Change psa type in net-vpc, fix psa in fast net stages (#545)
* change psn type in net-vpc, fix psa in fast net stages * fix doc examples * psn ---> psa
This commit is contained in:
parent
34f8d05f8d
commit
c91802f501
|
@ -353,8 +353,8 @@ Don't forget to add a peering zone in the landing project and point it to the ne
|
|||
| [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | <code>google_monitoring_dashboard</code> |
|
||||
| [nva.tf](./nva.tf) | None | <code>compute-mig</code> · <code>compute-vm</code> · <code>net-ilb</code> | |
|
||||
| [outputs.tf](./outputs.tf) | Module outputs. | | <code>local_file</code> |
|
||||
| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | <code>net-address</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>net-vpc-peering</code> · <code>project</code> | |
|
||||
| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | <code>net-address</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>net-vpc-peering</code> · <code>project</code> | |
|
||||
| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>net-vpc-peering</code> · <code>project</code> | |
|
||||
| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>net-vpc-peering</code> · <code>project</code> | |
|
||||
| [test-resources.tf](./test-resources.tf) | temporary instances for testing | <code>compute-vm</code> | |
|
||||
| [variables.tf](./variables.tf) | Module variables. | | |
|
||||
| [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | <code>net-vpn-ha</code> | |
|
||||
|
|
|
@ -50,6 +50,7 @@ module "dev-spoke-vpc" {
|
|||
mtu = 1500
|
||||
data_folder = "${var.data_dir}/subnets/dev"
|
||||
delete_default_routes_on_create = true
|
||||
psa_ranges = var.psa_ranges.dev
|
||||
subnets_l7ilb = local.l7ilb_subnets.dev
|
||||
# Set explicit routes for googleapis; send everything else to NVAs
|
||||
routes = {
|
||||
|
@ -110,17 +111,6 @@ module "dev-spoke-firewall" {
|
|||
cidr_template_file = "${var.data_dir}/cidrs.yaml"
|
||||
}
|
||||
|
||||
module "dev-spoke-psa-addresses" {
|
||||
source = "../../../modules/net-address"
|
||||
project_id = module.dev-spoke-project.project_id
|
||||
psa_addresses = { for r, v in var.psa_ranges.dev : r => {
|
||||
address = cidrhost(v, 0)
|
||||
network = module.dev-spoke-vpc.self_link
|
||||
prefix_length = split("/", v)[1]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
module "peering-dev" {
|
||||
source = "../../../modules/net-vpc-peering"
|
||||
prefix = "dev-peering-0"
|
||||
|
|
|
@ -50,6 +50,7 @@ module "prod-spoke-vpc" {
|
|||
mtu = 1500
|
||||
data_folder = "${var.data_dir}/subnets/prod"
|
||||
delete_default_routes_on_create = true
|
||||
psa_ranges = var.psa_ranges.prod
|
||||
subnets_l7ilb = local.l7ilb_subnets.prod
|
||||
# Set explicit routes for googleapis; send everything else to NVAs
|
||||
routes = {
|
||||
|
@ -110,17 +111,6 @@ module "prod-spoke-firewall" {
|
|||
cidr_template_file = "${var.data_dir}/cidrs.yaml"
|
||||
}
|
||||
|
||||
module "prod-spoke-psa-addresses" {
|
||||
source = "../../../modules/net-address"
|
||||
project_id = module.prod-spoke-project.project_id
|
||||
psa_addresses = { for r, v in var.psa_ranges.prod : r => {
|
||||
address = cidrhost(v, 0)
|
||||
network = module.prod-spoke-vpc.self_link
|
||||
prefix_length = split("/", v)[1]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
module "peering-prod" {
|
||||
source = "../../../modules/net-vpc-peering"
|
||||
prefix = "prod-peering-0"
|
||||
|
|
|
@ -296,8 +296,8 @@ DNS configurations are centralised in the `dns.tf` file. Spokes delegate DNS res
|
|||
| [main.tf](./main.tf) | Networking folder and hierarchical policy. | <code>folder</code> | |
|
||||
| [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | <code>google_monitoring_dashboard</code> |
|
||||
| [outputs.tf](./outputs.tf) | Module outputs. | | <code>local_file</code> |
|
||||
| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | <code>net-address</code> · <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | <code>google_project_iam_binding</code> |
|
||||
| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | <code>net-address</code> · <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | <code>google_project_iam_binding</code> |
|
||||
| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | <code>google_project_iam_binding</code> |
|
||||
| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | <code>google_project_iam_binding</code> |
|
||||
| [test-resources.tf](./test-resources.tf) | temporary instances for testing | <code>compute-vm</code> | |
|
||||
| [variables.tf](./variables.tf) | Module variables. | | |
|
||||
| [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | <code>net-vpn-ha</code> | |
|
||||
|
|
|
@ -52,6 +52,7 @@ module "dev-spoke-vpc" {
|
|||
name = "dev-spoke-0"
|
||||
mtu = 1500
|
||||
data_folder = "${var.data_dir}/subnets/dev"
|
||||
psa_ranges = var.psa_ranges.dev
|
||||
subnets_l7ilb = local.l7ilb_subnets.dev
|
||||
# set explicit routes for googleapis in case the default route is deleted
|
||||
routes = {
|
||||
|
@ -96,17 +97,6 @@ module "dev-spoke-cloudnat" {
|
|||
logging_filter = "ERRORS_ONLY"
|
||||
}
|
||||
|
||||
module "dev-spoke-psa-addresses" {
|
||||
source = "../../../modules/net-address"
|
||||
project_id = module.dev-spoke-project.project_id
|
||||
psa_addresses = { for r, v in var.psa_ranges.dev : r => {
|
||||
address = cidrhost(v, 0)
|
||||
network = module.dev-spoke-vpc.self_link
|
||||
prefix_length = split("/", v)[1]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# Create delegated grants for stage3 service accounts
|
||||
resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
|
||||
project = module.dev-spoke-project.project_id
|
||||
|
|
|
@ -52,6 +52,7 @@ module "prod-spoke-vpc" {
|
|||
name = "prod-spoke-0"
|
||||
mtu = 1500
|
||||
data_folder = "${var.data_dir}/subnets/prod"
|
||||
psa_ranges = var.psa_ranges.prod
|
||||
subnets_l7ilb = local.l7ilb_subnets.prod
|
||||
# set explicit routes for googleapis in case the default route is deleted
|
||||
routes = {
|
||||
|
@ -96,17 +97,6 @@ module "prod-spoke-cloudnat" {
|
|||
logging_filter = "ERRORS_ONLY"
|
||||
}
|
||||
|
||||
module "prod-spoke-psa-addresses" {
|
||||
source = "../../../modules/net-address"
|
||||
project_id = module.prod-spoke-project.project_id
|
||||
psa_addresses = { for r, v in var.psa_ranges.prod : r => {
|
||||
address = cidrhost(v, 0)
|
||||
network = module.prod-spoke-vpc.self_link
|
||||
prefix_length = split("/", v)[1]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# Create delegated grants for stage3 service accounts
|
||||
resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
|
||||
project = module.prod-spoke-project.project_id
|
||||
|
|
|
@ -25,7 +25,7 @@ module "vpc" {
|
|||
source = "./modules/net-vpc"
|
||||
project_id = module.project.project_id
|
||||
name = "my-network"
|
||||
psn_ranges = ["10.60.0.0/16"]
|
||||
psa_ranges = {cloudsql-ew1-0="10.60.0.0/16"}
|
||||
}
|
||||
|
||||
module "db" {
|
||||
|
|
|
@ -138,7 +138,7 @@ module "vpc" {
|
|||
secondary_ip_range = null
|
||||
}
|
||||
]
|
||||
psn_ranges = ["10.10.0.0/16"]
|
||||
psa_ranges = {range-a = "10.10.0.0/16"}
|
||||
}
|
||||
# tftest modules=1 resources=4
|
||||
```
|
||||
|
@ -171,8 +171,8 @@ module "vpc" {
|
|||
```
|
||||
|
||||
### Subnet Factory
|
||||
The `net-vpc` module includes a subnet factory (see [Resource Factories](../../examples/factories/)) for the massive creation of subnets leveraging one configuration file per subnet.
|
||||
|
||||
The `net-vpc` module includes a subnet factory (see [Resource Factories](../../examples/factories/)) for the massive creation of subnets leveraging one configuration file per subnet.
