diff --git a/blueprints/apigee/bigquery-analytics/README.md b/blueprints/apigee/bigquery-analytics/README.md
index 817c39bb..64bb966d 100644
--- a/blueprints/apigee/bigquery-analytics/README.md
+++ b/blueprints/apigee/bigquery-analytics/README.md
@@ -106,5 +106,5 @@ module "test" {
europe-west1 = "10.0.0.0/28"
}
}
-# tftest modules=10 resources=62
+# tftest modules=10 resources=64
```
diff --git a/blueprints/apigee/hybrid-gke/README.md b/blueprints/apigee/hybrid-gke/README.md
index 05614fac..5d79f1f8 100644
--- a/blueprints/apigee/hybrid-gke/README.md
+++ b/blueprints/apigee/hybrid-gke/README.md
@@ -80,5 +80,5 @@ module "test" {
project_id = "my-project"
hostname = "test.myorg.org"
}
-# tftest modules=18 resources=59
+# tftest modules=18 resources=61
```
diff --git a/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/README.md b/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/README.md
index 1919c657..b568bd8e 100644
--- a/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/README.md
+++ b/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/README.md
@@ -79,5 +79,5 @@ module "test" {
onprem_project_id = "my-onprem-project"
hostname = "test.myorg.org"
}
-# tftest modules=14 resources=73
+# tftest modules=14 resources=77
```
diff --git a/blueprints/cloud-operations/adfs/README.md b/blueprints/cloud-operations/adfs/README.md
index b1efb7b7..914382ca 100644
--- a/blueprints/cloud-operations/adfs/README.md
+++ b/blueprints/cloud-operations/adfs/README.md
@@ -89,5 +89,5 @@ module "test" {
ad_dns_domain_name = "example.com"
adfs_dns_domain_name = "adfs.example.com"
}
-# tftest modules=5 resources=18
+# tftest modules=5 resources=20
```
diff --git a/blueprints/cloud-operations/asset-inventory-feed-remediation/README.md b/blueprints/cloud-operations/asset-inventory-feed-remediation/README.md
index 1025a6be..5e192194 100644
--- a/blueprints/cloud-operations/asset-inventory-feed-remediation/README.md
+++ b/blueprints/cloud-operations/asset-inventory-feed-remediation/README.md
@@ -82,5 +82,5 @@ module "test" {
project_id = "project-1"
}
-# tftest modules=7 resources=21
+# tftest modules=7 resources=23
```
diff --git a/blueprints/cloud-operations/dns-fine-grained-iam/README.md b/blueprints/cloud-operations/dns-fine-grained-iam/README.md
index 8fe402f2..6379495d 100644
--- a/blueprints/cloud-operations/dns-fine-grained-iam/README.md
+++ b/blueprints/cloud-operations/dns-fine-grained-iam/README.md
@@ -128,5 +128,5 @@ module "test1" {
project_create = true
project_id = "test"
}
-# tftest modules=9 resources=25
+# tftest modules=9 resources=27
```
diff --git a/blueprints/cloud-operations/dns-shared-vpc/README.md b/blueprints/cloud-operations/dns-shared-vpc/README.md
index 6d6e627b..ed64d1de 100644
--- a/blueprints/cloud-operations/dns-shared-vpc/README.md
+++ b/blueprints/cloud-operations/dns-shared-vpc/README.md
@@ -51,5 +51,5 @@ module "test" {
shared_vpc_link = "https://www.googleapis.com/compute/v1/projects/test-dns/global/networks/default"
teams = ["team1", "team2"]
}
-# tftest modules=9 resources=12
+# tftest modules=9 resources=16
```
diff --git a/blueprints/cloud-operations/packer-image-builder/README.md b/blueprints/cloud-operations/packer-image-builder/README.md
index a72cb738..8d542c33 100644
--- a/blueprints/cloud-operations/packer-image-builder/README.md
+++ b/blueprints/cloud-operations/packer-image-builder/README.md
@@ -115,5 +115,5 @@ module "test" {
packer_account_users = ["user:john@example.com"]
create_packer_vars = true
}
-# tftest modules=7 resources=17 files=pkrvars
+# tftest modules=7 resources=19 files=pkrvars
```
diff --git a/blueprints/cloud-operations/unmanaged-instances-healthcheck/README.md b/blueprints/cloud-operations/unmanaged-instances-healthcheck/README.md
index 29721ac1..067ebb10 100644
--- a/blueprints/cloud-operations/unmanaged-instances-healthcheck/README.md
+++ b/blueprints/cloud-operations/unmanaged-instances-healthcheck/README.md
@@ -128,5 +128,5 @@ module "test" {
billing_account = "123456-123456-123456"
project_create = true
}
-# tftest modules=11 resources=35
+# tftest modules=11 resources=37
```
diff --git a/blueprints/cloud-operations/vm-migration/single-project/README.md b/blueprints/cloud-operations/vm-migration/single-project/README.md
index 0817a639..bc51953d 100644
--- a/blueprints/cloud-operations/vm-migration/single-project/README.md
+++ b/blueprints/cloud-operations/vm-migration/single-project/README.md
@@ -52,5 +52,5 @@ module "test" {
migration_admin_users = ["user:admin@example.com"]
migration_viewer_users = ["user:viewer@example.com"]
}
-# tftest modules=5 resources=20
+# tftest modules=5 resources=22
```
diff --git a/blueprints/data-solutions/bq-ml/README.md b/blueprints/data-solutions/bq-ml/README.md
index 385ec529..4211b6f0 100644
--- a/blueprints/data-solutions/bq-ml/README.md
+++ b/blueprints/data-solutions/bq-ml/README.md
@@ -98,5 +98,5 @@ module "test" {
prefix = "prefix"
}
-# tftest modules=9 resources=48
+# tftest modules=9 resources=50
```
diff --git a/blueprints/data-solutions/cloudsql-multiregion/README.md b/blueprints/data-solutions/cloudsql-multiregion/README.md
index 13b5be8a..1216c0aa 100644
--- a/blueprints/data-solutions/cloudsql-multiregion/README.md
+++ b/blueprints/data-solutions/cloudsql-multiregion/README.md
