Merge pull request #1400 from GoogleCloudPlatform/jccb/default-vpc-routes

Add default googleapi route creation to net-vpc

blueprints/apigee/bigquery-analytics/README.md

@@ -106,5 +106,5 @@ module "test" {
     europe-west1 = "10.0.0.0/28"
   }
 }
-# tftest modules=10 resources=62
+# tftest modules=10 resources=64
 ```

blueprints/apigee/hybrid-gke/README.md

@@ -80,5 +80,5 @@ module "test" {
   project_id = "my-project"
   hostname   = "test.myorg.org"
 }
-# tftest modules=18 resources=59
+# tftest modules=18 resources=61
 ```

blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/README.md

@@ -79,5 +79,5 @@ module "test" {
   onprem_project_id  = "my-onprem-project"
   hostname           = "test.myorg.org"
 }
-# tftest modules=14 resources=73
+# tftest modules=14 resources=77
 ```

blueprints/cloud-operations/adfs/README.md

@@ -89,5 +89,5 @@ module "test" {
   ad_dns_domain_name   = "example.com"
   adfs_dns_domain_name = "adfs.example.com"
 }
-# tftest modules=5 resources=18
+# tftest modules=5 resources=20
 ```

blueprints/cloud-operations/asset-inventory-feed-remediation/README.md

@@ -82,5 +82,5 @@ module "test" {
   project_id     = "project-1"
 }
 
-# tftest modules=7 resources=21
+# tftest modules=7 resources=23
 ```

blueprints/cloud-operations/dns-fine-grained-iam/README.md

@@ -128,5 +128,5 @@ module "test1" {
   project_create = true
   project_id     = "test"
 }
-# tftest modules=9 resources=25
+# tftest modules=9 resources=27
 ```

blueprints/cloud-operations/dns-shared-vpc/README.md

@@ -51,5 +51,5 @@ module "test" {
   shared_vpc_link    = "https://www.googleapis.com/compute/v1/projects/test-dns/global/networks/default"
   teams              = ["team1", "team2"]
 }
-# tftest modules=9 resources=12
+# tftest modules=9 resources=16
 ```

blueprints/cloud-operations/packer-image-builder/README.md

@@ -115,5 +115,5 @@ module "test" {
   packer_account_users = ["user:john@example.com"]
   create_packer_vars   = true
 }
-# tftest modules=7 resources=17 files=pkrvars
+# tftest modules=7 resources=19 files=pkrvars
 ```

blueprints/cloud-operations/unmanaged-instances-healthcheck/README.md

@@ -128,5 +128,5 @@ module "test" {
   billing_account = "123456-123456-123456"
   project_create  = true
 }
-# tftest modules=11 resources=35
+# tftest modules=11 resources=37
 ```

blueprints/cloud-operations/vm-migration/single-project/README.md

@@ -52,5 +52,5 @@ module "test" {
   migration_admin_users  = ["user:admin@example.com"]
   migration_viewer_users = ["user:viewer@example.com"]
 }
-# tftest modules=5 resources=20
+# tftest modules=5 resources=22
 ```

blueprints/data-solutions/bq-ml/README.md

@@ -98,5 +98,5 @@ module "test" {
   prefix     = "prefix"
 }
 
-# tftest modules=9 resources=48
+# tftest modules=9 resources=50
 ```

blueprints/data-solutions/cloudsql-multiregion/README.md

@@ -180,5 +180,5 @@ module "test" {
   }
   prefix = "prefix"
 }
-# tftest modules=10 resources=50
+# tftest modules=10 resources=52
 ```

blueprints/data-solutions/cmek-via-centralized-kms/README.md

@@ -66,5 +66,5 @@ module "test" {
   }
   prefix = "prefix"
 }
-# tftest modules=8 resources=27
+# tftest modules=8 resources=29
 ```

blueprints/data-solutions/composer-2/README.md

@@ -125,5 +125,5 @@ module "test" {
   }
   prefix = "prefix"
 }
-# tftest modules=5 resources=26
+# tftest modules=5 resources=28
 ```

blueprints/data-solutions/data-platform-foundations/README.md

@@ -226,7 +226,7 @@ module "data-platform" {
   prefix = "myprefix"
 }
 
-# tftest modules=43 resources=279
+# tftest modules=43 resources=285
 ```
 
 ## Customizations
@@ -307,5 +307,5 @@ module "test" {
   }
   prefix = "prefix"
 }
-# tftest modules=43 resources=279
+# tftest modules=43 resources=285
 ```

blueprints/data-solutions/data-platform-minimal/README.md

@@ -203,7 +203,7 @@ module "data-platform" {
   prefix = "myprefix"
 }
 
-# tftest modules=21 resources=110
+# tftest modules=21 resources=112
 ```
 
 ## Customizations

blueprints/data-solutions/data-playground/README.md

@@ -86,5 +86,5 @@ module "test" {
     parent             = "folders/467898377"
   }
 }
-# tftest modules=8 resources=41
+# tftest modules=8 resources=43
 ```

blueprints/data-solutions/gcs-to-bq-with-least-privileges/README.md

@@ -228,5 +228,5 @@ module "test" {
   project_id = "project-1"
   prefix     = "prefix"
 }
-# tftest modules=12 resources=47
+# tftest modules=12 resources=49
 ```

blueprints/data-solutions/sqlserver-alwayson/README.md

@@ -87,5 +87,5 @@ module "test" {
   ad_domain_fqdn     = "ad.example.com"
   ad_domain_netbios  = "ad"
 }
-# tftest modules=12 resources=38
+# tftest modules=12 resources=40
 ```

