From f919a8dba063e06bc613953d0583463649c7fbdd Mon Sep 17 00:00:00 2001
From: Julio Castillo 
Date: Mon, 26 Oct 2020 23:17:25 +0100
Subject: [PATCH] Update GKE SVPC example to prevent -target usage

---
 networking/shared-vpc-gke/README.md | 13 -------------
 networking/shared-vpc-gke/main.tf | 15 ++++++++++-----
 tests/networking/shared_vpc_gke/test_plan.py | 9 +++------
 3 files changed, 13 insertions(+), 24 deletions(-)

diff --git a/networking/shared-vpc-gke/README.md b/networking/shared-vpc-gke/README.md
index 2215d765..2bc72fda 100644
--- a/networking/shared-vpc-gke/README.md
+++ b/networking/shared-vpc-gke/README.md
@@ -6,19 +6,6 @@ The sample has been purposefully kept simple so that it can be used as a basis f
 
 ![High-level diagram](diagram.png "High-level diagram")
 
-## Applying the example
-
-The example cannot be applied from scratch with a single `terraform apply` command, as Terraform is unable to manage Shared VPC project registration for multiple projects, before those are created and exist in state. To apply the example from scratch, follow this order:
-
-```bash
-tf apply \
- -target module.project-svc-gce \
- -target module.project-svc-gke
-tf apply
-```
-
-Once the first command has run successfully, the service projects exist in state and can be referenced by the multiple resource in the host project module that manages project registration.
-
 ## Accessing the bastion instance and GKE cluster
 
 The bastion VM has no public address so access is mediated via [IAP](https://cloud.google.com/iap/docs), which is supported transparently in the `gcloud compute ssh` command. Authentication is via OS Login set as a project default.
diff --git a/networking/shared-vpc-gke/main.tf b/networking/shared-vpc-gke/main.tf
index 2e0296e2..8b7d0534 100644
--- a/networking/shared-vpc-gke/main.tf
+++ b/networking/shared-vpc-gke/main.tf
@@ -27,11 +27,8 @@ module "project-host" {
 name = "net"
 services = concat(var.project_services, ["dns.googleapis.com"])
 shared_vpc_host_config = {
-enabled = true
-service_projects = [
-module.project-svc-gce.project_id,
-module.project-svc-gke.project_id
-]
+enabled = true
+service_projects = [] # defined later
 }
 iam_roles = [
 "roles/container.hostServiceAgentUser", "roles/owner"
@@ -53,6 +50,10 @@ module "project-svc-gce" {
 services = var.project_services
 oslogin = true
 oslogin_admins = var.owners_gce
+shared_vpc_service_config = {
+attach = true
+host_project = module.project-host.project_id
+}
 iam_roles = [
 "roles/logging.logWriter",
 "roles/monitoring.metricWriter",
@@ -75,6 +76,10 @@ module "project-svc-gke" {
 prefix = var.prefix
 name = "gke"
 services = var.project_services
+shared_vpc_service_config = {
+attach = true
+host_project = module.project-host.project_id
+}
 iam_roles = [
 "roles/container.developer",
 "roles/logging.logWriter",
diff --git a/tests/networking/shared_vpc_gke/test_plan.py b/tests/networking/shared_vpc_gke/test_plan.py
index 41e5f7c0..c0c0b1c6 100644
--- a/tests/networking/shared_vpc_gke/test_plan.py
+++ b/tests/networking/shared_vpc_gke/test_plan.py
@@ -22,9 +22,6 @@ FIXTURES_DIR = os.path.join(os.path.dirname(__file__), 'fixture')
 
 def test_resources(e2e_plan_runner):
 "Test that plan works and the numbers of resources is as expected."
-modules, resources = e2e_plan_runner(FIXTURES_DIR, targets=[
-"module.test.module.project-svc-gce",
-"module.test.module.project-svc-gke"
-])
-assert len(modules) == 4
-assert len(resources) == 16
+modules, resources = e2e_plan_runner(FIXTURES_DIR)
+assert len(modules) == 11
+assert len(resources) == 43
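Review bot: The trailing comment on the new host line `service_projects = [] # defined later` in the first main.tf hunk is misleading, since nothing later in the host module populates that list; the attachment is now declared from the service-project side in the two `shared_vpc_service_config` blocks added in the following hunks. A comment that names where the registration actually lives is more useful, e.g. `service_projects = [] # service projects attach themselves via shared_vpc_service_config`. Since this commit also drops the README's "Applying the example" section, it is worth stating there that the host module no longer owns the Shared VPC registrations, so a project should not both be listed here and attach itself — if the host module creates a registration resource per list entry, both sides would manage the same attachment. The `module "project-host"` block starts and ends outside the hunk.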
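Review bot: The new assertions `assert len(modules) == 11` and `assert len(resources) == 43` are bare magic numbers; a one-line comment on where they come from would save the next person who edits the example from re-deriving them, e.g. `# counts from a full, untargeted plan of the fixture; update alongside main.tf`. Dropping `targets=` means the test now exercises the whole plan including the host project, which is exactly the property the commit is trying to protect, so the docstring could say so: `"Test that a full (untargeted) plan works and that the number of resources is as expected."`. The body of `test_resources` may continue past the end of the hunk.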