commit
998d4aaf54
|
@ -69,4 +69,7 @@ jobs:
|
|||
- name: Check python formatting
|
||||
id: yapf
|
||||
run: |
|
||||
yapf --style="{based_on_style: google, indent_width: 2, SPLIT_BEFORE_NAMED_ASSIGNS: false}" -p -d tools/*.py
|
||||
yapf --style="{based_on_style: google, indent_width: 2, SPLIT_BEFORE_NAMED_ASSIGNS: false}" -p -d \
|
||||
tools/*.py \
|
||||
blueprints/cloud-operations/network-dashboard/src/*py \
|
||||
blueprints/cloud-operations/network-dashboard/src/plugins/*py
|
||||
|
|
|
@ -754,7 +754,7 @@ def test_name(plan_summary, tfvars_to_yaml, tmp_path):
|
|||
assert s.values[address]['project'] == 'my-project'
|
||||
```
|
||||
|
||||
For more examples on how to write python tests, the tests for [`organization`](./tests/modules/organization/test_plan_org_policies.py) and [`net-vpc`](./tests/modules/net_vpc/test_routes.py) modules.
|
||||
For more examples on how to write python tests, check the tests for the [`organization`](./tests/modules/organization/test_plan_org_policies.py) module.
|
||||
|
||||
#### Testing documentation examples
|
||||
|
||||
|
|
|
@ -826,9 +826,9 @@
|
|||
"integrity": "sha512-QADzlaHc8icV8I7vbaJXJwod9HWYp8uCqf1xa4OfNu1T7JVxQIrUgOWtHdNDtPiywmFbiS12VjotIXLrKM3orQ=="
|
||||
},
|
||||
"node_modules/cookiejar": {
|
||||
"version": "2.1.3",
|
||||
"resolved": "https://registry.npmjs.org/cookiejar/-/cookiejar-2.1.3.tgz",
|
||||
"integrity": "sha512-JxbCBUdrfr6AQjOXrxoTvAMJO4HBTUIlBzslcJPAz+/KT8yk53fXun51u+RenNYvad/+Vc2DIz5o9UxlCDymFQ=="
|
||||
"version": "2.1.4",
|
||||
"resolved": "https://registry.npmjs.org/cookiejar/-/cookiejar-2.1.4.tgz",
|
||||
"integrity": "sha512-LDx6oHrK+PhzLKJU9j5S7/Y3jM/mUHvD/DeI1WQmJn652iPC5Y4TBzC9l+5OMOXlyTTA+SmVUPm0HQUwpD5Jqw=="
|
||||
},
|
||||
"node_modules/debug": {
|
||||
"version": "2.6.9",
|
||||
|
@ -3783,9 +3783,9 @@
|
|||
"integrity": "sha512-QADzlaHc8icV8I7vbaJXJwod9HWYp8uCqf1xa4OfNu1T7JVxQIrUgOWtHdNDtPiywmFbiS12VjotIXLrKM3orQ=="
|
||||
},
|
||||
"cookiejar": {
|
||||
"version": "2.1.3",
|
||||
"resolved": "https://registry.npmjs.org/cookiejar/-/cookiejar-2.1.3.tgz",
|
||||
"integrity": "sha512-JxbCBUdrfr6AQjOXrxoTvAMJO4HBTUIlBzslcJPAz+/KT8yk53fXun51u+RenNYvad/+Vc2DIz5o9UxlCDymFQ=="
|
||||
"version": "2.1.4",
|
||||
"resolved": "https://registry.npmjs.org/cookiejar/-/cookiejar-2.1.4.tgz",
|
||||
"integrity": "sha512-LDx6oHrK+PhzLKJU9j5S7/Y3jM/mUHvD/DeI1WQmJn652iPC5Y4TBzC9l+5OMOXlyTTA+SmVUPm0HQUwpD5Jqw=="
|
||||
},
|
||||
"debug": {
|
||||
"version": "2.6.9",
|
||||
|
|
|
@ -25,20 +25,24 @@ The diagram below depicts the architecture.
|
|||
terraform apply
|
||||
```
|
||||
|
||||
Create an A record in your DNS registrar to point the environment group hostname to the public IP address returned after the terraform configuration was applied. You might need to wait some time until the certificate is provisioned.
|
||||
|
||||
5. Install Apigee hybrid using de ansible playbook that is in the ansible folder by running this command
|
||||
|
||||
ansible-playbook playbook.yaml -vvvß
|
||||
|
||||
## Testing the blueprint
|
||||
|
||||
2. Deploy an api proxy
|
||||
|
||||
```
|
||||
./deploy-apiproxy.sh
|
||||
./deploy-apiproxy.sh apis-test
|
||||
```
|
||||
|
||||
3. In the console check the IP address that has been allocated to the Apigee ingress gateway and send some traffic to the deployed API proxy.
|
||||
3. Send a request
|
||||
|
||||
```
|
||||
curl -k -v -H "Host:HOSTNAME" \
|
||||
--resolve HOSTNAME:443:IP_ADDRESS \
|
||||
https://HOSTNAME/httpbin/headers
|
||||
curl -v https://HOSTNAME/httpbin/headers
|
||||
```
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
|
@ -56,4 +60,10 @@ The diagram below depicts the architecture.
|
|||
| [region](variables.tf#L84) | Region. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| [zone](variables.tf#L90) | Zone. | <code>string</code> | | <code>"europe-west1-c"</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| [ip_address](outputs.tf#L17) | GLB IP address. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
|
|
@ -18,12 +18,13 @@
|
|||
|
||||
resource "local_file" "vars_file" {
|
||||
content = yamlencode({
|
||||
cluster = module.cluster.name
|
||||
region = var.region
|
||||
project_id = module.project.project_id
|
||||
envgroup = local.envgroup
|
||||
env = local.environment
|
||||
hostname = var.hostname
|
||||
cluster = module.cluster.name
|
||||
region = var.region
|
||||
project_id = module.project.project_id
|
||||
envgroups = local.envgroups
|
||||
environments = local.environments
|
||||
service_accounts = local.google_sas
|
||||
ingress_ip_name = local.ingress_ip_name
|
||||
})
|
||||
filename = "${path.module}/ansible/vars/vars.yaml"
|
||||
file_permission = "0666"
|
||||
|
|
|
@ -0,0 +1,28 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Create and annotate k8s service account
|
||||
kubernetes.core.k8s:
|
||||
state: present
|
||||
definition:
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: "{{ k8s_service_account }}"
|
||||
namespace: apigee
|
||||
annotations:
|
||||
iam.gke.io/gcp-service-account: "{{ google_service_account }}@{{ project_id }}.iam.gserviceaccount.com"
|
||||
with_items: "{{ k8s_service_accounts }}"
|
||||
loop_control:
|
||||
loop_var: k8s_service_account
|
|
@ -1,11 +1,11 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
|
@ -19,18 +19,27 @@
|
|||
--project {{ project_id }} \
|
||||
--internal-ip
|
||||
|
||||
- name: Install cert-manager
|
||||
shell: >
|
||||
kubectl apply \
|
||||
--validate=false \
|
||||
-f https://github.com/jetstack/cert-manager/releases/download/v1.7.2/cert-manager.yaml
|
||||
- name: Download cert-manager
|
||||
uri:
|
||||
url: https://github.com/jetstack/cert-manager/releases/download/v1.7.2/cert-manager.yaml
|
||||
dest: ~/cert-manager.yaml
|
||||
|
||||
- name: Wait until pods are ready in cert-manager namespace
|
||||
shell: >
|
||||
kubectl wait --for=condition=ready pods \
|
||||
-l app.kubernetes.io/instance=cert-manager \
|
||||
-n cert-manager \
|
||||
--timeout=90s
|
||||
- name: Apply metrics-server manifest to the cluster.
|
||||
kubernetes.core.k8s:
|
||||
state: present
|
||||
src: ~/cert-manager.yaml
|
||||
|
||||
- name:
|
||||
kubernetes.core.k8s_info:
|
||||
kind: Pod
|
||||
wait: yes
|
||||
label_selectors:
|
||||
- "app.kubernetes.io/instance=cert-manager"
|
||||
namespace: cert-manager
|
||||
wait_timeout: 90
|
||||
wait_condition:
|
||||
type: Ready
|
||||
status: True
|
||||
|
||||
- name: Fetch apigeectl version
|
||||
uri:
|
||||
|
@ -48,7 +57,7 @@
|
|||
unarchive:
|
||||
src: "~/apigeectl.tar.gz"
|
||||
dest: "~"
|
||||
remote_src: yes
|
||||
remote_src: yes
|
||||
|
||||
- name: Move apigeectl folder
|
||||
shell: >
|
||||
|
@ -66,25 +75,69 @@
|
|||
file:
|
||||
src: ~/apigeectl/{{ item }}
|
||||
dest: "~/hybrid-files/{{ item }}"
|
||||
state: link
|
||||
state: link
|
||||
with_items:
|
||||
- tools
|
||||
- config
|
||||
- templates
|
||||
- plugins
|
||||
- plugins
|
||||
|
||||
- name: Create service accounts
|
||||
shell: >
|
||||
~/hybrid-files/tools/create-service-account -i {{ project_id }} -e non-prod -d ~/hybrid-files/service-accounts
|
||||
- name: Create apigee namespace
|
||||
kubernetes.core.k8s:
|
||||
state: present
|
||||
definition:
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: apigee
|
||||
|
||||
- name: Create certificates
|
||||
- name: Create k8s service accounts
|
||||
include_tasks: k8s_service_accounts.yaml
|
||||
vars:
|
||||
google_service_account: "{{ item.key }}"
|
||||
k8s_service_accounts: "{{ item.value }}"
|
||||
with_dict: "{{ service_accounts }}"
|
||||
|
||||
- name: Set hostnames
|
||||
set_fact:
|
||||
hostnames: "{{ hostnames | default([]) + item.value }}"
|
||||
with_dict: "{{ envgroups }}"
|
||||
|
||||
- name: Create certificate and private key
|
||||
shell: >
|
||||
openssl req \
|
||||
-nodes \
|
||||
-new \
|
||||
-x509 \
|
||||
-keyout ~/hybrid-files/certs/{{ envgroup }}.key \
|
||||
-out ~/hybrid-files/certs/{{ envgroup }}.cert -subj '/CN='{{ hostname }}'' -days 3650
|
||||
-keyout ~/hybrid-files/certs/server.key \
|
||||
-out ~/hybrid-files/certs/server.crt \
|
||||
-subj "/CN=apigee.com' \
|
||||
-addext "subjectAltName={{ hostnames | map('regex_replace', '^', 'DNS:') | join(',') }}""
|
||||
-days 3650
|
||||
|
||||
- name: Read certificate
|
||||
slurp:
|
||||
src: ~/hybrid-files/certs/server.crt
|
||||
register: certificate_output
|
||||
|
||||
- name: Read private ket
|
||||
slurp:
|
||||
src: ~/hybrid-files/certs/server.key
|
||||
register: privatekey_output
|
||||
|
||||
- name: Create secret
|
||||
kubernetes.core.k8s:
|
||||
state: present
|
||||
definition:
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: tls-hybrid-ingress
|
||||
namespace: apigee
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
tls.crt: "{{ certificate_output.content }}"
|
||||
tls.key: "{{ privatekey_output.content }}"
|
||||
|
||||
- name: Create overrides.yaml
|
||||
template:
|
||||
|
@ -96,48 +149,185 @@
|
|||
curl -X POST -H "Authorization: Bearer $(gcloud auth print-access-token)" \
|
||||
-H "Content-Type:application/json" \
|
||||
"https://apigee.googleapis.com/v1/organizations/{{ project_id }}:setSyncAuthorization" \
|
||||
-d '{"identities":["'"serviceAccount:apigee-non-prod@{{ project_id }}.iam.gserviceaccount.com"'"]}'
|
||||
-d '{"identities":["'"serviceAccount:apigee-synchronizer@{{ project_id }}.iam.gserviceaccount.com"'"]}'
|
||||
|
||||
- name: Dry-run (init)
|
||||
shell: >
|
||||
~/apigeectl/apigeectl init -f overrides/overrides.yaml --dry-run=client
|
||||
~/apigeectl/apigeectl init -f overrides/overrides.yaml --dry-run=client
|
||||
args:
|
||||
chdir: ~/hybrid-files
|
||||
|
||||
- name: Install the Apigee deployment services Apigee Deployment Controller and Apigee Admission Webhook.
|
||||
shell: >
|
||||
~/apigeectl/apigeectl init -f overrides/overrides.yaml
|
||||
~/apigeectl/apigeectl init -f overrides/overrides.yaml
|
||||
args:
|
||||
chdir: ~/hybrid-files
|
||||
chdir: ~/hybrid-files
|
||||
|
||||
- name: Wait until pods are ready in apigee-system namespace
|
||||
shell: >
|
||||
kubectl wait --for=condition=ready pods \
|
||||
-l app=apigee-controller \
|
||||
-n apigee-system \
|
||||
--timeout=300s
|
||||
- name: Wait for apigee-controller pod to be ready
|
||||
kubernetes.core.k8s_info:
|
||||
kind: Pod
|
||||
wait: yes
|
||||
label_selectors:
|
||||
- "app=apigee-controller"
|
||||
namespace: apigee-system
|
||||
wait_timeout: 600
|
||||
wait_condition:
|
||||
type: Ready
|
||||
status: True
|
||||
|
||||
- name: Wait until pods are ready in apigee namespace
|
||||
shell: >
|
||||
kubectl wait --for=condition=ready pods \
|
||||
-l app=apigee-ingressgateway-manager \
|
||||
-n apigee \
|
||||
--timeout=300s
|
||||
- name: Wait for apigee-selfsigned-issuer issuer to be ready
|
||||
kubernetes.core.k8s_info:
|
||||
kind: Issuer
|
||||
wait: yes
|
||||
name: apigee-selfsigned-issuer
|
||||
namespace: apigee-system
|
||||
wait_timeout: 600
|
||||
wait_condition:
|
||||
type: Ready
|
||||
status: True
|
||||
|
||||
- name: Wait for apigee-serving-cert certificate to be ready
|
||||
kubernetes.core.k8s_info:
|
||||
kind: Certificate
|
||||
wait: yes
|
||||
name: apigee-serving-cert
|
||||
namespace: apigee-system
|
||||
wait_timeout: 600
|
||||
wait_condition:
|
||||
type: Ready
|
||||
status: True
|
||||
|
||||
- name: Wait for apigee-resources-install job to be complete
|
||||
kubernetes.core.k8s_info:
|
||||
kind: Job
|
||||
wait: yes
|
||||
name: apigee-resources-install
|
||||
namespace: apigee-system
|
||||
wait_timeout: 360
|
||||
wait_condition:
|
||||
type: Complete
|
||||
status: True
|
||||
|
||||
- name: Dry-run (apply)
|
||||
shell: >
|
||||
~/apigeectl/apigeectl apply -f overrides/overrides.yaml --dry-run=client
|
||||
~/apigeectl/apigeectl apply -f overrides/overrides.yaml --dry-run=client
|
||||
args:
|
||||
chdir: ~/hybrid-files
|
||||
|
||||
- name: Install the Apigee runtime components
|
||||
shell: >
|
||||
~/apigeectl/apigeectl apply -f overrides/overrides.yaml
|
||||
~/apigeectl/apigeectl apply -f overrides/overrides.yaml
|
||||
args:
|
||||
chdir: ~/hybrid-files
|
||||
chdir: ~/hybrid-files
|
||||
|
||||
- name: Check status of the deployment
|
||||
shell: >
|
||||
while [ -n "$(kubectl get pods -n apigee | tail -n +2 | grep -v Running | grep -v Completed)" ]; do sleep 1; done
|
||||
args:
|
||||
chdir: ~/hybrid-files
|
||||
- name: Wait for apigee-runtime pod to be ready
|
||||
kubernetes.core.k8s_info:
|
||||
kind: Pod
|
||||
wait: yes
|
||||
label_selectors:
|
||||
- "app=apigee-runtime"
|
||||
namespace: apigee
|
||||
wait_timeout: 360
|
||||
wait_condition:
|
||||
type: Ready
|
||||
status: True
|
||||
|
||||
- name:
|
||||
kubernetes.core.k8s:
|
||||
state: present
|
||||
definition:
|
||||
apiVersion: apigee.cloud.google.com/v1alpha1
|
||||
kind: ApigeeRoute
|
||||
metadata:
|
||||
name: apigee-wildcard
|
||||
namespace: apigee
|
||||
spec:
|
||||
hostnames:
|
||||
- '*'
|
||||
ports:
|
||||
- number: 443
|
||||
protocol: HTTPS
|
||||
tls:
|
||||
credentialName: tls-hybrid-ingress
|
||||
mode: SIMPLE
|
||||
selector:
|
||||
app: apigee-ingressgateway
|
||||
enableNonSniClient: true
|
||||
|
||||
- name: Create google-managed certificate
|
||||
kubernetes.core.k8s:
|
||||
state: present
|
||||
definition:
|
||||
apiVersion: networking.gke.io/v1
|
||||
kind: ManagedCertificate
|
||||
metadata:
|
||||
name: "apigee-cert-hybrid"
|
||||
namespace: apigee
|
||||
spec:
|
||||
domains: "{{ hostnames }}"
|
||||
|
||||
- name: Create backend config
|
||||
kubernetes.core.k8s:
|
||||
state: present
|
||||
definition:
|
||||
apiVersion: cloud.google.com/v1
|
||||
kind: BackendConfig
|
||||
metadata:
|
||||
name: apigee-ingress-backendconfig
|
||||
namespace: apigee
|
||||
spec:
|
||||
healthCheck:
|
||||
requestPath: /healthz/ready
|
||||
port: 15021
|
||||
type: HTTP
|
||||
logging:
|
||||
enable: true
|
||||
sampleRate: 0.5
|
||||
|
||||
- name: Create service
|
||||
kubernetes.core.k8s:
|
||||
state: present
|
||||
definition:
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: apigee-ingressgateway-hybrid
|
||||
namespace: apigee
|
||||
annotations:
|
||||
cloud.google.com/backend-config: '{"default": "apigee-ingress-backendconfig"}'
|
||||
cloud.google.com/neg: '{"ingress": true}'
|
||||
cloud.google.com/app-protocols: '{"https":"HTTPS", "status-port": "HTTP"}'
|
||||
labels:
|
||||
app: apigee-ingressgateway-hybrid
|
||||
spec:
|
||||
ports:
|
||||
- name: status-port
|
||||
port: 15021
|
||||
targetPort: 15021
|
||||
- name: https
|
||||
port: 443
|
||||
targetPort: 8443
|
||||
selector:
|
||||
app: apigee-ingressgateway
|
||||
ingress_name: ingress
|
||||
type: ClusterIP
|
||||
|
||||
- name: Create ingress
|
||||
kubernetes.core.k8s:
|
||||
state: present
|
||||
definition:
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
annotations:
|
||||
networking.gke.io/managed-certificates: "apigee-cert-hybrid"
|
||||
kubernetes.io/ingress.global-static-ip-name: "{{ ingress_ip_name }}"
|
||||
kubernetes.io/ingress.allow-http: "false"
|
||||
name: xlb-apigee
|
||||
namespace: apigee
|
||||
spec:
|
||||
defaultBackend:
|
||||
service:
|
||||
name: apigee-ingressgateway-hybrid
|
||||
port:
|
||||
number: 443
|
|
@ -1,29 +1,26 @@
|
|||
gcp:
|
||||
region: {{ region }}
|
||||
projectID: {{ project_id }}
|
||||
workloadIdentityEnabled: true
|
||||
|
||||
k8sCluster:
|
||||
name: {{ cluster }}
|
||||
region: CLUSTER_LOCATION # Must be the closest Google Cloud region to your cluster.
|
||||
region: {{ region }} # Must be the closest Google Cloud region to your cluster.
|
||||
org: {{ project_id }}
|
||||
|
||||
instanceID: "instance-1"
|
||||
instanceID: "{{ cluster }}-{{ region }}"
|
||||
|
||||
cassandra:
|
||||
hostNetwork: false
|
||||
# Set to false for single region installations and multi-region installations
|
||||
# with connectivity between pods in different clusters, for example GKE installations.
|
||||
# Set to true for multi-region installations with no communication between
|
||||
# pods in different clusters, for example GKE On-prem, GKE on AWS, Anthos on bare metal,
|
||||
# AKS, EKS, and OpenShift installations.
|
||||
# See Multi-region deployment: Prerequisites
|
||||
|
||||
virtualhosts:
|
||||
- name: {{ envgroup }}
|
||||
{% for k in envgroups %}
|
||||
- name: {{ k }}
|
||||
sslSecret: tls-hybrid-ingress
|
||||
additionalGateways: ["apigee-wildcard"]
|
||||
selector:
|
||||
app: apigee-ingressgateway
|
||||
sslCertPath: ./certs/{{ envgroup }}.cert
|
||||
sslKeyPath: ./certs/{{ envgroup }}.key
|
||||
{% endfor %}
|
||||
|
||||
ao:
|
||||
args:
|
||||
|
@ -37,27 +34,9 @@ ingressGateways:
|
|||
replicaCountMax: 10
|
||||
|
||||
envs:
|
||||
- name: {{ env }}
|
||||
serviceAccountPaths:
|
||||
synchronizer: ./service-accounts/{{ project_id }}-apigee-non-prod.json
|
||||
udca: ./service-accounts/{{ project_id }}-apigee-non-prod.json
|
||||
runtime: ./service-accounts/{{ project_id }}-apigee-non-prod.json
|
||||
|
||||
mart:
|
||||
serviceAccountPath: ./service-accounts/{{ project_id }}-apigee-non-prod.json
|
||||
|
||||
connectAgent:
|
||||
serviceAccountPath: ./service-accounts/{{ project_id }}-apigee-non-prod.json
|
||||
|
||||
metrics:
|
||||
serviceAccountPath: ./service-accounts/{{ project_id }}-apigee-non-prod.json
|
||||
|
||||
udca:
|
||||
serviceAccountPath: ./service-accounts/{{ project_id }}-apigee-non-prod.json
|
||||
|
||||
watcher:
|
||||
serviceAccountPath: ./service-accounts/{{ project_id }}-apigee-non-prod.json
|
||||
{% for k in environments %}
|
||||
- name: {{ k }}
|
||||
{% endfor %}
|
||||
|
||||
logger:
|
||||
enabled: true
|
||||
serviceAccountPath: ./service-accounts/{{ project_id }}-apigee-non-prod.json
|
||||
enabled: false
|
||||
|
|
|
@ -15,8 +15,51 @@
|
|||
*/
|
||||
|
||||
locals {
|
||||
envgroup = "test"
|
||||
environment = "apis-test"
|
||||
envgroups = {
|
||||
test = [var.hostname]
|
||||
}
|
||||
environments = {
|
||||
apis-test = {
|
||||
envgroups = ["test"]
|
||||
}
|
||||
}
|
||||
org_short_name = (length(module.project.project_id) < 16 ?