blueprints/data-solutions/vertex-mlops/README.md

@@ -72,7 +72,7 @@ module "test" {
     project_id         = "test-dev"
   }
 }
-# tftest modules=11 resources=60
+# tftest modules=11 resources=62
 ```
 <!-- BEGIN TFDOC -->
 
@@ -127,5 +127,5 @@ module "test" {
     project_id         = "test-dev"
   }
 }
-# tftest modules=13 resources=65
+# tftest modules=13 resources=67
 ```

blueprints/gke/autopilot/README.md

@@ -91,5 +91,5 @@ module "test" {
   }
   project_id = "my-project"
 }
-# tftest modules=11 resources=34
+# tftest modules=11 resources=36
-```
+```

blueprints/gke/binauthz/README.md

@@ -138,5 +138,5 @@ module "test" {
   }
   project_id = "my-project"
 }
-# tftest modules=14 resources=47
+# tftest modules=14 resources=49
 ```

blueprints/gke/multi-cluster-mesh-gke-fleet-api/README.md

@@ -103,5 +103,5 @@ module "test" {
   mgmt_subnet_cidr_block = "10.0.0.0/24"
   istio_version          = "1.14.1-asm.3"
 }
-# tftest modules=13 resources=57
+# tftest modules=13 resources=59
 ```

blueprints/networking/decentralized-firewall/README.md

@@ -51,5 +51,5 @@ module "test" {
   root_node          = "organizations/0123456789"
 }
 
-# tftest modules=9 resources=50
+# tftest modules=9 resources=54
 ```

blueprints/networking/filtering-proxy-psc/README.md

@@ -40,5 +40,5 @@ module "test" {
   }
   project_id = "test-project"
 }
-# tftest modules=13 resources=37
+# tftest modules=13 resources=41
 ```

blueprints/networking/filtering-proxy/README.md

@@ -47,7 +47,7 @@ module "test1" {
   prefix          = "fabric"
   root_node       = "folders/123456789"
 }
-# tftest modules=14 resources=36
+# tftest modules=14 resources=38
 ```
 
 ```hcl
@@ -58,5 +58,5 @@ module "test2" {
   prefix          = "fabric"
   root_node       = "folders/123456789"
 }
-# tftest modules=12 resources=30
+# tftest modules=12 resources=32
 ```

blueprints/networking/glb-and-armor/README.md

@@ -151,5 +151,5 @@ module "test" {
   project_id              = "project-1"
   enforce_security_policy = true
 }
-# tftest modules=12 resources=26
+# tftest modules=12 resources=28
 ```

blueprints/networking/glb-hybrid-neg-internal/README.md

@@ -96,5 +96,5 @@ module "test" {
   }
 }
 
-# tftest modules=21 resources=64
+# tftest modules=21 resources=70
 ```

blueprints/networking/hub-and-spoke-peering/README.md

@@ -115,5 +115,5 @@ module "test" {
   project_id = "project-1"
 }
 
-# tftest modules=22 resources=61
+# tftest modules=22 resources=67
 ```

blueprints/networking/hub-and-spoke-vpn/README.md

@@ -114,5 +114,5 @@ module "test" {
   project_id = "project-1"
 }
 
-# tftest modules=20 resources=73
+# tftest modules=20 resources=79
 ```

blueprints/networking/ilb-next-hop/README.md

@@ -96,5 +96,5 @@ module "test" {
   project_create = true
   project_id     = "project-1"
 }
-# tftest modules=18 resources=42
+# tftest modules=18 resources=46
 ```

blueprints/networking/private-cloud-function-from-onprem/README.md

@@ -45,5 +45,5 @@ module "test" {
   }
   project_id = "test-project"
 }
-# tftest modules=11 resources=40
+# tftest modules=11 resources=44
 ```

blueprints/networking/shared-vpc-gke/README.md

@@ -80,5 +80,5 @@ module "test" {
   prefix             = "test"
   root_node          = "organizations/0123456789"
 }
-# tftest modules=11 resources=43
+# tftest modules=11 resources=45
 ```

blueprints/serverless/cloud-run-corporate/README.md

@@ -238,7 +238,7 @@ module "test" {
   prj_onprem_id = "onprem-project-id"
 }
 
-# tftest modules=15 resources=46
+# tftest modules=15 resources=50
 ```
 
 ```hcl
@@ -262,7 +262,7 @@ module "test" {
   tf_identity = "user@example.org"
 }
 
-# tftest modules=15 resources=32
+# tftest modules=15 resources=36
 ```
 
 ```hcl
@@ -281,5 +281,5 @@ module "test" {
   custom_domain = "cloud-run-corporate.example.org"
 }
 