@@ -180,5 +180,5 @@ module "test" {
}
prefix = "prefix"
}
-# tftest modules=10 resources=50
+# tftest modules=10 resources=52
```
diff --git a/blueprints/data-solutions/cmek-via-centralized-kms/README.md b/blueprints/data-solutions/cmek-via-centralized-kms/README.md
index ab80d5ff..74d98e3a 100644
--- a/blueprints/data-solutions/cmek-via-centralized-kms/README.md
+++ b/blueprints/data-solutions/cmek-via-centralized-kms/README.md
@@ -66,5 +66,5 @@ module "test" {
}
prefix = "prefix"
}
-# tftest modules=8 resources=27
+# tftest modules=8 resources=29
```
diff --git a/blueprints/data-solutions/composer-2/README.md b/blueprints/data-solutions/composer-2/README.md
index ab4f65d9..3f665dbd 100644
--- a/blueprints/data-solutions/composer-2/README.md
+++ b/blueprints/data-solutions/composer-2/README.md
@@ -125,5 +125,5 @@ module "test" {
}
prefix = "prefix"
}
-# tftest modules=5 resources=26
+# tftest modules=5 resources=28
```
diff --git a/blueprints/data-solutions/data-platform-foundations/README.md b/blueprints/data-solutions/data-platform-foundations/README.md
index 8bb9c2ca..15c22ded 100644
--- a/blueprints/data-solutions/data-platform-foundations/README.md
+++ b/blueprints/data-solutions/data-platform-foundations/README.md
@@ -226,7 +226,7 @@ module "data-platform" {
prefix = "myprefix"
}
-# tftest modules=43 resources=279
+# tftest modules=43 resources=285
```
## Customizations
@@ -307,5 +307,5 @@ module "test" {
}
prefix = "prefix"
}
-# tftest modules=43 resources=279
+# tftest modules=43 resources=285
```
diff --git a/blueprints/data-solutions/data-platform-minimal/README.md b/blueprints/data-solutions/data-platform-minimal/README.md
index f4689113..e5edf514 100644
--- a/blueprints/data-solutions/data-platform-minimal/README.md
+++ b/blueprints/data-solutions/data-platform-minimal/README.md
@@ -203,7 +203,7 @@ module "data-platform" {
prefix = "myprefix"
}
-# tftest modules=21 resources=110
+# tftest modules=21 resources=112
```
## Customizations
diff --git a/blueprints/data-solutions/data-playground/README.md b/blueprints/data-solutions/data-playground/README.md
index 5f534aa2..c3693ee2 100644
--- a/blueprints/data-solutions/data-playground/README.md
+++ b/blueprints/data-solutions/data-playground/README.md
@@ -86,5 +86,5 @@ module "test" {
parent = "folders/467898377"
}
}
-# tftest modules=8 resources=41
+# tftest modules=8 resources=43
```
diff --git a/blueprints/data-solutions/gcs-to-bq-with-least-privileges/README.md b/blueprints/data-solutions/gcs-to-bq-with-least-privileges/README.md
index 041c946b..21c342e0 100644
--- a/blueprints/data-solutions/gcs-to-bq-with-least-privileges/README.md
+++ b/blueprints/data-solutions/gcs-to-bq-with-least-privileges/README.md
@@ -228,5 +228,5 @@ module "test" {
project_id = "project-1"
prefix = "prefix"
}
-# tftest modules=12 resources=47
+# tftest modules=12 resources=49
```
diff --git a/blueprints/data-solutions/sqlserver-alwayson/README.md b/blueprints/data-solutions/sqlserver-alwayson/README.md
index 695c8f0b..85ab8385 100644
--- a/blueprints/data-solutions/sqlserver-alwayson/README.md
+++ b/blueprints/data-solutions/sqlserver-alwayson/README.md
@@ -87,5 +87,5 @@ module "test" {
ad_domain_fqdn = "ad.example.com"
ad_domain_netbios = "ad"
}
-# tftest modules=12 resources=38
+# tftest modules=12 resources=40
```
diff --git a/blueprints/data-solutions/vertex-mlops/README.md b/blueprints/data-solutions/vertex-mlops/README.md
index ef6b98f6..974ec335 100644
--- a/blueprints/data-solutions/vertex-mlops/README.md
+++ b/blueprints/data-solutions/vertex-mlops/README.md
@@ -72,7 +72,7 @@ module "test" {
project_id = "test-dev"
}
}
-# tftest modules=11 resources=60
+# tftest modules=11 resources=62
```
@@ -127,5 +127,5 @@ module "test" {
project_id = "test-dev"
}
}
-# tftest modules=13 resources=65
+# tftest modules=13 resources=67
```
diff --git a/blueprints/gke/autopilot/README.md b/blueprints/gke/autopilot/README.md
index aa67956f..b31b0879 100644
--- a/blueprints/gke/autopilot/README.md
+++ b/blueprints/gke/autopilot/README.md
@@ -91,5 +91,5 @@ module "test" {
}
project_id = "my-project"
}
-# tftest modules=11 resources=34
-```
\ No newline at end of file
+# tftest modules=11 resources=36
+```
diff --git a/blueprints/gke/binauthz/README.md b/blueprints/gke/binauthz/README.md
index 09eac687..740982e6 100644
--- a/blueprints/gke/binauthz/README.md
+++ b/blueprints/gke/binauthz/README.md
@@ -138,5 +138,5 @@ module "test" {
}
project_id = "my-project"
}
-# tftest modules=14 resources=47
+# tftest modules=14 resources=49
```
diff --git a/blueprints/gke/multi-cluster-mesh-gke-fleet-api/README.md b/blueprints/gke/multi-cluster-mesh-gke-fleet-api/README.md
index 8237f92c..4efbaf4f 100644
--- a/blueprints/gke/multi-cluster-mesh-gke-fleet-api/README.md
+++ b/blueprints/gke/multi-cluster-mesh-gke-fleet-api/README.md
@@ -103,5 +103,5 @@ module "test" {
mgmt_subnet_cidr_block = "10.0.0.0/24"
istio_version = "1.14.1-asm.3"
}
-# tftest modules=13 resources=57
+# tftest modules=13 resources=59
```
diff --git a/blueprints/networking/decentralized-firewall/README.md b/blueprints/networking/decentralized-firewall/README.md
index 334fd0f2..2fd89640 100644
--- a/blueprints/networking/decentralized-firewall/README.md
+++ b/blueprints/networking/decentralized-firewall/README.md