|
||||
module.project.project_id :
|
||||
substr(module.project.project_id, 0, 15))
|
||||
org_hash = format("%s-%s", local.org_short_name, substr(sha256(module.project.project_id), 0, 7))
|
||||
org_env_hashes = {
|
||||
for k, v in local.environments :
|
||||
k => format("%s-%s-%s", local.org_short_name, length(k) < 16 ? k : substr(k, 0, 15), substr(sha256("${module.project.project_id}:${k}"), 0, 7))
|
||||
}
|
||||
google_sas = {
|
||||
apigee-metrics = [
|
||||
"apigee-metrics-sa"
|
||||
]
|
||||
apigee-cassandra = [
|
||||
"apigee-cassandra-schema-setup-${local.org_hash}-sa",
|
||||
"apigee-cassandra-user-setup-${local.org_hash}-sa"
|
||||
]
|
||||
apigee-mart = [
|
||||
"apigee-mart-${local.org_hash}-sa",
|
||||
"apigee-connect-agent-${local.org_hash}-sa"
|
||||
]
|
||||
apigee-watcher = [
|
||||
"apigee-watcher-${local.org_hash}-sa"
|
||||
]
|
||||
apigee-udca = concat([
|
||||
"apigee-udca-${local.org_hash}-sa"
|
||||
],
|
||||
[for k, v in local.org_env_hashes :
|
||||
"apigee-udca-${local.org_env_hashes[k]}-sa"
|
||||
])
|
||||
apigee-synchronizer = [
|
||||
for k, v in local.org_env_hashes :
|
||||
"apigee-synchronizer-${local.org_env_hashes[k]}-sa"
|
||||
]
|
||||
apigee-runtime = [for k, v in local.org_env_hashes :
|
||||
"apigee-runtime-${local.org_env_hashes[k]}-sa"
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
module "apigee" {
|
||||
|
@ -26,20 +69,24 @@ module "apigee" {
|
|||
analytics_region = var.region
|
||||
runtime_type = "HYBRID"
|
||||
}
|
||||
envgroups = {
|
||||
(local.envgroup) = [var.hostname]
|
||||
}
|
||||
environments = {
|
||||
(local.environment) = {
|
||||
envgroups = [local.envgroup]
|
||||
}
|
||||
envgroups = local.envgroups
|
||||
environments = local.environments
|
||||
}
|
||||
|
||||
module "sas" {
|
||||
for_each = local.google_sas
|
||||
source = "../../../modules/iam-service-account"
|
||||
project_id = module.project.project_id
|
||||
name = each.key
|
||||
# authoritative roles granted *on* the service accounts to other identities
|
||||
iam = {
|
||||
"roles/iam.workloadIdentityUser" = [for v in each.value : "serviceAccount:${module.project.project_id}.svc.id.goog[apigee/${v}]"]
|
||||
}
|
||||
}
|
||||
|
||||
resource "local_file" "deploy_apiproxy_file" {
|
||||
content = templatefile("${path.module}/templates/deploy-apiproxy.sh.tpl", {
|
||||
org = module.project.project_id
|
||||
env = local.environment
|
||||
})
|
||||
filename = "${path.module}/deploy-apiproxy.sh"
|
||||
file_permission = "0777"
|
||||
|
|
Binary file not shown.
Before Width: | Height: | Size: 35 KiB After Width: | Height: | Size: 35 KiB |
|
@ -1,5 +1,5 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
* Copyright 2023 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
@ -14,14 +14,12 @@
|
|||
* limitations under the License.
|
||||
*/
|
||||
|
||||
module "test" {
|
||||
source = "../../../../modules/dns"
|
||||
project_id = "my-project"
|
||||
name = "test"
|
||||
domain = "test.example."
|
||||
client_networks = var.client_networks
|
||||
type = var.type
|
||||
forwarders = var.forwarders
|
||||
peer_network = var.peer_network
|
||||
recordsets = var.recordsets
|
||||
locals {
|
||||
ingress_ip_name = "apigee"
|
||||
}
|
||||
|
||||
module "addresses" {
|
||||
source = "../../../modules/net-address"
|
||||
project_id = module.project.project_id
|
||||
global_addresses = [local.ingress_ip_name]
|
||||
}
|
|
@ -40,5 +40,12 @@ module "project" {
|
|||
"roles/resourcemanager.projectIamAdmin" = [module.mgmt_server.service_account_iam_email]
|
||||
"roles/iam.serviceAccountAdmin" = [module.mgmt_server.service_account_iam_email]
|
||||
"roles/iam.serviceAccountKeyAdmin" = [module.mgmt_server.service_account_iam_email]
|
||||
"roles/monitoring.metricWriter" = [module.sas["apigee-metrics"].iam_email]
|
||||
"roles/storage.objectAdmin" = [module.sas["apigee-cassandra"].iam_email]
|
||||
"roles/apigeeconnect.Agent" = [module.sas["apigee-mart"].iam_email]
|
||||
"roles/apigee.runtimeAgent" = [module.sas["apigee-watcher"].iam_email]
|
||||
"roles/apigee.analyticsAgent" = [module.sas["apigee-udca"].iam_email]
|
||||
"roles/apigee.synchronizerManager" = [module.sas["apigee-synchronizer"].iam_email]
|
||||
"roles/cloudtrace.agent" = [module.sas["apigee-runtime"].iam_email]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -34,4 +34,12 @@ module "mgmt_server" {
|
|||
type = var.mgmt_server_config.disk_type
|
||||
size = var.mgmt_server_config.disk_size
|
||||
}
|
||||
}
|
||||
metadata = {
|
||||
startup-script = <<EOT
|
||||
#!/bin/bash
|
||||
apt update -y
|
||||
apt install python3-pip -y
|
||||
pip3 install kubernetes
|
||||
EOT
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
* Copyright 2023 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
@ -14,16 +14,7 @@
|
|||
* limitations under the License.
|
||||
*/
|
||||
|
||||
module "test" {
|
||||
source = "../../../../modules/gke-cluster"
|
||||
project_id = "my-project"
|
||||
name = "cluster-1"
|
||||
location = "europe-west1-b"
|
||||
vpc_config = {
|
||||
network = "mynetwork"
|
||||
subnetwork = "mysubnet"
|
||||
}
|
||||
enable_addons = var.enable_addons
|
||||
enable_features = var.enable_features
|
||||
tags = var.tags
|
||||
output "ip_address" {
|
||||
description = "GLB IP address."
|
||||
value = module.addresses.global_addresses["apigee"].address
|
||||
}
|
|
@ -14,8 +14,13 @@
|
|||
|
||||
#!/bin/bash
|
||||
|
||||
if [ $# -lt 1 ]; then
|
||||
echo "Usage: $0 ENVIRONMENT"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
ORG_NAME=${org}
|
||||
ENV_NAME=${env}
|
||||
ENV_NAME=$1
|
||||
|
||||
wget https://github.com/apigee/api-platform-samples/raw/master/sample-proxies/apigee-quickstart/httpbin_rev1_2020_02_02.zip -O apiproxy.zip
|
||||
|
||||
|
|
|
@ -1,5 +1,4 @@
|
|||
{
|
||||
"category": "CUSTOM",
|
||||
"displayName": "quotas_utilization",
|
||||
"mosaicLayout": {
|
||||
"columns": 12,
|
||||
|
@ -18,7 +17,6 @@
|
|||
"plotType": "LINE",
|
||||
"targetAxis": "Y1",
|
||||
"timeSeriesQuery": {
|
||||
"apiSource": "DEFAULT_CLOUD",
|
||||
"timeSeriesFilter": {
|
||||
"aggregation": {
|
||||
"alignmentPeriod": "3600s",
|
||||
|
@ -40,9 +38,7 @@
|
|||
}
|
||||
}
|
||||
},
|
||||
"width": 6,
|
||||
"xPos": 0,
|
||||
"yPos": 0
|
||||
"width": 6
|
||||
},
|
||||
{
|
||||
"height": 4,
|
||||
|
@ -58,7 +54,6 @@
|
|||
"plotType": "LINE",
|
||||
"targetAxis": "Y1",
|
||||
"timeSeriesQuery": {
|
||||
"apiSource": "DEFAULT_CLOUD",
|
||||
"timeSeriesFilter": {
|
||||
"aggregation": {
|
||||
"alignmentPeriod": "3600s",
|
||||
|
@ -81,7 +76,6 @@
|
|||
}
|
||||
},
|
||||
"width": 6,
|
||||
"xPos": 0,
|
||||
"yPos": 12
|
||||
},
|
||||
{
|
||||
|
@ -98,7 +92,6 @@
|
|||
"plotType": "LINE",
|
||||
"targetAxis": "Y1",
|
||||
"timeSeriesQuery": {
|
||||
"apiSource": "DEFAULT_CLOUD",
|
||||
"timeSeriesFilter": {
|
||||
"aggregation": {
|
||||
"alignmentPeriod": "3600s",
|
||||
|
@ -121,7 +114,6 @@
|
|||
}
|
||||
},
|
||||
"width": 6,
|
||||
"xPos": 0,
|
||||
"yPos": 8
|
||||
},
|
||||
{
|
||||
|
@ -138,7 +130,6 @@
|
|||
"plotType": "LINE",
|
||||
"targetAxis": "Y1",
|
||||
"timeSeriesQuery": {
|
||||
"apiSource": "DEFAULT_CLOUD",
|
||||
"timeSeriesFilter": {
|
||||
"aggregation": {
|
||||
"alignmentPeriod": "3600s",
|
||||
|
@ -178,7 +169,6 @@
|
|||
"plotType": "LINE",
|
||||
"targetAxis": "Y1",
|
||||
"timeSeriesQuery": {
|
||||
"apiSource": "DEFAULT_CLOUD",
|
||||
"timeSeriesFilter": {
|
||||
"aggregation": {
|
||||
"alignmentPeriod": "3600s",
|
||||
|
@ -201,7 +191,6 @@
|
|||
}
|
||||
},
|
||||
"width": 6,
|
||||
"xPos": 0,
|
||||
"yPos": 4
|
||||
},
|
||||
{
|
||||
|
@ -218,7 +207,6 @@
|
|||
"plotType": "LINE",
|
||||
"targetAxis": "Y1",
|
||||
"timeSeriesQuery": {
|
||||
"apiSource": "DEFAULT_CLOUD",
|
||||
"timeSeriesFilter": {
|
||||
"aggregation": {
|
||||
"alignmentPeriod": "3600s",
|
||||
|
@ -241,8 +229,7 @@
|
|||
}
|
||||
},
|
||||
"width": 6,
|
||||
"xPos": 6,
|
||||
"yPos": 0
|
||||
"xPos": 6
|
||||
},
|
||||
{
|
||||
"height": 4,
|
||||
|
@ -258,7 +245,6 @@
|
|||
"plotType": "LINE",
|
||||
"targetAxis": "Y1",
|
||||
"timeSeriesQuery": {
|
||||
"apiSource": "DEFAULT_CLOUD",
|
||||
"timeSeriesFilter": {
|
||||
"aggregation": {
|
||||
"alignmentPeriod": "3600s",
|
||||
|
@ -298,7 +284,6 @@
|
|||
"plotType": "LINE",
|
||||
"targetAxis": "Y1",
|
||||
"timeSeriesQuery": {
|
||||
"apiSource": "DEFAULT_CLOUD",
|
||||
"timeSeriesFilter": {
|
||||
"aggregation": {
|
||||
"alignmentPeriod": "3600s",
|
||||
|
@ -330,17 +315,19 @@
|
|||
},
|
||||
"dataSets": [
|
||||
{
|
||||
"minAlignmentPeriod": "60s",
|
||||
"minAlignmentPeriod": "3600s",
|
||||
"plotType": "LINE",
|
||||
"targetAxis": "Y1",
|
||||
"timeSeriesQuery": {
|
||||
"apiSource": "DEFAULT_CLOUD",
|
||||
"timeSeriesFilter": {
|
||||
"aggregation": {
|
||||
"alignmentPeriod": "60s",
|
||||
"perSeriesAligner": "ALIGN_MEAN"
|
||||
"alignmentPeriod": "3600s",
|
||||
"perSeriesAligner": "ALIGN_NEXT_OLDER"
|
||||
},
|
||||
"filter": "metric.type=\"custom.googleapis.com/netmon/peering_group/routes_dynamic_used_ratio\" resource.type=\"global\""
|
||||
"filter": "metric.type=\"custom.googleapis.com/netmon/peering_group/routes_dynamic_used_ratio\" resource.type=\"global\"",
|
||||
"secondaryAggregation": {
|
||||
"alignmentPeriod": "60s"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -353,7 +340,6 @@
|
|||
}
|
||||
},
|
||||
"width": 6,
|
||||
"xPos": 0,
|
||||
"yPos": 20
|
||||
},
|
||||
{
|
||||
|
@ -366,21 +352,23 @@
|
|||
},
|
||||
"dataSets": [
|
||||
{
|
||||
"minAlignmentPeriod": "60s",
|
||||
"minAlignmentPeriod": "3600s",
|
||||
"plotType": "LINE",
|
||||
"targetAxis": "Y1",
|
||||
"timeSeriesQuery": {
|
||||
"apiSource": "DEFAULT_CLOUD",
|
||||
"timeSeriesFilter": {
|
||||
"aggregation": {
|
||||
"alignmentPeriod": "60s",
|
||||
"alignmentPeriod": "3600s",
|
||||
"crossSeriesReducer": "REDUCE_SUM",
|
||||
"groupByFields": [
|
||||
"metric.label.\"project\""
|
||||
],
|
||||
"perSeriesAligner": "ALIGN_MEAN"
|
||||
"perSeriesAligner": "ALIGN_NEXT_OLDER"
|
||||
},
|
||||
"filter": "metric.type=\"custom.googleapis.com/netmon/project/firewall_rules_used_ratio\" resource.type=\"global\""
|
||||
"filter": "metric.type=\"custom.googleapis.com/netmon/project/firewall_rules_used_ratio\" resource.type=\"global\"",
|
||||
"secondaryAggregation": {
|
||||
"alignmentPeriod": "60s"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -393,8 +381,7 @@
|
|||
}
|
||||
},
|
||||
"width": 6,
|
||||
"xPos": 0,
|
||||
"yPos": 32
|
||||
"yPos": 28
|
||||
},
|
||||
{
|
||||
"height": 4,
|
||||
|
@ -406,17 +393,19 @@
|
|||
},
|
||||
"dataSets": [
|
||||
{
|
||||
"minAlignmentPeriod": "60s",
|
||||
"minAlignmentPeriod": "3600s",
|
||||
"plotType": "LINE",
|
||||
"targetAxis": "Y1",
|
||||
"timeSeriesQuery": {
|
||||
"apiSource": "DEFAULT_CLOUD",
|
||||
"timeSeriesFilter": {
|
||||
"aggregation": {
|
||||
"alignmentPeriod": "60s",
|
||||
"perSeriesAligner": "ALIGN_MEAN"
|
||||
"alignmentPeriod": "3600s",
|
||||
"perSeriesAligner": "ALIGN_NEXT_OLDER"
|
||||
},
|
||||
"filter": "metric.type=\"custom.googleapis.com/netmon/firewall_policy/tuples_used_ratio\" resource.type=\"global\""
|
||||
"filter": "metric.type=\"custom.googleapis.com/netmon/firewall_policy/tuples_used_ratio\" resource.type=\"global\"",
|
||||
"secondaryAggregation": {
|
||||
"alignmentPeriod": "60s"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -430,7 +419,7 @@
|
|||
},
|
||||
"width": 6,
|
||||
"xPos": 6,
|
||||
"yPos": 28
|
||||
"yPos": 24
|
||||
},
|
||||
{
|
||||
"height": 4,
|
||||
|
@ -442,17 +431,135 @@
|
|||
},
|
||||
"dataSets": [
|
||||
{
|
||||
"minAlignmentPeriod": "60s",
|
||||
"minAlignmentPeriod": "3600s",
|
||||
"plotType": "LINE",
|
||||
"targetAxis": "Y1",
|
||||
"timeSeriesQuery": {
|
||||
"apiSource": "DEFAULT_CLOUD",
|
||||
"timeSeriesFilter": {
|
||||
"aggregation": {
|
||||
"alignmentPeriod": "60s",
|
||||
"perSeriesAligner": "ALIGN_MEAN"
|
||||
"alignmentPeriod": "3600s",
|
||||
"perSeriesAligner": "ALIGN_NEXT_OLDER"
|
||||
},
|
||||
"filter": "metric.type=\"custom.googleapis.com/netmon/subnetwork/addresses_used_ratio\" resource.type=\"global\""
|
||||
"filter": "metric.type=\"custom.googleapis.com/netmon/subnetwork/addresses_used_ratio\" resource.type=\"global\"",
|
||||
"secondaryAggregation": {
|
||||
"alignmentPeriod": "60s"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
],
|
||||
"timeshiftDuration": "0s",
|
||||
"yAxis": {
|
||||
"label": "y1Axis",
|
||||
"scale": "LINEAR"
|
||||
}
|
||||
}
|
||||
},
|
||||
"width": 6,
|
||||
"yPos": 16
|
||||
},
|
||||
{
|
||||
"height": 4,
|
||||
"widget": {
|
||||
"title": "Project static routes used",
|
||||
"xyChart": {
|
||||
"chartOptions": {
|
||||
"mode": "COLOR"
|
||||
},
|
||||
"dataSets": [
|
||||
{
|
||||
"minAlignmentPeriod": "3600s",
|
||||
"plotType": "LINE",
|
||||
"targetAxis": "Y1",
|
||||
"timeSeriesQuery": {
|
||||
"timeSeriesFilter": {
|
||||
"aggregation": {
|
||||
"alignmentPeriod": "3600s",
|
||||
"crossSeriesReducer": "REDUCE_SUM",
|
||||
"groupByFields": [
|
||||
"metric.label.\"project\""
|
||||
],
|
||||
"perSeriesAligner": "ALIGN_NEXT_OLDER"
|
||||
},
|
||||
"filter": "metric.type=\"custom.googleapis.com/netmon/project/routes_static_used_ratio\" resource.type=\"global\"",
|
||||
"secondaryAggregation": {
|
||||
"alignmentPeriod": "60s"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
],
|
||||
"timeshiftDuration": "0s",
|
||||
"yAxis": {
|
||||
"label": "y1Axis",
|
||||
"scale": "LINEAR"
|
||||
}
|
||||
}
|
||||
},
|
||||
"width": 6,
|
||||
"xPos": 6,
|
||||
"yPos": 20
|
||||
},
|
||||
{
|
||||
"height": 4,
|
||||
"widget": {
|
||||
"title": "Peering group static routes used",
|
||||
"xyChart": {
|
||||
"chartOptions": {
|
||||
"mode": "COLOR"
|
||||
},
|
||||
"dataSets": [
|
||||
{
|
||||
"minAlignmentPeriod": "3600s",
|
||||
"plotType": "LINE",
|
||||
"targetAxis": "Y1",
|
||||
"timeSeriesQuery": {
|
||||
"timeSeriesFilter": {
|
||||
"aggregation": {
|
||||
"alignmentPeriod": "3600s",
|
||||
"perSeriesAligner": "ALIGN_NEXT_OLDER"
|
||||
},
|
||||
"filter": "metric.type=\"custom.googleapis.com/netmon/peering_group/routes_static_used_ratio\" resource.type=\"global\"",
|
||||
"secondaryAggregation": {
|
||||
"alignmentPeriod": "60s"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
],
|
||||
"timeshiftDuration": "0s",
|
||||
"yAxis": {
|
||||
"label": "y1Axis",
|
||||
"scale": "LINEAR"
|
||||
}
|
||||
}
|
||||
},
|
||||
"width": 6,
|
||||
"yPos": 24
|
||||
},
|
||||
{
|
||||
"height": 4,
|
||||
"widget": {
|
||||
"title": "Addresses used ratio per psa range [NEXT OLDER]",
|
||||
"xyChart": {
|
||||
"chartOptions": {
|
||||
"mode": "COLOR"
|
||||
},
|
||||
"dataSets": [
|
||||
{
|
||||
"minAlignmentPeriod": "3600s",
|
||||
"plotType": "LINE",
|
||||
"targetAxis": "Y1",
|
||||
"timeSeriesQuery": {
|
||||
"timeSeriesFilter": {
|
||||
"aggregation": {
|
||||
"alignmentPeriod": "3600s",
|
||||
"perSeriesAligner": "ALIGN_NEXT_OLDER"
|
||||
},
|
||||
"filter": "metric.type=\"custom.googleapis.com/netmon/network/psa/addresses_used_ratio\" resource.type=\"global\"",
|
||||
"secondaryAggregation": {
|
||||
"alignmentPeriod": "60s"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -467,88 +574,6 @@
|
|||
"width": 6,
|
||||
"xPos": 6,
|
||||
"yPos": 16
|
||||
},
|
||||
{
|
||||
"height": 4,
|
||||
"widget": {
|
||||
"title": "Project static routes used",
|
||||
"xyChart": {
|
||||
"chartOptions": {
|
||||
"mode": "COLOR"
|
||||
},
|
||||
"dataSets": [
|
||||
{
|
||||
"minAlignmentPeriod": "60s",
|
||||
"plotType": "LINE",
|
||||
"targetAxis": "Y1",
|
||||
"timeSeriesQuery": {
|
||||
"apiSource": "DEFAULT_CLOUD",
|
||||
"timeSeriesFilter": {
|
||||
"aggregation": {
|
||||
"alignmentPeriod": "60s",
|
||||
"crossSeriesReducer": "REDUCE_SUM",
|
||||
"groupByFields": [
|
||||
"metric.label.\"project\""
|
||||
],
|
||||
"perSeriesAligner": "ALIGN_MEAN"
|
||||
},
|
||||
"filter": "metric.type=\"custom.googleapis.com/netmon/project/routes_static_used_ratio\" resource.type=\"global\"",
|
||||
"secondaryAggregation": {
|
||||
"alignmentPeriod": "60s",
|
||||
"perSeriesAligner": "ALIGN_NONE"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
],
|
||||
"thresholds": [],
|
||||
"timeshiftDuration": "0s",
|
||||
"yAxis": {
|
||||
"label": "y1Axis",
|
||||
"scale": "LINEAR"
|
||||
}
|
||||
}
|
||||
},
|
||||
"width": 6,
|
||||
"xPos": 0,
|
||||
"yPos": 24
|
||||
},
|
||||
{
|
||||
"height": 4,
|
||||
"widget": {
|
||||
"title": "Peering group static routes used",
|
||||
"xyChart": {
|
||||
"chartOptions": {
|
||||
"mode": "COLOR"
|
||||
},
|
||||
"dataSets": [
|
||||
{
|
||||
"minAlignmentPeriod": "60s",
|
||||
"plotType": "LINE",
|
||||
"targetAxis": "Y1",
|
||||
"timeSeriesQuery": {
|
||||
"apiSource": "DEFAULT_CLOUD",
|
||||
"timeSeriesFilter": {
|
||||
"aggregation": {
|
||||
"alignmentPeriod": "60s",
|
||||
"perSeriesAligner": "ALIGN_MEAN"
|
||||
},
|
||||
"filter": "metric.type=\"custom.googleapis.com/netmon/peering_group/routes_static_used_ratio\" resource.type=\"global\""
|
||||
}
|
||||
}
|
||||
}
|
||||
],
|
||||
"thresholds": [],
|
||||
"timeshiftDuration": "0s",
|
||||
"yAxis": {
|
||||
"label": "y1Axis",
|
||||
"scale": "LINEAR"
|
||||
}
|
||||
}
|
||||
},
|
||||
"width": 6,
|
||||
"xPos": 0,
|
||||
"yPos": 28
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
@ -74,7 +74,7 @@ dashboard_json_path = "../dashboards/quotas-utilization.json"
|
|||
| [name](variables.tf#L75) | Name used to create Cloud Function related resources. | <code>string</code> | | <code>"net-dash"</code> |
|
||||
| [project_create_config](variables.tf#L81) | Optional configuration if project creation is required. | <code title="object({ billing_account_id = string parent_id = optional(string) })">object({…})</code> | | <code>null</code> |
|
||||
| [region](variables.tf#L95) | Compute region where the Cloud Function will be deployed. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| [schedule_config](variables.tf#L101) | Schedule timer configuration in crontab format. | <code>string</code> | | <code>"0/30 * * * *"</code> |
|
||||
| [schedule_config](variables.tf#L101) | Schedule timer configuration in crontab format. | <code>string</code> | | <code>"*/30 * * * *"</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
@ -101,5 +101,5 @@ variable "region" {
|
|||
variable "schedule_config" {
|
||||
description = "Schedule timer configuration in crontab format."
