Merge pull request #230 from terraform-google-modules/jccb/psn

Add support for private service connect
This commit is contained in:
Julio Castillo 2021-04-21 14:32:36 +02:00 committed by GitHub
commit fce410372d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 102 additions and 16 deletions


@ -121,6 +121,26 @@ module "vpc-host" {
# tftest:modules=1:resources=7
```
### Private Service Networking
```hcl
module "vpc" {
source = "./modules/net-vpc"
project_id = "my-project"
name = "my-network"
subnets = [
{
ip_cidr_range = "10.0.0.0/24"
name = "production"
region = "europe-west1"
secondary_ip_range = null
}
]
private_service_networking_range = "10.10.0.0/16"
}
# tftest:modules=1:resources=4
```
<!-- BEGIN TFDOC -->
## Variables
@ -137,6 +157,7 @@ module "vpc-host" {
| *mtu* | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 and the maximum value is 1500 bytes. | <code title=""></code> | | <code title="">null</code> |
| *peering_config* | VPC peering configuration. | <code title="object&#40;&#123;&#10;peer_vpc_self_link &#61; string&#10;export_routes &#61; bool&#10;import_routes &#61; bool&#10;&#125;&#41;">object({...})</code> | | <code title="">null</code> |
| *peering_create_remote_end* | Skip creation of peering on the remote end when using peering_config | <code title="">bool</code> | | <code title="">true</code> |
| *private_service_networking_range* | RFC1919 CIDR range used for Google services that support private service networking. | <code title="">string</code> | | <code title="null&#10;validation &#123;&#10;condition &#61; &#40;&#10;var.private_service_networking_range &#61;&#61; null &#124;&#124;&#10;can&#40;cidrnetmask&#40;var.private_service_networking_range&#41;&#41;&#10;&#41;&#10;error_message &#61; &#34;Specify a valid RFC1918 CIDR range for private service networking.&#34;&#10;&#125;">...</code> |
| *routes* | Network routes, keyed by name. | <code title="map&#40;object&#40;&#123;&#10;dest_range &#61; string&#10;priority &#61; number&#10;tags &#61; list&#40;string&#41;&#10;next_hop_type &#61; string &#35; gateway, instance, ip, vpn_tunnel, ilb&#10;next_hop &#61; string&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="">{}</code> |
| *routing_mode* | The network routing mode (default 'GLOBAL') | <code title="">string</code> | | <code title="GLOBAL&#10;validation &#123;&#10;condition &#61; var.routing_mode &#61;&#61; &#34;GLOBAL&#34; &#124;&#124; var.routing_mode &#61;&#61; &#34;REGIONAL&#34;&#10;error_message &#61; &#34;Routing type must be GLOBAL or REGIONAL.&#34;&#10;&#125;">...</code> |
| *shared_vpc_host* | Enable shared VPC for this project. | <code title="">bool</code> | | <code title="">false</code> |


@ -227,3 +227,21 @@ resource "google_compute_route" "vpn_tunnel" {
tags = each.value.tags
next_hop_vpn_tunnel = each.value.next_hop
}
resource "google_compute_global_address" "psn_range" {
count = var.private_service_networking_range == null ? 0 : 1
project = var.project_id
name = "google-private-service-networking"
purpose = "VPC_PEERING"
address_type = "INTERNAL"
address = split("/", var.private_service_networking_range)[0]
prefix_length = split("/", var.private_service_networking_range)[1]
network = local.network.id
}
resource "google_service_networking_connection" "psn_connection" {
count = var.private_service_networking_range == null ? 0 : 1
network = local.network.id
service = "servicenetworking.googleapis.com"
reserved_peering_ranges = [google_compute_global_address.psn_range.0.name]
}
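Review bot: The `address` on line 57 is taken verbatim from the left side of the range, so a value with host bits set (a constructed example: `10.10.0.1/16`) would reach the API as a non-network address; `address = cidrhost(var.private_service_networking_range, 0)` normalises it to the network address, and `prefix_length = tonumber(split("/", var.private_service_networking_range)[1])` makes the implicit string-to-number conversion explicit. I have not verified whether `cidrnetmask` in the variable's validation already rejects host bits, so this may be caught upstream. The `.0.name` reference on line 65 is the legacy index form; `google_compute_global_address.psn_range[0].name` is the form current Terraform documents. A comment above `psn_range` noting that the name `google-private-service-networking` is fixed, so only one such reservation can exist per module instance, would help readers.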


@ -17,16 +17,25 @@
output "network" {
description = "Network resource."
value = local.network
depends_on = [
google_service_networking_connection.psn_connection
]
}
output "name" {
description = "The name of the VPC being created."
value = local.network.name
depends_on = [
google_service_networking_connection.psn_connection
]
}
output "self_link" {
description = "The URI of the VPC being created."
value = local.network.self_link
depends_on = [
google_service_networking_connection.psn_connection
]
}
output "project_id" {
@ -38,7 +47,8 @@ output "project_id" {
)
depends_on = [
google_compute_shared_vpc_host_project.shared_vpc_host,
google_compute_shared_vpc_service_project.service_projects
google_compute_shared_vpc_service_project.service_projects,
google_service_networking_connection.psn_connection
]
}


@ -159,3 +159,16 @@ variable "vpc_create" {
type = bool
default = true
}
variable "private_service_networking_range" {
description = "RFC1919 CIDR range used for Google services that support private service networking."
type = string
default = null
validation {
condition = (
var.private_service_networking_range == null ||
can(cidrnetmask(var.private_service_networking_range))
)
error_message = "Specify a valid RFC1918 CIDR range for private service networking."
}
}
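Review bot: The description on line 110 says `RFC1919` while the error_message on line 118 says `RFC1918`; the description should read `RFC1918 CIDR range used for Google services that support private service networking.`, and the same text is repeated in the README table row and in the test fixture's variables.tf hunk. The condition on lines 114-117 only checks that the value parses as a CIDR via `cidrnetmask`, so a non-private range would pass validation while the error message promises an RFC1918 check; either reword the message to `Specify a valid CIDR range for private service networking.` or state in the description that the private-range requirement is enforced by the API rather than by this validation.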


@ -15,19 +15,20 @@
*/
module "test" {
source = "../../../../modules/net-vpc"
project_id = var.project_id
name = var.name
iam = var.iam
log_configs = var.log_configs
log_config_defaults = var.log_config_defaults
peering_config = var.peering_config
routes = var.routes
shared_vpc_host = var.shared_vpc_host
shared_vpc_service_projects = var.shared_vpc_service_projects
subnets = var.subnets
subnet_descriptions = var.subnet_descriptions
subnet_flow_logs = var.subnet_flow_logs
subnet_private_access = var.subnet_private_access
auto_create_subnetworks = var.auto_create_subnetworks
source = "../../../../modules/net-vpc"
project_id = var.project_id
name = var.name
iam = var.iam
log_configs = var.log_configs
log_config_defaults = var.log_config_defaults
peering_config = var.peering_config
routes = var.routes
shared_vpc_host = var.shared_vpc_host
shared_vpc_service_projects = var.shared_vpc_service_projects
subnets = var.subnets
subnet_descriptions = var.subnet_descriptions
subnet_flow_logs = var.subnet_flow_logs
subnet_private_access = var.subnet_private_access
auto_create_subnetworks = var.auto_create_subnetworks
private_service_networking_range = var.private_service_networking_range
}


@ -119,3 +119,9 @@ variable "subnet_private_access" {
type = map(bool)
default = {}
}
variable "private_service_networking_range" {
description = "RFC1919 CIDR range used for Google services that support private service networking."
type = string
default = null
}


@ -88,3 +88,20 @@ def test_vpc_routes(plan_runner):
resource = [r for r in resources if r['values']
['name'] == 'my-vpc-next-hop-test'][0]
assert resource['values']['next_hop_%s' % next_hop_type]
def test_vpc_psn(plan_runner):
_, resources = plan_runner(
FIXTURES_DIR, private_service_networking_range="10.10.0.0/16"
)
assert len(resources) == 3
address = [r["values"] for r in resources if r["type"] == "google_compute_global_address"][0]
assert address["address"] == "10.10.0.0"
assert address["address_type"] == "INTERNAL"
assert address["prefix_length"] == 16
assert address["purpose"] == "VPC_PEERING"
connection = [r["values"] for r in resources if r["type"] == "google_service_networking_connection"][0]
assert connection["service"] == "servicenetworking.googleapis.com"
assert connection["reserved_peering_ranges"] == ["google-private-service-networking"]
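Review bot: `test_vpc_psn` never asserts the global address resource's `name`, so the `reserved_peering_ranges` check on line 190 is not tied to the address the test inspects; add `assert address["name"] == "google-private-service-networking"` after line 184, or compare it to `connection["reserved_peering_ranges"][0]`, to link the two resources. The comprehensions on lines 183 and 188 index `[0]` directly, so a missing resource surfaces as an IndexError rather than an assertion failure; an `assert len(...) == 1` on each filtered list would give a clearer message. The `assert len(resources) == 3` on line 182 presumably counts the network plus the two new resources, which a short comment such as `# network + reserved range + service networking connection` would make explicit.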