@@ -51,5 +51,5 @@ module "test" {
root_node = "organizations/0123456789"
}
-# tftest modules=9 resources=50
+# tftest modules=9 resources=54
```
diff --git a/blueprints/networking/filtering-proxy-psc/README.md b/blueprints/networking/filtering-proxy-psc/README.md
index 66a22caa..dd9f0585 100644
--- a/blueprints/networking/filtering-proxy-psc/README.md
+++ b/blueprints/networking/filtering-proxy-psc/README.md
@@ -40,5 +40,5 @@ module "test" {
}
project_id = "test-project"
}
-# tftest modules=13 resources=37
+# tftest modules=13 resources=41
```
diff --git a/blueprints/networking/filtering-proxy/README.md b/blueprints/networking/filtering-proxy/README.md
index 6aab12b2..70dcf6df 100644
--- a/blueprints/networking/filtering-proxy/README.md
+++ b/blueprints/networking/filtering-proxy/README.md
@@ -47,7 +47,7 @@ module "test1" {
prefix = "fabric"
root_node = "folders/123456789"
}
-# tftest modules=14 resources=36
+# tftest modules=14 resources=38
```
```hcl
@@ -58,5 +58,5 @@ module "test2" {
prefix = "fabric"
root_node = "folders/123456789"
}
-# tftest modules=12 resources=30
+# tftest modules=12 resources=32
```
diff --git a/blueprints/networking/glb-and-armor/README.md b/blueprints/networking/glb-and-armor/README.md
index 25b9e96f..3e466131 100644
--- a/blueprints/networking/glb-and-armor/README.md
+++ b/blueprints/networking/glb-and-armor/README.md
@@ -151,5 +151,5 @@ module "test" {
project_id = "project-1"
enforce_security_policy = true
}
-# tftest modules=12 resources=26
+# tftest modules=12 resources=28
```
diff --git a/blueprints/networking/glb-hybrid-neg-internal/README.md b/blueprints/networking/glb-hybrid-neg-internal/README.md
index b6bd3d78..253dc4c4 100644
--- a/blueprints/networking/glb-hybrid-neg-internal/README.md
+++ b/blueprints/networking/glb-hybrid-neg-internal/README.md
@@ -96,5 +96,5 @@ module "test" {
}
}
-# tftest modules=21 resources=64
+# tftest modules=21 resources=70
```
diff --git a/blueprints/networking/hub-and-spoke-peering/README.md b/blueprints/networking/hub-and-spoke-peering/README.md
index b9582832..09b5dc5d 100644
--- a/blueprints/networking/hub-and-spoke-peering/README.md
+++ b/blueprints/networking/hub-and-spoke-peering/README.md
@@ -115,5 +115,5 @@ module "test" {
project_id = "project-1"
}
-# tftest modules=22 resources=61
+# tftest modules=22 resources=67
```
diff --git a/blueprints/networking/hub-and-spoke-vpn/README.md b/blueprints/networking/hub-and-spoke-vpn/README.md
index 14beaa13..d0f2d1f0 100644
--- a/blueprints/networking/hub-and-spoke-vpn/README.md
+++ b/blueprints/networking/hub-and-spoke-vpn/README.md
@@ -114,5 +114,5 @@ module "test" {
project_id = "project-1"
}
-# tftest modules=20 resources=73
+# tftest modules=20 resources=79
```
diff --git a/blueprints/networking/ilb-next-hop/README.md b/blueprints/networking/ilb-next-hop/README.md
index b4b5e6e8..1200d9d2 100644
--- a/blueprints/networking/ilb-next-hop/README.md
+++ b/blueprints/networking/ilb-next-hop/README.md
@@ -96,5 +96,5 @@ module "test" {
project_create = true
project_id = "project-1"
}
-# tftest modules=18 resources=42
+# tftest modules=18 resources=46
```
diff --git a/blueprints/networking/private-cloud-function-from-onprem/README.md b/blueprints/networking/private-cloud-function-from-onprem/README.md
index 111e82a4..4951454f 100644
--- a/blueprints/networking/private-cloud-function-from-onprem/README.md
+++ b/blueprints/networking/private-cloud-function-from-onprem/README.md
@@ -45,5 +45,5 @@ module "test" {
}
project_id = "test-project"
}
-# tftest modules=11 resources=40
+# tftest modules=11 resources=44
```
diff --git a/blueprints/networking/shared-vpc-gke/README.md b/blueprints/networking/shared-vpc-gke/README.md
index f413becf..a60dea0c 100644
--- a/blueprints/networking/shared-vpc-gke/README.md
+++ b/blueprints/networking/shared-vpc-gke/README.md
@@ -80,5 +80,5 @@ module "test" {
prefix = "test"
root_node = "organizations/0123456789"
}
-# tftest modules=11 resources=43
+# tftest modules=11 resources=45
```
diff --git a/blueprints/serverless/cloud-run-corporate/README.md b/blueprints/serverless/cloud-run-corporate/README.md
index a91df33b..b31a50ce 100644
--- a/blueprints/serverless/cloud-run-corporate/README.md
+++ b/blueprints/serverless/cloud-run-corporate/README.md
@@ -238,7 +238,7 @@ module "test" {
prj_onprem_id = "onprem-project-id"
}
-# tftest modules=15 resources=46
+# tftest modules=15 resources=50
```
```hcl
@@ -262,7 +262,7 @@ module "test" {
tf_identity = "user@example.org"
}
-# tftest modules=15 resources=32
+# tftest modules=15 resources=36
```
```hcl
@@ -281,5 +281,5 @@ module "test" {
custom_domain = "cloud-run-corporate.example.org"
}
-# tftest modules=14 resources=43
+# tftest modules=14 resources=45
```
diff --git a/fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf b/fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf
index d08a28ad..f3789fb4 100644
--- a/fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf
+++ b/fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf
@@ -38,6 +38,13 @@ module "dev-spoke-vpc-serverless" {
ip_cidr_range = var.serverless_connector_config.dev-primary.ip_cidr_range
region = var.regions.primary
}]
+ # these should be create from the main VPC
+ create_googleapis_routes = {
+ private = false
+ private-6 = false