-# tftest modules=14 resources=43
+# tftest modules=14 resources=45
 ```

fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf

@@ -38,6 +38,13 @@ module "dev-spoke-vpc-serverless" {
     ip_cidr_range = var.serverless_connector_config.dev-primary.ip_cidr_range
     region        = var.regions.primary
   }]
+  # these should be create from the main VPC
+  create_googleapis_routes = {
+    private      = false
+    private-6    = false
+    restricted   = false
+    restricted-6 = false
+  }
 }
 
 module "prod-spoke-vpc-serverless" {
@@ -51,6 +58,13 @@ module "prod-spoke-vpc-serverless" {
     ip_cidr_range = var.serverless_connector_config.prod-primary.ip_cidr_range
     region        = var.regions.primary
   }]
+  # these should be create from the main VPC
+  create_googleapis_routes = {
+    private      = false
+    private-6    = false
+    restricted   = false
+    restricted-6 = false
+  }
 }
 
 resource "google_vpc_access_connector" "dev-primary" {

fast/stages/2-networking-a-peering/landing.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -51,17 +51,9 @@ module "landing-vpc" {
     inbound = true
   }
   # set explicit routes for googleapis in case the default route is deleted
-  routes = {
+  create_googleapis_routes = {
-    private-googleapis = {
+    private    = true
-      dest_range    = "199.36.153.8/30"
+    restricted = true
-      next_hop_type = "gateway"
-      next_hop      = "default-internet-gateway"
-    }
-    restricted-googleapis = {
-      dest_range    = "199.36.153.4/30"
-      next_hop_type = "gateway"
-      next_hop      = "default-internet-gateway"
-    }
   }
   data_folder = "${var.factories_config.data_dir}/subnets/landing"
 }

fast/stages/2-networking-a-peering/spoke-dev.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -53,17 +53,9 @@ module "dev-spoke-vpc" {
   data_folder = "${var.factories_config.data_dir}/subnets/dev"
   psa_config  = try(var.psa_ranges.dev, null)
   # set explicit routes for googleapis in case the default route is deleted
-  routes = {
+  create_googleapis_routes = {
-    private-googleapis = {
+    private    = true
-      dest_range    = "199.36.153.8/30"
+    restricted = true
-      next_hop_type = "gateway"
-      next_hop      = "default-internet-gateway"
-    }
-    restricted-googleapis = {
-      dest_range    = "199.36.153.4/30"
-      next_hop_type = "gateway"
-      next_hop      = "default-internet-gateway"
-    }
   }
 }
 

fast/stages/2-networking-a-peering/spoke-prod.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -52,17 +52,9 @@ module "prod-spoke-vpc" {
   data_folder = "${var.factories_config.data_dir}/subnets/prod"
   psa_config  = try(var.psa_ranges.prod, null)
   # set explicit routes for googleapis in case the default route is deleted
-  routes = {
+  create_googleapis_routes = {
-    private-googleapis = {
+    private    = true
-      dest_range    = "199.36.153.8/30"
+    restricted = true
-      next_hop_type = "gateway"
-      next_hop      = "default-internet-gateway"
-    }
-    restricted-googleapis = {
-      dest_range    = "199.36.153.4/30"
-      next_hop_type = "gateway"
-      next_hop      = "default-internet-gateway"
-    }
   }
 }
 

fast/stages/2-networking-b-vpn/landing.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -51,17 +51,9 @@ module "landing-vpc" {
     inbound = true
   }
   # set explicit routes for googleapis in case the default route is deleted
-  routes = {
+  create_googleapis_routes = {
-    private-googleapis = {
+    private    = true
-      dest_range    = "199.36.153.8/30"
+    restricted = true
-      next_hop_type = "gateway"
-      next_hop      = "default-internet-gateway"
-    }
-    restricted-googleapis = {
-      dest_range    = "199.36.153.4/30"
-      next_hop_type = "gateway"
-      next_hop      = "default-internet-gateway"
-    }
   }
   data_folder = "${var.factories_config.data_dir}/subnets/landing"
 }

fast/stages/2-networking-b-vpn/spoke-dev.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -53,17 +53,9 @@ module "dev-spoke-vpc" {
   data_folder = "${var.factories_config.data_dir}/subnets/dev"
   psa_config  = try(var.psa_ranges.dev, null)
   # set explicit routes for googleapis in case the default route is deleted
-  routes = {
+  create_googleapis_routes = {
-    private-googleapis = {
+    private    = true
-      dest_range    = "199.36.153.8/30"
+    restricted = true
-      next_hop_type = "gateway"
-      next_hop      = "default-internet-gateway"
-    }
-    restricted-googleapis = {
-      dest_range    = "199.36.153.4/30"
-      next_hop_type = "gateway"
-      next_hop      = "default-internet-gateway"
-    }
   }
 }
 

fast/stages/2-networking-b-vpn/spoke-prod.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -52,17 +52,9 @@ module "prod-spoke-vpc" {
   data_folder = "${var.factories_config.data_dir}/subnets/prod"
   psa_config  = try(var.psa_ranges.prod, null)
   # set explicit routes for googleapis in case the default route is deleted
-  routes = {
+  create_googleapis_routes = {
-    private-googleapis = {
+    private    = true
-      dest_range    = "199.36.153.8/30"
+    restricted = true
-      next_hop_type = "gateway"
-      next_hop      = "default-internet-gateway"
-    }
-    restricted-googleapis = {
-      dest_range    = "199.36.153.4/30"
-      next_hop_type = "gateway"
-      next_hop      = "default-internet-gateway"
-    }
   }
 }
 

fast/stages/2-networking-c-nva/landing.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -53,6 +53,10 @@ module "landing-untrusted-vpc" {
     inbound = false
     logging = false
   }
+  create_googleapis_routes = {
+    private    = false
+    restricted = false
+  }
   data_folder = "${var.factories_config.data_dir}/subnets/landing-untrusted"
 }
 
@@ -116,17 +120,9 @@ module "landing-trusted-vpc" {
     inbound = true
   }
   # Set explicit routes for googleapis in case the default route is deleted
-  routes = {
+  create_googleapis_routes = {
-    private-googleapis = {
+    private    = true
-      dest_range    = "199.36.153.8/30"
+    restricted = true
-      next_hop_type = "gateway"
-      next_hop      = "default-internet-gateway"
-    }
-    restricted-googleapis = {