|
||||
|
||||
```hcl
|
||||
module "vpc" {
|
||||
|
@ -220,7 +220,7 @@ flow_logs: # enable, set to empty map to use defaults
|
|||
| [mtu](variables.tf#L80) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 and the maximum value is 1500 bytes. | <code></code> | | <code>null</code> |
|
||||
| [peering_config](variables.tf#L90) | VPC peering configuration. | <code title="object({ peer_vpc_self_link = string export_routes = bool import_routes = bool })">object({…})</code> | | <code>null</code> |
|
||||
| [peering_create_remote_end](variables.tf#L100) | Skip creation of peering on the remote end when using peering_config. | <code>bool</code> | | <code>true</code> |
|
||||
| [psn_ranges](variables.tf#L111) | CIDR ranges used for Google services that support Private Service Networking. | <code>list(string)</code> | | <code>null</code> |
|
||||
| [psa_ranges](variables.tf#L111) | CIDR ranges used for Google services that support Private Service Networking. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [routes](variables.tf#L124) | Network routes, keyed by name. | <code title="map(object({ dest_range = string priority = number tags = list(string) next_hop_type = string # gateway, instance, ip, vpn_tunnel, ilb next_hop = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [routing_mode](variables.tf#L136) | The network routing mode (default 'GLOBAL'). | <code>string</code> | | <code>"GLOBAL"</code> |
|
||||
| [shared_vpc_host](variables.tf#L146) | Enable shared VPC for this project. | <code>bool</code> | | <code>false</code> |
|
||||
|
|
|
@ -78,11 +78,11 @@ locals {
|
|||
? null
|
||||
: element(reverse(split("/", var.peering_config.peer_vpc_self_link)), 0)
|
||||
)
|
||||
psn_ranges = {
|
||||
for r in(var.psn_ranges == null ? [] : var.psn_ranges) : r => {
|
||||
address = split("/", r)[0]
|
||||
name = replace(split("/", r)[0], ".", "-")
|
||||
prefix_length = split("/", r)[1]
|
||||
psa_ranges = {
|
||||
for k, v in coalesce(var.psa_ranges, {}) : k => {
|
||||
address = split("/", v)[0]
|
||||
name = k
|
||||
prefix_length = split("/", v)[1]
|
||||
}
|
||||
}
|
||||
routes = {
|
||||
|
@ -328,10 +328,10 @@ resource "google_dns_policy" "default" {
|
|||
}
|
||||
}
|
||||
|
||||
resource "google_compute_global_address" "psn_ranges" {
|
||||
for_each = local.psn_ranges
|
||||
resource "google_compute_global_address" "psa_ranges" {
|
||||
for_each = local.psa_ranges
|
||||
project = var.project_id
|
||||
name = "${var.name}-psn-${each.value.name}"
|
||||
name = "${var.name}-psa-${each.key}"
|
||||
purpose = "VPC_PEERING"
|
||||
address_type = "INTERNAL"
|
||||
address = each.value.address
|
||||
|
@ -339,11 +339,11 @@ resource "google_compute_global_address" "psn_ranges" {
|
|||
network = local.network.id
|
||||
}
|
||||
|
||||
resource "google_service_networking_connection" "psn_connection" {
|
||||
for_each = toset(local.psn_ranges == {} ? [] : [""])
|
||||
resource "google_service_networking_connection" "psa_connection" {
|
||||
for_each = toset(local.psa_ranges == {} ? [] : [""])
|
||||
network = local.network.id
|
||||
service = "servicenetworking.googleapis.com"
|
||||
reserved_peering_ranges = [
|
||||
for k, v in google_compute_global_address.psn_ranges : v.name
|
||||
for k, v in google_compute_global_address.psa_ranges : v.name
|
||||
]
|
||||
}
|
||||
|
|
|
@ -27,7 +27,7 @@ output "name" {
|
|||
google_compute_network_peering.remote,
|
||||
google_compute_shared_vpc_host_project.shared_vpc_host,
|
||||
google_compute_shared_vpc_service_project.service_projects,
|
||||
google_service_networking_connection.psn_connection
|
||||