+ restricted = false
+ restricted-6 = false
+ }
}
module "prod-spoke-vpc-serverless" {
@@ -51,6 +58,13 @@ module "prod-spoke-vpc-serverless" {
ip_cidr_range = var.serverless_connector_config.prod-primary.ip_cidr_range
region = var.regions.primary
}]
+ # these should be create from the main VPC
+ create_googleapis_routes = {
+ private = false
+ private-6 = false
+ restricted = false
+ restricted-6 = false
+ }
}
resource "google_vpc_access_connector" "dev-primary" {
diff --git a/fast/stages/2-networking-a-peering/landing.tf b/fast/stages/2-networking-a-peering/landing.tf
index 37e3adfd..db40b3f1 100644
--- a/fast/stages/2-networking-a-peering/landing.tf
+++ b/fast/stages/2-networking-a-peering/landing.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -51,17 +51,9 @@ module "landing-vpc" {
inbound = true
}
# set explicit routes for googleapis in case the default route is deleted
- routes = {
- private-googleapis = {
- dest_range = "199.36.153.8/30"
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
- restricted-googleapis = {
- dest_range = "199.36.153.4/30"
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
+ create_googleapis_routes = {
+ private = true
+ restricted = true
}
data_folder = "${var.factories_config.data_dir}/subnets/landing"
}
diff --git a/fast/stages/2-networking-a-peering/spoke-dev.tf b/fast/stages/2-networking-a-peering/spoke-dev.tf
index b12d260d..2256926f 100644
--- a/fast/stages/2-networking-a-peering/spoke-dev.tf
+++ b/fast/stages/2-networking-a-peering/spoke-dev.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -53,17 +53,9 @@ module "dev-spoke-vpc" {
data_folder = "${var.factories_config.data_dir}/subnets/dev"
psa_config = try(var.psa_ranges.dev, null)
# set explicit routes for googleapis in case the default route is deleted
- routes = {
- private-googleapis = {
- dest_range = "199.36.153.8/30"
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
- restricted-googleapis = {
- dest_range = "199.36.153.4/30"
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
+ create_googleapis_routes = {
+ private = true
+ restricted = true
}
}
diff --git a/fast/stages/2-networking-a-peering/spoke-prod.tf b/fast/stages/2-networking-a-peering/spoke-prod.tf
index 5130d240..b7e3abcb 100644
--- a/fast/stages/2-networking-a-peering/spoke-prod.tf
+++ b/fast/stages/2-networking-a-peering/spoke-prod.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -52,17 +52,9 @@ module "prod-spoke-vpc" {
data_folder = "${var.factories_config.data_dir}/subnets/prod"
psa_config = try(var.psa_ranges.prod, null)
# set explicit routes for googleapis in case the default route is deleted
- routes = {
- private-googleapis = {
- dest_range = "199.36.153.8/30"
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
- restricted-googleapis = {
- dest_range = "199.36.153.4/30"
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
+ create_googleapis_routes = {
+ private = true
+ restricted = true
}
}
diff --git a/fast/stages/2-networking-b-vpn/landing.tf b/fast/stages/2-networking-b-vpn/landing.tf
index 37e3adfd..db40b3f1 100644
--- a/fast/stages/2-networking-b-vpn/landing.tf
+++ b/fast/stages/2-networking-b-vpn/landing.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -51,17 +51,9 @@ module "landing-vpc" {
inbound = true
}
# set explicit routes for googleapis in case the default route is deleted
- routes = {
- private-googleapis = {
- dest_range = "199.36.153.8/30"
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
- restricted-googleapis = {
- dest_range = "199.36.153.4/30"
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
+ create_googleapis_routes = {
+ private = true
+ restricted = true
}
data_folder = "${var.factories_config.data_dir}/subnets/landing"
}
diff --git a/fast/stages/2-networking-b-vpn/spoke-dev.tf b/fast/stages/2-networking-b-vpn/spoke-dev.tf
index b12d260d..2256926f 100644
--- a/fast/stages/2-networking-b-vpn/spoke-dev.tf
+++ b/fast/stages/2-networking-b-vpn/spoke-dev.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -53,17 +53,9 @@ module "dev-spoke-vpc" {
data_folder = "${var.factories_config.data_dir}/subnets/dev"
psa_config = try(var.psa_ranges.dev, null)
# set explicit routes for googleapis in case the default route is deleted
- routes = {
- private-googleapis = {
- dest_range = "199.36.153.8/30"
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
- restricted-googleapis = {
- dest_range = "199.36.153.4/30"
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
+ create_googleapis_routes = {
+ private = true
+ restricted = true
}
}
diff --git a/fast/stages/2-networking-b-vpn/spoke-prod.tf b/fast/stages/2-networking-b-vpn/spoke-prod.tf
index 5130d240..b7e3abcb 100644
--- a/fast/stages/2-networking-b-vpn/spoke-prod.tf
+++ b/fast/stages/2-networking-b-vpn/spoke-prod.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -52,17 +52,9 @@ module "prod-spoke-vpc" {
data_folder = "${var.factories_config.data_dir}/subnets/prod"
psa_config = try(var.psa_ranges.prod, null)
# set explicit routes for googleapis in case the default route is deleted
- routes = {
- private-googleapis = {
- dest_range = "199.36.153.8/30"
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
- restricted-googleapis = {
- dest_range = "199.36.153.4/30"
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