|
||||
type = string
|
||||
default = "0/30 * * * *"
|
||||
default = "*/30 * * * *"
|
||||
}
|
||||
|
|
|
@ -84,8 +84,8 @@ def do_discovery(resources):
|
|||
{k: len(v) for k, v in resources.items() if not isinstance(v, str)}))
|
||||
|
||||
|
||||
def do_init(resources, discovery_root, monitoring_project, folders=None, projects=None,
|
||||
custom_quota=None):
|
||||
def do_init(resources, discovery_root, monitoring_project, folders=None,
|
||||
projects=None, custom_quota=None):
|
||||
'''Calls init plugins to configure keys in the shared resource map.
|
||||
|
||||
Args:
|
||||
|
|
|
@ -39,7 +39,9 @@ TYPES = {
|
|||
'subnetworks': 'compute.googleapis.com/Subnetwork',
|
||||
'routers': 'compute.googleapis.com/Router',
|
||||
'routes': 'compute.googleapis.com/Route',
|
||||
'sql_instances': 'sqladmin.googleapis.com/Instance'
|
||||
'sql_instances': 'sqladmin.googleapis.com/Instance',
|
||||
'filestore_instances': 'file.googleapis.com/Instance',
|
||||
'memorystore_instances': 'redis.googleapis.com/Instance',
|
||||
}
|
||||
NAMES = {v: k for k, v in TYPES.items()}
|
||||
|
||||
|
@ -62,8 +64,8 @@ def _handle_discovery(resources, response, data):
|
|||
'Processes the asset API response and returns parsed resources or next URL.'
|
||||
LOGGER.info('discovery handle request')
|
||||
for result in parse_cai_results(data, 'cai-compute', method='list'):
|
||||
resource = _handle_resource(
|
||||
resources, result['assetType'], result['resource'])
|
||||
resource = _handle_resource(resources, result['assetType'],
|
||||
result['resource'])
|
||||
if not resource:
|
||||
continue
|
||||
yield resource
|
||||
|
@ -82,10 +84,16 @@ def _handle_resource(resources, asset_type, data):
|
|||
# e.g. assetType = GlobalAddress but discoveryName = Address
|
||||
resource_name = NAMES[asset_type]
|
||||
resource = {
|
||||
'id': attrs.get('id'),
|
||||
'name': attrs['name'],
|
||||
'self_link': _self_link(attrs['selfLink']),
|
||||
'assetType': asset_type
|
||||
'id':
|
||||
attrs.get('id'),
|
||||
'name':
|
||||
attrs['name'],
|
||||
# Some resources (ex: Filestore) don't have a self_link, using parent + name in that case
|
||||
'self_link':
|
||||
f'{data["parent"]}/{attrs["name"]}'
|
||||
if not 'selfLink' in attrs else _self_link(attrs['selfLink']),
|
||||
'assetType':
|
||||
asset_type
|
||||
}
|
||||
# derive parent type and id and skip if parent is not within scope
|
||||
parent_data = _get_parent(data['parent'], resources)
|
||||
|
@ -212,8 +220,41 @@ def _handle_sql_instances(resource, data):
|
|||
],
|
||||
'region': data['region'],
|
||||
'availabilityType': data['settings']['availabilityType'],
|
||||
'network': data['settings']['ipConfiguration']['privateNetwork']
|
||||
}
|
||||
|
||||
|
||||
def _handle_filestore_instances(resource, data):
|
||||
'Handles filestore instance type resource data.'
|
||||
return {
|
||||
# Getting only the instance name, removing the rest
|
||||
'name': data['name'].split('/')[-1],
|
||||
# Is a list but for now, only one network is supported for Filestore
|
||||
'network': data['networks'][0]['network'],
|
||||
'reservedIpRange': data['networks'][0]['reservedIpRange'],
|
||||
'ipAddresses': data['networks'][0]['ipAddresses']
|
||||
}
|
||||
|
||||
|
||||
def _handle_memorystore_instances(resource, data):
|
||||
'Handles Memorystore (Redis) instance type resource data.'
|
||||
return {
|
||||
# Getting only the instance name, removing the rest
|
||||
'name':
|
||||
data['name'].split('/')[-1],
|
||||
'locationId':
|
||||
data['locationId'],
|
||||
'replicaCount':
|
||||
0 if not 'replicaCount' in data else data['replicaCount'],
|
||||
'network':
|
||||
data['authorizedNetwork'],
|
||||
'reservedIpRange':
|
||||
'' if not 'reservedIpRange' in data else data['reservedIpRange'],
|
||||
'host':
|
||||
'' if not 'host' in data else data['host'],
|
||||
}
|
||||
|
||||
|
||||
def _handle_subnetworks(resource, data):
|
||||
'Handles subnetwork type resource data.'
|
||||
secondary_ranges = [{
|
||||
|
@ -237,8 +278,7 @@ def _self_link(s):
|
|||
def _url(resources):
|
||||
'Returns discovery URL'
|
||||
discovery_root = resources['config:discovery_root']
|
||||
asset_types = '&'.join(
|
||||
f'assetTypes={t}' for t in TYPES.values())
|
||||
asset_types = '&'.join(f'assetTypes={t}' for t in TYPES.values())
|
||||
return CAI_URL.format(root=discovery_root, asset_types=asset_types)
|
||||
|
||||
|
||||
|
|
|
@ -34,7 +34,28 @@ def _sql_addresses(sql_instances):
|
|||
if not v['ipAddresses']:
|
||||
continue
|
||||
# 1 IP for the instance + 1 IP for the ILB + 1 IP if HA
|
||||
yield v['ipAddresses'][0], 2 if v['availabilityType'] != 'REGIONAL' else 3
|
||||
yield v['ipAddresses'][
|
||||
0], 2 if v['availabilityType'] != 'REGIONAL' else 3, v['network']
|
||||
|
||||
|
||||
def _filestore_addresses(filestore_instances):
|
||||
'Returns counts of Filestore instances per PSA range.'
|
||||
for v in filestore_instances.values():
|
||||
if not v['ipAddresses'] or not v['reservedIpRange']:
|
||||
continue
|
||||
# Subnet size (reservedIpRange) can be /29, /26 or /24
|
||||
yield v['ipAddresses'][0], ipaddress.ip_network(
|
||||
v['reservedIpRange']).num_addresses, v['network']
|
||||
|
||||
|
||||
def _memorystore_addresses(memorystore_instances):
|
||||
'Returns counts of Memorystore (Redis) instances per PSA range.'
|
||||
for v in memorystore_instances.values():
|
||||
if not v['reservedIpRange'] or v['reservedIpRange'] == '':
|
||||
continue
|
||||
# Subnet size (reservedIpRange) can be minimum /28 or /29
|
||||
yield v['host'], ipaddress.ip_network(
|
||||
v['reservedIpRange']).num_addresses, v['network']
|
||||
|
||||
|
||||
@register_timeseries
|
||||
|
@ -46,25 +67,34 @@ def timeseries(resources):
|
|||
('project', 'network', 'subnetwork'),
|
||||
dtype.endswith('ratio'))
|
||||
psa_nets = {
|
||||
k: ipaddress.ip_network('{}/{}'.format(v['address'], v['prefixLength']))
|
||||
for k, v in resources['global_addresses'].items() if v['prefixLength']
|
||||
k: {
|
||||
'network_link':
|
||||
v['network'],
|
||||
'network_prefix':
|
||||
ipaddress.ip_network('{}/{}'.format(v['address'],
|
||||
v['prefixLength']))
|
||||
} for k, v in resources['global_addresses'].items() if v['prefixLength']
|
||||
}
|
||||
psa_counts = {}
|
||||
for address, ip_count in _sql_addresses(resources.get('sql_instances', {})):
|
||||
for address, ip_count, network in itertools.chain(
|
||||
_sql_addresses(resources.get('sql_instances', {})),
|
||||
_filestore_addresses(resources.get('filestore_instances', {})),
|
||||
_memorystore_addresses(resources.get('memorystore_instances', {}))):
|
||||
ip_address = ipaddress.ip_address(address)
|
||||
for k, v in psa_nets.items():
|
||||
if ip_address in v:
|
||||
if network == v['network_link'] and ip_address in v['network_prefix']:
|
||||
psa_counts[k] = psa_counts.get(k, 0) + ip_count
|
||||
break
|
||||
|
||||
for k, v in psa_counts.items():
|
||||
max_ips = psa_nets[k].num_addresses - 4
|
||||
max_ips = psa_nets[k]['network_prefix'].num_addresses - 4
|
||||
psa_range = resources['global_addresses'][k]
|
||||
labels = {
|
||||
'network': psa_range['network'],
|
||||
'project': psa_range['project_id'],
|
||||
'psa_range': psa_range['name']
|
||||
}
|
||||
|
||||
yield TimeSeries('network/psa/addresses_available', max_ips, labels)
|
||||
yield TimeSeries('network/psa/addresses_used', v, labels)
|
||||
yield TimeSeries('network/psa/addresses_used_ratio',
|
||||
|
|
|
@ -80,7 +80,7 @@ We use three groups to control access to resources:
|
|||
The table below shows a high level overview of roles for each group on each project, using `READ`, `WRITE` and `ADMIN` access patterns for simplicity. For detailed roles please refer to the code.
|
||||
|
||||
|Group|Drop off|Load|Transformation|DHW Landing|DWH Curated|DWH Confidential|Orchestration|Common|
|
||||
|-|:-:|:-:|:-:|:-:|:-:|:-:|:-:|:-:|:-:|
|
||||
|-|:-:|:-:|:-:|:-:|:-:|:-:|:-:|:-:|
|
||||
|Data Engineers|`ADMIN`|`ADMIN`|`ADMIN`|`ADMIN`|`ADMIN`|`ADMIN`|`ADMIN`|`ADMIN`|
|
||||
|Data Analysts|-|-|-|-|-|`READ`|-|-|
|
||||
|Data Security|-|-|-|-|-|-|-|-|`ADMIN`|
|
||||
|
|
|
@ -12,12 +12,15 @@ This sample creates several distinct groups of resources:
|
|||
|
||||
- project
|
||||
- networking
|
||||
- VPC network with a default subnet and CloudNat
|
||||
- Firewall rules for [SSH access via IAP](https://cloud.google.com/iap/docs/using-tcp-forwarding) and open communication within the VPC
|
||||
- Vertex AI Workbench notebook configured with a private IP and using a dedicated Service Account
|
||||
- One GCS bucket
|
||||
- One BigQuery dataset
|
||||
|
||||
## Virtual Private Cloud (VPC) design
|
||||
As is often the case in real-world configurations, this blueprint accepts as input an existing Shared-VPC via the network_config variable. Make sure that 'container.googleapis.com', 'notebooks.googleapis.com' and 'servicenetworking.googleapis.com' are enabled in the VPC host project.
|
||||
|
||||
If the network_config variable is not provided, one VPC will be created in each project that supports network resources (load, transformation and orchestration).
|
||||
|
||||
## Deploy your enviroment
|
||||
We assume the identiy running the following steps has the following role:
|
||||
|
||||
|
@ -47,12 +50,12 @@ You can now connect to the Vertex AI notbook to perform your data analysy.
|
|||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [prefix](variables.tf#L22) | Prefix used for resource names. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L40) | Project id, references existing project if `project_create` is null. | <code>string</code> | ✓ | |
|
||||
| [prefix](variables.tf#L32) | Prefix used for resource names. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L50) | Project id, references existing project if `project_create` is null. | <code>string</code> | ✓ | |
|
||||
| [location](variables.tf#L16) | The location where resources will be deployed. | <code>string</code> | | <code>"EU"</code> |
|
||||
| [project_create](variables.tf#L31) | Provide values if project creation is needed, uses existing project if null. Parent format: folders/folder_id or organizations/org_id. | <code title="object({ billing_account_id = string parent = string })">object({…})</code> | | <code>null</code> |
|
||||
| [region](variables.tf#L45) | The region where resources will be deployed. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| [vpc_config](variables.tf#L61) | Parameters to create a VPC. | <code title="object({ ip_cidr_range = string })">object({…})</code> | | <code title="{ ip_cidr_range = "10.0.0.0/20" }">{…}</code> |
|
||||
| [network_config](variables.tf#L22) | Shared VPC network configurations to use. If null networks will be created in projects with preconfigured values. | <code title="object({ host_project = string network_self_link = string subnet_self_link = string })">object({…})</code> | | <code>null</code> |
|
||||
| [project_create](variables.tf#L41) | Provide values if project creation is needed, uses existing project if null. Parent format: folders/folder_id or organizations/org_id. | <code title="object({ billing_account_id = string parent = string })">object({…})</code> | | <code>null</code> |
|
||||
| [region](variables.tf#L55) | The region where resources will be deployed. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
@ -17,6 +17,39 @@
|
|||
###############################################################################
|
||||
locals {
|
||||
service_encryption_keys = var.service_encryption_keys
|
||||
shared_vpc_project = try(var.network_config.host_project, null)
|
||||
|
||||
subnet = (
|
||||
local.use_shared_vpc
|
||||
? var.network_config.subnet_self_link
|
||||
: values(module.vpc.0.subnet_self_links)[0]
|
||||
)
|
||||
vpc = (
|
||||
local.use_shared_vpc
|
||||
? var.network_config.network_self_link
|
||||
: module.vpc.0.self_link
|
||||
)
|
||||
use_shared_vpc = var.network_config != null
|
||||
|
||||
shared_vpc_bindings = {
|
||||
"roles/compute.networkUser" = [
|
||||
"robot-df", "notebooks"
|
||||
]
|
||||
}
|
||||
|
||||
shared_vpc_role_members = {
|
||||
robot-df = "serviceAccount:${module.project.service_accounts.robots.dataflow}"
|
||||
notebooks = "serviceAccount:${module.project.service_accounts.robots.notebooks}"
|
||||
}
|
||||
|
||||
# reassemble in a format suitable for for_each
|
||||
shared_vpc_bindings_map = {
|
||||
for binding in flatten([
|
||||
for role, members in local.shared_vpc_bindings : [
|
||||
for member in members : { role = role, member = member }
|
||||
]
|
||||
]) : "${binding.role}-${binding.member}" => binding
|
||||
}
|
||||
}
|
||||
|
||||
module "project" {
|
||||
|
@ -27,6 +60,7 @@ module "project" {
|
|||
project_create = var.project_create != null
|
||||
prefix = var.project_create == null ? null : var.prefix
|
||||
services = [
|
||||
"aiplatform.googleapis.com",
|
||||
"bigquery.googleapis.com",
|
||||
"bigquerystorage.googleapis.com",
|
||||
"bigqueryreservation.googleapis.com",
|
||||
|
@ -42,17 +76,26 @@ module "project" {
|
|||
"storage.googleapis.com",
|
||||
"storage-component.googleapis.com"
|
||||
]
|
||||
|
||||
shared_vpc_service_config = local.shared_vpc_project == null ? null : {
|
||||
attach = true
|
||||
host_project = local.shared_vpc_project
|
||||
}
|
||||
|
||||
org_policies = {
|
||||
# "constraints/compute.requireOsLogin" = {
|
||||
# enforce = false
|
||||
# }
|
||||
# Example of applying a project wide policy, mainly useful for Composer
|
||||
# Example of applying a project wide policy, mainly useful for Composer 1
|
||||
}
|
||||
service_encryption_key_ids = {
|
||||
compute = [try(local.service_encryption_keys.compute, null)]
|
||||
bq = [try(local.service_encryption_keys.bq, null)]
|
||||
storage = [try(local.service_encryption_keys.storage, null)]
|
||||
}
|
||||
service_config = {
|
||||
disable_on_destroy = false, disable_dependent_services = false
|
||||
}
|
||||
}
|
||||
|
||||
###############################################################################
|
||||
|
@ -61,11 +104,12 @@ module "project" {
|
|||
|
||||
module "vpc" {
|
||||
source = "../../../modules/net-vpc"
|
||||
count = local.use_shared_vpc ? 0 : 1
|
||||
project_id = module.project.project_id
|
||||
name = "${var.prefix}-vpc"
|
||||
subnets = [
|
||||
{
|
||||
ip_cidr_range = var.vpc_config.ip_cidr_range
|
||||
ip_cidr_range = "10.0.0.0/20"
|
||||
name = "${var.prefix}-subnet"
|
||||
region = var.region
|
||||
}
|
||||
|
@ -74,10 +118,11 @@ module "vpc" {
|
|||
|
||||
module "vpc-firewall" {
|
||||
source = "../../../modules/net-vpc-firewall"
|
||||
count = local.use_shared_vpc ? 0 : 1
|
||||
project_id = module.project.project_id
|
||||
network = module.vpc.name
|
||||
network = module.vpc.0.name
|
||||
default_rules_config = {
|
||||
admin_ranges = [var.vpc_config.ip_cidr_range]
|
||||
admin_ranges = ["10.0.0.0/20"]
|
||||
}
|
||||
ingress_rules = {
|
||||
#TODO Remove and rely on 'ssh' tag once terraform-provider-google/issues/9273 is fixed
|
||||
|
@ -92,12 +137,21 @@ module "vpc-firewall" {
|
|||
|
||||
module "cloudnat" {
|
||||
source = "../../../modules/net-cloudnat"
|
||||
count = local.use_shared_vpc ? 0 : 1
|
||||
project_id = module.project.project_id
|
||||
name = "${var.prefix}-default"
|
||||
region = var.region
|
||||
router_network = module.vpc.name
|
||||
router_network = module.vpc.0.name
|
||||
}
|
||||
|
||||
resource "google_project_iam_member" "shared_vpc" {
|
||||
count = local.use_shared_vpc ? 1 : 0
|
||||
project = var.network_config.host_project
|
||||
role = "roles/compute.networkUser"
|
||||
member = "serviceAccount:${module.project.service_accounts.robots.notebooks}"
|
||||
}
|
||||
|
||||
|
||||
###############################################################################
|
||||
# Storage #
|
||||
###############################################################################
|
||||
|
@ -121,8 +175,6 @@ module "dataset" {
|
|||
###############################################################################
|
||||
# Vertex AI Notebook #
|
||||
###############################################################################
|
||||
# TODO: Add encryption_key to Vertex AI notebooks as well
|
||||
# TODO: Add shared VPC support
|
||||
|
||||
module "service-account-notebook" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
|
@ -160,11 +212,14 @@ resource "google_notebooks_instance" "playground" {
|
|||
no_public_ip = true
|
||||
no_proxy_access = false
|
||||
|
||||
network = module.vpc.network.id
|
||||
subnet = module.vpc.subnets[format("%s/%s", var.region, "${var.prefix}-subnet")].id
|
||||
network = local.vpc
|
||||
subnet = local.subnet
|
||||
|
||||
service_account = module.service-account-notebook.email
|
||||
|
||||
#TODO Uncomment once terraform-provider-google/issues/9273 is fixed
|
||||
# tags = ["ssh"]
|
||||
depends_on = [
|
||||
google_project_iam_member.shared_vpc,
|
||||
]
|
||||
}
|
||||
|
|
|
@ -37,5 +37,5 @@ output "project" {
|
|||
|
||||
output "vpc" {
|
||||
description = "VPC Network."
