Change psa type in net-vpc, fix psa in fast net stages (#545)

* change psn type in net-vpc, fix psa in fast net stages

* fix doc examples

* psn ---> psa

fast/stages/02-networking-nva/README.md

@@ -353,8 +353,8 @@ Don't forget to add a peering zone in the landing project and point it to the ne
 | [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. |  | <code>google_monitoring_dashboard</code> |
 | [nva.tf](./nva.tf) | None | <code>compute-mig</code> · <code>compute-vm</code> · <code>net-ilb</code> |  |
 | [outputs.tf](./outputs.tf) | Module outputs. |  | <code>local_file</code> |
-| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | <code>net-address</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>net-vpc-peering</code> · <code>project</code> |  |
-| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | <code>net-address</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>net-vpc-peering</code> · <code>project</code> |  |
+| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>net-vpc-peering</code> · <code>project</code> |  |
+| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>net-vpc-peering</code> · <code>project</code> |  |
 | [test-resources.tf](./test-resources.tf) | temporary instances for testing | <code>compute-vm</code> |  |
 | [variables.tf](./variables.tf) | Module variables. |  |  |
 | [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | <code>net-vpn-ha</code> |  |

fast/stages/02-networking-nva/spoke-dev.tf

@@ -50,6 +50,7 @@ module "dev-spoke-vpc" {
   mtu                             = 1500
   data_folder                     = "${var.data_dir}/subnets/dev"
   delete_default_routes_on_create = true
+  psa_ranges                      = var.psa_ranges.dev
   subnets_l7ilb                   = local.l7ilb_subnets.dev
   # Set explicit routes for googleapis; send everything else to NVAs
   routes = {
@@ -110,17 +111,6 @@ module "dev-spoke-firewall" {
   cidr_template_file  = "${var.data_dir}/cidrs.yaml"
 }
 
-module "dev-spoke-psa-addresses" {
-  source     = "../../../modules/net-address"
-  project_id = module.dev-spoke-project.project_id
-  psa_addresses = { for r, v in var.psa_ranges.dev : r => {
-    address       = cidrhost(v, 0)
-    network       = module.dev-spoke-vpc.self_link
-    prefix_length = split("/", v)[1]
-    }
-  }
-}
-
 module "peering-dev" {
   source        = "../../../modules/net-vpc-peering"
   prefix        = "dev-peering-0"

fast/stages/02-networking-nva/spoke-prod.tf

@@ -50,6 +50,7 @@ module "prod-spoke-vpc" {
   mtu                             = 1500
   data_folder                     = "${var.data_dir}/subnets/prod"
   delete_default_routes_on_create = true
+  psa_ranges                      = var.psa_ranges.prod
   subnets_l7ilb                   = local.l7ilb_subnets.prod
   # Set explicit routes for googleapis; send everything else to NVAs
   routes = {
@@ -110,17 +111,6 @@ module "prod-spoke-firewall" {
   cidr_template_file  = "${var.data_dir}/cidrs.yaml"
 }
 
-module "prod-spoke-psa-addresses" {
-  source     = "../../../modules/net-address"
-  project_id = module.prod-spoke-project.project_id
-  psa_addresses = { for r, v in var.psa_ranges.prod : r => {
-    address       = cidrhost(v, 0)
-    network       = module.prod-spoke-vpc.self_link
-    prefix_length = split("/", v)[1]
-    }
-  }
-}
-
 module "peering-prod" {
   source        = "../../../modules/net-vpc-peering"
   prefix        = "prod-peering-0"

