From 6b4bca10bd98dc72421bb7aad8367cedc11ea9de Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Wiktor=20Niesiob=C4=99dzki?= Date: Thu, 8 Jun 2023 05:39:09 +0000 Subject: [PATCH 1/4] Use RFC6598 addresses for pods and subnets 10.128.0.0/9 is public network. Closes: #1424 --- .../data/subnets/dev/dev-dataplatform-ew1.yaml | 4 ++-- .../data/subnets/dev/dev-dataplatform-ew1.yaml | 4 ++-- .../data/subnets/dev/dev-dataplatform-ew1.yaml | 4 ++-- .../data/subnets/dev/dev-dataplatform-ew1.yaml | 4 ++-- .../data/subnets/dev/dev-dataplatform-ew1.yaml | 4 ++-- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/fast/stages/2-networking-a-peering/data/subnets/dev/dev-dataplatform-ew1.yaml b/fast/stages/2-networking-a-peering/data/subnets/dev/dev-dataplatform-ew1.yaml index 2c682405..4e5690c0 100644 --- a/fast/stages/2-networking-a-peering/data/subnets/dev/dev-dataplatform-ew1.yaml +++ b/fast/stages/2-networking-a-peering/data/subnets/dev/dev-dataplatform-ew1.yaml @@ -4,5 +4,5 @@ region: europe-west1 description: Default subnet for dev Data Platform ip_cidr_range: 10.128.48.0/24 secondary_ip_ranges: - pods: 100.128.48.0/20 - services: 100.255.48.0/24 + pods: 100.64.48.0/20 + services: 100.64.64.0/24 diff --git a/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-dataplatform-ew1.yaml b/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-dataplatform-ew1.yaml index 2c682405..4e5690c0 100644 --- a/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-dataplatform-ew1.yaml +++ b/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-dataplatform-ew1.yaml @@ -4,5 +4,5 @@ region: europe-west1 description: Default subnet for dev Data Platform ip_cidr_range: 10.128.48.0/24 secondary_ip_ranges: - pods: 100.128.48.0/20 - services: 100.255.48.0/24 + pods: 100.64.48.0/20 + services: 100.64.64.0/24 diff --git a/fast/stages/2-networking-c-nva/data/subnets/dev/dev-dataplatform-ew1.yaml b/fast/stages/2-networking-c-nva/data/subnets/dev/dev-dataplatform-ew1.yaml index 2c682405..4e5690c0 100644 
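Review bot: The commit message says `10.128.0.0/9 is public network`, but the ranges this hunk replaces are 100.128.48.0/20 and 100.255.48.0/24, i.e. they fall in 100.128.0.0/9, the half of 100.0.0.0/8 that is not RFC 6598 space; the primary `ip_cidr_range: 10.128.48.0/24` that the hunk keeps is ordinary RFC 1918 space and needs no change. Worth correcting the message to `100.128.0.0/9 is a public network` so nobody later reads it as a reason to renumber the primary range as well. The new values 100.64.48.0/20 and 100.64.64.0/24 both sit inside 100.64.0.0/10 and do not overlap each other, and the identical edit is applied to the b-vpn, c-nva, d-separate-envs and e-nva-bgp copies of this file, so the data change itself looks consistent. Whether other subnet files in these stages still carry secondary ranges from 100.128.0.0/9 is not visible here and would be the natural follow-up check.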
--- a/fast/stages/2-networking-c-nva/data/subnets/dev/dev-dataplatform-ew1.yaml +++ b/fast/stages/2-networking-c-nva/data/subnets/dev/dev-dataplatform-ew1.yaml @@ -4,5 +4,5 @@ region: europe-west1 description: Default subnet for dev Data Platform ip_cidr_range: 10.128.48.0/24 secondary_ip_ranges: - pods: 100.128.48.0/20 - services: 100.255.48.0/24 + pods: 100.64.48.0/20 + services: 100.64.64.0/24 diff --git a/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-dataplatform-ew1.yaml b/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-dataplatform-ew1.yaml index 2c682405..4e5690c0 100644 --- a/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-dataplatform-ew1.yaml +++ b/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-dataplatform-ew1.yaml @@ -4,5 +4,5 @@ region: europe-west1 description: Default subnet for dev Data Platform ip_cidr_range: 10.128.48.0/24 secondary_ip_ranges: - pods: 100.128.48.0/20 - services: 100.255.48.0/24 + pods: 100.64.48.0/20 + services: 100.64.64.0/24 diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-dataplatform-ew1.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-dataplatform-ew1.yaml index 2c682405..4e5690c0 100644 --- a/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-dataplatform-ew1.yaml +++ b/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-dataplatform-ew1.yaml @@ -4,5 +4,5 @@ region: europe-west1 description: Default subnet for dev Data Platform ip_cidr_range: 10.128.48.0/24 secondary_ip_ranges: - pods: 100.128.48.0/20 - services: 100.255.48.0/24 + pods: 100.64.48.0/20 + services: 100.64.64.0/24 From ebeace21dd25af12875591b9740d351f94b2c43e Mon Sep 17 00:00:00 2001 
From: Miren Esnaola Date: Wed, 7 Jun 2023 18:57:54 +0200 Subject: [PATCH 2/4] Added support for PSC negs in net-ilb-l7 module --- modules/net-ilb-l7/README.md | 59 +++++++++++++++++++++------ modules/net-ilb-l7/backend-service.tf | 3 ++ modules/net-ilb-l7/main.tf | 16 ++++++++ modules/net-ilb-l7/variables.tf | 10 ++++- 4 files changed, 74 insertions(+), 14 deletions(-) diff --git a/modules/net-ilb-l7/README.md b/modules/net-ilb-l7/README.md index 64d47623..03717fec 100644 --- a/modules/net-ilb-l7/README.md +++ b/modules/net-ilb-l7/README.md @@ -225,7 +225,9 @@ module "ilb-l7" { # tftest modules=1 resources=5 ``` -Similarly to instance groups, NEGs can also be managed by this module which supports GCE, hybrid, and serverless NEGs: +Similarly to instance groups, NEGs can also be managed by this module which supports GCE, hybrid, serverless and Private Service Connect NEGs: + +#### Zonal NEG creation ```hcl resource "google_compute_address" "test" { @@ -273,7 +275,7 @@ module "ilb-l7" { # tftest modules=1 resources=8 ``` -Hybrid NEGs are also supported: +#### Hybrid NEG creation ```hcl module "ilb-l7" { @@ -311,7 +313,7 @@ module "ilb-l7" { # tftest modules=1 resources=7 ``` -As are serverless NEGs for Cloud Run: +#### Serverless NEG creation ```hcl module "ilb-l7" { 
@@ -348,6 +350,39 @@ module "ilb-l7" { # tftest modules=1 resources=5 ``` +#### Private Service Connect NEG creation + +```hcl +module "ilb-l7" { + source = "./fabric/modules/net-ilb-l7" + name = "ilb-test" + project_id = var.project_id + region = "europe-west1" + backend_service_configs = { + default = { + backends = [{ + group = "my-neg" + }] + health_checks = [] + } + } + health_check_configs = {} + neg_configs = { + my-neg = { + psc = { + region = "europe-west1" + target_service = "europe-west1-cloudkms.googleapis.com" + } + } + } + vpc_config = { + network = var.vpc.self_link + subnetwork = var.subnet.self_link + } +} +# tftest modules=1 resources=5 +``` + ### URL Map The module exposes the full URL map resource configuration, with some minor changes to the interface to decrease verbosity, and support for aliasing backend services via keys. @@ -606,9 +641,9 @@ module "ilb-l7" { | name | description | type | required | default | |---|---|:---:|:---:|:---:| | [name](variables.tf#L54) | Load balancer name. | string | ✓ | | -| [project_id](variables.tf#L132) | Project id. | string | ✓ | | -| [region](variables.tf#L150) | The region where to allocate the ILB resources. | string | ✓ | | -| [vpc_config](variables.tf#L177) | VPC-level configuration. | object({…}) | ✓ | | +| [project_id](variables.tf#L138) | Project id. | string | ✓ | | +| [region](variables.tf#L156) | The region where to allocate the ILB resources. | string | ✓ | | +| [vpc_config](variables.tf#L183) | VPC-level configuration. | object({…}) | ✓ | | | [address](variables.tf#L17) | Optional IP address used for the forwarding rule. | string | | null | | [backend_service_configs](variables-backend-service.tf#L19) | Backend service level configuration. | map(object({…})) | | {} | | [description](variables.tf#L23) | Optional description used for resources. | string | | "Terraform managed." | 
@@ -616,12 +651,12 @@ module "ilb-l7" { | [group_configs](variables.tf#L36) | Optional unmanaged groups to create. Can be referenced in backends via key or outputs. | map(object({…})) | | {} | | [health_check_configs](variables-health-check.tf#L19) | Optional auto-created health check configurations, use the output self-link to set it in the auto healing policy. Refer to examples for usage. | map(object({…})) | | {…} | | [labels](variables.tf#L48) | Labels set on resources. | map(string) | | {} | -| [neg_configs](variables.tf#L59) | Optional network endpoint groups to create. Can be referenced in backends via key or outputs. | map(object({…})) | | {} | -| [network_tier_premium](variables.tf#L119) | Use premium network tier. Defaults to true. | bool | | true | -| [ports](variables.tf#L126) | Optional ports for HTTP load balancer, valid ports are 80 and 8080. | list(string) | | null | -| [protocol](variables.tf#L137) | Protocol supported by this load balancer. | string | | "HTTP" | -| [service_directory_registration](variables.tf#L155) | Service directory namespace and service used to register this load balancer. | object({…}) | | null | -| [ssl_certificates](variables.tf#L164) | SSL target proxy certificates (only if protocol is HTTPS). | object({…}) | | {} | +| [neg_configs](variables.tf#L59) | Optional network endpoint groups to create. Can be referenced in backends via key or outputs. | map(object({…})) | | {} | +| [network_tier_premium](variables.tf#L125) | Use premium network tier. Defaults to true. | bool | | true | +| [ports](variables.tf#L132) | Optional ports for HTTP load balancer, valid ports are 80 and 8080. | list(string) | | null | +| [protocol](variables.tf#L143) | Protocol supported by this load balancer. | string | | "HTTP" | +| [service_directory_registration](variables.tf#L161) | Service directory namespace and service used to register this load balancer. 
| object({…}) | | null | +| [ssl_certificates](variables.tf#L170) | SSL target proxy certificates (only if protocol is HTTPS). | object({…}) | | {} | | [urlmap_config](variables-urlmap.tf#L19) | The URL map configuration. | object({…}) | | {…} | ## Outputs diff --git a/modules/net-ilb-l7/backend-service.tf b/modules/net-ilb-l7/backend-service.tf index ea758835..669a291a 100644 --- a/modules/net-ilb-l7/backend-service.tf +++ b/modules/net-ilb-l7/backend-service.tf @@ -26,6 +26,9 @@ locals { }, { for k, v in google_compute_region_network_endpoint_group.default : k => v.id + }, + { + for k, v in google_compute_region_network_endpoint_group.psc : k => v.id } ) hc_ids = { diff --git a/modules/net-ilb-l7/main.tf b/modules/net-ilb-l7/main.tf index 2ca114ae..9d5f7154 100644 --- a/modules/net-ilb-l7/main.tf +++ b/modules/net-ilb-l7/main.tf @@ -49,6 +49,10 @@ locals { zone = v.gce != null ? v.gce.zone : v.hybrid.zone } if v.gce != null || v.hybrid != null } + neg_regional_psc = { + for k, v in var.neg_configs : + k => v if v.psc != null + } proxy_ssl_certificates = concat( coalesce(var.ssl_certificates.certificate_ids, []), [for k, v in google_compute_region_ssl_certificate.default : v.id] @@ -187,3 +191,15 @@ resource "google_compute_region_network_endpoint_group" "default" { url_mask = each.value.target_urlmask } } + +resource "google_compute_region_network_endpoint_group" "psc" { + for_each = local.neg_regional_psc + project = var.project_id + region = each.value.psc.region + name = "${var.name}-${each.key}" + //description = coalesce(each.value.description, var.description) + network_endpoint_type = "PRIVATE_SERVICE_CONNECT" + psc_target_service = each.value.psc.target_service + network = each.value.psc.network + subnetwork = each.value.psc.subnetwork +} diff --git a/modules/net-ilb-l7/variables.tf b/modules/net-ilb-l7/variables.tf index 09b3f7ac..40158aca 100644 --- a/modules/net-ilb-l7/variables.tf +++ b/modules/net-ilb-l7/variables.tf 
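Review bot: The new `google_compute_region_network_endpoint_group.psc` resource in main.tf ships with `//description = coalesce(each.value.description, var.description)` commented out, leaving dead code in the resource body; either delete the line or enable it, since the reference to `each.value.description` suggests neg_configs already carries a description attribute (its declaration is outside this hunk). A second point, which also applies to the variables.tf hunk below: `psc.region` is declared as a required `string` although the module already takes `var.region`, and a regional backend service can only reference NEGs in its own region, so a mistyped region is only caught at apply time. Declaring `region = optional(string)` in the psc object and writing `region = coalesce(each.value.psc.region, var.region)` in the resource keeps the current interface while defaulting to the only value that works. Finally, the rest of these files use `#` as the comment leader (see the `# psc = optional(object({}))` line being replaced in variables.tf), so the `//` style stands out.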
@@ -90,7 +90,12 @@ variable "neg_configs" { port = number }))) })) - # psc = optional(object({})) + psc = optional(object({ + region = string + target_service = string + network = optional(string) + subnetwork = optional(string) + })) })) default = {} nullable = false @@ -99,7 +104,8 @@ variable "neg_configs" { for k, v in var.neg_configs : ( (try(v.cloudrun, null) == null ? 0 : 1) + (try(v.gce, null) == null ? 0 : 1) + - (try(v.hybrid, null) == null ? 0 : 1) == 1 + (try(v.hybrid, null) == null ? 0 : 1) + + (try(v.psc, null) == null ? 0 : 1) == 1 ) ]) error_message = "Only one type of neg can be configured at a time." From a7b944aa8e9b902d13ca9724ad5faaa85b3e1313 Mon Sep 17 00:00:00 2001 From: Ludovico Magnocavallo Date: Thu, 8 Jun 2023 12:05:54 +0200 Subject: [PATCH 3/4] fix serverless neg example (#1430) --- modules/net-ilb-l7/README.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/modules/net-ilb-l7/README.md b/modules/net-ilb-l7/README.md index 64d47623..330a9a5a 100644 --- a/modules/net-ilb-l7/README.md +++ b/modules/net-ilb-l7/README.md @@ -283,11 +283,7 @@ module "ilb-l7" { region = "europe-west1" backend_service_configs = { default = { - backends = [{ - balancing_mode = "RATE" - group = "my-neg" - max_rate = { per_endpoint = 1 } - }] + backends = [{ group = "my-neg" }] } } neg_configs = { From e900e9c9517fad45dd00ae36c183a40f2278fa33 Mon Sep 17 00:00:00 2001 From: Julio Castillo Date: Thu, 8 Jun 2023 14:00:10 +0200 Subject: [PATCH 4/4] Make internal/external addresses optional in compute-vm Fixes 1431 --- blueprints/data-solutions/sqlserver-alwayson/instances.tf | 4 +--- fast/stages/2-networking-e-nva-bgp/nva.tf | 2 -- modules/compute-vm/README.md | 6 +++--- modules/compute-vm/variables.tf | 6 +++--- 4 files changed, 7 insertions(+), 11 deletions(-) diff --git a/blueprints/data-solutions/sqlserver-alwayson/instances.tf b/blueprints/data-solutions/sqlserver-alwayson/instances.tf index 89f39a61..ab9f1217 100644 
--- a/blueprints/data-solutions/sqlserver-alwayson/instances.tf +++ b/blueprints/data-solutions/sqlserver-alwayson/instances.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -68,7 +68,6 @@ module "nodes" { nat = false addresses = { internal = module.ip-addresses.internal_addresses[each.value].address - external = null } }] @@ -122,7 +121,6 @@ module "witness" { nat = false addresses = { internal = module.ip-addresses.internal_addresses[each.value].address - external = null } }] diff --git a/fast/stages/2-networking-e-nva-bgp/nva.tf b/fast/stages/2-networking-e-nva-bgp/nva.tf index baf6018a..66ede6fd 100644 --- a/fast/stages/2-networking-e-nva-bgp/nva.tf +++ b/fast/stages/2-networking-e-nva-bgp/nva.tf @@ -152,7 +152,6 @@ module "nva" { subnetwork = module.landing-untrusted-vpc.subnet_self_links["${each.value.region}/landing-untrusted-default-${each.value.shortname}"] nat = false addresses = { - external = null internal = google_compute_address.nva_static_ip_untrusted[each.key].address } }, @@ -161,7 +160,6 @@ module "nva" { subnetwork = module.landing-trusted-vpc.subnet_self_links["${each.value.region}/landing-trusted-default-${each.value.shortname}"] nat = false addresses = { - external = null internal = google_compute_address.nva_static_ip_trusted[each.key].address } } diff --git a/modules/compute-vm/README.md b/modules/compute-vm/README.md index c4badae3..1e22e8dd 100644 --- a/modules/compute-vm/README.md +++ b/modules/compute-vm/README.md @@ -215,7 +215,7 @@ module "vm-internal-ip" { network_interfaces = [{ network = var.vpc.self_link subnetwork = var.subnet.self_link - addresses = { external = null, internal = "10.0.0.2" } + addresses = { internal = "10.0.0.2" } }] } 
@@ -228,7 +228,7 @@ module "vm-external-ip" { network = var.vpc.self_link subnetwork = var.subnet.self_link nat = true - addresses = { external = "8.8.8.8", internal = null } + addresses = { external = "8.8.8.8" } }] } # tftest modules=2 resources=2 inventory=ips.yaml @@ -507,7 +507,7 @@ module "instance-group" { | name | description | type | required | default | |---|---|:---:|:---:|:---:| | [name](variables.tf#L182) | Instance name. | string | ✓ | | -| [network_interfaces](variables.tf#L187) | Network interfaces configuration. Use self links for Shared VPC, set addresses to null if not needed. | list(object({…})) | ✓ | | +| [network_interfaces](variables.tf#L187) | Network interfaces configuration. Use self links for Shared VPC, set addresses to null if not needed. | list(object({…})) | ✓ | | | [project_id](variables.tf#L224) | Project id. | string | ✓ | | | [zone](variables.tf#L283) | Compute zone. | string | ✓ | | | [attached_disk_defaults](variables.tf#L17) | Defaults for attached disks options. | object({…}) | | {…} | diff --git a/modules/compute-vm/variables.tf b/modules/compute-vm/variables.tf index bda75438..8ec1e716 100644 --- a/modules/compute-vm/variables.tf +++ b/modules/compute-vm/variables.tf @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2023 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -191,8 +191,8 @@ variable "network_interfaces" { network = string subnetwork = string addresses = optional(object({ - internal = string - external = string + internal = optional(string) + external = optional(string) }), null) alias_ips = optional(map(string), {}) nic_type = optional(string)
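Review bot: With `internal` and `external` now `optional(string)`, the variable's description still tells callers to "set addresses to null if not needed" (the `network_interfaces` row of the compute-vm README table, which is generated from variables.tf, is carried through this series unchanged), and that advice is now stale: the examples updated in the same commit simply omit the unused key. Suggest rewording the description in variables.tf to something like `Network interfaces configuration. Use self links for Shared VPC; omit internal or external (or the whole addresses object) when not needed.` and regenerating the README table so the two agree. The `network_interfaces` variable block starts before and continues after this hunk.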