|
||||
value = module.vpc.name
|
||||
value = local.vpc
|
||||
}
|
||||
|
|
|
@ -19,6 +19,16 @@ variable "location" {
|
|||
default = "EU"
|
||||
}
|
||||
|
||||
variable "network_config" {
|
||||
description = "Shared VPC network configurations to use. If null networks will be created in projects with preconfigured values."
|
||||
type = object({
|
||||
host_project = string
|
||||
network_self_link = string
|
||||
subnet_self_link = string
|
||||
})
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "prefix" {
|
||||
description = "Prefix used for resource names."
|
||||
type = string
|
||||
|
@ -57,13 +67,3 @@ variable "service_encryption_keys" { # service encription key
|
|||
})
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "vpc_config" {
|
||||
description = "Parameters to create a VPC."
|
||||
type = object({
|
||||
ip_cidr_range = string
|
||||
})
|
||||
default = {
|
||||
ip_cidr_range = "10.0.0.0/20"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -23,25 +23,6 @@
|
|||
set_fact:
|
||||
context: "gke_{{ project_id }}_{{ region }}_{{ cluster }}"
|
||||
|
||||
- name: Install ASM in cluster
|
||||
shell: >
|
||||
gcloud container fleet mesh update \
|
||||
--control-plane automatic \
|
||||
--memberships {{ cluster }} \
|
||||
--project {{ project_id }}
|
||||
|
||||
- name: Wait until MCP is provisioned
|
||||
shell: >
|
||||
for i in $(seq 12); do
|
||||
result=$(gcloud container fleet mesh describe --project {{ project_id }} --format json \
|
||||
| jq -r '.membershipStates | to_entries[] | select(.key | endswith("{{ cluster }}")) | .value.servicemesh.controlPlaneManagement.state')
|
||||
if [ "$result" = "ACTIVE" ]; then
|
||||
break
|
||||
fi
|
||||
echo "ASM control plane is not ready yet..."
|
||||
sleep 60
|
||||
done
|
||||
|
||||
- name: Get endpoint IP
|
||||
shell: >
|
||||
gcloud container clusters describe "{{ cluster }}" \
|
||||
|
|
|
@ -224,7 +224,7 @@ module "gke" {
|
|||
}
|
||||
}
|
||||
|
||||
# tftest modules=8 resources=35
|
||||
# tftest modules=8 resources=37
|
||||
```
|
||||
|
||||
<!-- TFDOC OPTS files:1 -->
|
||||
|
|
|
@ -76,11 +76,11 @@ locals {
|
|||
data-platform-prod = try(module.branch-dp-prod-folder.0.id, null)
|
||||
gke-dev = try(module.branch-gke-dev-folder.0.id, null)
|
||||
gke-prod = try(module.branch-gke-prod-folder.0.id, null)
|
||||
networking = module.branch-network-folder.id
|
||||
networking-dev = module.branch-network-dev-folder.id
|
||||
networking-prod = module.branch-network-prod-folder.id
|
||||
networking = try(module.branch-network-folder.id, null)
|
||||
networking-dev = try(module.branch-network-dev-folder.id, null)
|
||||
networking-prod = try(module.branch-network-prod-folder.id, null)
|
||||
sandbox = try(module.branch-sandbox-folder.0.id, null)
|
||||
security = module.branch-security-folder.id
|
||||
security = try(module.branch-security-folder.id, null)
|
||||
teams = try(module.branch-teams-folder.0.id, null)
|
||||
},
|
||||
{
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# Api Gateway
|
||||
# API Gateway
|
||||
This module allows creating an API with its associated API config and API gateway. It also allows you grant IAM roles on the created resources.
|
||||
|
||||
# Examples
|
||||
|
@ -15,46 +15,46 @@ module "gateway" {
|
|||
# ...
|
||||
EOT
|
||||
}
|
||||
# tftest modules=1 resources=4
|
||||
# tftest modules=1 resources=4 inventory=basic.yaml
|
||||
```
|
||||
|
||||
## Basic example + customer service account
|
||||
## Use existing service account
|
||||
```hcl
|
||||
module "gateway" {
|
||||
source = "./fabric/modules/api-gateway"
|
||||
project_id = "my-project"
|
||||
api_id = "api"
|
||||
region = "europe-west1"
|
||||
spec = <<EOT
|
||||
# The OpenAPI spec contents
|
||||
# ...
|
||||
EOT
|
||||
service_account_email = "sa@my-project.iam.gserviceaccount.com"
|
||||
iam = {
|
||||
"roles/apigateway.admin" = ["user:user@example.com"]
|
||||
}
|
||||
spec = <<EOT
|
||||
# The OpenAPI spec contents
|
||||
# ...
|
||||
EOT
|
||||
}
|
||||
# tftest modules=1 resources=7
|
||||
# tftest modules=1 resources=7 inventory=existing-sa.yaml
|
||||
```
|
||||
|
||||
## Basic example + service account creation
|
||||
## Create service account
|
||||
```hcl
|
||||
module "gateway" {
|
||||
source = "./fabric/modules/api-gateway"
|
||||
project_id = "my-project"
|
||||
api_id = "api"
|
||||
region = "europe-west1"
|
||||
spec = <<EOT
|
||||
# The OpenAPI spec contents
|
||||
# ...
|
||||
EOT
|
||||
service_account_create = true
|
||||
iam = {
|
||||
"roles/apigateway.admin" = ["user:mirene@google.com"]
|
||||
"roles/apigateway.viewer" = ["user:mirene@google.com"]
|
||||
}
|
||||
spec = <<EOT
|
||||
# The OpenAPI spec contents
|
||||
# ...
|
||||
EOT
|
||||
}
|
||||
# tftest modules=1 resources=11
|
||||
# tftest modules=1 resources=11 inventory=create-sa.yaml
|
||||
```
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
|
|
|
@ -21,7 +21,7 @@ module "private-dns" {
|
|||
"A myhost" = { ttl = 600, records = ["10.0.0.120"] }
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=3
|
||||
# tftest modules=1 resources=3 inventory=private-zone.yaml
|
||||
```
|
||||
|
||||
### Forwarding Zone
|
||||
|
@ -36,7 +36,7 @@ module "private-dns" {
|
|||
client_networks = [var.vpc.self_link]
|
||||
forwarders = { "10.0.1.1" = null, "1.2.3.4" = "private" }
|
||||
}
|
||||
# tftest modules=1 resources=1
|
||||
# tftest modules=1 resources=1 inventory=forwarding-zone.yaml
|
||||
```
|
||||
|
||||
### Peering Zone
|
||||
|
@ -47,11 +47,12 @@ module "private-dns" {
|
|||
project_id = "myproject"
|
||||
type = "peering"
|
||||
name = "test-example"
|
||||
domain = "test.example."
|
||||
domain = "."
|
||||
description = "Forwarding zone for ."
|
||||
client_networks = [var.vpc.self_link]
|
||||
peer_network = var.vpc2.self_link
|
||||
}
|
||||
# tftest modules=1 resources=1
|
||||
# tftest modules=1 resources=1 inventory=peering-zone.yaml
|
||||
```
|
||||
|
||||
### Routing Policies
|
||||
|
@ -84,7 +85,7 @@ module "private-dns" {
|
|||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=4
|
||||
# tftest modules=1 resources=4 inventory=routing-policies.yaml
|
||||
```
|
||||
|
||||
### Reverse Lookup Zone
|
||||
|
@ -98,7 +99,23 @@ module "private-dns" {
|
|||
domain = "0.0.10.in-addr.arpa."
|
||||
client_networks = [var.vpc.self_link]
|
||||
}
|
||||
# tftest modules=1 resources=1
|
||||
# tftest modules=1 resources=1 inventory=reverse-zone.yaml
|
||||
```
|
||||
|
||||
### Public Zone
|
||||
|
||||
```hcl
|
||||
module "public-dns" {
|
||||
source = "./fabric/modules/dns"
|
||||
project_id = "myproject"
|
||||
type = "public"
|
||||
name = "example"
|
||||
domain = "example.com."
|
||||
recordsets = {
|
||||
"A myhost" = { ttl = 300, records = ["127.0.0.1"] }
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=3 inventory=public-zone.yaml
|
||||
```
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
* Copyright 2023 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
|
|
@ -8,50 +8,46 @@ module "bucket" {
|
|||
project_id = "myproject"
|
||||
prefix = "test"
|
||||
name = "my-bucket"
|
||||
versioning = true
|
||||
iam = {
|
||||
"roles/storage.admin" = ["group:storage@example.com"]
|
||||
}
|
||||
labels = {
|
||||
cost-center = "devops"
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=2
|
||||
# tftest modules=1 resources=2 inventory=simple.yaml
|
||||
```
|
||||
|
||||
### Example with Cloud KMS
|
||||
|
||||
```hcl
|
||||
module "bucket" {
|
||||
source = "./fabric/modules/gcs"
|
||||
project_id = "myproject"
|
||||
prefix = "test"
|
||||
name = "my-bucket"
|
||||
iam = {
|
||||
"roles/storage.admin" = ["group:storage@example.com"]
|
||||
}
|
||||
source = "./fabric/modules/gcs"
|
||||
project_id = "myproject"
|
||||
name = "my-bucket"
|
||||
encryption_key = "my-encryption-key"
|
||||
}
|
||||
# tftest modules=1 resources=2
|
||||
# tftest modules=1 resources=1 inventory=cmek.yaml
|
||||
```
|
||||
|
||||
### Example with retention policy
|
||||
### Example with retention policy and logging
|
||||
|
||||
```hcl
|
||||
module "bucket" {
|
||||
source = "./fabric/modules/gcs"
|
||||
project_id = "myproject"
|
||||
prefix = "test"
|
||||
name = "my-bucket"
|
||||
iam = {
|
||||
"roles/storage.admin" = ["group:storage@example.com"]
|
||||
}
|
||||
retention_policy = {
|
||||
retention_period = 100
|
||||
is_locked = true
|
||||
}
|
||||
logging_config = {
|
||||
log_bucket = var.bucket
|
||||
log_bucket = "log-bucket"
|
||||
log_object_prefix = null
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=2
|
||||
# tftest modules=1 resources=1 inventory=retention-logging.yaml
|
||||
```
|
||||
|
||||
### Example with lifecycle rule
|
||||
|
@ -60,11 +56,7 @@ module "bucket" {
|
|||
module "bucket" {
|
||||
source = "./fabric/modules/gcs"
|
||||
project_id = "myproject"
|
||||
prefix = "test"
|
||||
name = "my-bucket"
|
||||
iam = {
|
||||
"roles/storage.admin" = ["group:storage@example.com"]
|
||||
}
|
||||
lifecycle_rules = {
|
||||
lr-0 = {
|
||||
action = {
|
||||
|
@ -77,7 +69,7 @@ module "bucket" {
|
|||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=2
|
||||
# tftest modules=1 resources=1 inventory=lifecycle.yaml
|
||||
```
|
||||
|
||||
### Minimal example with GCS notifications
|
||||
|
@ -86,7 +78,6 @@ module "bucket" {
|
|||
module "bucket-gcs-notification" {
|
||||
source = "./fabric/modules/gcs"
|
||||
project_id = "myproject"
|
||||
prefix = "test"
|
||||
name = "my-bucket"
|
||||
notification_config = {
|
||||
enabled = true
|
||||
|
@ -97,7 +88,7 @@ module "bucket-gcs-notification" {
|
|||
custom_attributes = {}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=4
|
||||
# tftest modules=1 resources=4 inventory=notification.yaml
|
||||
```
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
|
|
|
@ -33,7 +33,7 @@ module "cluster-1" {
|
|||
environment = "dev"
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=1
|
||||
# tftest modules=1 resources=1 inventory=basic.yaml
|
||||
```
|
||||
|
||||
### GKE Cluster with Dataplane V2 enabled
|
||||
|
@ -42,7 +42,7 @@ module "cluster-1" {
|
|||
module "cluster-1" {
|
||||
source = "./fabric/modules/gke-cluster"
|
||||
project_id = "myproject"
|
||||
name = "cluster-1"
|
||||
name = "cluster-dataplane-v2"
|
||||
location = "europe-west1-b"
|
||||
vpc_config = {
|
||||
network = var.vpc.self_link
|
||||
|
@ -68,8 +68,36 @@ module "cluster-1" {
|
|||
environment = "dev"
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=1
|
||||
# tftest modules=1 resources=1 inventory=dataplane-v2.yaml
|
||||
```
|
||||
### Autopilot Cluster
|
||||
|
||||
```hcl
|
||||
module "cluster-autopilot" {
|
||||
source = "./fabric/modules/gke-cluster"
|
||||
project_id = "myproject"
|
||||
name = "cluster-autopilot"
|
||||
location = "europe-west1-b"
|
||||
vpc_config = {
|
||||
network = var.vpc.self_link
|
||||
subnetwork = var.subnet.self_link
|
||||
secondary_range_names = {
|
||||
pods = "pods"
|
||||
services = "services"
|
||||
}
|
||||
master_authorized_ranges = {
|
||||
internal-vms = "10.0.0.0/8"
|
||||
}
|
||||
master_ipv4_cidr_block = "192.168.0.0/28"
|
||||
}
|
||||
enable_features = {
|
||||
autopilot = true
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=1 inventory=autopilot.yaml
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
|
|
@ -295,7 +295,7 @@ module "hub" {
|
|||
]
|
||||
}
|
||||
|
||||
# tftest modules=8 resources=28
|
||||
# tftest modules=8 resources=30
|
||||
```
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
|
|
|
@ -70,6 +70,20 @@ resource "google_gke_hub_feature" "default" {
|
|||
}
|
||||
}
|
||||
|
||||
resource "google_gke_hub_feature_membership" "servicemesh" {
|
||||
provider = google-beta
|
||||
for_each = var.features.servicemesh ? var.clusters : {}
|
||||
project = var.project_id
|
||||
location = "global"
|
||||
feature = google_gke_hub_feature.default["servicemesh"].name
|
||||
membership = google_gke_hub_membership.default[each.key].membership_id
|
||||
|
||||
mesh {
|
||||
management = "MANAGEMENT_AUTOMATIC"
|
||||
control_plane = "AUTOMATIC"
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_gke_hub_feature_membership" "default" {
|
||||
provider = google-beta
|
||||
for_each = local.cluster_cm_config
|
||||
|
|
|
@ -16,7 +16,7 @@ module "cluster-1-nodepool-1" {
|
|||
location = "europe-west1-b"
|
||||
name = "nodepool-1"
|
||||
}
|
||||
# tftest modules=1 resources=1
|
||||
# tftest modules=1 resources=1 inventory=basic.yaml
|
||||
```
|
||||
|
||||
### Internally managed service account
|
||||
|
@ -27,22 +27,11 @@ If you create a new service account, its resource and email (in both plain and I
|
|||
|
||||
#### GCE default service account
|
||||
|
||||
To use the GCE default service account, you can ignore the variable which is equivalent to `{ create = null, email = null }`.
|
||||
|
||||
```hcl
|
||||
module "cluster-1-nodepool-1" {
|
||||
source = "./fabric/modules/gke-nodepool"
|
||||
project_id = "myproject"
|
||||
cluster_name = "cluster-1"
|
||||
location = "europe-west1-b"
|
||||
name = "nodepool-1"
|
||||
}
|
||||
# tftest modules=1 resources=1
|
||||
```
|
||||
To use the GCE default service account, you can ignore the variable which is equivalent to `{ create = null, email = null }`. This is what the first example of this document does.
|
||||
|
||||
#### Externally defined service account
|
||||
|
||||
To use an existing service account, pass in just the `email` attribute.
|
||||
To use an existing service account, pass in just the `email` attribute. If you do this, will most likely want to use the `cloud-platform` scope.
|
||||
|
||||
```hcl
|
||||
module "cluster-1-nodepool-1" {
|
||||
|
@ -52,10 +41,11 @@ module "cluster-1-nodepool-1" {
|
|||
location = "europe-west1-b"
|
||||
name = "nodepool-1"
|
||||
service_account = {
|
||||
email = "foo-bar@myproject.iam.gserviceaccount.com"
|
||||
email = "foo-bar@myproject.iam.gserviceaccount.com"
|
||||
oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=1
|
||||
# tftest modules=1 resources=1 inventory=external-sa.yaml
|
||||
```
|
||||
|
||||
#### Auto-created service account
|
||||
|
@ -70,12 +60,48 @@ module "cluster-1-nodepool-1" {
|
|||
location = "europe-west1-b"
|
||||
name = "nodepool-1"
|
||||
service_account = {
|
||||
create = true
|
||||
# optional
|
||||
email = "spam-eggs"
|
||||
create = true
|
||||
email = "spam-eggs" # optional
|
||||
oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=2
|
||||
# tftest modules=1 resources=2 inventory=create-sa.yaml
|
||||
```
|
||||
### Node & node pool configuration
|
||||
|
||||
```hcl
|
||||
module "cluster-1-nodepool-1" {
|
||||
source = "./fabric/modules/gke-nodepool"
|
||||
project_id = "myproject"
|
||||
cluster_name = "cluster-1"
|
||||
location = "europe-west1-b"
|
||||
name = "nodepool-1"
|
||||
labels = { environment = "dev" }
|
||||
service_account = {
|
||||
create = true
|
||||
email = "nodepool-1" # optional
|
||||
oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
|
||||
}
|
||||
node_config = {
|
||||
machine_type = "n2-standard-2"
|
||||
disk_size_gb = 50
|
||||
disk_type = "pd-ssd"
|
||||
ephemeral_ssd_count = 1
|
||||
gvnic = true
|
||||
spot = true
|
||||
}
|
||||
nodepool_config = {
|
||||
autoscaling = {
|
||||
max_node_count = 10
|
||||
min_node_count = 1
|
||||
}
|
||||
management = {
|
||||
auto_repair = true
|
||||
auto_upgrade = false
|
||||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=2 inventory=config.yaml
|
||||
```
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
|
@ -97,7 +123,7 @@ module "cluster-1-nodepool-1" {
|
|||
| [nodepool_config](variables.tf#L115) | Nodepool-level configuration. | <code title="object({ autoscaling = optional(object({ location_policy = optional(string) max_node_count = optional(number) min_node_count = optional(number) use_total_nodes = optional(bool, false) })) management = optional(object({ auto_repair = optional(bool) auto_upgrade = optional(bool) })) upgrade_settings = optional(object({ max_surge = number max_unavailable = number })) })">object({…})</code> | | <code>null</code> |
|
||||
| [pod_range](variables.tf#L137) | Pod secondary range configuration. | <code title="object({ secondary_pod_range = object({ cidr = optional(string) create = optional(bool) name = string }) })">object({…})</code> | | <code>null</code> |
|
||||
| [reservation_affinity](variables.tf#L154) | Configuration of the desired reservation which instances could take capacity from. | <code title="object({ consume_reservation_type = string key = optional(string) values = optional(list(string)) })">object({…})</code> | | <code>null</code> |
|
||||
| [service_account](variables.tf#L164) | Nodepool service account. If this variable is set to null, the default GCE service account will be used. If set and email is null, a service account will be created. If scopes are null a default will be used. | <code title="object({ create = optional(bool, false) email = optional(string, null) oauth_scopes = optional(list(string), null) })">object({…})</code> | | <code>{}</code> |
|
||||
| [service_account](variables.tf#L164) | Nodepool service account. If this variable is set to null, the default GCE service account will be used. If set and email is null, a service account will be created. If scopes are null a default will be used. | <code title="object({ create = optional(bool, false) email = optional(string) oauth_scopes = optional(list(string)) })">object({…})</code> | | <code>{}</code> |
|
||||
| [sole_tenant_nodegroup](variables.tf#L175) | Sole tenant node group. | <code>string</code> | | <code>null</code> |
|
||||
| [tags](variables.tf#L181) | Network tags applied to nodes. | <code>list(string)</code> | | <code>null</code> |
|
||||
| [taints](variables.tf#L187) | Kubernetes taints applied to all nodes. | <code title="list(object({ key = string value = string effect = string }))">list(object({…}))</code> | | <code>null</code> |
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
* Copyright 2023 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
@ -165,8 +165,8 @@ variable "service_account" {
|
|||
description = "Nodepool service account. If this variable is set to null, the default GCE service account will be used. If set and email is null, a service account will be created. If scopes are null a default will be used."