-      dest_range    = "199.36.153.4/30"
-      next_hop_type = "gateway"
-      next_hop      = "default-internet-gateway"
-    }
   }
 }
 

fast/stages/2-networking-c-nva/spoke-dev.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -53,19 +53,11 @@ module "dev-spoke-vpc" {
   delete_default_routes_on_create = true
   psa_config                      = try(var.psa_ranges.dev, null)
   # Set explicit routes for googleapis; send everything else to NVAs
+  create_googleapis_routes = {
+    private    = true
+    restricted = true
+  }
   routes = {
-    private-googleapis = {
-      dest_range    = "199.36.153.8/30"
-      priority      = 999
-      next_hop_type = "gateway"
-      next_hop      = "default-internet-gateway"
-    }
-    restricted-googleapis = {
-      dest_range    = "199.36.153.4/30"
-      priority      = 999
-      next_hop_type = "gateway"
-      next_hop      = "default-internet-gateway"
-    }
     nva-primary-to-primary = {
       dest_range    = "0.0.0.0/0"
       priority      = 1000

fast/stages/2-networking-c-nva/spoke-prod.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -52,19 +52,11 @@ module "prod-spoke-vpc" {
   delete_default_routes_on_create = true
   psa_config                      = try(var.psa_ranges.prod, null)
   # Set explicit routes for googleapis; send everything else to NVAs
+  create_googleapis_routes = {
+    private    = true
+    restricted = true
+  }
   routes = {
-    private-googleapis = {
-      dest_range    = "199.36.153.8/30"
-      priority      = 999
-      next_hop_type = "gateway"
-      next_hop      = "default-internet-gateway"
-    }
-    restricted-googleapis = {
-      dest_range    = "199.36.153.4/30"
-      priority      = 999
-      next_hop_type = "gateway"
-      next_hop      = "default-internet-gateway"
-    }
     nva-primary-to-primary = {
       dest_range    = "0.0.0.0/0"
       priority      = 1000

fast/stages/2-networking-d-separate-envs/spoke-dev.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -53,17 +53,9 @@ module "dev-spoke-vpc" {
   data_folder = "${var.factories_config.data_dir}/subnets/dev"
   psa_config  = try(var.psa_ranges.dev, null)
   # set explicit routes for googleapis in case the default route is deleted
-  routes = {
+  create_googleapis_routes = {
-    private-googleapis = {
+    private    = true
-      dest_range    = "199.36.153.8/30"
+    restricted = true
-      next_hop_type = "gateway"
-      next_hop      = "default-internet-gateway"
-    }
-    restricted-googleapis = {
-      dest_range    = "199.36.153.4/30"
-      next_hop_type = "gateway"
-      next_hop      = "default-internet-gateway"
-    }
   }
 }
 

fast/stages/2-networking-d-separate-envs/spoke-prod.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -52,17 +52,9 @@ module "prod-spoke-vpc" {
   data_folder = "${var.factories_config.data_dir}/subnets/prod"
   psa_config  = try(var.psa_ranges.prod, null)
   # set explicit routes for googleapis in case the default route is deleted
-  routes = {
+  create_googleapis_routes = {
-    private-googleapis = {
+    private    = true
-      dest_range    = "199.36.153.8/30"
+    restricted = true
-      next_hop_type = "gateway"
-      next_hop      = "default-internet-gateway"
-    }
-    restricted-googleapis = {
-      dest_range    = "199.36.153.4/30"
-      next_hop_type = "gateway"
-      next_hop      = "default-internet-gateway"
-    }
   }
 }
 

fast/stages/2-networking-e-nva-bgp/landing.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -54,6 +54,10 @@ module "landing-untrusted-vpc" {
     inbound = false
     logging = false
   }
+  create_googleapis_routes = {
+    private    = false
+    restricted = false
+  }
   data_folder = "${var.factories_config.data_dir}/subnets/landing-untrusted"
 }
 
@@ -117,17 +121,9 @@ module "landing-trusted-vpc" {
     inbound = true
   }
   # Set explicit routes for googleapis in case the default route is deleted
-  routes = {
+  create_googleapis_routes = {
-    private-googleapis = {
+    private    = true
-      dest_range    = "199.36.153.8/30"
+    restricted = true
-      next_hop_type = "gateway"
-      next_hop      = "default-internet-gateway"
-    }
-    restricted-googleapis = {
-      dest_range    = "199.36.153.4/30"
-      next_hop_type = "gateway"
-      next_hop      = "default-internet-gateway"
-    }
   }
 }
 

fast/stages/2-networking-e-nva-bgp/spoke-dev.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -53,19 +53,9 @@ module "dev-spoke-vpc" {
   delete_default_routes_on_create = true
   psa_config                      = try(var.psa_ranges.dev, null)
   # Set explicit routes for googleapis; send everything else to NVAs
-  routes = {
+  create_googleapis_routes = {
-    private-googleapis = {
+    private    = true
-      dest_range    = "199.36.153.8/30"
+    restricted = true
-      priority      = 999
-      next_hop_type = "gateway"
-      next_hop      = "default-internet-gateway"
-    }
-    restricted-googleapis = {
-      dest_range    = "199.36.153.4/30"
-      priority      = 999
-      next_hop_type = "gateway"
-      next_hop      = "default-internet-gateway"
-    }
   }
 }
 

fast/stages/2-networking-e-nva-bgp/spoke-prod.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -52,19 +52,9 @@ module "prod-spoke-vpc" {
   delete_default_routes_on_create = true
   psa_config                      = try(var.psa_ranges.prod, null)
   # Set explicit routes for googleapis; send everything else to NVAs
-  routes = {
+  create_googleapis_routes = {
-    private-googleapis = {
+    private    = true
-      dest_range    = "199.36.153.8/30"
+    restricted = true
-      priority      = 999
-      next_hop_type = "gateway"
-      next_hop      = "default-internet-gateway"
-    }
-    restricted-googleapis = {
-      dest_range    = "199.36.153.4/30"
-      priority      = 999
-      next_hop_type = "gateway"
-      next_hop      = "default-internet-gateway"
-    }
   }
 }
 

modules/cloudsql-instance/README.md

@@ -39,7 +39,7 @@ module "db" {
   database_version = "POSTGRES_13"
   tier             = "db-g1-small"
 }
-# tftest modules=3 resources=9 inventory=simple.yaml
+# tftest modules=3 resources=11 inventory=simple.yaml
 ```
 
