Simplify new CF from onprem via PSC example (#280)

* add support for PSC addresses to net-address module

* simplify PSC CF example

* update diagram
This commit is contained in:
Ludovico Magnocavallo 2021-07-20 15:05:48 +02:00 committed by GitHub
parent 6a7e907b65
commit 813ea55d0d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 161 additions and 203 deletions


@ -47,6 +47,26 @@ module "addresses" {
# tftest:modules=1:resources=2
```
### PSC addresses
```hcl
module "addresses" {
source = "./modules/net-address"
project_id = var.project_id
psc_addresses = {
one = {
address = null
network = var.vpc.self_link
}
two = {
address = "10.0.0.32"
network = var.vpc.self_link
}
}
}
# tftest:modules=1:resources=2
```
<!-- BEGIN TFDOC -->
## Variables
@ -57,6 +77,7 @@ module "addresses" {
| *global_addresses* | List of global addresses to create. | <code title="list&#40;string&#41;">list(string)</code> | | <code title="">[]</code> |
| *internal_addresses* | Map of internal addresses to create, keyed by name. | <code title="map&#40;object&#40;&#123;&#10;region &#61; string&#10;subnetwork &#61; string&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="">{}</code> |
| *internal_addresses_config* | Optional configuration for internal addresses, keyed by name. Unused options can be set to null. | <code title="map&#40;object&#40;&#123;&#10;address &#61; string&#10;purpose &#61; string&#10;tier &#61; string&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="">{}</code> |
| *psc_addresses* | Map of internal addresses used for Private Service Connect. | <code title="map&#40;object&#40;&#123;&#10;address &#61; string&#10;network &#61; string&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="">{}</code> |
## Outputs
@ -65,4 +86,5 @@ module "addresses" {
| external_addresses | None | |
| global_addresses | None | |
| internal_addresses | None | |
| psc_addresses | None | |
<!-- END TFDOC -->


@ -44,3 +44,15 @@ resource "google_compute_address" "internal" {
purpose = try(var.internal_addresses_config[each.key].purpose, null)
# labels = lookup(var.internal_address_labels, each.key, {})
}
resource "google_compute_global_address" "psc" {
for_each = var.psc_addresses
project = var.project_id
name = each.key
description = "Terraform managed."
address_type = "INTERNAL"
network = each.value.network
address = try(each.value.address, null)
purpose = "PRIVATE_SERVICE_CONNECT"
# labels = lookup(var.internal_address_labels, each.key, {})
}
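Review bot: `address = try(each.value.address, null)` in the new `psc` resource is redundant: `var.psc_addresses` is typed as `object({ address = string, network = string })`, so the attribute always exists and callers already pass `null` explicitly (the README example `one` does); `address = each.value.address` reads the same and would no longer mask a typo in the attribute name. The commented-out `# labels = lookup(var.internal_address_labels, each.key, {})` line looks copied from the `internal` resource above and references a variable that is not declared in the visible part of variables.tf, so either wire it up or drop it rather than carrying dead code into a new resource. A one-line header would also help the next reader, e.g. `# PSC endpoint addresses: global INTERNAL addresses bound to a VPC; a null address is passed through to the provider (presumably auto-allocated — confirm)`.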


@ -20,7 +20,6 @@ output "external_addresses" {
address.name => {
address = address.address
self_link = address.self_link
users = address.users
}
}
}
@ -41,7 +40,16 @@ output "internal_addresses" {
address.name => {
address = address.address
self_link = address.self_link
users = address.users
}
}
}
output "psc_addresses" {
value = {
for address in google_compute_global_address.psc :
address.name => {
address = address.address
self_link = address.self_link
}
}
}
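Review bot: Dropping the two `users = address.users` lines from the `external_addresses` and `internal_addresses` outputs is a breaking change for any caller that reads that key, and neither the commit message (which only lists PSC support) nor the module README hunk mentions it. If the removal is intentional, state it in the commit message and README; otherwise restore the field, since it is unrelated to the PSC work. For the new `psc_addresses` output a short comment such as `# self_link is the form the PSC forwarding rule's ip_address expects (see the example's google_compute_global_forwarding_rule)` would tie the output shape to its consumer.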


@ -61,3 +61,12 @@ variable "project_id" {
description = "Project where the addresses will be created."
type = string
}
variable "psc_addresses" {
description = "Map of internal addresses used for Private Service Connect."
type = map(object({
address = string
network = string
}))
default = {}
}
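Review bot: The `psc_addresses` description does not say what the two attributes accept, which matters because the module passes them straight to the provider: `network` is used as the VPC self link and `address` may be `null` (the README example passes `null` for `one`). Suggest `description = "Map of internal addresses used for Private Service Connect, keyed by name. Set address to null to let the provider allocate one (confirm); network is the VPC self link."`. It is also worth warning here, as the example's `psc_endpoint` variable already does, that a fixed address must not fall inside any subnet range of the VPC it is bound to.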


@ -19,16 +19,12 @@ curl https://YOUR_REGION-YOUR_PROJECT_ID.cloudfunctions.net/YOUR_FUNCTION_NAME
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| billing_account_id | Billing account id used as default for new projects. | <code title="">string</code> | ✓ | |
| cloud_function_gcs_bucket | Google Storage Bucket used as staging location for the Cloud Function source code. | <code title="">string</code> | ✓ | |
| projects_id | ID of the projects used in this solution. | <code title="object&#40;&#123;&#10;onprem &#61; string&#10;function &#61; string&#10;&#125;&#41;">object({...})</code> | ✓ | |
| root_node | Root folder or organization under which the projects will be created. | <code title="">string</code> | ✓ | |
| *create_projects* | Whether need to create the projects. | <code title="">bool</code> | | <code title="">true</code> |
| project_id | Project id. | <code title="">string</code> | ✓ | |
| *ip_ranges* | IP ranges used for the VPCs. | <code title="object&#40;&#123;&#10;onprem &#61; string&#10;hub &#61; string&#10;&#125;&#41;">object({...})</code> | | <code title="&#123;&#10;onprem &#61; &#34;10.0.1.0&#47;24&#34;,&#10;hub &#61; &#34;10.0.2.0&#47;24&#34;&#10;&#125;">...</code> |
| *prefix* | Prefix used for resources that need unique names. | <code title="">string</code> | | <code title="">null</code> |
| *psc_endpoint* | IP used for the Private Service Connect endpoint, it must not overlap with the hub_ip_range. | <code title="">string</code> | | <code title="">10.100.100.100</code> |
| *name* | Name used for new resources. | <code title="">string</code> | | <code title="">psc-onprem</code> |
| *project_create* | If non null, creates project instead of using an existing one. | <code title="object&#40;&#123;&#10;billing_account_id &#61; string&#10;parent &#61; string&#10;&#125;&#41;">object({...})</code> | | <code title="">null</code> |
| *psc_endpoint* | IP used for the Private Service Connect endpoint, it must not overlap with the hub_ip_range. | <code title="">string</code> | | <code title="">172.16.32.1</code> |
| *region* | Region where the resources will be created. | <code title="">string</code> | | <code title="">europe-west1</code> |
| *zone* | Zone where the test VM will be created. | <code title="">string</code> | | <code title="">europe-west1-b</code> |
## Outputs



@ -14,57 +14,40 @@
* limitations under the License.
*/
###############################################################################
# locals #
###############################################################################
locals {
prefix = var.prefix != null ? "${var.prefix}-" : ""
psc_name = replace(var.name, "-", "")
}
###############################################################################
# projects #
###############################################################################
module "project-onprem" {
module "project" {
source = "../../modules/project"
billing_account = var.billing_account_id
name = var.projects_id.onprem
parent = var.root_node
project_create = var.create_projects
prefix = var.prefix
name = var.project_id
project_create = var.project_create == null ? false : true
billing_account = try(var.project_create.billing_account_id, null)
parent = try(var.project_create.parent, null)
service_config = {
disable_dependent_services = false
disable_on_destroy = false
}
services = [
"cloudfunctions.googleapis.com",
"cloudbuild.googleapis.com",
"compute.googleapis.com",
"dns.googleapis.com"
]
}
module "project-hub" {
source = "../../modules/project"
billing_account = var.billing_account_id
name = var.projects_id.function
parent = var.root_node
project_create = var.create_projects
prefix = var.prefix
services = [
"compute.googleapis.com",
"cloudfunctions.googleapis.com",
"cloudbuild.googleapis.com"
]
}
###############################################################################
# VPCs #
###############################################################################
module "vpc-onprem" {
source = "../../modules/net-vpc"
project_id = module.project-onprem.project_id
name = "${local.prefix}onprem"
project_id = module.project.project_id
name = "${var.name}-onprem"
subnets = [
{
ip_cidr_range = var.ip_ranges.onprem
name = "${local.prefix}onprem"
name = "${var.name}-onprem"
region = var.region
secondary_ip_range = {}
}
@ -72,22 +55,19 @@ module "vpc-onprem" {
}
module "firewall-onprem" {
source = "../../modules/net-vpc-firewall"
project_id = module.project-onprem.project_id
network = module.vpc-onprem.name
admin_ranges_enabled = true
admin_ranges = []
custom_rules = {}
source = "../../modules/net-vpc-firewall"
project_id = module.project.project_id
network = module.vpc-onprem.name
}
module "vpc-hub" {
source = "../../modules/net-vpc"
project_id = module.project-hub.project_id
name = "${local.prefix}hub"
project_id = module.project.project_id
name = "${var.name}-hub"
subnets = [
{
ip_cidr_range = var.ip_ranges.hub
name = "${local.prefix}hub"
name = "${var.name}-hub"
region = var.region
secondary_ip_range = {}
}
@ -100,10 +80,10 @@ module "vpc-hub" {
module "vpn-onprem" {
source = "../../modules/net-vpn-ha"
project_id = module.project-onprem.project_id
project_id = module.project.project_id
region = var.region
network = module.vpc-onprem.self_link
name = "${local.prefix}onprem-to-hub"
name = "${var.name}-onprem-to-hub"
router_asn = 65001
router_advertise_config = {
groups = ["ALL_SUBNETS"]
@ -144,18 +124,18 @@ module "vpn-onprem" {
module "vpn-hub" {
source = "../../modules/net-vpn-ha"
project_id = module.project-hub.project_id
project_id = module.project.project_id
region = var.region
network = module.vpc-hub.name
name = "${local.prefix}hub-to-onprem"
name = "${var.name}-hub-to-onprem"
router_asn = 65002
peer_gcp_gateway = module.vpn-onprem.self_link
router_advertise_config = {
groups = ["ALL_SUBNETS"]
groups = ["ALL_SUBNETS"]
ip_ranges = {
(var.psc_endpoint) = "to-psc-endpoint"
}
mode = "CUSTOM"
mode = "CUSTOM"
}
tunnels = {
tunnel-0 = {
@ -192,36 +172,25 @@ module "vpn-hub" {
###############################################################################
module "test-vm" {
source = "../../modules/compute-vm"
project_id = module.project-onprem.project_id
region = var.region
zones = ["${var.zone}"]
name = "${local.prefix}test-vm"
instance_type = "e2-micro"
instance_count = 1
boot_disk = { image = "projects/ubuntu-os-cloud/global/images/family/ubuntu-2104", type = "pd-standard", size = 10 }
can_ip_forward = true
network_interfaces = [
{
network = module.vpc-onprem.self_link,
subnetwork = module.vpc-onprem.subnet_self_links["${var.region}/${local.prefix}onprem"],
nat = false,
addresses = {
internal = []
external = []
},
alias_ips = null
}
]
options = {
allow_stopping_for_update = true
deletion_protection = false
preemptible = false
source = "../../modules/compute-vm"
project_id = module.project.project_id
region = var.region
name = "${var.name}-test"
instance_type = "e2-micro"
boot_disk = {
image = "projects/ubuntu-os-cloud/global/images/family/ubuntu-2104"
type = "pd-balanced"
size = 10
}
metadata = {}
service_account = null
service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
tags = ["ssh"]
network_interfaces = [{
addresses = null
alias_ips = null
nat = false
network = module.vpc-onprem.self_link
subnetwork = module.vpc-onprem.subnet_self_links["${var.region}/${var.name}-onprem"]
}]
single_name = true
tags = ["ssh"]
}
###############################################################################
@ -230,19 +199,19 @@ module "test-vm" {
module "function-hello" {
source = "../../modules/cloud-function"
project_id = module.project-hub.project_id
name = "${local.prefix}my-hello-function"
bucket_name = var.cloud_function_gcs_bucket
project_id = module.project.project_id
name = var.name
bucket_name = "${var.name}-tf-cf-deploy"
ingress_settings = "ALLOW_INTERNAL_ONLY"
bundle_config = {
source_dir = "${path.module}/assets"
output_path = "bundle.zip"
}
bucket_config = {
location = var.region
location = var.region
lifecycle_delete_age = null
}
iam = {
iam = {
"roles/cloudfunctions.invoker" = ["allUsers"]
}
}
@ -253,16 +222,16 @@ module "function-hello" {
module "private-dns-onprem" {
source = "../../modules/dns"
project_id = module.project-onprem.project_id
project_id = module.project.project_id
type = "private"
name = "${local.prefix}private-cloud-function"
domain = "${var.region}-${local.prefix}${var.projects_id.function}.cloudfunctions.net."
name = var.name
domain = "${var.region}-${module.project.project_id}.cloudfunctions.net."
client_networks = [module.vpc-onprem.self_link]
recordsets = [{
name = "",
type = "A",
ttl = 300,
records = [var.psc_endpoint]
name = "",
type = "A",
ttl = 300,
records = [module.addresses.psc_addresses[local.psc_name].address]
}]
}
@ -270,22 +239,23 @@ module "private-dns-onprem" {
# PSCs #
###############################################################################
resource "google_compute_global_address" "psc-address" {
provider = google
project = module.project-hub.project_id
name = "pscaddress"
purpose = "PRIVATE_SERVICE_CONNECT"
address_type = "INTERNAL"
address = var.psc_endpoint
network = module.vpc-hub.self_link
module "addresses" {
source = "../../modules/net-address"
project_id = module.project.project_id
psc_addresses = {
(local.psc_name) = {
address = var.psc_endpoint
network = module.vpc-hub.self_link
}
}
}
resource "google_compute_global_forwarding_rule" "psc-endpoint" {
provider = google-beta
project = module.project-hub.project_id
name = "pscendpoint"
project = module.project.project_id
name = local.psc_name
network = module.vpc-hub.self_link
ip_address = google_compute_global_address.psc-address.id
ip_address = module.addresses.psc_addresses[local.psc_name].self_link
target = "vpc-sc"
load_balancing_scheme = ""
}
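Review bot: `bucket_name = "${var.name}-tf-cf-deploy"` in the `function-hello` hunk derives the staging bucket name solely from `var.name`, whose default is `psc-onprem`, and the accompanying `bucket_config` suggests the module creates that bucket; GCS bucket names are a global namespace, so two users of this example (or anyone who already owns `psc-onprem-tf-cf-deploy`) will collide, whereas the removed `cloud_function_gcs_bucket` variable let each user pick a unique name. Including the project id, e.g. `bucket_name = "${module.project.project_id}-${var.name}-cf-deploy"`, keeps the name unique per deployment since project ids are themselves globally unique, and stays under the 63-character limit for the default name. In the same hunk the `"roles/cloudfunctions.invoker" = ["allUsers"]` binding is kept, so `ingress_settings = "ALLOW_INTERNAL_ONLY"` is the only control on who can invoke the function; a comment such as `# unauthenticated invocation is acceptable in this demo only because ingress is restricted to internal (PSC/VPC) traffic` would stop the pair being copied into production without that context.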


@ -14,53 +14,6 @@
* limitations under the License.
*/
variable "region" {
description = "Region where the resources will be created."
type = string
default = "europe-west1"
}
variable "zone" {
description = "Zone where the test VM will be created."
type = string
default = "europe-west1-b"
}
variable "prefix" {
description = "Prefix used for resources that need unique names."
type = string
default = null
}
variable "billing_account_id" {
description = "Billing account id used as default for new projects."
type = string
}
variable "projects_id" {
description = "ID of the projects used in this solution."
type = object({
onprem = string
function = string
})
}
variable "create_projects" {
description = "Whether need to create the projects."
type = bool
default = true
}
variable "root_node" {
description = "Root folder or organization under which the projects will be created."
type = string
}
variable "cloud_function_gcs_bucket" {
description = "Google Storage Bucket used as staging location for the Cloud Function source code."
type = string
}
variable "ip_ranges" {
description = "IP ranges used for the VPCs."
type = object({
@ -73,8 +26,34 @@ variable "ip_ranges" {
}
}
variable "name" {
description = "Name used for new resources."
type = string
default = "psc-onprem"
}
variable "project_create" {
description = "If non null, creates project instead of using an existing one."
type = object({
billing_account_id = string
parent = string
})
default = null
}
variable "project_id" {
description = "Project id."
type = string
}
variable "psc_endpoint" {
description = "IP used for the Private Service Connect endpoint, it must not overlap with the hub_ip_range."
type = string
default = "10.100.100.100"
type = string
default = "172.16.32.1"
}
variable "region" {
description = "Region where the resources will be created."
type = string
default = "europe-west1"
}
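Review bot: The `psc_endpoint` description still says the address must not overlap with `hub_ip_range`, but no variable by that name exists after this commit; the hub range is `var.ip_ranges.hub`, and since main.tf advertises the endpoint over the VPN to the onprem VPC it presumably must not overlap `var.ip_ranges.onprem` either. Suggest `description = "IP used for the Private Service Connect endpoint; must not overlap with any range in var.ip_ranges."`. `project_id`'s description `"Project id."` could also say how it interacts with the new `project_create` variable, which main.tf uses to decide whether to create the project, e.g. `"Project id; used as-is when project_create is null, otherwise as the id of the project to create."`.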


@ -15,9 +15,10 @@
*/
module "test" {
source = "../../../../networking/private-cloud-function-from-onprem"
billing_account_id = var.billing_account_id
projects_id = var.projects_id
root_node = var.root_node
cloud_function_gcs_bucket = var.cloud_function_gcs_bucket
source = "../../../../networking/private-cloud-function-from-onprem"
project_create = {
billing_account_id = "123456-ABCDEF-123456"
parent = "folders/1234567890"
}
project_id = "test-project"
}


@ -1,39 +0,0 @@
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
variable "billing_account_id" {
type = string
default = "ABCDE-12345-ABCDE"
}
variable "projects_id" {
type = object({
onprem = string
function = string
})
default = {
onprem = "onprem-project-id"
function = "function-project-id"
}
}
variable "root_node" {
type = string
default = "organizations/0123456789"
}
variable cloud_function_gcs_bucket {
type = string
default = "stanging-gcs-bucket"
}


@ -24,4 +24,4 @@ def test_resources(e2e_plan_runner):
"Test that plan works and the numbers of resources is as expected."
modules, resources = e2e_plan_runner(FIXTURES_DIR)
assert len(modules) == 10
assert len(resources) == 40
assert len(resources) == 38