|
||||
type = object({
|
||||
create = optional(bool, false)
|
||||
email = optional(string, null)
|
||||
oauth_scopes = optional(list(string), null)
|
||||
email = optional(string)
|
||||
oauth_scopes = optional(list(string))
|
||||
})
|
||||
default = {}
|
||||
nullable = false
|
||||
|
|
|
@ -30,7 +30,88 @@ module "vpc" {
|
|||
}
|
||||
]
|
||||
}
|
||||
# tftest modules=1 resources=3
|
||||
# tftest modules=1 resources=3 inventory=simple.yaml
|
||||
```
|
||||
|
||||
### Subnet Options
|
||||
```hcl
|
||||
module "vpc" {
|
||||
source = "./fabric/modules/net-vpc"
|
||||
project_id = "my-project"
|
||||
name = "my-network"
|
||||
subnets = [
|
||||
# simple subnet
|
||||
{
|
||||
name = "simple"
|
||||
region = "europe-west1"
|
||||
ip_cidr_range = "10.0.0.0/24"
|
||||
},
|
||||
# custom description and PGA disabled
|
||||
{
|
||||
name = "no-pga"
|
||||
region = "europe-west1"
|
||||
ip_cidr_range = "10.0.1.0/24",
|
||||
description = "Subnet b"
|
||||
enable_private_access = false
|
||||
},
|
||||
# secondary ranges
|
||||
{
|
||||
name = "with-secondary-ranges"
|
||||
region = "europe-west1"
|
||||
ip_cidr_range = "10.0.2.0/24"
|
||||
secondary_ip_ranges = {
|
||||
a = "192.168.0.0/24"
|
||||
b = "192.168.1.0/24"
|
||||
}
|
||||
},
|
||||
# enable flow logs
|
||||
{
|
||||
name = "with-flow-logs"
|
||||
region = "europe-west1"
|
||||
ip_cidr_range = "10.0.3.0/24"
|
||||
flow_logs_config = {
|
||||
flow_sampling = 0.5
|
||||
aggregation_interval = "INTERVAL_10_MIN"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
# tftest modules=1 resources=5 inventory=subnet-options.yaml
|
||||
```
|
||||
|
||||
### Subnet IAM
|
||||
|
||||
```hcl
|
||||
module "vpc" {
|
||||
source = "./fabric/modules/net-vpc"
|
||||
project_id = "my-project"
|
||||
name = "my-network"
|
||||
subnets = [
|
||||
{
|
||||
name = "subnet-1"
|
||||
region = "europe-west1"
|
||||
ip_cidr_range = "10.0.1.0/24"
|
||||
},
|
||||
{
|
||||
name = "subnet-2"
|
||||
region = "europe-west1"
|
||||
ip_cidr_range = "10.0.1.0/24"
|
||||
}
|
||||
]
|
||||
subnet_iam = {
|
||||
"europe-west1/subnet-1" = {
|
||||
"roles/compute.networkUser" = [
|
||||
"user:user1@example.com", "group:group1@example.com"
|
||||
]
|
||||
}
|
||||
"europe-west1/subnet-2" = {
|
||||
"roles/compute.networkUser" = [
|
||||
"user:user2@example.com", "group:group2@example.com"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=5 inventory=subnet-iam.yaml
|
||||
```
|
||||
|
||||
### Peering
|
||||
|
@ -65,7 +146,7 @@ module "vpc-spoke-1" {
|
|||
import_routes = true
|
||||
}
|
||||
}
|
||||
# tftest modules=2 resources=6
|
||||
# tftest modules=2 resources=6 inventory=peering.yaml
|
||||
```
|
||||
|
||||
### Shared VPC
|
||||
|
@ -116,7 +197,7 @@ module "vpc-host" {
|
|||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=7
|
||||
# tftest modules=1 resources=7 inventory=shared-vpc.yaml
|
||||
```
|
||||
|
||||
### Private Service Networking
|
||||
|
@ -137,7 +218,7 @@ module "vpc" {
|
|||
ranges = { myrange = "10.0.1.0/24" }
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=5
|
||||
# tftest modules=1 resources=5 inventory=psc.yaml
|
||||
```
|
||||
|
||||
### Private Service Networking with peering routes
|
||||
|
@ -162,7 +243,7 @@ module "vpc" {
|
|||
import_routes = true
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=5
|
||||
# tftest modules=1 resources=5 inventory=psc-routes.yaml
|
||||
```
|
||||
|
||||
### Subnets for Private Service Connect, Proxy-only subnets
|
||||
|
@ -194,7 +275,7 @@ module "vpc" {
|
|||
}
|
||||
]
|
||||
}
|
||||
# tftest modules=1 resources=3
|
||||
# tftest modules=1 resources=3 inventory=proxy-only-subnets.yaml
|
||||
```
|
||||
|
||||
### DNS Policies
|
||||
|
@ -219,7 +300,7 @@ module "vpc" {
|
|||
}
|
||||
]
|
||||
}
|
||||
# tftest modules=1 resources=3
|
||||
# tftest modules=1 resources=3 inventory=dns-policies.yaml
|
||||
```
|
||||
|
||||
### Subnet Factory
|
||||
|
@ -233,11 +314,17 @@ module "vpc" {
|
|||
name = "my-network"
|
||||
data_folder = "config/subnets"
|
||||
}
|
||||
# tftest modules=1 resources=2 files=subnets
|
||||
# tftest modules=1 resources=3 files=subnet-simple,subnet-detailed inventory=factory.yaml
|
||||
```
|
||||
|
||||
```yaml
|
||||
# tftest-file id=subnets path=config/subnets/subnet-name.yaml
|
||||
# tftest-file id=subnet-simple path=config/subnets/subnet-simple.yaml
|
||||
region: europe-west4
|
||||
ip_cidr_range: 10.0.1.0/24
|
||||
```
|
||||
|
||||
```yaml
|
||||
# tftest-file id=subnet-detailed path=config/subnets/subnet-detailed.yaml
|
||||
region: europe-west1
|
||||
description: Sample description
|
||||
ip_cidr_range: 10.0.0.0/24
|
||||
|
@ -254,7 +341,45 @@ flow_logs: # enable, set to empty map to use defaults
|
|||
metadata: "INCLUDE_ALL_METADATA"
|
||||
filter_expression: null
|
||||
```
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
### Custom Routes
|
||||
|
||||
VPC routes can be configured through the `routes` variable.
|
||||
|
||||
```hcl
|
||||
locals {
|
||||
route_types = {
|
||||
gateway = "global/gateways/default-internet-gateway"
|
||||
instance = "zones/europe-west1-b/test"
|
||||
ip = "192.168.0.128"
|
||||
ilb = "regions/europe-west1/forwardingRules/test"
|
||||
vpn_tunnel = "regions/europe-west1/vpnTunnels/foo"
|
||||
}
|
||||
}
|
||||
module "vpc" {
|
||||
source = "./fabric/modules/net-vpc"
|
||||
for_each = local.route_types
|
||||
project_id = "my-project"
|
||||
name = "my-network-with-route-${replace(each.key, "_", "-")}"
|
||||
routes = {
|
||||
next-hop = {
|
||||
dest_range = "192.168.128.0/24"
|
||||
tags = null
|
||||
next_hop_type = each.key
|
||||
next_hop = each.value
|
||||
}
|
||||
gateway = {
|
||||
dest_range = "0.0.0.0/0",
|
||||
priority = 100
|
||||
tags = ["tag-a"]
|
||||
next_hop_type = "gateway",
|
||||
next_hop = "global/gateways/default-internet-gateway"
|
||||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=5 resources=15 inventory=routes.yaml
|
||||
```
|
||||
|
||||
|
||||
## Variables
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
* Copyright 2023 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
@ -109,7 +109,7 @@ resource "google_dns_policy" "default" {
|
|||
)
|
||||
iterator = ns
|
||||
content {
|
||||
ipv4_address = ns.key
|
||||
ipv4_address = ns.value
|
||||
forwarding_path = "private"
|
||||
}
|
||||
}
|
||||
|
@ -121,7 +121,7 @@ resource "google_dns_policy" "default" {
|
|||
)
|
||||
iterator = ns
|
||||
content {
|
||||
ipv4_address = ns.key
|
||||
ipv4_address = ns.value
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -45,6 +45,7 @@ locals {
|
|||
# TODO: jit?
|
||||
gke-mcs = "service-%s@gcp-sa-mcsd"
|
||||
monitoring-notifications = "service-%s@gcp-sa-monitoring-notification"
|
||||
notebooks = "service-%s@gcp-sa-notebooks"
|
||||
pubsub = "service-%s@gcp-sa-pubsub"
|
||||
secretmanager = "service-%s@gcp-sa-secretmanager"
|
||||
sql = "service-%s@gcp-sa-cloud-sql"
|
||||
|
|
|
@ -34,6 +34,21 @@ module "test" {
|
|||
# tftest modules=1 resources=1
|
||||
```
|
||||
|
||||
If you need the module to create a scoped policy for you, specify 'scopes' of the policy in the `access_policy_create` variable:
|
||||
|
||||
```hcl
|
||||
module "test" {
|
||||
source = "./fabric/modules/vpc-sc"
|
||||
access_policy = null
|
||||
access_policy_create = {
|
||||
parent = "organizations/123456"
|
||||
title = "vpcsc-policy"
|
||||
scopes = ["folders/456789"]
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=1
|
||||
```
|
||||
|
||||
### Access levels
|
||||
|
||||
As highlighted above, the `access_levels` type replicates the underlying resource structure.
|
||||
|
@ -189,11 +204,11 @@ module "test" {
|
|||
|---|---|:---:|:---:|:---:|
|
||||
| [access_policy](variables.tf#L56) | Access Policy name, set to null if creating one. | <code>string</code> | ✓ | |
|
||||
| [access_levels](variables.tf#L17) | Access level definitions. | <code title="map(object({ combining_function = optional(string) conditions = optional(list(object({ device_policy = optional(object({ allowed_device_management_levels = optional(list(string)) allowed_encryption_statuses = optional(list(string)) require_admin_approval = bool require_corp_owned = bool require_screen_lock = optional(bool) os_constraints = optional(list(object({ os_type = string minimum_version = optional(string) require_verified_chrome_os = optional(bool) }))) })) ip_subnetworks = optional(list(string), []) members = optional(list(string), []) negate = optional(bool) regions = optional(list(string), []) required_access_levels = optional(list(string), []) })), []) description = optional(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [access_policy_create](variables.tf#L61) | Access Policy configuration, fill in to create. Parent is in 'organizations/123456' format. | <code title="object({ parent = string title = string })">object({…})</code> | | <code>null</code> |
|
||||
| [egress_policies](variables.tf#L70) | Egress policy definitions that can be referenced in perimeters. | <code title="map(object({ from = object({ identity_type = optional(string, "ANY_IDENTITY") identities = optional(list(string)) }) to = object({ operations = optional(list(object({ method_selectors = optional(list(string)) service_name = string })), []) resources = optional(list(string)) resource_type_external = optional(bool, false) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [ingress_policies](variables.tf#L99) | Ingress policy definitions that can be referenced in perimeters. | <code title="map(object({ from = object({ access_levels = optional(list(string), []) identity_type = optional(string) identities = optional(list(string)) resources = optional(list(string), []) }) to = object({ operations = optional(list(object({ method_selectors = optional(list(string)) service_name = string })), []) resources = optional(list(string)) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [service_perimeters_bridge](variables.tf#L130) | Bridge service perimeters. | <code title="map(object({ spec_resources = optional(list(string)) status_resources = optional(list(string)) use_explicit_dry_run_spec = optional(bool, false) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [service_perimeters_regular](variables.tf#L140) | Regular service perimeters. | <code title="map(object({ spec = optional(object({ access_levels = optional(list(string)) resources = optional(list(string)) restricted_services = optional(list(string)) egress_policies = optional(list(string)) ingress_policies = optional(list(string)) vpc_accessible_services = optional(object({ allowed_services = list(string) enable_restriction = bool })) })) status = optional(object({ access_levels = optional(list(string)) resources = optional(list(string)) restricted_services = optional(list(string)) egress_policies = optional(list(string)) ingress_policies = optional(list(string)) vpc_accessible_services = optional(object({ allowed_services = list(string) enable_restriction = bool })) })) use_explicit_dry_run_spec = optional(bool, false) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [access_policy_create](variables.tf#L61) | Access Policy configuration, fill in to create. Parent is in 'organizations/123456' format, scopes are in 'folders/456789' or 'projects/project_id' format. | <code title="object({ parent = string title = string scopes = optional(list(string), null) })">object({…})</code> | | <code>null</code> |
|
||||
| [egress_policies](variables.tf#L71) | Egress policy definitions that can be referenced in perimeters. | <code title="map(object({ from = object({ identity_type = optional(string, "ANY_IDENTITY") identities = optional(list(string)) }) to = object({ operations = optional(list(object({ method_selectors = optional(list(string)) service_name = string })), []) resources = optional(list(string)) resource_type_external = optional(bool, false) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [ingress_policies](variables.tf#L100) | Ingress policy definitions that can be referenced in perimeters. | <code title="map(object({ from = object({ access_levels = optional(list(string), []) identity_type = optional(string) identities = optional(list(string)) resources = optional(list(string), []) }) to = object({ operations = optional(list(object({ method_selectors = optional(list(string)) service_name = string })), []) resources = optional(list(string)) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [service_perimeters_bridge](variables.tf#L131) | Bridge service perimeters. | <code title="map(object({ spec_resources = optional(list(string)) status_resources = optional(list(string)) use_explicit_dry_run_spec = optional(bool, false) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [service_perimeters_regular](variables.tf#L141) | Regular service perimeters. | <code title="map(object({ spec = optional(object({ access_levels = optional(list(string)) resources = optional(list(string)) restricted_services = optional(list(string)) egress_policies = optional(list(string)) ingress_policies = optional(list(string)) vpc_accessible_services = optional(object({ allowed_services = list(string) enable_restriction = bool })) })) status = optional(object({ access_levels = optional(list(string)) resources = optional(list(string)) restricted_services = optional(list(string)) egress_policies = optional(list(string)) ingress_policies = optional(list(string)) vpc_accessible_services = optional(object({ allowed_services = list(string) enable_restriction = bool })) })) use_explicit_dry_run_spec = optional(bool, false) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
@ -25,4 +25,5 @@ resource "google_access_context_manager_access_policy" "default" {
|
|||
count = var.access_policy_create != null ? 1 : 0
|
||||
parent = var.access_policy_create.parent
|
||||
title = var.access_policy_create.title
|
||||
scopes = var.access_policy_create.scopes
|
||||
}
|
||||
|
|
|
@ -59,10 +59,11 @@ variable "access_policy" {
|
|||
}
|
||||
|
||||
variable "access_policy_create" {
|
||||
description = "Access Policy configuration, fill in to create. Parent is in 'organizations/123456' format."
|
||||
description = "Access Policy configuration, fill in to create. Parent is in 'organizations/123456' format, scopes are in 'folders/456789' or 'projects/project_id' format."
|
||||
type = object({
|
||||
parent = string
|
||||
title = string
|
||||
scopes = optional(list(string), null)
|
||||
})
|
||||
default = null
|
||||
}
|
||||
|
|
|
@ -13,5 +13,5 @@
|
|||
# limitations under the License.
|
||||
|
||||
counts:
|
||||
modules: 9
|
||||
resources: 37
|
||||
modules: 17
|
||||
resources: 59
|
||||
|
|
|
@ -22,4 +22,4 @@ def test_resources(e2e_plan_runner):
|
|||
"Test that plan works and the numbers of resources is as expected."
|
||||
modules, resources = e2e_plan_runner(FIXTURES_DIR)
|
||||
assert len(modules) == 7
|
||||
assert len(resources) == 37
|
||||
assert len(resources) == 38
|
||||
|
|
|
@ -16,4 +16,4 @@ def test_resources(e2e_plan_runner):
|
|||
"Test that plan works and the numbers of resources is as expected."
|
||||
modules, resources = e2e_plan_runner()
|
||||
assert len(modules) == 12
|
||||
assert len(resources) == 53
|
||||
assert len(resources) == 55
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# Copyright 2022 Google LLC
|
||||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
|
@ -21,7 +21,7 @@ import marko
|
|||
|
||||
FABRIC_ROOT = Path(__file__).parents[2]
|
||||
|
||||
FILE_TEST_RE = re.compile(r'# tftest-file +id=(\w+) +path=([\S]+)')
|
||||
FILE_TEST_RE = re.compile(r'# tftest-file +id=([\w_.-]+) +path=([\S]+)')
|
||||
|
||||
Example = collections.namedtuple('Example', 'name code module files')
|
||||
File = collections.namedtuple('File', 'path content')
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# Copyright 2022 Google LLC
|
||||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
|
@ -18,7 +18,7 @@ from pathlib import Path
|
|||
|
||||
BASE_PATH = Path(__file__).parent
|
||||
COUNT_TEST_RE = re.compile(r'# tftest +modules=(\d+) +resources=(\d+)' +
|
||||
r'(?: +files=([\w,-.]+))?' +
|
||||
r'(?: +files=([\w,_-]+))?' +
|
||||
r'(?: +inventory=([\w\-.]+))?')
