From 6c33d34c287f1f8a932dd5b872b2d1a316fc13e1 Mon Sep 17 00:00:00 2001
From: Rob Heckel <billabongrob@gmail.com>
Date: Wed, 23 Aug 2023 15:49:56 -0500
Subject: [PATCH] Adding support for NAT in Apigee

---
 modules/apigee/README.md    | 19 +++++++++++--------
 modules/apigee/main.tf      | 10 ++++++++++
 modules/apigee/outputs.tf   |  7 ++++++-
 modules/apigee/variables.tf |  1 +
 4 files changed, 28 insertions(+), 9 deletions(-)

diff --git a/modules/apigee/README.md b/modules/apigee/README.md
index 353fb528..319f6bb8 100644
--- a/modules/apigee/README.md
+++ b/modules/apigee/README.md
@@ -42,10 +42,12 @@ module "apigee" {
   }
   instances = {
     europe-west1 = {
+      nat_required                  = true
       runtime_ip_cidr_range         = "10.0.4.0/22"
       troubleshooting_ip_cidr_range = "10.1.1.0.0/28"
     }
     europe-west3 = {
+      nat_required                  = false
       runtime_ip_cidr_range         = "10.0.8.0/22"
       troubleshooting_ip_cidr_range = "10.1.16.0/28"
     }
@@ -179,13 +181,13 @@ module "apigee" {
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [project_id](variables.tf#L90) | Project ID. | <code>string</code> | ✓ |  |
+| [project_id](variables.tf#L91) | Project ID. | <code>string</code> | ✓ |  |
 | [addons_config](variables.tf#L17) | Addons configuration. | <code title="object&#40;&#123;&#10;  advanced_api_ops    &#61; optional&#40;bool, false&#41;&#10;  api_security        &#61; optional&#40;bool, false&#41;&#10;  connectors_platform &#61; optional&#40;bool, false&#41;&#10;  integration         &#61; optional&#40;bool, false&#41;&#10;  monetization        &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 | [endpoint_attachments](variables.tf#L29) | Endpoint attachments. | <code title="map&#40;object&#40;&#123;&#10;  region             &#61; string&#10;  service_attachment &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>null</code> |
 | [envgroups](variables.tf#L38) | Environment groups (NAME => [HOSTNAMES]). | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>null</code> |
 | [environments](variables.tf#L44) | Environments. | <code title="map&#40;object&#40;&#123;&#10;  display_name    &#61; optional&#40;string&#41;&#10;  description     &#61; optional&#40;string, &#34;Terraform-managed&#34;&#41;&#10;  deployment_type &#61; optional&#40;string&#41;&#10;  api_proxy_type  &#61; optional&#40;string&#41;&#10;  node_config &#61; optional&#40;object&#40;&#123;&#10;    min_node_count &#61; optional&#40;number&#41;&#10;    max_node_count &#61; optional&#40;number&#41;&#10;  &#125;&#41;&#41;&#10;  iam       &#61; optional&#40;map&#40;list&#40;string&#41;&#41;&#41;&#10;  envgroups &#61; optional&#40;list&#40;string&#41;&#41;&#10;  regions   &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>null</code> |
-| [instances](variables.tf#L62) | Instances ([REGION] => [INSTANCE]). | <code title="map&#40;object&#40;&#123;&#10;  display_name                  &#61; optional&#40;string&#41;&#10;  description                   &#61; optional&#40;string, &#34;Terraform-managed&#34;&#41;&#10;  runtime_ip_cidr_range         &#61; string&#10;  troubleshooting_ip_cidr_range &#61; string&#10;  disk_encryption_key           &#61; optional&#40;string&#41;&#10;  consumer_accept_list          &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>null</code> |
-| [organization](variables.tf#L75) | Apigee organization. If set to null the organization must already exist. | <code title="object&#40;&#123;&#10;  display_name            &#61; optional&#40;string&#41;&#10;  description             &#61; optional&#40;string, &#34;Terraform-managed&#34;&#41;&#10;  authorized_network      &#61; optional&#40;string&#41;&#10;  runtime_type            &#61; optional&#40;string, &#34;CLOUD&#34;&#41;&#10;  billing_type            &#61; optional&#40;string&#41;&#10;  database_encryption_key &#61; optional&#40;string&#41;&#10;  analytics_region        &#61; optional&#40;string, &#34;europe-west1&#34;&#41;&#10;  retention               &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [instances](variables.tf#L62) | Instances ([REGION] => [INSTANCE]). | <code title="map&#40;object&#40;&#123;&#10;  display_name                  &#61; optional&#40;string&#41;&#10;  description                   &#61; optional&#40;string, &#34;Terraform-managed&#34;&#41;&#10;  runtime_ip_cidr_range         &#61; string&#10;  troubleshooting_ip_cidr_range &#61; string&#10;  disk_encryption_key           &#61; optional&#40;string&#41;&#10;  consumer_accept_list          &#61; optional&#40;list&#40;string&#41;&#41;&#10;  nat_required                  &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>null</code> |
+| [organization](variables.tf#L76) | Apigee organization. If set to null the organization must already exist. | <code title="object&#40;&#123;&#10;  display_name            &#61; optional&#40;string&#41;&#10;  description             &#61; optional&#40;string, &#34;Terraform-managed&#34;&#41;&#10;  authorized_network      &#61; optional&#40;string&#41;&#10;  runtime_type            &#61; optional&#40;string, &#34;CLOUD&#34;&#41;&#10;  billing_type            &#61; optional&#40;string&#41;&#10;  database_encryption_key &#61; optional&#40;string&#41;&#10;  analytics_region        &#61; optional&#40;string, &#34;europe-west1&#34;&#41;&#10;  retention               &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 
 ## Outputs
 
