Merge pull request #1400 from GoogleCloudPlatform/jccb/default-vpc-routes

Add default googleapi route creation to net-vpc
This commit is contained in:
Julio Castillo 2023-05-26 17:49:59 +02:00 committed by GitHub
commit b1ea36b069
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
59 changed files with 279 additions and 258 deletions


@ -106,5 +106,5 @@ module "test" {
europe-west1 = "10.0.0.0/28"
}
}
# tftest modules=10 resources=62
# tftest modules=10 resources=64
```


@ -80,5 +80,5 @@ module "test" {
project_id = "my-project"
hostname = "test.myorg.org"
}
# tftest modules=18 resources=59
# tftest modules=18 resources=61
```


@ -79,5 +79,5 @@ module "test" {
onprem_project_id = "my-onprem-project"
hostname = "test.myorg.org"
}
# tftest modules=14 resources=73
# tftest modules=14 resources=77
```


@ -89,5 +89,5 @@ module "test" {
ad_dns_domain_name = "example.com"
adfs_dns_domain_name = "adfs.example.com"
}
# tftest modules=5 resources=18
# tftest modules=5 resources=20
```


@ -82,5 +82,5 @@ module "test" {
project_id = "project-1"
}
# tftest modules=7 resources=21
# tftest modules=7 resources=23
```


@ -128,5 +128,5 @@ module "test1" {
project_create = true
project_id = "test"
}
# tftest modules=9 resources=25
# tftest modules=9 resources=27
```


@ -51,5 +51,5 @@ module "test" {
shared_vpc_link = "https://www.googleapis.com/compute/v1/projects/test-dns/global/networks/default"
teams = ["team1", "team2"]
}
# tftest modules=9 resources=12
# tftest modules=9 resources=16
```


@ -115,5 +115,5 @@ module "test" {
packer_account_users = ["user:john@example.com"]
create_packer_vars = true
}
# tftest modules=7 resources=17 files=pkrvars
# tftest modules=7 resources=19 files=pkrvars
```


@ -128,5 +128,5 @@ module "test" {
billing_account = "123456-123456-123456"
project_create = true
}
# tftest modules=11 resources=35
# tftest modules=11 resources=37
```


@ -52,5 +52,5 @@ module "test" {
migration_admin_users = ["user:admin@example.com"]
migration_viewer_users = ["user:viewer@example.com"]
}
# tftest modules=5 resources=20
# tftest modules=5 resources=22
```


@ -98,5 +98,5 @@ module "test" {
prefix = "prefix"
}
# tftest modules=9 resources=48
# tftest modules=9 resources=50
```


@ -180,5 +180,5 @@ module "test" {
}
prefix = "prefix"
}
# tftest modules=10 resources=50
# tftest modules=10 resources=52
```


@ -66,5 +66,5 @@ module "test" {
}
prefix = "prefix"
}
# tftest modules=8 resources=27
# tftest modules=8 resources=29
```


@ -125,5 +125,5 @@ module "test" {
}
prefix = "prefix"
}
# tftest modules=5 resources=26
# tftest modules=5 resources=28
```


@ -226,7 +226,7 @@ module "data-platform" {
prefix = "myprefix"
}
# tftest modules=43 resources=279
# tftest modules=43 resources=285
```
## Customizations
@ -307,5 +307,5 @@ module "test" {
}
prefix = "prefix"
}
# tftest modules=43 resources=279
# tftest modules=43 resources=285
```


@ -203,7 +203,7 @@ module "data-platform" {
prefix = "myprefix"
}
# tftest modules=21 resources=110
# tftest modules=21 resources=112
```
## Customizations


@ -86,5 +86,5 @@ module "test" {
parent = "folders/467898377"
}
}
# tftest modules=8 resources=41
# tftest modules=8 resources=43
```


@ -228,5 +228,5 @@ module "test" {
project_id = "project-1"
prefix = "prefix"
}
# tftest modules=12 resources=47
# tftest modules=12 resources=49
```


@ -87,5 +87,5 @@ module "test" {
ad_domain_fqdn = "ad.example.com"
ad_domain_netbios = "ad"
}
# tftest modules=12 resources=38
# tftest modules=12 resources=40
```


@ -72,7 +72,7 @@ module "test" {
project_id = "test-dev"
}
}
# tftest modules=11 resources=60
# tftest modules=11 resources=62
```
<!-- BEGIN TFDOC -->
@ -127,5 +127,5 @@ module "test" {
project_id = "test-dev"
}
}
# tftest modules=13 resources=65
# tftest modules=13 resources=67
```


@ -91,5 +91,5 @@ module "test" {
}
project_id = "my-project"
}
# tftest modules=11 resources=34
```
# tftest modules=11 resources=36
```


@ -138,5 +138,5 @@ module "test" {
}
project_id = "my-project"
}
# tftest modules=14 resources=47
# tftest modules=14 resources=49
```


@ -103,5 +103,5 @@ module "test" {
mgmt_subnet_cidr_block = "10.0.0.0/24"
istio_version = "1.14.1-asm.3"
}
# tftest modules=13 resources=57
# tftest modules=13 resources=59
```


@ -51,5 +51,5 @@ module "test" {
root_node = "organizations/0123456789"
}
# tftest modules=9 resources=50
# tftest modules=9 resources=54
```


@ -40,5 +40,5 @@ module "test" {
}
project_id = "test-project"
}
# tftest modules=13 resources=37
# tftest modules=13 resources=41
```


@ -47,7 +47,7 @@ module "test1" {
prefix = "fabric"
root_node = "folders/123456789"
}
# tftest modules=14 resources=36
# tftest modules=14 resources=38
```
```hcl
@ -58,5 +58,5 @@ module "test2" {
prefix = "fabric"
root_node = "folders/123456789"
}
# tftest modules=12 resources=30
# tftest modules=12 resources=32
```


@ -151,5 +151,5 @@ module "test" {
project_id = "project-1"
enforce_security_policy = true
}
# tftest modules=12 resources=26
# tftest modules=12 resources=28
```


@ -96,5 +96,5 @@ module "test" {
}
}
# tftest modules=21 resources=64
# tftest modules=21 resources=70
```


@ -115,5 +115,5 @@ module "test" {
project_id = "project-1"
}
# tftest modules=22 resources=61
# tftest modules=22 resources=67
```


@ -114,5 +114,5 @@ module "test" {
project_id = "project-1"
}
# tftest modules=20 resources=73
# tftest modules=20 resources=79
```


@ -96,5 +96,5 @@ module "test" {
project_create = true
project_id = "project-1"
}
# tftest modules=18 resources=42
# tftest modules=18 resources=46
```


@ -45,5 +45,5 @@ module "test" {
}
project_id = "test-project"
}
# tftest modules=11 resources=40
# tftest modules=11 resources=44
```


@ -80,5 +80,5 @@ module "test" {
prefix = "test"
root_node = "organizations/0123456789"
}
# tftest modules=11 resources=43
# tftest modules=11 resources=45
```


@ -238,7 +238,7 @@ module "test" {
prj_onprem_id = "onprem-project-id"
}
# tftest modules=15 resources=46
# tftest modules=15 resources=50
```
```hcl
@ -262,7 +262,7 @@ module "test" {
tf_identity = "user@example.org"
}
# tftest modules=15 resources=32
# tftest modules=15 resources=36
```
```hcl
@ -281,5 +281,5 @@ module "test" {
custom_domain = "cloud-run-corporate.example.org"
}
# tftest modules=14 resources=43
# tftest modules=14 resources=45
```


@ -38,6 +38,13 @@ module "dev-spoke-vpc-serverless" {
ip_cidr_range = var.serverless_connector_config.dev-primary.ip_cidr_range
region = var.regions.primary
}]
# these should be create from the main VPC
create_googleapis_routes = {
private = false
private-6 = false
restricted = false
restricted-6 = false
}
}
module "prod-spoke-vpc-serverless" {
@ -51,6 +58,13 @@ module "prod-spoke-vpc-serverless" {
ip_cidr_range = var.serverless_connector_config.prod-primary.ip_cidr_range
region = var.regions.primary
}]
# these should be create from the main VPC
create_googleapis_routes = {
private = false
private-6 = false
restricted = false
restricted-6 = false
}
}
resource "google_vpc_access_connector" "dev-primary" {
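Review bot: The comment added above `create_googleapis_routes` in both serverless modules, `# these should be create from the main VPC`, is ungrammatical and does not say what "these" are or who creates them; it appears in the dev-spoke-vpc-serverless hunk and again in the prod-spoke-vpc-serverless hunk. Now that the net-vpc module creates the googleapis routes by default, this comment is the only record of why they are deliberately disabled on the serverless VPCs. Suggest `# googleapis routes are created by the main spoke VPC, not by this serverless VPC` in both places. Both module blocks begin before their hunk.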


@ -1,5 +1,5 @@
/**
* Copyright 2022 Google LLC
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -51,17 +51,9 @@ module "landing-vpc" {
inbound = true
}
# set explicit routes for googleapis in case the default route is deleted
routes = {
private-googleapis = {
dest_range = "199.36.153.8/30"
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
restricted-googleapis = {
dest_range = "199.36.153.4/30"
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
create_googleapis_routes = {
private = true
restricted = true
}
data_folder = "${var.factories_config.data_dir}/subnets/landing"
}


@ -1,5 +1,5 @@
/**
* Copyright 2022 Google LLC
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -53,17 +53,9 @@ module "dev-spoke-vpc" {
data_folder = "${var.factories_config.data_dir}/subnets/dev"
psa_config = try(var.psa_ranges.dev, null)
# set explicit routes for googleapis in case the default route is deleted
routes = {
private-googleapis = {
dest_range = "199.36.153.8/30"
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
restricted-googleapis = {
dest_range = "199.36.153.4/30"
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
create_googleapis_routes = {
private = true
restricted = true
}
}


@ -1,5 +1,5 @@
/**
* Copyright 2022 Google LLC
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -52,17 +52,9 @@ module "prod-spoke-vpc" {
data_folder = "${var.factories_config.data_dir}/subnets/prod"
psa_config = try(var.psa_ranges.prod, null)
# set explicit routes for googleapis in case the default route is deleted
routes = {
private-googleapis = {
dest_range = "199.36.153.8/30"
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
restricted-googleapis = {
dest_range = "199.36.153.4/30"
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
create_googleapis_routes = {
private = true
restricted = true
}
}


@ -1,5 +1,5 @@
/**
* Copyright 2022 Google LLC
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -51,17 +51,9 @@ module "landing-vpc" {
inbound = true
}
# set explicit routes for googleapis in case the default route is deleted
routes = {
private-googleapis = {
dest_range = "199.36.153.8/30"
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
restricted-googleapis = {
dest_range = "199.36.153.4/30"
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
create_googleapis_routes = {
private = true
restricted = true
}
data_folder = "${var.factories_config.data_dir}/subnets/landing"
}


@ -1,5 +1,5 @@
/**
* Copyright 2022 Google LLC
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -53,17 +53,9 @@ module "dev-spoke-vpc" {
data_folder = "${var.factories_config.data_dir}/subnets/dev"
psa_config = try(var.psa_ranges.dev, null)
# set explicit routes for googleapis in case the default route is deleted
routes = {
private-googleapis = {
dest_range = "199.36.153.8/30"
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
restricted-googleapis = {
dest_range = "199.36.153.4/30"
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
create_googleapis_routes = {
private = true
restricted = true
}
}


@ -1,5 +1,5 @@
/**
* Copyright 2022 Google LLC
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -52,17 +52,9 @@ module "prod-spoke-vpc" {
data_folder = "${var.factories_config.data_dir}/subnets/prod"
psa_config = try(var.psa_ranges.prod, null)
# set explicit routes for googleapis in case the default route is deleted
routes = {
private-googleapis = {
dest_range = "199.36.153.8/30"
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
restricted-googleapis = {
dest_range = "199.36.153.4/30"
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
create_googleapis_routes = {
private = true
restricted = true
}
}


@ -1,5 +1,5 @@
/**
* Copyright 2022 Google LLC
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -53,6 +53,10 @@ module "landing-untrusted-vpc" {
inbound = false
logging = false
}
create_googleapis_routes = {
private = false
restricted = false
}
data_folder = "${var.factories_config.data_dir}/subnets/landing-untrusted"
}
@ -116,17 +120,9 @@ module "landing-trusted-vpc" {
inbound = true
}
# Set explicit routes for googleapis in case the default route is deleted
routes = {
private-googleapis = {
dest_range = "199.36.153.8/30"
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
restricted-googleapis = {
dest_range = "199.36.153.4/30"
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
create_googleapis_routes = {
private = true
restricted = true
}
}


@ -1,5 +1,5 @@
/**
* Copyright 2022 Google LLC
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -53,19 +53,11 @@ module "dev-spoke-vpc" {
delete_default_routes_on_create = true
psa_config = try(var.psa_ranges.dev, null)
# Set explicit routes for googleapis; send everything else to NVAs
create_googleapis_routes = {
private = true
restricted = true
}
routes = {
private-googleapis = {
dest_range = "199.36.153.8/30"
priority = 999
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
restricted-googleapis = {
dest_range = "199.36.153.4/30"
priority = 999
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
nva-primary-to-primary = {
dest_range = "0.0.0.0/0"
priority = 1000
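Review bot: Switching dev-spoke-vpc from explicit routes to `create_googleapis_routes` drops the `priority = 999` those routes carried; the module-generated routes are fixed at `priority = 1000` in routes.tf, which is the same priority as the `nva-primary-to-primary` 0.0.0.0/0 route that follows in this block. VPC routing selects the most specific destination before comparing priority, so the /30 googleapis routes should still take precedence over the default route to the NVAs and the change looks functionally safe, but the earlier deliberate ordering is now implicit. A comment at the `create_googleapis_routes` block such as `# module routes use priority 1000; the /30 destinations still win over the 0.0.0.0/0 NVA routes` would keep that reasoning visible, or the module could expose the priority. The same applies to the prod-spoke-vpc hunk below and to the second pair of NVA spoke files later in this commit. The module block continues past the hunk.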


@ -1,5 +1,5 @@
/**
* Copyright 2022 Google LLC
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -52,19 +52,11 @@ module "prod-spoke-vpc" {
delete_default_routes_on_create = true
psa_config = try(var.psa_ranges.prod, null)
# Set explicit routes for googleapis; send everything else to NVAs
create_googleapis_routes = {
private = true
restricted = true
}
routes = {
private-googleapis = {
dest_range = "199.36.153.8/30"
priority = 999
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
restricted-googleapis = {
dest_range = "199.36.153.4/30"
priority = 999
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
nva-primary-to-primary = {
dest_range = "0.0.0.0/0"
priority = 1000


@ -1,5 +1,5 @@
/**
* Copyright 2022 Google LLC
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -53,17 +53,9 @@ module "dev-spoke-vpc" {
data_folder = "${var.factories_config.data_dir}/subnets/dev"
psa_config = try(var.psa_ranges.dev, null)
# set explicit routes for googleapis in case the default route is deleted
routes = {
private-googleapis = {
dest_range = "199.36.153.8/30"
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
restricted-googleapis = {
dest_range = "199.36.153.4/30"
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
create_googleapis_routes = {
private = true
restricted = true
}
}


@ -1,5 +1,5 @@
/**
* Copyright 2022 Google LLC
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -52,17 +52,9 @@ module "prod-spoke-vpc" {
data_folder = "${var.factories_config.data_dir}/subnets/prod"
psa_config = try(var.psa_ranges.prod, null)
# set explicit routes for googleapis in case the default route is deleted
routes = {
private-googleapis = {
dest_range = "199.36.153.8/30"
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
restricted-googleapis = {
dest_range = "199.36.153.4/30"
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
create_googleapis_routes = {
private = true
restricted = true
}
}


@ -1,5 +1,5 @@
/**
* Copyright 2022 Google LLC
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -54,6 +54,10 @@ module "landing-untrusted-vpc" {
inbound = false
logging = false
}
create_googleapis_routes = {
private = false
restricted = false
}
data_folder = "${var.factories_config.data_dir}/subnets/landing-untrusted"
}
@ -117,17 +121,9 @@ module "landing-trusted-vpc" {
inbound = true
}
# Set explicit routes for googleapis in case the default route is deleted
routes = {
private-googleapis = {
dest_range = "199.36.153.8/30"
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
restricted-googleapis = {
dest_range = "199.36.153.4/30"
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
create_googleapis_routes = {
private = true
restricted = true
}
}


@ -1,5 +1,5 @@
/**
* Copyright 2022 Google LLC
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -53,19 +53,9 @@ module "dev-spoke-vpc" {
delete_default_routes_on_create = true
psa_config = try(var.psa_ranges.dev, null)
# Set explicit routes for googleapis; send everything else to NVAs
routes = {
private-googleapis = {
dest_range = "199.36.153.8/30"
priority = 999
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
restricted-googleapis = {
dest_range = "199.36.153.4/30"
priority = 999
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
create_googleapis_routes = {
private = true
restricted = true
}
}


@ -1,5 +1,5 @@
/**
* Copyright 2022 Google LLC
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -52,19 +52,9 @@ module "prod-spoke-vpc" {
delete_default_routes_on_create = true
psa_config = try(var.psa_ranges.prod, null)
# Set explicit routes for googleapis; send everything else to NVAs
routes = {
private-googleapis = {
dest_range = "199.36.153.8/30"
priority = 999
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
restricted-googleapis = {
dest_range = "199.36.153.4/30"
priority = 999
next_hop_type = "gateway"
next_hop = "default-internet-gateway"
}
create_googleapis_routes = {
private = true
restricted = true
}
}


@ -39,7 +39,7 @@ module "db" {
database_version = "POSTGRES_13"
tier = "db-g1-small"
}
# tftest modules=3 resources=9 inventory=simple.yaml
# tftest modules=3 resources=11 inventory=simple.yaml
```
## Cross-regional read replica


@ -119,7 +119,7 @@ module "hub" {
}
}
# tftest modules=4 resources=16 inventory=full.yaml
# tftest modules=4 resources=18 inventory=full.yaml
```
## Multi-cluster mesh on GKE
@ -314,7 +314,7 @@ module "hub" {
]
}
# tftest modules=8 resources=32
# tftest modules=8 resources=34
```
<!-- BEGIN TFDOC -->


@ -59,7 +59,7 @@ module "firewall-policy" {
}
}
}
# tftest modules=2 resources=7
# tftest modules=2 resources=9
```
<!-- BEGIN TFDOC -->


@ -17,6 +17,7 @@ This module allows creation and management of VPC networks including subnetworks
- [DNS Policies](#dns-policies)
- [Subnet Factory](#subnet-factory)
- [Custom Routes](#custom-routes)
- [Private Google Access routes](#private-google-access-routes)
- [Allow Firewall Policy to be evaluated before Firewall Rules](#allow-firewall-policy-to-be-evaluated-before-firewall-rules)
- [Variables](#variables)
- [Outputs](#outputs)
@ -45,7 +46,7 @@ module "vpc" {
}
]
}
# tftest modules=1 resources=3 inventory=simple.yaml
# tftest modules=1 resources=5 inventory=simple.yaml
```
### Subnet Options
@ -92,7 +93,7 @@ module "vpc" {
}
]
}
# tftest modules=1 resources=5 inventory=subnet-options.yaml
# tftest modules=1 resources=7 inventory=subnet-options.yaml
```
### Subnet IAM
@ -129,7 +130,7 @@ module "vpc" {
}
}
}
# tftest modules=1 resources=6 inventory=subnet-iam.yaml
# tftest modules=1 resources=8 inventory=subnet-iam.yaml
```
### Peering
@ -164,7 +165,7 @@ module "vpc-spoke-1" {
import_routes = true
}
}
# tftest modules=2 resources=6 inventory=peering.yaml
# tftest modules=2 resources=10 inventory=peering.yaml
```
### Shared VPC
@ -215,7 +216,7 @@ module "vpc-host" {
}
}
}
# tftest modules=1 resources=7 inventory=shared-vpc.yaml
# tftest modules=1 resources=9 inventory=shared-vpc.yaml
```
### Private Service Networking
@ -236,7 +237,7 @@ module "vpc" {
ranges = { myrange = "10.0.1.0/24" }
}
}
# tftest modules=1 resources=5 inventory=psc.yaml
# tftest modules=1 resources=7 inventory=psc.yaml
```
### Private Service Networking with peering routes
@ -261,7 +262,7 @@ module "vpc" {
import_routes = true
}
}
# tftest modules=1 resources=5 inventory=psc-routes.yaml
# tftest modules=1 resources=7 inventory=psc-routes.yaml
```
### Subnets for Private Service Connect, Proxy-only subnets
@ -293,7 +294,7 @@ module "vpc" {
}
]
}
# tftest modules=1 resources=3 inventory=proxy-only-subnets.yaml
# tftest modules=1 resources=5 inventory=proxy-only-subnets.yaml
```
### DNS Policies
@ -318,7 +319,7 @@ module "vpc" {
}
]
}
# tftest modules=1 resources=3 inventory=dns-policies.yaml
# tftest modules=1 resources=5 inventory=dns-policies.yaml
```
### Subnet Factory
@ -332,7 +333,7 @@ module "vpc" {
name = "my-network"
data_folder = "config/subnets"
}
# tftest modules=1 resources=9 files=subnet-simple,subnet-simple-2,subnet-detailed,subnet-proxy,subnet-psc inventory=factory.yaml
# tftest modules=1 resources=11 files=subnet-simple,subnet-simple-2,subnet-detailed,subnet-proxy,subnet-psc inventory=factory.yaml
```
```yaml
@ -400,6 +401,7 @@ locals {
vpn_tunnel = "regions/europe-west1/vpnTunnels/foo"
}
}
module "vpc" {
source = "./fabric/modules/net-vpc"
for_each = local.route_types
@ -420,10 +422,36 @@ module "vpc" {
next_hop = "global/gateways/default-internet-gateway"
}
}
create_googleapis_routes = {
restricted = false
restricted-6 = false
private = false
private-6 = false
}
}
# tftest modules=5 resources=15 inventory=routes.yaml
```
### Private Google Access routes
By default the VPC module creates IPv4 routes for the [Private Google Access ranges](https://cloud.google.com/vpc/docs/configure-private-google-access#config-routing). This behavior can be controlled through the `create_googleapis_routes` variable:
```hcl
module "vpc" {
source = "./fabric/modules/net-vpc"
project_id = "my-project"
name = "my-vpc"
create_googleapis_routes = {
restricted = false
restricted-6 = true
private = false
private-6 = true
}
}
# tftest modules=1 resources=3 inventory=googleapis.yaml
```
### Allow Firewall Policy to be evaluated before Firewall Rules
```hcl
@ -449,7 +477,7 @@ module "vpc" {
}
]
}
# tftest modules=1 resources=3 inventory=firewall_policy_enforcement_order.yaml
# tftest modules=1 resources=5 inventory=firewall_policy_enforcement_order.yaml
```
<!-- BEGIN TFDOC -->
@ -457,27 +485,28 @@ module "vpc" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [name](variables.tf#L72) | The name of the network being created. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L88) | The ID of the project where this VPC will be created. | <code>string</code> | ✓ | |
| [name](variables.tf#L84) | The name of the network being created. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L100) | The ID of the project where this VPC will be created. | <code>string</code> | ✓ | |
| [auto_create_subnetworks](variables.tf#L17) | Set to true to create an auto mode subnet, defaults to custom mode. | <code>bool</code> | | <code>false</code> |
| [data_folder](variables.tf#L23) | An optional folder containing the subnet configurations in YaML format. | <code>string</code> | | <code>null</code> |
| [delete_default_routes_on_create](variables.tf#L29) | Set to true to delete the default routes at creation time. | <code>bool</code> | | <code>false</code> |
| [description](variables.tf#L35) | An optional description of this resource (triggers recreation on change). | <code>string</code> | | <code>&#34;Terraform-managed.&#34;</code> |
| [dns_policy](variables.tf#L41) | DNS policy setup for the VPC. | <code title="object&#40;&#123;&#10; inbound &#61; optional&#40;bool&#41;&#10; logging &#61; optional&#40;bool&#41;&#10; outbound &#61; optional&#40;object&#40;&#123;&#10; private_ns &#61; list&#40;string&#41;&#10; public_ns &#61; list&#40;string&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [firewall_policy_enforcement_order](variables.tf#L54) | Order that Firewall Rules and Firewall Policies are evaluated. Can be either 'BEFORE_CLASSIC_FIREWALL' or 'AFTER_CLASSIC_FIREWALL'. | <code>string</code> | | <code>&#34;AFTER_CLASSIC_FIREWALL&#34;</code> |
| [mtu](variables.tf#L66) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 (the default) and the maximum value is 1500 bytes. | <code>number</code> | | <code>null</code> |
| [peering_config](variables.tf#L77) | VPC peering configuration. | <code title="object&#40;&#123;&#10; peer_vpc_self_link &#61; string&#10; create_remote_peer &#61; optional&#40;bool, true&#41;&#10; export_routes &#61; optional&#40;bool&#41;&#10; import_routes &#61; optional&#40;bool&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [psa_config](variables.tf#L93) | The Private Service Access configuration for Service Networking. | <code title="object&#40;&#123;&#10; ranges &#61; map&#40;string&#41;&#10; export_routes &#61; optional&#40;bool, false&#41;&#10; import_routes &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [routes](variables.tf#L103) | Network routes, keyed by name. | <code title="map&#40;object&#40;&#123;&#10; dest_range &#61; string&#10; next_hop_type &#61; string &#35; gateway, instance, ip, vpn_tunnel, ilb&#10; next_hop &#61; string&#10; priority &#61; optional&#40;number&#41;&#10; tags &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [routing_mode](variables.tf#L123) | The network routing mode (default 'GLOBAL'). | <code>string</code> | | <code>&#34;GLOBAL&#34;</code> |
| [shared_vpc_host](variables.tf#L133) | Enable shared VPC for this project. | <code>bool</code> | | <code>false</code> |
| [shared_vpc_service_projects](variables.tf#L139) | Shared VPC service projects to register with this host. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
| [subnet_iam](variables.tf#L145) | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | <code>map&#40;map&#40;list&#40;string&#41;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [subnet_iam_additive](variables.tf#L151) | Subnet IAM additive bindings in {REGION/NAME => {ROLE => [MEMBERS]}} format. | <code>map&#40;map&#40;list&#40;string&#41;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [subnets](variables.tf#L158) | Subnet configuration. | <code title="list&#40;object&#40;&#123;&#10; name &#61; string&#10; ip_cidr_range &#61; string&#10; region &#61; string&#10; description &#61; optional&#40;string&#41;&#10; enable_private_access &#61; optional&#40;bool, true&#41;&#10; flow_logs_config &#61; optional&#40;object&#40;&#123;&#10; aggregation_interval &#61; optional&#40;string&#41;&#10; filter_expression &#61; optional&#40;string&#41;&#10; flow_sampling &#61; optional&#40;number&#41;&#10; metadata &#61; optional&#40;string&#41;&#10; metadata_fields &#61; optional&#40;list&#40;string&#41;&#41;&#10; &#125;&#41;&#41;&#10; ipv6 &#61; optional&#40;object&#40;&#123;&#10; access_type &#61; optional&#40;string&#41;&#10; enable_private_access &#61; optional&#40;bool, true&#41;&#10; &#125;&#41;&#41;&#10; secondary_ip_ranges &#61; optional&#40;map&#40;string&#41;&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#91;&#93;</code> |
| [subnets_proxy_only](variables.tf#L183) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | <code title="list&#40;object&#40;&#123;&#10; name &#61; string&#10; ip_cidr_range &#61; string&#10; region &#61; string&#10; description &#61; optional&#40;string&#41;&#10; active &#61; bool&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#91;&#93;</code> |
| [subnets_psc](variables.tf#L195) | List of subnets for Private Service Connect service producers. | <code title="list&#40;object&#40;&#123;&#10; name &#61; string&#10; ip_cidr_range &#61; string&#10; region &#61; string&#10; description &#61; optional&#40;string&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#91;&#93;</code> |
| [vpc_create](variables.tf#L206) | Create VPC. When set to false, uses a data source to reference existing VPC. | <code>bool</code> | | <code>true</code> |
| [create_googleapis_routes](variables.tf#L23) | Toggle creation of googleapis private/restricted routes. | <code title="object&#40;&#123;&#10; private &#61; optional&#40;bool, true&#41;&#10; private-6 &#61; optional&#40;bool, false&#41;&#10; restricted &#61; optional&#40;bool, true&#41;&#10; restricted-6 &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [data_folder](variables.tf#L35) | An optional folder containing the subnet configurations in YaML format. | <code>string</code> | | <code>null</code> |
| [delete_default_routes_on_create](variables.tf#L41) | Set to true to delete the default routes at creation time. | <code>bool</code> | | <code>false</code> |
| [description](variables.tf#L47) | An optional description of this resource (triggers recreation on change). | <code>string</code> | | <code>&#34;Terraform-managed.&#34;</code> |
| [dns_policy](variables.tf#L53) | DNS policy setup for the VPC. | <code title="object&#40;&#123;&#10; inbound &#61; optional&#40;bool&#41;&#10; logging &#61; optional&#40;bool&#41;&#10; outbound &#61; optional&#40;object&#40;&#123;&#10; private_ns &#61; list&#40;string&#41;&#10; public_ns &#61; list&#40;string&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [firewall_policy_enforcement_order](variables.tf#L66) | Order that Firewall Rules and Firewall Policies are evaluated. Can be either 'BEFORE_CLASSIC_FIREWALL' or 'AFTER_CLASSIC_FIREWALL'. | <code>string</code> | | <code>&#34;AFTER_CLASSIC_FIREWALL&#34;</code> |
| [mtu](variables.tf#L78) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 (the default) and the maximum value is 1500 bytes. | <code>number</code> | | <code>null</code> |
| [peering_config](variables.tf#L89) | VPC peering configuration. | <code title="object&#40;&#123;&#10; peer_vpc_self_link &#61; string&#10; create_remote_peer &#61; optional&#40;bool, true&#41;&#10; export_routes &#61; optional&#40;bool&#41;&#10; import_routes &#61; optional&#40;bool&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [psa_config](variables.tf#L105) | The Private Service Access configuration for Service Networking. | <code title="object&#40;&#123;&#10; ranges &#61; map&#40;string&#41;&#10; export_routes &#61; optional&#40;bool, false&#41;&#10; import_routes &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [routes](variables.tf#L115) | Network routes, keyed by name. | <code title="map&#40;object&#40;&#123;&#10; dest_range &#61; string&#10; next_hop_type &#61; string &#35; gateway, instance, ip, vpn_tunnel, ilb&#10; next_hop &#61; string&#10; priority &#61; optional&#40;number&#41;&#10; tags &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [routing_mode](variables.tf#L135) | The network routing mode (default 'GLOBAL'). | <code>string</code> | | <code>&#34;GLOBAL&#34;</code> |
| [shared_vpc_host](variables.tf#L145) | Enable shared VPC for this project. | <code>bool</code> | | <code>false</code> |
| [shared_vpc_service_projects](variables.tf#L151) | Shared VPC service projects to register with this host. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
| [subnet_iam](variables.tf#L157) | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | <code>map&#40;map&#40;list&#40;string&#41;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [subnet_iam_additive](variables.tf#L163) | Subnet IAM additive bindings in {REGION/NAME => {ROLE => [MEMBERS]}} format. | <code>map&#40;map&#40;list&#40;string&#41;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [subnets](variables.tf#L170) | Subnet configuration. | <code title="list&#40;object&#40;&#123;&#10; name &#61; string&#10; ip_cidr_range &#61; string&#10; region &#61; string&#10; description &#61; optional&#40;string&#41;&#10; enable_private_access &#61; optional&#40;bool, true&#41;&#10; flow_logs_config &#61; optional&#40;object&#40;&#123;&#10; aggregation_interval &#61; optional&#40;string&#41;&#10; filter_expression &#61; optional&#40;string&#41;&#10; flow_sampling &#61; optional&#40;number&#41;&#10; metadata &#61; optional&#40;string&#41;&#10; metadata_fields &#61; optional&#40;list&#40;string&#41;&#41;&#10; &#125;&#41;&#41;&#10; ipv6 &#61; optional&#40;object&#40;&#123;&#10; access_type &#61; optional&#40;string&#41;&#10; enable_private_access &#61; optional&#40;bool, true&#41;&#10; &#125;&#41;&#41;&#10; secondary_ip_ranges &#61; optional&#40;map&#40;string&#41;&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#91;&#93;</code> |
| [subnets_proxy_only](variables.tf#L195) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | <code title="list&#40;object&#40;&#123;&#10; name &#61; string&#10; ip_cidr_range &#61; string&#10; region &#61; string&#10; description &#61; optional&#40;string&#41;&#10; active &#61; bool&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#91;&#93;</code> |
| [subnets_psc](variables.tf#L207) | List of subnets for Private Service Connect service producers. | <code title="list&#40;object&#40;&#123;&#10; name &#61; string&#10; ip_cidr_range &#61; string&#10; region &#61; string&#10; description &#61; optional&#40;string&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#91;&#93;</code> |
| [vpc_create](variables.tf#L218) | Create VPC. When set to false, uses a data source to reference existing VPC. | <code>bool</code> | | <code>true</code> |
## Outputs


@ -1,5 +1,5 @@
/**
* Copyright 2022 Google LLC
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -17,7 +17,23 @@
# tfdoc:file:description Route resources.
locals {
_routes = var.routes == null ? {} : var.routes
_googleapis_ranges = {
private = "199.36.153.8/30"
private-6 = "2600:2d00:0002:2000::/64"
restricted = "199.36.153.4/30"
restricted-6 = "2600:2d00:0002:1000::/64"
}
_googleapis_routes = {
for k, v in local._googleapis_ranges : "${k}-googleapis" => {
dest_range = v
next_hop = "default-internet-gateway"
next_hop_type = "gateway"
priority = 1000
tags = null
}
if var.create_googleapis_routes[k]
}
_routes = merge(local._googleapis_routes, coalesce(var.routes, {}))
routes = {
gateway = { for k, v in local._routes : k => v if v.next_hop_type == "gateway" }
ilb = { for k, v in local._routes : k => v if v.next_hop_type == "ilb" }
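Review bot: The objects synthesized in `_googleapis_routes` carry only `dest_range`, `next_hop`, `next_hop_type`, `priority` and `tags`, and after the `merge` on the `_routes` line they share a map with the caller's `var.routes` entries; if the `google_compute_route` resources (outside this hunk) read any other attribute from `v`, or if `var.routes` objects declare optional attributes the synthesized ones lack, the plan fails the first time a caller passes a non-empty `var.routes`, so a test combining `var.routes` with the default toggles would pin this. The literal ranges are not explained anywhere; a one-line comment above `_googleapis_ranges` such as `# private.googleapis.com / restricted.googleapis.com VIP ranges; a route alone does nothing until DNS resolves *.googleapis.com to one of them` would save the next reader a lookup and make clear that the restricted route is a routing prerequisite, not an access control by itself. The `locals` block continues past the end of the hunk.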


@ -1,5 +1,5 @@
/**
* Copyright 2022 Google LLC
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -20,6 +20,18 @@ variable "auto_create_subnetworks" {
default = false
}
variable "create_googleapis_routes" {
description = "Toggle creation of googleapis private/restricted routes."
type = object({
private = optional(bool, true)
private-6 = optional(bool, false)
restricted = optional(bool, true)
restricted-6 = optional(bool, false)
})
default = {}
nullable = false
}
variable "data_folder" {
description = "An optional folder containing the subnet configurations in YaML format."
type = string
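Review bot: The description on `create_googleapis_routes` says what is toggled but not what the toggles create, and because `private` and `restricted` default to `true`, every VPC built from this module now gets two routes to `default-internet-gateway` without the caller asking for them. Spelling that out in the description, e.g. `description = "Toggle creation of googleapis private/restricted routes. Routes send the private.googleapis.com and restricted.googleapis.com ranges to the default internet gateway; the IPv4 routes are created by default, the IPv6 ones are opt-in."`, lets readers of the generated README see the default behaviour and decide whether to opt out. The `variable "data_folder"` block continues outside the hunk.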


@ -36,7 +36,3 @@ counts:
google_compute_network: 1
google_compute_subnetwork: 1
google_dns_policy: 1
modules: 1
resources: 3
outputs: {}


@ -0,0 +1,39 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.vpc.google_compute_route.gateway["private-6-googleapis"]:
dest_range: 2600:2d00:0002:2000::/64
name: my-vpc-private-6-googleapis
next_hop_gateway: default-internet-gateway
next_hop_ilb: null
next_hop_instance: null
next_hop_vpn_tunnel: null
priority: 1000
project: my-project
tags: null
module.vpc.google_compute_route.gateway["restricted-6-googleapis"]:
dest_range: 2600:2d00:0002:1000::/64
name: my-vpc-restricted-6-googleapis
next_hop_gateway: default-internet-gateway
next_hop_ilb: null
next_hop_instance: null
next_hop_vpn_tunnel: null
priority: 1000
project: my-project
tags: null
counts:
google_compute_network: 1
google_compute_route: 2


@ -44,7 +44,31 @@ values:
region: europe-west2
role: null
secondary_ip_range: []
module.vpc.google_compute_route.gateway["private-googleapis"]:
dest_range: 199.36.153.8/30
name: my-network-private-googleapis
next_hop_gateway: default-internet-gateway
next_hop_ilb: null
next_hop_instance: null
next_hop_vpn_tunnel: null
priority: 1000
project: my-project
tags: null
timeouts: null
module.vpc.google_compute_route.gateway["restricted-googleapis"]:
description: Terraform-managed.
dest_range: 199.36.153.4/30
name: my-network-restricted-googleapis
next_hop_gateway: default-internet-gateway
next_hop_ilb: null
next_hop_instance: null
next_hop_vpn_tunnel: null
priority: 1000
project: my-project
tags: null
timeouts: null
counts:
google_compute_network: 1
google_compute_subnetwork: 2
google_compute_route: 2
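Review bot: The expected values for `private-googleapis` and `restricted-googleapis` differ in shape: the second lists `description: Terraform-managed.` while the first omits it, although both routes are produced by the same `for` expression in the module's `routes.tf` change. If the inventory is matched as a subset this still passes, but adding `description: Terraform-managed.` under `private-googleapis` (before `dest_range`) would pin that both routes receive the description and keeps the two fixtures symmetric.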


@ -54,5 +54,4 @@ counts:
google_compute_subnetwork: 2
google_compute_subnetwork_iam_binding: 1
google_compute_subnetwork_iam_member: 2
outputs: {}
google_compute_route: 2