|
||||
|
||||
|
||||
|
|
|
@ -0,0 +1,42 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.gateway.google_api_gateway_api.api:
|
||||
api_id: api
|
||||
display_name: api
|
||||
project: my-project
|
||||
module.gateway.google_api_gateway_api_config.api_config:
|
||||
api: api
|
||||
gateway_config: []
|
||||
grpc_services: []
|
||||
labels: null
|
||||
managed_service_configs: []
|
||||
project: my-project
|
||||
module.gateway.google_api_gateway_gateway.gateway:
|
||||
display_name: gw-api
|
||||
gateway_id: gw-api
|
||||
labels: null
|
||||
project: my-project
|
||||
region: europe-west1
|
||||
module.gateway.google_project_service.service:
|
||||
disable_dependent_services: true
|
||||
disable_on_destroy: true
|
||||
project: my-project
|
||||
|
||||
counts:
|
||||
google_api_gateway_api: 1
|
||||
google_api_gateway_api_config: 1
|
||||
google_api_gateway_gateway: 1
|
||||
google_project_service: 1
|
|
@ -0,0 +1,90 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.gateway.google_api_gateway_api.api:
|
||||
api_id: api
|
||||
display_name: api
|
||||
labels: null
|
||||
project: my-project
|
||||
module.gateway.google_api_gateway_api_config.api_config:
|
||||
api: api
|
||||
grpc_services: []
|
||||
labels: null
|
||||
managed_service_configs: []
|
||||
project: my-project
|
||||
module.gateway.google_api_gateway_api_config_iam_binding.api_config_iam_bindings["roles/apigateway.admin"]:
|
||||
api: api
|
||||
condition: []
|
||||
members:
|
||||
- user:mirene@google.com
|
||||
project: my-project
|
||||
role: roles/apigateway.admin
|
||||
module.gateway.google_api_gateway_api_config_iam_binding.api_config_iam_bindings["roles/apigateway.viewer"]:
|
||||
api: api
|
||||
condition: []
|
||||
members:
|
||||
- user:mirene@google.com
|
||||
project: my-project
|
||||
role: roles/apigateway.viewer
|
||||
module.gateway.google_api_gateway_api_iam_binding.api_iam_bindings["roles/apigateway.admin"]:
|
||||
api: api
|
||||
condition: []
|
||||
members:
|
||||
- user:mirene@google.com
|
||||
project: my-project
|
||||
role: roles/apigateway.admin
|
||||
module.gateway.google_api_gateway_api_iam_binding.api_iam_bindings["roles/apigateway.viewer"]:
|
||||
api: api
|
||||
condition: []
|
||||
members:
|
||||
- user:mirene@google.com
|
||||
project: my-project
|
||||
role: roles/apigateway.viewer
|
||||
module.gateway.google_api_gateway_gateway.gateway:
|
||||
display_name: gw-api
|
||||
gateway_id: gw-api
|
||||
labels: null
|
||||
project: my-project
|
||||
region: europe-west1
|
||||
module.gateway.google_api_gateway_gateway_iam_binding.gateway_iam_bindings["roles/apigateway.admin"]:
|
||||
condition: []
|
||||
gateway: gw-api
|
||||
members:
|
||||
- user:mirene@google.com
|
||||
project: my-project
|
||||
region: europe-west1
|
||||
role: roles/apigateway.admin
|
||||
module.gateway.google_api_gateway_gateway_iam_binding.gateway_iam_bindings["roles/apigateway.viewer"]:
|
||||
condition: []
|
||||
gateway: gw-api
|
||||
members:
|
||||
- user:mirene@google.com
|
||||
project: my-project
|
||||
region: europe-west1
|
||||
role: roles/apigateway.viewer
|
||||
module.gateway.google_project_service.service: {}
|
||||
module.gateway.google_service_account.service_account[0]:
|
||||
account_id: sa-api-cfg-api
|
||||
project: my-project
|
||||
|
||||
counts:
|
||||
google_api_gateway_api: 1
|
||||
google_api_gateway_api_config: 1
|
||||
google_api_gateway_api_config_iam_binding: 2
|
||||
google_api_gateway_api_iam_binding: 2
|
||||
google_api_gateway_gateway: 1
|
||||
google_api_gateway_gateway_iam_binding: 2
|
||||
google_project_service: 1
|
||||
google_service_account: 1
|
|
@ -0,0 +1,71 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.gateway.google_api_gateway_api.api:
|
||||
api_id: api
|
||||
display_name: api
|
||||
labels: null
|
||||
project: my-project
|
||||
module.gateway.google_api_gateway_api_config.api_config:
|
||||
api: api
|
||||
gateway_config:
|
||||
- backend_config:
|
||||
- google_service_account: sa@my-project.iam.gserviceaccount.com
|
||||
grpc_services: []
|
||||
labels: null
|
||||
managed_service_configs: []
|
||||
project: my-project
|
||||
module.gateway.google_api_gateway_api_config_iam_binding.api_config_iam_bindings["roles/apigateway.admin"]:
|
||||
api: api
|
||||
api_config: api-cfg-api-8656c6040d6d9ba18a8b9b5f3955c223
|
||||
condition: []
|
||||
members:
|
||||
- user:user@example.com
|
||||
project: my-project
|
||||
role: roles/apigateway.admin
|
||||
module.gateway.google_api_gateway_api_iam_binding.api_iam_bindings["roles/apigateway.admin"]:
|
||||
api: api
|
||||
condition: []
|
||||
members:
|
||||
- user:user@example.com
|
||||
project: my-project
|
||||
role: roles/apigateway.admin
|
||||
module.gateway.google_api_gateway_gateway.gateway:
|
||||
display_name: gw-api
|
||||
gateway_id: gw-api
|
||||
labels: null
|
||||
project: my-project
|
||||
region: europe-west1
|
||||
module.gateway.google_api_gateway_gateway_iam_binding.gateway_iam_bindings["roles/apigateway.admin"]:
|
||||
condition: []
|
||||
gateway: gw-api
|
||||
members:
|
||||
- user:user@example.com
|
||||
project: my-project
|
||||
region: europe-west1
|
||||
role: roles/apigateway.admin
|
||||
module.gateway.google_project_service.service:
|
||||
disable_dependent_services: true
|
||||
disable_on_destroy: true
|
||||
project: my-project
|
||||
|
||||
counts:
|
||||
google_api_gateway_api: 1
|
||||
google_api_gateway_api_config: 1
|
||||
google_api_gateway_api_config_iam_binding: 1
|
||||
google_api_gateway_api_iam_binding: 1
|
||||
google_api_gateway_gateway: 1
|
||||
google_api_gateway_gateway_iam_binding: 1
|
||||
google_project_service: 1
|
|
@ -1,26 +0,0 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
module "gateway" {
|
||||
source = "../../../../modules/api-gateway"
|
||||
api_id = var.api_id
|
||||
project_id = var.project_id
|
||||
labels = var.labels
|
||||
iam = var.iam
|
||||
region = var.region
|
||||
spec = var.spec
|
||||
service_account_create = true
|
||||
}
|
|
@ -1,55 +0,0 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
variable "api_id" {
|
||||
type = string
|
||||
default = "my-api"
|
||||
}
|
||||
|
||||
variable "iam" {
|
||||
type = map(list(string))
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "labels" {
|
||||
type = map(string)
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "project_id" {
|
||||
type = string
|
||||
default = "my-project"
|
||||
}
|
||||
|
||||
variable "region" {
|
||||
type = string
|
||||
default = "europe-west1"
|
||||
}
|
||||
|
||||
variable "service_account_create" {
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "service_account_email" {
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "spec" {
|
||||
type = string
|
||||
default = "Spec contents"
|
||||
}
|
|
@ -0,0 +1,34 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.private-dns.google_dns_managed_zone.non-public[0]:
|
||||
dns_name: test.example.
|
||||
forwarding_config:
|
||||
- target_name_servers:
|
||||
- forwarding_path: ''
|
||||
ipv4_address: 10.0.1.1
|
||||
- forwarding_path: private
|
||||
ipv4_address: 1.2.3.4
|
||||
name: test-example
|
||||
private_visibility_config:
|
||||
- gke_clusters: []
|
||||
networks:
|
||||
- network_url: projects/xxx/global/networks/aaa
|
||||
project: myproject
|
||||
visibility: private
|
||||
|
||||
counts:
|
||||
google_dns_managed_zone: 1
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
# Copyright 2022 Google LLC
|
||||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
|
@ -13,24 +13,22 @@
|
|||
# limitations under the License.
|
||||
|
||||
values:
|
||||
google_compute_network.network[0]:
|
||||
auto_create_subnetworks: false
|
||||
delete_default_routes_on_create: false
|
||||
description: Terraform-managed.
|
||||
name: test
|
||||
project: test-project
|
||||
routing_mode: GLOBAL
|
||||
module.private-dns.google_dns_managed_zone.non-public[0]:
|
||||
description: Forwarding zone for .
|
||||
dns_name: .
|
||||
forwarding_config: []
|
||||
name: test-example
|
||||
peering_config:
|
||||
- target_network:
|
||||
- network_url: projects/xxx/global/networks/ccc
|
||||
private_visibility_config:
|
||||
- gke_clusters: []
|
||||
networks:
|
||||
- network_url: projects/xxx/global/networks/aaa
|
||||
project: myproject
|
||||
visibility: private
|
||||
|
||||
counts:
|
||||
google_compute_network: 1
|
||||
google_dns_managed_zone: 1
|
||||
|
||||
outputs:
|
||||
bindings: {}
|
||||
project_id: test-project
|
||||
subnet_ips: {}
|
||||
subnet_regions: {}
|
||||
subnet_secondary_ranges: {}
|
||||
subnet_self_links: {}
|
||||
subnets: {}
|
||||
subnets_proxy_only: {}
|
||||
subnets_psc: {}
|
||||
outputs: {}
|
|
@ -0,0 +1,50 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.private-dns.google_dns_managed_zone.non-public[0]:
|
||||
description: Terraform managed.
|
||||
dns_name: test.example.
|
||||
force_destroy: false
|
||||
forwarding_config: []
|
||||
name: test-example
|
||||
peering_config: []
|
||||
private_visibility_config:
|
||||
- gke_clusters: []
|
||||
networks:
|
||||
- network_url: projects/xxx/global/networks/aaa
|
||||
project: myproject
|
||||
visibility: private
|
||||
module.private-dns.google_dns_record_set.cloud-static-records["A localhost"]:
|
||||
managed_zone: test-example
|
||||
name: localhost.test.example.
|
||||
project: myproject
|
||||
routing_policy: []
|
||||
rrdatas:
|
||||
- 127.0.0.1
|
||||
ttl: 300
|
||||
type: A
|
||||
module.private-dns.google_dns_record_set.cloud-static-records["A myhost"]:
|
||||
managed_zone: test-example
|
||||
name: myhost.test.example.
|
||||
project: myproject
|
||||
routing_policy: []
|
||||
rrdatas:
|
||||
- 10.0.0.120
|
||||
ttl: 600
|
||||
type: A
|
||||
|
||||
counts:
|
||||
google_dns_managed_zone: 1
|
||||
google_dns_record_set: 2
|
|
@ -0,0 +1,38 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.public-dns.google_dns_managed_zone.public[0]:
|
||||
dns_name: example.com.
|
||||
name: example
|
||||
project: myproject
|
||||
visibility: public
|
||||
module.public-dns.google_dns_record_set.cloud-static-records["A myhost"]:
|
||||
managed_zone: example
|
||||
name: myhost.example.com.
|
||||
project: myproject
|
||||
routing_policy: []
|
||||
rrdatas:
|
||||
- 127.0.0.1
|
||||
ttl: 300
|
||||
type: A
|
||||
|
||||
counts:
|
||||
google_dns_keys: 1
|
||||
google_dns_managed_zone: 1
|
||||
google_dns_record_set: 1
|
||||
modules: 1
|
||||
resources: 3
|
||||
|
||||
outputs: {}
|
|
@ -1,4 +1,4 @@
|
|||
# Copyright 2022 Google LLC
|
||||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
|
@ -12,12 +12,16 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
region: europe-west1
|
||||
description: Sample description
|
||||
ip_cidr_range: 10.128.0.0/24
|
||||
enable_private_access: false
|
||||
iam_users: ["foobar@example.com"]
|
||||
iam_groups: ["lorem@example.com"]
|
||||
iam_service_accounts: ["foobar@project-id.iam.gserviceaccount.com"]
|
||||
secondary_ip_ranges:
|
||||
secondary-range-a: 192.168.128.0/24
|
||||
values:
|
||||
module.private-dns.google_dns_managed_zone.non-public[0]:
|
||||
description: Terraform managed.
|
||||
dns_name: 0.0.10.in-addr.arpa.
|
||||
name: test-example
|
||||
project: myproject
|
||||
reverse_lookup: true
|
||||
visibility: private
|
||||
|
||||
counts:
|
||||
google_dns_managed_zone: 1
|
||||
|
||||
outputs: {}
|
|
@ -0,0 +1,80 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.private-dns.google_dns_managed_zone.non-public[0]:
|
||||
dns_name: test.example.
|
||||
name: test-example
|
||||
project: myproject
|
||||
module.private-dns.google_dns_record_set.cloud-geo-records["A geo"]:
|
||||
managed_zone: test-example
|
||||
name: geo.test.example.
|
||||
project: myproject
|
||||
routing_policy:
|
||||
- enable_geo_fencing: null
|
||||
geo:
|
||||
- health_checked_targets: []
|
||||
location: europe-west1
|
||||
rrdatas:
|
||||
- 10.0.0.1
|
||||
- health_checked_targets: []
|
||||
location: europe-west2
|
||||
rrdatas:
|
||||
- 10.0.0.2
|
||||
- health_checked_targets: []
|
||||
location: europe-west3
|
||||
rrdatas:
|
||||
- 10.0.0.3
|
||||
primary_backup: []
|
||||
wrr: []
|
||||
rrdatas: null
|
||||
ttl: 300
|
||||
type: A
|
||||
module.private-dns.google_dns_record_set.cloud-static-records["A regular"]:
|
||||
managed_zone: test-example
|
||||
name: regular.test.example.
|
||||
project: myproject
|
||||
routing_policy: []
|
||||
rrdatas:
|
||||
- 10.20.0.1
|
||||
ttl: 300
|
||||
type: A
|
||||
module.private-dns.google_dns_record_set.cloud-wrr-records["A wrr"]:
|
||||
managed_zone: test-example
|
||||
name: wrr.test.example.
|
||||
project: myproject
|
||||
routing_policy:
|
||||
- enable_geo_fencing: null
|
||||
geo: []
|
||||
primary_backup: []
|
||||
wrr:
|
||||
- health_checked_targets: []
|
||||
rrdatas:
|
||||
- 10.10.0.1
|
||||
weight: 0.6
|
||||
- health_checked_targets: []
|
||||
rrdatas:
|
||||
- 10.10.0.2
|
||||
weight: 0.2
|
||||
- health_checked_targets: []
|
||||
rrdatas:
|
||||
- 10.10.0.3
|
||||
weight: 0.2
|
||||
rrdatas: null
|
||||
ttl: 600
|
||||
type: A
|
||||
|
||||
counts:
|
||||
google_dns_managed_zone: 1
|
||||
google_dns_record_set: 3
|
|
@ -1,62 +0,0 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
variable "client_networks" {
|
||||
type = list(string)
|
||||
default = [
|
||||
"https://www.googleapis.com/compute/v1/projects/my-project/global/networks/default"
|
||||
]
|
||||
}
|
||||
|
||||
variable "forwarders" {
|
||||
type = map(string)
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "peer_network" {
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "recordsets" {
|
||||
type = any
|
||||
default = {
|
||||
"A localhost" = { ttl = 300, records = ["127.0.0.1"] }
|
||||
"A local-host.test.example." = { ttl = 300, records = ["127.0.0.2"] }
|
||||
"CNAME *" = { ttl = 300, records = ["localhost.example.org."] }
|
||||
"A " = { ttl = 300, records = ["127.0.0.3"] }
|
||||
"A geo" = {
|
||||
geo_routing = [
|
||||
{ location = "europe-west1", records = ["127.0.0.4"] },
|
||||
{ location = "europe-west2", records = ["127.0.0.5"] },
|
||||
{ location = "europe-west3", records = ["127.0.0.6"] }
|
||||
]
|
||||
}
|
||||
"A wrr" = {
|
||||
ttl = 600
|
||||
wrr_routing = [
|
||||
{ weight = 0.6, records = ["127.0.0.7"] },
|
||||
{ weight = 0.2, records = ["127.0.0.8"] },
|
||||
{ weight = 0.2, records = ["127.0.0.9"] }
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
variable "type" {
|
||||
type = string
|
||||
default = "private"
|
||||
}
|
|
@ -0,0 +1,5 @@
|
|||
type = "private"
|
||||
domain = "test.example."
|
||||
name = "test"
|
||||
project_id = "my-project"
|
||||
client_networks = []
|
|
@ -1,4 +1,4 @@
|
|||
# Copyright 2022 Google LLC
|
||||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
|
@ -13,18 +13,13 @@
|
|||
# limitations under the License.
|
||||
|
||||
values:
|
||||
google_storage_bucket.bucket:
|
||||
google_dns_managed_zone.non-public[0]:
|
||||
dns_name: test.example.
|
||||
name: test
|
||||
|
||||
google_storage_bucket_iam_binding.bindings["roles/storage.admin"]:
|
||||
bucket: test
|
||||
condition: []
|
||||
members:
|
||||
- user:a@example.org
|
||||
role: roles/storage.admin
|
||||
private_visibility_config: []
|
||||
visibility: private
|
||||
|
||||
counts:
|
||||
google_storage_bucket: 1
|
||||
google_storage_bucket_iam_binding: 1
|
||||
google_dns_managed_zone: 1
|
||||
modules: 0
|
||||
resources: 2
|
||||
resources: 1
|
|
@ -0,0 +1,4 @@
|
|||
type = "forwarding"
|
||||
domain = "test.example."
|
||||
name = "test"
|
||||
project_id = "my-project"
|
|
@ -1,4 +1,4 @@
|
|||
# Copyright 2022 Google LLC
|
||||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
|
@ -12,6 +12,9 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
region: europe-west4
|
||||
description: Sample description
|
||||
ip_cidr_range: 10.129.0.0/24
|
||||
values:
|
||||
google_dns_managed_zone.non-public[0]:
|
||||
forwarding_config: []
|
||||
|
||||
counts:
|
||||
google_dns_managed_zone: 1
|
|
@ -1,138 +0,0 @@
|
|||
# Copyright 2022 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
|
||||
def test_private(plan_runner):
|
||||
"Test private zone with three recordsets."
|
||||
_, resources = plan_runner()
|
||||
assert len(resources) == 7
|
||||
assert set(r['type'] for r in resources) == {
|
||||
'google_dns_record_set', 'google_dns_managed_zone'
|
||||
}
|
||||
for r in resources:
|
||||
if r['type'] != 'google_dns_managed_zone':
|
||||
continue
|
||||
assert r['values']['visibility'] == 'private'
|
||||
assert len(r['values']['private_visibility_config']) == 1
|
||||
|
||||
|
||||
def test_private_recordsets(plan_runner):
|
||||
"Test recordsets in private zone."
|
||||
_, resources = plan_runner()
|
||||
recordsets = [
|
||||
r['values'] for r in resources if r['type'] == 'google_dns_record_set'
|
||||
]
|
||||
|
||||
assert set(r['name'] for r in recordsets) == {
|
||||
'localhost.test.example.', 'local-host.test.example.', '*.test.example.',
|
||||
"test.example.", "geo.test.example.", "wrr.test.example."
|
||||
}
|
||||
|
||||
for r in recordsets:
|
||||
if r['name'] not in ['wrr.test.example.', 'geo.test.example.']:
|
||||
assert r['routing_policy'] == []
|
||||
assert r['rrdatas'] != []
|
||||
|
||||
|
||||
def test_routing_policies(plan_runner):
|
||||
"Test recordsets with routing policies."
|
||||
_, resources = plan_runner()
|
||||
recordsets = [
|
||||
r['values'] for r in resources if r['type'] == 'google_dns_record_set'
|
||||
]
|
||||
geo_zone = [
|
||||
r['values'] for r in resources if r['address'] ==
|
||||
'module.test.google_dns_record_set.cloud-geo-records["A geo"]'
|
||||
][0]
|
||||
assert geo_zone['name'] == 'geo.test.example.'
|
||||
assert geo_zone['routing_policy'][0]['wrr'] == []
|
||||
geo_policy = geo_zone['routing_policy'][0]['geo']
|
||||
assert geo_policy[0]['location'] == 'europe-west1'
|
||||
assert geo_policy[0]['rrdatas'] == ['127.0.0.4']
|
||||
assert geo_policy[1]['location'] == 'europe-west2'
|
||||
assert geo_policy[1]['rrdatas'] == ['127.0.0.5']
|
||||
assert geo_policy[2]['location'] == 'europe-west3'
|
||||
assert geo_policy[2]['rrdatas'] == ['127.0.0.6']
|
||||
|
||||
wrr_zone = [
|
||||
r['values'] for r in resources if r['address'] ==
|
||||
'module.test.google_dns_record_set.cloud-wrr-records["A wrr"]'
|
||||
][0]
|
||||
assert wrr_zone['name'] == 'wrr.test.example.'
|
||||
wrr_policy = wrr_zone['routing_policy'][0]['wrr']
|
||||
assert wrr_policy[0]['weight'] == 0.6
|
||||
assert wrr_policy[0]['rrdatas'] == ['127.0.0.7']
|
||||
assert wrr_policy[1]['weight'] == 0.2
|
||||
assert wrr_policy[1]['rrdatas'] == ['127.0.0.8']
|
||||
assert wrr_policy[2]['weight'] == 0.2
|
||||
assert wrr_policy[2]['rrdatas'] == ['127.0.0.9']
|
||||
assert wrr_zone['routing_policy'][0]['geo'] == []
|
||||
|
||||
|
||||
def test_private_no_networks(plan_runner):
|
||||
"Test private zone not exposed to any network."
|
||||
_, resources = plan_runner(client_networks='[]')
|
||||
for r in resources:
|
||||
if r['type'] != 'google_dns_managed_zone':
|
||||
continue
|
||||
assert r['values']['visibility'] == 'private'
|
||||
assert len(r['values']['private_visibility_config']) == 0
|
||||
|
||||
|
||||
def test_forwarding_recordsets_null_forwarders(plan_runner):
|
||||
"Test forwarding zone with wrong set of attributes does not break."
|
||||
_, resources = plan_runner(type='forwarding')
|
||||
assert len(resources) == 1
|
||||
resource = resources[0]
|
||||
assert resource['type'] == 'google_dns_managed_zone'
|
||||
assert resource['values']['forwarding_config'] == []
|
||||
|
||||
|
||||
def test_forwarding(plan_runner):
|
||||
"Test forwarding zone with single forwarder."
|
||||
_, resources = plan_runner(type='forwarding', recordsets='null',
|
||||
forwarders='{ "1.2.3.4" = null }')
|
||||
assert len(resources) == 1
|
||||
resource = resources[0]
|
||||
assert resource['type'] == 'google_dns_managed_zone'
|
||||
assert resource['values']['forwarding_config'] == [{
|
||||
'target_name_servers': [{
|
||||
'forwarding_path': '',
|
||||
'ipv4_address': '1.2.3.4'
|
||||
}]
|
||||
}]
|
||||
|
||||
|
||||
def test_peering(plan_runner):
|
||||
"Test peering zone."
|
||||
_, resources = plan_runner(type='peering', recordsets='null',
|
||||
peer_network='dummy-vpc-self-link')
|
||||
assert len(resources) == 1
|
||||
resource = resources[0]
|
||||
assert resource['type'] == 'google_dns_managed_zone'
|
||||
assert resource['values']['peering_config'] == [{
|
||||
'target_network': [{
|
||||
'network_url': 'dummy-vpc-self-link'
|
||||
}]
|
||||
}]
|
||||
|
||||
|
||||
def test_public(plan_runner):
|
||||
"Test public zone with two recordsets."
