Fix missing service networking identity in project, PSA (#585)
* test * test * test * fix * tfdoc * fix tests * fix tests
This commit is contained in:
parent
976eb9fe48
commit
fef3ed8c93
@ -376,10 +376,10 @@ Don't forget to add a peering zone in the landing project and point it to the ne
|
|||
| [l7ilb_subnets](variables.tf#L81) | Subnets used for L7 ILBs. | <code title="map(list(object({ ip_cidr_range = string region = string })))">map(list(object({…})))</code> | | <code title="{ dev = [ { ip_cidr_range = "10.128.159.0/24", region = "europe-west1" }, { ip_cidr_range = "10.128.191.0/24", region = "europe-west4" } ] prod = [ { ip_cidr_range = "10.128.223.0/24", region = "europe-west1" }, { ip_cidr_range = "10.128.255.0/24", region = "europe-west4" } ] }">{…}</code> | |
|
||||
| [onprem_cidr](variables.tf#L99) | Onprem addresses in name => range format. | <code>map(string)</code> | | <code title="{ main = "10.0.0.0/24" }">{…}</code> | |
|
||||
| [outputs_location](variables.tf#L117) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [psa_ranges](variables.tf#L134) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = map(object({ ranges = list(string) routes = object({ export = bool import = bool }) })) prod = map(object({ ranges = list(string) routes = object({ export = bool import = bool }) })) })">object({…})</code> | | <code title="{ dev = { cloudsql-mysql-ew1 = { ranges = ["10.128.157.0/24"] routes = null } cloudsql-mysql-ew4 = { ranges = ["10.128.189.0/24"] routes = null } cloudsql-sqlserver-ew1 = { ranges = ["10.128.158.0/24"] routes = null } cloudsql-sqlserver-ew4 = { ranges = ["10.128.190.0/24"] routes = null } } prod = { cloudsql-mysql-ew1 = { ranges = ["10.128.221.0/24"] routes = null } cloudsql-mysql-ew4 = { ranges = ["10.128.253.0/24"] routes = null } cloudsql-sqlserver-ew1 = { ranges = ["10.128.222.0/24"] routes = null } cloudsql-sqlserver-ew4 = { ranges = ["10.128.254.0/24"] routes = null } } }">{…}</code> | |
|
||||
| [router_configs](variables.tf#L192) | Configurations for CRs and onprem routers. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-trusted-ew1 = { asn = "64512" adv = null } landing-trusted-ew4 = { asn = "64512" adv = null } }">{…}</code> | |
|
||||
| [service_accounts](variables.tf#L215) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>01-resman</code> |
|
||||
| [vpn_onprem_configs](variables.tf#L227) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(object({ id = number ip_address = string })) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-trusted-ew1 = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = [ { id = 0, ip_address = "8.8.8.8" }, ] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } landing-trusted-ew4 = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = [ { id = 0, ip_address = "8.8.8.8" }, ] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
||||
| [psa_ranges](variables.tf#L134) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code title="{ dev = { ranges = { cloudsql-mysql-ew1 = "10.128.157.0/24" cloudsql-mysql-ew4 = "10.128.189.0/24" cloudsql-sqlserver-ew1 = "10.128.158.0/24" cloudsql-sqlserver-ew4 = "10.128.190.0/24" } routes = null } prod = { ranges = { cloudsql-mysql-ew1 = "10.128.221.0/24" cloudsql-mysql-ew4 = "10.128.253.0/24" cloudsql-sqlserver-ew1 = "10.128.222.0/24" cloudsql-sqlserver-ew4 = "10.128.254.0/24" } routes = null } }">{…}</code> | |
|
||||
| [router_configs](variables.tf#L174) | Configurations for CRs and onprem routers. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-trusted-ew1 = { asn = "64512" adv = null } landing-trusted-ew4 = { asn = "64512" adv = null } }">{…}</code> | |
|
||||
| [service_accounts](variables.tf#L197) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>01-resman</code> |
|
||||
| [vpn_onprem_configs](variables.tf#L209) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(object({ id = number ip_address = string })) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-trusted-ew1 = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = [ { id = 0, ip_address = "8.8.8.8" }, ] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } landing-trusted-ew4 = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = [ { id = 0, ip_address = "8.8.8.8" }, ] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
@ -134,57 +134,39 @@ variable "prefix" {
|
|||
variable "psa_ranges" {
|
||||
description = "IP ranges used for Private Service Access (e.g. CloudSQL)."
