Fix PSA (#584)
* Fix PSA * fix typo * fix vpn/peering diff * output filename on failed checksum test
This commit is contained in:
parent
d320bc57ed
commit
a22cf80b60
|
@ -376,10 +376,10 @@ Don't forget to add a peering zone in the landing project and point it to the ne
|
|||
| [l7ilb_subnets](variables.tf#L81) | Subnets used for L7 ILBs. | <code title="map(list(object({ ip_cidr_range = string region = string })))">map(list(object({…})))</code> | | <code title="{ dev = [ { ip_cidr_range = "10.128.159.0/24", region = "europe-west1" }, { ip_cidr_range = "10.128.191.0/24", region = "europe-west4" } ] prod = [ { ip_cidr_range = "10.128.223.0/24", region = "europe-west1" }, { ip_cidr_range = "10.128.255.0/24", region = "europe-west4" } ] }">{…}</code> | |
|
||||
| [onprem_cidr](variables.tf#L99) | Onprem addresses in name => range format. | <code>map(string)</code> | | <code title="{ main = "10.0.0.0/24" }">{…}</code> | |
|
||||
| [outputs_location](variables.tf#L117) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [psa_ranges](variables.tf#L134) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code>map(map(string))</code> | | <code title="{ dev = { cloudsql-mysql-ew1 = "10.128.157.0/24" cloudsql-mysql-ew4 = "10.128.189.0/24" cloudsql-sqlserver-ew1 = "10.128.158.0/24" cloudsql-sqlserver-ew4 = "10.128.190.0/24" } prod = { cloudsql-mysql-ew1 = "10.128.221.0/24" cloudsql-mysql-ew4 = "10.128.253.0/24" cloudsql-sqlserver-ew1 = "10.128.222.0/24" cloudsql-sqlserver-ew4 = "10.128.254.0/24" } }">{…}</code> | |
|
||||
| [router_configs](variables.tf#L153) | Configurations for CRs and onprem routers. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-trusted-ew1 = { asn = "64512" adv = null } landing-trusted-ew4 = { asn = "64512" adv = null } }">{…}</code> | |
|
||||
| [service_accounts](variables.tf#L176) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>01-resman</code> |
|
||||
| [vpn_onprem_configs](variables.tf#L188) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(object({ id = number ip_address = string })) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-trusted-ew1 = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = [ { id = 0, ip_address = "8.8.8.8" }, ] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } landing-trusted-ew4 = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = [ { id = 0, ip_address = "8.8.8.8" }, ] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
||||
| [psa_ranges](variables.tf#L134) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = map(object({ ranges = list(string) routes = object({ export = bool import = bool }) })) prod = map(object({ ranges = list(string) routes = object({ export = bool import = bool }) })) })">object({…})</code> | | <code title="{ dev = { cloudsql-mysql-ew1 = { ranges = ["10.128.157.0/24"] routes = null } cloudsql-mysql-ew4 = { ranges = ["10.128.189.0/24"] routes = null } cloudsql-sqlserver-ew1 = { ranges = ["10.128.158.0/24"] routes = null } cloudsql-sqlserver-ew4 = { ranges = ["10.128.190.0/24"] routes = null } } prod = { cloudsql-mysql-ew1 = { ranges = ["10.128.221.0/24"] routes = null } cloudsql-mysql-ew4 = { ranges = ["10.128.253.0/24"] routes = null } cloudsql-sqlserver-ew1 = { ranges = ["10.128.222.0/24"] routes = null } cloudsql-sqlserver-ew4 = { ranges = ["10.128.254.0/24"] routes = null } } }">{…}</code> | |
|
||||
| [router_configs](variables.tf#L192) | Configurations for CRs and onprem routers. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-trusted-ew1 = { asn = "64512" adv = null } landing-trusted-ew4 = { asn = "64512" adv = null } }">{…}</code> | |
|
||||
| [service_accounts](variables.tf#L215) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>01-resman</code> |
|
||||
| [vpn_onprem_configs](variables.tf#L227) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(object({ id = number ip_address = string })) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-trusted-ew1 = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = [ { id = 0, ip_address = "8.8.8.8" }, ] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } landing-trusted-ew4 = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = [ { id = 0, ip_address = "8.8.8.8" }, ] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
@ -51,7 +51,7 @@ module "dev-spoke-vpc" {
|
|||
mtu = 1500
|
||||
data_folder = "${var.data_dir}/subnets/dev"
|
||||
delete_default_routes_on_create = true
|
||||
psa_config = { dev = { ranges = values(var.psa_ranges.dev), routes = null } }
|
||||
psa_config = var.psa_ranges.dev
|
||||
subnets_l7ilb = local.l7ilb_subnets.dev
|
||||
# Set explicit routes for googleapis; send everything else to NVAs
|
||||
routes = {
|
||||
|
|
|
@ -51,7 +51,7 @@ module "prod-spoke-vpc" {
|
|||
mtu = 1500
|
||||
data_folder = "${var.data_dir}/subnets/prod"
|
||||
delete_default_routes_on_create = true
|
||||
psa_config = { prod = { ranges = values(var.psa_ranges.prod), routes = null } }
|
||||
psa_config = var.psa_ranges.prod
|
||||
subnets_l7ilb = local.l7ilb_subnets.prod
|
||||
# Set explicit routes for googleapis; send everything else to NVAs
|
||||
routes = {
|
||||
|
|
|
@ -133,19 +133,58 @@ variable "prefix" {
|
|||
|
||||
variable "psa_ranges" {
|
||||
description = "IP ranges used for Private Service Access (e.g. CloudSQL)."
|
||||
type = map(map(string))
|
||||
type = object({
|
||||
dev = map(object({
|
||||
ranges = list(string)
|
||||
routes = object({
|
||||
export = bool
|
||||
import = bool
|
||||
})
|
||||
}))
|
||||
prod = map(object({
|
||||
ranges = list(string)
|
||||
routes = object({
|
||||
export = bool
|
||||
import = bool
|
||||
})
|
||||
}))
|
||||
})
|
||||
default = {
|
||||
dev = {
|
||||
cloudsql-mysql-ew1 = "10.128.157.0/24"
|
||||
cloudsql-mysql-ew4 = "10.128.189.0/24"
|
||||
cloudsql-sqlserver-ew1 = "10.128.158.0/24"
|
||||
cloudsql-sqlserver-ew4 = "10.128.190.0/24"
|
||||
cloudsql-mysql-ew1 = {
|
||||
ranges = ["10.128.157.0/24"]
|
||||
routes = null
|
||||
}
|
||||
cloudsql-mysql-ew4 = {
|
||||
ranges = ["10.128.189.0/24"]
|
||||
routes = null
|
||||
}
|
||||
cloudsql-sqlserver-ew1 = {
|
||||
ranges = ["10.128.158.0/24"]
|
||||
routes = null
|
||||
}
|
||||
cloudsql-sqlserver-ew4 = {
|
||||
ranges = ["10.128.190.0/24"]
|
||||
routes = null
|
||||
}
|
||||
}
|
||||
prod = {
|
||||
cloudsql-mysql-ew1 = "10.128.221.0/24"
|
||||
cloudsql-mysql-ew4 = "10.128.253.0/24"
|
||||
cloudsql-sqlserver-ew1 = "10.128.222.0/24"
|
||||
cloudsql-sqlserver-ew4 = "10.128.254.0/24"
|
||||
cloudsql-mysql-ew1 = {
|
||||
ranges = ["10.128.221.0/24"]
|
||||
routes = null
|
||||
}
|
||||
cloudsql-mysql-ew4 = {
|
||||
ranges = ["10.128.253.0/24"]
|
||||
routes = null
|
||||
}
|
||||
cloudsql-sqlserver-ew1 = {
|
||||
ranges = ["10.128.222.0/24"]
|
||||
routes = null
|
||||
}
|
||||
cloudsql-sqlserver-ew4 = {
|
||||
ranges = ["10.128.254.0/24"]
|
||||
routes = null
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
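Review bot: The new `type` gives every range a `routes = object({ export = bool import = bool })` block, but the `description` line above it is unchanged and still only mentions IP ranges, so the README rows generated from it in this same commit never tell the reader what `export`/`import` control or that `routes = null` is accepted, which is what every default in this block uses. Suggest `description = "IP ranges used for Private Service Access (e.g. CloudSQL), with per-range routes export/import flags; routes may be null."` (what the flags do presumably follows the net-vpc module's peering settings — worth confirming against it before wording the sentence). The same applies to the two other `psa_ranges` variables later in this commit, and matters more now that the spoke files pass `var.psa_ranges.dev` / `var.psa_ranges.prod` straight through to `psa_config` instead of forcing `routes = null`.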
|
|
|
@ -298,10 +298,10 @@ DNS configurations are centralised in the `dns.tf` file. Spokes delegate DNS res
|
|||
| [l7ilb_subnets](variables.tf#L76) | Subnets used for L7 ILBs. | <code title="map(list(object({ ip_cidr_range = string region = string })))">map(list(object({…})))</code> | | <code title="{ prod = [ { ip_cidr_range = "10.128.92.0/24", region = "europe-west1" }, { ip_cidr_range = "10.128.93.0/24", region = "europe-west4" } ] dev = [ { ip_cidr_range = "10.128.60.0/24", region = "europe-west1" }, { ip_cidr_range = "10.128.61.0/24", region = "europe-west4" } ] }">{…}</code> | |
|
||||
| [outputs_location](variables.tf#L104) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [peering_configs](variables-peerings.tf#L19) | Peering configurations. | <code title="map(object({ export_local_custom_routes = bool export_peer_custom_routes = bool }))">map(object({…}))</code> | | <code title="{ dev = { export_local_custom_routes = true export_peer_custom_routes = true } prod = { export_local_custom_routes = true export_peer_custom_routes = true } }">{…}</code> | |
|
||||
| [psa_ranges](variables.tf#L121) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code>map(map(string))</code> | | <code title="{ prod = { cloudsql-mysql = "10.128.94.0/24" cloudsql-sqlserver = "10.128.95.0/24" } dev = { cloudsql-mysql = "10.128.62.0/24" cloudsql-sqlserver = "10.128.63.0/24" } }">{…}</code> | |
|
||||
| [router_onprem_configs](variables.tf#L136) | Configurations for routers used for onprem connectivity. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { asn = "65533" adv = null } }">{…}</code> | |
|
||||
| [service_accounts](variables.tf#L154) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>01-resman</code> |
|
||||
| [vpn_onprem_configs](variables.tf#L166) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(object({ id = number ip_address = string })) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = [ { id = 0, ip_address = "8.8.8.8" }, ] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
||||
| [psa_ranges](variables.tf#L121) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = map(object({ ranges = list(string) routes = object({ export = bool import = bool }) })) prod = map(object({ ranges = list(string) routes = object({ export = bool import = bool }) })) })">object({…})</code> | | <code title="{ dev = { cloudsql-mysql = { ranges = ["10.128.62.0/24"] routes = null } cloudsql-sqlserver = { ranges = ["10.128.63.0/24"] routes = null } } prod = { cloudsql-mysql = { ranges = ["10.128.94.0/24"] routes = null } cloudsql-sqlserver = { ranges = ["10.128.95.0/24"] routes = null } } }">{…}</code> | |
|
||||
| [router_onprem_configs](variables.tf#L163) | Configurations for routers used for onprem connectivity. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { asn = "65533" adv = null } }">{…}</code> | |
|
||||
| [service_accounts](variables.tf#L181) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>01-resman</code> |
|
||||
| [vpn_onprem_configs](variables.tf#L193) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(object({ id = number ip_address = string })) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = [ { id = 0, ip_address = "8.8.8.8" }, ] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
@ -51,7 +51,7 @@ module "dev-spoke-vpc" {
|
|||
name = "dev-spoke-0"
|
||||
mtu = 1500
|
||||
data_folder = "${var.data_dir}/subnets/dev"
|
||||
psa_config = { dev = { ranges = values(var.psa_ranges.dev), routes = null } }
|
||||
psa_config = var.psa_ranges.dev
|
||||
subnets_l7ilb = local.l7ilb_subnets.dev
|
||||
# set explicit routes for googleapis in case the default route is deleted
|
||||
routes = {
|
||||
|
|
|
@ -51,7 +51,7 @@ module "prod-spoke-vpc" {
|
|||
name = "prod-spoke-0"
|
||||
mtu = 1500
|
||||
data_folder = "${var.data_dir}/subnets/prod"
|
||||
psa_config = { prod = { ranges = values(var.psa_ranges.prod), routes = null } }
|
||||
psa_config = var.psa_ranges.prod
|
||||
subnets_l7ilb = local.l7ilb_subnets.prod
|
||||
# set explicit routes for googleapis in case the default route is deleted
|
||||
routes = {
|
||||
|
|
|
@ -120,15 +120,42 @@ variable "prefix" {
|
|||
|
||||
variable "psa_ranges" {
|
||||
description = "IP ranges used for Private Service Access (e.g. CloudSQL)."
|
||||
type = map(map(string))
|
||||
type = object({
|
||||
dev = map(object({
|
||||
ranges = list(string)
|
||||
routes = object({
|
||||
export = bool
|
||||
import = bool
|
||||
})
|
||||
}))
|
||||
prod = map(object({
|
||||
ranges = list(string)
|
||||
routes = object({
|
||||
export = bool
|
||||
import = bool
|
||||
})
|
||||
}))
|
||||
})
|
||||
default = {
|
||||
prod = {
|
||||
cloudsql-mysql = "10.128.94.0/24"
|
||||
cloudsql-sqlserver = "10.128.95.0/24"
|
||||
}
|
||||
dev = {
|
||||
cloudsql-mysql = "10.128.62.0/24"
|
||||
cloudsql-sqlserver = "10.128.63.0/24"
|
||||
cloudsql-mysql = {
|
||||
ranges = ["10.128.62.0/24"]
|
||||
routes = null
|
||||
}
|
||||
cloudsql-sqlserver = {
|
||||
ranges = ["10.128.63.0/24"]
|
||||
routes = null
|
||||
}
|
||||
}
|
||||
prod = {
|
||||
cloudsql-mysql = {
|
||||
ranges = ["10.128.94.0/24"]
|
||||
routes = null
|
||||
}
|
||||
cloudsql-sqlserver = {
|
||||
ranges = ["10.128.95.0/24"]
|
||||
routes = null
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -321,11 +321,11 @@ DNS configurations are centralised in the `dns.tf` file. Spokes delegate DNS res
|
|||
| [dns](variables.tf#L58) | Onprem DNS resolvers. | <code>map(list(string))</code> | | <code title="{ onprem = ["10.0.200.3"] }">{…}</code> | |
|
||||
| [l7ilb_subnets](variables.tf#L76) | Subnets used for L7 ILBs. | <code title="map(list(object({ ip_cidr_range = string region = string })))">map(list(object({…})))</code> | | <code title="{ prod = [ { ip_cidr_range = "10.128.92.0/24", region = "europe-west1" }, { ip_cidr_range = "10.128.93.0/24", region = "europe-west4" } ] dev = [ { ip_cidr_range = "10.128.60.0/24", region = "europe-west1" }, { ip_cidr_range = "10.128.61.0/24", region = "europe-west4" } ] }">{…}</code> | |
|
||||
| [outputs_location](variables.tf#L104) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [psa_ranges](variables.tf#L121) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code>map(map(string))</code> | | <code title="{ prod = { cloudsql-mysql = "10.128.94.0/24" cloudsql-sqlserver = "10.128.95.0/24" } dev = { cloudsql-mysql = "10.128.62.0/24" cloudsql-sqlserver = "10.128.63.0/24" } }">{…}</code> | |
|
||||
| [router_onprem_configs](variables.tf#L136) | Configurations for routers used for onprem connectivity. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { asn = "65533" adv = null } }">{…}</code> | |
|
||||
| [psa_ranges](variables.tf#L121) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = map(object({ ranges = list(string) routes = object({ export = bool import = bool }) })) prod = map(object({ ranges = list(string) routes = object({ export = bool import = bool }) })) })">object({…})</code> | | <code title="{ dev = { cloudsql-mysql = { ranges = ["10.128.62.0/24"] routes = null } cloudsql-sqlserver = { ranges = ["10.128.63.0/24"] routes = null } } prod = { cloudsql-mysql = { ranges = ["10.128.94.0/24"] routes = null } cloudsql-sqlserver = { ranges = ["10.128.95.0/24"] routes = null } } }">{…}</code> | |
|
||||
| [router_onprem_configs](variables.tf#L163) | Configurations for routers used for onprem connectivity. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { asn = "65533" adv = null } }">{…}</code> | |
|
||||
| [router_spoke_configs](variables-vpn.tf#L18) | Configurations for routers used for internal connectivity. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { asn = "64512", adv = null } landing-ew4 = { asn = "64512", adv = null } spoke-dev-ew1 = { asn = "64513", adv = null } spoke-dev-ew4 = { asn = "64513", adv = null } spoke-prod-ew1 = { asn = "64514", adv = null } spoke-prod-ew4 = { asn = "64514", adv = null } }">{…}</code> | |
|
||||
| [service_accounts](variables.tf#L154) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>01-resman</code> |
|
||||
| [vpn_onprem_configs](variables.tf#L166) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(object({ id = number ip_address = string })) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = [ { id = 0, ip_address = "8.8.8.8" }, ] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
||||
| [service_accounts](variables.tf#L181) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>01-resman</code> |
|
||||
| [vpn_onprem_configs](variables.tf#L193) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(object({ id = number ip_address = string })) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = [ { id = 0, ip_address = "8.8.8.8" }, ] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
||||
| [vpn_spoke_configs](variables-vpn.tf#L37) | VPN gateway configuration for spokes. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) session_range = string }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { adv = { default = false custom = ["rfc_1918_10", "rfc_1918_172", "rfc_1918_192"] } session_range = null } landing-ew4 = { adv = { default = false custom = ["rfc_1918_10", "rfc_1918_172", "rfc_1918_192"] } session_range = null } dev-ew1 = { adv = { default = false custom = ["gcp_dev"] } session_range = "169.254.0.0/27" } prod-ew1 = { adv = { default = false custom = ["gcp_prod"] } session_range = "169.254.0.64/27" } prod-ew4 = { adv = { default = false custom = ["gcp_prod"] } session_range = "169.254.0.96/27" } }">{…}</code> | |
|
||||
|
||||
## Outputs
|
||||
|
|
|
@ -51,7 +51,7 @@ module "dev-spoke-vpc" {
|
|||
name = "dev-spoke-0"
|
||||
mtu = 1500
|
||||
data_folder = "${var.data_dir}/subnets/dev"
|
||||
psa_config = { dev = { ranges = values(var.psa_ranges.dev), routes = null } }
|
||||
psa_config = var.psa_ranges.dev
|
||||
subnets_l7ilb = local.l7ilb_subnets.dev
|
||||
# set explicit routes for googleapis in case the default route is deleted
|
||||
routes = {
|
||||
|
|
|
@ -51,7 +51,7 @@ module "prod-spoke-vpc" {
|
|||
name = "prod-spoke-0"
|
||||
mtu = 1500
|
||||
data_folder = "${var.data_dir}/subnets/prod"
|
||||
psa_config = { prod = { ranges = values(var.psa_ranges.prod), routes = null } }
|
||||
psa_config = var.psa_ranges.prod
|
||||
subnets_l7ilb = local.l7ilb_subnets.prod
|
||||
# set explicit routes for googleapis in case the default route is deleted
|
||||
routes = {
|
||||
|
|
|
@ -120,15 +120,42 @@ variable "prefix" {
|
|||
|
||||
variable "psa_ranges" {
|
||||
description = "IP ranges used for Private Service Access (e.g. CloudSQL)."
|
||||
type = map(map(string))
|
||||
type = object({
|
||||
dev = map(object({
|
||||
ranges = list(string)
|
||||
routes = object({
|
||||
export = bool
|
||||
import = bool
|
||||
})
|
||||
}))
|
||||
prod = map(object({
|
||||
ranges = list(string)
|
||||
routes = object({
|
||||
export = bool
|
||||
import = bool
|
||||
})
|
||||
}))
|
||||
})
|
||||
default = {
|
||||
prod = {
|
||||
cloudsql-mysql = "10.128.94.0/24"
|
||||
cloudsql-sqlserver = "10.128.95.0/24"
|
||||
}
|
||||
dev = {
|
||||
cloudsql-mysql = "10.128.62.0/24"
|
||||
cloudsql-sqlserver = "10.128.63.0/24"
|
||||
cloudsql-mysql = {
|
||||
ranges = ["10.128.62.0/24"]
|
||||
routes = null
|
||||
}
|
||||
cloudsql-sqlserver = {
|
||||
ranges = ["10.128.63.0/24"]
|
||||
routes = null
|
||||
}
|
||||
}
|
||||
prod = {
|
||||
cloudsql-mysql = {
|
||||
ranges = ["10.128.94.0/24"]
|
||||
routes = null
|
||||
}
|
||||
cloudsql-sqlserver = {
|
||||
ranges = ["10.128.95.0/24"]
|
||||
routes = null
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -56,6 +56,7 @@ locals {
|
|||
_psa_ranges = flatten([
|
||||
for k, v in coalesce(var.psa_config, {}) : [
|
||||
for r in v.ranges : {
|
||||
key = "${k}:${index(v.ranges, r)}"
|
||||
name = "${var.name}-psa-${k}-${index(v.ranges, r)}"
|
||||
address = try(split("/", r)[0], null)
|
||||
prefix_length = try(split("/", r)[1], null)
|
||||
|
@ -87,7 +88,7 @@ locals {
|
|||
? null
|
||||
: element(reverse(split("/", var.peering_config.peer_vpc_self_link)), 0)
|
||||
)
|
||||
psa_ranges = { for e in local._psa_ranges : e.name => e }
|
||||
psa_ranges = { for e in local._psa_ranges : e.key => e }
|
||||
routes = {
|
||||
gateway = { for k, v in local._routes : k => v if v.next_hop_type == "gateway" }
|
||||
ilb = { for k, v in local._routes : k => v if v.next_hop_type == "ilb" }
|
||||
|
@ -348,7 +349,7 @@ resource "google_service_networking_connection" "psa_connection" {
|
|||
service = "servicenetworking.googleapis.com"
|
||||
reserved_peering_ranges = [
|
||||
for k, v in google_compute_global_address.psa_ranges :
|
||||
v.name if try(split("-", v.name)[2], null) == k
|
||||
v.name if try(split(":", k)[0], null) == each.key
|
||||
]
|
||||
}
|
||||
|
||||
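Review bot: Switching `psa_ranges` from `e.name => e` to `e.key => e` re-addresses every `google_compute_global_address.psa_ranges` instance, so on an already deployed module Terraform will plan to destroy and recreate the reserved PSA ranges that the `psa_connection` resource below peers, and nothing in the commit (no `moved` block, no README or changelog note) flags that. A migration note in the module documentation, plus a `moved` block where the old and new keys are known, would avoid an unplanned replacement of a live service-networking range. Separately, in the first hunk the added `key = "${k}:${index(v.ranges, r)}"` relies on `index()`, which returns the first match, so a duplicated entry in `v.ranges` maps two elements onto one key and one is silently dropped; iterating `for i, r in v.ranges` and using `${i}` in both `key` and `name` avoids that and the quadratic lookup. The `locals` block and the `psa_connection` resource both start outside these hunks, so the `for_each` that `each.key` refers to is not visible here.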
|
|
|
@ -73,4 +73,4 @@ def test_vpn_peering_checksums(e2e_plan_runner):
|
|||
for filename in common_files:
|
||||
md5_vpn = compute_md5(STAGE_VPN / filename)
|
||||
md5_peering = compute_md5(STAGE_PEERING / filename)
|
||||
assert md5_vpn == md5_peering
|
||||
assert md5_vpn == md5_peering, filename
|
||||
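Review bot: The assertion message now names the file, but the loop still stops at the first mismatch, so a change touching several common files needs one run per file to surface them all; collecting the failures first, `mismatched = [f for f in common_files if compute_md5(STAGE_VPN / f) != compute_md5(STAGE_PEERING / f)]` followed by `assert not mismatched, mismatched`, reports every divergent file in a single run. Since the digests are only compared for equality, `filecmp.cmp(STAGE_VPN / f, STAGE_PEERING / f, shallow=False)` would also state the intent more directly than hashing both files. `test_vpn_peering_checksums` starts outside the hunk.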
|
|