 ## Cross-regional read replica

modules/gke-hub/README.md

@@ -119,7 +119,7 @@ module "hub" {
   }
 }
 
-# tftest modules=4 resources=16 inventory=full.yaml
+# tftest modules=4 resources=18 inventory=full.yaml
 ```
 
 ## Multi-cluster mesh on GKE
@@ -314,7 +314,7 @@ module "hub" {
   ]
 }
 
-# tftest modules=8 resources=32
+# tftest modules=8 resources=34
 ```
 <!-- BEGIN TFDOC -->
 

modules/net-vpc-firewall-policy/README.md

@@ -59,7 +59,7 @@ module "firewall-policy" {
     }
   }
 }
-# tftest modules=2 resources=7
+# tftest modules=2 resources=9
 ```
 <!-- BEGIN TFDOC -->
 

modules/net-vpc/README.md

@@ -17,6 +17,7 @@ This module allows creation and management of VPC networks including subnetworks
     - [DNS Policies](#dns-policies)
     - [Subnet Factory](#subnet-factory)
     - [Custom Routes](#custom-routes)
+    - [Private Google Access routes](#private-google-access-routes)
     - [Allow Firewall Policy to be evaluated before Firewall Rules](#allow-firewall-policy-to-be-evaluated-before-firewall-rules)
   - [Variables](#variables)
   - [Outputs](#outputs)
@@ -45,7 +46,7 @@ module "vpc" {
     }
   ]
 }
-# tftest modules=1 resources=3 inventory=simple.yaml
+# tftest modules=1 resources=5 inventory=simple.yaml
 ```
 
 ### Subnet Options
@@ -92,7 +93,7 @@ module "vpc" {
     }
   ]
 }
-# tftest modules=1 resources=5 inventory=subnet-options.yaml
+# tftest modules=1 resources=7 inventory=subnet-options.yaml
 ```
 
 ### Subnet IAM
@@ -129,7 +130,7 @@ module "vpc" {
     }
   }
 }
-# tftest modules=1 resources=6 inventory=subnet-iam.yaml
+# tftest modules=1 resources=8 inventory=subnet-iam.yaml
 ```
 
 ### Peering
@@ -164,7 +165,7 @@ module "vpc-spoke-1" {
     import_routes      = true
   }
 }
-# tftest modules=2 resources=6 inventory=peering.yaml
+# tftest modules=2 resources=10 inventory=peering.yaml
 ```
 
 ### Shared VPC
@@ -215,7 +216,7 @@ module "vpc-host" {
     }
   }
 }
-# tftest modules=1 resources=7 inventory=shared-vpc.yaml
+# tftest modules=1 resources=9 inventory=shared-vpc.yaml
 ```
 
 ### Private Service Networking
@@ -236,7 +237,7 @@ module "vpc" {
     ranges = { myrange = "10.0.1.0/24" }
   }
 }
-# tftest modules=1 resources=5 inventory=psc.yaml
+# tftest modules=1 resources=7 inventory=psc.yaml
 ```
 
 ### Private Service Networking with peering routes
@@ -261,7 +262,7 @@ module "vpc" {
     import_routes = true
   }
 }
-# tftest modules=1 resources=5 inventory=psc-routes.yaml
+# tftest modules=1 resources=7 inventory=psc-routes.yaml
 ```
 
 ### Subnets for Private Service Connect, Proxy-only subnets
@@ -293,7 +294,7 @@ module "vpc" {
     }
   ]
 }
-# tftest modules=1 resources=3 inventory=proxy-only-subnets.yaml
+# tftest modules=1 resources=5 inventory=proxy-only-subnets.yaml
 ```
 
 ### DNS Policies
@@ -318,7 +319,7 @@ module "vpc" {
     }
   ]
 }
-# tftest modules=1 resources=3 inventory=dns-policies.yaml
+# tftest modules=1 resources=5 inventory=dns-policies.yaml
 ```
 
 ### Subnet Factory
@@ -332,7 +333,7 @@ module "vpc" {
   name        = "my-network"
   data_folder = "config/subnets"
 }
-# tftest modules=1 resources=9 files=subnet-simple,subnet-simple-2,subnet-detailed,subnet-proxy,subnet-psc inventory=factory.yaml
+# tftest modules=1 resources=11 files=subnet-simple,subnet-simple-2,subnet-detailed,subnet-proxy,subnet-psc inventory=factory.yaml
 ```
 
 ```yaml
@@ -400,6 +401,7 @@ locals {
     vpn_tunnel = "regions/europe-west1/vpnTunnels/foo"
   }
 }
+
 module "vpc" {
   source     = "./fabric/modules/net-vpc"
   for_each   = local.route_types
@@ -420,10 +422,36 @@ module "vpc" {
       next_hop      = "global/gateways/default-internet-gateway"
     }
   }
+  create_googleapis_routes = {
+    restricted   = false
+    restricted-6 = false
+    private      = false
+    private-6    = false
+  }
 }
 # tftest modules=5 resources=15 inventory=routes.yaml
 ```
 
+###  Private Google Access routes
+
+By default the VPC module creates IPv4 routes for the [Private Google Access ranges](https://cloud.google.com/vpc/docs/configure-private-google-access#config-routing). This behavior can be controlled through the `create_googleapis_routes` variable:
+
+```hcl
+module "vpc" {
+  source     = "./fabric/modules/net-vpc"
+  project_id = "my-project"
+  name       = "my-vpc"
+  create_googleapis_routes = {
+    restricted   = false
+    restricted-6 = true
+    private      = false
+    private-6    = true
+  }
+}
+# tftest modules=1 resources=3 inventory=googleapis.yaml
+```
+
+
 ### Allow Firewall Policy to be evaluated before Firewall Rules
 
 ```hcl
@@ -449,7 +477,7 @@ module "vpc" {
     }
   ]
 }
-# tftest modules=1 resources=3 inventory=firewall_policy_enforcement_order.yaml
+# tftest modules=1 resources=5 inventory=firewall_policy_enforcement_order.yaml
 ```
 <!-- BEGIN TFDOC -->
 
@@ -457,27 +485,28 @@ module "vpc" {
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [name](variables.tf#L72) | The name of the network being created. | <code>string</code> | ✓ |  |
+| [name](variables.tf#L84) | The name of the network being created. | <code>string</code> | ✓ |  |
-| [project_id](variables.tf#L88) | The ID of the project where this VPC will be created. | <code>string</code> | ✓ |  |
+| [project_id](variables.tf#L100) | The ID of the project where this VPC will be created. | <code>string</code> | ✓ |  |
 | [auto_create_subnetworks](variables.tf#L17) | Set to true to create an auto mode subnet, defaults to custom mode. | <code>bool</code> |  | <code>false</code> |
-| [data_folder](variables.tf#L23) | An optional folder containing the subnet configurations in YaML format. | <code>string</code> |  | <code>null</code> |
+| [create_googleapis_routes](variables.tf#L23) | Toggle creation of googleapis private/restricted routes. | <code title="object&#40;&#123;&#10;  private      &#61; optional&#40;bool, true&#41;&#10;  private-6    &#61; optional&#40;bool, false&#41;&#10;  restricted   &#61; optional&#40;bool, true&#41;&#10;  restricted-6 &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [delete_default_routes_on_create](variables.tf#L29) | Set to true to delete the default routes at creation time. | <code>bool</code> |  | <code>false</code> |
+| [data_folder](variables.tf#L35) | An optional folder containing the subnet configurations in YaML format. | <code>string</code> |  | <code>null</code> |
-| [description](variables.tf#L35) | An optional description of this resource (triggers recreation on change). | <code>string</code> |  | <code>&#34;Terraform-managed.&#34;</code> |
+| [delete_default_routes_on_create](variables.tf#L41) | Set to true to delete the default routes at creation time. | <code>bool</code> |  | <code>false</code> |
-| [dns_policy](variables.tf#L41) | DNS policy setup for the VPC. | <code title="object&#40;&#123;&#10;  inbound &#61; optional&#40;bool&#41;&#10;  logging &#61; optional&#40;bool&#41;&#10;  outbound &#61; optional&#40;object&#40;&#123;&#10;    private_ns &#61; list&#40;string&#41;&#10;    public_ns  &#61; list&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [description](variables.tf#L47) | An optional description of this resource (triggers recreation on change). | <code>string</code> |  | <code>&#34;Terraform-managed.&#34;</code> |
-| [firewall_policy_enforcement_order](variables.tf#L54) | Order that Firewall Rules and Firewall Policies are evaluated. Can be either 'BEFORE_CLASSIC_FIREWALL' or 'AFTER_CLASSIC_FIREWALL'. | <code>string</code> |  | <code>&#34;AFTER_CLASSIC_FIREWALL&#34;</code> |
+| [dns_policy](variables.tf#L53) | DNS policy setup for the VPC. | <code title="object&#40;&#123;&#10;  inbound &#61; optional&#40;bool&#41;&#10;  logging &#61; optional&#40;bool&#41;&#10;  outbound &#61; optional&#40;object&#40;&#123;&#10;    private_ns &#61; list&#40;string&#41;&#10;    public_ns  &#61; list&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [mtu](variables.tf#L66) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 (the default) and the maximum value is 1500 bytes. | <code>number</code> |  | <code>null</code> |
+| [firewall_policy_enforcement_order](variables.tf#L66) | Order that Firewall Rules and Firewall Policies are evaluated. Can be either 'BEFORE_CLASSIC_FIREWALL' or 'AFTER_CLASSIC_FIREWALL'. | <code>string</code> |  | <code>&#34;AFTER_CLASSIC_FIREWALL&#34;</code> |
-| [peering_config](variables.tf#L77) | VPC peering configuration. | <code title="object&#40;&#123;&#10;  peer_vpc_self_link &#61; string&#10;  create_remote_peer &#61; optional&#40;bool, true&#41;&#10;  export_routes      &#61; optional&#40;bool&#41;&#10;  import_routes      &#61; optional&#40;bool&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [mtu](variables.tf#L78) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 (the default) and the maximum value is 1500 bytes. | <code>number</code> |  | <code>null</code> |
-| [psa_config](variables.tf#L93) | The Private Service Access configuration for Service Networking. | <code title="object&#40;&#123;&#10;  ranges        &#61; map&#40;string&#41;&#10;  export_routes &#61; optional&#40;bool, false&#41;&#10;  import_routes &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [peering_config](variables.tf#L89) | VPC peering configuration. | <code title="object&#40;&#123;&#10;  peer_vpc_self_link &#61; string&#10;  create_remote_peer &#61; optional&#40;bool, true&#41;&#10;  export_routes      &#61; optional&#40;bool&#41;&#10;  import_routes      &#61; optional&#40;bool&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [routes](variables.tf#L103) | Network routes, keyed by name. | <code title="map&#40;object&#40;&#123;&#10;  dest_range    &#61; string&#10;  next_hop_type &#61; string &#35; gateway, instance, ip, vpn_tunnel, ilb&#10;  next_hop      &#61; string&#10;  priority      &#61; optional&#40;number&#41;&#10;  tags          &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [psa_config](variables.tf#L105) | The Private Service Access configuration for Service Networking. | <code title="object&#40;&#123;&#10;  ranges        &#61; map&#40;string&#41;&#10;  export_routes &#61; optional&#40;bool, false&#41;&#10;  import_routes &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [routing_mode](variables.tf#L123) | The network routing mode (default 'GLOBAL'). | <code>string</code> |  | <code>&#34;GLOBAL&#34;</code> |
+| [routes](variables.tf#L115) | Network routes, keyed by name. | <code title="map&#40;object&#40;&#123;&#10;  dest_range    &#61; string&#10;  next_hop_type &#61; string &#35; gateway, instance, ip, vpn_tunnel, ilb&#10;  next_hop      &#61; string&#10;  priority      &#61; optional&#40;number&#41;&#10;  tags          &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [shared_vpc_host](variables.tf#L133) | Enable shared VPC for this project. | <code>bool</code> |  | <code>false</code> |
+| [routing_mode](variables.tf#L135) | The network routing mode (default 'GLOBAL'). | <code>string</code> |  | <code>&#34;GLOBAL&#34;</code> |
-| [shared_vpc_service_projects](variables.tf#L139) | Shared VPC service projects to register with this host. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
+| [shared_vpc_host](variables.tf#L145) | Enable shared VPC for this project. | <code>bool</code> |  | <code>false</code> |
-| [subnet_iam](variables.tf#L145) | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | <code>map&#40;map&#40;list&#40;string&#41;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [shared_vpc_service_projects](variables.tf#L151) | Shared VPC service projects to register with this host. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
-| [subnet_iam_additive](variables.tf#L151) | Subnet IAM additive bindings in {REGION/NAME => {ROLE => [MEMBERS]}} format. | <code>map&#40;map&#40;list&#40;string&#41;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [subnet_iam](variables.tf#L157) | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | <code>map&#40;map&#40;list&#40;string&#41;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [subnets](variables.tf#L158) | Subnet configuration. | <code title="list&#40;object&#40;&#123;&#10;  name                  &#61; string&#10;  ip_cidr_range         &#61; string&#10;  region                &#61; string&#10;  description           &#61; optional&#40;string&#41;&#10;  enable_private_access &#61; optional&#40;bool, true&#41;&#10;  flow_logs_config &#61; optional&#40;object&#40;&#123;&#10;    aggregation_interval &#61; optional&#40;string&#41;&#10;    filter_expression    &#61; optional&#40;string&#41;&#10;    flow_sampling        &#61; optional&#40;number&#41;&#10;    metadata             &#61; optional&#40;string&#41;&#10;    metadata_fields &#61; optional&#40;list&#40;string&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  ipv6 &#61; optional&#40;object&#40;&#123;&#10;    access_type           &#61; optional&#40;string&#41;&#10;    enable_private_access &#61; optional&#40;bool, true&#41;&#10;  &#125;&#41;&#41;&#10;  secondary_ip_ranges &#61; optional&#40;map&#40;string&#41;&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
