: bool(required=False) # defaults to true
|
||||
iam_users: list(str(), required=False)
|
||||
iam_groups: list(str(), required=False)
|
||||
iam_service_accounts: list(str(), required=False)
|
||||
secondary_ip_range: map(str(), key=str(), required=False)
|
||||
secondary_ip_ranges: map(str(), key=str(), required=False)
|
||||
flow_logs: any(include('flow_logs'), required=False)
|
||||
---
|
||||
flow_logs:
|
||||
- aggregation_interval: enum('INTERVAL_5_SEC', 'INTERVAL_30_SEC', 'INTERVAL_1_MIN', 'INTERVAL_5_MIN', 'INTERVAL_10_MIN', 'INTERVAL_15_MIN', required=False)
|
||||
- filter_expression: str()
|
||||
- flow_sampling: num(min=0, max=1, required=False)
|
||||
- metadata: enum('EXCLUDE_ALL_METADATA', 'INCLUDE_ALL_METADATA', 'CUSTOM_METADATA', required=False)
|
||||
- metadata_fields: map(str(), key=str(), required=False)
|
||||
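Review bot: Renaming the YAML keys to `enable_private_access` and `secondary_ip_ranges` changes the contract for every subnet file read from a `data_folder`, and nothing in this hunk says what happens to files that still use `private_ip_google_access` or `secondary_ip_range`. If the module decodes those files with `try()`/`lookup()` the old keys are ignored rather than rejected, which would leave such a subnet with Private Google Access at its default (true, per the comment on the new line) and with no secondary ranges, with no plan-time signal; if the schema is applied strictly the old key fails loudly, which is the better outcome. A comment in the schema recording the renamed keys, `# renamed: private_ip_google_access -> enable_private_access, secondary_ip_range -> secondary_ip_ranges`, plus a module-side check or migration note for existing data folders, would close that gap. The rest of the schema file lies outside the hunk.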
|
|
|
@ -3,6 +3,6 @@
|
|||
region: europe-west1
|
||||
description: Default subnet for dev Data Platform
|
||||
ip_cidr_range: 10.128.48.0/24
|
||||
secondary_ip_range:
|
||||
secondary_ip_ranges:
|
||||
pods: 100.128.48.0/20
|
||||
services: 100.255.48.0/24
|
||||
|
|
|
@ -49,13 +49,10 @@ module "landing-untrusted-vpc" {
|
|||
project_id = module.landing-project.project_id
|
||||
name = "prod-untrusted-landing-0"
|
||||
mtu = 1500
|
||||
|
||||
dns_policy = {
|
||||
inbound = false
|
||||
logging = false
|
||||
outbound = null
|
||||
inbound = false
|
||||
logging = false
|
||||
}
|
||||
|
||||
data_folder = "${var.data_dir}/subnets/landing-untrusted"
|
||||
}
|
||||
|
||||
|
@ -108,24 +105,18 @@ module "landing-trusted-vpc" {
|
|||
routes = {
|
||||
private-googleapis = {
|
||||
dest_range = "199.36.153.8/30"
|
||||
priority = 1000
|
||||
tags = []
|
||||
next_hop_type = "gateway"
|
||||
next_hop = "default-internet-gateway"
|
||||
}
|
||||
restricted-googleapis = {
|
||||
dest_range = "199.36.153.4/30"
|
||||
priority = 1000
|
||||
tags = []
|
||||
next_hop_type = "gateway"
|
||||
next_hop = "default-internet-gateway"
|
||||
}
|
||||
}
|
||||
|
||||
dns_policy = {
|
||||
inbound = true
|
||||
logging = false
|
||||
outbound = null
|
||||
inbound = true
|
||||
}
|
||||
|
||||
data_folder = "${var.data_dir}/subnets/landing-trusted"
|
||||
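Review bot: The `dns_policy` at the end of this hunk appears to keep only `inbound = true`, so whether DNS query logging on the trusted landing VPC stays off now depends on a module default that is not visible here; the same happens in both `module "landing-vpc"` hunks further down. DNS logging on a landing network is a detection control, and the explicit `logging = false` was the only place the decision was recorded. If the module default is false the behaviour is unchanged, but keeping the line explicit, `logging = false`, or adding `# DNS query logging left at the module default (off) - confirmed` once verified, makes the choice reviewable rather than implicit. The `module "landing-trusted-vpc"` block starts before the hunk.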
|
|
|
@ -56,14 +56,12 @@ module "dev-spoke-vpc" {
|
|||
private-googleapis = {
|
||||
dest_range = "199.36.153.8/30"
|
||||
priority = 999
|
||||
tags = []
|
||||
next_hop_type = "gateway"
|
||||
next_hop = "default-internet-gateway"
|
||||
}
|
||||
restricted-googleapis = {
|
||||
dest_range = "199.36.153.4/30"
|
||||
priority = 999
|
||||
tags = []
|
||||
next_hop_type = "gateway"
|
||||
next_hop = "default-internet-gateway"
|
||||
}
|
||||
|
|
|
@ -56,14 +56,12 @@ module "prod-spoke-vpc" {
|
|||
private-googleapis = {
|
||||
dest_range = "199.36.153.8/30"
|
||||
priority = 999
|
||||
tags = []
|
||||
next_hop_type = "gateway"
|
||||
next_hop = "default-internet-gateway"
|
||||
}
|
||||
restricted-googleapis = {
|
||||
dest_range = "199.36.153.4/30"
|
||||
priority = 999
|
||||
tags = []
|
||||
next_hop_type = "gateway"
|
||||
next_hop = "default-internet-gateway"
|
||||
}
|
||||
|
|
|
@ -48,23 +48,17 @@ module "landing-vpc" {
|
|||
name = "prod-landing-0"
|
||||
mtu = 1500
|
||||
dns_policy = {
|
||||
inbound = true
|
||||
logging = false
|
||||
outbound = null
|
||||
inbound = true
|
||||
}
|
||||
# set explicit routes for googleapis in case the default route is deleted
|
||||
routes = {
|
||||
private-googleapis = {
|
||||
dest_range = "199.36.153.8/30"
|
||||
priority = 1000
|
||||
tags = []
|
||||
next_hop_type = "gateway"
|
||||
next_hop = "default-internet-gateway"
|
||||
}
|
||||
restricted-googleapis = {
|
||||
dest_range = "199.36.153.4/30"
|
||||
priority = 1000
|
||||
tags = []
|
||||
next_hop_type = "gateway"
|
||||
next_hop = "default-internet-gateway"
|
||||
}
|
||||
|
|
|
@ -55,15 +55,11 @@ module "dev-spoke-vpc" {
|
|||
routes = {
|
||||
private-googleapis = {
|
||||
dest_range = "199.36.153.8/30"
|
||||
priority = 1000
|
||||
tags = []
|
||||
next_hop_type = "gateway"
|
||||
next_hop = "default-internet-gateway"
|
||||
}
|
||||
restricted-googleapis = {
|
||||
dest_range = "199.36.153.4/30"
|
||||
priority = 1000
|
||||
tags = []
|
||||
next_hop_type = "gateway"
|
||||
next_hop = "default-internet-gateway"
|
||||
}
|
||||
|
|
|
@ -55,15 +55,11 @@ module "prod-spoke-vpc" {
|
|||
routes = {
|
||||
private-googleapis = {
|
||||
dest_range = "199.36.153.8/30"
|
||||
priority = 1000
|
||||
tags = []
|
||||
next_hop_type = "gateway"
|
||||
next_hop = "default-internet-gateway"
|
||||
}
|
||||
restricted-googleapis = {
|
||||
dest_range = "199.36.153.4/30"
|
||||
priority = 1000
|
||||
tags = []
|
||||
next_hop_type = "gateway"
|
||||
next_hop = "default-internet-gateway"
|
||||
}
|
||||
|
|
|
@ -54,15 +54,11 @@ module "dev-spoke-vpc" {
|
|||
routes = {
|
||||
private-googleapis = {
|
||||
dest_range = "199.36.153.8/30"
|
||||
priority = 1000
|
||||
tags = []
|
||||
next_hop_type = "gateway"
|
||||
next_hop = "default-internet-gateway"
|
||||
}
|
||||
restricted-googleapis = {
|
||||
dest_range = "199.36.153.4/30"
|
||||
priority = 1000
|
||||
tags = []
|
||||
next_hop_type = "gateway"
|
||||
next_hop = "default-internet-gateway"
|
||||
}
|
||||
|
|
|
@ -54,15 +54,11 @@ module "prod-spoke-vpc" {
|
|||
routes = {
|
||||
private-googleapis = {
|
||||
dest_range = "199.36.153.8/30"
|
||||
priority = 1000
|
||||
tags = []
|
||||
next_hop_type = "gateway"
|
||||
next_hop = "default-internet-gateway"
|
||||
}
|
||||
restricted-googleapis = {
|
||||
dest_range = "199.36.153.4/30"
|
||||
priority = 1000
|
||||
tags = []
|
||||
next_hop_type = "gateway"
|
||||
next_hop = "default-internet-gateway"
|
||||
}
|
||||
|
|
|
@ -48,23 +48,17 @@ module "landing-vpc" {
|
|||
name = "prod-landing-0"
|
||||
mtu = 1500
|
||||
dns_policy = {
|
||||
inbound = true
|
||||
logging = false
|
||||
outbound = null
|
||||
inbound = true
|
||||
}
|
||||
# set explicit routes for googleapis in case the default route is deleted
|
||||
routes = {
|
||||
private-googleapis = {
|
||||
dest_range = "199.36.153.8/30"
|
||||
priority = 1000
|
||||
tags = []
|
||||
next_hop_type = "gateway"
|
||||
next_hop = "default-internet-gateway"
|
||||
}
|
||||
restricted-googleapis = {
|
||||
dest_range = "199.36.153.4/30"
|
||||
priority = 1000
|
||||
tags = []
|
||||
next_hop_type = "gateway"
|
||||
next_hop = "default-internet-gateway"
|
||||
}
|
||||
|
|
|
@ -55,15 +55,11 @@ module "dev-spoke-vpc" {
|
|||
routes = {
|
||||
private-googleapis = {
|
||||
dest_range = "199.36.153.8/30"
|
||||
priority = 1000
|
||||
tags = []
|
||||
next_hop_type = "gateway"
|
||||
next_hop = "default-internet-gateway"
|
||||
}
|
||||
restricted-googleapis = {
|
||||
dest_range = "199.36.153.4/30"
|
||||
priority = 1000
|
||||
tags = []
|
||||
next_hop_type = "gateway"
|
||||
next_hop = "default-internet-gateway"
|
||||
}
|
||||
|
|
|
@ -55,15 +55,11 @@ module "prod-spoke-vpc" {
|
|||
routes = {
|
||||
private-googleapis = {
|
||||
dest_range = "199.36.153.8/30"
|
||||
priority = 1000
|
||||
tags = []
|
||||
next_hop_type = "gateway"
|
||||
next_hop = "default-internet-gateway"
|
||||
}
|
||||
restricted-googleapis = {
|
||||
dest_range = "199.36.153.4/30"
|
||||
priority = 1000
|
||||
tags = []
|
||||
next_hop_type = "gateway"
|
||||
next_hop = "default-internet-gateway"
|
||||
}
|
||||
|
|
|
@ -18,7 +18,7 @@ module "vpc" {
|
|||
ip_cidr_range = "10.0.0.0/24"
|
||||
name = "production"
|
||||
region = "europe-west1"
|
||||
secondary_ip_range = {
|
||||
secondary_ip_ranges = {
|
||||
pods = "172.16.0.0/20"
|
||||
services = "192.168.0.0/24"
|
||||
}
|
||||
|
@ -27,7 +27,6 @@ module "vpc" {
|
|||
ip_cidr_range = "10.0.16.0/24"
|
||||
name = "production"
|
||||
region = "europe-west2"
|
||||
secondary_ip_range = {}
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -49,7 +48,6 @@ module "vpc-hub" {
|
|||
ip_cidr_range = "10.0.0.0/24"
|
||||
name = "subnet-1"
|
||||
region = "europe-west1"
|
||||
secondary_ip_range = null
|
||||
}]
|
||||
}
|
||||
|
||||
|
@ -61,11 +59,9 @@ module "vpc-spoke-1" {
|
|||
ip_cidr_range = "10.0.1.0/24"
|
||||
name = "subnet-2"
|
||||
region = "europe-west1"
|
||||
secondary_ip_range = null
|
||||
}]
|
||||
peering_config = {
|
||||
peer_vpc_self_link = module.vpc-hub.self_link
|
||||
export_routes = false
|
||||
import_routes = true
|
||||
}
|
||||
}
|
||||
|
@ -108,7 +104,7 @@ module "vpc-host" {
|
|||
local.service_project_1.project_id,
|
||||
local.service_project_2.project_id
|
||||
]
|
||||
iam = {
|
||||
subnet_iam = {
|
||||
"europe-west1/subnet-1" = {
|
||||
"roles/compute.networkUser" = [
|
||||
local.service_project_1.cloud_services_service_account,
|
||||
|
@ -135,12 +131,10 @@ module "vpc" {
|
|||
ip_cidr_range = "10.0.0.0/24"
|
||||
name = "production"
|
||||
region = "europe-west1"
|
||||
secondary_ip_range = null
|
||||
}
|
||||
]
|
||||
psa_config = {
|
||||
ranges = { myrange = "10.0.1.0/24" }
|
||||
routes = null
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=5
|
||||
|
@ -160,12 +154,12 @@ module "vpc" {
|
|||
ip_cidr_range = "10.0.0.0/24"
|
||||
name = "production"
|
||||
region = "europe-west1"
|
||||
secondary_ip_range = null
|
||||
}
|
||||
]
|
||||
psa_config = {
|
||||
ranges = { myrange = "10.0.1.0/24" }
|
||||
routes = { export=true, import=true }
|
||||
export_routes = true
|
||||
import_routes = true
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=5
|
||||
|
@ -212,7 +206,6 @@ module "vpc" {
|
|||
name = "my-network"
|
||||
dns_policy = {
|
||||
inbound = true
|
||||
logging = false
|
||||
outbound = {
|
||||
private_ns = ["10.0.0.1"]
|
||||
public_ns = ["8.8.8.8"]
|
||||
|
@ -223,7 +216,6 @@ module "vpc" {
|
|||
ip_cidr_range = "10.0.0.0/24"
|
||||
name = "production"
|
||||
region = "europe-west1"
|
||||
secondary_ip_range = {}
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -250,11 +242,11 @@ region: europe-west1
|
|||
description: Sample description
|
||||
ip_cidr_range: 10.0.0.0/24
|
||||
# optional attributes
|
||||
private_ip_google_access: false # defaults to true
|
||||
enable_private_access: false # defaults to true
|
||||
iam_users: ["foobar@example.com"] # grant compute/networkUser to users
|
||||
iam_groups: ["lorem@example.com"] # grant compute/networkUser to groups
|
||||
iam_service_accounts: ["fbz@prj.iam.gserviceaccount.com"]
|
||||
secondary_ip_range: # map of secondary ip ranges
|
||||
secondary_ip_ranges: # map of secondary ip ranges
|
||||
secondary-range-a: 192.168.0.0/24
|
||||
flow_logs: # enable, set to empty map to use defaults
|
||||
- aggregation_interval: "INTERVAL_5_SEC"
|
||||
|
@ -267,31 +259,25 @@ flow_logs: # enable, set to empty map to use defaults
|
|||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [name](variables.tf#L85) | The name of the network being created. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L106) | The ID of the project where this VPC will be created. | <code>string</code> | ✓ | |
|
||||
| [name](variables.tf#L60) | The name of the network being created. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L76) | The ID of the project where this VPC will be created. | <code>string</code> | ✓ | |
|
||||
| [auto_create_subnetworks](variables.tf#L17) | Set to true to create an auto mode subnet, defaults to custom mode. | <code>bool</code> | | <code>false</code> |
|
||||
| [data_folder](variables.tf#L23) | An optional folder containing the subnet configurations in YaML format. | <code>string</code> | | <code>null</code> |
|
||||
| [delete_default_routes_on_create](variables.tf#L29) | Set to true to delete the default routes at creation time. | <code>bool</code> | | <code>false</code> |
|
||||
| [description](variables.tf#L35) | An optional description of this resource (triggers recreation on change). | <code>string</code> | | <code>"Terraform-managed."</code> |
|
||||
| [dns_policy](variables.tf#L41) | DNS policy setup for the VPC. | <code title="object({ inbound = bool logging = bool outbound = object({ private_ns = list(string) public_ns = list(string) }) })">object({…})</code> | | <code>null</code> |
|
||||
| [iam](variables.tf#L54) | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| [log_config_defaults](variables.tf#L60) | Default configuration for flow logs when enabled. | <code title="object({ aggregation_interval = string flow_sampling = number metadata = string })">object({…})</code> | | <code title="{ aggregation_interval = "INTERVAL_5_SEC" flow_sampling = 0.5 metadata = "INCLUDE_ALL_METADATA" }">{…}</code> |
|
||||
| [log_configs](variables.tf#L74) | Map keyed by subnet 'region/name' of optional configurations for flow logs when enabled. | <code>map(map(string))</code> | | <code>{}</code> |
|
||||
| [mtu](variables.tf#L80) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 and the maximum value is 1500 bytes. | <code></code> | | <code>null</code> |
|
||||
| [peering_config](variables.tf#L90) | VPC peering configuration. | <code title="object({ peer_vpc_self_link = string export_routes = bool import_routes = bool })">object({…})</code> | | <code>null</code> |
|
||||
| [peering_create_remote_end](variables.tf#L100) | Skip creation of peering on the remote end when using peering_config. | <code>bool</code> | | <code>true</code> |
|
||||
| [psa_config](variables.tf#L111) | The Private Service Access configuration for Service Networking. | <code title="object({ ranges = map(string) routes = object({ export = bool import = bool }) })">object({…})</code> | | <code>null</code> |
|
||||
| [routes](variables.tf#L123) | Network routes, keyed by name. | <code title="map(object({ dest_range = string priority = number tags = list(string) next_hop_type = string # gateway, instance, ip, vpn_tunnel, ilb next_hop = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [routing_mode](variables.tf#L135) | The network routing mode (default 'GLOBAL'). | <code>string</code> | | <code>"GLOBAL"</code> |
|
||||
| [shared_vpc_host](variables.tf#L145) | Enable shared VPC for this project. | <code>bool</code> | | <code>false</code> |
|
||||
| [shared_vpc_service_projects](variables.tf#L151) | Shared VPC service projects to register with this host. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [subnet_descriptions](variables.tf#L157) | Optional map of subnet descriptions, keyed by subnet 'region/name'. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [subnet_flow_logs](variables.tf#L163) | Optional map of boolean to control flow logs (default is disabled), keyed by subnet 'region/name'. | <code>map(bool)</code> | | <code>{}</code> |
|
||||
| [subnet_private_access](variables.tf#L169) | Optional map of boolean to control private Google access (default is enabled), keyed by subnet 'region/name'. | <code>map(bool)</code> | | <code>{}</code> |
|
||||
| [subnets](variables.tf#L175) | List of subnets being created. | <code title="list(object({ name = string ip_cidr_range = string region = string secondary_ip_range = map(string) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [subnets_proxy_only](variables.tf#L186) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | <code title="list(object({ active = bool name = string ip_cidr_range = string region = string }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [subnets_psc](variables.tf#L197) | List of subnets for Private Service Connect service producers. | <code title="list(object({ name = string ip_cidr_range = string region = string }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [vpc_create](variables.tf#L207) | Create VPC. When set to false, uses a data source to reference existing VPC. | <code>bool</code> | | <code>true</code> |
|
||||
| [dns_policy](variables.tf#L41) | DNS policy setup for the VPC. | <code title="object({ inbound = optional(bool) logging = optional(bool) outbound = optional(object({ private_ns = list(string) public_ns = list(string) })) })">object({…})</code> | | <code>null</code> |
|
||||
| [mtu](variables.tf#L54) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 and the maximum value is 1500 bytes. | <code>number</code> | | <code>null</code> |
|
||||
| [peering_config](variables.tf#L65) | VPC peering configuration. | <code title="object({ peer_vpc_self_link = string create_remote_peer = optional(bool, true) export_routes = optional(bool) import_routes = optional(bool) })">object({…})</code> | | <code>null</code> |
|
||||
| [psa_config](variables.tf#L81) | The Private Service Access configuration for Service Networking. | <code title="object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) })">object({…})</code> | | <code>null</code> |
|
||||
| [routes](variables.tf#L91) | Network routes, keyed by name. | <code title="map(object({ dest_range = string next_hop_type = string # gateway, instance, ip, vpn_tunnel, ilb next_hop = string priority = optional(number) tags = optional(list(string)) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [routing_mode](variables.tf#L111) | The network routing mode (default 'GLOBAL'). | <code>string</code> | | <code>"GLOBAL"</code> |
|
||||
| [shared_vpc_host](variables.tf#L121) | Enable shared VPC for this project. | <code>bool</code> | | <code>false</code> |
|
||||
| [shared_vpc_service_projects](variables.tf#L127) | Shared VPC service projects to register with this host. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [subnet_iam](variables.tf#L133) | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| [subnets](variables.tf#L139) | Subnet configuration. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) enable_private_access = optional(bool, true) flow_logs_config = optional(object({ aggregation_interval = optional(string) filter_expression = optional(string) flow_sampling = optional(number) metadata = optional(string) metadata_fields = optional(list(string)) })) ipv6 = optional(object({ access_type = optional(string) enable_private_access = optional(bool, true) })) secondary_ip_ranges = optional(map(string)) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [subnets_proxy_only](variables.tf#L164) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) active = bool }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [subnets_psc](variables.tf#L176) | List of subnets for Private Service Connect service producers. | <code title="list(object({ name = string ip_cidr_range = string region = string }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [vpc_create](variables.tf#L186) | Create VPC. When set to false, uses a data source to reference existing VPC. | <code>bool</code> | | <code>true</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
@ -55,8 +55,12 @@ resource "google_compute_network_peering" "local" {
|
|||
}
|
||||
|
||||
resource "google_compute_network_peering" "remote" {
|
||||
provider = google-beta
|
||||
count = var.peering_config != null && var.peering_create_remote_end ? 1 : 0
|
||||
provider = google-beta
|
||||
count = (
|
||||
var.peering_config != null && try(var.peering_config.create_remote_peer, true)
|
||||
? 1
|
||||
: 0
|
||||
)
|
||||
name = "${local.peer_network}-${var.name}"
|
||||
network = var.peering_config.peer_vpc_self_link
|
||||
peer_network = local.network.self_link
|
||||
|
@ -74,10 +78,10 @@ resource "google_compute_shared_vpc_host_project" "shared_vpc_host" {
|
|||
|
||||
resource "google_compute_shared_vpc_service_project" "service_projects" {
|
||||
provider = google-beta
|
||||
for_each = (
|
||||
for_each = toset(
|
||||
var.shared_vpc_host && var.shared_vpc_service_projects != null
|
||||
? toset(var.shared_vpc_service_projects)
|
||||
: toset([])
|
||||
? var.shared_vpc_service_projects
|
||||
: []
|
||||
)
|
||||
host_project = var.project_id
|
||||
service_project = each.value
|
||||
|
@ -86,19 +90,23 @@ resource "google_compute_shared_vpc_service_project" "service_projects" {
|
|||
|
||||
resource "google_dns_policy" "default" {
|
||||
count = var.dns_policy == null ? 0 : 1
|
||||
enable_inbound_forwarding = var.dns_policy.inbound
|
||||
enable_logging = var.dns_policy.logging
|
||||
name = var.name
|
||||
project = var.project_id
|
||||
name = var.name
|
||||
enable_inbound_forwarding = try(var.dns_policy.inbound, null)
|
||||
enable_logging = try(var.dns_policy.logging, null)
|
||||
networks {
|
||||
network_url = local.network.id
|
||||
}
|
||||
|
||||
dynamic "alternative_name_server_config" {
|
||||
for_each = toset(var.dns_policy.outbound == null ? [] : [""])
|
||||
for_each = var.dns_policy.outbound != null ? [""] : []
|
||||
content {
|
||||
dynamic "target_name_servers" {
|
||||
for_each = toset(var.dns_policy.outbound.private_ns)
|
||||
for_each = (
|
||||
var.dns_policy.outbound.private_ns != null
|
||||
? var.dns_policy.outbound.private_ns
|
||||
: []
|
||||
)
|
||||
iterator = ns
|
||||
content {
|
||||
ipv4_address = ns.key
|
||||
|
@ -106,7 +114,11 @@ resource "google_dns_policy" "default" {
|
|||
}
|
||||
}
|
||||
dynamic "target_name_servers" {
|
||||
for_each = toset(var.dns_policy.outbound.public_ns)
|
||||
for_each = (
|
||||
var.dns_policy.outbound.public_ns != null
|
||||
? var.dns_policy.outbound.public_ns
|
||||
: []
|
||||
)
|
||||
iterator = ns
|
||||
content {
|
||||
ipv4_address = ns.key
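Review bot: Both `target_name_servers` blocks now iterate the bare `private_ns`/`public_ns` list instead of `toset(...)` but still set `ipv4_address = ns.key`; for a list iterator `ns.key` is the element index, so the forwarding targets would be planned as `0`, `1`, … rather than the configured resolver addresses (with a set, key and value coincide, which is why the old form worked). Change both blocks to `ipv4_address = ns.value`, or keep the `toset()` wrapper around the null-guarded list. None of the test hunks in this commit pass a `dns_policy`, so a plan-level test asserting the `ipv4_address` values under `alternative_name_server_config` would catch this and future regressions. Separately, `enable_logging = try(var.dns_policy.logging, null)` leaves DNS query logging at the provider default when `logging` is omitted; a comment such as `# query logging stays off unless dns_policy.logging = true` would make that security-relevant default explicit.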
|
||||
|
|
|
@ -17,15 +17,11 @@
|
|||
# tfdoc:file:description Private Service Access resources.
|
||||
|
||||
locals {
|
||||
psa_config = (
|
||||
var.psa_config == null
|
||||
? { ranges = {}, routes = null }
|
||||
: var.psa_config
|
||||
)
|
||||
psa_config_ranges = try(var.psa_config.ranges, {})
|
||||
}
|
||||
|
||||
resource "google_compute_global_address" "psa_ranges" {
|
||||
for_each = local.psa_config.ranges
|
||||
for_each = local.psa_config_ranges
|
||||
project = var.project_id
|
||||
name = each.key
|
||||
purpose = "VPC_PEERING"
|
||||
|
@ -36,7 +32,7 @@ resource "google_compute_global_address" "psa_ranges" {
|
|||
}
|
||||
|
||||
resource "google_service_networking_connection" "psa_connection" {
|
||||
for_each = var.psa_config == null ? {} : { 1 = 1 }
|
||||
for_each = var.psa_config != null ? { 1 = 1 } : {}
|
||||
network = local.network.id
|
||||
service = "servicenetworking.googleapis.com"
|
||||
reserved_peering_ranges = [
|
||||
|
@ -45,10 +41,10 @@ resource "google_service_networking_connection" "psa_connection" {
|
|||
}
|
||||
|
||||
resource "google_compute_network_peering_routes_config" "psa_routes" {
|
||||
for_each = var.psa_config == null ? {} : { 1 = 1 }
|
||||
for_each = var.psa_config != null ? { 1 = 1 } : {}
|
||||
project = var.project_id
|
||||
peering = google_service_networking_connection.psa_connection["1"].peering
|
||||
network = local.network.name
|
||||
export_custom_routes = try(var.psa_config.routes.export, false)
|
||||
import_custom_routes = try(var.psa_config.routes.import, false)
|
||||
export_custom_routes = var.psa_config.export_routes
|
||||
import_custom_routes = var.psa_config.import_routes
|
||||
}
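Review bot: The `{ 1 = 1 }` map used as `for_each` in `psa_connection` and `psa_routes` is a magic value with no explanation, and its `"1"` key is then hard-coded in the `psa_connection["1"].peering` reference. A one-line comment above each `for_each`, e.g. `# single-key map instead of count so the address stays psa_connection["1"] for existing state`, would tell the next maintainer why `count` was not used; I am inferring that motivation from the hard-coded key, so adjust the wording if the reason differs. Separately, `export_custom_routes = var.psa_config.export_routes` advertises this VPC's custom routes to the producer network when set and `import_custom_routes` accepts routes from it; the `false` defaults are the right posture and deserve a comment on the resource saying so.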
|
||||
|
|
|
@ -21,11 +21,19 @@ locals {
|
|||
for f in fileset(var.data_folder, "**/*.yaml") :
|
||||
trimsuffix(basename(f), ".yaml") => yamldecode(file("${var.data_folder}/${f}"))
|
||||
}
|
||||
_factory_descriptions = {
|
||||
for k, v in local._factory_data :
|
||||
"${v.region}/${k}" => try(v.description, null)
|
||||
_factory_subnets = {
|
||||
for k, v in local._factory_data : "${v.region}/${k}" => {
|
||||
name = k
|
||||
ip_cidr_range = v.ip_cidr_range
|
||||
region = v.region
|
||||
description = try(v.description, null)
|
||||
enable_private_access = try(v.enable_private_access, true)
|
||||
flow_logs_config = try(v.flow_logs, null)
|
||||
ipv6 = try(v.ipv6, null)
|
||||
secondary_ip_ranges = try(v.secondary_ip_ranges, null)
|
||||
}
|
||||
}
|
||||
_factory_iam_members = [
|
||||
_factory_subnets_iam = [
|
||||
for k, v in local._factory_subnets : {
|
||||
subnet = k
|
||||
role = "roles/compute.networkUser"
|
||||
|
@ -36,32 +44,8 @@ locals {
|
|||
)
|
||||
}
|
||||
]
|
||||
_factory_flow_logs = {
|
||||
for k, v in local._factory_data : "${v.region}/${k}" => merge(
|
||||
var.log_config_defaults, try(v.flow_logs, {})
|
||||
) if try(v.flow_logs, null) != null
|
||||
}
|
||||
_factory_private_access = {
|
||||
for k, v in local._factory_data : "${v.region}/${k}" => try(
|
||||
v.private_ip_google_access, true
|
||||
)
|
||||
}
|
||||
_factory_subnets = {
|
||||
for k, v in local._factory_data : "${v.region}/${k}" => {
|
||||
ip_cidr_range = v.ip_cidr_range
|
||||
name = k
|
||||
region = v.region
|
||||
secondary_ip_range = try(v.secondary_ip_range, {})
|
||||
}
|
||||
}
|
||||
_iam = var.iam == null ? {} : var.iam
|
||||
_subnet_flow_logs = {
|
||||
for k, v in var.subnet_flow_logs : k => merge(
|
||||
var.log_config_defaults, try(var.log_configs[k], {})
|
||||
)
|
||||
}
|
||||
_subnet_iam_members = flatten([
|
||||
for subnet, roles in local._iam : [
|
||||
for subnet, roles in(var.subnet_iam == null ? {} : var.subnet_iam) : [
|
||||
for role, members in roles : {
|
||||
members = members
|
||||
role = role
|
||||
|
@ -69,19 +53,10 @@ locals {
|
|||
}
|
||||
]
|
||||
])
|
||||
subnet_descriptions = merge(
|
||||
local._factory_descriptions, var.subnet_descriptions
|
||||
)
|
||||
subnet_iam_members = concat(
|
||||
[for k in local._factory_iam_members : k if length(k.members) > 0],
|
||||
[for k in local._factory_subnets_iam : k if length(k.members) > 0],
|
||||
local._subnet_iam_members
|
||||
)
|
||||
subnet_flow_logs = merge(
|
||||
local._factory_flow_logs, local._subnet_flow_logs
|
||||
)
|
||||
subnet_private_access = merge(
|
||||
local._factory_private_access, var.subnet_private_access
|
||||
)
|
||||
subnets = merge(
|
||||
{ for subnet in var.subnets : "${subnet.region}/${subnet.name}" => subnet },
|
||||
local._factory_subnets
|
||||
|
@ -97,33 +72,30 @@ locals {
|
|||
}
|
||||
|
||||
resource "google_compute_subnetwork" "subnetwork" {
|
||||
for_each = local.subnets
|
||||
project = var.project_id
|
||||
network = local.network.name
|
||||
region = each.value.region
|
||||
name = each.value.name
|
||||
ip_cidr_range = each.value.ip_cidr_range
|
||||
secondary_ip_range = each.value.secondary_ip_range == null ? [] : [
|
||||
for name, range in each.value.secondary_ip_range :
|
||||
for_each = local.subnets
|
||||
project = var.project_id
|
||||
network = local.network.name
|
||||
name = each.value.name
|
||||
region = each.value.region
|
||||
ip_cidr_range = each.value.ip_cidr_range
|
||||
description = try(each.value.description, "Terraform-managed.")
|
||||
private_ip_google_access = each.value.enable_private_access
|
||||
secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
|
||||
for name, range in each.value.secondary_ip_ranges :
|
||||
{ range_name = name, ip_cidr_range = range }
|
||||
]
|
||||
description = lookup(
|
||||
local.subnet_descriptions, each.key, "Terraform-managed."
|
||||
)
|
||||
private_ip_google_access = lookup(
|
||||
local.subnet_private_access, each.key, true
|
||||
)
|
||||
dynamic "log_config" {
|
||||
for_each = toset(
|
||||
try(local.subnet_flow_logs[each.key], {}) != {}
|
||||
? [local.subnet_flow_logs[each.key]]
|
||||
: []
|
||||
)
|
||||
iterator = config
|
||||
for_each = each.value.flow_logs_config != null ? [""] : []
|
||||
content {
|
||||
aggregation_interval = config.value.aggregation_interval
|
||||
flow_sampling = config.value.flow_sampling
|
||||
metadata = config.value.metadata
|
||||
aggregation_interval = each.value.flow_logs_config.aggregation_interval
|
||||
filter_expr = each.value.flow_logs_config.filter_expression
|
||||
flow_sampling = each.value.flow_logs_config.flow_sampling
|
||||
metadata = each.value.flow_logs_config.metadata
|
||||
metadata_fields = (
|
||||
each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
|
||||
? each.value.flow_logs_config.metadata_fields
|
||||
: null
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -132,33 +104,31 @@ resource "google_compute_subnetwork" "proxy_only" {
|
|||
for_each = local.subnets_proxy_only
|
||||
project = var.project_id
|
||||
network = local.network.name
|
||||
region = each.value.region
|
||||
name = each.value.name
|
||||
region = each.value.region
|
||||
ip_cidr_range = each.value.ip_cidr_range
|
||||
purpose = "REGIONAL_MANAGED_PROXY"
|
||||
description = try(
|
||||
each.value.description,
|
||||
"Terraform-managed proxy-only subnet for Regional HTTPS or Internal HTTPS LB."
|
||||
)
|
||||
purpose = "REGIONAL_MANAGED_PROXY"
|
||||
role = (
|
||||
each.value.active || each.value.active == null ? "ACTIVE" : "BACKUP"
|
||||
)
|
||||
description = lookup(
|
||||
local.subnet_descriptions,
|
||||
"${each.value.region}/${each.value.name}",
|
||||
"Terraform-managed proxy-only subnet for Regional HTTPS or Internal HTTPS LB."
|
||||
)
|
||||
}
|
||||
|
||||
resource "google_compute_subnetwork" "psc" {
|
||||
for_each = local.subnets_psc
|
||||
project = var.project_id
|
||||
network = local.network.name
|
||||
region = each.value.region
|
||||
name = each.value.name
|
||||
region = each.value.region
|
||||
ip_cidr_range = each.value.ip_cidr_range
|
||||
purpose = "PRIVATE_SERVICE_CONNECT"
|
||||
description = lookup(
|
||||
local.subnet_descriptions,
|
||||
"${each.value.region}/${each.value.name}",
|
||||
description = try(
|
||||
each.value.description,
|
||||
"Terraform-managed subnet for Private Service Connect (PSC NAT)."
|
||||
)
|
||||
purpose = "PRIVATE_SERVICE_CONNECT"
|
||||
}
|
||||
|
||||
resource "google_compute_subnetwork_iam_binding" "binding" {
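Review bot: `description = try(each.value.description, "Terraform-managed.")` no longer falls back to the default, because `try()` only skips arguments that raise an error and `each.value.description` is a declared `optional(string)` attribute that evaluates to `null` without error, so every subnet without an explicit description is now planned with a null description instead of `"Terraform-managed."`. The proxy-only and PSC subnets in the last hunk use the same pattern with their own defaults. I believe `description` is create-only on `google_compute_subnetwork` (verify against the pinned provider schema); if so, the change surfaces on upgrade as a replacement of every existing subnet, which is a destructive plan for a refactor that is meant to be a no-op. Use `description = coalesce(each.value.description, "Terraform-managed.")` (and likewise for the two other defaults), which treats null as unset.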
|
||||
|
|
|
@ -41,44 +41,19 @@ variable "description" {
|
|||
variable "dns_policy" {
|
||||
description = "DNS policy setup for the VPC."
|
||||
type = object({
|
||||
inbound = bool
|
||||
logging = bool
|
||||
outbound = object({
|
||||
inbound = optional(bool)
|
||||
logging = optional(bool)
|
||||
outbound = optional(object({
|
||||
private_ns = list(string)
|
||||
public_ns = list(string)
|
||||
})
|
||||
}))
|
||||
})
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "iam" {
|
||||
description = "Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format."
|
||||
type = map(map(list(string)))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "log_config_defaults" {
|
||||
description = "Default configuration for flow logs when enabled."
|
||||
type = object({
|
||||
aggregation_interval = string
|
||||
flow_sampling = number
|
||||
metadata = string
|
||||
})
|
||||
default = {
|
||||
aggregation_interval = "INTERVAL_5_SEC"
|
||||
flow_sampling = 0.5
|
||||
metadata = "INCLUDE_ALL_METADATA"
|
||||
}
|
||||
}
|
||||
|
||||
variable "log_configs" {
|
||||
description = "Map keyed by subnet 'region/name' of optional configurations for flow logs when enabled."
|
||||
type = map(map(string))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "mtu" {
|
||||
description = "Maximum Transmission Unit in bytes. The minimum value for this field is 1460 and the maximum value is 1500 bytes."
|
||||
type = number
|
||||
default = null
|
||||
}
|
||||
|
||||
|
@ -91,18 +66,13 @@ variable "peering_config" {
|
|||
description = "VPC peering configuration."
|
||||
type = object({
|
||||
peer_vpc_self_link = string
|
||||
export_routes = bool
|
||||
import_routes = bool
|
||||
create_remote_peer = optional(bool, true)
|
||||
export_routes = optional(bool)
|
||||
import_routes = optional(bool)
|
||||
})
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "peering_create_remote_end" {
|
||||
description = "Skip creation of peering on the remote end when using peering_config."
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "project_id" {
|
||||
description = "The ID of the project where this VPC will be created."
|
||||
type = string
|
||||
|
@ -111,11 +81,9 @@ variable "project_id" {
|
|||
variable "psa_config" {
|
||||
description = "The Private Service Access configuration for Service Networking."
|
||||
type = object({
|
||||
ranges = map(string)
|
||||
routes = object({
|
||||
export = bool
|
||||
import = bool
|
||||
})
|
||||
ranges = map(string)
|
||||
export_routes = optional(bool, false)
|
||||
import_routes = optional(bool, false)
|
||||
})
|
||||
default = null
|
||||
}
|
||||
|
@ -124,12 +92,20 @@ variable "routes" {
|
|||
description = "Network routes, keyed by name."
|
||||
type = map(object({
|
||||
dest_range = string
|
||||
priority = number
|
||||
tags = list(string)
|
||||
next_hop_type = string # gateway, instance, ip, vpn_tunnel, ilb
|
||||
next_hop = string
|
||||
priority = optional(number)
|
||||
tags = optional(list(string))
|
||||
}))
|
||||
default = {}
|
||||
default = {}
|
||||
nullable = false
|
||||
validation {
|
||||
condition = alltrue([
|
||||
for r in var.routes :
|
||||
contains(["gateway", "instance", "ip", "vpn_tunnel", "ilb"], r.next_hop_type)
|
||||
])
|
||||
error_message = "Unsupported next hop type for route."
|
||||
}
|
||||
}
|
||||
|
||||
variable "routing_mode" {
|
||||
|
@ -154,31 +130,33 @@ variable "shared_vpc_service_projects" {
|
|||
default = []
|
||||
}
|
||||
|
||||
variable "subnet_descriptions" {
|
||||
description = "Optional map of subnet descriptions, keyed by subnet 'region/name'."
|
||||
type = map(string)
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "subnet_flow_logs" {
|
||||
description = "Optional map of boolean to control flow logs (default is disabled), keyed by subnet 'region/name'."
|
||||
type = map(bool)
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "subnet_private_access" {
|
||||
description = "Optional map of boolean to control private Google access (default is enabled), keyed by subnet 'region/name'."
|
||||
type = map(bool)
|
||||
variable "subnet_iam" {
|
||||
description = "Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format."
|
||||
type = map(map(list(string)))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "subnets" {
|
||||
description = "List of subnets being created."
|
||||
description = "Subnet configuration."
|
||||
type = list(object({
|
||||
name = string
|
||||
ip_cidr_range = string
|
||||
region = string
|
||||
secondary_ip_range = map(string)
|
||||
name = string
|
||||
ip_cidr_range = string
|
||||
region = string
|
||||
description = optional(string)
|
||||
enable_private_access = optional(bool, true)
|
||||
flow_logs_config = optional(object({
|
||||
aggregation_interval = optional(string)
|
||||
filter_expression = optional(string)
|
||||
flow_sampling = optional(number)
|
||||
metadata = optional(string)
|
||||
# only if metadata == "CUSTOM_METADATA"
|
||||
metadata_fields = optional(list(string))
|
||||
}))
|
||||
ipv6 = optional(object({
|
||||
access_type = optional(string)
|
||||
enable_private_access = optional(bool, true)
|
||||
}))
|
||||
secondary_ip_ranges = optional(map(string))
|
||||
}))
|
||||
default = []
|
||||
}
|
||||
|
@ -186,10 +164,11 @@ variable "subnets" {
|
|||
variable "subnets_proxy_only" {
|
||||
description = "List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active."
|
||||
type = list(object({
|
||||
active = bool
|
||||
name = string
|
||||
ip_cidr_range = string
|
||||
region = string
|
||||
description = optional(string)
|
||||
active = bool
|
||||
}))
|
||||
default = []
|
||||
}
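Review bot: `subnets` gained `flow_logs_config` and `ipv6` attributes whose string fields are free-form, while `routes` in the same file got a `validation` block for `next_hop_type`; `flow_logs_config.metadata` is compared literally against `"CUSTOM_METADATA"` in subnets.tf (a typo silently drops `metadata_fields`) and `ipv6.access_type` decides whether a subnet receives internet-routable IPv6 addresses, so both are only caught at apply time today. Validation blocks mirroring the `routes` one would fail fast at plan; the accepted value sets below are the ones I recall from the provider docs and should be checked against the provider version the module pins. The `nullable = false` added to `routes` would also suit `subnets`, since the locals iterate it with `for subnet in var.subnets`. The `try(coalesce(...))` form is used because HCL does not short-circuit `||`, so a null `flow_logs_config` or `ipv6` object must not be dereferenced directly.
```hcl
variable "subnets" {
  # … unchanged: description and type …
  default  = []
  nullable = false
  validation {
    condition = alltrue([
      for s in var.subnets : contains(
        ["EXCLUDE_ALL_METADATA", "INCLUDE_ALL_METADATA", "CUSTOM_METADATA"],
        try(coalesce(s.flow_logs_config.metadata, "INCLUDE_ALL_METADATA"), "INCLUDE_ALL_METADATA")
      )
    ])
    error_message = "Unsupported flow_logs_config.metadata value."
  }
  validation {
    condition = alltrue([
      for s in var.subnets : contains(
        ["INTERNAL", "EXTERNAL"],
        try(coalesce(s.ipv6.access_type, "INTERNAL"), "INTERNAL")
      )
    ])
    error_message = "ipv6.access_type must be INTERNAL or EXTERNAL."
  }
}
```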
|
||||
|
|
|
@ -15,9 +15,9 @@
|
|||
region: europe-west1
|
||||
description: Sample description
|
||||
ip_cidr_range: 10.128.0.0/24
|
||||
private_ip_google_access: false
|
||||
enable_private_access: false
|
||||
iam_users: ["foobar@example.com"]
|
||||
iam_groups: ["lorem@example.com"]
|
||||
iam_service_accounts: ["foobar@project-id.iam.gserviceaccount.com"]
|
||||
secondary_ip_range:
|
||||
secondary_ip_ranges:
|
||||
secondary-range-a: 192.168.128.0/24
|
||||
|
|
|
@ -16,19 +16,14 @@
|
|||
|
||||
module "test" {
|
||||
source = "../../../../modules/net-vpc"
|
||||
project_id = var.project_id
|
||||
name = var.name
|
||||
iam = var.iam
|
||||
log_configs = var.log_configs
|
||||
log_config_defaults = var.log_config_defaults
|
||||
project_id = "test-project"
|
||||
name = "test"
|
||||
peering_config = var.peering_config
|
||||
routes = var.routes
|
||||
shared_vpc_host = var.shared_vpc_host
|
||||
shared_vpc_service_projects = var.shared_vpc_service_projects
|
||||
subnet_iam = var.subnet_iam
|
||||
subnets = var.subnets
|
||||
subnet_descriptions = var.subnet_descriptions
|
||||
subnet_flow_logs = var.subnet_flow_logs
|
||||
subnet_private_access = var.subnet_private_access
|
||||
auto_create_subnetworks = var.auto_create_subnetworks
|
||||
psa_config = var.psa_config
|
||||
data_folder = var.data_folder
|
||||
|
|
|
@ -14,110 +14,88 @@
|
|||
* limitations under the License.
|
||||
*/
|
||||
|
||||
variable "project_id" {
|
||||
type = string
|
||||
default = "my-project"
|
||||
}
|
||||
|
||||
variable "name" {
|
||||
type = string
|
||||
default = "my-vpc"
|
||||
}
|
||||
|
||||
variable "auto_create_subnetworks" {
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "iam" {
|
||||
type = map(map(set(string)))
|
||||
variable "data_folder" {
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "log_configs" {
|
||||
variable "delete_default_routes_on_create" {
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "description" {
|
||||
type = string
|
||||
default = "Terraform-managed."
|
||||
}
|
||||
|
||||
variable "dns_policy" {
|
||||
type = any
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "log_config_defaults" {
|
||||
type = any
|
||||
default = {
|
||||
aggregation_interval = "INTERVAL_5_SEC"
|
||||
flow_sampling = 0.5
|
||||
metadata = "INCLUDE_ALL_METADATA"
|
||||
}
|
||||
variable "mtu" {
|
||||
type = number
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "peering_config" {
|
||||
type = object({
|
||||
peer_vpc_self_link = string
|
||||
export_routes = bool
|
||||
import_routes = bool
|
||||
})
|
||||
type = any
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "psa_config" {
|
||||
description = "The Private Service Access configuration."
|
||||
type = any
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "routes" {
|
||||
type = any
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "routes" {
|
||||
type = any
|
||||
default = {}
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "routing_mode" {
|
||||
description = "The network routing mode (default 'GLOBAL')."
|
||||
type = string
|
||||
default = "GLOBAL"
|
||||
type = string
|
||||
default = "GLOBAL"
|
||||
}
|
||||
|
||||
variable "shared_vpc_host" {
|
||||
description = "Enable shared VPC for this project."
|
||||
type = bool
|
||||
default = false
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "shared_vpc_service_projects" {
|
||||
description = "Shared VPC service projects to register with this host."
|
||||
type = list(string)
|
||||
default = []
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "subnets" {
|
||||
description = "The list of subnets being created."
|
||||
type = any
|
||||
default = []
|
||||
type = any
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "subnet_descriptions" {
|
||||
description = "Optional map of subnet descriptions, keyed by subnet name."
|
||||
type = map(string)
|
||||
default = {}
|
||||
variable "subnet_iam" {
|
||||
type = map(map(list(string)))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "subnet_flow_logs" {
|
||||
description = "Optional map of boolean to control flow logs (default is disabled), keyed by subnet name."
|
||||
type = map(bool)
|
||||
default = {}
|
||||
variable "subnets_proxy_only" {
|
||||
type = any
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "subnet_private_access" {
|
||||
description = "Optional map of boolean to control private Google access (default is enabled), keyed by subnet name."
|
||||
type = map(bool)
|
||||
default = {}
|
||||
variable "subnets_psc" {
|
||||
type = any
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "private_service_networking_range" {
|
||||
description = "RFC1919 CIDR range used for Google services that support private service networking."
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "data_folder" {
|
||||
description = "An optional folder containing the subnet configurations in YaML format."
|
||||
type = string
|
||||
default = null
|
||||
variable "vpc_create" {
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
|
|
@ -12,23 +12,19 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
_VAR_PEER_VPC_CONFIG = (
|
||||
'{'
|
||||
'peer_vpc_self_link="projects/my-project/global/networks/my-peer-vpc", '
|
||||
'export_routes=true, import_routes=null'
|
||||
'}'
|
||||
)
|
||||
_VAR_ROUTES_TEMPLATE = (
|
||||
'{'
|
||||
' next-hop-test = {'
|
||||
' dest_range="192.168.128.0/24", priority=1000, tags=null, '
|
||||
' next_hop_type="%s", next_hop="%s"},'
|
||||
' gateway-test = {'
|
||||
' dest_range="0.0.0.0/0", priority=100, tags=["tag-a"], '
|
||||
' next_hop_type="gateway", '
|
||||
' next_hop="global/gateways/default-internet-gateway"}'
|
||||
'}'
|
||||
)
|
||||
_VAR_PEER_VPC_CONFIG = '''{
|
||||
peer_vpc_self_link="projects/my-project/global/networks/peer",
|
||||
export_routes=true, import_routes=null
|
||||
}'''
|
||||
_VAR_ROUTES_TEMPLATE = '''{
|
||||
next-hop = {
|
||||
dest_range="192.168.128.0/24", tags=null,
|
||||
next_hop_type="%s", next_hop="%s"},
|
||||
gateway = {
|
||||
dest_range="0.0.0.0/0", priority=100, tags=["tag-a"],
|
||||
next_hop_type="gateway",
|
||||
next_hop="global/gateways/default-internet-gateway"}
|
||||
}'''
|
||||
_VAR_ROUTES_NEXT_HOPS = {
|
||||
'gateway': 'global/gateways/default-internet-gateway',
|
||||
'instance': 'zones/europe-west1-b/test',
|
||||
|
@ -43,8 +39,8 @@ def test_vpc_simple(plan_runner):
|
|||
_, resources = plan_runner()
|
||||
assert len(resources) == 1
|
||||
assert [r['type'] for r in resources] == ['google_compute_network']
|
||||
assert [r['values']['name'] for r in resources] == ['my-vpc']
|
||||
assert [r['values']['project'] for r in resources] == ['my-project']
|
||||
assert [r['values']['name'] for r in resources] == ['test']
|
||||
assert [r['values']['project'] for r in resources] == ['test-project']
|
||||
|
||||
|
||||
def test_vpc_shared(plan_runner):
|
||||
|
@ -62,13 +58,14 @@ def test_vpc_peering(plan_runner):
|
|||
"Test vpc peering variables."
|
||||
_, resources = plan_runner(peering_config=_VAR_PEER_VPC_CONFIG)
|
||||
assert len(resources) == 3
|
||||
assert set(r['type'] for r in resources) == set([
|
||||
'google_compute_network', 'google_compute_network_peering'
|
||||
])
|
||||
peerings = [r['values']
|
||||
for r in resources if r['type'] == 'google_compute_network_peering']
|
||||
assert [p['name'] for p in peerings] == [
|
||||
'my-vpc-my-peer-vpc', 'my-peer-vpc-my-vpc']
|
||||
assert set(r['type'] for r in resources) == set(
|
||||
['google_compute_network', 'google_compute_network_peering'])
|
||||
peerings = [
|
||||
r['values']
|
||||
for r in resources
|
||||
if r['type'] == 'google_compute_network_peering'
|
||||
]
|
||||
assert [p['name'] for p in peerings] == ['test-peer', 'peer-test']
|
||||
assert [p['export_custom_routes'] for p in peerings] == [True, False]
|
||||
assert [p['import_custom_routes'] for p in peerings] == [False, True]
|
||||
|
||||
|
@ -79,6 +76,6 @@ def test_vpc_routes(plan_runner):
|
|||
_var_routes = _VAR_ROUTES_TEMPLATE % (next_hop_type, next_hop)
|
||||
_, resources = plan_runner(routes=_var_routes)
|
||||
assert len(resources) == 3
|
||||
resource = [r for r in resources if r['values']
|
||||
['name'] == 'my-vpc-next-hop-test'][0]
|
||||
resource = [r for r in resources if r['values']['name'] == 'test-next-hop'
|
||||
][0]
|
||||
assert resource['values']['next_hop_%s' % next_hop_type]
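Review bot: The rewritten `_VAR_ROUTES_TEMPLATE` (L5366-L5390) drops the explicit `priority=1000` from the `next-hop` route, and the only check left in test_vpc_routes, `assert resource['values']['next_hop_%s' % next_hop_type]`, is a truthiness test, so neither the module's default priority nor the configured next hop value is pinned; the `gateway` route (`0.0.0.0/0` via `default-internet-gateway`, the one that opens internet egress) is never inspected at all. I would tighten it to `assert resource['values']['next_hop_%s' % next_hop_type] == next_hop` and add `assert resource['values']['priority'] == 1000`, assuming 1000 is the module default that the old template spelled out and that the provider reports the next hop as configured rather than expanded to a self link — both worth confirming against the plan output. A second lookup for `test-gateway` asserting `next_hop_gateway` and `priority == 100` would cover the egress route. test_vpc_routes starts before this hunk, so the loop supplying next_hop_type/next_hop is not visible here.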
|
||||
|
|
|
@ -35,11 +35,9 @@ def test_routes_export(plan_runner):
|
|||
psa_config = '''{
|
||||
ranges = {
|
||||
bar = "172.16.100.0/24"
|
||||
},
|
||||
routes = {
|
||||
export = true
|
||||
import = false
|
||||
}
|
||||
export_routes = true
|
||||
import_routes = false
|
||||
}'''
|
||||
_, resources = plan_runner(psa_config=psa_config)
|
||||
assert len(resources) == 4
|
||||
|
@ -55,10 +53,8 @@ def test_routes_import(plan_runner):
|
|||
ranges = {
|
||||
bar = "172.16.100.0/24"
|
||||
},
|
||||
routes = {
|
||||
export = false
|
||||
import = true
|
||||
}
|
||||
export_routes = false
|
||||
import_routes = true
|
||||
}'''
|
||||
_, resources = plan_runner(psa_config=psa_config)
|
||||
for r in resources:
|
||||
|
@ -73,10 +69,8 @@ def test_routes_export_import(plan_runner):
|
|||
ranges = {
|
||||
bar = "172.16.100.0/24"
|
||||
},
|
||||
routes = {
|
||||
export = true
|
||||
import = true
|
||||
}
|
||||
export_routes = true
|
||||
import_routes = true
|
||||
}'''
|
||||
_, resources = plan_runner(psa_config=psa_config)
|
||||
for r in resources:
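Review bot: The three tests in this file now differ only in the export/import booleans passed in psa_config (L5558-L5561, L5598-L5601, L5638-L5641), and the visible body of test_routes_export asserts only a resource count, so the peering flags the tests are named for are not pinned inside these hunks; the assertions after `for r in resources:` fall outside the hunks and may already cover them. I would fold the three into one parametrized test that asserts `export_custom_routes`/`import_custom_routes` on the `google_compute_network_peering` resource, keeping the existing per-resource checks. Since the config moved from a nested `routes` block to flat `export_routes`/`import_routes` keys, it is also worth confirming the module's psa_config variable is an object type, so that the old nested form fails validation rather than being silently ignored by a `type = any` variable.
```python
@pytest.mark.parametrize('export, import_', [
    (True, False), (False, True), (True, True),
])
def test_routes(plan_runner, export, import_):
  psa_config = '''{
    ranges = {
      bar = "172.16.100.0/24"
    },
    export_routes = %s
    import_routes = %s
  }''' % (str(export).lower(), str(import_).lower())
  _, resources = plan_runner(psa_config=psa_config)
  # … unchanged: resource count and per-resource peering-flag assertions …
```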
|
||||
|
|
|
@ -12,73 +12,87 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
_VAR_SUBNETS = (
|
||||
'[ '
|
||||
'{name = "a", region = "europe-west1", ip_cidr_range = "10.0.0.0/24",'
|
||||
' secondary_ip_range=null},'
|
||||
'{name = "b", region = "europe-west1", ip_cidr_range = "10.0.1.0/24",'
|
||||
' secondary_ip_range=null},'
|
||||
'{name = "c", region = "europe-west1", ip_cidr_range = "10.0.2.0/24",'
|
||||
' secondary_ip_range={a="192.168.0.0/24", b="192.168.1.0/24"}},'
|
||||
']')
|
||||
|
||||
_VAR_DATA_FOLDER = "data"
|
||||
DATA_FOLDER = "data"
|
||||
SUBNET_IAM = '''{
|
||||
"europe-west1/a" = {
|
||||
"roles/compute.networkUser" = ["user:a@example.com", "group:g-a@example.com"]
|
||||
}
|
||||
"europe-west1/c" = {
|
||||
"roles/compute.networkUser" = ["user:c@example.com", "group:g-c@example.com"]
|
||||
}
|
||||
}'''
|
||||
SUBNETS = '''[
|
||||
{
|
||||
name = "a", region = "europe-west1", ip_cidr_range = "10.0.0.0/24"
|
||||
},
|
||||
{
|
||||
name = "b", region = "europe-west1", ip_cidr_range = "10.0.1.0/24",
|
||||
description="Subnet b", enable_private_access=false
|
||||
},
|
||||
{
|
||||
name = "c", region = "europe-west1", ip_cidr_range = "10.0.2.0/24",
|
||||
secondary_ip_ranges={a="192.168.0.0/24", b="192.168.1.0/24"}
|
||||
},
|
||||
{
|
||||
name = "d", region = "europe-west1", ip_cidr_range = "10.0.3.0/24",
|
||||
flow_logs_config = {
|
||||
flow_sampling = 0.5, aggregation_interval = "INTERVAL_10_MIN"
|
||||
}
|
||||
},
|
||||
]'''
|
||||
|
||||
|
||||
def test_subnet_factory(plan_runner):
|
||||
"Test subnet factory."
|
||||
_, resources = plan_runner(data_folder=_VAR_DATA_FOLDER)
|
||||
_, resources = plan_runner(data_folder=DATA_FOLDER)
|
||||
assert len(resources) == 3
|
||||
subnets = [
|
||||
r['values'] for r in resources if r['type'] == 'google_compute_subnetwork'
|
||||
]
|
||||
assert {s['name'] for s in subnets} == {'factory-subnet', 'factory-subnet2'}
|
||||
assert {len(s['secondary_ip_range']) for s in subnets} == {0, 1}
|
||||
assert {s['private_ip_google_access'] for s in subnets} == {True, False}
|
||||
|
||||
|
||||
def test_subnets_simple(plan_runner):
|
||||
def test_subnets(plan_runner):
|
||||
"Test subnets variable."
|
||||
_, resources = plan_runner(subnets=_VAR_SUBNETS)
|
||||
assert len(resources) == 4
|
||||
_, resources = plan_runner(subnet_iam=SUBNET_IAM, subnets=SUBNETS)
|
||||
assert len(resources) == 7
|
||||
subnets = [
|
||||
r['values'] for r in resources if r['type'] == 'google_compute_subnetwork'
|
||||
]
|
||||
assert {s['name'] for s in subnets} == {'a', 'b', 'c'}
|
||||
assert {len(s['secondary_ip_range']) for s in subnets} == {0, 0, 2}
|
||||
|
||||
|
||||
def test_subnet_log_configs(plan_runner):
|
||||
"Test subnets flow logs configuration and defaults."
|
||||
log_config = '{"europe-west1/a" = { flow_sampling = 0.1 }}'
|
||||
log_config_defaults = (
|
||||
'{aggregation_interval = "INTERVAL_10_MIN", flow_sampling = 0.5, '
|
||||
'metadata = "INCLUDE_ALL_METADATA"}')
|
||||
subnet_flow_logs = '{"europe-west1/a"=true, "europe-west1/b"=true}'
|
||||
_, resources = plan_runner(subnets=_VAR_SUBNETS, log_configs=log_config,
|
||||
log_config_defaults=log_config_defaults,
|
||||
subnet_flow_logs=subnet_flow_logs)
|
||||
assert len(resources) == 4
|
||||
flow_logs = {}
|
||||
for r in resources:
|
||||
if r['type'] != 'google_compute_subnetwork':
|
||||
continue
|
||||
flow_logs[r['values']['name']] = [{
|
||||
key: config[key] for key in config.keys() &
|
||||
{'aggregation_interval', 'flow_sampling', 'metadata'}
|
||||
} for config in r['values']['log_config']]
|
||||
assert flow_logs == {
|
||||
# enable, override one default option
|
||||
'a': [{
|
||||
'aggregation_interval': 'INTERVAL_10_MIN',
|
||||
'flow_sampling': 0.1,
|
||||
'metadata': 'INCLUDE_ALL_METADATA'
|
||||
}],
|
||||
# enable, use defaults
|
||||
'b': [{
|
||||
assert {s['name'] for s in subnets} == {'a', 'b', 'c', 'd'}
|
||||
assert {len(s['secondary_ip_range']) for s in subnets} == {0, 0, 2, 0}
|
||||
log_config = {s['name']: s['log_config'] for s in subnets if s['log_config']}
|
||||
assert log_config == {
|
||||
'd': [{
|
||||
'aggregation_interval': 'INTERVAL_10_MIN',
|
||||
'filter_expr': 'true',
|
||||
'flow_sampling': 0.5,
|
||||
'metadata': 'INCLUDE_ALL_METADATA'
|
||||
}],
|
||||
# don't enable
|
||||
'c': []
|
||||
'metadata': 'INCLUDE_ALL_METADATA',
|
||||
'metadata_fields': None
|
||||
}]
|
||||
}
|
||||
bindings = {
|
||||
r['index']: r['values']
|
||||
for r in resources
|
||||
if r['type'] == 'google_compute_subnetwork_iam_binding'
|
||||
}
|
||||
assert bindings == {
|
||||
'europe-west1/a.roles/compute.networkUser': {
|
||||
'condition': [],
|
||||
'members': ['group:g-a@example.com', 'user:a@example.com'],
|
||||
'project': 'test-project',
|
||||
'region': 'europe-west1',
|
||||
'role': 'roles/compute.networkUser',
|
||||
'subnetwork': 'a'
|
||||
},
|
||||
'europe-west1/c.roles/compute.networkUser': {
|
||||
'condition': [],
|
||||
'members': ['group:g-c@example.com', 'user:c@example.com'],
|
||||
'project': 'test-project',
|
||||
'region': 'europe-west1',
|
||||
'role': 'roles/compute.networkUser',
|
||||
'subnetwork': 'c'
|
||||
},
|
||||
}
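Review bot: The new SUBNETS fixture disables Private Google Access on subnet `b` (`enable_private_access=false`, L5744) but test_subnets never asserts `private_ip_google_access`, so the per-subnet override — and the enabled-by-default behaviour the variables description in this commit appears to promise — is only exercised on the factory path in test_subnet_factory. The secondary-range check `assert {len(s['secondary_ip_range']) for s in subnets} == {0, 0, 2, 0}` compares sets, so the duplicates collapse to `{0, 2}` and it would still pass if three subnets had two ranges and one had none. I would replace it with `assert {s['name']: len(s['secondary_ip_range']) for s in subnets} == {'a': 0, 'b': 0, 'c': 2, 'd': 0}` and add `assert {s['name']: s['private_ip_google_access'] for s in subnets} == {'a': True, 'b': False, 'c': True, 'd': True}`, assuming the module maps enable_private_access onto private_ip_google_access with a true default — worth confirming against the module. The `description="Subnet b"` set on the same subnet is likewise never asserted.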
|
||||
|
|