+ create_googleapis_routes = {
+ private = true
+ restricted = true
}
}
diff --git a/fast/stages/2-networking-c-nva/landing.tf b/fast/stages/2-networking-c-nva/landing.tf
index e66b03db..0dd7d982 100644
--- a/fast/stages/2-networking-c-nva/landing.tf
+++ b/fast/stages/2-networking-c-nva/landing.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -53,6 +53,10 @@ module "landing-untrusted-vpc" {
inbound = false
logging = false
}
+ create_googleapis_routes = {
+ private = false
+ restricted = false
+ }
data_folder = "${var.factories_config.data_dir}/subnets/landing-untrusted"
}
@@ -116,17 +120,9 @@ module "landing-trusted-vpc" {
inbound = true
}
# Set explicit routes for googleapis in case the default route is deleted
- routes = {
- private-googleapis = {
- dest_range = "199.36.153.8/30"
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
- restricted-googleapis = {
- dest_range = "199.36.153.4/30"
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
+ create_googleapis_routes = {
+ private = true
+ restricted = true
}
}
diff --git a/fast/stages/2-networking-c-nva/spoke-dev.tf b/fast/stages/2-networking-c-nva/spoke-dev.tf
index 8e26a732..a90d25aa 100644
--- a/fast/stages/2-networking-c-nva/spoke-dev.tf
+++ b/fast/stages/2-networking-c-nva/spoke-dev.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -53,19 +53,11 @@ module "dev-spoke-vpc" {
delete_default_routes_on_create = true
psa_config = try(var.psa_ranges.dev, null)
# Set explicit routes for googleapis; send everything else to NVAs
+ create_googleapis_routes = {
+ private = true
+ restricted = true
+ }
routes = {
- private-googleapis = {
- dest_range = "199.36.153.8/30"
- priority = 999
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
- restricted-googleapis = {
- dest_range = "199.36.153.4/30"
- priority = 999
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
nva-primary-to-primary = {
dest_range = "0.0.0.0/0"
priority = 1000
diff --git a/fast/stages/2-networking-c-nva/spoke-prod.tf b/fast/stages/2-networking-c-nva/spoke-prod.tf
index 1b2c4e2b..8dd5af44 100644
--- a/fast/stages/2-networking-c-nva/spoke-prod.tf
+++ b/fast/stages/2-networking-c-nva/spoke-prod.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -52,19 +52,11 @@ module "prod-spoke-vpc" {
delete_default_routes_on_create = true
psa_config = try(var.psa_ranges.prod, null)
# Set explicit routes for googleapis; send everything else to NVAs
+ create_googleapis_routes = {
+ private = true
+ restricted = true
+ }
routes = {
- private-googleapis = {
- dest_range = "199.36.153.8/30"
- priority = 999
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
- restricted-googleapis = {
- dest_range = "199.36.153.4/30"
- priority = 999
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
nva-primary-to-primary = {
dest_range = "0.0.0.0/0"
priority = 1000
diff --git a/fast/stages/2-networking-d-separate-envs/spoke-dev.tf b/fast/stages/2-networking-d-separate-envs/spoke-dev.tf
index 7cad8479..fd15e26c 100644
--- a/fast/stages/2-networking-d-separate-envs/spoke-dev.tf
+++ b/fast/stages/2-networking-d-separate-envs/spoke-dev.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -53,17 +53,9 @@ module "dev-spoke-vpc" {
data_folder = "${var.factories_config.data_dir}/subnets/dev"
psa_config = try(var.psa_ranges.dev, null)
# set explicit routes for googleapis in case the default route is deleted
- routes = {
- private-googleapis = {
- dest_range = "199.36.153.8/30"
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
- restricted-googleapis = {
- dest_range = "199.36.153.4/30"
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
+ create_googleapis_routes = {
+ private = true
+ restricted = true
}
}
diff --git a/fast/stages/2-networking-d-separate-envs/spoke-prod.tf b/fast/stages/2-networking-d-separate-envs/spoke-prod.tf
index e529d5f8..c8d8a69c 100644
--- a/fast/stages/2-networking-d-separate-envs/spoke-prod.tf
+++ b/fast/stages/2-networking-d-separate-envs/spoke-prod.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -52,17 +52,9 @@ module "prod-spoke-vpc" {
data_folder = "${var.factories_config.data_dir}/subnets/prod"
psa_config = try(var.psa_ranges.prod, null)
# set explicit routes for googleapis in case the default route is deleted
- routes = {
- private-googleapis = {
- dest_range = "199.36.153.8/30"
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
- restricted-googleapis = {
- dest_range = "199.36.153.4/30"
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
+ create_googleapis_routes = {
+ private = true
+ restricted = true
}
}
diff --git a/fast/stages/2-networking-e-nva-bgp/landing.tf b/fast/stages/2-networking-e-nva-bgp/landing.tf
index 8f0b1959..bbac8c52 100644
--- a/fast/stages/2-networking-e-nva-bgp/landing.tf
+++ b/fast/stages/2-networking-e-nva-bgp/landing.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -54,6 +54,10 @@ module "landing-untrusted-vpc" {
inbound = false
logging = false
}
+ create_googleapis_routes = {
+ private = false
+ restricted = false
+ }
data_folder = "${var.factories_config.data_dir}/subnets/landing-untrusted"
}
@@ -117,17 +121,9 @@ module "landing-trusted-vpc" {
inbound = true
}
# Set explicit routes for googleapis in case the default route is deleted
- routes = {
- private-googleapis = {
- dest_range = "199.36.153.8/30"