|
||||
_, resources = plan_runner(type='public')
|
||||
for r in resources:
|
||||
if r['type'] != 'google_dns_managed_zone':
|
||||
continue
|
||||
assert r['values']['visibility'] == 'public'
|
||||
assert r['values']['private_visibility_config'] == []
|
|
@ -1,4 +1,4 @@
|
|||
# Copyright 2022 Google LLC
|
||||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
|
@ -12,9 +12,8 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
module: modules/gcs
|
||||
common_tfvars:
|
||||
- common.tfvars
|
||||
module: modules/dns
|
||||
|
||||
tests:
|
||||
prefix:
|
||||
iam:
|
||||
no_clients:
|
||||
null_forwarders:
|
|
@ -1,13 +0,0 @@
|
|||
force_destroy = true
|
||||
labels = { environment = "test" }
|
||||
logging_config = {
|
||||
log_bucket = "foo"
|
||||
}
|
||||
name = "test"
|
||||
project_id = "test-project"
|
||||
retention_policy = {
|
||||
retention_period = 5
|
||||
is_locked = false
|
||||
}
|
||||
storage_class = "MULTI_REGIONAL"
|
||||
versioning = true
|
|
@ -1,4 +1,4 @@
|
|||
# Copyright 2022 Google LLC
|
||||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
|
@ -12,8 +12,12 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.bucket.google_storage_bucket.bucket:
|
||||
encryption:
|
||||
- default_kms_key_name: my-encryption-key
|
||||
name: my-bucket
|
||||
project: myproject
|
||||
|
||||
def test_resource_count(plan_runner):
|
||||
"Test number of resources created."
|
||||
_, resources = plan_runner()
|
||||
assert len(resources) == 5
|
||||
counts:
|
||||
google_storage_bucket: 1
|
|
@ -1,4 +1,4 @@
|
|||
# Copyright 2022 Google LLC
|
||||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
|
@ -13,32 +13,26 @@
|
|||
# limitations under the License.
|
||||
|
||||
values:
|
||||
google_storage_bucket.bucket:
|
||||
force_destroy: true
|
||||
labels:
|
||||
environment: test
|
||||
location: EU
|
||||
logging:
|
||||
- log_bucket: foo
|
||||
name: foo-test
|
||||
project: test-project
|
||||
retention_policy:
|
||||
- is_locked: false
|
||||
retention_period: 5
|
||||
storage_class: MULTI_REGIONAL
|
||||
uniform_bucket_level_access: true
|
||||
versioning:
|
||||
- enabled: true
|
||||
module.bucket.google_storage_bucket.bucket:
|
||||
lifecycle_rule:
|
||||
- action:
|
||||
- storage_class: STANDARD
|
||||
type: SetStorageClass
|
||||
condition:
|
||||
- age: 30
|
||||
created_before: ''
|
||||
custom_time_before: ''
|
||||
days_since_custom_time: null
|
||||
days_since_noncurrent_time: null
|
||||
matches_prefix: []
|
||||
matches_storage_class: []
|
||||
matches_suffix: []
|
||||
noncurrent_time_before: ''
|
||||
num_newer_versions: null
|
||||
name: my-bucket
|
||||
project: myproject
|
||||
|
||||
counts:
|
||||
google_storage_bucket: 1
|
||||
modules: 0
|
||||
resources: 1
|
||||
|
||||
outputs:
|
||||
bucket: __missing__
|
||||
id: foo-test
|
||||
name: foo-test
|
||||
notification: null
|
||||
topic: null
|
||||
url: __missing__
|
||||
outputs: {}
|
|
@ -0,0 +1,31 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.bucket-gcs-notification.google_pubsub_topic.topic[0]: {}
|
||||
module.bucket-gcs-notification.google_pubsub_topic_iam_binding.binding[0]: {}
|
||||
module.bucket-gcs-notification.google_storage_bucket.bucket:
|
||||
name: my-bucket
|
||||
project: myproject
|
||||
module.bucket-gcs-notification.google_storage_notification.notification[0]:
|
||||
bucket: my-bucket
|
||||
event_types:
|
||||
- OBJECT_FINALIZE
|
||||
payload_format: JSON_API_V1
|
||||
|
||||
counts:
|
||||
google_pubsub_topic: 1
|
||||
google_pubsub_topic_iam_binding: 1
|
||||
google_storage_bucket: 1
|
||||
google_storage_notification: 1
|
|
@ -0,0 +1,26 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.bucket.google_storage_bucket.bucket:
|
||||
logging:
|
||||
- log_bucket: log-bucket
|
||||
name: my-bucket
|
||||
project: myproject
|
||||
retention_policy:
|
||||
- is_locked: true
|
||||
retention_period: 100
|
||||
|
||||
counts:
|
||||
google_storage_bucket: 1
|
|
@ -0,0 +1,46 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.bucket.google_storage_bucket.bucket:
|
||||
autoclass: []
|
||||
cors: []
|
||||
custom_placement_config: []
|
||||
default_event_based_hold: null
|
||||
encryption: []
|
||||
force_destroy: false
|
||||
labels:
|
||||
cost-center: devops
|
||||
lifecycle_rule: []
|
||||
location: EU
|
||||
logging: []
|
||||
name: test-my-bucket
|
||||
project: myproject
|
||||
requester_pays: null
|
||||
retention_policy: []
|
||||
storage_class: MULTI_REGIONAL
|
||||
timeouts: null
|
||||
uniform_bucket_level_access: true
|
||||
versioning:
|
||||
- enabled: true
|
||||
module.bucket.google_storage_bucket_iam_binding.bindings["roles/storage.admin"]:
|
||||
bucket: test-my-bucket
|
||||
condition: []
|
||||
members:
|
||||
- group:storage@example.com
|
||||
role: roles/storage.admin
|
||||
|
||||
counts:
|
||||
google_storage_bucket: 1
|
||||
google_storage_bucket_iam_binding: 1
|
|
@ -1,3 +0,0 @@
|
|||
iam = {
|
||||
"roles/storage.admin" = ["user:a@example.org"]
|
||||
}
|
|
@ -1 +0,0 @@
|
|||
prefix = "foo"
|
|
@ -0,0 +1,32 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.cluster-autopilot.google_container_cluster.cluster:
|
||||
enable_autopilot: true
|
||||
ip_allocation_policy:
|
||||
- cluster_secondary_range_name: pods
|
||||
services_secondary_range_name: services
|
||||
location: europe-west1-b
|
||||
master_authorized_networks_config:
|
||||
- cidr_blocks:
|
||||
- cidr_block: 10.0.0.0/8
|
||||
display_name: internal-vms
|
||||
name: cluster-autopilot
|
||||
network: projects/xxx/global/networks/aaa
|
||||
project: myproject
|
||||
subnetwork: subnet_self_link
|
||||
|
||||
counts:
|
||||
google_container_cluster: 1
|
|
@ -0,0 +1,42 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.cluster-1.google_container_cluster.cluster:
|
||||
default_max_pods_per_node: 32
|
||||
ip_allocation_policy:
|
||||
- cluster_secondary_range_name: pods
|
||||
services_secondary_range_name: services
|
||||
location: europe-west1-b
|
||||
master_authorized_networks_config:
|
||||
- cidr_blocks:
|
||||
- cidr_block: 10.0.0.0/8
|
||||
display_name: internal-vms
|
||||
name: cluster-1
|
||||
network: projects/xxx/global/networks/aaa
|
||||
private_cluster_config:
|
||||
- enable_private_endpoint: true
|
||||
enable_private_nodes: true
|
||||
master_global_access_config:
|
||||
- enabled: false
|
||||
master_ipv4_cidr_block: 192.168.0.0/28
|
||||
private_endpoint_subnetwork: null
|
||||
project: myproject
|
||||
remove_default_node_pool: true
|
||||
resource_labels:
|
||||
environment: dev
|
||||
subnetwork: subnet_self_link
|
||||
|
||||
counts:
|
||||
google_container_cluster: 1
|
|
@ -0,0 +1,45 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.cluster-1.google_container_cluster.cluster:
|
||||
datapath_provider: ADVANCED_DATAPATH
|
||||
ip_allocation_policy:
|
||||
- cluster_secondary_range_name: pods
|
||||
services_secondary_range_name: services
|
||||
location: europe-west1-b
|
||||
master_authorized_networks_config:
|
||||
- cidr_blocks:
|
||||
- cidr_block: 10.0.0.0/8
|
||||
display_name: internal-vms
|
||||
min_master_version: null
|
||||
name: cluster-dataplane-v2
|
||||
network: projects/xxx/global/networks/aaa
|
||||
private_cluster_config:
|
||||
- enable_private_endpoint: true
|
||||
enable_private_nodes: true
|
||||
master_global_access_config:
|
||||
- enabled: false
|
||||
master_ipv4_cidr_block: 192.168.0.0/28
|
||||
private_endpoint_subnetwork: null
|
||||
project: myproject
|
||||
remove_default_node_pool: true
|
||||
resource_labels:
|
||||
environment: dev
|
||||
subnetwork: subnet_self_link
|
||||
workload_identity_config:
|
||||
- workload_pool: myproject.svc.id.goog
|
||||
|
||||
counts:
|
||||
google_container_cluster: 1
|
|
@ -1,43 +0,0 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
variable "enable_addons" {
|
||||
type = any
|
||||
default = {
|
||||
horizontal_pod_autoscaling = true
|
||||
http_load_balancing = true
|
||||
}
|
||||
}
|
||||
|
||||
variable "enable_features" {
|
||||
type = any
|
||||
default = {
|
||||
workload_identity = true
|
||||
}
|
||||
}
|
||||
|
||||
variable "monitoring_config" {
|
||||
type = any
|
||||
default = {
|
||||
managed_prometheus = true
|
||||
}
|
||||
}
|
||||
|
||||
variable "tags" {
|
||||
description = "Network tags applied to nodes."
|
||||
type = list(string)
|
||||
default = null
|
||||
}
|
|
@ -1,38 +0,0 @@
|
|||
# Copyright 2022 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
|
||||
def test_standard(plan_runner):
|
||||
"Test resources created with variable defaults."
|
||||
_, resources = plan_runner()
|
||||
assert len(resources) == 1
|
||||
|
||||
cluster_config = resources[0]['values']
|
||||
assert cluster_config['name'] == "cluster-1"
|
||||
assert cluster_config['network'] == "mynetwork"
|
||||
assert cluster_config['subnetwork'] == "mysubnet"
|
||||
assert cluster_config['enable_autopilot'] is None
|
||||
# assert 'service_account' not in node_config
|
||||
|
||||
|
||||
def test_autopilot(plan_runner):
|
||||
"Test resources created with variable defaults."
|
||||
_, resources = plan_runner(enable_features='{ autopilot=true }')
|
||||
assert len(resources) == 1
|
||||
cluster_config = resources[0]['values']
|
||||
assert cluster_config['name'] == "cluster-1"
|
||||
assert cluster_config['network'] == "mynetwork"
|
||||
assert cluster_config['subnetwork'] == "mysubnet"
|
||||
assert cluster_config['enable_autopilot'] == True
|
||||
# assert 'service_account' not in node_config
|
|
@ -31,7 +31,7 @@ variable "features" {
|
|||
configmanagement = true
|
||||
identityservice = false
|
||||
multiclusteringress = null
|
||||
servicemesh = false
|
||||
servicemesh = true
|
||||
multiclusterservicediscovery = false
|
||||
}
|
||||
}
|
||||
|
|
|
@ -23,11 +23,14 @@ def resources(plan_runner):
|
|||
|
||||
def test_resource_count(resources):
|
||||
"Test number of resources created."
|
||||
assert len(resources) == 5
|
||||
assert len(resources) == 8
|
||||
assert sorted(r['address'] for r in resources) == [
|
||||
'module.hub.google_gke_hub_feature.default["configmanagement"]',
|
||||
'module.hub.google_gke_hub_feature.default["servicemesh"]',
|
||||
'module.hub.google_gke_hub_feature_membership.default["cluster-1"]',
|
||||
'module.hub.google_gke_hub_feature_membership.default["cluster-2"]',
|
||||
'module.hub.google_gke_hub_feature_membership.servicemesh["cluster-1"]',
|
||||
'module.hub.google_gke_hub_feature_membership.servicemesh["cluster-2"]',
|
||||
'module.hub.google_gke_hub_membership.default["cluster-1"]',
|
||||
'module.hub.google_gke_hub_membership.default["cluster-2"]'
|
||||
]
|
||||
|
|
|
@ -0,0 +1,23 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.cluster-1-nodepool-1.google_container_node_pool.nodepool:
|
||||
cluster: cluster-1
|
||||
location: europe-west1-b
|
||||
name: nodepool-1
|
||||
project: myproject
|
||||
|
||||
counts:
|
||||
google_container_node_pool: 1
|
|
@ -0,0 +1,60 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.cluster-1-nodepool-1.google_container_node_pool.nodepool:
|
||||
autoscaling:
|
||||
- location_policy: null
|
||||
max_node_count: 10
|
||||
min_node_count: 1
|
||||
total_max_node_count: null
|
||||
total_min_node_count: null
|
||||
cluster: cluster-1
|
||||
initial_node_count: 1
|
||||
location: europe-west1-b
|
||||
management:
|
||||
- auto_repair: true
|
||||
auto_upgrade: false
|
||||
name: nodepool-1
|
||||
node_config:
|
||||
- boot_disk_kms_key: null
|
||||
disk_size_gb: 50
|
||||
disk_type: pd-ssd
|
||||
ephemeral_storage_config:
|
||||
- local_ssd_count: 1
|
||||
gcfs_config: []
|
||||
gvnic: []
|
||||
kubelet_config: []
|
||||
labels:
|
||||
environment: dev
|
||||
linux_node_config: []
|
||||
logging_variant: DEFAULT
|
||||
machine_type: n2-standard-2
|
||||
node_group: null
|
||||
oauth_scopes:
|
||||
- https://www.googleapis.com/auth/cloud-platform
|
||||
preemptible: false
|
||||
reservation_affinity: []
|
||||
resource_labels: null
|
||||
sandbox_config: []
|
||||
spot: true
|
||||
tags: null
|
||||
taint: []
|
||||
placement_policy: []
|
||||
project: myproject
|
||||
module.cluster-1-nodepool-1.google_service_account.service_account[0]: {}
|
||||
|
||||
counts:
|
||||
google_container_node_pool: 1
|
||||
google_service_account: 1
|
|
@ -0,0 +1,52 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.cluster-1-nodepool-1.google_container_node_pool.nodepool:
|
||||
cluster: cluster-1
|
||||
location: europe-west1-b
|
||||
name: nodepool-1
|
||||
node_config:
|
||||
- boot_disk_kms_key: null
|
||||
disk_type: pd-balanced
|
||||
ephemeral_storage_config: []
|
||||
gcfs_config: []
|
||||
gvnic: []
|
||||
kubelet_config: []
|
||||
linux_node_config: []
|
||||
logging_variant: DEFAULT
|
||||
node_group: null
|
||||
oauth_scopes:
|
||||
- https://www.googleapis.com/auth/cloud-platform
|
||||
preemptible: false
|
||||
reservation_affinity: []
|
||||
resource_labels: null
|
||||
sandbox_config: []
|
||||
spot: false
|
||||
tags: null
|
||||
taint: []
|
||||
placement_policy: []
|
||||
project: myproject
|
||||
timeouts: null
|
||||
module.cluster-1-nodepool-1.google_service_account.service_account[0]:
|
||||
account_id: spam-eggs
|
||||
description: null
|
||||
disabled: false
|
||||
display_name: Terraform GKE cluster-1 nodepool-1.
|
||||
project: myproject
|
||||
timeouts: null
|
||||
|
||||
counts:
|
||||
google_container_node_pool: 1
|
||||
google_service_account: 1
|
|
@ -0,0 +1,43 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.cluster-1-nodepool-1.google_container_node_pool.nodepool:
|
||||
cluster: cluster-1
|
||||
location: europe-west1-b
|
||||
name: nodepool-1
|
||||
node_config:
|
||||
- boot_disk_kms_key: null
|
||||
disk_type: pd-balanced
|
||||
ephemeral_storage_config: []
|
||||
gcfs_config: []
|
||||
gvnic: []
|
||||
kubelet_config: []
|
||||
linux_node_config: []
|
||||
logging_variant: DEFAULT
|
||||
node_group: null
|
||||
oauth_scopes:
|
||||
- https://www.googleapis.com/auth/cloud-platform
|
||||
preemptible: false
|
||||
reservation_affinity: []
|
||||
resource_labels: null
|
||||
sandbox_config: []
|
||||
service_account: foo-bar@myproject.iam.gserviceaccount.com
|
||||
spot: false
|
||||
tags: null
|
||||
taint: []
|
||||
project: myproject
|
||||
|
||||
counts:
|
||||
google_container_node_pool: 1
|
|
@ -1,45 +0,0 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
resource "google_service_account" "test" {
|
||||
project = "my-project"
|
||||
account_id = "gke-nodepool-test"
|
||||
display_name = "Test Service Account"
|
||||
}
|
||||
|
||||
module "test" {
|
||||
source = "../../../../modules/gke-nodepool"
|
||||
project_id = "my-project"
|
||||
cluster_name = "cluster-1"
|
||||
location = "europe-west1-b"
|
||||
name = "nodepool-1"
|
||||
gke_version = var.gke_version
|
||||
labels = var.labels
|
||||
max_pods_per_node = var.max_pods_per_node
|
||||
node_config = var.node_config
|
||||
node_count = var.node_count
|
||||
node_locations = var.node_locations
|
||||
nodepool_config = var.nodepool_config
|
||||
pod_range = var.pod_range
|
||||
reservation_affinity = var.reservation_affinity
|
||||
service_account = {
|
||||
create = var.service_account_create
|
||||
email = google_service_account.test.email
|
||||
}
|
||||
sole_tenant_nodegroup = var.sole_tenant_nodegroup
|
||||
tags = var.tags
|
||||
taints = var.taints
|
||||
}
|
|
@ -1,86 +0,0 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
variable "gke_version" {
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "labels" {
|
||||
type = map(string)
|
||||
default = {}
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "max_pods_per_node" {
|
||||
type = number
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "node_config" {
|
||||
type = any
|
||||
default = {
|
||||
disk_type = "pd-balanced"
|
||||
}
|
||||
}
|
||||
|
||||
variable "node_count" {
|
||||
type = any
|
||||
default = {
|
||||
initial = 1
|
||||
}
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "node_locations" {
|
||||
type = list(string)
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "nodepool_config" {
|
||||
type = any
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "pod_range" {
|
||||
type = any
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "reservation_affinity" {
|
||||
type = any
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "service_account_create" {
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "sole_tenant_nodegroup" {
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "tags" {
|
||||
type = list(string)
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "taints" {
|
||||
type = any
|
||||
default = null
|
||||
}
|
|
@ -1,67 +0,0 @@
|
|||
# Copyright 2022 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
|
||||
def test_defaults(plan_runner):
|
||||
"Test resources created with variable defaults."
|
||||
_, resources = plan_runner()
|
||||
assert len(resources) == 1
|
||||
assert resources[0]['values']['autoscaling'] == []
|
||||
|
||||
|
||||
def test_service_account(plan_runner):
|
||||
_, resources = plan_runner()
|
||||
assert len(resources) == 1
|
||||
_, resources = plan_runner(service_account_create='true')
|
||||
assert len(resources) == 2
|
||||
assert 'google_service_account' in [r['type'] for r in resources]
|
||||
|
||||
|
||||
def test_nodepool_config(plan_runner):
|
||||
nodepool_config = '''{
|
||||
autoscaling = { use_total_nodes = true, max_node_count = 3}
|
||||
management = {}
|
||||
upgrade_settings = { max_surge = 3, max_unavailable = 3 }
|
||||
}'''
|
||||
_, resources = plan_runner(nodepool_config=nodepool_config)
|
||||
assert resources[0]['values']['autoscaling'] == [{
|
||||
'location_policy': None,
|
||||
'max_node_count': None,
|
||||
'min_node_count': None,
|
||||
'total_max_node_count': 3,
|
||||
'total_min_node_count': None
|
||||
}]
|
||||
nodepool_config = '{ autoscaling = { max_node_count = 3} }'
|
||||
_, resources = plan_runner(nodepool_config=nodepool_config)
|
||||
assert resources[0]['values']['autoscaling'] == [{
|
||||
'location_policy': None,
|
||||
'max_node_count': 3,
|
||||
'min_node_count': None,
|
||||
'total_max_node_count': None,
|
||||
'total_min_node_count': None
|
||||
}]
|
||||
|
||||
|
||||
def test_node_config(plan_runner):
|
||||
node_config = '''{
|
||||
gcfs = true
|
||||
metadata = { foo = "bar" }
|
||||
}'''
|
||||
_, resources = plan_runner(node_config=node_config)
|
||||
values = resources[0]['values']['node_config'][0]
|
||||
assert values['gcfs_config'] == [{'enabled': True}]
|
||||
assert values['metadata'] == {
|
||||
'disable-legacy-endpoints': 'true',
|
||||
'foo': 'bar'
|
||||
}
|
|
@ -0,0 +1,42 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.vpc.google_compute_network.network[0]:
|
||||
name: my-network
|
||||
project: my-project
|
||||
module.vpc.google_compute_subnetwork.subnetwork["europe-west1/production"]: {}
|
||||
module.vpc.google_dns_policy.default[0]:
|
||||
alternative_name_server_config:
|
||||
- target_name_servers:
|
||||
- forwarding_path: ''
|
||||
ipv4_address: '8.8.8.8'
|
||||
- forwarding_path: private
|
||||
ipv4_address: '10.0.0.1'
|
||||
description: Managed by Terraform
|
||||
enable_inbound_forwarding: true
|
||||
enable_logging: null
|
||||
name: my-network
|
||||
networks:
|
||||
- {}
|
||||
project: my-project
|
||||
|
||||
counts:
|
||||
google_compute_network: 1
|
||||
google_compute_subnetwork: 1
|
||||
google_dns_policy: 1
|
||||
modules: 1
|
||||
resources: 3
|
||||
|
||||
outputs: {}
|
|
@ -0,0 +1,50 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.vpc.google_compute_network.network[0]:
|
||||
name: my-network
|
||||
project: my-project
|
||||
routing_mode: GLOBAL
|
||||
module.vpc.google_compute_subnetwork.subnetwork["europe-west1/subnet-detailed"]:
|
||||
description: Sample description
|
||||
ip_cidr_range: 10.0.0.0/24
|
||||
log_config:
|
||||
- aggregation_interval: INTERVAL_5_SEC
|
||||
filter_expr: 'true'
|
||||
flow_sampling: 0.5
|
||||
metadata: INCLUDE_ALL_METADATA
|
||||
metadata_fields: null
|
||||
name: subnet-detailed
|
||||
private_ip_google_access: false
|
||||
project: my-project
|
||||
region: europe-west1
|
||||
role: null
|
||||
secondary_ip_range:
|
||||
- ip_cidr_range: 192.168.0.0/24
|
||||
range_name: secondary-range-a
|
||||
module.vpc.google_compute_subnetwork.subnetwork["europe-west4/subnet-simple"]:
|
||||
description: Terraform-managed.