@@ -194,9 +196,10 @@ module "apigee" {
 | [endpoint_attachment_hosts](outputs.tf#L17) | Endpoint hosts. |  |
 | [envgroups](outputs.tf#L22) | Environment groups. |  |
 | [environments](outputs.tf#L27) | Environment. |  |
-| [instances](outputs.tf#L32) | Instances. |  |
-| [org_id](outputs.tf#L37) | Organization ID. |  |
-| [org_name](outputs.tf#L42) | Organization name. |  |
-| [organization](outputs.tf#L47) | Organization. |  |
-| [service_attachments](outputs.tf#L52) | Service attachments. |  |
+| [instance_nat_ips](outputs.tf#L32) | NAT IP addresses used in instances. |  |
+| [instances](outputs.tf#L37) | Instances. |  |
+| [org_id](outputs.tf#L42) | Organization ID. |  |
+| [org_name](outputs.tf#L47) | Organization name. |  |
+| [organization](outputs.tf#L52) | Organization. |  |
+| [service_attachments](outputs.tf#L57) | Service attachments. |  |
 <!-- END TFDOC -->
diff --git a/modules/apigee/main.tf b/modules/apigee/main.tf
index e68c5f90..74246056 100644
--- a/modules/apigee/main.tf
+++ b/modules/apigee/main.tf
@@ -100,6 +100,16 @@ resource "google_apigee_instance" "instances" {
   consumer_accept_list     = each.value.consumer_accept_list
 }
 
+resource "google_apigee_nat_address" "apigee_nat" {
+  for_each = {
+    for instance_name, instance_config in local.instances :
+    instance_name => instance_config.nat_required ? instance_config : null
+  }
+
+  name        = "nat-${each.key}"
+  instance_id = google_apigee_instance.instances[each.key].id
+}
+
 resource "google_apigee_instance_attachment" "instance_attachments" {
   for_each = merge(concat([for k1, v1 in local.environments : {
     for v2 in coalesce(v1.regions, []) :
diff --git a/modules/apigee/outputs.tf b/modules/apigee/outputs.tf
index 74ad9f18..473fbea8 100644
--- a/modules/apigee/outputs.tf
+++ b/modules/apigee/outputs.tf
@@ -29,6 +29,11 @@ output "environments" {
   value       = try(google_apigee_environment.environments, null)
 }
 
+output "instance_nat_ips" {
+  description = "NAT IP addresses used in instances."
+  value       = try(google_apigee_nat_address.apigee_nat, null)
+}
+
 output "instances" {
   description = "Instances."
   value       = try(google_apigee_instance.instances, null)
@@ -52,4 +57,4 @@ output "organization" {
 output "service_attachments" {
   description = "Service attachments."
   value       = { for k, v in google_apigee_instance.instances : k => v.service_attachment }
-}
+}
\ No newline at end of file
diff --git a/modules/apigee/variables.tf b/modules/apigee/variables.tf
index 4c2f0308..cae48e99 100644
--- a/modules/apigee/variables.tf
+++ b/modules/apigee/variables.tf
@@ -68,6 +68,7 @@ variable "instances" {
     troubleshooting_ip_cidr_range = string
     disk_encryption_key           = optional(string)
     consumer_accept_list          = optional(list(string))
+    nat_required                  = optional(bool, false)
   }))
   default = null
 }