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
- restricted-googleapis = {
- dest_range = "199.36.153.4/30"
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
+ create_googleapis_routes = {
+ private = true
+ restricted = true
}
}
diff --git a/fast/stages/2-networking-e-nva-bgp/spoke-dev.tf b/fast/stages/2-networking-e-nva-bgp/spoke-dev.tf
index 967a2746..56568ec9 100644
--- a/fast/stages/2-networking-e-nva-bgp/spoke-dev.tf
+++ b/fast/stages/2-networking-e-nva-bgp/spoke-dev.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -53,19 +53,9 @@ module "dev-spoke-vpc" {
delete_default_routes_on_create = true
psa_config = try(var.psa_ranges.dev, null)
# Set explicit routes for googleapis; send everything else to NVAs
- routes = {
- private-googleapis = {
- dest_range = "199.36.153.8/30"
- priority = 999
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
- restricted-googleapis = {
- dest_range = "199.36.153.4/30"
- priority = 999
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
+ create_googleapis_routes = {
+ private = true
+ restricted = true
}
}
diff --git a/fast/stages/2-networking-e-nva-bgp/spoke-prod.tf b/fast/stages/2-networking-e-nva-bgp/spoke-prod.tf
index 99786081..b6251954 100644
--- a/fast/stages/2-networking-e-nva-bgp/spoke-prod.tf
+++ b/fast/stages/2-networking-e-nva-bgp/spoke-prod.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -52,19 +52,9 @@ module "prod-spoke-vpc" {
delete_default_routes_on_create = true
psa_config = try(var.psa_ranges.prod, null)
# Set explicit routes for googleapis; send everything else to NVAs
- routes = {
- private-googleapis = {
- dest_range = "199.36.153.8/30"
- priority = 999
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
- restricted-googleapis = {
- dest_range = "199.36.153.4/30"
- priority = 999
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
+ create_googleapis_routes = {
+ private = true
+ restricted = true
}
}
diff --git a/modules/cloudsql-instance/README.md b/modules/cloudsql-instance/README.md
index a595fc7e..a8e5d597 100644
--- a/modules/cloudsql-instance/README.md
+++ b/modules/cloudsql-instance/README.md
@@ -39,7 +39,7 @@ module "db" {
database_version = "POSTGRES_13"
tier = "db-g1-small"
}
-# tftest modules=3 resources=9 inventory=simple.yaml
+# tftest modules=3 resources=11 inventory=simple.yaml
```
## Cross-regional read replica
diff --git a/modules/gke-hub/README.md b/modules/gke-hub/README.md
index d9d14c62..a9411949 100644
--- a/modules/gke-hub/README.md
+++ b/modules/gke-hub/README.md
@@ -119,7 +119,7 @@ module "hub" {
}
}
-# tftest modules=4 resources=16 inventory=full.yaml
+# tftest modules=4 resources=18 inventory=full.yaml
```
## Multi-cluster mesh on GKE
@@ -314,7 +314,7 @@ module "hub" {
]
}
-# tftest modules=8 resources=32
+# tftest modules=8 resources=34
```
diff --git a/modules/net-vpc-firewall-policy/README.md b/modules/net-vpc-firewall-policy/README.md
index ec468a77..5392a0b7 100644
--- a/modules/net-vpc-firewall-policy/README.md
+++ b/modules/net-vpc-firewall-policy/README.md
@@ -59,7 +59,7 @@ module "firewall-policy" {
}
}
}
-# tftest modules=2 resources=7
+# tftest modules=2 resources=9
```
diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md
index 2a4416b6..f2810445 100644
--- a/modules/net-vpc/README.md
+++ b/modules/net-vpc/README.md
@@ -17,6 +17,7 @@ This module allows creation and management of VPC networks including subnetworks
- [DNS Policies](#dns-policies)
- [Subnet Factory](#subnet-factory)
- [Custom Routes](#custom-routes)
+ - [Private Google Access routes](#private-google-access-routes)
- [Allow Firewall Policy to be evaluated before Firewall Rules](#allow-firewall-policy-to-be-evaluated-before-firewall-rules)
- [Variables](#variables)
- [Outputs](#outputs)
@@ -45,7 +46,7 @@ module "vpc" {
}
]
}
-# tftest modules=1 resources=3 inventory=simple.yaml
+# tftest modules=1 resources=5 inventory=simple.yaml
```
### Subnet Options
@@ -92,7 +93,7 @@ module "vpc" {
}
]
}
-# tftest modules=1 resources=5 inventory=subnet-options.yaml
+# tftest modules=1 resources=7 inventory=subnet-options.yaml
```
### Subnet IAM
@@ -129,7 +130,7 @@ module "vpc" {
}
}
}
-# tftest modules=1 resources=6 inventory=subnet-iam.yaml
+# tftest modules=1 resources=8 inventory=subnet-iam.yaml
```
### Peering
@@ -164,7 +165,7 @@ module "vpc-spoke-1" {
import_routes = true
}
}
-# tftest modules=2 resources=6 inventory=peering.yaml
+# tftest modules=2 resources=10 inventory=peering.yaml
```
### Shared VPC
@@ -215,7 +216,7 @@ module "vpc-host" {
}
}
}
-# tftest modules=1 resources=7 inventory=shared-vpc.yaml
+# tftest modules=1 resources=9 inventory=shared-vpc.yaml
```
### Private Service Networking
@@ -236,7 +237,7 @@ module "vpc" {
ranges = { myrange = "10.0.1.0/24" }
}
}
-# tftest modules=1 resources=5 inventory=psc.yaml
+# tftest modules=1 resources=7 inventory=psc.yaml
```
### Private Service Networking with peering routes
@@ -261,7 +262,7 @@ module "vpc" {
import_routes = true
}
}
-# tftest modules=1 resources=5 inventory=psc-routes.yaml
+# tftest modules=1 resources=7 inventory=psc-routes.yaml
```
### Subnets for Private Service Connect, Proxy-only subnets
@@ -293,7 +294,7 @@ module "vpc" {
}
]
}
-# tftest modules=1 resources=3 inventory=proxy-only-subnets.yaml