fast/stages/02-networking-vpn/README.md

@@ -296,8 +296,8 @@ DNS configurations are centralised in the `dns.tf` file. Spokes delegate DNS res
 | [main.tf](./main.tf) | Networking folder and hierarchical policy. | <code>folder</code> |  |
 | [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. |  | <code>google_monitoring_dashboard</code> |
 | [outputs.tf](./outputs.tf) | Module outputs. |  | <code>local_file</code> |
-| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | <code>net-address</code> · <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | <code>google_project_iam_binding</code> |
-| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | <code>net-address</code> · <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | <code>google_project_iam_binding</code> |
+| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | <code>google_project_iam_binding</code> |
+| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | <code>google_project_iam_binding</code> |
 | [test-resources.tf](./test-resources.tf) | temporary instances for testing | <code>compute-vm</code> |  |
 | [variables.tf](./variables.tf) | Module variables. |  |  |
 | [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | <code>net-vpn-ha</code> |  |

fast/stages/02-networking-vpn/spoke-dev.tf

@@ -52,6 +52,7 @@ module "dev-spoke-vpc" {
   name          = "dev-spoke-0"
   mtu           = 1500
   data_folder   = "${var.data_dir}/subnets/dev"
+  psa_ranges    = var.psa_ranges.dev
   subnets_l7ilb = local.l7ilb_subnets.dev
   # set explicit routes for googleapis in case the default route is deleted
   routes = {
@@ -96,17 +97,6 @@ module "dev-spoke-cloudnat" {
   logging_filter = "ERRORS_ONLY"
 }
 
-module "dev-spoke-psa-addresses" {
-  source     = "../../../modules/net-address"
-  project_id = module.dev-spoke-project.project_id
-  psa_addresses = { for r, v in var.psa_ranges.dev : r => {
-    address       = cidrhost(v, 0)
-    network       = module.dev-spoke-vpc.self_link
-    prefix_length = split("/", v)[1]
-    }
-  }
-}
-
 # Create delegated grants for stage3 service accounts
 resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
   project = module.dev-spoke-project.project_id

fast/stages/02-networking-vpn/spoke-prod.tf

@@ -52,6 +52,7 @@ module "prod-spoke-vpc" {
   name          = "prod-spoke-0"
   mtu           = 1500
   data_folder   = "${var.data_dir}/subnets/prod"
+  psa_ranges    = var.psa_ranges.prod
   subnets_l7ilb = local.l7ilb_subnets.prod
   # set explicit routes for googleapis in case the default route is deleted
   routes = {
@@ -96,17 +97,6 @@ module "prod-spoke-cloudnat" {
   logging_filter = "ERRORS_ONLY"
 }
 
-module "prod-spoke-psa-addresses" {
-  source     = "../../../modules/net-address"
-  project_id = module.prod-spoke-project.project_id
-  psa_addresses = { for r, v in var.psa_ranges.prod : r => {
-    address       = cidrhost(v, 0)
-    network       = module.prod-spoke-vpc.self_link
-    prefix_length = split("/", v)[1]
-    }
-  }
-}
-
 # Create delegated grants for stage3 service accounts
 resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
   project = module.prod-spoke-project.project_id

modules/cloudsql-instance/README.md

@@ -25,7 +25,7 @@ module "vpc" {
   source     = "./modules/net-vpc"
   project_id = module.project.project_id
   name       = "my-network"
-  psn_ranges = ["10.60.0.0/16"]
+  psa_ranges = {cloudsql-ew1-0="10.60.0.0/16"}
 }
 
 module "db" {

modules/net-vpc/README.md

@@ -138,7 +138,7 @@ module "vpc" {
       secondary_ip_range = null
     }
   ]
-  psn_ranges = ["10.10.0.0/16"]
+  psa_ranges = {range-a = "10.10.0.0/16"}
 }
 # tftest modules=1 resources=4
 ```
@@ -171,8 +171,8 @@ module "vpc" {
 ```
 
 ### Subnet Factory
-The `net-vpc` module includes a subnet factory (see [Resource Factories](../../examples/factories/)) for the massive creation of subnets leveraging one configuration file per subnet.
 
