Merge branch 'master' into cmalpe/kms-import-job
commit b29987bb61
|
@ -190,7 +190,7 @@ DNS queries sent to the on-premises infrastructure come from the `35.199.192.0/1
|
|||
|
||||
#### On-prem to cloud
|
||||
|
||||
The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in module `landing-vpc` ([`landing.tf`](./landing.tf)) automatically reserves the first available IP address on each created subnet (typically the third one in a CIDR) to expose the Cloud DNS service so that it can be consumed from outside of GCP.
|
||||
The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in module `landing-vpc` ([`net-landing.tf`](./net-landing.tf)) automatically reserves the first available IP address on each created subnet (typically the third one in a CIDR) to expose the Cloud DNS service so that it can be consumed from outside of GCP.
|
||||
|
||||
## How to run this stage
|
||||
|
||||
|
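Review bot: only the link target changes here (`landing.tf` to `net-landing.tf`) while the module name `landing-vpc` in the same sentence is left untouched; confirm that the module block in `net-landing.tf` is still called `landing-vpc`, otherwise the README sends readers to a module name that no longer exists. Since this paragraph documents the address that on-prem resolvers are pointed at (the inbound forwarder reserved on each subnet), it is the place where an incorrect file reference does the most harm during troubleshooting.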
@ -349,9 +349,9 @@ vpn_onprem_primary_config = {
|
|||
|
||||
To create a new environment (e.g. `staging`), a few changes are required.
|
||||
|
||||
Create a `spoke-staging.tf` file by copying `spoke-prod.tf` file,
|
||||
Create a `net-staging.tf` file by copying `net-prod.tf` file,
|
||||
and adapt the new file by replacing the value "prod" with the value "staging".
|
||||
Running `diff spoke-dev.tf spoke-prod.tf` can help to see how environment files differ.
|
||||
Running `diff net-dev.tf net-prod.tf` can help to see how environment files differ.
|
||||
|
||||
The new VPC requires a set of dedicated CIDRs, one per region, added to variable `custom_adv` (for example as `spoke_staging_primary` and `spoke_staging_secondary`).
|
||||
>`custom_adv` is a map that "resolves" CIDR names to actual addresses, and will be used later to configure routing.
|
||||
|
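Review bot: the file names move from `spoke-staging.tf` / `spoke-prod.tf` / `spoke-dev.tf` to `net-*.tf`, but the example `custom_adv` keys in the unchanged context line, `spoke_staging_primary` and `spoke_staging_secondary`, keep the `spoke_` prefix. If the existing `custom_adv` keys were renamed too, update the example; if not, add a short sentence saying the map keys are independent of the file names so readers do not go looking for a `net_staging_*` key.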
@ -369,15 +369,15 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|
|||
| [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | <code>dns</code> | |
|
||||
| [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | <code>dns</code> · <code>dns-response-policy</code> | |
|
||||
| [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | <code>dns</code> | |
|
||||
| [landing.tf](./landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
||||
| [main.tf](./main.tf) | Networking folder and hierarchical policy. | <code>folder</code> · <code>net-firewall-policy</code> | |
|
||||
| [monitoring-vpn-onprem.tf](./monitoring-vpn-onprem.tf) | VPN monitoring alerts. | | <code>google_monitoring_alert_policy</code> |
|
||||
| [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | <code>google_monitoring_dashboard</code> |
|
||||
| [net-dev.tf](./net-dev.tf) | Dev spoke VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
||||
| [net-landing.tf](./net-landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
||||
| [net-prod.tf](./net-prod.tf) | Production spoke VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
||||
| [outputs.tf](./outputs.tf) | Module outputs. | | <code>google_storage_bucket_object</code> · <code>local_file</code> |
|
||||
| [peerings.tf](./peerings.tf) | None | <code>net-vpc-peering</code> | |
|
||||
| [regions.tf](./regions.tf) | Compute short names for regions. | | |
|
||||
| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
||||
| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
||||
| [test-resources.tf](./test-resources.tf) | temporary instances for testing | <code>compute-vm</code> | |
|
||||
| [variables-peerings.tf](./variables-peerings.tf) | Peering related variables. | | |
|
||||
| [variables.tf](./variables.tf) | Module variables. | | |
|
||||
|
|
|
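Review bot: the `peerings.tf` row carries `None` as its description while every other row has a one-line summary; the generator fills `None` when the file lacks a header comment, so add one (for example "VPC peerings between landing and spokes", given the `net-vpc-peering` module listed in the same row). The renamed rows are otherwise consistent: `net-landing.tf`, `net-dev.tf` and `net-prod.tf` list exactly the modules the removed `landing.tf`, `spoke-dev.tf` and `spoke-prod.tf` rows did.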
@ -203,7 +203,7 @@ DNS queries sent to the on-premises infrastructure come from the `35.199.192.0/1
|
|||
|
||||
#### On-prem to cloud
|
||||
|
||||
The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in module `landing-vpc` ([`landing.tf`](./landing.tf)) automatically reserves the first available IP address on each created subnet (typically the third one in a CIDR) to expose the Cloud DNS service so that it can be consumed from outside of GCP.
|
||||
The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in module `landing-vpc` ([`net-landing.tf`](./net-landing.tf)) automatically reserves the first available IP address on each created subnet (typically the third one in a CIDR) to expose the Cloud DNS service so that it can be consumed from outside of GCP.
|
||||
|
||||
## How to run this stage
|
||||
|
||||
|
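Review bot: same one-word link fix as in the other stage README, and the same check applies: the module is still referred to as `landing-vpc`, so verify that name survived the move to `net-landing.tf`. The `### On-prem to cloud` heading and the surrounding text are unchanged.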
@ -362,9 +362,9 @@ vpn_onprem_primary_config = {
|
|||
|
||||
To create a new environment (e.g. `staging`), a few changes are required.
|
||||
|
||||
Create a `spoke-staging.tf` file by copying `spoke-prod.tf` file,
|
||||
Create a `net-staging.tf` file by copying `net-prod.tf` file,
|
||||
and adapt the new file by replacing the value "prod" with the value "staging".
|
||||
Running `diff spoke-dev.tf spoke-prod.tf` can help to see how environment files differ.
|
||||
Running `diff net-dev.tf net-prod.tf` can help to see how environment files differ.
|
||||
|
||||
The new VPC requires a set of dedicated CIDRs, one per region, added to variable `custom_adv` (for example as `spoke_staging_ew1` and `spoke_staging_ew4`).
|
||||
>`custom_adv` is a map that "resolves" CIDR names to actual addresses, and will be used later to configure routing.
|
||||
|
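Review bot: the blockquote line `>` followed immediately by `` `custom_adv` `` has no space after the `>` marker; most renderers accept it, but the equivalent sentence in one of the other stage READMEs in this commit drops the blockquote altogether, so the four copies of this procedure are already drifting. While touching these lines, use `> ` consistently. The example keys `spoke_staging_ew1` / `spoke_staging_ew4` also keep the `spoke_` prefix after the rename; state explicitly whether `custom_adv` keys were meant to change.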
@ -372,7 +372,7 @@ The new VPC requires a set of dedicated CIDRs, one per region, added to variable
|
|||
Variables managing L7 Internal Load Balancers (`l7ilb_subnets`) and Private Service Access (`psa_ranges`) should also be adapted, also subnets and firewall rules for the new spoke should be added as described above.
|
||||
|
||||
HA VPN connectivity (see also [VPNs](#vpns)) to `landing` is managed by the `vpn-spoke-*.tf` files.
|
||||
Copy `vpn-spoke-dev.tf` to `vpn-spoke-staging.tf` - replace `dev` with `staging` where relevant.
|
||||
Copy `vpn-net-dev.tf` to `vpn-net-staging.tf` - replace `dev` with `staging` where relevant.
|
||||
|
||||
VPN configuration also controls BGP advertisements, which requires the following variable changes:
|
||||
|
||||
|
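Review bot: the unchanged context line `HA VPN connectivity ... is managed by the \`vpn-spoke-*.tf\` files.` now contradicts the next line, which tells the reader to copy `vpn-net-dev.tf` to `vpn-net-staging.tf`. Update the glob to `vpn-net-*.tf` (or whatever the VPN files are now called) so the two sentences agree; as written, a reader following the first sentence will look for files the second sentence says no longer exist under that name.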
@ -391,14 +391,14 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|
|||
| [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | <code>dns</code> | |
|
||||
| [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | <code>dns</code> · <code>dns-response-policy</code> | |
|
||||
| [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | <code>dns</code> | |
|
||||
| [landing.tf](./landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
||||
| [main.tf](./main.tf) | Networking folder and hierarchical policy. | <code>folder</code> · <code>net-firewall-policy</code> | |
|
||||
| [monitoring-vpn.tf](./monitoring-vpn.tf) | VPN monitoring alerts. | | <code>google_monitoring_alert_policy</code> |
|
||||
| [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | <code>google_monitoring_dashboard</code> |
|
||||
| [net-dev.tf](./net-dev.tf) | Dev spoke VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
||||
| [net-landing.tf](./net-landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
||||
| [net-prod.tf](./net-prod.tf) | Production spoke VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
||||
| [outputs.tf](./outputs.tf) | Module outputs. | | <code>google_storage_bucket_object</code> · <code>local_file</code> |
|
||||
| [regions.tf](./regions.tf) | Compute short names for regions. | | |
|
||||
| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
||||
| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
||||
| [test-resources.tf](./test-resources.tf) | temporary instances for testing | <code>compute-vm</code> | |
|
||||
| [variables-vpn.tf](./variables-vpn.tf) | None | | |
|
||||
| [variables.tf](./variables.tf) | Module variables. | | |
|
||||
|
|
|
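Review bot: `variables-vpn.tf` shows `None` for its description; add a header comment (the analogous `variables-peerings.tf` row in the sibling stage reads "Peering related variables."). Note also that this table still lists `monitoring-vpn.tf` whereas the sibling stage tables list `monitoring-vpn-onprem.tf`; if that is intentional per stage, fine, but it is worth a glance since the rest of this commit is about aligning file names across stages.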
@ -260,7 +260,7 @@ DNS queries sent to the on-premise infrastructure come from the `35.199.192.0/19
|
|||
|
||||
#### On-prem to cloud
|
||||
|
||||
The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in the *trusted landing VPC module* ([`landing.tf`](./landing.tf)) automatically reserves the first available IP address on each subnet (typically the third one in a CIDR) to expose the Cloud DNS service, so that it can be consumed from outside of GCP.
|
||||
The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in the *trusted landing VPC module* ([`net-landing.tf`](./net-landing.tf)) automatically reserves the first available IP address on each subnet (typically the third one in a CIDR) to expose the Cloud DNS service, so that it can be consumed from outside of GCP.
|
||||
|
||||
## How to run this stage
|
||||
|
||||
|
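Review bot: the hunk header context reads `on-premise infrastructure` while the equivalent sentence in the first two stage READMEs in this commit says `on-premises`; since this paragraph is being edited anyway, align the spelling. The rest of the change (link to `net-landing.tf`, module referred to as the *trusted landing VPC module*) is consistent with the file table further down.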
@ -419,9 +419,9 @@ vpn_onprem_primary_config = {
|
|||
|
||||
To create a new environment (e.g. `staging`), a few changes are required:
|
||||
|
||||
Create a `spoke-staging.tf` file by copying `spoke-prod.tf` file.
|
||||
Create a `net-staging.tf` file by copying `net-prod.tf` file.
|
||||
Adapt the new file by replacing the value "prod" with the value "staging".
|
||||
Running `diff spoke-dev.tf spoke-prod.tf` can help to see how environment files differ.
|
||||
Running `diff net-dev.tf net-prod.tf` can help to see how environment files differ.
|
||||
|
||||
The new VPC requires a set of dedicated CIDRs, one per region, added to variable `gcp_ranges` (for example as `spoke_staging_ew1` and `spoke_staging_ew4`).
|
||||
>`gcp_ranges` is a map that "resolves" CIDR names to the actual addresses, and will be used later to configure routing.
|
||||
|
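Review bot: the sentence `To create a new environment (e.g. \`staging\`), a few changes are required:` ends in a colon but is followed by loose one-sentence lines (`Create a \`net-staging.tf\` file ...`, `Adapt the new file ...`, `Running \`diff net-dev.tf net-prod.tf\` ...`) rather than a list; turning them into a numbered list would make the procedure easier to follow. The `gcp_ranges` example keys `spoke_staging_ew1` / `spoke_staging_ew4` keep the `spoke_` prefix after the rename to `net-*.tf`; say whether that is intended.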
@ -439,15 +439,15 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|
|||
| [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | <code>dns</code> | |
|
||||
| [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | <code>dns</code> · <code>dns-response-policy</code> | |
|
||||
| [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | <code>dns</code> | |
|
||||
| [landing.tf](./landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
||||
| [main.tf](./main.tf) | Networking folder and hierarchical policy. | <code>folder</code> · <code>net-firewall-policy</code> | |
|
||||
| [monitoring-vpn-onprem.tf](./monitoring-vpn-onprem.tf) | VPN monitoring alerts. | | <code>google_monitoring_alert_policy</code> |
|
||||
| [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | <code>google_monitoring_dashboard</code> |
|
||||
| [net-dev.tf](./net-dev.tf) | Dev spoke VPC and related resources. | <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>net-vpc-peering</code> · <code>project</code> | |
|
||||
| [net-landing.tf](./net-landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
||||
| [net-prod.tf](./net-prod.tf) | Production spoke VPC and related resources. | <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>net-vpc-peering</code> · <code>project</code> | |
|
||||
| [nva.tf](./nva.tf) | None | <code>compute-mig</code> · <code>compute-vm</code> · <code>simple-nva</code> | |
|
||||
| [outputs.tf](./outputs.tf) | Module outputs. | | <code>google_storage_bucket_object</code> · <code>local_file</code> |
|
||||
| [regions.tf](./regions.tf) | Compute short names for regions. | | |
|
||||
| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>net-vpc-peering</code> · <code>project</code> | |
|
||||
| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>net-vpc-peering</code> · <code>project</code> | |
|
||||
| [test-resources.tf](./test-resources.tf) | temporary instances for testing | <code>compute-vm</code> | |
|
||||
| [variables.tf](./variables.tf) | Module variables. | | |
|
||||
| [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | <code>net-vpn-ha</code> | |
|
||||
|
|
|
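Review bot: the `nva.tf` row has no description (`None`). Given that it instantiates `compute-mig`, `compute-vm` and `simple-nva`, i.e. the network virtual appliances that sit in the traffic path of this stage, a header comment saying what the NVAs do and which flows transit them would be the single most useful line in this table. The spoke rows now correctly list `net-vpc-peering` instead of `net-cloudnat`, matching the removed `spoke-*.tf` rows.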
@ -318,10 +318,10 @@ Regions are defined via the `regions` variable which sets up a mapping between t
|
|||
| [main.tf](./main.tf) | Networking folder and hierarchical policy. | <code>folder</code> · <code>net-firewall-policy</code> | |
|
||||
| [monitoring-vpn-onprem.tf](./monitoring-vpn-onprem.tf) | VPN monitoring alerts. | | <code>google_monitoring_alert_policy</code> |
|
||||
| [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | <code>google_monitoring_dashboard</code> |
|
||||
| [net-dev.tf](./net-dev.tf) | Dev spoke VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
||||
| [net-prod.tf](./net-prod.tf) | Production spoke VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
||||
| [outputs.tf](./outputs.tf) | Module outputs. | | <code>google_storage_bucket_object</code> · <code>local_file</code> |
|
||||
| [regions.tf](./regions.tf) | Compute short names for regions. | | |
|
||||
| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
||||
| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
||||
| [test-resources.tf](./test-resources.tf) | Temporary instances for testing | <code>compute-vm</code> | |
|
||||
| [variables.tf](./variables.tf) | Module variables. | | |
|
||||
| [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | <code>net-vpn-ha</code> | |
|
||||
|
|
|
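Review bot: `test-resources.tf` is described as `Temporary instances for testing` here and as `temporary instances for testing` in the other stage tables touched by this commit; if these descriptions come from the file header comments, align the capitalisation in the source files. The `net-dev.tf` / `net-prod.tf` rows are otherwise identical to the removed `spoke-dev.tf` / `spoke-prod.tf` rows.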
@ -283,7 +283,7 @@ DNS queries sent to the on-premise infrastructure come from the `35.199.192.0/19
|
|||
|
||||
#### On-prem to cloud
|
||||
|
||||
The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in the *trusted landing VPC module* ([`landing.tf`](./landing.tf)) automatically reserves the first available IP address on each subnet (typically the third one in a CIDR) to expose the Cloud DNS service, so that it can be consumed from outside of GCP.
|
||||
The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in the *trusted landing VPC module* ([`net-landing.tf`](./net-landing.tf)) automatically reserves the first available IP address on each subnet (typically the third one in a CIDR) to expose the Cloud DNS service, so that it can be consumed from outside of GCP.
|
||||
|
||||
## How to run this stage
|
||||
|
||||
|
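Review bot: this is the fourth verbatim copy of the same Inbound DNS Policy paragraph in this commit, each needing the same one-word edit (`landing.tf` to `net-landing.tf`). Consider a shared snippet or a cross-reference from the other stage READMEs so that future renames do not have to be applied in four places and cannot drift.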
@ -442,9 +442,9 @@ vpn_onprem_primary_config = {
|
|||
|
||||
To create a new environment (e.g. `staging`), a few changes are required:
|
||||
|
||||
Create a `spoke-staging.tf` file by copying `spoke-prod.tf` file.
|
||||
Create a `net-staging.tf` file by copying `net-prod.tf` file.
|
||||
Adapt the new file by replacing the value "prod" with the value "staging".
|
||||
Running `diff spoke-dev.tf spoke-prod.tf` can help to see how environment files differ.
|
||||
Running `diff net-dev.tf net-prod.tf` can help to see how environment files differ.
|
||||
|
||||
The new VPC requires a set of dedicated CIDRs, one per region, added to variable `gcp_ranges` (for example as `spoke_staging_ew1` and `spoke_staging_ew4`).
|
||||
`gcp_ranges` is a map that "resolves" CIDR names to the actual addresses, and will be used later to configure routing.
|
||||
|
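Review bot: unlike the three sibling READMEs, the `gcp_ranges` explanation on the unchanged context line here is not a blockquote (no leading `>`), so the four copies of this procedure render differently. Either add the `> ` or remove it elsewhere. The rename itself (`spoke-staging.tf` / `spoke-prod.tf` / `spoke-dev.tf` to the `net-*.tf` names) is consistent with the file table below.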
@ -464,16 +464,16 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|
|||
| [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | <code>dns</code> | |
|
||||
| [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | <code>dns</code> · <code>dns-response-policy</code> | |
|
||||
| [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | <code>dns</code> | |
|
||||
| [landing.tf](./landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
||||
| [main.tf](./main.tf) | Networking folder and hierarchical policy. | <code>folder</code> · <code>net-firewall-policy</code> | |
|
||||
| [monitoring-vpn-onprem.tf](./monitoring-vpn-onprem.tf) | VPN monitoring alerts. | | <code>google_monitoring_alert_policy</code> |
|
||||
| [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | <code>google_monitoring_dashboard</code> |
|
||||
| [ncc.tf](./ncc.tf) | None | <code>ncc-spoke-ra</code> | <code>google_network_connectivity_hub</code> |
|
||||
| [net-dev.tf](./net-dev.tf) | Dev spoke VPC and related resources. | <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>net-vpc-peering</code> · <code>project</code> | |
|
||||
| [net-landing.tf](./net-landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
||||
| [net-prod.tf](./net-prod.tf) | Production spoke VPC and related resources. | <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>net-vpc-peering</code> · <code>project</code> | |
|
||||
| [nva.tf](./nva.tf) | None | <code>compute-vm</code> · <code>simple-nva</code> | <code>google_compute_address</code> |
|
||||
| [outputs.tf](./outputs.tf) | Module outputs. | | <code>google_storage_bucket_object</code> · <code>local_file</code> |
|
||||
| [regions.tf](./regions.tf) | Compute short names for regions. | | |
|
||||
| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>net-vpc-peering</code> · <code>project</code> | |
|
||||
| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>net-vpc-peering</code> · <code>project</code> | |
|
||||
| [test-resources.tf](./test-resources.tf) | temporary instances for testing | <code>compute-vm</code> | |
|
||||
| [variables.tf](./variables.tf) | Module variables. | | |
|
||||
| [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | <code>net-vpn-ha</code> | |
|
||||
|
|
|
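Review bot: two rows, `ncc.tf` and `nva.tf`, have `None` descriptions. `ncc.tf` creates the `google_network_connectivity_hub` and the `ncc-spoke-ra` spokes, i.e. the routing backbone of this stage, and `nva.tf` the appliances that forward its traffic; both deserve a header comment. The `net-*.tf` rows match the removed `landing.tf` / `spoke-*.tf` rows module for module.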
@ -17,6 +17,7 @@ This module simplifies the creation of a Apigee resources (organization, environ
|
|||
- [New instance (Non VPC Peering Provisioning Mode)](#new-instance-non-vpc-peering-provisioning-mode)
|
||||
- [New endpoint attachment](#new-endpoint-attachment)
|
||||
- [Apigee add-ons](#apigee-add-ons)
|
||||
- [IAM](#iam)
|
||||
- [Variables](#variables)
|
||||
- [Outputs](#outputs)
|
||||
<!-- END TOC -->
|
||||
|
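Review bot: the new `[IAM](#iam)` entry matches the `### IAM` section added further down in this file, so the anchor resolves. Since the section itself currently consists of a bare code block, a one-sentence lead saying how `iam`, `iam_bindings` and `iam_bindings_additive` differ would make the TOC entry worth clicking.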
@ -87,7 +88,6 @@ module "apigee" {
|
|||
|
||||
When a new Apigee organization is created, it is automatically peered to the authorized network. You can prevent this from happening by using the `disable_vpc_peering` key in the `organization` variable, as shown below:
|
||||
|
||||
|
||||
```hcl
|
||||
module "apigee" {
|
||||
source = "./fabric/modules/apigee"
|
||||
|
@ -117,7 +117,6 @@ module "apigee" {
|
|||
# tftest modules=1 resources=6 inventory=no-peering.yaml
|
||||
```
|
||||
|
||||
|
||||
### All resources (CLOUD)
|
||||
|
||||
```hcl
|
||||
|
@ -147,9 +146,6 @@ module "apigee" {
|
|||
display_name = "APIs prod"
|
||||
description = "APIs prod"
|
||||
envgroups = ["prod"]
|
||||
iam = {
|
||||
"roles/viewer" = ["group:devops@myorg.com"]
|
||||
}
|
||||
}
|
||||
}
|
||||
instances = {
|
||||
|
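Review bot: the `iam = { "roles/viewer" = ["group:devops@myorg.com"] }` block is dropped from the "All resources (CLOUD)" example, so that example no longer exercises IAM at all even though `iam` remains a supported key (it gets a `{}` default in `variables.tf` in this commit). Either keep one binding here so the "all resources" title stays accurate, or rename the section; moving IAM coverage to the new `### IAM` section is fine but should be stated.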
@ -176,7 +172,7 @@ module "apigee" {
|
|||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=15
|
||||
# tftest modules=1 resources=14
|
||||
```
|
||||
|
||||
### All resources (HYBRID control plane)
|
||||
|
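Review bot: the count change `resources=15` to `resources=14` matches exactly one `google_apigee_environment_iam_binding` fewer after removing the `iam` block from the example above; nothing else in this hunk changes.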
@ -205,13 +201,10 @@ module "apigee" {
|
|||
display_name = "APIs prod"
|
||||
description = "APIs prod"
|
||||
envgroups = ["prod"]
|
||||
iam = {
|
||||
"roles/viewer" = ["group:devops@myorg.com"]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=8
|
||||
# tftest modules=1 resources=7
|
||||
```
|
||||
|
||||
### New environment group
|
||||
|
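Review bot: same removal as in the CLOUD example, and `resources=8` to `resources=7` again matches one binding fewer. As with the CLOUD section, the "All resources" heading now overstates what the example covers; a pointer to the new IAM section would help.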
@ -311,18 +304,69 @@ module "apigee" {
|
|||
}
|
||||
# tftest modules=1 resources=1
|
||||
```
|
||||
|
||||
### IAM
|
||||
|
||||
```hcl
|
||||
module "apigee" {
|
||||
source = "./fabric/modules/apigee"
|
||||
project_id = "my-project"
|
||||
organization = {
|
||||
display_name = "My Organization"
|
||||
description = "My Organization"
|
||||
authorized_network = "my-vpc"
|
||||
runtime_type = "CLOUD"
|
||||
billing_type = "PAYG"
|
||||
database_encryption_key = "123456789"
|
||||
analytics_region = "europe-west1"
|
||||
}
|
||||
envgroups = {
|
||||
test = ["test.example.com"]
|
||||
prod = ["prod.example.com"]
|
||||
}
|
||||
environments = {
|
||||
apis-test = {
|
||||
display_name = "APIs test"
|
||||
description = "APIs Test"
|
||||
envgroups = ["test"]
|
||||
iam = {
|
||||
"roles/apigee.environmentAdmin" = ["group:apigee-env-admin@myorg.com"]
|
||||
}
|
||||
iam_bindings_additive = {
|
||||
viewer = {
|
||||
role = "roles/viewer"
|
||||
member = "user:user1@myorg.com"
|
||||
}
|
||||
}
|
||||
}
|
||||
apis-prod = {
|
||||
display_name = "APIs prod"
|
||||
description = "APIs prod"
|
||||
envgroups = ["prod"]
|
||||
iam_bindings = {
|
||||
apigee-env-admin = {
|
||||
role = "roles/apigee.environmentAdmin"
|
||||
members = ["group:apigee-env-admin@myorg.com"]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=10
|
||||
```
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [project_id](variables.tf#L117) | Project ID. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L125) | Project ID. | <code>string</code> | ✓ | |
|
||||
| [addons_config](variables.tf#L17) | Addons configuration. | <code title="object({ advanced_api_ops = optional(bool, false) api_security = optional(bool, false) connectors_platform = optional(bool, false) integration = optional(bool, false) monetization = optional(bool, false) })">object({…})</code> | | <code>null</code> |
|
||||
| [endpoint_attachments](variables.tf#L29) | Endpoint attachments. | <code title="map(object({ region = string service_attachment = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [envgroups](variables.tf#L39) | Environment groups (NAME => [HOSTNAMES]). | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [environments](variables.tf#L46) | Environments. | <code title="map(object({ display_name = optional(string) description = optional(string, "Terraform-managed") deployment_type = optional(string) api_proxy_type = optional(string) node_config = optional(object({ min_node_count = optional(number) max_node_count = optional(number) })) iam = optional(map(list(string))) envgroups = optional(list(string)) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [instances](variables.tf#L64) | Instances ([REGION] => [INSTANCE]). | <code title="map(object({ name = optional(string) display_name = optional(string) description = optional(string, "Terraform-managed") runtime_ip_cidr_range = optional(string) troubleshooting_ip_cidr_range = optional(string) disk_encryption_key = optional(string) consumer_accept_list = optional(list(string)) enable_nat = optional(bool, false) environments = optional(list(string)) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [organization](variables.tf#L89) | Apigee organization. If set to null the organization must already exist. | <code title="object({ display_name = optional(string) description = optional(string, "Terraform-managed") authorized_network = optional(string) runtime_type = optional(string, "CLOUD") billing_type = optional(string) database_encryption_key = optional(string) analytics_region = optional(string, "europe-west1") retention = optional(string) disable_vpc_peering = optional(bool, false) })">object({…})</code> | | <code>null</code> |
|
||||
| [environments](variables.tf#L46) | Environments. | <code title="map(object({ display_name = optional(string) description = optional(string, "Terraform-managed") deployment_type = optional(string) api_proxy_type = optional(string) node_config = optional(object({ min_node_count = optional(number) max_node_count = optional(number) })) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ role = string members = list(string) })), {}) iam_bindings_additive = optional(map(object({ role = string member = string })), {}) envgroups = optional(list(string), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [instances](variables.tf#L72) | Instances ([REGION] => [INSTANCE]). | <code title="map(object({ name = optional(string) display_name = optional(string) description = optional(string, "Terraform-managed") runtime_ip_cidr_range = optional(string) troubleshooting_ip_cidr_range = optional(string) disk_encryption_key = optional(string) consumer_accept_list = optional(list(string)) enable_nat = optional(bool, false) environments = optional(list(string), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [organization](variables.tf#L97) | Apigee organization. If set to null the organization must already exist. | <code title="object({ display_name = optional(string) description = optional(string, "Terraform-managed") authorized_network = optional(string) runtime_type = optional(string, "CLOUD") billing_type = optional(string) database_encryption_key = optional(string) analytics_region = optional(string, "europe-west1") retention = optional(string) disable_vpc_peering = optional(bool, false) })">object({…})</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
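Review bot: the `### IAM` section has no prose before the example; add a sentence explaining that `iam` and `iam_bindings` are both authoritative for the role they name (the module creates `google_apigee_environment_iam_binding` for both), while `iam_bindings_additive` adds a single member without touching other members, and that the same role must not be managed authoritatively twice for one environment. The `# tftest modules=1 resources=10` count is consistent: organization (1), envgroups (2), environments (2), envgroup attachments (2), one `iam` binding, one `iam_bindings` binding and one additive member. In the variables table the line references move as expected (`project_id` L117 to L125, `instances` L64 to L72, `organization` L89 to L97) for the eight lines added to `variable "environments"`. `database_encryption_key = "123456789"` is an obvious placeholder but not the shape of a Cloud KMS key name; a `projects/.../cryptoKeys/...` style placeholder would fail less confusingly when copied.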
@ -0,0 +1,57 @@
|
|||
/**
|
||||
* Copyright 2023 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
resource "google_apigee_environment_iam_binding" "authoritative" {
|
||||
for_each = merge(concat([for k1, v1 in var.environments : {
|
||||
for k2, v2 in v1.iam : "${k1}-${k2}" => {
|
||||
environment = "${k1}"
|
||||
role = k2
|
||||
members = v2
|
||||
}
|
||||
}])...)
|
||||
org_id = local.org_id
|
||||
env_id = google_apigee_environment.environments[each.value.environment].name
|
||||
role = each.value.role
|
||||
members = each.value.members
|
||||
}
|
||||
|
||||
resource "google_apigee_environment_iam_binding" "bindings" {
|
||||
for_each = merge(concat([for k1, v1 in var.environments : {
|
||||
for k2, v2 in coalesce(v1.iam_bindings, {}) : "${k1}-${k2}" => {
|
||||
environment = "${k1}"
|
||||
role = v2.role
|
||||
members = v2.members
|
||||
}
|
||||
}])...)
|
||||
org_id = local.org_id
|
||||
env_id = google_apigee_environment.environments[each.value.environment].name
|
||||
role = each.value.role
|
||||
members = each.value.members
|
||||
}
|
||||
|
||||
resource "google_apigee_environment_iam_member" "bindings" {
|
||||
for_each = merge(concat([for k1, v1 in var.environments : {
|
||||
for k2, v2 in coalesce(v1.iam_bindings_additive, {}) : "${k1}-${k2}" => {
|
||||
environment = "${k1}"
|
||||
role = v2.role
|
||||
member = v2.member
|
||||
}
|
||||
}])...)
|
||||
org_id = local.org_id
|
||||
env_id = google_apigee_environment.environments[each.value.environment].name
|
||||
role = each.value.role
|
||||
member = each.value.member
|
||||
}
|
|
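Review bot: `authoritative` and `bindings` are both `google_apigee_environment_iam_binding`, so if a caller sets the same role for one environment through `iam` and through `iam_bindings`, the two resources will overwrite each other's member list on every apply; likewise a member added through `iam_bindings_additive` for a role that is also managed authoritatively will be removed again by the binding. Either document this or add a `validation` on `var.environments` rejecting overlapping roles. Two smaller points: `environment = "${k1}"` is an interpolation-only expression (`terraform validate` warns); use `k1`. And `coalesce(v1.iam_bindings, {})` / `coalesce(v1.iam_bindings_additive, {})` are redundant now that `variables.tf` gives both a `{}` default in this same commit, while `v1.iam` in the first resource is used directly; pick one style. Naming `google_apigee_environment_iam_member.bindings` is legal but confusing next to `google_apigee_environment_iam_binding.bindings`; `additive` would read better.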
@ -62,7 +62,7 @@ resource "google_apigee_environment" "environments" {
|
|||
|
||||
resource "google_apigee_envgroup_attachment" "envgroup_attachments" {
|
||||
for_each = merge(concat([for k1, v1 in var.environments : {
|
||||
for v2 in coalesce(v1.envgroups, []) : "${k1}-${v2}" => {
|
||||
for v2 in v1.envgroups : "${k1}-${v2}" => {
|
||||
environment = k1
|
||||
envgroup = v2
|
||||
}
|
||||
|
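Review bot: dropping `coalesce(v1.envgroups, [])` relies on the `envgroups = optional(list(string), [])` default introduced in `variables.tf` in this commit, so the two hunks must land together. The new `iam.tf` still wraps `iam_bindings` and `iam_bindings_additive` in `coalesce`, so the module now mixes both styles.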
@ -72,20 +72,6 @@ resource "google_apigee_envgroup_attachment" "envgroup_attachments" {
|
|||
depends_on = [google_apigee_envgroup.envgroups]
|
||||
}
|
||||
|
||||
resource "google_apigee_environment_iam_binding" "binding" {
|
||||
for_each = merge(concat([for k1, v1 in var.environments : {
|
||||
for k2, v2 in coalesce(v1.iam, {}) : "${k1}-${k2}" => {
|
||||
environment = "${k1}"
|
||||
role = k2
|
||||
members = v2
|
||||
}
|
||||
}])...)
|
||||
org_id = local.org_id
|
||||
env_id = google_apigee_environment.environments[each.value.environment].name
|
||||
role = each.value.role
|
||||
members = each.value.members
|
||||
}
|
||||
|
||||
resource "google_apigee_instance" "instances" {
|
||||
for_each = var.instances
|
||||
name = coalesce(each.value.name, "instance-${each.key}")
|
||||
|
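Review bot: the resource address changes from `google_apigee_environment_iam_binding.binding` (removed here) to `google_apigee_environment_iam_binding.authoritative` (added in `iam.tf`), with the same `"${k1}-${k2}"` for_each keys. Without a `moved` block, existing users will get a destroy-then-create of every authoritative environment binding on upgrade, i.e. a window in which the role has no members. A `moved { from = google_apigee_environment_iam_binding.binding  to = google_apigee_environment_iam_binding.authoritative }` block in `main.tf` or `iam.tf` avoids that, and the unchanged keys make it sufficient.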
@ -114,7 +100,7 @@ resource "google_apigee_nat_address" "apigee_nat" {
|
|||
|
||||
resource "google_apigee_instance_attachment" "instance_attachments" {
|
||||
for_each = merge(concat([for k1, v1 in var.instances : {
|
||||
for v2 in coalesce(v1.environments, []) :
|
||||
for v2 in v1.environments :
|
||||
"${k1}-${v2}" => {
|
||||
instance = k1
|
||||
environment = v2
|
||||
|
|
|
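Review bot: same pattern as the envgroup attachments: `coalesce(v1.environments, [])` is replaced by `v1.environments`, which is only safe together with the `environments = optional(list(string), [])` default added to `variable "instances"` in this commit.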
@ -54,8 +54,16 @@ variable "environments" {
|
|||
min_node_count = optional(number)
|
||||
max_node_count = optional(number)
|
||||
}))
|
||||
iam = optional(map(list(string)))
|
||||
envgroups = optional(list(string))
|
||||
iam = optional(map(list(string)), {})
|
||||
iam_bindings = optional(map(object({
|
||||
role = string
|
||||
members = list(string)
|
||||
})), {})
|
||||
iam_bindings_additive = optional(map(object({
|
||||
role = string
|
||||
member = string
|
||||
})), {})
|
||||
envgroups = optional(list(string), [])
|
||||
}))
|
||||
default = {}
|
||||
nullable = false
|
||||
|
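Review bot: `iam_bindings` is keyed by an arbitrary name with the role inside the value, so a caller can declare two entries with the same `role` for one environment (or one that also appears as a key of `iam`), which produces two authoritative `google_apigee_environment_iam_binding` resources for the same role. Add a `validation` block checking that roles are unique across `iam` and `iam_bindings` per environment, as the module cannot otherwise converge. The `{}` and `[]` defaults are what allow the `coalesce` calls to be dropped in `main.tf`.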
@ -72,7 +80,7 @@ variable "instances" {
|
|||
disk_encryption_key = optional(string)
|
||||
consumer_accept_list = optional(list(string))
|
||||
enable_nat = optional(bool, false)
|
||||
environments = optional(list(string))
|
||||
environments = optional(list(string), [])
|
||||
}))
|
||||
validation {
|
||||
condition = alltrue([
|
||||
|
|
|
@ -168,7 +168,10 @@ resource "google_container_node_pool" "nodepool" {
|
|||
gpu_partition_size = var.node_config.guest_accelerator.gpu_driver == null ? null : var.node_config.guest_accelerator.gpu_driver.partition_size
|
||||
|
||||
dynamic "gpu_sharing_config" {
|
||||
for_each = var.node_config.guest_accelerator.gpu_driver != null ? [""] : []
|
||||
for_each = lookup(
|
||||
lookup(var.node_config.guest_accelerator, "gpu_driver", {}),
|
||||
"max_shared_clients_per_gpu"
|
||||
) != null ? [""] : []
|
||||
content {
|
||||
gpu_sharing_strategy = var.node_config.guest_accelerator.gpu_driver.max_shared_clients_per_gpu != null ? "TIME_SHARING" : null
|
||||
max_shared_clients_per_gpu = var.node_config.guest_accelerator.gpu_driver.max_shared_clients_per_gpu
|
||||
|
|
|
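Review bot: the old guard was `gpu_driver != null`, which means `gpu_driver` is an attribute that can be present but null. In that case `lookup(var.node_config.guest_accelerator, "gpu_driver", {})` returns null rather than the `{}` default (the default only applies to a missing key), and the inner two-argument `lookup` is then called on null. `try(var.node_config.guest_accelerator.gpu_driver.max_shared_clients_per_gpu, null) != null ? [""] : []` expresses the intended condition directly and avoids the default-less `lookup` form. The `content` block still dereferences `gpu_driver.max_shared_clients_per_gpu` unconditionally, which is fine only while the `for_each` guard holds.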
@ -41,7 +41,7 @@ values:
|
|||
description: APIs Test
|
||||
display_name: APIs test
|
||||
name: apis-test
|
||||
google_apigee_environment_iam_binding.binding["apis-prod-roles/viewer"]:
|
||||
google_apigee_environment_iam_binding.authoritative["apis-prod-roles/viewer"]:
|
||||
condition: []
|
||||
env_id: apis-prod
|
||||
members:
|
||||
|
|
|
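Review bot: the inventory key moves from `google_apigee_environment_iam_binding.binding["apis-prod-roles/viewer"]` to `...authoritative[...]`, confirming that the for_each key scheme is unchanged. Inventories do not cover the state migration from the old address; a `moved` block plus an upgrade test would close that gap.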
@ -42,7 +42,7 @@ values:
|
|||
description: APIs Test
|
||||
display_name: APIs test
|
||||
name: apis-test
|
||||
google_apigee_environment_iam_binding.binding["apis-prod-roles/viewer"]:
|
||||
google_apigee_environment_iam_binding.authoritative["apis-prod-roles/viewer"]:
|
||||
condition: []
|
||||
env_id: apis-prod
|
||||
members:
|
||||
|
|
|
@ -29,9 +29,7 @@ values:
|
|||
gpu_driver_installation_config:
|
||||
- gpu_driver_version: LATEST
|
||||
gpu_partition_size: null
|
||||
gpu_sharing_config:
|
||||
- gpu_sharing_strategy: null
|
||||
max_shared_clients_per_gpu: null
|
||||
gpu_sharing_config: null
|
||||
type: nvidia-tesla-a100
|
||||
gvnic: []
|
||||
machine_type: a2-highgpu-1g
|
||||
|
|
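Review bot: the previous expectation was a `gpu_sharing_config` block with both `gpu_sharing_strategy` and `max_shared_clients_per_gpu` null, i.e. an empty block sent to the API; `gpu_sharing_config: null` is what the new `for_each` guard produces when `max_shared_clients_per_gpu` is unset. Only this branch is tested; add a second inventory case with `max_shared_clients_per_gpu` set so the `TIME_SHARING` branch of the `content` block is exercised too.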