From a4def10c19fa807b2d384a5d77dc8efe3e79d1d0 Mon Sep 17 00:00:00 2001
From: Stefano Tribioli
Date: Thu, 4 Jan 2024 18:18:34 +0100
Subject: [PATCH 1/2] Add PNA support to Service Directory module
Endpoints in Service Directory can be *associated* with a VPC. In this case, they can be used by supported Google Cloud products to send requests directly to resources inside a VPC. This feature is called Private Network Access. The `google_service_directory_endpoint` resource supports this configuration with a new argument `network`. Unfortunately, this argument has an unusual format: it is similar to a standard VPC ID, but instead of the project ID, it expects the project number.
---
 modules/service-directory/README.md | 58 +++++++++++++++----
 modules/service-directory/main.tf | 1 +
 modules/service-directory/variables.tf | 1 +
 .../service_directory/examples/pna.yaml | 37 ++++++++++++
 4 files changed, 87 insertions(+), 10 deletions(-)
 create mode 100644 tests/modules/service_directory/examples/pna.yaml
diff --git a/modules/service-directory/README.md b/modules/service-directory/README.md
index 3b16cbeb..1faf8e81 100644
--- a/modules/service-directory/README.md
+++ b/modules/service-directory/README.md
@@ -90,20 +90,59 @@ module "dns-sd" {
 }
 # tftest modules=2 resources=5 inventory=dns.yaml
 ```
-
+### Services with endpoints using private network access
+
+[Private network access](https://cloud.google.com/service-directory/docs/private-network-access-overview) enables supported Google Cloud products to send HTTP requests to resources inside a VPC.
+
+```hcl
+locals {
+ project_number = "123456789012"
+}
+
+module "service-directory" {
+ source = "./fabric/modules/service-directory"
+ project_id = "my-project"
+ location = "europe-west1"
+ name = "sd-1"
+ services = {
+ one = {
+ endpoints = ["first", "second"]
+ metadata = null
+ }
+ }
+ endpoint_config = {
+ "one/first" = {
+ address = "10.0.0.11",
+ port = 443,
+ network = "projects/${local.project_number}/locations/global/networks/${var.vpc.name}"
+ metadata = {}
+ }
+ "one/second" = {
+ address = "10.0.0.12",
+ port = 443,
+ network = "projects/${local.project_number}/locations/global/networks/${var.vpc.name}"
+ metadata = {}
+ }
+ }
+}
+# tftest modules=1 resources=4 inventory=pna.yaml
+```
+
+Note that the `network` argument is unusual in that it requires the project number, instead of the more common project ID.
+
 ## Variables
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [location](variables.tf#L40) | Namespace location. | string | ✓ | |
-| [name](variables.tf#L45) | Namespace name. | string | ✓ | |
-| [project_id](variables.tf#L50) | Project used for resources. | string | ✓ | |
-| [endpoint_config](variables.tf#L18) | Map of endpoint attributes, keys are in service/endpoint format. | map(object({…})) | | {} |
-| [iam](variables.tf#L28) | IAM bindings for namespace, in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
-| [labels](variables.tf#L34) | Labels. | map(string) | | {} |
-| [service_iam](variables.tf#L55) | IAM bindings for services, in {SERVICE => {ROLE => [MEMBERS]}} format. 
| map(map(list(string))) | | {} |
-| [services](variables.tf#L61) | Service configuration, using service names as keys. | map(object({…})) | | {} |
+| [location](variables.tf#L41) | Namespace location. | string | ✓ | |
+| [name](variables.tf#L46) | Namespace name. | string | ✓ | |
+| [project_id](variables.tf#L51) | Project used for resources. | string | ✓ | |
+| [endpoint_config](variables.tf#L18) | Map of endpoint attributes, keys are in service/endpoint format. | map(object({…})) | | {} |
+| [iam](variables.tf#L29) | IAM bindings for namespace, in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
+| [labels](variables.tf#L35) | Labels. | map(string) | | {} |
+| [service_iam](variables.tf#L56) | IAM bindings for services, in {SERVICE => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {} |
+| [services](variables.tf#L62) | Service configuration, using service names as keys. | map(object({…})) | | {} |
 ## Outputs
@@ -116,5 +155,4 @@ module "dns-sd" {
 | [service_id](outputs.tf#L40) | Service ids (short names). | |
 | [service_names](outputs.tf#L50) | Service ids (long names). | |
 | [services](outputs.tf#L60) | Service resources. | |
-
diff --git a/modules/service-directory/main.tf b/modules/service-directory/main.tf
index 781bae60..25017a28 100644
--- a/modules/service-directory/main.tf
+++ b/modules/service-directory/main.tf
@@ -75,4 +75,5 @@ resource "google_service_directory_endpoint" "default" {
 metadata = try(var.endpoint_config[each.key].metadata, null)
 address = try(var.endpoint_config[each.key].address, null)
 port = try(var.endpoint_config[each.key].port, null)
+ network = try(var.endpoint_config[each.key].network, null)
 }
diff --git a/modules/service-directory/variables.tf b/modules/service-directory/variables.tf
index 326aeff8..8212081e 100644
--- a/modules/service-directory/variables.tf
+++ b/modules/service-directory/variables.tf
@@ -20,6 +20,7 @@ variable "endpoint_config" {
 type = map(object({
 address = string
 port = number
+ network = optional(string, null)
 metadata = map(string)
 }))
 default = {}
diff --git a/tests/modules/service_directory/examples/pna.yaml b/tests/modules/service_directory/examples/pna.yaml
new file mode 100644
index 00000000..167c5f82
--- /dev/null
+++ b/tests/modules/service_directory/examples/pna.yaml
@@ -0,0 +1,37 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.service-directory.google_service_directory_endpoint.default["one/first"]:
+ address: 10.0.0.11
+ endpoint_id: first
+ port: 443
+ network: projects/123456789012/locations/global/networks/vpc-name
+ module.service-directory.google_service_directory_endpoint.default["one/second"]:
+ address: 10.0.0.12
+ endpoint_id: second
+ port: 443
+ network: projects/123456789012/locations/global/networks/vpc-name
+ module.service-directory.google_service_directory_namespace.default:
+ location: europe-west1
+ namespace_id: sd-1
+ project: my-project
+ module.service-directory.google_service_directory_service.default["one"]:
+ metadata: null
+ service_id: one
+
+counts:
+ google_service_directory_endpoint: 2
+ google_service_directory_namespace: 1
+ google_service_directory_service: 1
From 0ca3203e52a316ff26869a1a0c38b146cf2b619f Mon Sep 17 00:00:00 2001
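Review bot: The new `network` attribute is typed as a bare `optional(string, null)`, so the project-ID-versus-project-number mistake the commit message itself calls out is only caught at apply time by the API; a `validation` block on `endpoint_config` that rejects anything not shaped like `projects/<project number>/locations/global/networks/<name>` would surface it at plan time. The `variable "endpoint_config"` block opens and closes outside this hunk, so the validation belongs after the `default = {}` line shown here. The variable's `description` (also outside the hunk) should say the same thing, e.g. `description = "Map of endpoint attributes, keys are in service/endpoint format. The optional network attribute must use the project number, not the project ID."`.
```hcl
  default = {}
  validation {
    condition = alltrue([
      for v in values(var.endpoint_config) :
      v.network == null || can(regex("^projects/[0-9]+/locations/global/networks/[^/]+$", v.network))
    ])
    error_message = "endpoint_config network values must use the projects/PROJECT_NUMBER/locations/global/networks/NAME format (project number, not project ID)."
  }
```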
From: Stefano Tribioli
Date: Fri, 5 Jan 2024 15:10:07 +0100
Subject: [PATCH 2/2] Capitalize Private Network Access
---
 modules/service-directory/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/service-directory/README.md b/modules/service-directory/README.md
index 1faf8e81..c89fe143 100644
--- a/modules/service-directory/README.md
+++ b/modules/service-directory/README.md
@@ -91,9 +91,9 @@ module "dns-sd" {
 # tftest modules=2 resources=5 inventory=dns.yaml
 ```
-### Services with endpoints using private network access
+### Services with endpoints using Private Network Access
-[Private network access](https://cloud.google.com/service-directory/docs/private-network-access-overview) enables supported Google Cloud products to send HTTP requests to resources inside a VPC.
+[Private Network Access](https://cloud.google.com/service-directory/docs/private-network-access-overview) enables supported Google Cloud products to send HTTP requests to resources inside a VPC.
 ```hcl
 locals {