+The `net-vpc` module includes a subnet factory (see [Resource Factories](../../examples/factories/)) for the massive creation of subnets leveraging one configuration file per subnet.
 
 ```hcl
 module "vpc" {
@@ -220,7 +220,7 @@ flow_logs:                        # enable, set to empty map to use defaults
 | [mtu](variables.tf#L80) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 and the maximum value is 1500 bytes. | <code></code> |  | <code>null</code> |
 | [peering_config](variables.tf#L90) | VPC peering configuration. | <code title="object&#40;&#123;&#10;  peer_vpc_self_link &#61; string&#10;  export_routes      &#61; bool&#10;  import_routes      &#61; bool&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 | [peering_create_remote_end](variables.tf#L100) | Skip creation of peering on the remote end when using peering_config. | <code>bool</code> |  | <code>true</code> |
-| [psn_ranges](variables.tf#L111) | CIDR ranges used for Google services that support Private Service Networking. | <code>list&#40;string&#41;</code> |  | <code>null</code> |
+| [psa_ranges](variables.tf#L111) | CIDR ranges used for Google services that support Private Service Networking. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
 | [routes](variables.tf#L124) | Network routes, keyed by name. | <code title="map&#40;object&#40;&#123;&#10;  dest_range    &#61; string&#10;  priority      &#61; number&#10;  tags          &#61; list&#40;string&#41;&#10;  next_hop_type &#61; string &#35; gateway, instance, ip, vpn_tunnel, ilb&#10;  next_hop      &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [routing_mode](variables.tf#L136) | The network routing mode (default 'GLOBAL'). | <code>string</code> |  | <code>&#34;GLOBAL&#34;</code> |
 | [shared_vpc_host](variables.tf#L146) | Enable shared VPC for this project. | <code>bool</code> |  | <code>false</code> |

modules/net-vpc/main.tf

@@ -78,11 +78,11 @@ locals {
     ? null
     : element(reverse(split("/", var.peering_config.peer_vpc_self_link)), 0)
   )
-  psn_ranges = {
-    for r in(var.psn_ranges == null ? [] : var.psn_ranges) : r => {
-      address       = split("/", r)[0]
-      name          = replace(split("/", r)[0], ".", "-")
-      prefix_length = split("/", r)[1]
+  psa_ranges = {
+    for k, v in coalesce(var.psa_ranges, {}) : k => {
+      address       = split("/", v)[0]
+      name          = k
+      prefix_length = split("/", v)[1]
     }
   }
   routes = {
@@ -328,10 +328,10 @@ resource "google_dns_policy" "default" {
   }
 }
 
-resource "google_compute_global_address" "psn_ranges" {
-  for_each      = local.psn_ranges
+resource "google_compute_global_address" "psa_ranges" {
+  for_each      = local.psa_ranges
   project       = var.project_id
-  name          = "${var.name}-psn-${each.value.name}"
+  name          = "${var.name}-psa-${each.key}"
   purpose       = "VPC_PEERING"
   address_type  = "INTERNAL"
   address       = each.value.address
@@ -339,11 +339,11 @@ resource "google_compute_global_address" "psn_ranges" {
   network       = local.network.id
 }
 
-resource "google_service_networking_connection" "psn_connection" {
-  for_each = toset(local.psn_ranges == {} ? [] : [""])
+resource "google_service_networking_connection" "psa_connection" {
+  for_each = toset(local.psa_ranges == {} ? [] : [""])
   network  = local.network.id
   service  = "servicenetworking.googleapis.com"
   reserved_peering_ranges = [
-    for k, v in google_compute_global_address.psn_ranges : v.name
+    for k, v in google_compute_global_address.psa_ranges : v.name
   ]
 }

modules/net-vpc/outputs.tf

@@ -27,7 +27,7 @@ output "name" {