+# tftest modules=1 resources=5 inventory=proxy-only-subnets.yaml
```
### DNS Policies
@@ -318,7 +319,7 @@ module "vpc" {
}
]
}
-# tftest modules=1 resources=3 inventory=dns-policies.yaml
+# tftest modules=1 resources=5 inventory=dns-policies.yaml
```
### Subnet Factory
@@ -332,7 +333,7 @@ module "vpc" {
name = "my-network"
data_folder = "config/subnets"
}
-# tftest modules=1 resources=9 files=subnet-simple,subnet-simple-2,subnet-detailed,subnet-proxy,subnet-psc inventory=factory.yaml
+# tftest modules=1 resources=11 files=subnet-simple,subnet-simple-2,subnet-detailed,subnet-proxy,subnet-psc inventory=factory.yaml
```
```yaml
@@ -400,6 +401,7 @@ locals {
vpn_tunnel = "regions/europe-west1/vpnTunnels/foo"
}
}
+
module "vpc" {
source = "./fabric/modules/net-vpc"
for_each = local.route_types
@@ -420,10 +422,36 @@ module "vpc" {
next_hop = "global/gateways/default-internet-gateway"
}
}
+ create_googleapis_routes = {
+ restricted = false
+ restricted-6 = false
+ private = false
+ private-6 = false
+ }
}
# tftest modules=5 resources=15 inventory=routes.yaml
```
+### Private Google Access routes
+
+By default the VPC module creates IPv4 routes for the [Private Google Access ranges](https://cloud.google.com/vpc/docs/configure-private-google-access#config-routing). This behavior can be controlled through the `create_googleapis_routes` variable:
+
+```hcl
+module "vpc" {
+ source = "./fabric/modules/net-vpc"
+ project_id = "my-project"
+ name = "my-vpc"
+ create_googleapis_routes = {
+ restricted = false
+ restricted-6 = true
+ private = false
+ private-6 = true
+ }
+}
+# tftest modules=1 resources=3 inventory=googleapis.yaml
+```
+
+
### Allow Firewall Policy to be evaluated before Firewall Rules
```hcl
@@ -449,7 +477,7 @@ module "vpc" {
}
]
}
-# tftest modules=1 resources=3 inventory=firewall_policy_enforcement_order.yaml
+# tftest modules=1 resources=5 inventory=firewall_policy_enforcement_order.yaml
```
@@ -457,27 +485,28 @@ module "vpc" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [name](variables.tf#L72) | The name of the network being created. | string
| ✓ | |
-| [project_id](variables.tf#L88) | The ID of the project where this VPC will be created. | string
| ✓ | |
+| [name](variables.tf#L84) | The name of the network being created. | string
| ✓ | |
+| [project_id](variables.tf#L100) | The ID of the project where this VPC will be created. | string
| ✓ | |
| [auto_create_subnetworks](variables.tf#L17) | Set to true to create an auto mode subnet, defaults to custom mode. | bool
| | false
|
-| [data_folder](variables.tf#L23) | An optional folder containing the subnet configurations in YaML format. | string
| | null
|
-| [delete_default_routes_on_create](variables.tf#L29) | Set to true to delete the default routes at creation time. | bool
| | false
|
-| [description](variables.tf#L35) | An optional description of this resource (triggers recreation on change). | string
| | "Terraform-managed."
|
-| [dns_policy](variables.tf#L41) | DNS policy setup for the VPC. | object({…})
| | null
|
-| [firewall_policy_enforcement_order](variables.tf#L54) | Order that Firewall Rules and Firewall Policies are evaluated. Can be either 'BEFORE_CLASSIC_FIREWALL' or 'AFTER_CLASSIC_FIREWALL'. | string
| | "AFTER_CLASSIC_FIREWALL"
|
-| [mtu](variables.tf#L66) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 (the default) and the maximum value is 1500 bytes. | number
| | null
|
-| [peering_config](variables.tf#L77) | VPC peering configuration. | object({…})
| | null
|
-| [psa_config](variables.tf#L93) | The Private Service Access configuration for Service Networking. | object({…})
| | null
|
-| [routes](variables.tf#L103) | Network routes, keyed by name. | map(object({…}))
| | {}
|
-| [routing_mode](variables.tf#L123) | The network routing mode (default 'GLOBAL'). | string
| | "GLOBAL"
|
-| [shared_vpc_host](variables.tf#L133) | Enable shared VPC for this project. | bool
| | false
|
-| [shared_vpc_service_projects](variables.tf#L139) | Shared VPC service projects to register with this host. | list(string)
| | []
|
-| [subnet_iam](variables.tf#L145) | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | map(map(list(string)))
| | {}
|
-| [subnet_iam_additive](variables.tf#L151) | Subnet IAM additive bindings in {REGION/NAME => {ROLE => [MEMBERS]}} format. | map(map(list(string)))
| | {}
|
-| [subnets](variables.tf#L158) | Subnet configuration. | list(object({…}))
| | []
|
-| [subnets_proxy_only](variables.tf#L183) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…}))
| | []
|
-| [subnets_psc](variables.tf#L195) | List of subnets for Private Service Connect service producers. | list(object({…}))
| | []
|
-| [vpc_create](variables.tf#L206) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool
| | true
|
+| [create_googleapis_routes](variables.tf#L23) | Toggle creation of googleapis private/restricted routes. | object({…})
| | {}
|
+| [data_folder](variables.tf#L35) | An optional folder containing the subnet configurations in YaML format. | string
| | null
|
+| [delete_default_routes_on_create](variables.tf#L41) | Set to true to delete the default routes at creation time. | bool
| | false
|
+| [description](variables.tf#L47) | An optional description of this resource (triggers recreation on change). | string
| | "Terraform-managed."
