fixed e2e test for shared-vpc and subnet-iam
This commit is contained in:
parent
a259d2cbdb
commit
d9cd46d8a7
|
@ -114,7 +114,7 @@ module "vpc" {
|
||||||
ip_cidr_range = "10.0.1.0/24"
|
ip_cidr_range = "10.0.1.0/24"
|
||||||
iam = {
|
iam = {
|
||||||
"roles/compute.networkUser" = [
|
"roles/compute.networkUser" = [
|
||||||
"user:${var.user_email}", "group:${var.group_email}"
|
"group:${var.group_email}"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
iam_bindings = {
|
iam_bindings = {
|
||||||
|
@ -134,7 +134,7 @@ module "vpc" {
|
||||||
ip_cidr_range = "10.0.2.0/24"
|
ip_cidr_range = "10.0.2.0/24"
|
||||||
iam_bindings_additive = {
|
iam_bindings_additive = {
|
||||||
subnet-2-iam = {
|
subnet-2-iam = {
|
||||||
member = "user:${var.user_email}"
|
member = "group:${var.group_email}"
|
||||||
role = "roles/compute.networkUser"
|
role = "roles/compute.networkUser"
|
||||||
subnet = "europe-west1/subnet-2"
|
subnet = "europe-west1/subnet-2"
|
||||||
}
|
}
|
||||||
|
@ -185,14 +185,21 @@ module "vpc-spoke-1" {
|
||||||
[Shared VPC](https://cloud.google.com/vpc/docs/shared-vpc) is a project-level functionality which enables a project to share its VPCs with other projects. The `shared_vpc_host` variable is here to help with rapid prototyping, we recommend leveraging the project module for production usage.
|
[Shared VPC](https://cloud.google.com/vpc/docs/shared-vpc) is a project-level functionality which enables a project to share its VPCs with other projects. The `shared_vpc_host` variable is here to help with rapid prototyping, we recommend leveraging the project module for production usage.
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
locals {
|
|
||||||
service_project_1 = {
|
module "service-project" {
|
||||||
project_id = var.service_project_1.project_id
|
source = "./fabric/modules/project"
|
||||||
gke_service_account = "serviceAccount:${var.service_account.email}"
|
billing_account = var.billing_account_id
|
||||||
cloud_services_service_account = "serviceAccount:${var.service_account.email}"
|
name = "prj1"
|
||||||
}
|
prefix = var.prefix
|
||||||
service_project_2 = {
|
parent = var.folder_id
|
||||||
project_id = var.service_project_2.project_id
|
services = [
|
||||||
|
"cloudresourcemanager.googleapis.com",
|
||||||
|
"compute.googleapis.com",
|
||||||
|
"iam.googleapis.com",
|
||||||
|
"serviceusage.googleapis.com"
|
||||||
|
]
|
||||||
|
shared_vpc_service_config = {
|
||||||
|
host_project = var.project_id
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -211,22 +218,20 @@ module "vpc-host" {
|
||||||
}
|
}
|
||||||
iam = {
|
iam = {
|
||||||
"roles/compute.networkUser" = [
|
"roles/compute.networkUser" = [
|
||||||
local.service_project_1.cloud_services_service_account,
|
"serviceAccount:${var.service_account.email}"
|
||||||
local.service_project_1.gke_service_account
|
|
||||||
]
|
]
|
||||||
"roles/compute.securityAdmin" = [
|
"roles/compute.securityAdmin" = [
|
||||||
local.service_project_1.gke_service_account
|
"serviceAccount:${var.service_account.email}"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
shared_vpc_host = true
|
shared_vpc_host = true
|
||||||
shared_vpc_service_projects = [
|
shared_vpc_service_projects = [
|
||||||
local.service_project_1.project_id,
|
module.service-project.project_id
|
||||||
local.service_project_2.project_id
|
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
# tftest modules=1 resources=9 inventory=shared-vpc.yaml e2e
|
# tftest modules=2 resources=14 inventory=shared-vpc.yaml e2e
|
||||||
```
|
```
|
||||||
|
|
||||||
### Private Service Networking
|
### Private Service Networking
|
||||||
|
|
|
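Review bot: The service project is attached to the host twice in the new example: `module "service-project"` sets `shared_vpc_service_config = { host_project = var.project_id }`, and `module "vpc-host"` still lists it in `shared_vpc_service_projects = [module.service-project.project_id]`, so two modules each manage a `google_compute_shared_vpc_service_project` for the same host/service pair; the unchanged inventory count `google_compute_shared_vpc_service_project: 2` in the shared-vpc.yaml hunk `@ -48,9 +44,12 @@`, with only one service project left, reflects the duplicate. Two resources owning one attachment is redundant and is likely to fight on destroy or re-apply, so keeping a single owner — for instance removing `shared_vpc_service_projects = [ … ]` from `module "vpc-host"` and adjusting the tftest line to `# tftest modules=2 resources=13 inventory=shared-vpc.yaml e2e` with the inventory count lowered to 1 — would make the example unambiguous. A sentence in the prose above the snippet saying which module owns the attachment would also help readers who copy it. The `module "vpc-host"` block starts outside the hunk.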
@ -22,10 +22,6 @@ variable "billing_account_id" {
|
||||||
default = "123456-123456-123456"
|
default = "123456-123456-123456"
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "user_email" {
|
|
||||||
default = "user1@example.org"
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "group_email" {
|
variable "group_email" {
|
||||||
default = "organization-admins@example.org"
|
default = "organization-admins@example.org"
|
||||||
}
|
}
|
||||||
|
@ -98,15 +94,3 @@ variable "vpc2" {
|
||||||
variable "zone" {
|
variable "zone" {
|
||||||
default = "zone"
|
default = "zone"
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "service_project_1" {
|
|
||||||
default = {
|
|
||||||
project_id = "service-project-1-project-id"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "service_project_2" {
|
|
||||||
default = {
|
|
||||||
project_id = "service-project-2-project-id"
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -17,17 +17,11 @@ billing_account_id = "${billing_account_id}"
|
||||||
kms_key = {
|
kms_key = {
|
||||||
id = "${kms_key_id}"
|
id = "${kms_key_id}"
|
||||||
}
|
}
|
||||||
user_email = "${user_email}"
|
|
||||||
group_email = "${group_email}"
|
group_email = "${group_email}"
|
||||||
organization_id = "organizations/${organization_id}"
|
organization_id = "organizations/${organization_id}"
|
||||||
folder_id = "folders/${folder_id}"
|
folder_id = "folders/${folder_id}"
|
||||||
|
prefix = "${prefix}"
|
||||||
project_id = "${project_id}"
|
project_id = "${project_id}"
|
||||||
service_project_1 = {
|
|
||||||
project_id = "${service_project_1.project_id}"
|
|
||||||
}
|
|
||||||
service_project_2 = {
|
|
||||||
project_id = "${service_project_2.project_id}"
|
|
||||||
}
|
|
||||||
region = "${region}"
|
region = "${region}"
|
||||||
service_account = {
|
service_account = {
|
||||||
id = "${service_account.id}"
|
id = "${service_account.id}"
|
||||||
|
|
|
@ -26,24 +26,17 @@ locals {
|
||||||
"cloudkms.googleapis.com",
|
"cloudkms.googleapis.com",
|
||||||
"cloudresourcemanager.googleapis.com",
|
"cloudresourcemanager.googleapis.com",
|
||||||
"compute.googleapis.com",
|
"compute.googleapis.com",
|
||||||
|
"dns.googleapis.com",
|
||||||
"eventarc.googleapis.com",
|
"eventarc.googleapis.com",
|
||||||
"iam.googleapis.com",
|
"iam.googleapis.com",
|
||||||
"run.googleapis.com",
|
"run.googleapis.com",
|
||||||
"secretmanager.googleapis.com",
|
"secretmanager.googleapis.com",
|
||||||
|
"servicenetworking.googleapis.com",
|
||||||
"serviceusage.googleapis.com",
|
"serviceusage.googleapis.com",
|
||||||
"stackdriver.googleapis.com",
|
"stackdriver.googleapis.com",
|
||||||
"storage-component.googleapis.com",
|
"storage-component.googleapis.com",
|
||||||
"storage.googleapis.com",
|
"storage.googleapis.com",
|
||||||
"vpcaccess.googleapis.com",
|
"vpcaccess.googleapis.com",
|
||||||
"servicenetworking.googleapis.com",
|
|
||||||
"dns.googleapis.com",
|
|
||||||
]
|
|
||||||
services-svc = [
|
|
||||||
# trimmed down list of services, to be extended as needed
|
|
||||||
"cloudresourcemanager.googleapis.com",
|
|
||||||
"compute.googleapis.com",
|
|
||||||
"iam.googleapis.com",
|
|
||||||
"serviceusage.googleapis.com",
|
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -66,34 +59,6 @@ resource "google_project_service" "project_service" {
|
||||||
disable_dependent_services = true
|
disable_dependent_services = true
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_project" "service_project_1" {
|
|
||||||
name = "${local.prefix}-prj-1"
|
|
||||||
billing_account = var.billing_account
|
|
||||||
folder_id = google_folder.folder.id
|
|
||||||
project_id = "${local.prefix}-prj-1"
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "google_project_service" "service_project_1_service" {
|
|
||||||
for_each = toset(local.services-svc)
|
|
||||||
service = each.value
|
|
||||||
project = google_project.service_project_1.project_id
|
|
||||||
disable_dependent_services = true
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "google_project" "service_project_2" {
|
|
||||||
name = "${local.prefix}-prj-2"
|
|
||||||
billing_account = var.billing_account
|
|
||||||
folder_id = google_folder.folder.id
|
|
||||||
project_id = "${local.prefix}-prj-2"
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "google_project_service" "service_project_2_service" {
|
|
||||||
for_each = toset(local.services-svc)
|
|
||||||
service = each.value
|
|
||||||
project = google_project.service_project_2.project_id
|
|
||||||
disable_dependent_services = true
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "google_storage_bucket" "bucket" {
|
resource "google_storage_bucket" "bucket" {
|
||||||
location = var.region
|
location = var.region
|
||||||
name = "${local.prefix}-bucket"
|
name = "${local.prefix}-bucket"
|
||||||
|
@ -152,16 +117,10 @@ resource "local_file" "terraform_tfvars" {
|
||||||
billing_account_id = var.billing_account
|
billing_account_id = var.billing_account
|
||||||
folder_id = google_folder.folder.folder_id
|
folder_id = google_folder.folder.folder_id
|
||||||
group_email = var.group_email
|
group_email = var.group_email
|
||||||
user_email = var.user_email
|
prefix = var.prefix
|
||||||
kms_key_id = google_kms_crypto_key.key.id
|
kms_key_id = google_kms_crypto_key.key.id
|
||||||
organization_id = var.organization_id
|
organization_id = var.organization_id
|
||||||
project_id = google_project.project.project_id
|
project_id = google_project.project.project_id
|
||||||
service_project_1 = {
|
|
||||||
project_id = google_project.service_project_1.project_id
|
|
||||||
}
|
|
||||||
service_project_2 = {
|
|
||||||
project_id = google_project.service_project_2.project_id
|
|
||||||
}
|
|
||||||
region = var.region
|
region = var.region
|
||||||
service_account = {
|
service_account = {
|
||||||
id = google_service_account.service_account.id
|
id = google_service_account.service_account.id
|
||||||
|
|
|
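Review bot: The value written into the generated tfvars is `prefix = var.prefix`, while the fixture names its own resources from `local.prefix` (`name = "${local.prefix}-bucket"` in the context lines above, and the removed `"${local.prefix}-prj-1"` projects); if `local.prefix` adds anything to `var.prefix`, such as a per-run suffix, the example under test will now create `<var.prefix>-prj1` without it. Project IDs are global and remain reserved after deletion, so a stable prefix can make a re-run fail at project creation; passing `prefix = local.prefix` keeps the e2e project named consistently with the rest of the fixture. The `locals` block that defines `local.prefix` and the rest of `resource "local_file" "terraform_tfvars"` are outside the hunk, so please confirm how the two prefixes relate before changing this.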
@ -18,9 +18,6 @@ variable "billing_account" {
|
||||||
variable "group_email" {
|
variable "group_email" {
|
||||||
type = string
|
type = string
|
||||||
}
|
}
|
||||||
variable "user_email" {
|
|
||||||
type = string
|
|
||||||
}
|
|
||||||
variable "organization_id" {
|
variable "organization_id" {
|
||||||
type = string
|
type = string
|
||||||
}
|
}
|
||||||
|
|
|
@ -18,12 +18,9 @@ values:
|
||||||
project: project-id
|
project: project-id
|
||||||
module.vpc-host.google_compute_shared_vpc_host_project.shared_vpc_host[0]:
|
module.vpc-host.google_compute_shared_vpc_host_project.shared_vpc_host[0]:
|
||||||
project: project-id
|
project: project-id
|
||||||
module.vpc-host.google_compute_shared_vpc_service_project.service_projects["service-project-1-project-id"]:
|
module.service-project.google_compute_shared_vpc_service_project.shared_vpc_service[0]:
|
||||||
host_project: project-id
|
host_project: project-id
|
||||||
service_project: service-project-1-project-id
|
service_project: test-prj1
|
||||||
module.vpc-host.google_compute_shared_vpc_service_project.service_projects["service-project-2-project-id"]:
|
|
||||||
host_project: project-id
|
|
||||||
service_project: service-project-2-project-id
|
|
||||||
module.vpc-host.google_compute_subnetwork.subnetwork["europe-west1/subnet-1"]:
|
module.vpc-host.google_compute_subnetwork.subnetwork["europe-west1/subnet-1"]:
|
||||||
secondary_ip_range:
|
secondary_ip_range:
|
||||||
- ip_cidr_range: 172.16.0.0/20
|
- ip_cidr_range: 172.16.0.0/20
|
||||||
|
@ -34,7 +31,6 @@ values:
|
||||||
condition: []
|
condition: []
|
||||||
members:
|
members:
|
||||||
- serviceAccount:service_account_email
|
- serviceAccount:service_account_email
|
||||||
# - serviceAccount:gke
|
|
||||||
project: project-id
|
project: project-id
|
||||||
region: europe-west1
|
region: europe-west1
|
||||||
role: roles/compute.networkUser
|
role: roles/compute.networkUser
|
||||||
|
@ -48,9 +44,12 @@ values:
|
||||||
role: roles/compute.securityAdmin
|
role: roles/compute.securityAdmin
|
||||||
subnetwork: subnet-1
|
subnetwork: subnet-1
|
||||||
|
|
||||||
|
|
||||||
counts:
|
counts:
|
||||||
google_compute_network: 1
|
google_compute_network: 1
|
||||||
|
google_compute_route: 2
|
||||||
google_compute_shared_vpc_host_project: 1
|
google_compute_shared_vpc_host_project: 1
|
||||||
google_compute_shared_vpc_service_project: 2
|
google_compute_shared_vpc_service_project: 2
|
||||||
google_compute_subnetwork: 1
|
google_compute_subnetwork: 1
|
||||||
google_compute_subnetwork_iam_binding: 2
|
google_compute_subnetwork_iam_binding: 2
|
||||||
|
modules: 2
|
|
@ -75,7 +75,6 @@ values:
|
||||||
condition: []
|
condition: []
|
||||||
members:
|
members:
|
||||||
- group:organization-admins@example.org
|
- group:organization-admins@example.org
|
||||||
- user:user1@example.org
|
|
||||||
project: project-id
|
project: project-id
|
||||||
region: europe-west1
|
region: europe-west1
|
||||||
role: roles/compute.networkUser
|
role: roles/compute.networkUser
|
||||||
|
@ -93,7 +92,7 @@ values:
|
||||||
subnetwork: subnet-1
|
subnetwork: subnet-1
|
||||||
module.vpc.google_compute_subnetwork_iam_member.bindings["subnet-2-iam"]:
|
module.vpc.google_compute_subnetwork_iam_member.bindings["subnet-2-iam"]:
|
||||||
condition: []
|
condition: []
|
||||||
member: user:user1@example.org
|
member: group:organization-admins@example.org
|
||||||
project: project-id
|
project: project-id
|
||||||
region: europe-west1
|
region: europe-west1
|
||||||
role: roles/compute.networkUser
|
role: roles/compute.networkUser
|
||||||
|
|