From 7a91a7e41c020549869aafd29c5496498428a9de Mon Sep 17 00:00:00 2001 From: Julio Castillo Date: Fri, 26 May 2023 10:50:00 +0200 Subject: [PATCH 1/7] Add default googleapi route creation to net-vpc --- fast/stages/2-networking-a-peering/landing.tf | 16 ++----- .../2-networking-a-peering/spoke-dev.tf | 16 ++----- .../2-networking-a-peering/spoke-prod.tf | 16 ++----- fast/stages/2-networking-b-vpn/landing.tf | 16 ++----- fast/stages/2-networking-b-vpn/spoke-dev.tf | 16 ++----- fast/stages/2-networking-b-vpn/spoke-prod.tf | 16 ++----- fast/stages/2-networking-c-nva/landing.tf | 16 ++----- fast/stages/2-networking-c-nva/spoke-dev.tf | 18 +++----- fast/stages/2-networking-c-nva/spoke-prod.tf | 18 +++----- .../2-networking-d-separate-envs/spoke-dev.tf | 16 ++----- .../spoke-prod.tf | 16 ++----- fast/stages/2-networking-e-nva-bgp/landing.tf | 16 ++----- .../2-networking-e-nva-bgp/spoke-dev.tf | 18 ++------ .../2-networking-e-nva-bgp/spoke-prod.tf | 18 ++------ modules/net-vpc/README.md | 41 +++++++++--------- modules/net-vpc/routes.tf | 42 ++++++++++++++++++- modules/net-vpc/variables.tf | 14 ++++++- 17 files changed, 133 insertions(+), 196 deletions(-) diff --git a/fast/stages/2-networking-a-peering/landing.tf b/fast/stages/2-networking-a-peering/landing.tf index 37e3adfd..995a652a 100644 --- a/fast/stages/2-networking-a-peering/landing.tf +++ b/fast/stages/2-networking-a-peering/landing.tf @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2023 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -51,17 +51,9 @@ module "landing-vpc" {
inbound = true
}
# set explicit routes for googleapis in case the default route is deleted
- routes = {
- private-googleapis = {
- dest_range = "199.36.153.8/30"
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
- restricted-googleapis = {
- dest_range = "199.36.153.4/30"
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
+ create_default_routes = {
+ private = true
+ restricted = true
}
data_folder = "${var.factories_config.data_dir}/subnets/landing"
}
diff --git a/fast/stages/2-networking-a-peering/spoke-dev.tf b/fast/stages/2-networking-a-peering/spoke-dev.tf
index b12d260d..0c51b12e 100644
--- a/fast/stages/2-networking-a-peering/spoke-dev.tf
+++ b/fast/stages/2-networking-a-peering/spoke-dev.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -53,17 +53,9 @@ module "dev-spoke-vpc" {
data_folder = "${var.factories_config.data_dir}/subnets/dev"
psa_config = try(var.psa_ranges.dev, null)
# set explicit routes for googleapis in case the default route is deleted
- routes = {
- private-googleapis = {
- dest_range = "199.36.153.8/30"
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
- restricted-googleapis = {
- dest_range = "199.36.153.4/30"
- next_hop_type = "gateway"
- next_hop = "default-internet-gateway"
- }
+ create_default_routes = {
+ private = true
+ restricted = true
}
}
diff --git a/fast/stages/2-networking-a-peering/spoke-prod.tf b/fast/stages/2-networking-a-peering/spoke-prod.tf
index 5130d240..42986ab8 100644
--- a/fast/stages/2-networking-a-peering/spoke-prod.tf
+++ b/fast/stages/2-networking-a-peering/spoke-prod.tf
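Review bot: `create_default_routes = { private = true restricted = true }` repeats the defaults introduced for that variable in `modules/net-vpc/variables.tf` (`private` and `restricted` both default to `true`), so the stage would receive the same two routes with the block omitted; keeping it to make intent explicit is reasonable, but the retained comment `# set explicit routes for googleapis in case the default route is deleted` now describes something the stage no longer does itself. Suggest `# keep the module-managed googleapis routes (private + restricted) so API access survives deletion of the default route`. The enclosing `module "landing-vpc"` block starts outside the hunk. The same comment and block appear in the spoke-dev and spoke-prod hunks of 2-networking-a-peering and in the landing/spoke hunks of 2-networking-b-vpn, 2-networking-c-nva, 2-networking-d-separate-envs and 2-networking-e-nva-bgp.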
@@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2023 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -52,17 +52,9 @@ module "prod-spoke-vpc" { data_folder = "${var.factories_config.data_dir}/subnets/prod" psa_config = try(var.psa_ranges.prod, null) # set explicit routes for googleapis in case the default route is deleted - routes = { - private-googleapis = { - dest_range = "199.36.153.8/30" - next_hop_type = "gateway" - next_hop = "default-internet-gateway" - } - restricted-googleapis = { - dest_range = "199.36.153.4/30" - next_hop_type = "gateway" - next_hop = "default-internet-gateway" - } + create_default_routes = { + private = true + restricted = true } } diff --git a/fast/stages/2-networking-b-vpn/landing.tf b/fast/stages/2-networking-b-vpn/landing.tf index 37e3adfd..995a652a 100644 --- a/fast/stages/2-networking-b-vpn/landing.tf +++ b/fast/stages/2-networking-b-vpn/landing.tf @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2023 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -51,17 +51,9 @@ module "landing-vpc" { inbound = true } # set explicit routes for googleapis in case the default route is deleted - routes = { - private-googleapis = { - dest_range = "199.36.153.8/30" - next_hop_type = "gateway" - next_hop = "default-internet-gateway" - } - restricted-googleapis = { - dest_range = "199.36.153.4/30" - next_hop_type = "gateway" - next_hop = "default-internet-gateway" - } + create_default_routes = { + private = true + restricted = true } data_folder = "${var.factories_config.data_dir}/subnets/landing" } diff --git a/fast/stages/2-networking-b-vpn/spoke-dev.tf b/fast/stages/2-networking-b-vpn/spoke-dev.tf index b12d260d..0c51b12e 100644 --- a/fast/stages/2-networking-b-vpn/spoke-dev.tf 
+++ b/fast/stages/2-networking-b-vpn/spoke-dev.tf @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2023 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -53,17 +53,9 @@ module "dev-spoke-vpc" { data_folder = "${var.factories_config.data_dir}/subnets/dev" psa_config = try(var.psa_ranges.dev, null) # set explicit routes for googleapis in case the default route is deleted - routes = { - private-googleapis = { - dest_range = "199.36.153.8/30" - next_hop_type = "gateway" - next_hop = "default-internet-gateway" - } - restricted-googleapis = { - dest_range = "199.36.153.4/30" - next_hop_type = "gateway" - next_hop = "default-internet-gateway" - } + create_default_routes = { + private = true + restricted = true } } diff --git a/fast/stages/2-networking-b-vpn/spoke-prod.tf b/fast/stages/2-networking-b-vpn/spoke-prod.tf index 5130d240..42986ab8 100644 --- a/fast/stages/2-networking-b-vpn/spoke-prod.tf +++ b/fast/stages/2-networking-b-vpn/spoke-prod.tf @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2023 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -52,17 +52,9 @@ module "prod-spoke-vpc" { data_folder = "${var.factories_config.data_dir}/subnets/prod" psa_config = try(var.psa_ranges.prod, null) # set explicit routes for googleapis in case the default route is deleted - routes = { - private-googleapis = { - dest_range = "199.36.153.8/30" - next_hop_type = "gateway" - next_hop = "default-internet-gateway" - } - restricted-googleapis = { - dest_range = "199.36.153.4/30" - next_hop_type = "gateway" - next_hop = "default-internet-gateway" - } + create_default_routes = { + private = true + restricted = true } } diff --git a/fast/stages/2-networking-c-nva/landing.tf b/fast/stages/2-networking-c-nva/landing.tf index e66b03db..855f882b 100644 
--- a/fast/stages/2-networking-c-nva/landing.tf +++ b/fast/stages/2-networking-c-nva/landing.tf @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2023 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -116,17 +116,9 @@ module "landing-trusted-vpc" { inbound = true } # Set explicit routes for googleapis in case the default route is deleted - routes = { - private-googleapis = { - dest_range = "199.36.153.8/30" - next_hop_type = "gateway" - next_hop = "default-internet-gateway" - } - restricted-googleapis = { - dest_range = "199.36.153.4/30" - next_hop_type = "gateway" - next_hop = "default-internet-gateway" - } + create_default_routes = { + private = true + restricted = true } } diff --git a/fast/stages/2-networking-c-nva/spoke-dev.tf b/fast/stages/2-networking-c-nva/spoke-dev.tf index 8e26a732..5af5ed5a 100644 --- a/fast/stages/2-networking-c-nva/spoke-dev.tf +++ b/fast/stages/2-networking-c-nva/spoke-dev.tf @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2023 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -53,19 +53,11 @@ module "dev-spoke-vpc" { delete_default_routes_on_create = true psa_config = try(var.psa_ranges.dev, null) # Set explicit routes for googleapis; send everything else to NVAs + create_default_routes = { + private = true + restricted = true + } routes = { - private-googleapis = { - dest_range = "199.36.153.8/30" - priority = 999 - next_hop_type = "gateway" - next_hop = "default-internet-gateway" - } - restricted-googleapis = { - dest_range = "199.36.153.4/30" - priority = 999 - next_hop_type = "gateway" - next_hop = "default-internet-gateway" - } nva-primary-to-primary = { dest_range = "0.0.0.0/0" priority = 1000 
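Review bot: The removed googleapis routes pinned `priority = 999` below the `priority = 1000` NVA default route that follows, and the module-managed replacements no longer carry that value (PATCH 2/7 fixes them at 1000), so the only thing keeping googleapis traffic away from the NVAs is that `199.36.153.8/30` and `199.36.153.4/30` are more specific than `0.0.0.0/0`. Longest-prefix matching should still select them regardless of priority, but the comment `# Set explicit routes for googleapis; send everything else to NVAs` no longer says why; suggest `# googleapis routes are module-managed (create_default_routes); their /30 prefixes win over the 0.0.0.0/0 NVA routes below by longest-prefix match`. If the provider treats the priority change as a replacement, the apply will briefly drop and recreate these routes, which is worth confirming in the plan. The `routes = {` block and the enclosing module continue outside the hunk; the same applies to the spoke-prod hunk of 2-networking-c-nva and to both spoke hunks of 2-networking-e-nva-bgp.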
diff --git a/fast/stages/2-networking-c-nva/spoke-prod.tf b/fast/stages/2-networking-c-nva/spoke-prod.tf index 1b2c4e2b..de829b31 100644 --- a/fast/stages/2-networking-c-nva/spoke-prod.tf +++ b/fast/stages/2-networking-c-nva/spoke-prod.tf @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2023 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -52,19 +52,11 @@ module "prod-spoke-vpc" { delete_default_routes_on_create = true psa_config = try(var.psa_ranges.prod, null) # Set explicit routes for googleapis; send everything else to NVAs + create_default_routes = { + private = true + restricted = true + } routes = { - private-googleapis = { - dest_range = "199.36.153.8/30" - priority = 999 - next_hop_type = "gateway" - next_hop = "default-internet-gateway" - } - restricted-googleapis = { - dest_range = "199.36.153.4/30" - priority = 999 - next_hop_type = "gateway" - next_hop = "default-internet-gateway" - } nva-primary-to-primary = { dest_range = "0.0.0.0/0" priority = 1000 diff --git a/fast/stages/2-networking-d-separate-envs/spoke-dev.tf b/fast/stages/2-networking-d-separate-envs/spoke-dev.tf index 7cad8479..3c1c8c2c 100644 --- a/fast/stages/2-networking-d-separate-envs/spoke-dev.tf +++ b/fast/stages/2-networking-d-separate-envs/spoke-dev.tf @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2023 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -53,17 +53,9 @@ module "dev-spoke-vpc" { data_folder = "${var.factories_config.data_dir}/subnets/dev" psa_config = try(var.psa_ranges.dev, null) # set explicit routes for googleapis in case the default route is deleted - routes = { - private-googleapis = { - dest_range = "199.36.153.8/30" - next_hop_type = "gateway" - next_hop = "default-internet-gateway" - } - restricted-googleapis = { - dest_range = "199.36.153.4/30" - next_hop_type = "gateway" - next_hop = "default-internet-gateway" - } + create_default_routes = { + private = true + restricted = true } } diff --git a/fast/stages/2-networking-d-separate-envs/spoke-prod.tf b/fast/stages/2-networking-d-separate-envs/spoke-prod.tf index e529d5f8..8a91bb42 100644 --- a/fast/stages/2-networking-d-separate-envs/spoke-prod.tf +++ b/fast/stages/2-networking-d-separate-envs/spoke-prod.tf @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2023 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -52,17 +52,9 @@ module "prod-spoke-vpc" { data_folder = "${var.factories_config.data_dir}/subnets/prod" psa_config = try(var.psa_ranges.prod, null) # set explicit routes for googleapis in case the default route is deleted - routes = { - private-googleapis = { - dest_range = "199.36.153.8/30" - next_hop_type = "gateway" - next_hop = "default-internet-gateway" - } - restricted-googleapis = { - dest_range = "199.36.153.4/30" - next_hop_type = "gateway" - next_hop = "default-internet-gateway" - } + create_default_routes = { + private = true + restricted = true } } diff --git a/fast/stages/2-networking-e-nva-bgp/landing.tf b/fast/stages/2-networking-e-nva-bgp/landing.tf index 8f0b1959..9d4938c3 100644 --- a/fast/stages/2-networking-e-nva-bgp/landing.tf +++ b/fast/stages/2-networking-e-nva-bgp/landing.tf 
@@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2023 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -117,17 +117,9 @@ module "landing-trusted-vpc" { inbound = true } # Set explicit routes for googleapis in case the default route is deleted - routes = { - private-googleapis = { - dest_range = "199.36.153.8/30" - next_hop_type = "gateway" - next_hop = "default-internet-gateway" - } - restricted-googleapis = { - dest_range = "199.36.153.4/30" - next_hop_type = "gateway" - next_hop = "default-internet-gateway" - } + create_default_routes = { + private = true + restricted = true } } diff --git a/fast/stages/2-networking-e-nva-bgp/spoke-dev.tf b/fast/stages/2-networking-e-nva-bgp/spoke-dev.tf index 967a2746..4b8c3316 100644 --- a/fast/stages/2-networking-e-nva-bgp/spoke-dev.tf +++ b/fast/stages/2-networking-e-nva-bgp/spoke-dev.tf @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2023 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -53,19 +53,9 @@ module "dev-spoke-vpc" { delete_default_routes_on_create = true psa_config = try(var.psa_ranges.dev, null) # Set explicit routes for googleapis; send everything else to NVAs - routes = { - private-googleapis = { - dest_range = "199.36.153.8/30" - priority = 999 - next_hop_type = "gateway" - next_hop = "default-internet-gateway" - } - restricted-googleapis = { - dest_range = "199.36.153.4/30" - priority = 999 - next_hop_type = "gateway" - next_hop = "default-internet-gateway" - } + create_default_routes = { + private = true + restricted = true } } diff --git a/fast/stages/2-networking-e-nva-bgp/spoke-prod.tf b/fast/stages/2-networking-e-nva-bgp/spoke-prod.tf index 99786081..890855f1 100644 --- a/fast/stages/2-networking-e-nva-bgp/spoke-prod.tf +++ b/fast/stages/2-networking-e-nva-bgp/spoke-prod.tf 
@@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2023 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -52,19 +52,9 @@ module "prod-spoke-vpc" { delete_default_routes_on_create = true psa_config = try(var.psa_ranges.prod, null) # Set explicit routes for googleapis; send everything else to NVAs - routes = { - private-googleapis = { - dest_range = "199.36.153.8/30" - priority = 999 - next_hop_type = "gateway" - next_hop = "default-internet-gateway" - } - restricted-googleapis = { - dest_range = "199.36.153.4/30" - priority = 999 - next_hop_type = "gateway" - next_hop = "default-internet-gateway" - } + create_default_routes = { + private = true + restricted = true } } diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md index 2a4416b6..124df134 100644 --- a/modules/net-vpc/README.md +++ b/modules/net-vpc/README.md 
@@ -457,27 +457,28 @@ module "vpc" { | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [name](variables.tf#L72) | The name of the network being created. | string | ✓ | | -| [project_id](variables.tf#L88) | The ID of the project where this VPC will be created. | string | ✓ | | +| [name](variables.tf#L84) | The name of the network being created. | string | ✓ | | +| [project_id](variables.tf#L100) | The ID of the project where this VPC will be created. | string | ✓ | | | [auto_create_subnetworks](variables.tf#L17) | Set to true to create an auto mode subnet, defaults to custom mode. | bool | | false | -| [data_folder](variables.tf#L23) | An optional folder containing the subnet configurations in YaML format. | string | | null | -| [delete_default_routes_on_create](variables.tf#L29) | Set to true to delete the default routes at creation time. | bool | | false | -| [description](variables.tf#L35) | An optional description of this resource (triggers recreation on change). | string | | "Terraform-managed." | -| [dns_policy](variables.tf#L41) | DNS policy setup for the VPC. | object({…}) | | null | -| [firewall_policy_enforcement_order](variables.tf#L54) | Order that Firewall Rules and Firewall Policies are evaluated. Can be either 'BEFORE_CLASSIC_FIREWALL' or 'AFTER_CLASSIC_FIREWALL'. | string | | "AFTER_CLASSIC_FIREWALL" | -| [mtu](variables.tf#L66) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 (the default) and the maximum value is 1500 bytes. | number | | null | -| [peering_config](variables.tf#L77) | VPC peering configuration. | object({…}) | | null | -| [psa_config](variables.tf#L93) | The Private Service Access configuration for Service Networking. | object({…}) | | null | -| [routes](variables.tf#L103) | Network routes, keyed by name. | map(object({…})) | | {} | -| [routing_mode](variables.tf#L123) | The network routing mode (default 'GLOBAL'). 
| string | | "GLOBAL" | -| [shared_vpc_host](variables.tf#L133) | Enable shared VPC for this project. | bool | | false | -| [shared_vpc_service_projects](variables.tf#L139) | Shared VPC service projects to register with this host. | list(string) | | [] | -| [subnet_iam](variables.tf#L145) | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | map(map(list(string))) | | {} | -| [subnet_iam_additive](variables.tf#L151) | Subnet IAM additive bindings in {REGION/NAME => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {} | -| [subnets](variables.tf#L158) | Subnet configuration. | list(object({…})) | | [] | -| [subnets_proxy_only](variables.tf#L183) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] | -| [subnets_psc](variables.tf#L195) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] | -| [vpc_create](variables.tf#L206) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool | | true | +| [create_default_routes](variables.tf#L23) | Toggle creation of googleapis private/restricted routes. | object({…}) | | {} | +| [data_folder](variables.tf#L35) | An optional folder containing the subnet configurations in YaML format. | string | | null | +| [delete_default_routes_on_create](variables.tf#L41) | Set to true to delete the default routes at creation time. | bool | | false | +| [description](variables.tf#L47) | An optional description of this resource (triggers recreation on change). | string | | "Terraform-managed." | +| [dns_policy](variables.tf#L53) | DNS policy setup for the VPC. | object({…}) | | null | +| [firewall_policy_enforcement_order](variables.tf#L66) | Order that Firewall Rules and Firewall Policies are evaluated. Can be either 'BEFORE_CLASSIC_FIREWALL' or 'AFTER_CLASSIC_FIREWALL'. 
| string | | "AFTER_CLASSIC_FIREWALL" | +| [mtu](variables.tf#L78) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 (the default) and the maximum value is 1500 bytes. | number | | null | +| [peering_config](variables.tf#L89) | VPC peering configuration. | object({…}) | | null | +| [psa_config](variables.tf#L105) | The Private Service Access configuration for Service Networking. | object({…}) | | null | +| [routes](variables.tf#L115) | Network routes, keyed by name. | map(object({…})) | | {} | +| [routing_mode](variables.tf#L135) | The network routing mode (default 'GLOBAL'). | string | | "GLOBAL" | +| [shared_vpc_host](variables.tf#L145) | Enable shared VPC for this project. | bool | | false | +| [shared_vpc_service_projects](variables.tf#L151) | Shared VPC service projects to register with this host. | list(string) | | [] | +| [subnet_iam](variables.tf#L157) | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | map(map(list(string))) | | {} | +| [subnet_iam_additive](variables.tf#L163) | Subnet IAM additive bindings in {REGION/NAME => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {} | +| [subnets](variables.tf#L170) | Subnet configuration. | list(object({…})) | | [] | +| [subnets_proxy_only](variables.tf#L195) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] | +| [subnets_psc](variables.tf#L207) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] | +| [vpc_create](variables.tf#L218) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool | | true | ## Outputs diff --git a/modules/net-vpc/routes.tf b/modules/net-vpc/routes.tf index 5981b696..e0603828 100644 --- a/modules/net-vpc/routes.tf +++ b/modules/net-vpc/routes.tf 
@@ -1,5 +1,5 @@
/**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -88,3 +88,43 @@ resource "google_compute_route" "vpn_tunnel" {
tags = each.value.tags
next_hop_vpn_tunnel = each.value.next_hop
}
+
+resource "google_compute_route" "private" {
+ count = var.create_default_routes.private ? 1 : 0
+ project = var.project_id
+ network = local.network.name
+ name = "private-googleapis-default"
+ description = "Terraform-managed."
+ dest_range = "199.36.153.8/30"
+ next_hop_gateway = "default-internet-gateway"
+}
+
+resource "google_compute_route" "private6" {
+ count = var.create_default_routes.private6 ? 1 : 0
+ project = var.project_id
+ network = local.network.name
+ name = "private6-googleapis-default"
+ description = "Terraform-managed."
+ dest_range = "2600:2d00:0002:2000::/64"
+ next_hop_gateway = "default-internet-gateway"
+}
+
+resource "google_compute_route" "restricted" {
+ count = var.create_default_routes.restricted ? 1 : 0
+ project = var.project_id
+ network = local.network.name
+ name = "restricted-googleapis-default"
+ description = "Terraform-managed."
+ dest_range = "199.36.153.4/30"
+ next_hop_gateway = "default-internet-gateway"
+}
+
+resource "google_compute_route" "restricted6" {
+ count = var.create_default_routes.restricted6 ? 1 : 0
+ project = var.project_id
+ network = local.network.name
+ name = "restricted6-googleapis-default"
+ description = "Terraform-managed."
+ dest_range = "2600:2d00:0002:1000::/64"
+ next_hop_gateway = "default-internet-gateway"
+}
diff --git a/modules/net-vpc/variables.tf b/modules/net-vpc/variables.tf
index 8f0f3ab4..f5f93eff 100644
--- a/modules/net-vpc/variables.tf
+++ b/modules/net-vpc/variables.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -20,6 +20,18 @@ variable "auto_create_subnetworks" {
default = false
}
+variable "create_default_routes" {
+ description = "Toggle creation of googleapis private/restricted routes."
+ type = object({
+ private = optional(bool, true)
+ private6 = optional(bool, false)
+ restricted = optional(bool, true)
+ restricted6 = optional(bool, false)
+ })
+ default = {}
+ nullable = false
+}
+
variable "data_folder" {
description = "An optional folder containing the subnet configurations in YaML format."
type = string
From 1e8c58c88ee87deb8c7592a539c2ca61f22a72ed Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Fri, 26 May 2023 11:47:27 +0200
Subject: [PATCH 2/7] Reuse existing logic to create default routes
---
modules/net-vpc/README.md | 2 +-
modules/net-vpc/routes.tf | 58 +++++++++++-------------------------
modules/net-vpc/variables.tf | 8 ++---
3 files changed, 22 insertions(+), 46 deletions(-)
diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md
index 124df134..6e4c8089 100644
--- a/modules/net-vpc/README.md
+++ b/modules/net-vpc/README.md
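Review bot: `description = "Toggle creation of googleapis private/restricted routes."` leaves the defaults implicit: `private` and `restricted` are created unless explicitly disabled while `private6` and `restricted6` are opt-in, and the README table generated from this variable only shows `{}` as the default. Suggest `description = "Toggle creation of googleapis private/restricted routes. IPv4 routes are created by default, IPv6 routes are opt-in."`. Because `default = {}` together with `nullable = false` makes the IPv4 routes opt-out, every caller that does not set this variable gains two `google_compute_route` resources on its next apply (the README test counts in PATCH 3/7 rise by two for that reason), which is worth stating in the description or the README. The same description is carried unchanged through the attribute rename in PATCH 2/7's `variables.tf` hunk.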
@@ -460,7 +460,7 @@ module "vpc" {
| [name](variables.tf#L84) | The name of the network being created. | string | ✓ | |
| [project_id](variables.tf#L100) | The ID of the project where this VPC will be created. | string | ✓ | |
| [auto_create_subnetworks](variables.tf#L17) | Set to true to create an auto mode subnet, defaults to custom mode. | bool | | false |
-| [create_default_routes](variables.tf#L23) | Toggle creation of googleapis private/restricted routes. | object({…}) | | {} |
+| [create_default_routes](variables.tf#L23) | Toggle creation of googleapis private/restricted routes. | object({…}) | | {} |
| [data_folder](variables.tf#L35) | An optional folder containing the subnet configurations in YaML format. | string | | null |
| [delete_default_routes_on_create](variables.tf#L41) | Set to true to delete the default routes at creation time. | bool | | false |
| [description](variables.tf#L47) | An optional description of this resource (triggers recreation on change). | string | | "Terraform-managed." |
diff --git a/modules/net-vpc/routes.tf b/modules/net-vpc/routes.tf
index e0603828..65a310ab 100644
--- a/modules/net-vpc/routes.tf
+++ b/modules/net-vpc/routes.tf
@@ -17,7 +17,23 @@
# tfdoc:file:description Route resources.
locals {
- _routes = var.routes == null ? {} : var.routes
+ _googleapis_ranges = {
+ private = "199.36.153.8/30"
+ private-6 = "2600:2d00:0002:2000::/64"
+ restricted = "199.36.153.4/30"
+ restricted-6 = "2600:2d00:0002:1000::/64"
+ }
+ _googleapis_routes = {
+ for k, v in local._googleapis_ranges : "${k}-googleapis" => {
+ dest_range = v
+ next_hop = "default-internet-gateway"
+ next_hop_type = "gateway"
+ priority = 1000
+ tags = null
+ }
+ if var.create_default_routes[k]
+ }
+ _routes = merge(local._googleapis_routes, coalesce(var.routes, {}))
routes = {
gateway = { for k, v in local._routes : k => v if v.next_hop_type == "gateway" }
ilb = { for k, v in local._routes : k => v if v.next_hop_type == "ilb" }
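Review bot: `_routes = merge(local._googleapis_routes, coalesce(var.routes, {}))` gives caller-supplied routes precedence, so a `var.routes` entry keyed `private-googleapis`, `private-6-googleapis`, `restricted-googleapis` or `restricted-6-googleapis` silently replaces the generated route instead of conflicting with it, and `if var.create_default_routes[k]` relies on the keys of `_googleapis_ranges` matching the attribute names of `create_default_routes` by convention only. A comment above `_googleapis_ranges` would make both contracts visible, e.g. `# keys must match the attributes of var.create_default_routes; entries in var.routes override generated routes with the same key`. The generated routes are fixed at `priority = 1000`, whereas the FAST NVA stages previously set these routes to 999 beneath their 0.0.0.0/0 NVA routes; since the googleapis ranges are /30 and /64 prefixes, longest-prefix matching should still prefer them over a default route, but that reasoning is what the hard-coded priority depends on and deserves a line in the same comment. The hyphenated keys (`private-6`, `restricted-6`) exist so that `"${k}-googleapis"` yields the route name, which is why the matching variable attributes in PATCH 2/7's `variables.tf` hunk break the snake_case used elsewhere in the module (`next_hop_type`, `delete_default_routes_on_create`); if that is undesirable, `"${replace(k, "_", "-")}-googleapis"` would let the attributes stay `private_6`/`restricted_6`. The `locals` block continues outside the hunk.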
@@ -88,43 +104,3 @@ resource "google_compute_route" "vpn_tunnel" {
tags = each.value.tags
next_hop_vpn_tunnel = each.value.next_hop
}
-
-resource "google_compute_route" "private" {
- count = var.create_default_routes.private ? 1 : 0
- project = var.project_id
- network = local.network.name
- name = "private-googleapis-default"
- description = "Terraform-managed."
- dest_range = "199.36.153.8/30"
- next_hop_gateway = "default-internet-gateway"
-}
-
-resource "google_compute_route" "private6" {
- count = var.create_default_routes.private6 ? 1 : 0
- project = var.project_id
- network = local.network.name
- name = "private6-googleapis-default"
- description = "Terraform-managed."
- dest_range = "2600:2d00:0002:2000::/64"
- next_hop_gateway = "default-internet-gateway"
-}
-
-resource "google_compute_route" "restricted" {
- count = var.create_default_routes.restricted ? 1 : 0
- project = var.project_id
- network = local.network.name
- name = "restricted-googleapis-default"
- description = "Terraform-managed."
- dest_range = "199.36.153.4/30"
- next_hop_gateway = "default-internet-gateway"
-}
-
-resource "google_compute_route" "restricted6" {
- count = var.create_default_routes.restricted6 ? 1 : 0
- project = var.project_id
- network = local.network.name
- name = "restricted6-googleapis-default"
- description = "Terraform-managed."
- dest_range = "2600:2d00:0002:1000::/64"
- next_hop_gateway = "default-internet-gateway"
-}
diff --git a/modules/net-vpc/variables.tf b/modules/net-vpc/variables.tf
index f5f93eff..ba9dcc40 100644
--- a/modules/net-vpc/variables.tf
+++ b/modules/net-vpc/variables.tf
@@ -23,10 +23,10 @@ variable "auto_create_subnetworks" {
variable "create_default_routes" {
description = "Toggle creation of googleapis private/restricted routes."
type = object({
- private = optional(bool, true)
- private6 = optional(bool, false)
- restricted = optional(bool, true)
- restricted6 = optional(bool, false)
+ private = optional(bool, true)
+ private-6 = optional(bool, false)
+ restricted = optional(bool, true)
+ restricted-6 = optional(bool, false)
})
default = {}
nullable = false
From 563b5fa0cb3c6438ee10b3cc6f2f34185f1ac01f Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Fri, 26 May 2023 12:46:16 +0200
Subject: [PATCH 3/7] Update net-vpc README
---
.../apigee/bigquery-analytics/README.md | 2 +-
modules/net-vpc/README.md | 50 +++++++++++++++----
2 files changed, 40 insertions(+), 12 deletions(-)
diff --git a/blueprints/apigee/bigquery-analytics/README.md b/blueprints/apigee/bigquery-analytics/README.md
index 817c39bb..64bb966d 100644
--- a/blueprints/apigee/bigquery-analytics/README.md
+++ b/blueprints/apigee/bigquery-analytics/README.md
@@ -106,5 +106,5 @@ module "test" {
europe-west1 = "10.0.0.0/28"
}
}
-# tftest modules=10 resources=62
+# tftest modules=10 resources=64
```
diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md
index 6e4c8089..1256a49e 100644
--- a/modules/net-vpc/README.md
+++ b/modules/net-vpc/README.md
@@ -17,6 +17,7 @@ This module allows creation and management of VPC networks including subnetworks - [DNS Policies](#dns-policies) - [Subnet Factory](#subnet-factory) - [Custom Routes](#custom-routes) + - [Private Google Access routes](#private-google-access-routes) - [Allow Firewall Policy to be evaluated before Firewall Rules](#allow-firewall-policy-to-be-evaluated-before-firewall-rules) - [Variables](#variables) - [Outputs](#outputs)
@@ -45,7 +46,7 @@ module "vpc" {
}
]
}
-# tftest modules=1 resources=3 inventory=simple.yaml
+# tftest modules=1 resources=5 inventory=simple.yaml
```
### Subnet Options
@@ -92,7 +93,7 @@ module "vpc" { } ] } -# tftest modules=1 resources=5 inventory=subnet-options.yaml +# tftest modules=1 resources=7 inventory=subnet-options.yaml ``` ### Subnet IAM @@ -129,7 +130,7 @@ module "vpc" { } } } -# tftest modules=1 resources=6 inventory=subnet-iam.yaml +# tftest modules=1 resources=8 inventory=subnet-iam.yaml ``` ### Peering @@ -164,7 +165,7 @@ module "vpc-spoke-1" { import_routes = true } } -# tftest modules=2 resources=6 inventory=peering.yaml +# tftest modules=2 resources=10 inventory=peering.yaml ``` ### Shared VPC @@ -215,7 +216,7 @@ module "vpc-host" { } } } -# tftest modules=1 resources=7 inventory=shared-vpc.yaml +# tftest modules=1 resources=9 inventory=shared-vpc.yaml ``` ### Private Service Networking @@ -236,7 +237,7 @@ module "vpc" { ranges = { myrange = "10.0.1.0/24" } } } -# tftest modules=1 resources=5 inventory=psc.yaml +# tftest modules=1 resources=7 inventory=psc.yaml ``` ### Private Service Networking with peering routes @@ -261,7 +262,7 @@ module "vpc" { import_routes = true } } -# tftest modules=1 resources=5 inventory=psc-routes.yaml +# tftest modules=1 resources=7 inventory=psc-routes.yaml ``` ### Subnets for Private Service Connect, Proxy-only subnets @@ -293,7 +294,7 @@ module "vpc" { } ] } -# tftest modules=1 resources=3 inventory=proxy-only-subnets.yaml +# tftest modules=1 resources=5 inventory=proxy-only-subnets.yaml ``` ### DNS Policies @@ -318,7 +319,7 @@ module "vpc" { } ] } -# tftest modules=1 resources=3 inventory=dns-policies.yaml +# tftest modules=1 resources=5 inventory=dns-policies.yaml ``` ### Subnet Factory @@ -332,7 +333,7 @@ module "vpc" { name = "my-network" data_folder = "config/subnets" } -# tftest modules=1 resources=9 files=subnet-simple,subnet-simple-2,subnet-detailed,subnet-proxy,subnet-psc inventory=factory.yaml +# tftest modules=1 resources=11 files=subnet-simple,subnet-simple-2,subnet-detailed,subnet-proxy,subnet-psc inventory=factory.yaml ``` ```yaml 
@@ -400,6 +401,7 @@ locals { vpn_tunnel = "regions/europe-west1/vpnTunnels/foo" } } + module "vpc" { source = "./fabric/modules/net-vpc" for_each = local.route_types @@ -420,10 +422,36 @@ module "vpc" { next_hop = "global/gateways/default-internet-gateway" } } + create_default_routes = { + restricted = false + restricted-6 = false + private = false + private-6 = false + } } # tftest modules=5 resources=15 inventory=routes.yaml ``` +### Private Google Access routes + +By default the VPC module creates IPv4 routes for the [Private Google Access ranges](https://cloud.google.com/vpc/docs/configure-private-google-access#config-routing). This behavior can be controlled through the `create_default_routes` variable: + +```hcl +module "vpc" { + source = "./fabric/modules/net-vpc" + project_id = "my-project" + name = "my-vpc" + create_default_routes = { + restricted = false + restricted-6 = true + private = false + private-6 = true + } +} +# tftest modules=1 resources=3 inventory=googleapis.yaml +``` + + ### Allow Firewall Policy to be evaluated before Firewall Rules ```hcl @@ -449,7 +477,7 @@ module "vpc" { } ] } -# tftest modules=1 resources=3 inventory=firewall_policy_enforcement_order.yaml +# tftest modules=1 resources=5 inventory=firewall_policy_enforcement_order.yaml ``` From cecbd2072c33c005dd9719b1148e3dfe7d83d4bc Mon Sep 17 00:00:00 2001 
From: Julio Castillo Date: Fri, 26 May 2023 13:12:19 +0200 Subject: [PATCH 4/7] Fix modules and blueprints tests --- blueprints/apigee/hybrid-gke/README.md | 2 +- .../README.md | 2 +- blueprints/cloud-operations/adfs/README.md | 2 +- .../README.md | 2 +- .../dns-fine-grained-iam/README.md | 2 +- .../cloud-operations/dns-shared-vpc/README.md | 2 +- .../packer-image-builder/README.md | 2 +- .../unmanaged-instances-healthcheck/README.md | 2 +- .../vm-migration/single-project/README.md | 2 +- blueprints/data-solutions/bq-ml/README.md | 2 +- .../cloudsql-multiregion/README.md | 2 +- .../cmek-via-centralized-kms/README.md | 2 +- .../data-solutions/composer-2/README.md | 2 +- .../data-platform-foundations/README.md | 4 +- .../data-platform-minimal/README.md | 2 +- .../data-solutions/data-playground/README.md | 2 +- .../gcs-to-bq-with-least-privileges/README.md | 2 +- .../sqlserver-alwayson/README.md | 2 +- .../data-solutions/vertex-mlops/README.md | 4 +- blueprints/gke/autopilot/README.md | 4 +- blueprints/gke/binauthz/README.md | 2 +- .../README.md | 2 +- .../decentralized-firewall/README.md | 2 +- .../networking/filtering-proxy-psc/README.md | 2 +- .../networking/filtering-proxy/README.md | 4 +- blueprints/networking/glb-and-armor/README.md | 2 +- .../glb-hybrid-neg-internal/README.md | 2 +- .../hub-and-spoke-peering/README.md | 2 +- .../networking/hub-and-spoke-vpn/README.md | 2 +- blueprints/networking/ilb-next-hop/README.md | 2 +- .../README.md | 2 +- .../networking/shared-vpc-gke/README.md | 2 +- .../serverless/cloud-run-corporate/README.md | 6 +-- modules/cloudsql-instance/README.md | 2 +- modules/gke-hub/README.md | 4 +- modules/net-vpc-firewall-policy/README.md | 2 +- .../net_vpc/examples/dns-policies.yaml | 4 -- .../modules/net_vpc/examples/googleapis.yaml | 39 +++++++++++++++++++ tests/modules/net_vpc/examples/simple.yaml | 24 ++++++++++++ .../modules/net_vpc/examples/subnet-iam.yaml | 3 +- 40 files changed, 107 insertions(+), 49 deletions(-) create mode 100644 
tests/modules/net_vpc/examples/googleapis.yaml diff --git a/blueprints/apigee/hybrid-gke/README.md b/blueprints/apigee/hybrid-gke/README.md index 05614fac..5d79f1f8 100644 --- a/blueprints/apigee/hybrid-gke/README.md +++ b/blueprints/apigee/hybrid-gke/README.md @@ -80,5 +80,5 @@ module "test" { project_id = "my-project" hostname = "test.myorg.org" } -# tftest modules=18 resources=59 +# tftest modules=18 resources=61 ``` diff --git a/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/README.md b/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/README.md index 1919c657..b568bd8e 100644 --- a/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/README.md +++ b/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/README.md @@ -79,5 +79,5 @@ module "test" { onprem_project_id = "my-onprem-project" hostname = "test.myorg.org" } -# tftest modules=14 resources=73 +# tftest modules=14 resources=77 ``` diff --git a/blueprints/cloud-operations/adfs/README.md b/blueprints/cloud-operations/adfs/README.md index b1efb7b7..914382ca 100644 --- a/blueprints/cloud-operations/adfs/README.md +++ b/blueprints/cloud-operations/adfs/README.md @@ -89,5 +89,5 @@ module "test" { ad_dns_domain_name = "example.com" adfs_dns_domain_name = "adfs.example.com" } -# tftest modules=5 resources=18 +# tftest modules=5 resources=20 ``` diff --git a/blueprints/cloud-operations/asset-inventory-feed-remediation/README.md b/blueprints/cloud-operations/asset-inventory-feed-remediation/README.md index 1025a6be..5e192194 100644 --- a/blueprints/cloud-operations/asset-inventory-feed-remediation/README.md +++ b/blueprints/cloud-operations/asset-inventory-feed-remediation/README.md @@ -82,5 +82,5 @@ module "test" { project_id = "project-1" } -# tftest modules=7 resources=21 +# tftest modules=7 resources=23 ``` 
diff --git a/blueprints/cloud-operations/dns-fine-grained-iam/README.md b/blueprints/cloud-operations/dns-fine-grained-iam/README.md index 8fe402f2..6379495d 100644 --- a/blueprints/cloud-operations/dns-fine-grained-iam/README.md +++ b/blueprints/cloud-operations/dns-fine-grained-iam/README.md @@ -128,5 +128,5 @@ module "test1" { project_create = true project_id = "test" } -# tftest modules=9 resources=25 +# tftest modules=9 resources=27 ``` diff --git a/blueprints/cloud-operations/dns-shared-vpc/README.md b/blueprints/cloud-operations/dns-shared-vpc/README.md index 6d6e627b..ed64d1de 100644 --- a/blueprints/cloud-operations/dns-shared-vpc/README.md +++ b/blueprints/cloud-operations/dns-shared-vpc/README.md @@ -51,5 +51,5 @@ module "test" { shared_vpc_link = "https://www.googleapis.com/compute/v1/projects/test-dns/global/networks/default" teams = ["team1", "team2"] } -# tftest modules=9 resources=12 +# tftest modules=9 resources=16 ``` diff --git a/blueprints/cloud-operations/packer-image-builder/README.md b/blueprints/cloud-operations/packer-image-builder/README.md index a72cb738..8d542c33 100644 --- a/blueprints/cloud-operations/packer-image-builder/README.md +++ b/blueprints/cloud-operations/packer-image-builder/README.md @@ -115,5 +115,5 @@ module "test" { packer_account_users = ["user:john@example.com"] create_packer_vars = true } -# tftest modules=7 resources=17 files=pkrvars +# tftest modules=7 resources=19 files=pkrvars ``` diff --git a/blueprints/cloud-operations/unmanaged-instances-healthcheck/README.md b/blueprints/cloud-operations/unmanaged-instances-healthcheck/README.md index 29721ac1..067ebb10 100644 --- a/blueprints/cloud-operations/unmanaged-instances-healthcheck/README.md +++ b/blueprints/cloud-operations/unmanaged-instances-healthcheck/README.md @@ -128,5 +128,5 @@ module "test" { billing_account = "123456-123456-123456" project_create = true } -# tftest modules=11 resources=35 +# tftest modules=11 resources=37 ``` 
diff --git a/blueprints/cloud-operations/vm-migration/single-project/README.md b/blueprints/cloud-operations/vm-migration/single-project/README.md index 0817a639..bc51953d 100644 --- a/blueprints/cloud-operations/vm-migration/single-project/README.md +++ b/blueprints/cloud-operations/vm-migration/single-project/README.md @@ -52,5 +52,5 @@ module "test" { migration_admin_users = ["user:admin@example.com"] migration_viewer_users = ["user:viewer@example.com"] } -# tftest modules=5 resources=20 +# tftest modules=5 resources=22 ``` diff --git a/blueprints/data-solutions/bq-ml/README.md b/blueprints/data-solutions/bq-ml/README.md index 385ec529..4211b6f0 100644 --- a/blueprints/data-solutions/bq-ml/README.md +++ b/blueprints/data-solutions/bq-ml/README.md @@ -98,5 +98,5 @@ module "test" { prefix = "prefix" } -# tftest modules=9 resources=48 +# tftest modules=9 resources=50 ``` diff --git a/blueprints/data-solutions/cloudsql-multiregion/README.md b/blueprints/data-solutions/cloudsql-multiregion/README.md index 13b5be8a..1216c0aa 100644 --- a/blueprints/data-solutions/cloudsql-multiregion/README.md +++ b/blueprints/data-solutions/cloudsql-multiregion/README.md @@ -180,5 +180,5 @@ module "test" { } prefix = "prefix" } -# tftest modules=10 resources=50 +# tftest modules=10 resources=52 ``` diff --git a/blueprints/data-solutions/cmek-via-centralized-kms/README.md b/blueprints/data-solutions/cmek-via-centralized-kms/README.md index ab80d5ff..74d98e3a 100644 --- a/blueprints/data-solutions/cmek-via-centralized-kms/README.md +++ b/blueprints/data-solutions/cmek-via-centralized-kms/README.md @@ -66,5 +66,5 @@ module "test" { } prefix = "prefix" } -# tftest modules=8 resources=27 +# tftest modules=8 resources=29 ``` diff --git a/blueprints/data-solutions/composer-2/README.md b/blueprints/data-solutions/composer-2/README.md index ab4f65d9..3f665dbd 100644 --- a/blueprints/data-solutions/composer-2/README.md +++ b/blueprints/data-solutions/composer-2/README.md 
@@ -125,5 +125,5 @@ module "test" { } prefix = "prefix" } -# tftest modules=5 resources=26 +# tftest modules=5 resources=28 ``` diff --git a/blueprints/data-solutions/data-platform-foundations/README.md b/blueprints/data-solutions/data-platform-foundations/README.md index 8bb9c2ca..15c22ded 100644 --- a/blueprints/data-solutions/data-platform-foundations/README.md +++ b/blueprints/data-solutions/data-platform-foundations/README.md @@ -226,7 +226,7 @@ module "data-platform" { prefix = "myprefix" } -# tftest modules=43 resources=279 +# tftest modules=43 resources=285 ``` ## Customizations @@ -307,5 +307,5 @@ module "test" { } prefix = "prefix" } -# tftest modules=43 resources=279 +# tftest modules=43 resources=285 ``` diff --git a/blueprints/data-solutions/data-platform-minimal/README.md b/blueprints/data-solutions/data-platform-minimal/README.md index f4689113..e5edf514 100644 --- a/blueprints/data-solutions/data-platform-minimal/README.md +++ b/blueprints/data-solutions/data-platform-minimal/README.md @@ -203,7 +203,7 @@ module "data-platform" { prefix = "myprefix" } -# tftest modules=21 resources=110 +# tftest modules=21 resources=112 ``` ## Customizations diff --git a/blueprints/data-solutions/data-playground/README.md b/blueprints/data-solutions/data-playground/README.md index 5f534aa2..c3693ee2 100644 --- a/blueprints/data-solutions/data-playground/README.md +++ b/blueprints/data-solutions/data-playground/README.md @@ -86,5 +86,5 @@ module "test" { parent = "folders/467898377" } } -# tftest modules=8 resources=41 +# tftest modules=8 resources=43 ``` diff --git a/blueprints/data-solutions/gcs-to-bq-with-least-privileges/README.md b/blueprints/data-solutions/gcs-to-bq-with-least-privileges/README.md index 041c946b..21c342e0 100644 --- a/blueprints/data-solutions/gcs-to-bq-with-least-privileges/README.md +++ b/blueprints/data-solutions/gcs-to-bq-with-least-privileges/README.md 
@@ -228,5 +228,5 @@ module "test" { project_id = "project-1" prefix = "prefix" } -# tftest modules=12 resources=47 +# tftest modules=12 resources=49 ``` diff --git a/blueprints/data-solutions/sqlserver-alwayson/README.md b/blueprints/data-solutions/sqlserver-alwayson/README.md index 695c8f0b..85ab8385 100644 --- a/blueprints/data-solutions/sqlserver-alwayson/README.md +++ b/blueprints/data-solutions/sqlserver-alwayson/README.md @@ -87,5 +87,5 @@ module "test" { ad_domain_fqdn = "ad.example.com" ad_domain_netbios = "ad" } -# tftest modules=12 resources=38 +# tftest modules=12 resources=40 ``` diff --git a/blueprints/data-solutions/vertex-mlops/README.md b/blueprints/data-solutions/vertex-mlops/README.md index ef6b98f6..974ec335 100644 --- a/blueprints/data-solutions/vertex-mlops/README.md +++ b/blueprints/data-solutions/vertex-mlops/README.md @@ -72,7 +72,7 @@ module "test" { project_id = "test-dev" } } -# tftest modules=11 resources=60 +# tftest modules=11 resources=62 ``` @@ -127,5 +127,5 @@ module "test" { project_id = "test-dev" } } -# tftest modules=13 resources=65 +# tftest modules=13 resources=67 ``` diff --git a/blueprints/gke/autopilot/README.md b/blueprints/gke/autopilot/README.md index aa67956f..b31b0879 100644 --- a/blueprints/gke/autopilot/README.md +++ b/blueprints/gke/autopilot/README.md @@ -91,5 +91,5 @@ module "test" { } project_id = "my-project" } -# tftest modules=11 resources=34 -``` \ No newline at end of file +# tftest modules=11 resources=36 +``` diff --git a/blueprints/gke/binauthz/README.md b/blueprints/gke/binauthz/README.md index 09eac687..740982e6 100644 --- a/blueprints/gke/binauthz/README.md +++ b/blueprints/gke/binauthz/README.md @@ -138,5 +138,5 @@ module "test" { } project_id = "my-project" } -# tftest modules=14 resources=47 +# tftest modules=14 resources=49 ``` diff --git a/blueprints/gke/multi-cluster-mesh-gke-fleet-api/README.md b/blueprints/gke/multi-cluster-mesh-gke-fleet-api/README.md index 8237f92c..4efbaf4f 100644 
--- a/blueprints/gke/multi-cluster-mesh-gke-fleet-api/README.md +++ b/blueprints/gke/multi-cluster-mesh-gke-fleet-api/README.md @@ -103,5 +103,5 @@ module "test" { mgmt_subnet_cidr_block = "10.0.0.0/24" istio_version = "1.14.1-asm.3" } -# tftest modules=13 resources=57 +# tftest modules=13 resources=59 ``` diff --git a/blueprints/networking/decentralized-firewall/README.md b/blueprints/networking/decentralized-firewall/README.md index 334fd0f2..2fd89640 100644 --- a/blueprints/networking/decentralized-firewall/README.md +++ b/blueprints/networking/decentralized-firewall/README.md @@ -51,5 +51,5 @@ module "test" { root_node = "organizations/0123456789" } -# tftest modules=9 resources=50 +# tftest modules=9 resources=54 ``` diff --git a/blueprints/networking/filtering-proxy-psc/README.md b/blueprints/networking/filtering-proxy-psc/README.md index 66a22caa..dd9f0585 100644 --- a/blueprints/networking/filtering-proxy-psc/README.md +++ b/blueprints/networking/filtering-proxy-psc/README.md @@ -40,5 +40,5 @@ module "test" { } project_id = "test-project" } -# tftest modules=13 resources=37 +# tftest modules=13 resources=41 ``` diff --git a/blueprints/networking/filtering-proxy/README.md b/blueprints/networking/filtering-proxy/README.md index 6aab12b2..70dcf6df 100644 --- a/blueprints/networking/filtering-proxy/README.md +++ b/blueprints/networking/filtering-proxy/README.md @@ -47,7 +47,7 @@ module "test1" { prefix = "fabric" root_node = "folders/123456789" } -# tftest modules=14 resources=36 +# tftest modules=14 resources=38 ``` ```hcl @@ -58,5 +58,5 @@ module "test2" { prefix = "fabric" root_node = "folders/123456789" } -# tftest modules=12 resources=30 +# tftest modules=12 resources=32 ``` diff --git a/blueprints/networking/glb-and-armor/README.md b/blueprints/networking/glb-and-armor/README.md index 25b9e96f..3e466131 100644 --- a/blueprints/networking/glb-and-armor/README.md +++ b/blueprints/networking/glb-and-armor/README.md 
@@ -151,5 +151,5 @@ module "test" { project_id = "project-1" enforce_security_policy = true } -# tftest modules=12 resources=26 +# tftest modules=12 resources=28 ``` diff --git a/blueprints/networking/glb-hybrid-neg-internal/README.md b/blueprints/networking/glb-hybrid-neg-internal/README.md index b6bd3d78..253dc4c4 100644 --- a/blueprints/networking/glb-hybrid-neg-internal/README.md +++ b/blueprints/networking/glb-hybrid-neg-internal/README.md @@ -96,5 +96,5 @@ module "test" { } } -# tftest modules=21 resources=64 +# tftest modules=21 resources=70 ``` diff --git a/blueprints/networking/hub-and-spoke-peering/README.md b/blueprints/networking/hub-and-spoke-peering/README.md index b9582832..09b5dc5d 100644 --- a/blueprints/networking/hub-and-spoke-peering/README.md +++ b/blueprints/networking/hub-and-spoke-peering/README.md @@ -115,5 +115,5 @@ module "test" { project_id = "project-1" } -# tftest modules=22 resources=61 +# tftest modules=22 resources=67 ``` diff --git a/blueprints/networking/hub-and-spoke-vpn/README.md b/blueprints/networking/hub-and-spoke-vpn/README.md index 14beaa13..d0f2d1f0 100644 --- a/blueprints/networking/hub-and-spoke-vpn/README.md +++ b/blueprints/networking/hub-and-spoke-vpn/README.md @@ -114,5 +114,5 @@ module "test" { project_id = "project-1" } -# tftest modules=20 resources=73 +# tftest modules=20 resources=79 ``` diff --git a/blueprints/networking/ilb-next-hop/README.md b/blueprints/networking/ilb-next-hop/README.md index b4b5e6e8..1200d9d2 100644 --- a/blueprints/networking/ilb-next-hop/README.md +++ b/blueprints/networking/ilb-next-hop/README.md @@ -96,5 +96,5 @@ module "test" { project_create = true project_id = "project-1" } -# tftest modules=18 resources=42 +# tftest modules=18 resources=46 ``` diff --git a/blueprints/networking/private-cloud-function-from-onprem/README.md b/blueprints/networking/private-cloud-function-from-onprem/README.md index 111e82a4..4951454f 100644 
--- a/blueprints/networking/private-cloud-function-from-onprem/README.md +++ b/blueprints/networking/private-cloud-function-from-onprem/README.md @@ -45,5 +45,5 @@ module "test" { } project_id = "test-project" } -# tftest modules=11 resources=40 +# tftest modules=11 resources=44 ``` diff --git a/blueprints/networking/shared-vpc-gke/README.md b/blueprints/networking/shared-vpc-gke/README.md index f413becf..a60dea0c 100644 --- a/blueprints/networking/shared-vpc-gke/README.md +++ b/blueprints/networking/shared-vpc-gke/README.md @@ -80,5 +80,5 @@ module "test" { prefix = "test" root_node = "organizations/0123456789" } -# tftest modules=11 resources=43 +# tftest modules=11 resources=45 ``` diff --git a/blueprints/serverless/cloud-run-corporate/README.md b/blueprints/serverless/cloud-run-corporate/README.md index a91df33b..b31a50ce 100644 --- a/blueprints/serverless/cloud-run-corporate/README.md +++ b/blueprints/serverless/cloud-run-corporate/README.md @@ -238,7 +238,7 @@ module "test" { prj_onprem_id = "onprem-project-id" } -# tftest modules=15 resources=46 +# tftest modules=15 resources=50 ``` ```hcl @@ -262,7 +262,7 @@ module "test" { tf_identity = "user@example.org" } -# tftest modules=15 resources=32 +# tftest modules=15 resources=36 ``` ```hcl @@ -281,5 +281,5 @@ module "test" { custom_domain = "cloud-run-corporate.example.org" } -# tftest modules=14 resources=43 +# tftest modules=14 resources=45 ``` diff --git a/modules/cloudsql-instance/README.md b/modules/cloudsql-instance/README.md index a595fc7e..a8e5d597 100644 --- a/modules/cloudsql-instance/README.md +++ b/modules/cloudsql-instance/README.md @@ -39,7 +39,7 @@ module "db" { database_version = "POSTGRES_13" tier = "db-g1-small" } -# tftest modules=3 resources=9 inventory=simple.yaml +# tftest modules=3 resources=11 inventory=simple.yaml ``` ## Cross-regional read replica diff --git a/modules/gke-hub/README.md b/modules/gke-hub/README.md index d9d14c62..a9411949 100644 --- a/modules/gke-hub/README.md 
+++ b/modules/gke-hub/README.md @@ -119,7 +119,7 @@ module "hub" { } } -# tftest modules=4 resources=16 inventory=full.yaml +# tftest modules=4 resources=18 inventory=full.yaml ``` ## Multi-cluster mesh on GKE @@ -314,7 +314,7 @@ module "hub" { ] } -# tftest modules=8 resources=32 +# tftest modules=8 resources=34 ``` diff --git a/modules/net-vpc-firewall-policy/README.md b/modules/net-vpc-firewall-policy/README.md index ec468a77..5392a0b7 100644 --- a/modules/net-vpc-firewall-policy/README.md +++ b/modules/net-vpc-firewall-policy/README.md @@ -59,7 +59,7 @@ module "firewall-policy" { } } } -# tftest modules=2 resources=7 +# tftest modules=2 resources=9 ``` diff --git a/tests/modules/net_vpc/examples/dns-policies.yaml b/tests/modules/net_vpc/examples/dns-policies.yaml index a30d6408..3999e91f 100644 --- a/tests/modules/net_vpc/examples/dns-policies.yaml +++ b/tests/modules/net_vpc/examples/dns-policies.yaml @@ -36,7 +36,3 @@ counts: google_compute_network: 1 google_compute_subnetwork: 1 google_dns_policy: 1 - modules: 1 - resources: 3 - -outputs: {} diff --git a/tests/modules/net_vpc/examples/googleapis.yaml b/tests/modules/net_vpc/examples/googleapis.yaml new file mode 100644 index 00000000..6248db51 --- /dev/null +++ b/tests/modules/net_vpc/examples/googleapis.yaml 
@@ -0,0 +1,39 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + module.vpc.google_compute_route.gateway["private-6-googleapis"]: + dest_range: 2600:2d00:0002:2000::/64 + name: my-vpc-private-6-googleapis + next_hop_gateway: default-internet-gateway + next_hop_ilb: null + next_hop_instance: null + next_hop_vpn_tunnel: null + priority: 1000 + project: my-project + tags: null + module.vpc.google_compute_route.gateway["restricted-6-googleapis"]: + dest_range: 2600:2d00:0002:1000::/64 + name: my-vpc-restricted-6-googleapis + next_hop_gateway: default-internet-gateway + next_hop_ilb: null + next_hop_instance: null + next_hop_vpn_tunnel: null + priority: 1000 + project: my-project + tags: null + +counts: + google_compute_network: 1 + google_compute_route: 2 diff --git a/tests/modules/net_vpc/examples/simple.yaml b/tests/modules/net_vpc/examples/simple.yaml index 799852c0..2a5b1ee2 100644 --- a/tests/modules/net_vpc/examples/simple.yaml +++ b/tests/modules/net_vpc/examples/simple.yaml 
@@ -44,7 +44,31 @@ values: region: europe-west2 role: null secondary_ip_range: [] + module.vpc.google_compute_route.gateway["private-googleapis"]: + dest_range: 199.36.153.8/30 + name: my-network-private-googleapis + next_hop_gateway: default-internet-gateway + next_hop_ilb: null + next_hop_instance: null + next_hop_vpn_tunnel: null + priority: 1000 + project: my-project + tags: null + timeouts: null + module.vpc.google_compute_route.gateway["restricted-googleapis"]: + description: Terraform-managed. + dest_range: 199.36.153.4/30 + name: my-network-restricted-googleapis + next_hop_gateway: default-internet-gateway + next_hop_ilb: null + next_hop_instance: null + next_hop_vpn_tunnel: null + priority: 1000 + project: my-project + tags: null + timeouts: null counts: google_compute_network: 1 google_compute_subnetwork: 2 + google_compute_route: 2 diff --git a/tests/modules/net_vpc/examples/subnet-iam.yaml b/tests/modules/net_vpc/examples/subnet-iam.yaml index ce853c71..8aa5bed8 100644 --- a/tests/modules/net_vpc/examples/subnet-iam.yaml +++ b/tests/modules/net_vpc/examples/subnet-iam.yaml @@ -54,5 +54,4 @@ counts: google_compute_subnetwork: 2 google_compute_subnetwork_iam_binding: 1 google_compute_subnetwork_iam_member: 2 - -outputs: {} + google_compute_route: 2 From 0888cce3a5c442f684c9fd2947586fa84426a73e Mon Sep 17 00:00:00 2001 
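Review bot: The two new `google_compute_route.gateway` entries in simple.yaml pin different attribute sets: `restricted-googleapis` carries `description: Terraform-managed.` while `private-googleapis` does not, and the IPv6 entries added to googleapis.yaml in the same commit list neither `description` nor `timeouts`. If the inventory comparison is a subset match this still passes, but routes produced by the same resource are then checked to different depths, so a regression in one of them is easier to miss. Suggest adding `description: Terraform-managed.` to the `private-googleapis` entry here and giving the googleapis.yaml entries the same attribute set as these two.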
From: Julio Castillo Date: Fri, 26 May 2023 16:43:43 +0200 Subject: [PATCH 5/7] Rename to `create_googleapis_routes` --- fast/stages/2-networking-a-peering/landing.tf | 2 +- fast/stages/2-networking-a-peering/spoke-dev.tf | 2 +- fast/stages/2-networking-a-peering/spoke-prod.tf | 2 +- fast/stages/2-networking-b-vpn/landing.tf | 2 +- fast/stages/2-networking-b-vpn/spoke-dev.tf | 2 +- fast/stages/2-networking-b-vpn/spoke-prod.tf | 2 +- fast/stages/2-networking-c-nva/landing.tf | 2 +- fast/stages/2-networking-c-nva/spoke-dev.tf | 2 +- fast/stages/2-networking-c-nva/spoke-prod.tf | 2 +- fast/stages/2-networking-d-separate-envs/spoke-dev.tf | 2 +- fast/stages/2-networking-d-separate-envs/spoke-prod.tf | 2 +- fast/stages/2-networking-e-nva-bgp/landing.tf | 2 +- fast/stages/2-networking-e-nva-bgp/spoke-dev.tf | 2 +- fast/stages/2-networking-e-nva-bgp/spoke-prod.tf | 2 +- modules/net-vpc/README.md | 8 ++++---- modules/net-vpc/routes.tf | 2 +- modules/net-vpc/variables.tf | 2 +- 17 files changed, 20 insertions(+), 20 deletions(-) diff --git a/fast/stages/2-networking-a-peering/landing.tf b/fast/stages/2-networking-a-peering/landing.tf index 995a652a..db40b3f1 100644 --- a/fast/stages/2-networking-a-peering/landing.tf +++ b/fast/stages/2-networking-a-peering/landing.tf @@ -51,7 +51,7 @@ module "landing-vpc" { inbound = true } # set explicit routes for googleapis in case the default route is deleted - create_default_routes = { + create_googleapis_routes = { private = true restricted = true } diff --git a/fast/stages/2-networking-a-peering/spoke-dev.tf b/fast/stages/2-networking-a-peering/spoke-dev.tf index 0c51b12e..2256926f 100644 --- a/fast/stages/2-networking-a-peering/spoke-dev.tf +++ b/fast/stages/2-networking-a-peering/spoke-dev.tf 
@@ -53,7 +53,7 @@ module "dev-spoke-vpc" { data_folder = "${var.factories_config.data_dir}/subnets/dev" psa_config = try(var.psa_ranges.dev, null) # set explicit routes for googleapis in case the default route is deleted - create_default_routes = { + create_googleapis_routes = { private = true restricted = true } diff --git a/fast/stages/2-networking-a-peering/spoke-prod.tf b/fast/stages/2-networking-a-peering/spoke-prod.tf index 42986ab8..b7e3abcb 100644 --- a/fast/stages/2-networking-a-peering/spoke-prod.tf +++ b/fast/stages/2-networking-a-peering/spoke-prod.tf @@ -52,7 +52,7 @@ module "prod-spoke-vpc" { data_folder = "${var.factories_config.data_dir}/subnets/prod" psa_config = try(var.psa_ranges.prod, null) # set explicit routes for googleapis in case the default route is deleted - create_default_routes = { + create_googleapis_routes = { private = true restricted = true } diff --git a/fast/stages/2-networking-b-vpn/landing.tf b/fast/stages/2-networking-b-vpn/landing.tf index 995a652a..db40b3f1 100644 --- a/fast/stages/2-networking-b-vpn/landing.tf +++ b/fast/stages/2-networking-b-vpn/landing.tf @@ -51,7 +51,7 @@ module "landing-vpc" { inbound = true } # set explicit routes for googleapis in case the default route is deleted - create_default_routes = { + create_googleapis_routes = { private = true restricted = true } diff --git a/fast/stages/2-networking-b-vpn/spoke-dev.tf b/fast/stages/2-networking-b-vpn/spoke-dev.tf index 0c51b12e..2256926f 100644 --- a/fast/stages/2-networking-b-vpn/spoke-dev.tf +++ b/fast/stages/2-networking-b-vpn/spoke-dev.tf @@ -53,7 +53,7 @@ module "dev-spoke-vpc" { data_folder = "${var.factories_config.data_dir}/subnets/dev" psa_config = try(var.psa_ranges.dev, null) # set explicit routes for googleapis in case the default route is deleted - create_default_routes = { + create_googleapis_routes = { private = true restricted = true } 
diff --git a/fast/stages/2-networking-b-vpn/spoke-prod.tf b/fast/stages/2-networking-b-vpn/spoke-prod.tf index 42986ab8..b7e3abcb 100644 --- a/fast/stages/2-networking-b-vpn/spoke-prod.tf +++ b/fast/stages/2-networking-b-vpn/spoke-prod.tf @@ -52,7 +52,7 @@ module "prod-spoke-vpc" { data_folder = "${var.factories_config.data_dir}/subnets/prod" psa_config = try(var.psa_ranges.prod, null) # set explicit routes for googleapis in case the default route is deleted - create_default_routes = { + create_googleapis_routes = { private = true restricted = true } diff --git a/fast/stages/2-networking-c-nva/landing.tf b/fast/stages/2-networking-c-nva/landing.tf index 855f882b..21d3406c 100644 --- a/fast/stages/2-networking-c-nva/landing.tf +++ b/fast/stages/2-networking-c-nva/landing.tf @@ -116,7 +116,7 @@ module "landing-trusted-vpc" { inbound = true } # Set explicit routes for googleapis in case the default route is deleted - create_default_routes = { + create_googleapis_routes = { private = true restricted = true } diff --git a/fast/stages/2-networking-c-nva/spoke-dev.tf b/fast/stages/2-networking-c-nva/spoke-dev.tf index 5af5ed5a..a90d25aa 100644 --- a/fast/stages/2-networking-c-nva/spoke-dev.tf +++ b/fast/stages/2-networking-c-nva/spoke-dev.tf @@ -53,7 +53,7 @@ module "dev-spoke-vpc" { delete_default_routes_on_create = true psa_config = try(var.psa_ranges.dev, null) # Set explicit routes for googleapis; send everything else to NVAs - create_default_routes = { + create_googleapis_routes = { private = true restricted = true } diff --git a/fast/stages/2-networking-c-nva/spoke-prod.tf b/fast/stages/2-networking-c-nva/spoke-prod.tf index de829b31..8dd5af44 100644 --- a/fast/stages/2-networking-c-nva/spoke-prod.tf +++ b/fast/stages/2-networking-c-nva/spoke-prod.tf 
@@ -52,7 +52,7 @@ module "prod-spoke-vpc" { delete_default_routes_on_create = true psa_config = try(var.psa_ranges.prod, null) # Set explicit routes for googleapis; send everything else to NVAs - create_default_routes = { + create_googleapis_routes = { private = true restricted = true } diff --git a/fast/stages/2-networking-d-separate-envs/spoke-dev.tf b/fast/stages/2-networking-d-separate-envs/spoke-dev.tf index 3c1c8c2c..fd15e26c 100644 --- a/fast/stages/2-networking-d-separate-envs/spoke-dev.tf +++ b/fast/stages/2-networking-d-separate-envs/spoke-dev.tf @@ -53,7 +53,7 @@ module "dev-spoke-vpc" { data_folder = "${var.factories_config.data_dir}/subnets/dev" psa_config = try(var.psa_ranges.dev, null) # set explicit routes for googleapis in case the default route is deleted - create_default_routes = { + create_googleapis_routes = { private = true restricted = true } diff --git a/fast/stages/2-networking-d-separate-envs/spoke-prod.tf b/fast/stages/2-networking-d-separate-envs/spoke-prod.tf index 8a91bb42..c8d8a69c 100644 --- a/fast/stages/2-networking-d-separate-envs/spoke-prod.tf +++ b/fast/stages/2-networking-d-separate-envs/spoke-prod.tf @@ -52,7 +52,7 @@ module "prod-spoke-vpc" { data_folder = "${var.factories_config.data_dir}/subnets/prod" psa_config = try(var.psa_ranges.prod, null) # set explicit routes for googleapis in case the default route is deleted - create_default_routes = { + create_googleapis_routes = { private = true restricted = true } diff --git a/fast/stages/2-networking-e-nva-bgp/landing.tf b/fast/stages/2-networking-e-nva-bgp/landing.tf index 9d4938c3..d5b44e28 100644 --- a/fast/stages/2-networking-e-nva-bgp/landing.tf +++ b/fast/stages/2-networking-e-nva-bgp/landing.tf @@ -117,7 +117,7 @@ module "landing-trusted-vpc" { inbound = true } # Set explicit routes for googleapis in case the default route is deleted - create_default_routes = { + create_googleapis_routes = { private = true restricted = true } 
diff --git a/fast/stages/2-networking-e-nva-bgp/spoke-dev.tf b/fast/stages/2-networking-e-nva-bgp/spoke-dev.tf index 4b8c3316..56568ec9 100644 --- a/fast/stages/2-networking-e-nva-bgp/spoke-dev.tf +++ b/fast/stages/2-networking-e-nva-bgp/spoke-dev.tf @@ -53,7 +53,7 @@ module "dev-spoke-vpc" { delete_default_routes_on_create = true psa_config = try(var.psa_ranges.dev, null) # Set explicit routes for googleapis; send everything else to NVAs - create_default_routes = { + create_googleapis_routes = { private = true restricted = true } diff --git a/fast/stages/2-networking-e-nva-bgp/spoke-prod.tf b/fast/stages/2-networking-e-nva-bgp/spoke-prod.tf index 890855f1..b6251954 100644 --- a/fast/stages/2-networking-e-nva-bgp/spoke-prod.tf +++ b/fast/stages/2-networking-e-nva-bgp/spoke-prod.tf @@ -52,7 +52,7 @@ module "prod-spoke-vpc" { delete_default_routes_on_create = true psa_config = try(var.psa_ranges.prod, null) # Set explicit routes for googleapis; send everything else to NVAs - create_default_routes = { + create_googleapis_routes = { private = true restricted = true } diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md index 1256a49e..f2810445 100644 --- a/modules/net-vpc/README.md +++ b/modules/net-vpc/README.md @@ -422,7 +422,7 @@ module "vpc" { next_hop = "global/gateways/default-internet-gateway" } } - create_default_routes = { + create_googleapis_routes = { restricted = false restricted-6 = false private = false 
@@ -434,14 +434,14 @@ module "vpc" { ### Private Google Access routes -By default the VPC module creates IPv4 routes for the [Private Google Access ranges](https://cloud.google.com/vpc/docs/configure-private-google-access#config-routing). This behavior can be controlled through the `create_default_routes` variable: +By default the VPC module creates IPv4 routes for the [Private Google Access ranges](https://cloud.google.com/vpc/docs/configure-private-google-access#config-routing). This behavior can be controlled through the `create_googleapis_routes` variable: ```hcl module "vpc" { source = "./fabric/modules/net-vpc" project_id = "my-project" name = "my-vpc" - create_default_routes = { + create_googleapis_routes = { restricted = false restricted-6 = true private = false @@ -488,7 +488,7 @@ module "vpc" { | [name](variables.tf#L84) | The name of the network being created. | string | ✓ | | | [project_id](variables.tf#L100) | The ID of the project where this VPC will be created. | string | ✓ | | | [auto_create_subnetworks](variables.tf#L17) | Set to true to create an auto mode subnet, defaults to custom mode. | bool | | false | -| [create_default_routes](variables.tf#L23) | Toggle creation of googleapis private/restricted routes. | object({…}) | | {} | +| [create_googleapis_routes](variables.tf#L23) | Toggle creation of googleapis private/restricted routes. | object({…}) | | {} | | [data_folder](variables.tf#L35) | An optional folder containing the subnet configurations in YaML format. | string | | null | | [delete_default_routes_on_create](variables.tf#L41) | Set to true to delete the default routes at creation time. | bool | | false | | [description](variables.tf#L47) | An optional description of this resource (triggers recreation on change). | string | | "Terraform-managed." | diff --git a/modules/net-vpc/routes.tf b/modules/net-vpc/routes.tf index 65a310ab..493b248b 100644 --- a/modules/net-vpc/routes.tf +++ b/modules/net-vpc/routes.tf 
@@ -31,7 +31,7 @@ locals { priority = 1000 tags = null } - if var.create_default_routes[k] + if var.create_googleapis_routes[k] } _routes = merge(local._googleapis_routes, coalesce(var.routes, {})) routes = { diff --git a/modules/net-vpc/variables.tf b/modules/net-vpc/variables.tf index ba9dcc40..2cb1cdbf 100644 --- a/modules/net-vpc/variables.tf +++ b/modules/net-vpc/variables.tf @@ -20,7 +20,7 @@ variable "auto_create_subnetworks" { default = false } -variable "create_default_routes" { +variable "create_googleapis_routes" { description = "Toggle creation of googleapis private/restricted routes." type = object({ private = optional(bool, true) From fb121b4d0854190e21416ba29e6f92d6d5a085de Mon Sep 17 00:00:00 2001 From: Julio Castillo Date: Fri, 26 May 2023 17:17:40 +0200 Subject: [PATCH 6/7] Fix FAST tests --- .../local-serverless-connector.tf | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf b/fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf index d08a28ad..f3789fb4 100644 --- a/fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf +++ b/fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf @@ -38,6 +38,13 @@ module "dev-spoke-vpc-serverless" { ip_cidr_range = var.serverless_connector_config.dev-primary.ip_cidr_range region = var.regions.primary }] + # these should be create from the main VPC + create_googleapis_routes = { + private = false + private-6 = false + restricted = false + restricted-6 = false + } } module "prod-spoke-vpc-serverless" { 
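Review bot: The comment added above `create_googleapis_routes` in `dev-spoke-vpc-serverless` has a typo and does not record why the routes must be turned off here; `# these should be create from the main VPC` reads as a to-do rather than a constraint, so a later maintainer may simply drop the block and fall back to the module defaults, which enable the IPv4 routes. Presumably this module only adds connector subnets to a spoke VPC that the main networking stage already manages, in which case letting it create the googleapis routes as well would produce a second set of routes with the same names in the same VPC; that is the reason worth stating. I would write `# googleapis routes are created by the spoke VPC module in the networking stage; creating them here as well would collide with those routes`. The `dev-spoke-vpc-serverless` block begins before this hunk, and the same wording is repeated in the prod block of the following hunk.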
@@ -51,6 +58,13 @@ module "prod-spoke-vpc-serverless" { ip_cidr_range = var.serverless_connector_config.prod-primary.ip_cidr_range region = var.regions.primary }] + # these should be create from the main VPC + create_googleapis_routes = { + private = false + private-6 = false + restricted = false + restricted-6 = false + } } resource "google_vpc_access_connector" "dev-primary" { From b6ce4222d116a63edf0af00033e0c83748d1d539 Mon Sep 17 00:00:00 2001 From: Julio Castillo Date: Fri, 26 May 2023 17:32:34 +0200 Subject: [PATCH 7/7] Fix nva stages tests --- fast/stages/2-networking-c-nva/landing.tf | 4 ++++ fast/stages/2-networking-e-nva-bgp/landing.tf | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/fast/stages/2-networking-c-nva/landing.tf b/fast/stages/2-networking-c-nva/landing.tf index 21d3406c..0dd7d982 100644 --- a/fast/stages/2-networking-c-nva/landing.tf +++ b/fast/stages/2-networking-c-nva/landing.tf @@ -53,6 +53,10 @@ module "landing-untrusted-vpc" { inbound = false logging = false } + create_googleapis_routes = { + private = false + restricted = false + } data_folder = "${var.factories_config.data_dir}/subnets/landing-untrusted" } diff --git a/fast/stages/2-networking-e-nva-bgp/landing.tf b/fast/stages/2-networking-e-nva-bgp/landing.tf index d5b44e28..bbac8c52 100644 --- a/fast/stages/2-networking-e-nva-bgp/landing.tf +++ b/fast/stages/2-networking-e-nva-bgp/landing.tf @@ -54,6 +54,10 @@ module "landing-untrusted-vpc" { inbound = false logging = false } + create_googleapis_routes = { + private = false + restricted = false + } data_folder = "${var.factories_config.data_dir}/subnets/landing-untrusted" }
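Review bot: The new `create_googleapis_routes` block in `landing-untrusted-vpc` disables the private and restricted googleapis routes without saying why, and the commit message only says it fixes tests. If the untrusted VPC keeps its default internet route (its `delete_default_routes_on_create` setting is not visible in this hunk) the explicit routes to the Private Google Access ranges are redundant and the opt-out is harmless; if that VPC ever drops its default route, these routes are what keeps Google APIs reachable, so the reason belongs next to the toggle. I would add `# the untrusted VPC keeps its default internet route, so explicit googleapis routes are not needed here` above the block, adjusted if that assumption is wrong. As a point of style, the serverless-connector plugin in this series sets all four toggles including `private-6` and `restricted-6`, while this block sets only the IPv4 ones; being explicit about the `-6` keys here too, or relying on the module defaults in both places, would keep the stages consistent. The `landing-untrusted-vpc` block starts before this hunk, and the same applies to the e-nva-bgp landing hunk that follows.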
