diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md
index 81b9ad37..3be4d37d 100644
--- a/modules/net-vpc/README.md
+++ b/modules/net-vpc/README.md
@@ -299,6 +299,13 @@ module "vpc" {
name = "regional-proxy"
region = "europe-west1"
active = true
+ },
+ {
+ ip_cidr_range = "10.0.4.0/24"
+ name = "global-proxy"
+ region = "australia-southeast2"
+ active = true
+ global = true
}
]
subnets_psc = [
@@ -309,7 +316,7 @@ module "vpc" {
}
]
}
-# tftest modules=1 resources=5 inventory=proxy-only-subnets.yaml
+# tftest modules=1 resources=6 inventory=proxy-only-subnets.yaml
```
### DNS Policies
@@ -348,7 +355,7 @@ module "vpc" {
name = "my-network"
data_folder = "config/subnets"
}
-# tftest modules=1 resources=9 files=subnet-simple,subnet-simple-2,subnet-detailed,subnet-proxy,subnet-psc inventory=factory.yaml
+# tftest modules=1 resources=10 files=subnet-simple,subnet-simple-2,subnet-detailed,subnet-proxy,subnet-proxy-global,subnet-psc inventory=factory.yaml
```
```yaml
@@ -392,6 +399,13 @@ ip_cidr_range: 10.1.0.0/24
purpose: REGIONAL_MANAGED_PROXY
```
+```yaml
+# tftest-file id=subnet-proxy-global path=config/subnets/subnet-proxy-global.yaml
+region: australia-southeast2
+ip_cidr_range: 10.4.0.0/24
+purpose: GLOBAL_MANAGED_PROXY
+```
+
```yaml
# tftest-file id=subnet-psc path=config/subnets/subnet-psc.yaml
region: europe-west4
@@ -546,9 +560,9 @@ module "vpc" {
| [subnet_iam_bindings](variables.tf#L173) | Authoritative IAM bindings in {REGION/NAME => {ROLE => {members = [], condition = {}}}}. | map(map(object({…})))
| | {}
|
| [subnet_iam_bindings_additive](variables.tf#L187) | Individual additive IAM bindings. Keys are arbitrary. | map(object({…}))
| | {}
|
| [subnets](variables.tf#L203) | Subnet configuration. | list(object({…}))
| | []
|
-| [subnets_proxy_only](variables.tf#L230) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…}))
| | []
|
-| [subnets_psc](variables.tf#L243) | List of subnets for Private Service Connect service producers. | list(object({…}))
| | []
|
-| [vpc_create](variables.tf#L255) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool
| | true
|
+| [subnets_proxy_only](variables.tf#L230) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…}))
| | []
|
+| [subnets_psc](variables.tf#L244) | List of subnets for Private Service Connect service producers. | list(object({…}))
| | []
|
+| [vpc_create](variables.tf#L256) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool
| | true
|
## Outputs
diff --git a/modules/net-vpc/outputs.tf b/modules/net-vpc/outputs.tf
index fbf07dba..503923d9 100644
--- a/modules/net-vpc/outputs.tf
+++ b/modules/net-vpc/outputs.tf
@@ -136,4 +136,4 @@ output "subnets_proxy_only" {
output "subnets_psc" {
description = "Private Service Connect subnet resources."
value = { for k, v in google_compute_subnetwork.psc : k => v }
-}
+}
\ No newline at end of file
diff --git a/modules/net-vpc/subnets.tf b/modules/net-vpc/subnets.tf
index 0e656fd8..db8cc3ef 100644
--- a/modules/net-vpc/subnets.tf
+++ b/modules/net-vpc/subnets.tf
@@ -35,6 +35,7 @@ locals {
iam_members = try(v.iam_members, [])
purpose = try(v.purpose, null)
active = try(v.active, null)
+ global = null
}
}
_factory_subnets_iam = [
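Review bot: The hard-coded `global = null` in `_factory_subnets` means a factory YAML that sets `global: true` is silently ignored, because only `purpose` is read from the file. The filters visible later in this diff select proxy subnets by `purpose`, so a file carrying `global: true` without `purpose: GLOBAL_MANAGED_PROXY` would presumably not become a proxy-only subnet at all. I would add a comment on the line, for example `# factory files select global proxies via purpose; "global" only applies to var.subnets_proxy_only`. The enclosing `locals` block starts and ends outside this hunk.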
@@ -73,7 +74,8 @@ locals {
)
subnets_proxy_only = merge(
{ for s in var.subnets_proxy_only : "${s.region}/${s.name}" => s },
- { for k, v in local._factory_subnets : k => v if v.purpose == "REGIONAL_MANAGED_PROXY" }
+ { for k, v in local._factory_subnets : k => v if v.purpose == "REGIONAL_MANAGED_PROXY" },
+ { for k, v in local._factory_subnets : k => v if v.purpose == "GLOBAL_MANAGED_PROXY" }
)
subnets_psc = merge(
{ for s in var.subnets_psc : "${s.region}/${s.name}" => s },
@@ -130,11 +132,17 @@ resource "google_compute_subnetwork" "proxy_only" {
ip_cidr_range = each.value.ip_cidr_range
description = (
each.value.description == null
- ? "Terraform-managed proxy-only subnet for Regional HTTPS or Internal HTTPS LB."
+ ? "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
: each.value.description
)
- purpose = "REGIONAL_MANAGED_PROXY"
- role = each.value.active != false ? "ACTIVE" : "BACKUP"
+ purpose = try(
+ each.value.purpose,
+ each.value.global != false
+ ? "GLOBAL_MANAGED_PROXY"
+ : "REGIONAL_MANAGED_PROXY"
+ )
+
+ role = each.value.active != false ? "ACTIVE" : "BACKUP"
}
resource "google_compute_subnetwork" "psc" {
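Review bot: The fallback `each.value.global != false` treats a null `global` as true, so any entry that reaches this ternary without an explicit `false` is created as `GLOBAL_MANAGED_PROXY`. It works today only because factory entries (where `global = null`) always carry a `purpose`, and variable entries get `false` from the `optional(bool, false)` default. Defaulting to the regional purpose is the safer direction, since a subnet created with the wrong purpose is not usable by the load balancer it was meant for: `each.value.global == true ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"`. The `try()` also hides any other evaluation error in `each.value.purpose`, so a short comment saying it exists because variable-defined entries have no `purpose` attribute would help. The resource block starts above this hunk.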
diff --git a/modules/net-vpc/variables.tf b/modules/net-vpc/variables.tf
index d8ca5608..30d7afd3 100644
--- a/modules/net-vpc/variables.tf
+++ b/modules/net-vpc/variables.tf
@@ -228,13 +228,14 @@ variable "subnets" {
}
variable "subnets_proxy_only" {
- description = "List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active."
+ description = "List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active."
type = list(object({
name = string
ip_cidr_range = string
region = string
description = optional(string)
active = bool
+ global = optional(bool, false)
}))
default = []
nullable = false
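Review bot: The `description` of `subnets_proxy_only` is left textually unchanged while the type gains `global`, so neither the variable nor the README table generated from it says what the flag does. I would extend it along the lines of `"List of proxy-only subnets for Regional HTTPS, Internal HTTPS or cross-region internal load balancers. Set global to true to create a GLOBAL_MANAGED_PROXY subnet. ..."`. The note that only one proxy-only subnet per region can be active probably needs rewording too, since the README example now assumes regional and global proxy subnets coexist in one VPC; confirm the exact constraint against the provider documentation.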
diff --git a/tests/modules/net_vpc/examples/factory.yaml b/tests/modules/net_vpc/examples/factory.yaml
index fb348397..50aa01e1 100644
--- a/tests/modules/net_vpc/examples/factory.yaml
+++ b/tests/modules/net_vpc/examples/factory.yaml
@@ -48,8 +48,7 @@ values:
tags: null
timeouts: null
module.vpc.google_compute_subnetwork.proxy_only["europe-west4/subnet-proxy"]:
- description: Terraform-managed proxy-only subnet for Regional HTTPS or Internal
- HTTPS LB.
+ description: Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB.
ip_cidr_range: 10.1.0.0/24
ipv6_access_type: null
log_config: []
@@ -59,6 +58,17 @@ values:
region: europe-west4
role: ACTIVE
timeouts: null
+ module.vpc.google_compute_subnetwork.proxy_only["australia-southeast2/subnet-proxy-global"]:
+ description: Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB.
+ ip_cidr_range: 10.4.0.0/24
+ ipv6_access_type: null
+ log_config: []
+ name: subnet-proxy-global
+ project: my-project
+ purpose: GLOBAL_MANAGED_PROXY
+ region: australia-southeast2
+ role: ACTIVE
+ timeouts: null
module.vpc.google_compute_subnetwork.psc["europe-west4/subnet-psc"]:
description: Terraform-managed subnet for Private Service Connect (PSC NAT).
ip_cidr_range: 10.2.0.0/24
@@ -127,9 +137,9 @@ values:
counts:
google_compute_network: 1
google_compute_route: 2
- google_compute_subnetwork: 5
+ google_compute_subnetwork: 6
google_compute_subnetwork_iam_binding: 1
modules: 1
- resources: 9
+ resources: 10
outputs: {}
diff --git a/tests/modules/net_vpc/examples/proxy-only-subnets.yaml b/tests/modules/net_vpc/examples/proxy-only-subnets.yaml
index 6e2069aa..cf32912d 100644
--- a/tests/modules/net_vpc/examples/proxy-only-subnets.yaml
+++ b/tests/modules/net_vpc/examples/proxy-only-subnets.yaml
@@ -17,7 +17,7 @@ values:
name: my-network
project: my-project
module.vpc.google_compute_subnetwork.proxy_only["europe-west1/regional-proxy"]:
- description: Terraform-managed proxy-only subnet for Regional HTTPS or Internal HTTPS LB.
+ description: Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB.
ip_cidr_range: 10.0.1.0/24
log_config: []
name: regional-proxy
@@ -25,6 +25,15 @@ values:
purpose: REGIONAL_MANAGED_PROXY
region: europe-west1
role: ACTIVE
+ module.vpc.google_compute_subnetwork.proxy_only["australia-southeast2/global-proxy"]:
+ description: Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB.
+ ip_cidr_range: 10.0.4.0/24
+ log_config: []
+ name: global-proxy
+ project: my-project
+ purpose: GLOBAL_MANAGED_PROXY
+ region: australia-southeast2
+ role: ACTIVE
module.vpc.google_compute_subnetwork.psc["europe-west1/psc"]:
description: Terraform-managed subnet for Private Service Connect (PSC NAT).
ip_cidr_range: 10.0.3.0/24
@@ -37,4 +46,4 @@ values:
counts:
google_compute_network: 1
- google_compute_subnetwork: 2
+ google_compute_subnetwork: 3