|
||||
ip_cidr_range: 10.0.1.0/24
|
||||
log_config: []
|
||||
name: subnet-simple
|
||||
private_ip_google_access: true
|
||||
project: my-project
|
||||
region: europe-west4
|
||||
role: null
|
||||
secondary_ip_range: []
|
||||
|
||||
counts:
|
||||
google_compute_network: 1
|
||||
google_compute_subnetwork: 2
|
|
@ -1,4 +1,4 @@
|
|||
# Copyright 2022 Google LLC
|
||||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
|
@ -13,35 +13,22 @@
|
|||
# limitations under the License.
|
||||
|
||||
values:
|
||||
google_compute_network.network[0]:
|
||||
auto_create_subnetworks: false
|
||||
delete_default_routes_on_create: false
|
||||
description: Terraform-managed.
|
||||
name: test
|
||||
project: test-project
|
||||
routing_mode: GLOBAL
|
||||
google_compute_network_peering.local[0]:
|
||||
export_custom_routes: true
|
||||
import_custom_routes: false
|
||||
name: test-peer
|
||||
peer_network: projects/my-project/global/networks/peer
|
||||
google_compute_network_peering.remote[0]:
|
||||
module.vpc-hub.google_compute_network.network[0]: {}
|
||||
module.vpc-spoke-1.google_compute_network.network[0]: {}
|
||||
module.vpc-hub.google_compute_subnetwork.subnetwork["europe-west1/subnet-1"]: {}
|
||||
module.vpc-spoke-1.google_compute_subnetwork.subnetwork["europe-west1/subnet-2"]: {}
|
||||
module.vpc-spoke-1.google_compute_network_peering.local[0]:
|
||||
export_custom_routes: false
|
||||
export_subnet_routes_with_public_ip: true
|
||||
import_custom_routes: true
|
||||
name: peer-test
|
||||
network: projects/my-project/global/networks/peer
|
||||
import_subnet_routes_with_public_ip: null
|
||||
module.vpc-spoke-1.google_compute_network_peering.remote[0]:
|
||||
export_custom_routes: true
|
||||
export_subnet_routes_with_public_ip: true
|
||||
import_custom_routes: false
|
||||
import_subnet_routes_with_public_ip: null
|
||||
|
||||
counts:
|
||||
google_compute_network: 1
|
||||
google_compute_network: 2
|
||||
google_compute_network_peering: 2
|
||||
|
||||
outputs:
|
||||
bindings: {}
|
||||
project_id: test-project
|
||||
subnet_ips: {}
|
||||
subnet_regions: {}
|
||||
subnet_secondary_ranges: {}
|
||||
subnet_self_links: {}
|
||||
subnets: {}
|
||||
subnets_proxy_only: {}
|
||||
subnets_psc: {}
|
||||
google_compute_subnetwork: 2
|
|
@ -0,0 +1,40 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.vpc.google_compute_network.network[0]:
|
||||
name: my-network
|
||||
project: my-project
|
||||
module.vpc.google_compute_subnetwork.proxy_only["europe-west1/regional-proxy"]:
|
||||
description: Terraform-managed proxy-only subnet for Regional HTTPS or Internal HTTPS LB.
|
||||
ip_cidr_range: 10.0.1.0/24
|
||||
log_config: []
|
||||
name: regional-proxy
|
||||
project: my-project
|
||||
purpose: REGIONAL_MANAGED_PROXY
|
||||
region: europe-west1
|
||||
role: ACTIVE
|
||||
module.vpc.google_compute_subnetwork.psc["europe-west1/psc"]:
|
||||
description: Terraform-managed subnet for Private Service Connect (PSC NAT).
|
||||
ip_cidr_range: 10.0.3.0/24
|
||||
log_config: []
|
||||
name: psc
|
||||
project: my-project
|
||||
purpose: PRIVATE_SERVICE_CONNECT
|
||||
region: europe-west1
|
||||
role: null
|
||||
|
||||
counts:
|
||||
google_compute_network: 1
|
||||
google_compute_subnetwork: 2
|
|
@ -0,0 +1,47 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.vpc.google_compute_global_address.psa_ranges["myrange"]:
|
||||
address: 10.0.1.0
|
||||
address_type: INTERNAL
|
||||
description: null
|
||||
ip_version: null
|
||||
name: myrange
|
||||
prefix_length: 24
|
||||
project: my-project
|
||||
purpose: VPC_PEERING
|
||||
module.vpc.google_compute_network.network[0]:
|
||||
name: my-network
|
||||
project: my-project
|
||||
routing_mode: GLOBAL
|
||||
module.vpc.google_compute_network_peering_routes_config.psa_routes["1"]:
|
||||
export_custom_routes: true
|
||||
import_custom_routes: true
|
||||
project: my-project
|
||||
module.vpc.google_compute_subnetwork.subnetwork["europe-west1/production"]:
|
||||
ip_cidr_range: 10.0.0.0/24
|
||||
name: production
|
||||
project: my-project
|
||||
module.vpc.google_service_networking_connection.psa_connection["1"]:
|
||||
reserved_peering_ranges:
|
||||
- myrange
|
||||
service: servicenetworking.googleapis.com
|
||||
|
||||
counts:
|
||||
google_compute_global_address: 1
|
||||
google_compute_network: 1
|
||||
google_compute_network_peering_routes_config: 1
|
||||
google_compute_subnetwork: 1
|
||||
google_service_networking_connection: 1
|
|
@ -0,0 +1,46 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.vpc.google_compute_global_address.psa_ranges["myrange"]:
|
||||
address: 10.0.1.0
|
||||
address_type: INTERNAL
|
||||
name: myrange
|
||||
prefix_length: 24
|
||||
project: my-project
|
||||
purpose: VPC_PEERING
|
||||
module.vpc.google_compute_network.network[0]:
|
||||
name: my-network
|
||||
project: my-project
|
||||
module.vpc.google_compute_network_peering_routes_config.psa_routes["1"]:
|
||||
export_custom_routes: false
|
||||
import_custom_routes: false
|
||||
project: my-project
|
||||
module.vpc.google_compute_subnetwork.subnetwork["europe-west1/production"]:
|
||||
ip_cidr_range: 10.0.0.0/24
|
||||
name: production
|
||||
project: my-project
|
||||
module.vpc.google_service_networking_connection.psa_connection["1"]:
|
||||
reserved_peering_ranges:
|
||||
- myrange
|
||||
service: servicenetworking.googleapis.com
|
||||
|
||||
counts:
|
||||
google_compute_global_address: 1
|
||||
google_compute_network: 1
|
||||
google_compute_network_peering_routes_config: 1
|
||||
google_compute_subnetwork: 1
|
||||
google_service_networking_connection: 1
|
||||
|
||||
outputs: {}
|
|
@ -0,0 +1,146 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.vpc["gateway"].google_compute_network.network[0]:
|
||||
name: my-network-with-route-gateway
|
||||
project: my-project
|
||||
routing_mode: GLOBAL
|
||||
module.vpc["gateway"].google_compute_route.gateway["gateway"]:
|
||||
dest_range: 0.0.0.0/0
|
||||
name: my-network-with-route-gateway-gateway
|
||||
next_hop_gateway: global/gateways/default-internet-gateway
|
||||
next_hop_ilb: null
|
||||
next_hop_instance: null
|
||||
next_hop_vpn_tunnel: null
|
||||
priority: 100
|
||||
project: my-project
|
||||
tags:
|
||||
- tag-a
|
||||
module.vpc["gateway"].google_compute_route.gateway["next-hop"]:
|
||||
dest_range: 192.168.128.0/24
|
||||
name: my-network-with-route-gateway-next-hop
|
||||
next_hop_gateway: global/gateways/default-internet-gateway
|
||||
next_hop_ilb: null
|
||||
next_hop_instance: null
|
||||
next_hop_vpn_tunnel: null
|
||||
priority: 1000
|
||||
project: my-project
|
||||
tags: null
|
||||
module.vpc["ilb"].google_compute_network.network[0]:
|
||||
name: my-network-with-route-ilb
|
||||
project: my-project
|
||||
routing_mode: GLOBAL
|
||||
module.vpc["ilb"].google_compute_route.gateway["gateway"]:
|
||||
dest_range: 0.0.0.0/0
|
||||
name: my-network-with-route-ilb-gateway
|
||||
next_hop_gateway: global/gateways/default-internet-gateway
|
||||
next_hop_ilb: null
|
||||
next_hop_instance: null
|
||||
next_hop_vpn_tunnel: null
|
||||
priority: 100
|
||||
project: my-project
|
||||
tags:
|
||||
- tag-a
|
||||
module.vpc["ilb"].google_compute_route.ilb["next-hop"]:
|
||||
dest_range: 192.168.128.0/24
|
||||
name: my-network-with-route-ilb-next-hop
|
||||
next_hop_gateway: null
|
||||
next_hop_ilb: regions/europe-west1/forwardingRules/test
|
||||
next_hop_instance: null
|
||||
next_hop_vpn_tunnel: null
|
||||
priority: 1000
|
||||
project: my-project
|
||||
tags: null
|
||||
module.vpc["instance"].google_compute_network.network[0]:
|
||||
name: my-network-with-route-instance
|
||||
project: my-project
|
||||
routing_mode: GLOBAL
|
||||
module.vpc["instance"].google_compute_route.gateway["gateway"]:
|
||||
dest_range: 0.0.0.0/0
|
||||
name: my-network-with-route-instance-gateway
|
||||
next_hop_gateway: global/gateways/default-internet-gateway
|
||||
next_hop_ilb: null
|
||||
next_hop_instance: null
|
||||
next_hop_vpn_tunnel: null
|
||||
priority: 100
|
||||
project: my-project
|
||||
tags:
|
||||
- tag-a
|
||||
module.vpc["instance"].google_compute_route.instance["next-hop"]:
|
||||
dest_range: 192.168.128.0/24
|
||||
name: my-network-with-route-instance-next-hop
|
||||
next_hop_gateway: null
|
||||
next_hop_ilb: null
|
||||
next_hop_instance: zones/europe-west1-b/test
|
||||
next_hop_instance_zone: europe-west1-b
|
||||
next_hop_vpn_tunnel: null
|
||||
priority: 1000
|
||||
project: my-project
|
||||
tags: null
|
||||
module.vpc["ip"].google_compute_network.network[0]:
|
||||
name: my-network-with-route-ip
|
||||
project: my-project
|
||||
routing_mode: GLOBAL
|
||||
module.vpc["ip"].google_compute_route.gateway["gateway"]:
|
||||
dest_range: 0.0.0.0/0
|
||||
name: my-network-with-route-ip-gateway
|
||||
next_hop_gateway: global/gateways/default-internet-gateway
|
||||
next_hop_ilb: null
|
||||
next_hop_instance: null
|
||||
next_hop_vpn_tunnel: null
|
||||
priority: 100
|
||||
project: my-project
|
||||
tags:
|
||||
- tag-a
|
||||
module.vpc["ip"].google_compute_route.ip["next-hop"]:
|
||||
dest_range: 192.168.128.0/24
|
||||
name: my-network-with-route-ip-next-hop
|
||||
next_hop_gateway: null
|
||||
next_hop_ilb: null
|
||||
next_hop_instance: null
|
||||
next_hop_ip: 192.168.0.128
|
||||
next_hop_vpn_tunnel: null
|
||||
priority: 1000
|
||||
project: my-project
|
||||
tags: null
|
||||
module.vpc["vpn_tunnel"].google_compute_network.network[0]:
|
||||
name: my-network-with-route-vpn-tunnel
|
||||
project: my-project
|
||||
routing_mode: GLOBAL
|
||||
module.vpc["vpn_tunnel"].google_compute_route.gateway["gateway"]:
|
||||
dest_range: 0.0.0.0/0
|
||||
name: my-network-with-route-vpn-tunnel-gateway
|
||||
next_hop_gateway: global/gateways/default-internet-gateway
|
||||
next_hop_ilb: null
|
||||
next_hop_instance: null
|
||||
next_hop_vpn_tunnel: null
|
||||
priority: 100
|
||||
project: my-project
|
||||
tags:
|
||||
- tag-a
|
||||
module.vpc["vpn_tunnel"].google_compute_route.vpn_tunnel["next-hop"]:
|
||||
dest_range: 192.168.128.0/24
|
||||
name: my-network-with-route-vpn-tunnel-next-hop
|
||||
next_hop_gateway: null
|
||||
next_hop_ilb: null
|
||||
next_hop_instance: null
|
||||
next_hop_vpn_tunnel: regions/europe-west1/vpnTunnels/foo
|
||||
priority: 1000
|
||||
project: my-project
|
||||
tags: null
|
||||
|
||||
counts:
|
||||
google_compute_network: 5
|
||||
google_compute_route: 10
|
|
@ -0,0 +1,51 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.vpc-host.google_compute_network.network[0]:
|
||||
name: my-host-network
|
||||
project: my-project
|
||||
module.vpc-host.google_compute_shared_vpc_host_project.shared_vpc_host[0]:
|
||||
project: my-project
|
||||
module.vpc-host.google_compute_shared_vpc_service_project.service_projects["project1"]:
|
||||
host_project: my-project
|
||||
service_project: project1
|
||||
module.vpc-host.google_compute_shared_vpc_service_project.service_projects["project2"]:
|
||||
host_project: my-project
|
||||
service_project: project2
|
||||
module.vpc-host.google_compute_subnetwork.subnetwork["europe-west1/subnet-1"]: {}
|
||||
module.vpc-host.google_compute_subnetwork_iam_binding.binding["europe-west1/subnet-1.roles/compute.networkUser"]:
|
||||
condition: []
|
||||
members:
|
||||
- serviceAccount:cloudsvc
|
||||
- serviceAccount:gke
|
||||
project: my-project
|
||||
region: europe-west1
|
||||
role: roles/compute.networkUser
|
||||
subnetwork: subnet-1
|
||||
module.vpc-host.google_compute_subnetwork_iam_binding.binding["europe-west1/subnet-1.roles/compute.securityAdmin"]:
|
||||
condition: []
|
||||
members:
|
||||
- serviceAccount:gke
|
||||
project: my-project
|
||||
region: europe-west1
|
||||
role: roles/compute.securityAdmin
|
||||
subnetwork: subnet-1
|
||||
|
||||
counts:
|
||||
google_compute_network: 1
|
||||
google_compute_shared_vpc_host_project: 1
|
||||
google_compute_shared_vpc_service_project: 2
|
||||
google_compute_subnetwork: 1
|
||||
google_compute_subnetwork_iam_binding: 2
|
|
@ -0,0 +1,50 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.vpc.google_compute_network.network[0]:
|
||||
auto_create_subnetworks: false
|
||||
delete_default_routes_on_create: false
|
||||
description: Terraform-managed.
|
||||
name: my-network
|
||||
project: my-project
|
||||
routing_mode: GLOBAL
|
||||
module.vpc.google_compute_subnetwork.subnetwork["europe-west1/production"]:
|
||||
description: Terraform-managed.
|
||||
ip_cidr_range: 10.0.0.0/24
|
||||
log_config: []
|
||||
name: production
|
||||
private_ip_google_access: true
|
||||
project: my-project
|
||||
region: europe-west1
|
||||
role: null
|
||||
secondary_ip_range:
|
||||
- ip_cidr_range: 172.16.0.0/20
|
||||
range_name: pods
|
||||
- ip_cidr_range: 192.168.0.0/24
|
||||
range_name: services
|
||||
module.vpc.google_compute_subnetwork.subnetwork["europe-west2/production"]:
|
||||
description: Terraform-managed.
|
||||
ip_cidr_range: 10.0.16.0/24
|
||||
log_config: []
|
||||
name: production
|
||||
private_ip_google_access: true
|
||||
project: my-project
|
||||
region: europe-west2
|
||||
role: null
|
||||
secondary_ip_range: []
|
||||
|
||||
counts:
|
||||
google_compute_network: 1
|
||||
google_compute_subnetwork: 2
|
|
@ -0,0 +1,54 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.vpc.google_compute_network.network[0]:
|
||||
name: my-network
|
||||
project: my-project
|
||||
module.vpc.google_compute_subnetwork.subnetwork["europe-west1/subnet-1"]:
|
||||
name: subnet-1
|
||||
project: my-project
|
||||
region: europe-west1
|
||||
module.vpc.google_compute_subnetwork.subnetwork["europe-west1/subnet-2"]:
|
||||
name: subnet-2
|
||||
private_ip_google_access: true
|
||||
project: my-project
|
||||
region: europe-west1
|
||||
module.vpc.google_compute_subnetwork_iam_binding.binding["europe-west1/subnet-1.roles/compute.networkUser"]:
|
||||
condition: []
|
||||
members:
|
||||
- group:group1@example.com
|
||||
- user:user1@example.com
|
||||
project: my-project
|
||||
region: europe-west1
|
||||
role: roles/compute.networkUser
|
||||
subnetwork: subnet-1
|
||||
module.vpc.google_compute_subnetwork_iam_binding.binding["europe-west1/subnet-2.roles/compute.networkUser"]:
|
||||
condition: []
|
||||
members:
|
||||
- group:group2@example.com
|
||||
- user:user2@example.com
|
||||
project: my-project
|
||||
region: europe-west1
|
||||
role: roles/compute.networkUser
|
||||
subnetwork: subnet-2
|
||||
|
||||
counts:
|
||||
google_compute_network: 1
|
||||
google_compute_subnetwork: 2
|
||||
google_compute_subnetwork_iam_binding: 2
|
||||
modules: 1
|
||||
resources: 5
|
||||
|
||||
outputs: {}
|
|
@ -0,0 +1,70 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.vpc.google_compute_network.network[0]:
|
||||
name: my-network
|
||||
project: my-project
|
||||
module.vpc.google_compute_subnetwork.subnetwork["europe-west1/no-pga"]:
|
||||
description: Subnet b
|
||||
ip_cidr_range: 10.0.1.0/24
|
||||
log_config: []
|
||||
name: no-pga
|
||||
private_ip_google_access: false
|
||||
project: my-project
|
||||
region: europe-west1
|
||||
secondary_ip_range: []
|
||||
module.vpc.google_compute_subnetwork.subnetwork["europe-west1/simple"]:
|
||||
description: Terraform-managed.
|
||||
ip_cidr_range: 10.0.0.0/24
|
||||
log_config: []
|
||||
name: simple
|
||||
private_ip_google_access: true
|
||||
project: my-project
|
||||
region: europe-west1
|
||||
secondary_ip_range: []
|
||||
module.vpc.google_compute_subnetwork.subnetwork["europe-west1/with-flow-logs"]:
|
||||
description: Terraform-managed.
|
||||
ip_cidr_range: 10.0.3.0/24
|
||||
ipv6_access_type: null
|
||||
log_config:
|
||||
- aggregation_interval: INTERVAL_10_MIN
|
||||
filter_expr: 'true'
|
||||
flow_sampling: 0.5
|
||||
metadata: INCLUDE_ALL_METADATA
|
||||
metadata_fields: null
|
||||
name: with-flow-logs
|
||||
private_ip_google_access: true
|
||||
project: my-project
|
||||
region: europe-west1
|
||||
role: null
|
||||
secondary_ip_range: []
|
||||
module.vpc.google_compute_subnetwork.subnetwork["europe-west1/with-secondary-ranges"]:
|
||||
description: Terraform-managed.
|
||||
ip_cidr_range: 10.0.2.0/24
|
||||
log_config: []
|
||||
name: with-secondary-ranges
|
||||
private_ip_google_access: true
|
||||
project: my-project
|
||||
region: europe-west1
|
||||
role: null
|
||||
secondary_ip_range:
|
||||
- ip_cidr_range: 192.168.0.0/24
|
||||
range_name: a
|
||||
- ip_cidr_range: 192.168.1.0/24
|
||||
range_name: b
|
||||
|
||||
counts:
|
||||
google_compute_network: 1
|
||||
google_compute_subnetwork: 4
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue