From 6fc960ea0b1d28fe7f4983a0eb55a07a1491b016 Mon Sep 17 00:00:00 2001 From: Ewa Wojtach Date: Thu, 26 Oct 2023 07:23:13 +0200 Subject: [PATCH 1/4] empty gpu sharing config fix --- modules/gke-nodepool/main.tf | 3 ++- tests/modules/gke_nodepool/examples/guest-accelerator.yaml | 4 +--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/modules/gke-nodepool/main.tf b/modules/gke-nodepool/main.tf index f5a104bd..728d6713 100644 --- a/modules/gke-nodepool/main.tf +++ b/modules/gke-nodepool/main.tf @@ -168,7 +168,8 @@ resource "google_container_node_pool" "nodepool" { gpu_partition_size = var.node_config.guest_accelerator.gpu_driver == null ? null : var.node_config.guest_accelerator.gpu_driver.partition_size dynamic "gpu_sharing_config" { - for_each = var.node_config.guest_accelerator.gpu_driver != null ? [""] : [] + #for_each = var.node_config.guest_accelerator.gpu_driver != null ? [""] : [] + for_each = var.node_config.guest_accelerator.gpu_driver == null ? [] : (var.node_config.guest_accelerator.gpu_driver.max_shared_clients_per_gpu != null ? [""] : []) content { gpu_sharing_strategy = var.node_config.guest_accelerator.gpu_driver.max_shared_clients_per_gpu != null ? "TIME_SHARING" : null max_shared_clients_per_gpu = var.node_config.guest_accelerator.gpu_driver.max_shared_clients_per_gpu diff --git a/tests/modules/gke_nodepool/examples/guest-accelerator.yaml b/tests/modules/gke_nodepool/examples/guest-accelerator.yaml index 5f125ef6..8f505054 100644 --- a/tests/modules/gke_nodepool/examples/guest-accelerator.yaml +++ b/tests/modules/gke_nodepool/examples/guest-accelerator.yaml @@ -29,9 +29,7 @@ values: gpu_driver_installation_config: - gpu_driver_version: LATEST gpu_partition_size: null - gpu_sharing_config: - - gpu_sharing_strategy: null - max_shared_clients_per_gpu: null + gpu_sharing_config: null type: nvidia-tesla-a100 gvnic: [] machine_type: a2-highgpu-1g From 98dde0c57f22aa08bc269582fcf6ae2ac78ff0c7 Mon Sep 17 00:00:00 2001 
From: Ewa Wojtach Date: Fri, 27 Oct 2023 08:38:37 +0200 Subject: [PATCH 2/4] review comments --- modules/gke-nodepool/main.tf | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/modules/gke-nodepool/main.tf b/modules/gke-nodepool/main.tf index 728d6713..40f7fcf3 100644 --- a/modules/gke-nodepool/main.tf +++ b/modules/gke-nodepool/main.tf @@ -168,8 +168,10 @@ resource "google_container_node_pool" "nodepool" { gpu_partition_size = var.node_config.guest_accelerator.gpu_driver == null ? null : var.node_config.guest_accelerator.gpu_driver.partition_size dynamic "gpu_sharing_config" { - #for_each = var.node_config.guest_accelerator.gpu_driver != null ? [""] : [] - for_each = var.node_config.guest_accelerator.gpu_driver == null ? [] : (var.node_config.guest_accelerator.gpu_driver.max_shared_clients_per_gpu != null ? [""] : []) + for_each = lookup( + lookup(var.node_config.guest_accelerator, "gpu_driver", {}), + "max_shared_clients_per_gpu" + ) != null ? [""] : [] content { gpu_sharing_strategy = var.node_config.guest_accelerator.gpu_driver.max_shared_clients_per_gpu != null ? "TIME_SHARING" : null max_shared_clients_per_gpu = var.node_config.guest_accelerator.gpu_driver.max_shared_clients_per_gpu From cf55638f409187886f0f8e1555c9329923e2c114 Mon Sep 17 00:00:00 2001 
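Review bot: The `{}` default on the outer `lookup` only applies when the `gpu_driver` key is absent, whereas the line this replaces treated `gpu_driver` as present-but-null; in that case the outer call returns null and the inner `lookup` receives null as its map argument, which I would expect Terraform to reject rather than treat as an empty map. The inner call also uses the two-argument `lookup` form, which Terraform deprecates in favour of plain index syntax. Spelling the intent with `try()` covers both cases in one line: `for_each = try(var.node_config.guest_accelerator.gpu_driver.max_shared_clients_per_gpu, null) != null ? [""] : []`. The enclosing `google_container_node_pool` resource starts and ends outside the hunk.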
From: Simone Ruffilli Date: Fri, 27 Oct 2023 10:23:08 +0200 Subject: [PATCH 3/4] FAST: rename VPC-related files to `net-*` (#1818) --- fast/stages/2-networking-a-peering/README.md | 12 ++++++------ .../{spoke-dev.tf => net-dev.tf} | 0 .../{landing.tf => net-landing.tf} | 0 .../{spoke-prod.tf => net-prod.tf} | 0 fast/stages/2-networking-b-vpn/README.md | 14 +++++++------- .../{spoke-dev.tf => net-dev.tf} | 0 .../{landing.tf => net-landing.tf} | 0 .../{spoke-prod.tf => net-prod.tf} | 0 fast/stages/2-networking-c-nva/README.md | 12 ++++++------ .../{spoke-dev.tf => net-dev.tf} | 0 .../{landing.tf => net-landing.tf} | 0 .../{spoke-prod.tf => net-prod.tf} | 0 fast/stages/2-networking-d-separate-envs/README.md | 4 ++-- .../{spoke-dev.tf => net-dev.tf} | 0 .../{spoke-prod.tf => net-prod.tf} | 0 fast/stages/2-networking-e-nva-bgp/README.md | 12 ++++++------ .../{spoke-dev.tf => net-dev.tf} | 0 .../{landing.tf => net-landing.tf} | 0 .../{spoke-prod.tf => net-prod.tf} | 0 19 files changed, 27 insertions(+), 27 deletions(-) rename fast/stages/2-networking-a-peering/{spoke-dev.tf => net-dev.tf} (100%) rename fast/stages/2-networking-a-peering/{landing.tf => net-landing.tf} (100%) rename fast/stages/2-networking-a-peering/{spoke-prod.tf => net-prod.tf} (100%) rename fast/stages/2-networking-b-vpn/{spoke-dev.tf => net-dev.tf} (100%) rename fast/stages/2-networking-b-vpn/{landing.tf => net-landing.tf} (100%) rename fast/stages/2-networking-b-vpn/{spoke-prod.tf => net-prod.tf} (100%) rename fast/stages/2-networking-c-nva/{spoke-dev.tf => net-dev.tf} (100%) rename fast/stages/2-networking-c-nva/{landing.tf => net-landing.tf} (100%) rename fast/stages/2-networking-c-nva/{spoke-prod.tf => net-prod.tf} (100%) rename fast/stages/2-networking-d-separate-envs/{spoke-dev.tf => net-dev.tf} (100%) rename fast/stages/2-networking-d-separate-envs/{spoke-prod.tf => net-prod.tf} (100%) rename fast/stages/2-networking-e-nva-bgp/{spoke-dev.tf => net-dev.tf} (100%) rename 
fast/stages/2-networking-e-nva-bgp/{landing.tf => net-landing.tf} (100%) rename fast/stages/2-networking-e-nva-bgp/{spoke-prod.tf => net-prod.tf} (100%) diff --git a/fast/stages/2-networking-a-peering/README.md b/fast/stages/2-networking-a-peering/README.md index e0c9f9b2..93db80e6 100644 --- a/fast/stages/2-networking-a-peering/README.md +++ b/fast/stages/2-networking-a-peering/README.md @@ -190,7 +190,7 @@ DNS queries sent to the on-premises infrastructure come from the `35.199.192.0/1 #### On-prem to cloud -The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in module `landing-vpc` ([`landing.tf`](./landing.tf)) automatically reserves the first available IP address on each created subnet (typically the third one in a CIDR) to expose the Cloud DNS service so that it can be consumed from outside of GCP. +The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in module `landing-vpc` ([`net-landing.tf`](./net-landing.tf)) automatically reserves the first available IP address on each created subnet (typically the third one in a CIDR) to expose the Cloud DNS service so that it can be consumed from outside of GCP. ## How to run this stage 
@@ -349,9 +349,9 @@ vpn_onprem_primary_config = { To create a new environment (e.g. `staging`), a few changes are required. -Create a `spoke-staging.tf` file by copying `spoke-prod.tf` file, +Create a `net-staging.tf` file by copying `net-prod.tf` file, and adapt the new file by replacing the value "prod" with the value "staging". -Running `diff spoke-dev.tf spoke-prod.tf` can help to see how environment files differ. +Running `diff net-dev.tf net-prod.tf` can help to see how environment files differ. The new VPC requires a set of dedicated CIDRs, one per region, added to variable `custom_adv` (for example as `spoke_staging_primary` and `spoke_staging_secondary`). >`custom_adv` is a map that "resolves" CIDR names to actual addresses, and will be used later to configure routing. 
@@ -369,15 +369,15 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | dns | | | [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | dns · dns-response-policy | | | [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | dns | | -| [landing.tf](./landing.tf) | Landing VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | | | [main.tf](./main.tf) | Networking folder and hierarchical policy. | folder · net-firewall-policy | | | [monitoring-vpn-onprem.tf](./monitoring-vpn-onprem.tf) | VPN monitoring alerts. | | google_monitoring_alert_policy | | [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | google_monitoring_dashboard | +| [net-dev.tf](./net-dev.tf) | Dev spoke VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | | +| [net-landing.tf](./net-landing.tf) | Landing VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | | +| [net-prod.tf](./net-prod.tf) | Production spoke VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | | | [outputs.tf](./outputs.tf) | Module outputs. | | google_storage_bucket_object · local_file | | [peerings.tf](./peerings.tf) | None | net-vpc-peering | | | [regions.tf](./regions.tf) | Compute short names for regions. | | | -| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | | -| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | | | [test-resources.tf](./test-resources.tf) | temporary instances for testing | compute-vm | | | [variables-peerings.tf](./variables-peerings.tf) | Peering related variables. | | | | [variables.tf](./variables.tf) | Module variables. | | | 
diff --git a/fast/stages/2-networking-a-peering/spoke-dev.tf b/fast/stages/2-networking-a-peering/net-dev.tf similarity index 100% rename from fast/stages/2-networking-a-peering/spoke-dev.tf rename to fast/stages/2-networking-a-peering/net-dev.tf diff --git a/fast/stages/2-networking-a-peering/landing.tf b/fast/stages/2-networking-a-peering/net-landing.tf similarity index 100% rename from fast/stages/2-networking-a-peering/landing.tf rename to fast/stages/2-networking-a-peering/net-landing.tf diff --git a/fast/stages/2-networking-a-peering/spoke-prod.tf b/fast/stages/2-networking-a-peering/net-prod.tf similarity index 100% rename from fast/stages/2-networking-a-peering/spoke-prod.tf rename to fast/stages/2-networking-a-peering/net-prod.tf diff --git a/fast/stages/2-networking-b-vpn/README.md b/fast/stages/2-networking-b-vpn/README.md index 1ce344b5..26e9d619 100644 --- a/fast/stages/2-networking-b-vpn/README.md +++ b/fast/stages/2-networking-b-vpn/README.md @@ -203,7 +203,7 @@ DNS queries sent to the on-premises infrastructure come from the `35.199.192.0/1 #### On-prem to cloud -The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in module `landing-vpc` ([`landing.tf`](./landing.tf)) automatically reserves the first available IP address on each created subnet (typically the third one in a CIDR) to expose the Cloud DNS service so that it can be consumed from outside of GCP. +The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in module `landing-vpc` ([`net-landing.tf`](./net-landing.tf)) automatically reserves the first available IP address on each created subnet (typically the third one in a CIDR) to expose the Cloud DNS service so that it can be consumed from outside of GCP. ## How to run this stage 
@@ -362,9 +362,9 @@ vpn_onprem_primary_config = { To create a new environment (e.g. `staging`), a few changes are required. -Create a `spoke-staging.tf` file by copying `spoke-prod.tf` file, +Create a `net-staging.tf` file by copying `net-prod.tf` file, and adapt the new file by replacing the value "prod" with the value "staging". -Running `diff spoke-dev.tf spoke-prod.tf` can help to see how environment files differ. +Running `diff net-dev.tf net-prod.tf` can help to see how environment files differ. The new VPC requires a set of dedicated CIDRs, one per region, added to variable `custom_adv` (for example as `spoke_staging_ew1` and `spoke_staging_ew4`). >`custom_adv` is a map that "resolves" CIDR names to actual addresses, and will be used later to configure routing. @@ -372,7 +372,7 @@ The new VPC requires a set of dedicated CIDRs, one per region, added to variable Variables managing L7 Internal Load Balancers (`l7ilb_subnets`) and Private Service Access (`psa_ranges`) should also be adapted, also subnets and firewall rules for the new spoke should be added as described above. HA VPN connectivity (see also [VPNs](#vpns)) to `landing` is managed by the `vpn-spoke-*.tf` files. -Copy `vpn-spoke-dev.tf` to `vpn-spoke-staging.tf` - replace `dev` with `staging` where relevant. +Copy `vpn-net-dev.tf` to `vpn-net-staging.tf` - replace `dev` with `staging` where relevant. VPN configuration also controls BGP advertisements, which requires the following variable changes: 
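Review bot: The rewritten line in the second hunk tells readers to copy `vpn-net-dev.tf`, but nothing in this series creates a file by that name: the diffstat for `2-networking-b-vpn` renames only `spoke-dev.tf`, `landing.tf` and `spoke-prod.tf`, and the unchanged sentence just above still says HA VPN connectivity is managed by the `vpn-spoke-*.tf` files. Unless the VPN files are renamed in a follow-up, this looks like a search-and-replace over-reach and the line should keep `vpn-spoke-dev.tf` and `vpn-spoke-staging.tf` as the file names.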
@@ -391,14 +391,14 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | dns | | | [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | dns · dns-response-policy | | | [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | dns | | -| [landing.tf](./landing.tf) | Landing VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | | | [main.tf](./main.tf) | Networking folder and hierarchical policy. | folder · net-firewall-policy | | | [monitoring-vpn.tf](./monitoring-vpn.tf) | VPN monitoring alerts. | | google_monitoring_alert_policy | | [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | google_monitoring_dashboard | +| [net-dev.tf](./net-dev.tf) | Dev spoke VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | | +| [net-landing.tf](./net-landing.tf) | Landing VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | | +| [net-prod.tf](./net-prod.tf) | Production spoke VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | | | [outputs.tf](./outputs.tf) | Module outputs. | | google_storage_bucket_object · local_file | | [regions.tf](./regions.tf) | Compute short names for regions. | | | -| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | | -| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | | | [test-resources.tf](./test-resources.tf) | temporary instances for testing | compute-vm | | | [variables-vpn.tf](./variables-vpn.tf) | None | | | | [variables.tf](./variables.tf) | Module variables. | | | 
diff --git a/fast/stages/2-networking-b-vpn/spoke-dev.tf b/fast/stages/2-networking-b-vpn/net-dev.tf similarity index 100% rename from fast/stages/2-networking-b-vpn/spoke-dev.tf rename to fast/stages/2-networking-b-vpn/net-dev.tf diff --git a/fast/stages/2-networking-b-vpn/landing.tf b/fast/stages/2-networking-b-vpn/net-landing.tf similarity index 100% rename from fast/stages/2-networking-b-vpn/landing.tf rename to fast/stages/2-networking-b-vpn/net-landing.tf diff --git a/fast/stages/2-networking-b-vpn/spoke-prod.tf b/fast/stages/2-networking-b-vpn/net-prod.tf similarity index 100% rename from fast/stages/2-networking-b-vpn/spoke-prod.tf rename to fast/stages/2-networking-b-vpn/net-prod.tf diff --git a/fast/stages/2-networking-c-nva/README.md b/fast/stages/2-networking-c-nva/README.md index daee38fc..416bb6f0 100644 --- a/fast/stages/2-networking-c-nva/README.md +++ b/fast/stages/2-networking-c-nva/README.md @@ -260,7 +260,7 @@ DNS queries sent to the on-premise infrastructure come from the `35.199.192.0/19 #### On-prem to cloud -The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in the *trusted landing VPC module* ([`landing.tf`](./landing.tf)) automatically reserves the first available IP address on each subnet (typically the third one in a CIDR) to expose the Cloud DNS service, so that it can be consumed from outside of GCP. +The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in the *trusted landing VPC module* ([`net-landing.tf`](./net-landing.tf)) automatically reserves the first available IP address on each subnet (typically the third one in a CIDR) to expose the Cloud DNS service, so that it can be consumed from outside of GCP. ## How to run this stage 
@@ -419,9 +419,9 @@ vpn_onprem_primary_config = { To create a new environment (e.g. `staging`), a few changes are required: -Create a `spoke-staging.tf` file by copying `spoke-prod.tf` file. +Create a `net-staging.tf` file by copying `net-prod.tf` file. Adapt the new file by replacing the value "prod" with the value "staging". -Running `diff spoke-dev.tf spoke-prod.tf` can help to see how environment files differ. +Running `diff net-dev.tf net-prod.tf` can help to see how environment files differ. The new VPC requires a set of dedicated CIDRs, one per region, added to variable `gcp_ranges` (for example as `spoke_staging_ew1` and `spoke_staging_ew4`). >`gcp_ranges` is a map that "resolves" CIDR names to the actual addresses, and will be used later to configure routing. 
@@ -439,15 +439,15 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | dns | | | [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | dns · dns-response-policy | | | [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | dns | | -| [landing.tf](./landing.tf) | Landing VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | | | [main.tf](./main.tf) | Networking folder and hierarchical policy. | folder · net-firewall-policy | | | [monitoring-vpn-onprem.tf](./monitoring-vpn-onprem.tf) | VPN monitoring alerts. | | google_monitoring_alert_policy | | [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | google_monitoring_dashboard | +| [net-dev.tf](./net-dev.tf) | Dev spoke VPC and related resources. | net-vpc · net-vpc-firewall · net-vpc-peering · project | | +| [net-landing.tf](./net-landing.tf) | Landing VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | | +| [net-prod.tf](./net-prod.tf) | Production spoke VPC and related resources. | net-vpc · net-vpc-firewall · net-vpc-peering · project | | | [nva.tf](./nva.tf) | None | compute-mig · compute-vm · simple-nva | | | [outputs.tf](./outputs.tf) | Module outputs. | | google_storage_bucket_object · local_file | | [regions.tf](./regions.tf) | Compute short names for regions. | | | -| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | net-vpc · net-vpc-firewall · net-vpc-peering · project | | -| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | net-vpc · net-vpc-firewall · net-vpc-peering · project | | | [test-resources.tf](./test-resources.tf) | temporary instances for testing | compute-vm | | | [variables.tf](./variables.tf) | Module variables. | | | | [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | net-vpn-ha | | 
diff --git a/fast/stages/2-networking-c-nva/spoke-dev.tf b/fast/stages/2-networking-c-nva/net-dev.tf similarity index 100% rename from fast/stages/2-networking-c-nva/spoke-dev.tf rename to fast/stages/2-networking-c-nva/net-dev.tf diff --git a/fast/stages/2-networking-c-nva/landing.tf b/fast/stages/2-networking-c-nva/net-landing.tf similarity index 100% rename from fast/stages/2-networking-c-nva/landing.tf rename to fast/stages/2-networking-c-nva/net-landing.tf diff --git a/fast/stages/2-networking-c-nva/spoke-prod.tf b/fast/stages/2-networking-c-nva/net-prod.tf similarity index 100% rename from fast/stages/2-networking-c-nva/spoke-prod.tf rename to fast/stages/2-networking-c-nva/net-prod.tf diff --git a/fast/stages/2-networking-d-separate-envs/README.md b/fast/stages/2-networking-d-separate-envs/README.md index 88f68846..16b6af8b 100644 --- a/fast/stages/2-networking-d-separate-envs/README.md +++ b/fast/stages/2-networking-d-separate-envs/README.md 
@@ -318,10 +318,10 @@ Regions are defined via the `regions` variable which sets up a mapping between t | [main.tf](./main.tf) | Networking folder and hierarchical policy. | folder · net-firewall-policy | | | [monitoring-vpn-onprem.tf](./monitoring-vpn-onprem.tf) | VPN monitoring alerts. | | google_monitoring_alert_policy | | [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | google_monitoring_dashboard | +| [net-dev.tf](./net-dev.tf) | Dev spoke VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | | +| [net-prod.tf](./net-prod.tf) | Production spoke VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | | | [outputs.tf](./outputs.tf) | Module outputs. | | google_storage_bucket_object · local_file | | [regions.tf](./regions.tf) | Compute short names for regions. | | | -| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | | -| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | | | [test-resources.tf](./test-resources.tf) | Temporary instances for testing | compute-vm | | | [variables.tf](./variables.tf) | Module variables. | | | | [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | net-vpn-ha | | diff --git a/fast/stages/2-networking-d-separate-envs/spoke-dev.tf b/fast/stages/2-networking-d-separate-envs/net-dev.tf similarity index 100% rename from fast/stages/2-networking-d-separate-envs/spoke-dev.tf rename to fast/stages/2-networking-d-separate-envs/net-dev.tf diff --git a/fast/stages/2-networking-d-separate-envs/spoke-prod.tf b/fast/stages/2-networking-d-separate-envs/net-prod.tf similarity index 100% rename from fast/stages/2-networking-d-separate-envs/spoke-prod.tf rename to fast/stages/2-networking-d-separate-envs/net-prod.tf 
diff --git a/fast/stages/2-networking-e-nva-bgp/README.md b/fast/stages/2-networking-e-nva-bgp/README.md index e9bf8c10..2a6e2297 100644 --- a/fast/stages/2-networking-e-nva-bgp/README.md +++ b/fast/stages/2-networking-e-nva-bgp/README.md @@ -283,7 +283,7 @@ DNS queries sent to the on-premise infrastructure come from the `35.199.192.0/19 #### On-prem to cloud -The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in the *trusted landing VPC module* ([`landing.tf`](./landing.tf)) automatically reserves the first available IP address on each subnet (typically the third one in a CIDR) to expose the Cloud DNS service, so that it can be consumed from outside of GCP. +The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in the *trusted landing VPC module* ([`net-landing.tf`](./net-landing.tf)) automatically reserves the first available IP address on each subnet (typically the third one in a CIDR) to expose the Cloud DNS service, so that it can be consumed from outside of GCP. ## How to run this stage @@ -442,9 +442,9 @@ vpn_onprem_primary_config = { To create a new environment (e.g. `staging`), a few changes are required: -Create a `spoke-staging.tf` file by copying `spoke-prod.tf` file. +Create a `net-staging.tf` file by copying `net-prod.tf` file. Adapt the new file by replacing the value "prod" with the value "staging". -Running `diff spoke-dev.tf spoke-prod.tf` can help to see how environment files differ. +Running `diff net-dev.tf net-prod.tf` can help to see how environment files differ. The new VPC requires a set of dedicated CIDRs, one per region, added to variable `gcp_ranges` (for example as `spoke_staging_ew1` and `spoke_staging_ew4`). `gcp_ranges` is a map that "resolves" CIDR names to the actual addresses, and will be used later to configure routing. 
@@ -464,16 +464,16 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | dns | | | [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | dns · dns-response-policy | | | [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | dns | | -| [landing.tf](./landing.tf) | Landing VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | | | [main.tf](./main.tf) | Networking folder and hierarchical policy. | folder · net-firewall-policy | | | [monitoring-vpn-onprem.tf](./monitoring-vpn-onprem.tf) | VPN monitoring alerts. | | google_monitoring_alert_policy | | [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | google_monitoring_dashboard | | [ncc.tf](./ncc.tf) | None | ncc-spoke-ra | google_network_connectivity_hub | +| [net-dev.tf](./net-dev.tf) | Dev spoke VPC and related resources. | net-vpc · net-vpc-firewall · net-vpc-peering · project | | +| [net-landing.tf](./net-landing.tf) | Landing VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | | +| [net-prod.tf](./net-prod.tf) | Production spoke VPC and related resources. | net-vpc · net-vpc-firewall · net-vpc-peering · project | | | [nva.tf](./nva.tf) | None | compute-vm · simple-nva | google_compute_address | | [outputs.tf](./outputs.tf) | Module outputs. | | google_storage_bucket_object · local_file | | [regions.tf](./regions.tf) | Compute short names for regions. | | | -| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | net-vpc · net-vpc-firewall · net-vpc-peering · project | | -| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | net-vpc · net-vpc-firewall · net-vpc-peering · project | | | [test-resources.tf](./test-resources.tf) | temporary instances for testing | compute-vm | | | [variables.tf](./variables.tf) | Module variables. 
| | | | [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | net-vpn-ha | | diff --git a/fast/stages/2-networking-e-nva-bgp/spoke-dev.tf b/fast/stages/2-networking-e-nva-bgp/net-dev.tf similarity index 100% rename from fast/stages/2-networking-e-nva-bgp/spoke-dev.tf rename to fast/stages/2-networking-e-nva-bgp/net-dev.tf diff --git a/fast/stages/2-networking-e-nva-bgp/landing.tf b/fast/stages/2-networking-e-nva-bgp/net-landing.tf similarity index 100% rename from fast/stages/2-networking-e-nva-bgp/landing.tf rename to fast/stages/2-networking-e-nva-bgp/net-landing.tf diff --git a/fast/stages/2-networking-e-nva-bgp/spoke-prod.tf b/fast/stages/2-networking-e-nva-bgp/net-prod.tf similarity index 100% rename from fast/stages/2-networking-e-nva-bgp/spoke-prod.tf rename to fast/stages/2-networking-e-nva-bgp/net-prod.tf From 022b9f5060e3f84b906bc63f7a929b2a76b36eea Mon Sep 17 00:00:00 2001 From: apichick Date: Fri, 27 Oct 2023 18:15:37 +0200 Subject: [PATCH 4/4] Added iam_bindings and iam_bindings_additive to apigee module --- modules/apigee/README.md | 72 +++++++++++++++++++++----- modules/apigee/iam.tf | 57 ++++++++++++++++++++ modules/apigee/main.tf | 18 +------ modules/apigee/variables.tf | 14 +++-- tests/modules/apigee/all_psc_mode.yaml | 2 +- tests/modules/apigee/all_vpc_mode.yaml | 2 +- 6 files changed, 130 insertions(+), 35 deletions(-) create mode 100644 modules/apigee/iam.tf diff --git a/modules/apigee/README.md b/modules/apigee/README.md index 7692d6f4..5a05ecb3 100644 --- a/modules/apigee/README.md +++ b/modules/apigee/README.md @@ -17,6 +17,7 @@ This module simplifies the creation of a Apigee resources (organization, environ - [New instance (Non VPC Peering Provisioning Mode)](#new-instance-non-vpc-peering-provisioning-mode) - [New endpoint attachment](#new-endpoint-attachment) - [Apigee add-ons](#apigee-add-ons) + - [IAM](#iam) - [Variables](#variables) - [Outputs](#outputs) 
@@ -87,7 +88,6 @@ module "apigee" { When a new Apigee organization is created, it is automatically peered to the authorized network. You can prevent this from happening by using the `disable_vpc_peering` key in the `organization` variable, as shown below: - ```hcl module "apigee" { source = "./fabric/modules/apigee" @@ -117,7 +117,6 @@ module "apigee" { # tftest modules=1 resources=6 inventory=no-peering.yaml ``` - ### All resources (CLOUD) ```hcl @@ -147,9 +146,6 @@ module "apigee" { display_name = "APIs prod" description = "APIs prod" envgroups = ["prod"] - iam = { - "roles/viewer" = ["group:devops@myorg.com"] - } } } instances = { @@ -176,7 +172,7 @@ module "apigee" { } } } -# tftest modules=1 resources=15 +# tftest modules=1 resources=14 ``` ### All resources (HYBRID control plane) @@ -205,13 +201,10 @@ module "apigee" { display_name = "APIs prod" description = "APIs prod" envgroups = ["prod"] - iam = { - "roles/viewer" = ["group:devops@myorg.com"] - } } } } -# tftest modules=1 resources=8 +# tftest modules=1 resources=7 ``` ### New environment group 
@@ -311,18 +304,69 @@ module "apigee" { } # tftest modules=1 resources=1 ``` + +### IAM + +```hcl +module "apigee" { + source = "./fabric/modules/apigee" + project_id = "my-project" + organization = { + display_name = "My Organization" + description = "My Organization" + authorized_network = "my-vpc" + runtime_type = "CLOUD" + billing_type = "PAYG" + database_encryption_key = "123456789" + analytics_region = "europe-west1" + } + envgroups = { + test = ["test.example.com"] + prod = ["prod.example.com"] + } + environments = { + apis-test = { + display_name = "APIs test" + description = "APIs Test" + envgroups = ["test"] + iam = { + "roles/apigee.environmentAdmin" = ["group:apigee-env-admin@myorg.com"] + } + iam_bindings_additive = { + viewer = { + role = "roles/viewer" + member = "user:user1@myorg.com" + } + } + } + apis-prod = { + display_name = "APIs prod" + description = "APIs prod" + envgroups = ["prod"] + iam_bindings = { + apigee-env-admin = { + role = "roles/apigee.environmentAdmin" + members = ["group:apigee-env-admin@myorg.com"] + } + } + } + } +} +# tftest modules=1 resources=10 +``` + ## Variables | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [project_id](variables.tf#L117) | Project ID. | string | ✓ | | +| [project_id](variables.tf#L125) | Project ID. | string | ✓ | | | [addons_config](variables.tf#L17) | Addons configuration. | object({…}) | | null | | [endpoint_attachments](variables.tf#L29) | Endpoint attachments. | map(object({…})) | | {} | | [envgroups](variables.tf#L39) | Environment groups (NAME => [HOSTNAMES]). | map(list(string)) | | {} | -| [environments](variables.tf#L46) | Environments. | map(object({…})) | | {} | -| [instances](variables.tf#L64) | Instances ([REGION] => [INSTANCE]). | map(object({…})) | | {} | -| [organization](variables.tf#L89) | Apigee organization. If set to null the organization must already exist. | object({…}) | | null | +| [environments](variables.tf#L46) | Environments. 
| map(object({…})) | | {} | +| [instances](variables.tf#L72) | Instances ([REGION] => [INSTANCE]). | map(object({…})) | | {} | +| [organization](variables.tf#L97) | Apigee organization. If set to null the organization must already exist. | object({…}) | | null | ## Outputs diff --git a/modules/apigee/iam.tf b/modules/apigee/iam.tf new file mode 100644 index 00000000..fc6d96f2 --- /dev/null +++ b/modules/apigee/iam.tf 
@@ -0,0 +1,57 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_apigee_environment_iam_binding" "authoritative" {
+ for_each = merge(concat([for k1, v1 in var.environments : {
+ for k2, v2 in v1.iam : "${k1}-${k2}" => {
+ environment = "${k1}"
+ role = k2
+ members = v2
+ }
+ }])...)
+ org_id = local.org_id
+ env_id = google_apigee_environment.environments[each.value.environment].name
+ role = each.value.role
+ members = each.value.members
+}
+
+resource "google_apigee_environment_iam_binding" "bindings" {
+ for_each = merge(concat([for k1, v1 in var.environments : {
+ for k2, v2 in coalesce(v1.iam_bindings, {}) : "${k1}-${k2}" => {
+ environment = "${k1}"
+ role = v2.role
+ members = v2.members
+ }
+ }])...)
+ org_id = local.org_id
+ env_id = google_apigee_environment.environments[each.value.environment].name
+ role = each.value.role
+ members = each.value.members
+}
+
+resource "google_apigee_environment_iam_member" "bindings" {
+ for_each = merge(concat([for k1, v1 in var.environments : {
+ for k2, v2 in coalesce(v1.iam_bindings_additive, {}) : "${k1}-${k2}" => {
+ environment = "${k1}"
+ role = v2.role
+ member = v2.member
+ }
+ }])...)
+ org_id = local.org_id
+ env_id = google_apigee_environment.environments[each.value.environment].name
+ role = each.value.role
+ member = each.value.member
+}
diff --git a/modules/apigee/main.tf b/modules/apigee/main.tf
index 46f76555..be571a8a 100644
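Review bot: `authoritative` and `bindings` both create `google_apigee_environment_iam_binding`, which is authoritative for a role, so a role listed under `iam` and also referenced from `iam_bindings` for the same environment (or the same role under two `iam_bindings` keys) yields two resources that overwrite each other's member list on every apply, and a member granted through `iam_bindings_additive` on such a role is removed again by the next apply of the authoritative binding. Nothing in this file states that contract; a header comment above the first resource would, e.g. `# iam and iam_bindings are authoritative per role: a role must not appear in both for the same environment, and iam_bindings_additive must only be used for roles not managed by either.` The `coalesce(v1.iam_bindings, {})` and `coalesce(v1.iam_bindings_additive, {})` guards are also inconsistent with `v1.iam`, which is used bare, now that all three default to `{}` in variables.tf and the same commit drops the equivalent `coalesce()` calls in main.tf; and `environment = "${k1}"` can simply be `environment = k1` as in main.tf.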
--- a/modules/apigee/main.tf +++ b/modules/apigee/main.tf @@ -62,7 +62,7 @@ resource "google_apigee_environment" "environments" { resource "google_apigee_envgroup_attachment" "envgroup_attachments" { for_each = merge(concat([for k1, v1 in var.environments : { - for v2 in coalesce(v1.envgroups, []) : "${k1}-${v2}" => { + for v2 in v1.envgroups : "${k1}-${v2}" => { environment = k1 envgroup = v2 } @@ -72,20 +72,6 @@ resource "google_apigee_envgroup_attachment" "envgroup_attachments" { depends_on = [google_apigee_envgroup.envgroups] } -resource "google_apigee_environment_iam_binding" "binding" { - for_each = merge(concat([for k1, v1 in var.environments : { - for k2, v2 in coalesce(v1.iam, {}) : "${k1}-${k2}" => { - environment = "${k1}" - role = k2 - members = v2 - } - }])...) - org_id = local.org_id - env_id = google_apigee_environment.environments[each.value.environment].name - role = each.value.role - members = each.value.members -} - resource "google_apigee_instance" "instances" { for_each = var.instances name = coalesce(each.value.name, "instance-${each.key}") @@ -114,7 +100,7 @@ resource "google_apigee_nat_address" "apigee_nat" { resource "google_apigee_instance_attachment" "instance_attachments" { for_each = merge(concat([for k1, v1 in var.instances : { - for v2 in coalesce(v1.environments, []) : + for v2 in v1.environments : "${k1}-${v2}" => { instance = k1 environment = v2 diff --git a/modules/apigee/variables.tf b/modules/apigee/variables.tf index 78549507..7ec2cc2d 100644 --- a/modules/apigee/variables.tf +++ b/modules/apigee/variables.tf 
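Review bot: Removing `google_apigee_environment_iam_binding.binding` here while the same bindings are re-created as `google_apigee_environment_iam_binding.authoritative` in iam.tf turns every existing binding into a destroy-then-create on upgrade, and for an authoritative binding that means the role's members are revoked and re-granted within the apply. A `moved` block from `google_apigee_environment_iam_binding.binding` to `google_apigee_environment_iam_binding.authoritative` would keep the state addresses and make the rename a no-op in the plan; the test fixtures in this commit only rename the expected address and would not catch the recreation. The other two hunks in this file only drop `coalesce()` guards made redundant by the new `[]` defaults in variables.tf; the `envgroup_attachments` and `instance_attachments` resources they touch start or end outside the hunks.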
@@ -54,8 +54,16 @@ variable "environments" { min_node_count = optional(number) max_node_count = optional(number) })) - iam = optional(map(list(string))) - envgroups = optional(list(string)) + iam = optional(map(list(string)), {}) + iam_bindings = optional(map(object({ + role = string + members = list(string) + })), {}) + iam_bindings_additive = optional(map(object({ + role = string + member = string + })), {}) + envgroups = optional(list(string), []) })) default = {} nullable = false @@ -72,7 +80,7 @@ variable "instances" { disk_encryption_key = optional(string) consumer_accept_list = optional(list(string)) enable_nat = optional(bool, false) - environments = optional(list(string)) + environments = optional(list(string), []) })) validation { condition = alltrue([ diff --git a/tests/modules/apigee/all_psc_mode.yaml b/tests/modules/apigee/all_psc_mode.yaml index c31c713a..e7028213 100644 --- a/tests/modules/apigee/all_psc_mode.yaml +++ b/tests/modules/apigee/all_psc_mode.yaml @@ -41,7 +41,7 @@ values: description: APIs Test display_name: APIs test name: apis-test - google_apigee_environment_iam_binding.binding["apis-prod-roles/viewer"]: + google_apigee_environment_iam_binding.authoritative["apis-prod-roles/viewer"]: condition: [] env_id: apis-prod members: diff --git a/tests/modules/apigee/all_vpc_mode.yaml b/tests/modules/apigee/all_vpc_mode.yaml index 2d39429c..b5ebdec1 100644 --- a/tests/modules/apigee/all_vpc_mode.yaml +++ b/tests/modules/apigee/all_vpc_mode.yaml @@ -42,7 +42,7 @@ values: description: APIs Test display_name: APIs test name: apis-test - google_apigee_environment_iam_binding.binding["apis-prod-roles/viewer"]: + google_apigee_environment_iam_binding.authoritative["apis-prod-roles/viewer"]: condition: [] env_id: apis-prod members:
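Review bot: The new `iam`, `iam_bindings` and `iam_bindings_additive` attributes are accepted without any check that a role is managed by at most one authoritative form per environment, while the `instances` variable in the second hunk already carries a `validation` block; the `environments` variable should get one too so that a role present in both `iam` and `iam_bindings` (or twice in `iam_bindings`) is rejected at plan time instead of surfacing as a perpetual diff between `google_apigee_environment_iam_binding.authoritative` and `.bindings`. The `environments` variable block closes outside the hunk; the validation below goes after `nullable = false`.

```hcl
  nullable = false
  validation {
    condition = alltrue([
      for k, v in var.environments : (
        length(setintersection(keys(v.iam), [for b in values(v.iam_bindings) : b.role])) == 0
        && length(distinct([for b in values(v.iam_bindings) : b.role])) == length(v.iam_bindings)
      )
    ])
    error_message = "A role cannot be managed by both iam and iam_bindings, or by two iam_bindings entries, for the same environment."
  }
```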