From 7bd6e5d57baf43cf0908f718b2ab5d538bdcf983 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Wed, 7 Jun 2023 19:37:46 +0200
Subject: [PATCH] Small fixes (#1425)
* fix serverless connector plugin outputs
* add internal and lb to allowed ingress org policy
* add validation condition on cloud run ingress settings
* tfdoc
* plugin tfdoc
* allow disabling googleapis routes with a single instruction in net-vpc
* fix variable def
* fix variable description
* fix cr variable validation
* fix usage of create_googleapis_routes in examples and stages
---
 .../README.md | 2 +-
 .../local-serverless-connector-outputs.tf | 12 +++--
 .../local-serverless-connector.tf | 14 +----
 .../data/org-policies/serverless.yaml | 1 +
 fast/stages/2-networking-c-nva/landing.tf | 7 +--
 fast/stages/2-networking-e-nva-bgp/landing.tf | 7 +--
 modules/cloud-run/README.md | 26 +++++-----
 modules/cloud-run/variables.tf | 7 +++
 modules/net-vpc/README.md | 52 ++++++++-----------
 modules/net-vpc/routes.tf | 2 +-
 modules/net-vpc/variables.tf | 5 +-
 11 files changed, 62 insertions(+), 73 deletions(-)
diff --git a/fast/plugins/2-networking-serverless-connector/README.md b/fast/plugins/2-networking-serverless-connector/README.md
index f8ba8b2f..2a6ad8d5 100644
--- a/fast/plugins/2-networking-serverless-connector/README.md
+++ b/fast/plugins/2-networking-serverless-connector/README.md
@@ -35,6 +35,6 @@ To enable the plugin, simply copy or link its files in the networking stage.
 | name | description | sensitive | consumers |
 |---|---|:---:|---|
-| [plugin_sc_connectors](local-serverless-connector-outputs.tf#L43) | VPC Access Connectors. | | |
+| [plugin_sc_connectors](local-serverless-connector-outputs.tf#L47) | VPC Access Connectors. | | |
diff --git a/fast/plugins/2-networking-serverless-connector/local-serverless-connector-outputs.tf b/fast/plugins/2-networking-serverless-connector/local-serverless-connector-outputs.tf
index 0e1d7b00..f5d8b0d3 100644
--- a/fast/plugins/2-networking-serverless-connector/local-serverless-connector-outputs.tf
+++ b/fast/plugins/2-networking-serverless-connector/local-serverless-connector-outputs.tf
@@ -29,13 +29,17 @@ resource "local_file" "plugin_sc_tfvars" {
 for_each = var.outputs_location == null ? {} : { 1 = 1 }
 file_permission = "0644"
 filename = "${try(pathexpand(var.outputs_location), "")}/tfvars/2-networking-serverless-connnector.auto.tfvars.json"
- content = jsonencode(local.plugin_sc_tfvars)
+ content = jsonencode({
+ vpc_connectors = local.plugin_sc_tfvars
+ })
 }
 resource "google_storage_bucket_object" "plugin_sc_tfvars" {
- bucket = var.automation.outputs_bucket
- name = "tfvars/2-networking-serverless-connnector.auto.tfvars.json"
- content = jsonencode(local.plugin_sc_tfvars)
+ bucket = var.automation.outputs_bucket
+ name = "tfvars/2-networking-serverless-connnector.auto.tfvars.json"
+ content = jsonencode({
+ vpc_connectors = local.plugin_sc_tfvars
+ })
 }
 # outputs
diff --git a/fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf b/fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf
index f3789fb4..e70de806 100644
--- a/fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf
+++ b/fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf
@@ -39,12 +39,7 @@ module "dev-spoke-vpc-serverless" {
 region = var.regions.primary
 }]
 # these should be create from the main VPC
- create_googleapis_routes = {
- private = false
- private-6 = false
- restricted = false
- restricted-6 = false
- }
+ create_googleapis_routes = null
 }
 module "prod-spoke-vpc-serverless" {
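Review bot: The `vpc_connectors` wrapping is now written twice, once in `local_file.plugin_sc_tfvars` and once in `google_storage_bucket_object.plugin_sc_tfvars`, so the local file and the bucket object can drift apart the next time the shape of the tfvars changes. Build the encoded content once and reference it from both `content` arguments, e.g. `locals { plugin_sc_tfvars_content = jsonencode({ vpc_connectors = local.plugin_sc_tfvars }) }` next to the existing `plugin_sc_tfvars` local (which is defined outside this hunk), then `content = local.plugin_sc_tfvars_content` in both resources. The file name `2-networking-serverless-connnector.auto.tfvars.json` (three n's) is used by both resources and is presumably what downstream stages match on; it is not touched here, so it is worth a comment saying the spelling is intentional or a follow-up to fix it in producer and consumers together.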
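Review bot: The comment above the changed line, `# these should be create from the main VPC`, has a typo and no longer explains what `null` means; suggest `# null: no googleapis routes here, they are created from the main VPC`. The identical change and comment appear again in the `prod-spoke-vpc-serverless` hunk that follows. Passing `null` relies on the net-vpc module's `create_googleapis_routes` accepting a null value, which this same commit introduces, so the plugin now requires a module checkout that includes that change. `module "dev-spoke-vpc-serverless"` starts before this hunk.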
@@ -59,12 +54,7 @@ module "prod-spoke-vpc-serverless" {
 region = var.regions.primary
 }]
 # these should be create from the main VPC
- create_googleapis_routes = {
- private = false
- private-6 = false
- restricted = false
- restricted-6 = false
- }
+ create_googleapis_routes = null
 }
 resource "google_vpc_access_connector" "dev-primary" {
diff --git a/fast/stages/1-resman/data/org-policies/serverless.yaml b/fast/stages/1-resman/data/org-policies/serverless.yaml
index 3efb23cd..4931c41b 100644
--- a/fast/stages/1-resman/data/org-policies/serverless.yaml
+++ b/fast/stages/1-resman/data/org-policies/serverless.yaml
@@ -7,6 +7,7 @@ run.allowedIngress:
 - allow:
 values:
 - is:internal
+ - is:internal-and-cloud-load-balancing
 # run.allowedVPCEgress:
 # rules:
diff --git a/fast/stages/2-networking-c-nva/landing.tf b/fast/stages/2-networking-c-nva/landing.tf
index 0dd7d982..75cb9e81 100644
--- a/fast/stages/2-networking-c-nva/landing.tf
+++ b/fast/stages/2-networking-c-nva/landing.tf
@@ -53,11 +53,8 @@ module "landing-untrusted-vpc" {
 inbound = false
 logging = false
 }
- create_googleapis_routes = {
- private = false
- restricted = false
- }
- data_folder = "${var.factories_config.data_dir}/subnets/landing-untrusted"
+ create_googleapis_routes = null
+ data_folder = "${var.factories_config.data_dir}/subnets/landing-untrusted"
 }
 module "landing-untrusted-firewall" {
diff --git a/fast/stages/2-networking-e-nva-bgp/landing.tf b/fast/stages/2-networking-e-nva-bgp/landing.tf
index bbac8c52..434adb85 100644
--- a/fast/stages/2-networking-e-nva-bgp/landing.tf
+++ b/fast/stages/2-networking-e-nva-bgp/landing.tf
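Review bot: Adding `is:internal-and-cloud-load-balancing` to `run.allowedIngress` means a Cloud Run service in scope of this policy can be fronted by a Cloud Load Balancer, and with an external load balancer the service becomes reachable from the internet, so the policy on its own no longer guarantees internal-only ingress; the reachable surface is then decided by the load balancer configuration (Cloud Armor, IAP), which lives outside this file. A one-line comment next to the new value stating that intent would help whoever audits this policy later, e.g. `# permits exposure through a load balancer; restrict reachability at the LB (Cloud Armor / IAP)`. The `ingress_settings` validation added to `modules/cloud-run` in this same commit accepts these two values plus `all`, so `all` is the one a service would still be refused by this policy, assuming the policy is enforced where those services are deployed.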
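Review bot: `create_googleapis_routes = null` replaces an object that only listed `private` and `restricted`, so the new value also covers `private-6` and `restricted-6`; those default to false in the net-vpc variable (per the variables.tf hunk in this commit), so the effective route set on the untrusted landing VPC should be unchanged, but a plan should confirm that no googleapis route is added or removed. A short comment would make the intent explicit, e.g. `# no googleapis routes in the untrusted VPC`. The same change appears in the `fast/stages/2-networking-e-nva-bgp/landing.tf` hunk that follows. `module "landing-untrusted-vpc"` starts before this hunk.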
@@ -54,11 +54,8 @@ module "landing-untrusted-vpc" {
 inbound = false
 logging = false
 }
- create_googleapis_routes = {
- private = false
- restricted = false
- }
- data_folder = "${var.factories_config.data_dir}/subnets/landing-untrusted"
+ create_googleapis_routes = null
+ data_folder = "${var.factories_config.data_dir}/subnets/landing-untrusted"
 }
 module "landing-untrusted-firewall" {
diff --git a/modules/cloud-run/README.md b/modules/cloud-run/README.md
index b1c44f4c..baedcc4f 100644
--- a/modules/cloud-run/README.md
+++ b/modules/cloud-run/README.md
@@ -310,24 +310,24 @@ module "cloud_run" {
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [name](variables.tf#L123) | Name used for cloud run service. | string | ✓ | |
-| [project_id](variables.tf#L138) | Project id used for all resources. | string | ✓ | |
+| [name](variables.tf#L130) | Name used for cloud run service. | string | ✓ | |
+| [project_id](variables.tf#L145) | Project id used for all resources. | string | ✓ | |
 | [container_concurrency](variables.tf#L18) | Maximum allowed in-flight (concurrent) requests per container of the revision. | string | | null |
 | [containers](variables.tf#L24) | Containers in arbitrary key => attributes format. | map(object({…})) | | {} |
 | [eventarc_triggers](variables.tf#L91) | Event arc triggers for different sources. | object({…}) | | {} |
 | [iam](variables.tf#L105) | IAM bindings for Cloud Run service in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
 | [ingress_settings](variables.tf#L111) | Ingress settings. | string | | null |
-| [labels](variables.tf#L117) | Resource labels. | map(string) | | {} |
-| [prefix](variables.tf#L128) | Optional prefix used for resource names. | string | | null |
-| [region](variables.tf#L143) | Region used for all resources. | string | | "europe-west1" |
-| [revision_annotations](variables.tf#L149) | Configure revision template annotations. | object({…}) | | {} |
-| [revision_name](variables.tf#L164) | Revision name. | string | | null |
-| [service_account](variables.tf#L170) | Service account email. Unused if service account is auto-created. | string | | null |
-| [service_account_create](variables.tf#L176) | Auto-create service account. | bool | | false |
-| [timeout_seconds](variables.tf#L182) | Maximum duration the instance is allowed for responding to a request. | number | | null |
-| [traffic](variables.tf#L188) | Traffic steering configuration. If revision name is null the latest revision will be used. | map(object({…})) | | {} |
-| [volumes](variables.tf#L199) | Named volumes in containers in name => attributes format. | map(object({…})) | | {} |
-| [vpc_connector_create](variables.tf#L213) | Populate this to create a VPC connector. You can then refer to it in the template annotations. | object({…}) | | null |
+| [labels](variables.tf#L124) | Resource labels. | map(string) | | {} |
+| [prefix](variables.tf#L135) | Optional prefix used for resource names. | string | | null |
+| [region](variables.tf#L150) | Region used for all resources. | string | | "europe-west1" |
+| [revision_annotations](variables.tf#L156) | Configure revision template annotations. | object({…}) | | {} |
+| [revision_name](variables.tf#L171) | Revision name. | string | | null |
+| [service_account](variables.tf#L177) | Service account email. Unused if service account is auto-created. | string | | null |
+| [service_account_create](variables.tf#L183) | Auto-create service account. | bool | | false |
+| [timeout_seconds](variables.tf#L189) | Maximum duration the instance is allowed for responding to a request. | number | | null |
+| [traffic](variables.tf#L195) | Traffic steering configuration. If revision name is null the latest revision will be used. | map(object({…})) | | {} |
+| [volumes](variables.tf#L206) | Named volumes in containers in name => attributes format. | map(object({…})) | | {} |
+| [vpc_connector_create](variables.tf#L220) | Populate this to create a VPC connector. You can then refer to it in the template annotations. | object({…}) | | null |
 ## Outputs
diff --git a/modules/cloud-run/variables.tf b/modules/cloud-run/variables.tf
index 69499c18..f176ae40 100644
--- a/modules/cloud-run/variables.tf
+++ b/modules/cloud-run/variables.tf
@@ -112,6 +112,13 @@ variable "ingress_settings" {
 description = "Ingress settings."
 type = string
 default = null
+ validation {
+ condition = contains(
+ ["all", "internal", "internal-and-cloud-load-balancing"],
+ coalesce(var.ingress_settings, "all")
+ )
+ error_message = "Ingress settings can be one of 'all', 'internal', 'internal-and-cloud-load-balancing'."
+ }
 }
 variable "labels" {
diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md
index b5340af8..45f47027 100644
--- a/modules/net-vpc/README.md
+++ b/modules/net-vpc/README.md
@@ -422,17 +422,12 @@ module "vpc" {
 next_hop = "global/gateways/default-internet-gateway"
 }
 }
- create_googleapis_routes = {
- restricted = false
- restricted-6 = false
- private = false
- private-6 = false
- }
+ create_googleapis_routes = null
 }
 # tftest modules=5 resources=15 inventory=routes.yaml
 ```
-### Private Google Access routes
+### Private Google Access routes
 By default the VPC module creates IPv4 routes for the [Private Google Access ranges](https://cloud.google.com/vpc/docs/configure-private-google-access#config-routing). This behavior can be controlled through the `create_googleapis_routes` variable:
@@ -451,7 +446,6 @@ module "vpc" {
 # tftest modules=1 resources=3 inventory=googleapis.yaml
 ```
-
 ### Allow Firewall Policy to be evaluated before Firewall Rules
 ```hcl
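Review bot: `coalesce(var.ingress_settings, "all")` makes the validation accept `null` by treating it as `all`, i.e. unrestricted ingress, yet the description still reads only `Ingress settings.`; an operator may reasonably assume that leaving the value unset is the restrictive option, so the description should spell out the semantics the coalesce implies, e.g. `description = "Ingress settings, one of 'all', 'internal', 'internal-and-cloud-load-balancing'. Null leaves the provider default (treated as 'all' here)."` — and if the provider default is not `all`, the coalesce value should be revisited. The accepted list matches the `run.allowedIngress` values in this commit's org policy except for `all`, so under that policy an unset `ingress_settings` would be refused at apply time rather than by this validation; defaulting to `internal` would be the safer choice if callers can accept it, otherwise documenting the exposure is enough. `variable "ingress_settings"` opens before this hunk.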
@@ -485,28 +479,28 @@ module "vpc" {
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [name](variables.tf#L84) | The name of the network being created. | string | ✓ | |
-| [project_id](variables.tf#L100) | The ID of the project where this VPC will be created. | string | ✓ | |
+| [name](variables.tf#L83) | The name of the network being created. | string | ✓ | |
+| [project_id](variables.tf#L99) | The ID of the project where this VPC will be created. | string | ✓ | |
 | [auto_create_subnetworks](variables.tf#L17) | Set to true to create an auto mode subnet, defaults to custom mode. | bool | | false |
-| [create_googleapis_routes](variables.tf#L23) | Toggle creation of googleapis private/restricted routes. | object({…}) | | {} |
-| [data_folder](variables.tf#L35) | An optional folder containing the subnet configurations in YaML format. | string | | null |
-| [delete_default_routes_on_create](variables.tf#L41) | Set to true to delete the default routes at creation time. | bool | | false |
-| [description](variables.tf#L47) | An optional description of this resource (triggers recreation on change). | string | | "Terraform-managed." |
-| [dns_policy](variables.tf#L53) | DNS policy setup for the VPC. | object({…}) | | null |
-| [firewall_policy_enforcement_order](variables.tf#L66) | Order that Firewall Rules and Firewall Policies are evaluated. Can be either 'BEFORE_CLASSIC_FIREWALL' or 'AFTER_CLASSIC_FIREWALL'. | string | | "AFTER_CLASSIC_FIREWALL" |
-| [mtu](variables.tf#L78) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 (the default) and the maximum value is 1500 bytes. | number | | null |
-| [peering_config](variables.tf#L89) | VPC peering configuration. | object({…}) | | null |
-| [psa_config](variables.tf#L105) | The Private Service Access configuration for Service Networking. | object({…}) | | null |
-| [routes](variables.tf#L115) | Network routes, keyed by name. | map(object({…})) | | {} |
-| [routing_mode](variables.tf#L135) | The network routing mode (default 'GLOBAL'). | string | | "GLOBAL" |
-| [shared_vpc_host](variables.tf#L145) | Enable shared VPC for this project. | bool | | false |
-| [shared_vpc_service_projects](variables.tf#L151) | Shared VPC service projects to register with this host. | list(string) | | [] |
-| [subnet_iam](variables.tf#L157) | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | map(map(list(string))) | | {} |
-| [subnet_iam_additive](variables.tf#L163) | Subnet IAM additive bindings in {REGION/NAME => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {} |
-| [subnets](variables.tf#L170) | Subnet configuration. | list(object({…})) | | [] |
-| [subnets_proxy_only](variables.tf#L195) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] |
-| [subnets_psc](variables.tf#L207) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] |
-| [vpc_create](variables.tf#L218) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool | | true |
+| [create_googleapis_routes](variables.tf#L23) | Toggle creation of googleapis private/restricted routes. Set to null to disable creation. | object({…}) | | {} |
+| [data_folder](variables.tf#L34) | An optional folder containing the subnet configurations in YaML format. | string | | null |
+| [delete_default_routes_on_create](variables.tf#L40) | Set to true to delete the default routes at creation time. | bool | | false |
+| [description](variables.tf#L46) | An optional description of this resource (triggers recreation on change). | string | | "Terraform-managed." |
+| [dns_policy](variables.tf#L52) | DNS policy setup for the VPC. | object({…}) | | null |
+| [firewall_policy_enforcement_order](variables.tf#L65) | Order that Firewall Rules and Firewall Policies are evaluated. Can be either 'BEFORE_CLASSIC_FIREWALL' or 'AFTER_CLASSIC_FIREWALL'. | string | | "AFTER_CLASSIC_FIREWALL" |
+| [mtu](variables.tf#L77) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 (the default) and the maximum value is 1500 bytes. | number | | null |
+| [peering_config](variables.tf#L88) | VPC peering configuration. | object({…}) | | null |
+| [psa_config](variables.tf#L104) | The Private Service Access configuration for Service Networking. | object({…}) | | null |
+| [routes](variables.tf#L114) | Network routes, keyed by name. | map(object({…})) | | {} |
+| [routing_mode](variables.tf#L134) | The network routing mode (default 'GLOBAL'). | string | | "GLOBAL" |
+| [shared_vpc_host](variables.tf#L144) | Enable shared VPC for this project. | bool | | false |
+| [shared_vpc_service_projects](variables.tf#L150) | Shared VPC service projects to register with this host. | list(string) | | [] |
+| [subnet_iam](variables.tf#L156) | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | map(map(list(string))) | | {} |
+| [subnet_iam_additive](variables.tf#L162) | Subnet IAM additive bindings in {REGION/NAME => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {} |
+| [subnets](variables.tf#L169) | Subnet configuration. | list(object({…})) | | [] |
+| [subnets_proxy_only](variables.tf#L194) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] |
+| [subnets_psc](variables.tf#L206) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] |
+| [vpc_create](variables.tf#L217) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool | | true |
 ## Outputs
diff --git a/modules/net-vpc/routes.tf b/modules/net-vpc/routes.tf
index 493b248b..7280f904 100644
--- a/modules/net-vpc/routes.tf
+++ b/modules/net-vpc/routes.tf
@@ -31,7 +31,7 @@ locals {
 priority = 1000
 tags = null
 }
- if var.create_googleapis_routes[k]
+ if lookup(coalesce(var.create_googleapis_routes, {}), k, false)
 }
 _routes = merge(local._googleapis_routes, coalesce(var.routes, {}))
 routes = {
diff --git a/modules/net-vpc/variables.tf b/modules/net-vpc/variables.tf
index 2cb1cdbf..b20e54fe 100644
--- a/modules/net-vpc/variables.tf
+++ b/modules/net-vpc/variables.tf
@@ -21,15 +21,14 @@ variable "auto_create_subnetworks" {
 }
 variable "create_googleapis_routes" {
- description = "Toggle creation of googleapis private/restricted routes."
+ description = "Toggle creation of googleapis private/restricted routes. Set to null to disable creation."
 type = object({
 private = optional(bool, true)
 private-6 = optional(bool, false)
 restricted = optional(bool, true)
 restricted-6 = optional(bool, false)
 })
- default = {}
- nullable = false
+ default = {}
 }
 variable "data_folder" {
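Review bot: `lookup(coalesce(var.create_googleapis_routes, {}), k, false)` handles a null variable correctly, but the `lookup` default is unreachable when the object is non-null, because the variable type in this commit's variables.tf hunk declares all four keys with `optional(...)` defaults; `if try(var.create_googleapis_routes[k], false)` expresses the same "null or missing means false" fallback in one call and reads more directly. A why-comment on the line would also help, e.g. `# a null variable disables every googleapis route`. The `locals` block begins before this hunk and continues after it.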
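Review bot: Dropping `nullable = false` is what lets callers pass `null`, but the new description promises that null disables creation only if an explicit `null` actually reaches the module as null rather than being replaced by the default `{}`; since `private` and `restricted` default to true, a replaced null would silently create the routes that the callers changed in this commit intend to disable. That replacement was the behaviour of Terraform versions predating the `nullable` attribute, and the removed `nullable = false` line suggests the module already constrains `required_version` to a release that has it, but that constraint is outside this hunk and worth confirming. Consider stating it in the description, e.g. `Set to null to disable creation (null is preserved, not defaulted, on supported Terraform versions).`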