google_service_networking_connection.psa_connection
|
||||
]
|
||||
}
|
||||
|
||||
|
@ -39,7 +39,7 @@ output "network" {
|
|||
google_compute_network_peering.remote,
|
||||
google_compute_shared_vpc_host_project.shared_vpc_host,
|
||||
google_compute_shared_vpc_service_project.service_projects,
|
||||
google_service_networking_connection.psn_connection
|
||||
google_service_networking_connection.psa_connection
|
||||
]
|
||||
}
|
||||
|
||||
|
@ -52,7 +52,7 @@ output "project_id" {
|
|||
google_compute_network_peering.remote,
|
||||
google_compute_shared_vpc_host_project.shared_vpc_host,
|
||||
google_compute_shared_vpc_service_project.service_projects,
|
||||
google_service_networking_connection.psn_connection
|
||||
google_service_networking_connection.psa_connection
|
||||
]
|
||||
}
|
||||
|
||||
|
@ -64,7 +64,7 @@ output "self_link" {
|
|||
google_compute_network_peering.remote,
|
||||
google_compute_shared_vpc_host_project.shared_vpc_host,
|
||||
google_compute_shared_vpc_service_project.service_projects,
|
||||
google_service_networking_connection.psn_connection
|
||||
google_service_networking_connection.psa_connection
|
||||
]
|
||||
}
|
||||
|
||||
|
|
|
@ -108,16 +108,16 @@ variable "project_id" {
|
|||
type = string
|
||||
}
|
||||
|
||||
variable "psn_ranges" {
|
||||
variable "psa_ranges" {
|
||||
description = "CIDR ranges used for Google services that support Private Service Networking."
|
||||
type = list(string)
|
||||
type = map(string)
|
||||
default = null
|
||||
validation {
|
||||
condition = alltrue([
|
||||
for r in(var.psn_ranges == null ? [] : var.psn_ranges) :
|
||||
can(cidrnetmask(r))
|
||||
for k, v in(var.psa_ranges == null ? {} : var.psa_ranges) :
|
||||
can(cidrnetmask(v))
|
||||
])
|
||||
error_message = "Specify a valid RFC1918 CIDR range for Private Service Networking."
|
||||
error_message = "Specify valid RFC1918 CIDR ranges for Private Service Networking."
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -30,6 +30,6 @@ module "test" {
|
|||
subnet_flow_logs = var.subnet_flow_logs
|
||||
subnet_private_access = var.subnet_private_access
|
||||
auto_create_subnetworks = var.auto_create_subnetworks
|
||||
psn_ranges = var.psn_ranges
|
||||
psa_ranges = var.psa_ranges
|
||||
data_folder = var.data_folder
|
||||
}
|
||||
|
|
|
@ -61,8 +61,8 @@ variable "peering_config" {
|
|||
default = null
|
||||
}
|
||||
|
||||
variable "psn_ranges" {
|
||||
type = list(string)
|
||||
variable "psa_ranges" {
|
||||
type = map(string)
|
||||
default = null
|
||||
}
|
||||
|
||||
|
|
|
@ -16,20 +16,21 @@ import tftest
|
|||
|
||||
|
||||
def test_single_range(plan_runner):
|
||||
"Test single PSN range."
|
||||
_, resources = plan_runner(psn_ranges='["172.16.100.0/24"]')
|
||||
"Test single PSA range."
|
||||
_, resources = plan_runner(psa_ranges='{foobar="172.16.100.0/24"}')
|
||||
assert len(resources) == 3
|
||||
|
||||
|
||||
def test_multi_range(plan_runner):
|
||||
"Test multiple PSN ranges."
|
||||
_, resources = plan_runner(psn_ranges='["172.16.100.0/24", "172.16.101.0/24"]')
|
||||
"Test multiple PSA ranges."
|
||||
psa_ranges = '{foobar="172.16.100.0/24", frobniz="172.16.101.0/24"}'
|
||||
_, resources = plan_runner(psa_ranges=psa_ranges)
|
||||
assert len(resources) == 4
|
||||
|
||||
|
||||
def test_validation(plan_runner):
|
||||
"Test PSN variable validation."
|
||||
"Test PSA variable validation."
|
||||
try:
|
||||
plan_runner(psn_ranges='["foobar"]')
|
||||
plan_runner(psa_ranges='{foobar="foobar"}')
|
||||
except tftest.TerraformTestError as e:
|
||||
assert 'Invalid value for variable' in e.args[0]
|
Loading…
Reference in New Issue