Refactor net-vpc module for Terraform 1.3 (#880)

* module tests pass

* doc examples

* refactor blueprints

* fast stages

* fix comment typo

* fix module factory test
Ludovico Magnocavallo 2022-10-14 11:02:33 +02:00 committed by GitHub
parent 1ead60122d
commit 4fa1dc431d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
57 changed files with 419 additions and 594 deletions


@ -44,10 +44,9 @@ module "vpc" {
name = "${local.prefix}vpc"
subnets = [
{
ip_cidr_range = var.subnet_ip_cidr_block
name = "subnet"
region = var.region
secondary_ip_range = null
ip_cidr_range = var.subnet_ip_cidr_block
name = "subnet"
region = var.region
}
]
}


@ -48,10 +48,9 @@ module "vpc" {
project_id = module.project.project_id
name = var.name
subnets = [{
ip_cidr_range = "192.168.0.0/24"
name = "${var.name}-default"
region = var.region
secondary_ip_range = {}
ip_cidr_range = "192.168.0.0/24"
name = "${var.name}-default"
region = var.region
}]
}


@ -37,10 +37,9 @@ module "vpc" {
project_id = module.project.project_id
name = var.name
subnets = [{
ip_cidr_range = "192.168.0.0/24"
name = "${var.name}-default"
region = var.region
secondary_ip_range = {}
ip_cidr_range = "192.168.0.0/24"
name = "${var.name}-default"
region = var.region
}]
}


@ -22,10 +22,9 @@ module "shared-vpc" {
subnets = [
{
name = "subnet-01"
ip_cidr_range = "10.10.1.0/24"
region = var.region
secondary_ip_range = {}
name = "subnet-01"
ip_cidr_range = "10.10.1.0/24"
region = var.region
}
]
}


@ -43,22 +43,19 @@ module "vpc" {
name = "${local.prefix}vpc"
subnets = [
{
ip_cidr_range = "10.0.1.0/24"
name = "subnet-ew1"
region = "europe-west1"
secondary_ip_range = null
ip_cidr_range = "10.0.1.0/24"
name = "subnet-ew1"
region = "europe-west1"
},
{
ip_cidr_range = "10.0.2.0/24"
name = "subnet-ue1"
region = "us-east1"
secondary_ip_range = null
ip_cidr_range = "10.0.2.0/24"
name = "subnet-ue1"
region = "us-east1"
},
{
ip_cidr_range = "10.0.3.0/24"
name = "subnet-uw1"
region = "us-west1"
secondary_ip_range = null
ip_cidr_range = "10.0.3.0/24"
name = "subnet-uw1"
region = "us-west1"
}
]
}


@ -40,10 +40,9 @@ module "vpc-hub" {
name = "vpc-hub"
subnets = [
{
ip_cidr_range = "10.0.10.0/24"
name = "subnet-hub-1"
region = var.region
secondary_ip_range = {}
ip_cidr_range = "10.0.10.0/24"
name = "subnet-hub-1"
region = var.region
}
]
}
@ -81,10 +80,9 @@ module "vpc-prod" {
name = "vpc-prod"
subnets = [
{
ip_cidr_range = "10.0.20.0/24"
name = "subnet-prod-1"
region = var.region
secondary_ip_range = {}
ip_cidr_range = "10.0.20.0/24"
name = "subnet-prod-1"
region = var.region
}
]
}
@ -122,10 +120,9 @@ module "vpc-dev" {
name = "vpc-dev"
subnets = [
{
ip_cidr_range = "10.0.30.0/24"
name = "subnet-dev-1"
region = var.region
secondary_ip_range = {}
ip_cidr_range = "10.0.30.0/24"
name = "subnet-dev-1"
region = var.region
}
]
}


@ -56,10 +56,9 @@ module "vpc" {
name = "image-builder"
subnets = [
{
name = local.compute_subnet_name
ip_cidr_range = var.cidrs.image-builder
region = var.region
secondary_ip_range = null
name = local.compute_subnet_name
ip_cidr_range = var.cidrs.image-builder
region = var.region
}
]
}


@ -43,10 +43,9 @@ module "vpc" {
name = "vpc"
subnets = [
{
name = "apps"
ip_cidr_range = "10.8.32.0/24"
region = var.region
secondary_ip_range = null
name = "apps"
ip_cidr_range = "10.8.32.0/24"
region = var.region
}
]
}


@ -58,10 +58,9 @@ module "landing-vpc" {
name = "landing-vpc"
subnets = [
{
ip_cidr_range = var.vpc_config.ip_cidr_range
name = "landing-vpc-${var.vpc_config.region}"
region = var.vpc_config.region
secondary_ip_range = {}
ip_cidr_range = var.vpc_config.ip_cidr_range
name = "landing-vpc-${var.vpc_config.region}"
region = var.vpc_config.region
}
]
}


@ -36,7 +36,7 @@ locals {
local.data_eng_principals_iam,
[module.service-account-sql.iam_email]
)
# compute engeneering
# compute engineering
"roles/compute.instanceAdmin.v1" = local.data_eng_principals_iam
"roles/compute.osLogin" = local.data_eng_principals_iam
"roles/compute.viewer" = local.data_eng_principals_iam
@ -115,10 +115,9 @@ module "vpc" {
name = "vpc"
subnets = [
{
ip_cidr_range = "10.0.0.0/20"
name = "subnet"
region = var.regions.primary
secondary_ip_range = {}
ip_cidr_range = "10.0.0.0/20"
name = "subnet"
region = var.regions.primary
}
]


@ -51,10 +51,9 @@ module "vpc" {
name = var.vpc_name
subnets = [
{
ip_cidr_range = var.vpc_ip_cidr_range
name = var.vpc_subnet_name
region = var.region
secondary_ip_range = {}
ip_cidr_range = var.vpc_ip_cidr_range
name = var.vpc_subnet_name
region = var.region
}
]
}


@ -120,7 +120,7 @@ module "vpc" {
ip_cidr_range = "10.0.0.0/20"
name = "subnet"
region = var.region
secondary_ip_range = {
secondary_ip_ranges = {
pods = "10.10.8.0/22"
services = "10.10.12.0/24"
}


@ -110,10 +110,9 @@ module "load-vpc" {
name = "${var.prefix}-default"
subnets = [
{
ip_cidr_range = "10.10.0.0/24"
name = "default"
region = var.region
secondary_ip_range = {}
ip_cidr_range = "10.10.0.0/24"
name = "default"
region = var.region
}
]
}


@ -121,7 +121,7 @@ module "orch-vpc" {
ip_cidr_range = "10.10.0.0/24"
name = "default"
region = var.region
secondary_ip_range = {
secondary_ip_ranges = {
pods = "10.10.8.0/22"
services = "10.10.12.0/24"
}


@ -134,10 +134,9 @@ module "transf-vpc" {
name = "${var.prefix}-default"
subnets = [
{
ip_cidr_range = "10.10.0.0/24"
name = "default"
region = var.region
secondary_ip_range = {}
ip_cidr_range = "10.10.0.0/24"
name = "default"
region = var.region
}
]
}


@ -41,7 +41,7 @@ module "project" {
"storage-component.googleapis.com"
]
policy_boolean = {
# "constraints/compute.requireOsLogin" = false
# "constraints/compute.requireOsLogin" = false
# Example of applying a project wide policy, mainly useful for Composer
}
service_encryption_key_ids = {
@ -61,10 +61,9 @@ module "vpc" {
name = "${var.prefix}-vpc"
subnets = [
{
ip_cidr_range = var.vpc_config.ip_cidr_range
name = "${var.prefix}-subnet"
region = var.region
secondary_ip_range = {}
ip_cidr_range = var.vpc_config.ip_cidr_range
name = "${var.prefix}-subnet"
region = var.region
}
]
}


@ -19,10 +19,9 @@ module "vpc" {
name = "${var.prefix}-vpc"
subnets = [
{
ip_cidr_range = var.vpc_subnet_range
name = "subnet"
region = var.region
secondary_ip_range = {}
ip_cidr_range = var.vpc_subnet_range
name = "subnet"
region = var.region
}
]
}


@ -58,10 +58,9 @@ module "vpc" {
name = var.network
subnets = var.project_create != null ? [
{
ip_cidr_range = var.vpc_ip_cidr_range
name = var.subnetwork
region = var.region
secondary_ip_range = {}
ip_cidr_range = var.vpc_ip_cidr_range
name = var.subnetwork
region = var.region
}
] : []
vpc_create = var.project_create != null ? true : false


@ -66,7 +66,7 @@ module "vpc" {
ip_cidr_range = var.subnet_cidr_block
name = "subnet"
region = var.region
secondary_ip_range = {
secondary_ip_ranges = {
pods = var.pods_cidr_block
services = var.services_cidr_block
}


@ -25,15 +25,14 @@ module "svpc" {
ip_cidr_range = config.subnet_cidr_block
name = "subnet-${key}"
region = var.region
secondary_ip_range = {
secondary_ip_ranges = {
pods = config.pods_cidr_block
services = config.services_cidr_block
}
}], [{
ip_cidr_range = var.mgmt_subnet_cidr_block
name = "subnet-mgmt"
region = var.mgmt_server_config.region
secondary_ip_range = null
ip_cidr_range = var.mgmt_subnet_cidr_block
name = "subnet-mgmt"
region = var.mgmt_server_config.region
}])
}


@ -52,10 +52,9 @@ module "vpc-prod" {
name = "prod-vpc"
subnets = [
{
ip_cidr_range = var.ip_ranges.prod
name = "prod"
region = var.region
secondary_ip_range = {}
ip_cidr_range = var.ip_ranges.prod
name = "prod"
region = var.region
}
]
}
@ -66,10 +65,9 @@ module "vpc-dev" {
name = "dev-vpc"
subnets = [
{
ip_cidr_range = var.ip_ranges.dev
name = "dev"
region = var.region
secondary_ip_range = {}
ip_cidr_range = var.ip_ranges.dev
name = "dev"
region = var.region
}
]
}


@ -58,16 +58,14 @@ module "vpc" {
name = "vpc"
subnets = [
{
name = "apps"
ip_cidr_range = var.cidrs.apps
region = var.region
secondary_ip_range = null
name = "apps"
ip_cidr_range = var.cidrs.apps
region = var.region
},
{
name = "proxy"
ip_cidr_range = var.cidrs.proxy
region = var.region
secondary_ip_range = null
name = "proxy"
ip_cidr_range = var.cidrs.proxy
region = var.region
}
]
}


@ -52,10 +52,9 @@ module "vpc-hub" {
name = "${local.prefix}hub"
subnets = [
{
ip_cidr_range = var.ip_ranges.hub
name = "${local.prefix}hub-1"
region = var.region
secondary_ip_range = {}
ip_cidr_range = var.ip_ranges.hub
name = "${local.prefix}hub-1"
region = var.region
}
]
}
@ -86,10 +85,9 @@ module "vpc-spoke-1" {
name = "${local.prefix}spoke-1"
subnets = [
{
ip_cidr_range = var.ip_ranges.spoke-1
name = "${local.prefix}spoke-1-1"
region = var.region
secondary_ip_range = {}
ip_cidr_range = var.ip_ranges.spoke-1
name = "${local.prefix}spoke-1-1"
region = var.region
}
]
}
@ -131,7 +129,7 @@ module "vpc-spoke-2" {
ip_cidr_range = var.ip_ranges.spoke-2
name = "${local.prefix}spoke-2-1"
region = var.region
secondary_ip_range = {
secondary_ip_ranges = {
pods = var.ip_secondary_ranges.spoke-2-pods
services = var.ip_secondary_ranges.spoke-2-services
}


@ -23,7 +23,7 @@ module "dev-vpc" {
ip_cidr_range = var.ip_ranges.dev-0-r1
name = "${local.prefix}dev-0"
region = var.regions.r1
secondary_ip_range = try(
secondary_ip_ranges = try(
var.ip_secondary_ranges.dev-0-r1, {}
)
},
@ -31,7 +31,7 @@ module "dev-vpc" {
ip_cidr_range = var.ip_ranges.dev-0-r2
name = "${local.prefix}dev-0"
region = var.regions.r2
secondary_ip_range = try(
secondary_ip_ranges = try(
var.ip_secondary_ranges.dev-0-r2, {}
)
}


@ -23,7 +23,7 @@ module "landing-vpc" {
ip_cidr_range = var.ip_ranges.land-0-r1
name = "${local.prefix}lnd-0"
region = var.regions.r1
secondary_ip_range = try(
secondary_ip_ranges = try(
var.ip_secondary_ranges.land-0-r1, {}
)
},
@ -31,7 +31,7 @@ module "landing-vpc" {
ip_cidr_range = var.ip_ranges.land-0-r2
name = "${local.prefix}lnd-0"
region = var.regions.r2
secondary_ip_range = try(
secondary_ip_ranges = try(
var.ip_secondary_ranges.land-0-r2, {}
)
}


@ -23,7 +23,7 @@ module "prod-vpc" {
ip_cidr_range = var.ip_ranges.prod-0-r1
name = "${local.prefix}prd-0"
region = var.regions.r1
secondary_ip_range = try(
secondary_ip_ranges = try(
var.ip_secondary_ranges.prod-0-r1, {}
)
},
@ -31,7 +31,7 @@ module "prod-vpc" {
ip_cidr_range = var.ip_ranges.prod-0-r2
name = "${local.prefix}prd-0"
region = var.regions.r2
secondary_ip_range = try(
secondary_ip_ranges = try(
var.ip_secondary_ranges.prod-0-r2, {}
)
}


@ -20,17 +20,14 @@ module "vpc-left" {
name = "${local.prefix}left"
subnets = [
{
ip_cidr_range = var.ip_ranges.left
name = "${local.prefix}left"
region = var.region
secondary_ip_range = {}
ip_cidr_range = var.ip_ranges.left
name = "${local.prefix}left"
region = var.region
},
]
routes = {
to-right = {
dest_range = var.ip_ranges.right
priority = null
tags = null
next_hop_type = "ilb"
next_hop = module.ilb-left.forwarding_rule.self_link
}


@ -20,31 +20,25 @@ module "vpc-right" {
name = "${local.prefix}right"
subnets = [
{
ip_cidr_range = var.ip_ranges.right
name = "${local.prefix}right"
region = var.region
secondary_ip_range = {}
ip_cidr_range = var.ip_ranges.right
name = "${local.prefix}right"
region = var.region
},
]
routes = {
to-left-ilb = {
dest_range = var.ip_ranges.left
priority = var.ilb_right_enable ? 900 : 1100
tags = null
next_hop_type = "ilb"
next_hop = module.ilb-right.forwarding_rule.self_link
}
to-left-gw-1 = {
dest_range = var.ip_ranges.left
priority = null
tags = null
next_hop_type = "instance"
next_hop = module.gw[var.zones[0]].self_link
}
to-left-gw-2 = {
dest_range = var.ip_ranges.left
priority = null
tags = null
next_hop_type = "instance"
next_hop = module.gw[var.zones[1]].self_link
}


@ -149,13 +149,11 @@ module "vpc" {
name = var.network
subnets = [
{
name = var.subnetwork
ip_cidr_range = var.cidrs[var.subnetwork]
region = var.region
secondary_ip_range = null
name = var.subnetwork
ip_cidr_range = var.cidrs[var.subnetwork]
region = var.region
},
]
vpc_create = var.network_create
}


@ -56,16 +56,14 @@ module "vpc" {
name = "to-onprem"
subnets = [
{
ip_cidr_range = var.ip_ranges.gcp1
name = "subnet1"
region = var.region.gcp1
secondary_ip_range = {}
ip_cidr_range = var.ip_ranges.gcp1
name = "subnet1"
region = var.region.gcp1
},
{
ip_cidr_range = var.ip_ranges.gcp2
name = "subnet2"
region = var.region.gcp2
secondary_ip_range = {}
ip_cidr_range = var.ip_ranges.gcp2
name = "subnet2"
region = var.region.gcp2
}
]
}


@ -42,15 +42,12 @@ module "vpc-onprem" {
name = "${var.name}-onprem"
subnets = [
{
ip_cidr_range = var.ip_ranges.onprem
name = "${var.name}-onprem"
region = var.region
secondary_ip_range = {}
ip_cidr_range = var.ip_ranges.onprem
name = "${var.name}-onprem"
region = var.region
enable_private_access = false
}
]
subnet_private_access = {
"${var.region}/${var.name}-onprem" = false
}
}
module "firewall-onprem" {
@ -65,10 +62,9 @@ module "vpc-hub" {
name = "${var.name}-hub"
subnets = [
{
ip_cidr_range = var.ip_ranges.hub
name = "${var.name}-hub"
region = var.region
secondary_ip_range = {}
ip_cidr_range = var.ip_ranges.hub
name = "${var.name}-hub"
region = var.region
}
]
}


@ -97,22 +97,21 @@ module "vpc-shared" {
name = "shared-vpc"
subnets = [
{
ip_cidr_range = var.ip_ranges.gce
name = "gce"
region = var.region
secondary_ip_range = {}
ip_cidr_range = var.ip_ranges.gce
name = "gce"
region = var.region
},
{
ip_cidr_range = var.ip_ranges.gke
name = "gke"
region = var.region
secondary_ip_range = {
secondary_ip_ranges = {
pods = var.ip_secondary_ranges.gke-pods
services = var.ip_secondary_ranges.gke-services
}
}
]
iam = {
subnet_iam = {
"${var.region}/gce" = {
"roles/compute.networkUser" = concat(var.owners_gce, [
"serviceAccount:${module.project-svc-gce.service_accounts.cloud_services}",


@ -26,19 +26,15 @@ module "vpc" {
name = "${local.prefix}sql-vpc"
subnets = [
{
ip_cidr_range = var.ip_ranges.sql_vpc
name = "subnet"
region = var.region
secondary_ip_range = {}
ip_cidr_range = var.ip_ranges.sql_vpc
name = "subnet"
region = var.region
}
]
# Private Service Access
psa_config = {
ranges = {
cloud-sql = var.ip_ranges.psa
}
routes = null
}
}
@ -67,4 +63,4 @@ module "cloudsql" {
users = {
"${local.cloudsql_conf.user}" = "${local.cloudsql_conf.pass}"
}
}
}


@ -16,14 +16,16 @@ region: str()
description: str()
ip_cidr_range: str()
# optional attributes
private_ip_google_access: bool(required=False) # defaults to true
enable_private_access: bool(required=False) # defaults to true
iam_users: list(str(), required=False)
iam_groups: list(str(), required=False)
iam_service_accounts: list(str(), required=False)
secondary_ip_range: map(str(), key=str(), required=False)
secondary_ip_ranges: map(str(), key=str(), required=False)
flow_logs: any(include('flow_logs'), required=False)
---
flow_logs:
- aggregation_interval: enum('INTERVAL_5_SEC', 'INTERVAL_30_SEC', 'INTERVAL_1_MIN', 'INTERVAL_5_MIN', 'INTERVAL_10_MIN', 'INTERVAL_15_MIN', required=False)
- filter_expression: str()
- flow_sampling: num(min=0, max=1, required=False)
- metadata: enum('EXCLUDE_ALL_METADATA', 'INCLUDE_ALL_METADATA', 'CUSTOM_METADATA', required=False)
- metadata_fields: map(str(), key=str(), required=False)
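Review bot: The `flow_logs` definition on the last line still types `metadata_fields` as `map(str(), key=str(), required=False)`, while the module's `subnets` variable type shown in this commit's README change declares `metadata_fields = optional(list(string))` under `flow_logs_config`; a data-folder subnet that validates cleanly against this schema would then fail type conversion when it reaches the variable, unless the loader in the module (not in this diff) reshapes it. The same drift applies to `filter_expression: str()`, which the schema makes required while the variable marks it optional, and to the key name `flow_logs` versus `flow_logs_config`. Suggest aligning the schema with the variable, e.g. `metadata_fields: list(str(), required=False)` and `filter_expression: str(required=False)`, or confirming and documenting that the loader translates the shape. The rest of the schema document is outside this hunk.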


@ -3,6 +3,6 @@
region: europe-west1
description: Default subnet for dev Data Platform
ip_cidr_range: 10.128.48.0/24
secondary_ip_range:
secondary_ip_ranges:
pods: 100.128.48.0/20
services: 100.255.48.0/24


@ -49,13 +49,10 @@ module "landing-untrusted-vpc" {
project_id = module.landing-project.project_id
name = "prod-untrusted-landing-0"
mtu = 1500
dns_policy = {
inbound = false
logging = false
outbound = null
inbound = false
logging = false
}
data_folder = "${var.data_dir}/subnets/landing-untrusted"
}
@ -108,24 +105,18 @@ module "landing-trusted-vpc" {
routes = {
private-googleapis = {
dest_range = "199.36.153.8/30"
priority = 1000
tags = []
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
restricted-googleapis = {
dest_range = "199.36.153.4/30"
priority = 1000
tags = []
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
}
dns_policy = {
inbound = true
logging = false
outbound = null
inbound = true
}
data_folder = "${var.data_dir}/subnets/landing-trusted"
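Review bot: The two `dns_policy` blocks in this file now declare DNS logging differently: `landing-untrusted-vpc` keeps an explicit `logging = false`, while `landing-trusted-vpc` drops the attribute and relies on `logging` being optional, so its logging state is whatever the module passes through for a null value (presumably the provider default, to be confirmed against the module). Behaviour is likely unchanged, but the visible intent is not: on a landing VPC that enables inbound forwarding, whether DNS query logging is on is a detection-relevant decision and reads better when stated in both places the same way. Suggest either dropping `logging = false` from the untrusted block as well, or adding `logging = false` back next to `inbound = true` in the trusted block so the two policies are declared consistently. The `landing-trusted-vpc` module block continues past the end of the hunk.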


@ -56,14 +56,12 @@ module "dev-spoke-vpc" {
private-googleapis = {
dest_range = "199.36.153.8/30"
priority = 999
tags = []
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
restricted-googleapis = {
dest_range = "199.36.153.4/30"
priority = 999
tags = []
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}


@ -56,14 +56,12 @@ module "prod-spoke-vpc" {
private-googleapis = {
dest_range = "199.36.153.8/30"
priority = 999
tags = []
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
restricted-googleapis = {
dest_range = "199.36.153.4/30"
priority = 999
tags = []
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}


@ -48,23 +48,17 @@ module "landing-vpc" {
name = "prod-landing-0"
mtu = 1500
dns_policy = {
inbound = true
logging = false
outbound = null
inbound = true
}
# set explicit routes for googleapis in case the default route is deleted
routes = {
private-googleapis = {
dest_range = "199.36.153.8/30"
priority = 1000
tags = []
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
restricted-googleapis = {
dest_range = "199.36.153.4/30"
priority = 1000
tags = []
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}


@ -55,15 +55,11 @@ module "dev-spoke-vpc" {
routes = {
private-googleapis = {
dest_range = "199.36.153.8/30"
priority = 1000
tags = []
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
restricted-googleapis = {
dest_range = "199.36.153.4/30"
priority = 1000
tags = []
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}


@ -55,15 +55,11 @@ module "prod-spoke-vpc" {
routes = {
private-googleapis = {
dest_range = "199.36.153.8/30"
priority = 1000
tags = []
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
restricted-googleapis = {
dest_range = "199.36.153.4/30"
priority = 1000
tags = []
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}


@ -54,15 +54,11 @@ module "dev-spoke-vpc" {
routes = {
private-googleapis = {
dest_range = "199.36.153.8/30"
priority = 1000
tags = []
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
restricted-googleapis = {
dest_range = "199.36.153.4/30"
priority = 1000
tags = []
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}


@ -54,15 +54,11 @@ module "prod-spoke-vpc" {
routes = {
private-googleapis = {
dest_range = "199.36.153.8/30"
priority = 1000
tags = []
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
restricted-googleapis = {
dest_range = "199.36.153.4/30"
priority = 1000
tags = []
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}


@ -48,23 +48,17 @@ module "landing-vpc" {
name = "prod-landing-0"
mtu = 1500
dns_policy = {
inbound = true
logging = false
outbound = null
inbound = true
}
# set explicit routes for googleapis in case the default route is deleted
routes = {
private-googleapis = {
dest_range = "199.36.153.8/30"
priority = 1000
tags = []
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
restricted-googleapis = {
dest_range = "199.36.153.4/30"
priority = 1000
tags = []
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}


@ -55,15 +55,11 @@ module "dev-spoke-vpc" {
routes = {
private-googleapis = {
dest_range = "199.36.153.8/30"
priority = 1000
tags = []
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
restricted-googleapis = {
dest_range = "199.36.153.4/30"
priority = 1000
tags = []
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}


@ -55,15 +55,11 @@ module "prod-spoke-vpc" {
routes = {
private-googleapis = {
dest_range = "199.36.153.8/30"
priority = 1000
tags = []
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
restricted-googleapis = {
dest_range = "199.36.153.4/30"
priority = 1000
tags = []
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}


@ -18,7 +18,7 @@ module "vpc" {
ip_cidr_range = "10.0.0.0/24"
name = "production"
region = "europe-west1"
secondary_ip_range = {
secondary_ip_ranges = {
pods = "172.16.0.0/20"
services = "192.168.0.0/24"
}
@ -27,7 +27,6 @@ module "vpc" {
ip_cidr_range = "10.0.16.0/24"
name = "production"
region = "europe-west2"
secondary_ip_range = {}
}
]
}
@ -49,7 +48,6 @@ module "vpc-hub" {
ip_cidr_range = "10.0.0.0/24"
name = "subnet-1"
region = "europe-west1"
secondary_ip_range = null
}]
}
@ -61,11 +59,9 @@ module "vpc-spoke-1" {
ip_cidr_range = "10.0.1.0/24"
name = "subnet-2"
region = "europe-west1"
secondary_ip_range = null
}]
peering_config = {
peer_vpc_self_link = module.vpc-hub.self_link
export_routes = false
import_routes = true
}
}
@ -108,7 +104,7 @@ module "vpc-host" {
local.service_project_1.project_id,
local.service_project_2.project_id
]
iam = {
subnet_iam = {
"europe-west1/subnet-1" = {
"roles/compute.networkUser" = [
local.service_project_1.cloud_services_service_account,
@ -135,12 +131,10 @@ module "vpc" {
ip_cidr_range = "10.0.0.0/24"
name = "production"
region = "europe-west1"
secondary_ip_range = null
}
]
psa_config = {
ranges = { myrange = "10.0.1.0/24" }
routes = null
}
}
# tftest modules=1 resources=5
@ -160,12 +154,12 @@ module "vpc" {
ip_cidr_range = "10.0.0.0/24"
name = "production"
region = "europe-west1"
secondary_ip_range = null
}
]
psa_config = {
ranges = { myrange = "10.0.1.0/24" }
routes = { export=true, import=true }
export_routes = true
import_routes = true
}
}
# tftest modules=1 resources=5
@ -212,7 +206,6 @@ module "vpc" {
name = "my-network"
dns_policy = {
inbound = true
logging = false
outbound = {
private_ns = ["10.0.0.1"]
public_ns = ["8.8.8.8"]
@ -223,7 +216,6 @@ module "vpc" {
ip_cidr_range = "10.0.0.0/24"
name = "production"
region = "europe-west1"
secondary_ip_range = {}
}
]
}
@ -250,11 +242,11 @@ region: europe-west1
description: Sample description
ip_cidr_range: 10.0.0.0/24
# optional attributes
private_ip_google_access: false # defaults to true
enable_private_access: false # defaults to true
iam_users: ["foobar@example.com"] # grant compute/networkUser to users
iam_groups: ["lorem@example.com"] # grant compute/networkUser to groups
iam_service_accounts: ["fbz@prj.iam.gserviceaccount.com"]
secondary_ip_range: # map of secondary ip ranges
secondary_ip_ranges: # map of secondary ip ranges
secondary-range-a: 192.168.0.0/24
flow_logs: # enable, set to empty map to use defaults
- aggregation_interval: "INTERVAL_5_SEC"
@ -267,31 +259,25 @@ flow_logs: # enable, set to empty map to use defaults
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [name](variables.tf#L85) | The name of the network being created. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L106) | The ID of the project where this VPC will be created. | <code>string</code> | ✓ | |
| [name](variables.tf#L60) | The name of the network being created. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L76) | The ID of the project where this VPC will be created. | <code>string</code> | ✓ | |
| [auto_create_subnetworks](variables.tf#L17) | Set to true to create an auto mode subnet, defaults to custom mode. | <code>bool</code> | | <code>false</code> |
| [data_folder](variables.tf#L23) | An optional folder containing the subnet configurations in YaML format. | <code>string</code> | | <code>null</code> |
| [delete_default_routes_on_create](variables.tf#L29) | Set to true to delete the default routes at creation time. | <code>bool</code> | | <code>false</code> |
| [description](variables.tf#L35) | An optional description of this resource (triggers recreation on change). | <code>string</code> | | <code>&#34;Terraform-managed.&#34;</code> |
| [dns_policy](variables.tf#L41) | DNS policy setup for the VPC. | <code title="object&#40;&#123;&#10; inbound &#61; bool&#10; logging &#61; bool&#10; outbound &#61; object&#40;&#123;&#10; private_ns &#61; list&#40;string&#41;&#10; public_ns &#61; list&#40;string&#41;&#10; &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [iam](variables.tf#L54) | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | <code>map&#40;map&#40;list&#40;string&#41;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [log_config_defaults](variables.tf#L60) | Default configuration for flow logs when enabled. | <code title="object&#40;&#123;&#10; aggregation_interval &#61; string&#10; flow_sampling &#61; number&#10; metadata &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; aggregation_interval &#61; &#34;INTERVAL_5_SEC&#34;&#10; flow_sampling &#61; 0.5&#10; metadata &#61; &#34;INCLUDE_ALL_METADATA&#34;&#10;&#125;">&#123;&#8230;&#125;</code> |
| [log_configs](variables.tf#L74) | Map keyed by subnet 'region/name' of optional configurations for flow logs when enabled. | <code>map&#40;map&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [mtu](variables.tf#L80) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 and the maximum value is 1500 bytes. | <code></code> | | <code>null</code> |
| [peering_config](variables.tf#L90) | VPC peering configuration. | <code title="object&#40;&#123;&#10; peer_vpc_self_link &#61; string&#10; export_routes &#61; bool&#10; import_routes &#61; bool&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [peering_create_remote_end](variables.tf#L100) | Skip creation of peering on the remote end when using peering_config. | <code>bool</code> | | <code>true</code> |
| [psa_config](variables.tf#L111) | The Private Service Access configuration for Service Networking. | <code title="object&#40;&#123;&#10; ranges &#61; map&#40;string&#41;&#10; routes &#61; object&#40;&#123;&#10; export &#61; bool&#10; import &#61; bool&#10; &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [routes](variables.tf#L123) | Network routes, keyed by name. | <code title="map&#40;object&#40;&#123;&#10; dest_range &#61; string&#10; priority &#61; number&#10; tags &#61; list&#40;string&#41;&#10; next_hop_type &#61; string &#35; gateway, instance, ip, vpn_tunnel, ilb&#10; next_hop &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [routing_mode](variables.tf#L135) | The network routing mode (default 'GLOBAL'). | <code>string</code> | | <code>&#34;GLOBAL&#34;</code> |
| [shared_vpc_host](variables.tf#L145) | Enable shared VPC for this project. | <code>bool</code> | | <code>false</code> |
| [shared_vpc_service_projects](variables.tf#L151) | Shared VPC service projects to register with this host. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
| [subnet_descriptions](variables.tf#L157) | Optional map of subnet descriptions, keyed by subnet 'region/name'. | <code>map&#40;string&#41;</code> | | <code>&#123;&#125;</code> |
| [subnet_flow_logs](variables.tf#L163) | Optional map of boolean to control flow logs (default is disabled), keyed by subnet 'region/name'. | <code>map&#40;bool&#41;</code> | | <code>&#123;&#125;</code> |
| [subnet_private_access](variables.tf#L169) | Optional map of boolean to control private Google access (default is enabled), keyed by subnet 'region/name'. | <code>map&#40;bool&#41;</code> | | <code>&#123;&#125;</code> |
| [subnets](variables.tf#L175) | List of subnets being created. | <code title="list&#40;object&#40;&#123;&#10; name &#61; string&#10; ip_cidr_range &#61; string&#10; region &#61; string&#10; secondary_ip_range &#61; map&#40;string&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#91;&#93;</code> |
| [subnets_proxy_only](variables.tf#L186) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | <code title="list&#40;object&#40;&#123;&#10; active &#61; bool&#10; name &#61; string&#10; ip_cidr_range &#61; string&#10; region &#61; string&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#91;&#93;</code> |
| [subnets_psc](variables.tf#L197) | List of subnets for Private Service Connect service producers. | <code title="list&#40;object&#40;&#123;&#10; name &#61; string&#10; ip_cidr_range &#61; string&#10; region &#61; string&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#91;&#93;</code> |
| [vpc_create](variables.tf#L207) | Create VPC. When set to false, uses a data source to reference existing VPC. | <code>bool</code> | | <code>true</code> |
| [dns_policy](variables.tf#L41) | DNS policy setup for the VPC. | <code title="object&#40;&#123;&#10; inbound &#61; optional&#40;bool&#41;&#10; logging &#61; optional&#40;bool&#41;&#10; outbound &#61; optional&#40;object&#40;&#123;&#10; private_ns &#61; list&#40;string&#41;&#10; public_ns &#61; list&#40;string&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [mtu](variables.tf#L54) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 and the maximum value is 1500 bytes. | <code>number</code> | | <code>null</code> |
| [peering_config](variables.tf#L65) | VPC peering configuration. | <code title="object&#40;&#123;&#10; peer_vpc_self_link &#61; string&#10; create_remote_peer &#61; optional&#40;bool, true&#41;&#10; export_routes &#61; optional&#40;bool&#41;&#10; import_routes &#61; optional&#40;bool&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [psa_config](variables.tf#L81) | The Private Service Access configuration for Service Networking. | <code title="object&#40;&#123;&#10; ranges &#61; map&#40;string&#41;&#10; export_routes &#61; optional&#40;bool, false&#41;&#10; import_routes &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [routes](variables.tf#L91) | Network routes, keyed by name. | <code title="map&#40;object&#40;&#123;&#10; dest_range &#61; string&#10; next_hop_type &#61; string &#35; gateway, instance, ip, vpn_tunnel, ilb&#10; next_hop &#61; string&#10; priority &#61; optional&#40;number&#41;&#10; tags &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [routing_mode](variables.tf#L111) | The network routing mode (default 'GLOBAL'). | <code>string</code> | | <code>&#34;GLOBAL&#34;</code> |
| [shared_vpc_host](variables.tf#L121) | Enable shared VPC for this project. | <code>bool</code> | | <code>false</code> |
| [shared_vpc_service_projects](variables.tf#L127) | Shared VPC service projects to register with this host. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
| [subnet_iam](variables.tf#L133) | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | <code>map&#40;map&#40;list&#40;string&#41;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [subnets](variables.tf#L139) | Subnet configuration. | <code title="list&#40;object&#40;&#123;&#10; name &#61; string&#10; ip_cidr_range &#61; string&#10; region &#61; string&#10; description &#61; optional&#40;string&#41;&#10; enable_private_access &#61; optional&#40;bool, true&#41;&#10; flow_logs_config &#61; optional&#40;object&#40;&#123;&#10; aggregation_interval &#61; optional&#40;string&#41;&#10; filter_expression &#61; optional&#40;string&#41;&#10; flow_sampling &#61; optional&#40;number&#41;&#10; metadata &#61; optional&#40;string&#41;&#10; metadata_fields &#61; optional&#40;list&#40;string&#41;&#41;&#10; &#125;&#41;&#41;&#10; ipv6 &#61; optional&#40;object&#40;&#123;&#10; access_type &#61; optional&#40;string&#41;&#10; enable_private_access &#61; optional&#40;bool, true&#41;&#10; &#125;&#41;&#41;&#10; secondary_ip_ranges &#61; optional&#40;map&#40;string&#41;&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#91;&#93;</code> |
| [subnets_proxy_only](variables.tf#L164) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | <code title="list&#40;object&#40;&#123;&#10; name &#61; string&#10; ip_cidr_range &#61; string&#10; region &#61; string&#10; description &#61; optional&#40;string&#41;&#10; active &#61; bool&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#91;&#93;</code> |
| [subnets_psc](variables.tf#L176) | List of subnets for Private Service Connect service producers. | <code title="list&#40;object&#40;&#123;&#10; name &#61; string&#10; ip_cidr_range &#61; string&#10; region &#61; string&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#91;&#93;</code> |
| [vpc_create](variables.tf#L186) | Create VPC. When set to false, uses a data source to reference existing VPC. | <code>bool</code> | | <code>true</code> |
## Outputs


@ -55,8 +55,12 @@ resource "google_compute_network_peering" "local" {
}
resource "google_compute_network_peering" "remote" {
provider = google-beta
count = var.peering_config != null && var.peering_create_remote_end ? 1 : 0
provider = google-beta
count = (
var.peering_config != null && try(var.peering_config.create_remote_peer, true)
? 1
: 0
)
name = "${local.peer_network}-${var.name}"
network = var.peering_config.peer_vpc_self_link
peer_network = local.network.self_link
@ -74,10 +78,10 @@ resource "google_compute_shared_vpc_host_project" "shared_vpc_host" {
resource "google_compute_shared_vpc_service_project" "service_projects" {
provider = google-beta
for_each = (
for_each = toset(
var.shared_vpc_host && var.shared_vpc_service_projects != null
? toset(var.shared_vpc_service_projects)
: toset([])
? var.shared_vpc_service_projects
: []
)
host_project = var.project_id
service_project = each.value
@ -86,19 +90,23 @@ resource "google_compute_shared_vpc_service_project" "service_projects" {
resource "google_dns_policy" "default" {
count = var.dns_policy == null ? 0 : 1
enable_inbound_forwarding = var.dns_policy.inbound
enable_logging = var.dns_policy.logging
name = var.name
project = var.project_id
name = var.name
enable_inbound_forwarding = try(var.dns_policy.inbound, null)
enable_logging = try(var.dns_policy.logging, null)
networks {
network_url = local.network.id
}
dynamic "alternative_name_server_config" {
for_each = toset(var.dns_policy.outbound == null ? [] : [""])
for_each = var.dns_policy.outbound != null ? [""] : []
content {
dynamic "target_name_servers" {
for_each = toset(var.dns_policy.outbound.private_ns)
for_each = (
var.dns_policy.outbound.private_ns != null
? var.dns_policy.outbound.private_ns
: []
)
iterator = ns
content {
ipv4_address = ns.key
@ -106,7 +114,11 @@ resource "google_dns_policy" "default" {
}
}
dynamic "target_name_servers" {
for_each = toset(var.dns_policy.outbound.public_ns)
for_each = (
var.dns_policy.outbound.public_ns != null
? var.dns_policy.outbound.public_ns
: []
)
iterator = ns
content {
ipv4_address = ns.key
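Review bot: The `try()` wrappers on `enable_inbound_forwarding = try(var.dns_policy.inbound, null)` and `enable_logging = try(var.dns_policy.logging, null)` are redundant and hide real mistakes: both attributes are now declared `optional(bool)` on the `dns_policy` object, so they always exist (null when unset), and `count` is already 0 when `var.dns_policy` is null, so a plain `var.dns_policy.inbound` / `var.dns_policy.logging` is safe, while a misspelled attribute inside `try()` would silently plan as null instead of failing. The `!= null` guards on `private_ns` and `public_ns` are only reachable if a caller passes an explicit null, since both remain required `list(string)` in the variable type; declaring them `optional(list(string), [])` would state that intent and let the two `for_each` expressions use the lists directly. The `try()` in the remote peering `count` is different and should stay, because `&&` there is evaluated with a possibly null `var.peering_config`. `google_dns_policy.default` continues past the end of the hunk.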


@ -17,15 +17,11 @@
# tfdoc:file:description Private Service Access resources.
locals {
psa_config = (
var.psa_config == null
? { ranges = {}, routes = null }
: var.psa_config
)
psa_config_ranges = try(var.psa_config.ranges, {})
}
resource "google_compute_global_address" "psa_ranges" {
for_each = local.psa_config.ranges
for_each = local.psa_config_ranges
project = var.project_id
name = each.key
purpose = "VPC_PEERING"
@ -36,7 +32,7 @@ resource "google_compute_global_address" "psa_ranges" {
}
resource "google_service_networking_connection" "psa_connection" {
for_each = var.psa_config == null ? {} : { 1 = 1 }
for_each = var.psa_config != null ? { 1 = 1 } : {}
network = local.network.id
service = "servicenetworking.googleapis.com"
reserved_peering_ranges = [
@ -45,10 +41,10 @@ resource "google_service_networking_connection" "psa_connection" {
}
resource "google_compute_network_peering_routes_config" "psa_routes" {
for_each = var.psa_config == null ? {} : { 1 = 1 }
for_each = var.psa_config != null ? { 1 = 1 } : {}
project = var.project_id
peering = google_service_networking_connection.psa_connection["1"].peering
network = local.network.name
export_custom_routes = try(var.psa_config.routes.export, false)
import_custom_routes = try(var.psa_config.routes.import, false)
export_custom_routes = var.psa_config.export_routes
import_custom_routes = var.psa_config.import_routes
}
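Review bot: `export_custom_routes` / `import_custom_routes` on `psa_routes` now come straight from `var.psa_config.export_routes` and `import_routes`, which default to false through `optional(bool, false)` in this commit's variables.tf, but the `psa_config` description ("The Private Service Access configuration for Service Networking.") says nothing about what the two flags do or that the default is no route exchange. That matters from an operator's point of view, since `import_routes = true` makes this VPC accept custom routes advertised from the producer side of the peering and `export_routes = true` advertises this VPC's custom routes to it. Suggest extending the variable description to something like `"Private Service Access configuration for Service Networking. export_routes/import_routes control custom route exchange with the producer peering and default to false."`. The `psa_routes` resource is complete within the hunk.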


@ -21,11 +21,19 @@ locals {
for f in fileset(var.data_folder, "**/*.yaml") :
trimsuffix(basename(f), ".yaml") => yamldecode(file("${var.data_folder}/${f}"))
}
_factory_descriptions = {
for k, v in local._factory_data :
"${v.region}/${k}" => try(v.description, null)
_factory_subnets = {
for k, v in local._factory_data : "${v.region}/${k}" => {
name = k
ip_cidr_range = v.ip_cidr_range
region = v.region
description = try(v.description, null)
enable_private_access = try(v.enable_private_access, true)
flow_logs_config = try(v.flow_logs, null)
ipv6 = try(v.ipv6, null)
secondary_ip_ranges = try(v.secondary_ip_ranges, null)
}
}
_factory_iam_members = [
_factory_subnets_iam = [
for k, v in local._factory_subnets : {
subnet = k
role = "roles/compute.networkUser"
@ -36,32 +44,8 @@ locals {
)
}
]
_factory_flow_logs = {
for k, v in local._factory_data : "${v.region}/${k}" => merge(
var.log_config_defaults, try(v.flow_logs, {})
) if try(v.flow_logs, null) != null
}
_factory_private_access = {
for k, v in local._factory_data : "${v.region}/${k}" => try(
v.private_ip_google_access, true
)
}
_factory_subnets = {
for k, v in local._factory_data : "${v.region}/${k}" => {
ip_cidr_range = v.ip_cidr_range
name = k
region = v.region
secondary_ip_range = try(v.secondary_ip_range, {})
}
}
_iam = var.iam == null ? {} : var.iam
_subnet_flow_logs = {
for k, v in var.subnet_flow_logs : k => merge(
var.log_config_defaults, try(var.log_configs[k], {})
)
}
_subnet_iam_members = flatten([
for subnet, roles in local._iam : [
for subnet, roles in(var.subnet_iam == null ? {} : var.subnet_iam) : [
for role, members in roles : {
members = members
role = role
@ -69,19 +53,10 @@ locals {
}
]
])
subnet_descriptions = merge(
local._factory_descriptions, var.subnet_descriptions
)
subnet_iam_members = concat(
[for k in local._factory_iam_members : k if length(k.members) > 0],
[for k in local._factory_subnets_iam : k if length(k.members) > 0],
local._subnet_iam_members
)
subnet_flow_logs = merge(
local._factory_flow_logs, local._subnet_flow_logs
)
subnet_private_access = merge(
local._factory_private_access, var.subnet_private_access
)
subnets = merge(
{ for subnet in var.subnets : "${subnet.region}/${subnet.name}" => subnet },
local._factory_subnets
@ -97,33 +72,30 @@ locals {
}
resource "google_compute_subnetwork" "subnetwork" {
for_each = local.subnets
project = var.project_id
network = local.network.name
region = each.value.region
name = each.value.name
ip_cidr_range = each.value.ip_cidr_range
secondary_ip_range = each.value.secondary_ip_range == null ? [] : [
for name, range in each.value.secondary_ip_range :
for_each = local.subnets
project = var.project_id
network = local.network.name
name = each.value.name
region = each.value.region
ip_cidr_range = each.value.ip_cidr_range
description = try(each.value.description, "Terraform-managed.")
private_ip_google_access = each.value.enable_private_access
secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
for name, range in each.value.secondary_ip_ranges :
{ range_name = name, ip_cidr_range = range }
]
description = lookup(
local.subnet_descriptions, each.key, "Terraform-managed."
)
private_ip_google_access = lookup(
local.subnet_private_access, each.key, true
)
dynamic "log_config" {
for_each = toset(
try(local.subnet_flow_logs[each.key], {}) != {}
? [local.subnet_flow_logs[each.key]]
: []
)
iterator = config
for_each = each.value.flow_logs_config != null ? [""] : []
content {
aggregation_interval = config.value.aggregation_interval
flow_sampling = config.value.flow_sampling
metadata = config.value.metadata
aggregation_interval = each.value.flow_logs_config.aggregation_interval
filter_expr = each.value.flow_logs_config.filter_expression
flow_sampling = each.value.flow_logs_config.flow_sampling
metadata = each.value.flow_logs_config.metadata
metadata_fields = (
each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
? each.value.flow_logs_config.metadata_fields
: null
)
}
}
}
@ -132,33 +104,31 @@ resource "google_compute_subnetwork" "proxy_only" {
for_each = local.subnets_proxy_only
project = var.project_id
network = local.network.name
region = each.value.region
name = each.value.name
region = each.value.region
ip_cidr_range = each.value.ip_cidr_range
purpose = "REGIONAL_MANAGED_PROXY"
description = try(
each.value.description,
"Terraform-managed proxy-only subnet for Regional HTTPS or Internal HTTPS LB."
)
purpose = "REGIONAL_MANAGED_PROXY"
role = (
each.value.active || each.value.active == null ? "ACTIVE" : "BACKUP"
)
description = lookup(
local.subnet_descriptions,
"${each.value.region}/${each.value.name}",
"Terraform-managed proxy-only subnet for Regional HTTPS or Internal HTTPS LB."
)
}
resource "google_compute_subnetwork" "psc" {
for_each = local.subnets_psc
project = var.project_id
network = local.network.name
region = each.value.region
name = each.value.name
region = each.value.region
ip_cidr_range = each.value.ip_cidr_range
purpose = "PRIVATE_SERVICE_CONNECT"
description = lookup(
local.subnet_descriptions,
"${each.value.region}/${each.value.name}",
description = try(
each.value.description,
"Terraform-managed subnet for Private Service Connect (PSC NAT)."
)
purpose = "PRIVATE_SERVICE_CONNECT"
}
resource "google_compute_subnetwork_iam_binding" "binding" {
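Review bot: `description = try(each.value.description, "Terraform-managed.")` on `google_compute_subnetwork.subnetwork` never applies the default for subnets supplied via `var.subnets`: `description` is declared `optional(string)`, so an unset value is null, and `try()` only falls through on evaluation errors, not on null, leaving the subnetwork with a null description. The proxy-only resource has the same problem with its `try(each.value.description, "Terraform-managed proxy-only subnet ...")` expression, while the PSC variant appears to work only because `subnets_psc` has no `description` attribute and the access errors. Use `description = coalesce(each.value.description, "Terraform-managed.")` (and the equivalent for the proxy-only default), which falls back on null as the old `lookup()` did. `google_compute_subnetwork_iam_binding.binding` starts on the hunk's last line and continues outside it.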


@ -41,44 +41,19 @@ variable "description" {
variable "dns_policy" {
description = "DNS policy setup for the VPC."
type = object({
inbound = bool
logging = bool
outbound = object({
inbound = optional(bool)
logging = optional(bool)
outbound = optional(object({
private_ns = list(string)
public_ns = list(string)
})
}))
})
default = null
}
variable "iam" {
description = "Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format."
type = map(map(list(string)))
default = {}
}
variable "log_config_defaults" {
description = "Default configuration for flow logs when enabled."
type = object({
aggregation_interval = string
flow_sampling = number
metadata = string
})
default = {
aggregation_interval = "INTERVAL_5_SEC"
flow_sampling = 0.5
metadata = "INCLUDE_ALL_METADATA"
}
}
variable "log_configs" {
description = "Map keyed by subnet 'region/name' of optional configurations for flow logs when enabled."
type = map(map(string))
default = {}
}
variable "mtu" {
description = "Maximum Transmission Unit in bytes. The minimum value for this field is 1460 and the maximum value is 1500 bytes."
type = number
default = null
}
@ -91,18 +66,13 @@ variable "peering_config" {
description = "VPC peering configuration."
type = object({
peer_vpc_self_link = string
export_routes = bool
import_routes = bool
create_remote_peer = optional(bool, true)
export_routes = optional(bool)
import_routes = optional(bool)
})
default = null
}
variable "peering_create_remote_end" {
description = "Skip creation of peering on the remote end when using peering_config."
type = bool
default = true
}
variable "project_id" {
description = "The ID of the project where this VPC will be created."
type = string
@ -111,11 +81,9 @@ variable "project_id" {
variable "psa_config" {
description = "The Private Service Access configuration for Service Networking."
type = object({
ranges = map(string)
routes = object({
export = bool
import = bool
})
ranges = map(string)
export_routes = optional(bool, false)
import_routes = optional(bool, false)
})
default = null
}
@ -124,12 +92,20 @@ variable "routes" {
description = "Network routes, keyed by name."
type = map(object({
dest_range = string
priority = number
tags = list(string)
next_hop_type = string # gateway, instance, ip, vpn_tunnel, ilb
next_hop = string
priority = optional(number)
tags = optional(list(string))
}))
default = {}
default = {}
nullable = false
validation {
condition = alltrue([
for r in var.routes :
contains(["gateway", "instance", "ip", "vpn_tunnel", "ilb"], r.next_hop_type)
])
error_message = "Unsupported next hop type for route."
}
}
variable "routing_mode" {
@ -154,31 +130,33 @@ variable "shared_vpc_service_projects" {
default = []
}
variable "subnet_descriptions" {
description = "Optional map of subnet descriptions, keyed by subnet 'region/name'."
type = map(string)
default = {}
}
variable "subnet_flow_logs" {
description = "Optional map of boolean to control flow logs (default is disabled), keyed by subnet 'region/name'."
type = map(bool)
default = {}
}
variable "subnet_private_access" {
description = "Optional map of boolean to control private Google access (default is enabled), keyed by subnet 'region/name'."
type = map(bool)
variable "subnet_iam" {
description = "Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format."
type = map(map(list(string)))
default = {}
}
variable "subnets" {
description = "List of subnets being created."
description = "Subnet configuration."
type = list(object({
name = string
ip_cidr_range = string
region = string
secondary_ip_range = map(string)
name = string
ip_cidr_range = string
region = string
description = optional(string)
enable_private_access = optional(bool, true)
flow_logs_config = optional(object({
aggregation_interval = optional(string)
filter_expression = optional(string)
flow_sampling = optional(number)
metadata = optional(string)
# only if metadata == "CUSTOM_METADATA"
metadata_fields = optional(list(string))
}))
ipv6 = optional(object({
access_type = optional(string)
enable_private_access = optional(bool, true)
}))
secondary_ip_ranges = optional(map(string))
}))
default = []
}
@ -186,10 +164,11 @@ variable "subnets" {
variable "subnets_proxy_only" {
description = "List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active."
type = list(object({
active = bool
name = string
ip_cidr_range = string
region = string
description = optional(string)
active = bool
}))
default = []
}
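Review bot: The new `subnets` type accepts any string for `ipv6.access_type` (and for `flow_logs_config.metadata`), whereas the same file now adds a `validation` block rejecting unknown `routes.next_hop_type` values; a misspelled or unsupported value in a subnet is only rejected by the API at apply time, after the plan has been accepted. A validation block on `subnets` in the same style fails early at plan time; for `access_type` the provider-accepted values are `INTERNAL` and `EXTERNAL`, and a check on `flow_logs_config.metadata` can follow the same shape. The `subnets` variable block is complete within the hunk.
```hcl
variable "subnets" {
  # … unchanged: description, type, default …
  validation {
    condition = alltrue([
      for s in var.subnets :
      contains(
        ["INTERNAL", "EXTERNAL"],
        coalesce(try(s.ipv6.access_type, null), "INTERNAL")
      )
    ])
    error_message = "Unsupported ipv6 access_type for subnet, expected INTERNAL or EXTERNAL."
  }
}
```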


@ -15,9 +15,9 @@
region: europe-west1
description: Sample description
ip_cidr_range: 10.128.0.0/24
private_ip_google_access: false
enable_private_access: false
iam_users: ["foobar@example.com"]
iam_groups: ["lorem@example.com"]
iam_service_accounts: ["foobar@project-id.iam.gserviceaccount.com"]
secondary_ip_range:
secondary_ip_ranges:
secondary-range-a: 192.168.128.0/24


@ -16,19 +16,14 @@
module "test" {
source = "../../../../modules/net-vpc"
project_id = var.project_id
name = var.name
iam = var.iam
log_configs = var.log_configs
log_config_defaults = var.log_config_defaults
project_id = "test-project"
name = "test"
peering_config = var.peering_config
routes = var.routes
shared_vpc_host = var.shared_vpc_host
shared_vpc_service_projects = var.shared_vpc_service_projects
subnet_iam = var.subnet_iam
subnets = var.subnets
subnet_descriptions = var.subnet_descriptions
subnet_flow_logs = var.subnet_flow_logs
subnet_private_access = var.subnet_private_access
auto_create_subnetworks = var.auto_create_subnetworks
psa_config = var.psa_config
data_folder = var.data_folder
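Review bot: The fixture's variables file in this commit declares `dns_policy`, `mtu`, `description`, `delete_default_routes_on_create`, `subnets_proxy_only`, `subnets_psc` and `vpc_create`, but the visible `module "test"` call passes none of them, so a test that supplies e.g. `subnets_psc=...` through `plan_runner` would silently exercise the module defaults rather than the input. Unless they are wired further down outside the hunk, add the missing lines, e.g. `subnets_proxy_only = var.subnets_proxy_only` and `subnets_psc = var.subnets_psc`, or drop the unused variable declarations so the fixture and its variables agree. The module block's closing brace is outside the hunk.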


@ -14,110 +14,88 @@
* limitations under the License.
*/
variable "project_id" {
type = string
default = "my-project"
}
variable "name" {
type = string
default = "my-vpc"
}
variable "auto_create_subnetworks" {
type = bool
default = false
}
variable "iam" {
type = map(map(set(string)))
variable "data_folder" {
type = string
default = null
}
variable "log_configs" {
variable "delete_default_routes_on_create" {
type = bool
default = false
}
variable "description" {
type = string
default = "Terraform-managed."
}
variable "dns_policy" {
type = any
default = null
}
variable "log_config_defaults" {
type = any
default = {
aggregation_interval = "INTERVAL_5_SEC"
flow_sampling = 0.5
metadata = "INCLUDE_ALL_METADATA"
}
variable "mtu" {
type = number
default = null
}
variable "peering_config" {
type = object({
peer_vpc_self_link = string
export_routes = bool
import_routes = bool
})
type = any
default = null
}
variable "psa_config" {
description = "The Private Service Access configuration."
type = any
default = null
}
variable "routes" {
type = any
default = null
}
variable "routes" {
type = any
default = {}
nullable = false
}
variable "routing_mode" {
description = "The network routing mode (default 'GLOBAL')."
type = string
default = "GLOBAL"
type = string
default = "GLOBAL"
}
variable "shared_vpc_host" {
description = "Enable shared VPC for this project."
type = bool
default = false
type = bool
default = false
}
variable "shared_vpc_service_projects" {
description = "Shared VPC service projects to register with this host."
type = list(string)
default = []
type = list(string)
default = []
}
variable "subnets" {
description = "The list of subnets being created."
type = any
default = []
type = any
default = []
}
variable "subnet_descriptions" {
description = "Optional map of subnet descriptions, keyed by subnet name."
type = map(string)
default = {}
variable "subnet_iam" {
type = map(map(list(string)))
default = {}
}
variable "subnet_flow_logs" {
description = "Optional map of boolean to control flow logs (default is disabled), keyed by subnet name."
type = map(bool)
default = {}
variable "subnets_proxy_only" {
type = any
default = []
}
variable "subnet_private_access" {
description = "Optional map of boolean to control private Google access (default is enabled), keyed by subnet name."
type = map(bool)
default = {}
variable "subnets_psc" {
type = any
default = []
}
variable "private_service_networking_range" {
description = "RFC1919 CIDR range used for Google services that support private service networking."
type = string
default = null
}
variable "data_folder" {
description = "An optional folder containing the subnet configurations in YaML format."
type = string
default = null
variable "vpc_create" {
type = bool
default = true
}


@ -12,23 +12,19 @@
# See the License for the specific language governing permissions and
# limitations under the License.
_VAR_PEER_VPC_CONFIG = (
'{'
'peer_vpc_self_link="projects/my-project/global/networks/my-peer-vpc", '
'export_routes=true, import_routes=null'
'}'
)
_VAR_ROUTES_TEMPLATE = (
'{'
' next-hop-test = {'
' dest_range="192.168.128.0/24", priority=1000, tags=null, '
' next_hop_type="%s", next_hop="%s"},'
' gateway-test = {'
' dest_range="0.0.0.0/0", priority=100, tags=["tag-a"], '
' next_hop_type="gateway", '
' next_hop="global/gateways/default-internet-gateway"}'
'}'
)
_VAR_PEER_VPC_CONFIG = '''{
peer_vpc_self_link="projects/my-project/global/networks/peer",
export_routes=true, import_routes=null
}'''
_VAR_ROUTES_TEMPLATE = '''{
next-hop = {
dest_range="192.168.128.0/24", tags=null,
next_hop_type="%s", next_hop="%s"},
gateway = {
dest_range="0.0.0.0/0", priority=100, tags=["tag-a"],
next_hop_type="gateway",
next_hop="global/gateways/default-internet-gateway"}
}'''
_VAR_ROUTES_NEXT_HOPS = {
'gateway': 'global/gateways/default-internet-gateway',
'instance': 'zones/europe-west1-b/test',
@ -43,8 +39,8 @@ def test_vpc_simple(plan_runner):
_, resources = plan_runner()
assert len(resources) == 1
assert [r['type'] for r in resources] == ['google_compute_network']
assert [r['values']['name'] for r in resources] == ['my-vpc']
assert [r['values']['project'] for r in resources] == ['my-project']
assert [r['values']['name'] for r in resources] == ['test']
assert [r['values']['project'] for r in resources] == ['test-project']
def test_vpc_shared(plan_runner):
@ -62,13 +58,14 @@ def test_vpc_peering(plan_runner):
"Test vpc peering variables."
_, resources = plan_runner(peering_config=_VAR_PEER_VPC_CONFIG)
assert len(resources) == 3
assert set(r['type'] for r in resources) == set([
'google_compute_network', 'google_compute_network_peering'
])
peerings = [r['values']
for r in resources if r['type'] == 'google_compute_network_peering']
assert [p['name'] for p in peerings] == [
'my-vpc-my-peer-vpc', 'my-peer-vpc-my-vpc']
assert set(r['type'] for r in resources) == set(
['google_compute_network', 'google_compute_network_peering'])
peerings = [
r['values']
for r in resources
if r['type'] == 'google_compute_network_peering'
]
assert [p['name'] for p in peerings] == ['test-peer', 'peer-test']
assert [p['export_custom_routes'] for p in peerings] == [True, False]
assert [p['import_custom_routes'] for p in peerings] == [False, True]
@ -79,6 +76,6 @@ def test_vpc_routes(plan_runner):
_var_routes = _VAR_ROUTES_TEMPLATE % (next_hop_type, next_hop)
_, resources = plan_runner(routes=_var_routes)
assert len(resources) == 3
resource = [r for r in resources if r['values']
['name'] == 'my-vpc-next-hop-test'][0]
resource = [r for r in resources if r['values']['name'] == 'test-next-hop'
][0]
assert resource['values']['next_hop_%s' % next_hop_type]
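Review bot: `_VAR_PEER_VPC_CONFIG` deliberately sets `import_routes=null`, and `test_vpc_peering` pins the resulting local `import_custom_routes` and remote `export_custom_routes` to False, i.e. a null value ends up as no custom route exchange; that is the conservative outcome, but nothing in the test says it is intentional, so a later edit could "fix" the input to a bool and lose that coverage. Add a comment above the constant such as `# import_routes is deliberately null: the peering must fall back to not importing custom routes`. Whether the null-to-false conversion happens in the module or via the provider default is not visible here.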


@ -35,11 +35,9 @@ def test_routes_export(plan_runner):
psa_config = '''{
ranges = {
bar = "172.16.100.0/24"
},
routes = {
export = true
import = false
}
export_routes = true
import_routes = false
}'''
_, resources = plan_runner(psa_config=psa_config)
assert len(resources) == 4
@ -55,10 +53,8 @@ def test_routes_import(plan_runner):
ranges = {
bar = "172.16.100.0/24"
},
routes = {
export = false
import = true
}
export_routes = false
import_routes = true
}'''
_, resources = plan_runner(psa_config=psa_config)
for r in resources:
@ -73,10 +69,8 @@ def test_routes_export_import(plan_runner):
ranges = {
bar = "172.16.100.0/24"
},
routes = {
export = true
import = true
}
export_routes = true
import_routes = true
}'''
_, resources = plan_runner(psa_config=psa_config)
for r in resources:


@ -12,73 +12,87 @@
# See the License for the specific language governing permissions and
# limitations under the License.
_VAR_SUBNETS = (
'[ '
'{name = "a", region = "europe-west1", ip_cidr_range = "10.0.0.0/24",'
' secondary_ip_range=null},'
'{name = "b", region = "europe-west1", ip_cidr_range = "10.0.1.0/24",'
' secondary_ip_range=null},'
'{name = "c", region = "europe-west1", ip_cidr_range = "10.0.2.0/24",'
' secondary_ip_range={a="192.168.0.0/24", b="192.168.1.0/24"}},'
']')
_VAR_DATA_FOLDER = "data"
DATA_FOLDER = "data"
SUBNET_IAM = '''{
"europe-west1/a" = {
"roles/compute.networkUser" = ["user:a@example.com", "group:g-a@example.com"]
}
"europe-west1/c" = {
"roles/compute.networkUser" = ["user:c@example.com", "group:g-c@example.com"]
}
}'''
SUBNETS = '''[
{
name = "a", region = "europe-west1", ip_cidr_range = "10.0.0.0/24"
},
{
name = "b", region = "europe-west1", ip_cidr_range = "10.0.1.0/24",
description="Subnet b", enable_private_access=false
},
{
name = "c", region = "europe-west1", ip_cidr_range = "10.0.2.0/24",
secondary_ip_ranges={a="192.168.0.0/24", b="192.168.1.0/24"}
},
{
name = "d", region = "europe-west1", ip_cidr_range = "10.0.3.0/24",
flow_logs_config = {
flow_sampling = 0.5, aggregation_interval = "INTERVAL_10_MIN"
}
},
]'''
def test_subnet_factory(plan_runner):
"Test subnet factory."
_, resources = plan_runner(data_folder=_VAR_DATA_FOLDER)
_, resources = plan_runner(data_folder=DATA_FOLDER)
assert len(resources) == 3
subnets = [
r['values'] for r in resources if r['type'] == 'google_compute_subnetwork'
]
assert {s['name'] for s in subnets} == {'factory-subnet', 'factory-subnet2'}
assert {len(s['secondary_ip_range']) for s in subnets} == {0, 1}
assert {s['private_ip_google_access'] for s in subnets} == {True, False}
def test_subnets_simple(plan_runner):
def test_subnets(plan_runner):
"Test subnets variable."
_, resources = plan_runner(subnets=_VAR_SUBNETS)
assert len(resources) == 4
_, resources = plan_runner(subnet_iam=SUBNET_IAM, subnets=SUBNETS)
assert len(resources) == 7
subnets = [
r['values'] for r in resources if r['type'] == 'google_compute_subnetwork'
]
assert {s['name'] for s in subnets} == {'a', 'b', 'c'}
assert {len(s['secondary_ip_range']) for s in subnets} == {0, 0, 2}
def test_subnet_log_configs(plan_runner):
"Test subnets flow logs configuration and defaults."
log_config = '{"europe-west1/a" = { flow_sampling = 0.1 }}'
log_config_defaults = (
'{aggregation_interval = "INTERVAL_10_MIN", flow_sampling = 0.5, '
'metadata = "INCLUDE_ALL_METADATA"}')
subnet_flow_logs = '{"europe-west1/a"=true, "europe-west1/b"=true}'
_, resources = plan_runner(subnets=_VAR_SUBNETS, log_configs=log_config,
log_config_defaults=log_config_defaults,
subnet_flow_logs=subnet_flow_logs)
assert len(resources) == 4
flow_logs = {}
for r in resources:
if r['type'] != 'google_compute_subnetwork':
continue
flow_logs[r['values']['name']] = [{
key: config[key] for key in config.keys() &
{'aggregation_interval', 'flow_sampling', 'metadata'}
} for config in r['values']['log_config']]
assert flow_logs == {
# enable, override one default option
'a': [{
'aggregation_interval': 'INTERVAL_10_MIN',
'flow_sampling': 0.1,
'metadata': 'INCLUDE_ALL_METADATA'
}],
# enable, use defaults
'b': [{
assert {s['name'] for s in subnets} == {'a', 'b', 'c', 'd'}
assert {len(s['secondary_ip_range']) for s in subnets} == {0, 0, 2, 0}
log_config = {s['name']: s['log_config'] for s in subnets if s['log_config']}
assert log_config == {
'd': [{
'aggregation_interval': 'INTERVAL_10_MIN',
'filter_expr': 'true',
'flow_sampling': 0.5,
'metadata': 'INCLUDE_ALL_METADATA'
}],
# don't enable
'c': []
'metadata': 'INCLUDE_ALL_METADATA',
'metadata_fields': None
}]
}
bindings = {
r['index']: r['values']
for r in resources
if r['type'] == 'google_compute_subnetwork_iam_binding'
}
assert bindings == {
'europe-west1/a.roles/compute.networkUser': {
'condition': [],
'members': ['group:g-a@example.com', 'user:a@example.com'],
'project': 'test-project',
'region': 'europe-west1',
'role': 'roles/compute.networkUser',
'subnetwork': 'a'
},
'europe-west1/c.roles/compute.networkUser': {
'condition': [],
'members': ['group:g-c@example.com', 'user:c@example.com'],
'project': 'test-project',
'region': 'europe-west1',
'role': 'roles/compute.networkUser',
'subnetwork': 'c'
},
}