|
+| [dns_policy](variables.tf#L53) | DNS policy setup for the VPC. | object({…})
| | null
|
+| [firewall_policy_enforcement_order](variables.tf#L66) | Order that Firewall Rules and Firewall Policies are evaluated. Can be either 'BEFORE_CLASSIC_FIREWALL' or 'AFTER_CLASSIC_FIREWALL'. | string
| | "AFTER_CLASSIC_FIREWALL"
|
+| [mtu](variables.tf#L78) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 (the default) and the maximum value is 1500 bytes. | number
| | null
|
+| [peering_config](variables.tf#L89) | VPC peering configuration. | object({…})
| | null
|
+| [psa_config](variables.tf#L105) | The Private Service Access configuration for Service Networking. | object({…})
| | null
|
+| [routes](variables.tf#L115) | Network routes, keyed by name. | map(object({…}))
| | {}
|
+| [routing_mode](variables.tf#L135) | The network routing mode (default 'GLOBAL'). | string
| | "GLOBAL"
|
+| [shared_vpc_host](variables.tf#L145) | Enable shared VPC for this project. | bool
| | false
|
+| [shared_vpc_service_projects](variables.tf#L151) | Shared VPC service projects to register with this host. | list(string)
| | []
|
+| [subnet_iam](variables.tf#L157) | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | map(map(list(string)))
| | {}
|
+| [subnet_iam_additive](variables.tf#L163) | Subnet IAM additive bindings in {REGION/NAME => {ROLE => [MEMBERS]}} format. | map(map(list(string)))
| | {}
|
+| [subnets](variables.tf#L170) | Subnet configuration. | list(object({…}))
| | []
|
+| [subnets_proxy_only](variables.tf#L195) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…}))
| | []
|
+| [subnets_psc](variables.tf#L207) | List of subnets for Private Service Connect service producers. | list(object({…}))
| | []
|
+| [vpc_create](variables.tf#L218) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool
| | true
|
## Outputs
diff --git a/modules/net-vpc/routes.tf b/modules/net-vpc/routes.tf
index 5981b696..493b248b 100644
--- a/modules/net-vpc/routes.tf
+++ b/modules/net-vpc/routes.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -17,7 +17,23 @@
# tfdoc:file:description Route resources.
locals {
- _routes = var.routes == null ? {} : var.routes
+ _googleapis_ranges = {
+ private = "199.36.153.8/30"
+ private-6 = "2600:2d00:0002:2000::/64"
+ restricted = "199.36.153.4/30"
+ restricted-6 = "2600:2d00:0002:1000::/64"
+ }
+ _googleapis_routes = {
+ for k, v in local._googleapis_ranges : "${k}-googleapis" => {
+ dest_range = v
+ next_hop = "default-internet-gateway"
+ next_hop_type = "gateway"
+ priority = 1000
+ tags = null
+ }
+ if var.create_googleapis_routes[k]
+ }
+ _routes = merge(local._googleapis_routes, coalesce(var.routes, {}))
routes = {
gateway = { for k, v in local._routes : k => v if v.next_hop_type == "gateway" }
ilb = { for k, v in local._routes : k => v if v.next_hop_type == "ilb" }
diff --git a/modules/net-vpc/variables.tf b/modules/net-vpc/variables.tf
index 8f0f3ab4..2cb1cdbf 100644
--- a/modules/net-vpc/variables.tf
+++ b/modules/net-vpc/variables.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -20,6 +20,18 @@ variable "auto_create_subnetworks" {
default = false
}
+variable "create_googleapis_routes" {
+ description = "Toggle creation of googleapis private/restricted routes."
+ type = object({
+ private = optional(bool, true)
+ private-6 = optional(bool, false)
+ restricted = optional(bool, true)
+ restricted-6 = optional(bool, false)
+ })
+ default = {}
+ nullable = false
+}
+
variable "data_folder" {
description = "An optional folder containing the subnet configurations in YaML format."
type = string
diff --git a/tests/modules/net_vpc/examples/dns-policies.yaml b/tests/modules/net_vpc/examples/dns-policies.yaml
index a30d6408..3999e91f 100644
--- a/tests/modules/net_vpc/examples/dns-policies.yaml
+++ b/tests/modules/net_vpc/examples/dns-policies.yaml
@@ -36,7 +36,3 @@ counts:
google_compute_network: 1
google_compute_subnetwork: 1
google_dns_policy: 1
- modules: 1
- resources: 3
-
-outputs: {}
diff --git a/tests/modules/net_vpc/examples/googleapis.yaml b/tests/modules/net_vpc/examples/googleapis.yaml
new file mode 100644
index 00000000..6248db51
--- /dev/null
+++ b/tests/modules/net_vpc/examples/googleapis.yaml
@@ -0,0 +1,39 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.vpc.google_compute_route.gateway["private-6-googleapis"]:
+ dest_range: 2600:2d00:0002:2000::/64
+ name: my-vpc-private-6-googleapis
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 1000
+ project: my-project
+ tags: null
+ module.vpc.google_compute_route.gateway["restricted-6-googleapis"]:
+ dest_range: 2600:2d00:0002:1000::/64
+ name: my-vpc-restricted-6-googleapis
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 1000
+ project: my-project
+ tags: null
+
+counts:
+ google_compute_network: 1
+ google_compute_route: 2
diff --git a/tests/modules/net_vpc/examples/simple.yaml b/tests/modules/net_vpc/examples/simple.yaml
index 799852c0..2a5b1ee2 100644
--- a/tests/modules/net_vpc/examples/simple.yaml
+++ b/tests/modules/net_vpc/examples/simple.yaml
@@ -44,7 +44,31 @@ values:
region: europe-west2
role: null
secondary_ip_range: []
+ module.vpc.google_compute_route.gateway["private-googleapis"]:
+ dest_range: 199.36.153.8/30
+ name: my-network-private-googleapis
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 1000
+ project: my-project
+ tags: null
+ timeouts: null
+ module.vpc.google_compute_route.gateway["restricted-googleapis"]:
+ description: Terraform-managed.
+ dest_range: 199.36.153.4/30
+ name: my-network-restricted-googleapis
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 1000
+ project: my-project
+ tags: null
+ timeouts: null
counts:
google_compute_network: 1
google_compute_subnetwork: 2
+ google_compute_route: 2
diff --git a/tests/modules/net_vpc/examples/subnet-iam.yaml b/tests/modules/net_vpc/examples/subnet-iam.yaml
index ce853c71..8aa5bed8 100644
--- a/tests/modules/net_vpc/examples/subnet-iam.yaml
+++ b/tests/modules/net_vpc/examples/subnet-iam.yaml
@@ -54,5 +54,4 @@ counts:
google_compute_subnetwork: 2
google_compute_subnetwork_iam_binding: 1
google_compute_subnetwork_iam_member: 2
-
-outputs: {}
+ google_compute_route: 2