diff --git a/fast/plugins/2-networking-serverless-connector/README.md b/fast/plugins/2-networking-serverless-connector/README.md
index f8ba8b2f..2a6ad8d5 100644
--- a/fast/plugins/2-networking-serverless-connector/README.md
+++ b/fast/plugins/2-networking-serverless-connector/README.md
@@ -35,6 +35,6 @@ To enable the plugin, simply copy or link its files in the networking stage.
| name | description | sensitive | consumers |
|---|---|:---:|---|
-| [plugin_sc_connectors](local-serverless-connector-outputs.tf#L43) | VPC Access Connectors. | | |
+| [plugin_sc_connectors](local-serverless-connector-outputs.tf#L47) | VPC Access Connectors. | | |
diff --git a/fast/plugins/2-networking-serverless-connector/local-serverless-connector-outputs.tf b/fast/plugins/2-networking-serverless-connector/local-serverless-connector-outputs.tf
index 0e1d7b00..f5d8b0d3 100644
--- a/fast/plugins/2-networking-serverless-connector/local-serverless-connector-outputs.tf
+++ b/fast/plugins/2-networking-serverless-connector/local-serverless-connector-outputs.tf
@@ -29,13 +29,17 @@ resource "local_file" "plugin_sc_tfvars" {
for_each = var.outputs_location == null ? {} : { 1 = 1 }
file_permission = "0644"
filename = "${try(pathexpand(var.outputs_location), "")}/tfvars/2-networking-serverless-connnector.auto.tfvars.json"
- content = jsonencode(local.plugin_sc_tfvars)
+ content = jsonencode({
+ vpc_connectors = local.plugin_sc_tfvars
+ })
}
resource "google_storage_bucket_object" "plugin_sc_tfvars" {
- bucket = var.automation.outputs_bucket
- name = "tfvars/2-networking-serverless-connnector.auto.tfvars.json"
- content = jsonencode(local.plugin_sc_tfvars)
+ bucket = var.automation.outputs_bucket
+ name = "tfvars/2-networking-serverless-connnector.auto.tfvars.json"
+ content = jsonencode({
+ vpc_connectors = local.plugin_sc_tfvars
+ })
}
# outputs
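Review bot: Both `local_file.plugin_sc_tfvars` and `google_storage_bucket_object.plugin_sc_tfvars` now repeat the same `jsonencode({ vpc_connectors = local.plugin_sc_tfvars })` literal, so the local file and the bucket copy can drift the next time the wrapper shape changes. Computing it once, e.g. `plugin_sc_tfvars_json = jsonencode({ vpc_connectors = local.plugin_sc_tfvars })` in the locals block that precedes this hunk and `content = local.plugin_sc_tfvars_json` in both resources, keeps the two outputs identical by construction. The object name `tfvars/2-networking-serverless-connnector.auto.tfvars.json` (three n's) is pre-existing and is the path whatever reads these outputs depends on, so it is best left alone here and, if fixed, fixed in one change together with its readers.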
diff --git a/fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf b/fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf
index f3789fb4..e70de806 100644
--- a/fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf
+++ b/fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf
@@ -39,12 +39,7 @@ module "dev-spoke-vpc-serverless" {
region = var.regions.primary
}]
# these should be create from the main VPC
- create_googleapis_routes = {
- private = false
- private-6 = false
- restricted = false
- restricted-6 = false
- }
+ create_googleapis_routes = null
}
module "prod-spoke-vpc-serverless" {
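Review bot: The comment right above the new `create_googleapis_routes = null` still reads `# these should be create from the main VPC`, which has a typo and no longer explains the value below it; since the line is being touched, `# googleapis routes are created by the main VPC, none are created here` would record why null is the right setting. The same comment-plus-assignment pair appears in the `prod-spoke-vpc-serverless` hunk below and should get the same wording. Note that null is only accepted because this commit also drops `nullable = false` from the net-vpc `create_googleapis_routes` variable, so this plugin and modules/net-vpc must be upgraded together.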
@@ -59,12 +54,7 @@ module "prod-spoke-vpc-serverless" {
region = var.regions.primary
}]
# these should be create from the main VPC
- create_googleapis_routes = {
- private = false
- private-6 = false
- restricted = false
- restricted-6 = false
- }
+ create_googleapis_routes = null
}
resource "google_vpc_access_connector" "dev-primary" {
diff --git a/fast/stages/1-resman/data/org-policies/serverless.yaml b/fast/stages/1-resman/data/org-policies/serverless.yaml
index 3efb23cd..4931c41b 100644
--- a/fast/stages/1-resman/data/org-policies/serverless.yaml
+++ b/fast/stages/1-resman/data/org-policies/serverless.yaml
@@ -7,6 +7,7 @@ run.allowedIngress:
- allow:
values:
- is:internal
+ - is:internal-and-cloud-load-balancing
# run.allowedVPCEgress:
# rules:
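Review bot: Adding `is:internal-and-cloud-load-balancing` to the allowed `run.allowedIngress` values widens the policy: a service that selects that setting can, as the value's name indicates, be reached through a Cloud Load Balancing frontend, so this constraint alone no longer guarantees internal-only exposure and access control for such services moves to whatever sits in front of the load balancer. That is a reasonable trade-off but it is invisible in the YAML; a comment on the new line such as `# permits exposure behind a load balancer; restrict access at the LB (e.g. IAP or Cloud Armor)` would record the intent for whoever audits this policy later. The cloud-run module's new `ingress_settings` validation in this same commit accepts the same string, so the two lists should be kept in sync if either changes.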
diff --git a/fast/stages/2-networking-c-nva/landing.tf b/fast/stages/2-networking-c-nva/landing.tf
index 0dd7d982..75cb9e81 100644
--- a/fast/stages/2-networking-c-nva/landing.tf
+++ b/fast/stages/2-networking-c-nva/landing.tf
@@ -53,11 +53,8 @@ module "landing-untrusted-vpc" {
inbound = false
logging = false
}
- create_googleapis_routes = {
- private = false
- restricted = false
- }
- data_folder = "${var.factories_config.data_dir}/subnets/landing-untrusted"
+ create_googleapis_routes = null
+ data_folder = "${var.factories_config.data_dir}/subnets/landing-untrusted"
}
module "landing-untrusted-firewall" {
diff --git a/fast/stages/2-networking-e-nva-bgp/landing.tf b/fast/stages/2-networking-e-nva-bgp/landing.tf
index bbac8c52..434adb85 100644
--- a/fast/stages/2-networking-e-nva-bgp/landing.tf
+++ b/fast/stages/2-networking-e-nva-bgp/landing.tf
@@ -54,11 +54,8 @@ module "landing-untrusted-vpc" {
inbound = false
logging = false
}
- create_googleapis_routes = {
- private = false
- restricted = false
- }
- data_folder = "${var.factories_config.data_dir}/subnets/landing-untrusted"
+ create_googleapis_routes = null
+ data_folder = "${var.factories_config.data_dir}/subnets/landing-untrusted"
}
module "landing-untrusted-firewall" {
diff --git a/modules/cloud-run/README.md b/modules/cloud-run/README.md
index b1c44f4c..baedcc4f 100644
--- a/modules/cloud-run/README.md
+++ b/modules/cloud-run/README.md
@@ -310,24 +310,24 @@ module "cloud_run" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [name](variables.tf#L123) | Name used for cloud run service. | string
| ✓ | |
-| [project_id](variables.tf#L138) | Project id used for all resources. | string
| ✓ | |
+| [name](variables.tf#L130) | Name used for cloud run service. | string
| ✓ | |
+| [project_id](variables.tf#L145) | Project id used for all resources. | string
| ✓ | |
| [container_concurrency](variables.tf#L18) | Maximum allowed in-flight (concurrent) requests per container of the revision. | string
| | null
|
| [containers](variables.tf#L24) | Containers in arbitrary key => attributes format. | map(object({…}))
| | {}
|
| [eventarc_triggers](variables.tf#L91) | Event arc triggers for different sources. | object({…})
| | {}
|
| [iam](variables.tf#L105) | IAM bindings for Cloud Run service in {ROLE => [MEMBERS]} format. | map(list(string))
| | {}
|
| [ingress_settings](variables.tf#L111) | Ingress settings. | string
| | null
|
-| [labels](variables.tf#L117) | Resource labels. | map(string)
| | {}
|
-| [prefix](variables.tf#L128) | Optional prefix used for resource names. | string
| | null
|
-| [region](variables.tf#L143) | Region used for all resources. | string
| | "europe-west1"
|
-| [revision_annotations](variables.tf#L149) | Configure revision template annotations. | object({…})
| | {}
|
-| [revision_name](variables.tf#L164) | Revision name. | string
| | null
|
-| [service_account](variables.tf#L170) | Service account email. Unused if service account is auto-created. | string
| | null
|
-| [service_account_create](variables.tf#L176) | Auto-create service account. | bool
| | false
|
-| [timeout_seconds](variables.tf#L182) | Maximum duration the instance is allowed for responding to a request. | number
| | null
|
-| [traffic](variables.tf#L188) | Traffic steering configuration. If revision name is null the latest revision will be used. | map(object({…}))
| | {}
|
-| [volumes](variables.tf#L199) | Named volumes in containers in name => attributes format. | map(object({…}))
| | {}
|
-| [vpc_connector_create](variables.tf#L213) | Populate this to create a VPC connector. You can then refer to it in the template annotations. | object({…})
| | null
|
+| [labels](variables.tf#L124) | Resource labels. | map(string)
| | {}
|
+| [prefix](variables.tf#L135) | Optional prefix used for resource names. | string
| | null
|
+| [region](variables.tf#L150) | Region used for all resources. | string
| | "europe-west1"
|
+| [revision_annotations](variables.tf#L156) | Configure revision template annotations. | object({…})
| | {}
|
+| [revision_name](variables.tf#L171) | Revision name. | string
| | null
|
+| [service_account](variables.tf#L177) | Service account email. Unused if service account is auto-created. | string
| | null
|
+| [service_account_create](variables.tf#L183) | Auto-create service account. | bool
| | false
|
+| [timeout_seconds](variables.tf#L189) | Maximum duration the instance is allowed for responding to a request. | number
| | null
|
+| [traffic](variables.tf#L195) | Traffic steering configuration. If revision name is null the latest revision will be used. | map(object({…}))
| | {}
|
+| [volumes](variables.tf#L206) | Named volumes in containers in name => attributes format. | map(object({…}))
| | {}
|
+| [vpc_connector_create](variables.tf#L220) | Populate this to create a VPC connector. You can then refer to it in the template annotations. | object({…})
| | null
|
## Outputs
diff --git a/modules/cloud-run/variables.tf b/modules/cloud-run/variables.tf
index 69499c18..f176ae40 100644
--- a/modules/cloud-run/variables.tf
+++ b/modules/cloud-run/variables.tf
@@ -112,6 +112,13 @@ variable "ingress_settings" {
description = "Ingress settings."
type = string
default = null
+ validation {
+ condition = contains(
+ ["all", "internal", "internal-and-cloud-load-balancing"],
+ coalesce(var.ingress_settings, "all")
+ )
+ error_message = "Ingress settings can be one of 'all', 'internal', 'internal-and-cloud-load-balancing'."
+ }
}
variable "labels" {
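Review bot: `coalesce(var.ingress_settings, "all")` also replaces an empty string with "all", so `ingress_settings = ""` passes the new validation although "" is not one of the listed values; `condition = var.ingress_settings == null || contains(["all", "internal", "internal-and-cloud-load-balancing"], var.ingress_settings)` validates exactly the three strings plus null. The validation also encodes that an unset value stands for "all", the least restrictive ingress; if that is how main.tf treats null, the description `"Ingress settings."` should say so, e.g. `"Ingress settings, one of 'all', 'internal', 'internal-and-cloud-load-balancing'. Null is treated as 'all'."`, so callers see that the default is the widest setting. The opening `variable "ingress_settings" {` line is outside the hunk.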
diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md
index b5340af8..45f47027 100644
--- a/modules/net-vpc/README.md
+++ b/modules/net-vpc/README.md
@@ -422,17 +422,12 @@ module "vpc" {
next_hop = "global/gateways/default-internet-gateway"
}
}
- create_googleapis_routes = {
- restricted = false
- restricted-6 = false
- private = false
- private-6 = false
- }
+ create_googleapis_routes = null
}
# tftest modules=5 resources=15 inventory=routes.yaml
```
-### Private Google Access routes
+### Private Google Access routes
By default the VPC module creates IPv4 routes for the [Private Google Access ranges](https://cloud.google.com/vpc/docs/configure-private-google-access#config-routing). This behavior can be controlled through the `create_googleapis_routes` variable:
@@ -451,7 +446,6 @@ module "vpc" {
# tftest modules=1 resources=3 inventory=googleapis.yaml
```
-
### Allow Firewall Policy to be evaluated before Firewall Rules
```hcl
@@ -485,28 +479,28 @@ module "vpc" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [name](variables.tf#L84) | The name of the network being created. | string
| ✓ | |
-| [project_id](variables.tf#L100) | The ID of the project where this VPC will be created. | string
| ✓ | |
+| [name](variables.tf#L83) | The name of the network being created. | string
| ✓ | |
+| [project_id](variables.tf#L99) | The ID of the project where this VPC will be created. | string
| ✓ | |
| [auto_create_subnetworks](variables.tf#L17) | Set to true to create an auto mode subnet, defaults to custom mode. | bool
| | false
|
-| [create_googleapis_routes](variables.tf#L23) | Toggle creation of googleapis private/restricted routes. | object({…})
| | {}
|
-| [data_folder](variables.tf#L35) | An optional folder containing the subnet configurations in YaML format. | string
| | null
|
-| [delete_default_routes_on_create](variables.tf#L41) | Set to true to delete the default routes at creation time. | bool
| | false
|
-| [description](variables.tf#L47) | An optional description of this resource (triggers recreation on change). | string
| | "Terraform-managed."
|
-| [dns_policy](variables.tf#L53) | DNS policy setup for the VPC. | object({…})
| | null
|
-| [firewall_policy_enforcement_order](variables.tf#L66) | Order that Firewall Rules and Firewall Policies are evaluated. Can be either 'BEFORE_CLASSIC_FIREWALL' or 'AFTER_CLASSIC_FIREWALL'. | string
| | "AFTER_CLASSIC_FIREWALL"
|
-| [mtu](variables.tf#L78) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 (the default) and the maximum value is 1500 bytes. | number
| | null
|
-| [peering_config](variables.tf#L89) | VPC peering configuration. | object({…})
| | null
|
-| [psa_config](variables.tf#L105) | The Private Service Access configuration for Service Networking. | object({…})
| | null
|
-| [routes](variables.tf#L115) | Network routes, keyed by name. | map(object({…}))
| | {}
|
-| [routing_mode](variables.tf#L135) | The network routing mode (default 'GLOBAL'). | string
| | "GLOBAL"
|
-| [shared_vpc_host](variables.tf#L145) | Enable shared VPC for this project. | bool
| | false
|
-| [shared_vpc_service_projects](variables.tf#L151) | Shared VPC service projects to register with this host. | list(string)
| | []
|
-| [subnet_iam](variables.tf#L157) | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | map(map(list(string)))
| | {}
|
-| [subnet_iam_additive](variables.tf#L163) | Subnet IAM additive bindings in {REGION/NAME => {ROLE => [MEMBERS]}} format. | map(map(list(string)))
| | {}
|
-| [subnets](variables.tf#L170) | Subnet configuration. | list(object({…}))
| | []
|
-| [subnets_proxy_only](variables.tf#L195) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…}))
| | []
|
-| [subnets_psc](variables.tf#L207) | List of subnets for Private Service Connect service producers. | list(object({…}))
| | []
|
-| [vpc_create](variables.tf#L218) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool
| | true
|
+| [create_googleapis_routes](variables.tf#L23) | Toggle creation of googleapis private/restricted routes. Set to null to disable creation. | object({…})
| | {}
|
+| [data_folder](variables.tf#L34) | An optional folder containing the subnet configurations in YaML format. | string
| | null
|
+| [delete_default_routes_on_create](variables.tf#L40) | Set to true to delete the default routes at creation time. | bool
| | false
|
+| [description](variables.tf#L46) | An optional description of this resource (triggers recreation on change). | string
| | "Terraform-managed."
|
+| [dns_policy](variables.tf#L52) | DNS policy setup for the VPC. | object({…})
| | null
|
+| [firewall_policy_enforcement_order](variables.tf#L65) | Order that Firewall Rules and Firewall Policies are evaluated. Can be either 'BEFORE_CLASSIC_FIREWALL' or 'AFTER_CLASSIC_FIREWALL'. | string
| | "AFTER_CLASSIC_FIREWALL"
|
+| [mtu](variables.tf#L77) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 (the default) and the maximum value is 1500 bytes. | number
| | null
|
+| [peering_config](variables.tf#L88) | VPC peering configuration. | object({…})
| | null
|
+| [psa_config](variables.tf#L104) | The Private Service Access configuration for Service Networking. | object({…})
| | null
|
+| [routes](variables.tf#L114) | Network routes, keyed by name. | map(object({…}))
| | {}
|
+| [routing_mode](variables.tf#L134) | The network routing mode (default 'GLOBAL'). | string
| | "GLOBAL"
|
+| [shared_vpc_host](variables.tf#L144) | Enable shared VPC for this project. | bool
| | false
|
+| [shared_vpc_service_projects](variables.tf#L150) | Shared VPC service projects to register with this host. | list(string)
| | []
|
+| [subnet_iam](variables.tf#L156) | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | map(map(list(string)))
| | {}
|
+| [subnet_iam_additive](variables.tf#L162) | Subnet IAM additive bindings in {REGION/NAME => {ROLE => [MEMBERS]}} format. | map(map(list(string)))
| | {}
|
+| [subnets](variables.tf#L169) | Subnet configuration. | list(object({…}))
| | []
|
+| [subnets_proxy_only](variables.tf#L194) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…}))
| | []
|
+| [subnets_psc](variables.tf#L206) | List of subnets for Private Service Connect service producers. | list(object({…}))
| | []
|
+| [vpc_create](variables.tf#L217) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool
| | true
|
## Outputs
diff --git a/modules/net-vpc/routes.tf b/modules/net-vpc/routes.tf
index 493b248b..7280f904 100644
--- a/modules/net-vpc/routes.tf
+++ b/modules/net-vpc/routes.tf
@@ -31,7 +31,7 @@ locals {
priority = 1000
tags = null
}
- if var.create_googleapis_routes[k]
+ if lookup(coalesce(var.create_googleapis_routes, {}), k, false)
}
_routes = merge(local._googleapis_routes, coalesce(var.routes, {}))
routes = {
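Review bot: `lookup(coalesce(var.create_googleapis_routes, {}), k, false)` is correct, but its purpose — a null variable disables every googleapis route — is not obvious from the expression, and it relies on coalesce unifying the typed object with `{}`; a one-line comment such as `# a null create_googleapis_routes disables all googleapis routes` above the `if` would help. `if try(var.create_googleapis_routes[k], false)` reads as the original line with the null case handled and appears equivalent, since indexing a null value errors and try turns that into false. The `_googleapis_routes` comprehension this `if` belongs to starts before this hunk.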
diff --git a/modules/net-vpc/variables.tf b/modules/net-vpc/variables.tf
index 2cb1cdbf..b20e54fe 100644
--- a/modules/net-vpc/variables.tf
+++ b/modules/net-vpc/variables.tf
@@ -21,15 +21,14 @@ variable "auto_create_subnetworks" {
}
variable "create_googleapis_routes" {
- description = "Toggle creation of googleapis private/restricted routes."
+ description = "Toggle creation of googleapis private/restricted routes. Set to null to disable creation."
type = object({
private = optional(bool, true)
private-6 = optional(bool, false)
restricted = optional(bool, true)
restricted-6 = optional(bool, false)
})
- default = {}
- nullable = false
+ default = {}
}
variable "data_folder" {
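Review bot: The new description says null disables creation but not what the default `{}` produces; from the optional attribute defaults in this block that is the IPv4 `private` and `restricted` routes with both `-6` variants off, so `"Toggle creation of googleapis private/restricted routes. Defaults to the IPv4 private and restricted routes; set to null to disable creation."` would make the README table entry self-explanatory. Dropping `nullable = false` is what makes null a legal value, so the default here and the `lookup(coalesce(...))` guard in routes.tf now form one contract; a comment `# null is accepted and handled in routes.tf` next to `default = {}` ties the two files together for the next editor.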