     google_compute_network_peering.remote,
     google_compute_shared_vpc_host_project.shared_vpc_host,
     google_compute_shared_vpc_service_project.service_projects,
-    google_service_networking_connection.psn_connection
+    google_service_networking_connection.psa_connection
   ]
 }
 
@@ -39,7 +39,7 @@ output "network" {
     google_compute_network_peering.remote,
     google_compute_shared_vpc_host_project.shared_vpc_host,
     google_compute_shared_vpc_service_project.service_projects,
-    google_service_networking_connection.psn_connection
+    google_service_networking_connection.psa_connection
   ]
 }
 
@@ -52,7 +52,7 @@ output "project_id" {
     google_compute_network_peering.remote,
     google_compute_shared_vpc_host_project.shared_vpc_host,
     google_compute_shared_vpc_service_project.service_projects,
-    google_service_networking_connection.psn_connection
+    google_service_networking_connection.psa_connection
   ]
 }
 
@@ -64,7 +64,7 @@ output "self_link" {
     google_compute_network_peering.remote,
     google_compute_shared_vpc_host_project.shared_vpc_host,
     google_compute_shared_vpc_service_project.service_projects,
-    google_service_networking_connection.psn_connection
+    google_service_networking_connection.psa_connection
   ]
 }
 

modules/net-vpc/variables.tf

@@ -108,16 +108,16 @@ variable "project_id" {
   type        = string
 }
 
-variable "psn_ranges" {
+variable "psa_ranges" {
   description = "CIDR ranges used for Google services that support Private Service Networking."
-  type        = list(string)
+  type        = map(string)
   default     = null
   validation {
     condition = alltrue([
-      for r in(var.psn_ranges == null ? [] : var.psn_ranges) :
-      can(cidrnetmask(r))
+      for k, v in(var.psa_ranges == null ? {} : var.psa_ranges) :
+      can(cidrnetmask(v))
     ])
-    error_message = "Specify a valid RFC1918 CIDR range for Private Service Networking."
+    error_message = "Specify valid RFC1918 CIDR ranges for Private Service Networking."
   }
 }
 

tests/modules/net_vpc/fixture/main.tf

@@ -30,6 +30,6 @@ module "test" {
   subnet_flow_logs            = var.subnet_flow_logs
   subnet_private_access       = var.subnet_private_access
   auto_create_subnetworks     = var.auto_create_subnetworks
-  psn_ranges                  = var.psn_ranges
+  psa_ranges                  = var.psa_ranges
   data_folder                 = var.data_folder
 }

tests/modules/net_vpc/fixture/variables.tf

@@ -61,8 +61,8 @@ variable "peering_config" {
   default = null
 }
 
-variable "psn_ranges" {
-  type    = list(string)
+variable "psa_ranges" {
+  type    = map(string)
   default = null
 }
 

tests/modules/net_vpc/test_plan_psa.py

@@ -16,20 +16,21 @@ import tftest
 
 
 def test_single_range(plan_runner):
-  "Test single PSN range."
-  _, resources = plan_runner(psn_ranges='["172.16.100.0/24"]')
+  "Test single PSA range."
+  _, resources = plan_runner(psa_ranges='{foobar="172.16.100.0/24"}')
   assert len(resources) == 3
 
 
 def test_multi_range(plan_runner):
-  "Test multiple PSN ranges."
-  _, resources = plan_runner(psn_ranges='["172.16.100.0/24", "172.16.101.0/24"]')
+  "Test multiple PSA ranges."
+  psa_ranges = '{foobar="172.16.100.0/24", frobniz="172.16.101.0/24"}'
+  _, resources = plan_runner(psa_ranges=psa_ranges)
   assert len(resources) == 4
 
 
 def test_validation(plan_runner):
-  "Test PSN variable validation."
+  "Test PSA variable validation."
   try:
-    plan_runner(psn_ranges='["foobar"]')
+    plan_runner(psa_ranges='{foobar="foobar"}')
   except tftest.TerraformTestError as e:
     assert 'Invalid value for variable' in e.args[0]