+| [subnet_iam_additive](variables.tf#L163) | Subnet IAM additive bindings in {REGION/NAME => {ROLE => [MEMBERS]}} format. | <code>map&#40;map&#40;list&#40;string&#41;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [subnets_proxy_only](variables.tf#L183) | List of proxy-only subnets for Regional HTTPS  or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | <code title="list&#40;object&#40;&#123;&#10;  name          &#61; string&#10;  ip_cidr_range &#61; string&#10;  region        &#61; string&#10;  description   &#61; optional&#40;string&#41;&#10;  active        &#61; bool&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
+| [subnets](variables.tf#L170) | Subnet configuration. | <code title="list&#40;object&#40;&#123;&#10;  name                  &#61; string&#10;  ip_cidr_range         &#61; string&#10;  region                &#61; string&#10;  description           &#61; optional&#40;string&#41;&#10;  enable_private_access &#61; optional&#40;bool, true&#41;&#10;  flow_logs_config &#61; optional&#40;object&#40;&#123;&#10;    aggregation_interval &#61; optional&#40;string&#41;&#10;    filter_expression    &#61; optional&#40;string&#41;&#10;    flow_sampling        &#61; optional&#40;number&#41;&#10;    metadata             &#61; optional&#40;string&#41;&#10;    metadata_fields &#61; optional&#40;list&#40;string&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  ipv6 &#61; optional&#40;object&#40;&#123;&#10;    access_type           &#61; optional&#40;string&#41;&#10;    enable_private_access &#61; optional&#40;bool, true&#41;&#10;  &#125;&#41;&#41;&#10;  secondary_ip_ranges &#61; optional&#40;map&#40;string&#41;&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
-| [subnets_psc](variables.tf#L195) | List of subnets for Private Service Connect service producers. | <code title="list&#40;object&#40;&#123;&#10;  name          &#61; string&#10;  ip_cidr_range &#61; string&#10;  region        &#61; string&#10;  description   &#61; optional&#40;string&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
+| [subnets_proxy_only](variables.tf#L195) | List of proxy-only subnets for Regional HTTPS  or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | <code title="list&#40;object&#40;&#123;&#10;  name          &#61; string&#10;  ip_cidr_range &#61; string&#10;  region        &#61; string&#10;  description   &#61; optional&#40;string&#41;&#10;  active        &#61; bool&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
-| [vpc_create](variables.tf#L206) | Create VPC. When set to false, uses a data source to reference existing VPC. | <code>bool</code> |  | <code>true</code> |
+| [subnets_psc](variables.tf#L207) | List of subnets for Private Service Connect service producers. | <code title="list&#40;object&#40;&#123;&#10;  name          &#61; string&#10;  ip_cidr_range &#61; string&#10;  region        &#61; string&#10;  description   &#61; optional&#40;string&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
+| [vpc_create](variables.tf#L218) | Create VPC. When set to false, uses a data source to reference existing VPC. | <code>bool</code> |  | <code>true</code> |
 
 ## Outputs
 

modules/net-vpc/routes.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,7 +17,23 @@
 # tfdoc:file:description Route resources.
 
 locals {
-  _routes = var.routes == null ? {} : var.routes
+  _googleapis_ranges = {
+    private      = "199.36.153.8/30"
+    private-6    = "2600:2d00:0002:2000::/64"
+    restricted   = "199.36.153.4/30"
+    restricted-6 = "2600:2d00:0002:1000::/64"
+  }
+  _googleapis_routes = {
+    for k, v in local._googleapis_ranges : "${k}-googleapis" => {
+      dest_range    = v
+      next_hop      = "default-internet-gateway"
+      next_hop_type = "gateway"
+      priority      = 1000
+      tags          = null
+    }
+    if var.create_googleapis_routes[k]
+  }
+  _routes = merge(local._googleapis_routes, coalesce(var.routes, {}))
   routes = {
     gateway    = { for k, v in local._routes : k => v if v.next_hop_type == "gateway" }
     ilb        = { for k, v in local._routes : k => v if v.next_hop_type == "ilb" }

modules/net-vpc/variables.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,6 +20,18 @@ variable "auto_create_subnetworks" {
   default     = false
 }
 
+variable "create_googleapis_routes" {
+  description = "Toggle creation of googleapis private/restricted routes."
+  type = object({
+    private      = optional(bool, true)
+    private-6    = optional(bool, false)
+    restricted   = optional(bool, true)
+    restricted-6 = optional(bool, false)
+  })
+  default  = {}
+  nullable = false
+}
+
 variable "data_folder" {
   description = "An optional folder containing the subnet configurations in YaML format."
   type        = string

tests/modules/net_vpc/examples/dns-policies.yaml

@@ -36,7 +36,3 @@ counts:
   google_compute_network: 1
   google_compute_subnetwork: 1
   google_dns_policy: 1
-  modules: 1
-  resources: 3
-
-outputs: {}

tests/modules/net_vpc/examples/googleapis.yaml

@@ -0,0 +1,39 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.vpc.google_compute_route.gateway["private-6-googleapis"]:
+    dest_range: 2600:2d00:0002:2000::/64
+    name: my-vpc-private-6-googleapis
+    next_hop_gateway: default-internet-gateway
+    next_hop_ilb: null
+    next_hop_instance: null
+    next_hop_vpn_tunnel: null
+    priority: 1000
+    project: my-project
+    tags: null
+  module.vpc.google_compute_route.gateway["restricted-6-googleapis"]:
+    dest_range: 2600:2d00:0002:1000::/64
+    name: my-vpc-restricted-6-googleapis
+    next_hop_gateway: default-internet-gateway
+    next_hop_ilb: null
+    next_hop_instance: null
+    next_hop_vpn_tunnel: null
+    priority: 1000
+    project: my-project
+    tags: null
+
+counts:
+  google_compute_network: 1
+  google_compute_route: 2

tests/modules/net_vpc/examples/simple.yaml

@@ -44,7 +44,31 @@ values:
     region: europe-west2
     role: null
     secondary_ip_range: []
+  module.vpc.google_compute_route.gateway["private-googleapis"]:
+    dest_range: 199.36.153.8/30
+    name: my-network-private-googleapis
+    next_hop_gateway: default-internet-gateway
+    next_hop_ilb: null
+    next_hop_instance: null
+    next_hop_vpn_tunnel: null
+    priority: 1000
+    project: my-project
+    tags: null
+    timeouts: null
+  module.vpc.google_compute_route.gateway["restricted-googleapis"]:
+    description: Terraform-managed.
+    dest_range: 199.36.153.4/30
+    name: my-network-restricted-googleapis
+    next_hop_gateway: default-internet-gateway
+    next_hop_ilb: null
+    next_hop_instance: null
+    next_hop_vpn_tunnel: null
+    priority: 1000
+    project: my-project
+    tags: null
+    timeouts: null
 
 counts:
   google_compute_network: 1
   google_compute_subnetwork: 2
+  google_compute_route: 2

tests/modules/net_vpc/examples/subnet-iam.yaml

@@ -54,5 +54,4 @@ counts:
   google_compute_subnetwork: 2
   google_compute_subnetwork_iam_binding: 1
   google_compute_subnetwork_iam_member: 2
-
+  google_compute_route: 2
-outputs: {}