|
||||
type = object({
|
||||
dev = map(object({
|
||||
ranges = list(string)
|
||||
dev = object({
|
||||
ranges = map(string)
|
||||
routes = object({
|
||||
export = bool
|
||||
import = bool
|
||||
})
|
||||
}))
|
||||
prod = map(object({
|
||||
ranges = list(string)
|
||||
})
|
||||
prod = object({
|
||||
ranges = map(string)
|
||||
routes = object({
|
||||
export = bool
|
||||
import = bool
|
||||
})
|
||||
}))
|
||||
})
|
||||
})
|
||||
default = {
|
||||
dev = {
|
||||
cloudsql-mysql-ew1 = {
|
||||
ranges = ["10.128.157.0/24"]
|
||||
routes = null
|
||||
}
|
||||
cloudsql-mysql-ew4 = {
|
||||
ranges = ["10.128.189.0/24"]
|
||||
routes = null
|
||||
}
|
||||
cloudsql-sqlserver-ew1 = {
|
||||
ranges = ["10.128.158.0/24"]
|
||||
routes = null
|
||||
}
|
||||
cloudsql-sqlserver-ew4 = {
|
||||
ranges = ["10.128.190.0/24"]
|
||||
routes = null
|
||||
ranges = {
|
||||
cloudsql-mysql-ew1 = "10.128.157.0/24"
|
||||
cloudsql-mysql-ew4 = "10.128.189.0/24"
|
||||
cloudsql-sqlserver-ew1 = "10.128.158.0/24"
|
||||
cloudsql-sqlserver-ew4 = "10.128.190.0/24"
|
||||
}
|
||||
routes = null
|
||||
}
|
||||
prod = {
|
||||
cloudsql-mysql-ew1 = {
|
||||
ranges = ["10.128.221.0/24"]
|
||||
routes = null
|
||||
}
|
||||
cloudsql-mysql-ew4 = {
|
||||
ranges = ["10.128.253.0/24"]
|
||||
routes = null
|
||||
}
|
||||
cloudsql-sqlserver-ew1 = {
|
||||
ranges = ["10.128.222.0/24"]
|
||||
routes = null
|
||||
}
|
||||
cloudsql-sqlserver-ew4 = {
|
||||
ranges = ["10.128.254.0/24"]
|
||||
routes = null
|
||||
ranges = {
|
||||
cloudsql-mysql-ew1 = "10.128.221.0/24"
|
||||
cloudsql-mysql-ew4 = "10.128.253.0/24"
|
||||
cloudsql-sqlserver-ew1 = "10.128.222.0/24"
|
||||
cloudsql-sqlserver-ew4 = "10.128.254.0/24"
|
||||
}
|
||||
routes = null
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -298,10 +298,10 @@ DNS configurations are centralised in the `dns.tf` file. Spokes delegate DNS res
|
|||
| [l7ilb_subnets](variables.tf#L76) | Subnets used for L7 ILBs. | <code title="map(list(object({ ip_cidr_range = string region = string })))">map(list(object({…})))</code> | | <code title="{ prod = [ { ip_cidr_range = "10.128.92.0/24", region = "europe-west1" }, { ip_cidr_range = "10.128.93.0/24", region = "europe-west4" } ] dev = [ { ip_cidr_range = "10.128.60.0/24", region = "europe-west1" }, { ip_cidr_range = "10.128.61.0/24", region = "europe-west4" } ] }">{…}</code> | |
|
||||
| [outputs_location](variables.tf#L104) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [peering_configs](variables-peerings.tf#L19) | Peering configurations. | <code title="map(object({ export_local_custom_routes = bool export_peer_custom_routes = bool }))">map(object({…}))</code> | | <code title="{ dev = { export_local_custom_routes = true export_peer_custom_routes = true } prod = { export_local_custom_routes = true export_peer_custom_routes = true } }">{…}</code> | |
|
||||
| [psa_ranges](variables.tf#L121) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = map(object({ ranges = list(string) routes = object({ export = bool import = bool }) })) prod = map(object({ ranges = list(string) routes = object({ export = bool import = bool }) })) })">object({…})</code> | | <code title="{ dev = { cloudsql-mysql = { ranges = ["10.128.62.0/24"] routes = null } cloudsql-sqlserver = { ranges = ["10.128.63.0/24"] routes = null } } prod = { cloudsql-mysql = { ranges = ["10.128.94.0/24"] routes = null } cloudsql-sqlserver = { ranges = ["10.128.95.0/24"] routes = null } } }">{…}</code> | |
|
||||
| [router_onprem_configs](variables.tf#L163) | Configurations for routers used for onprem connectivity. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { asn = "65533" adv = null } }">{…}</code> | |
|
||||
| [service_accounts](variables.tf#L181) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>01-resman</code> |
|
||||
| [vpn_onprem_configs](variables.tf#L193) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(object({ id = number ip_address = string })) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = [ { id = 0, ip_address = "8.8.8.8" }, ] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
||||
| [psa_ranges](variables.tf#L121) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code title="{ dev = { ranges = { cloudsql-mysql = "10.128.62.0/24" cloudsql-sqlserver = "10.128.63.0/24" } routes = null } prod = { ranges = { cloudsql-mysql = "10.128.94.0/24" cloudsql-sqlserver = "10.128.95.0/24" } routes = null } }">{…}</code> | |
|
||||
| [router_onprem_configs](variables.tf#L157) | Configurations for routers used for onprem connectivity. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { asn = "65533" adv = null } }">{…}</code> | |
|
||||
| [service_accounts](variables.tf#L175) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>01-resman</code> |
|
||||
| [vpn_onprem_configs](variables.tf#L187) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(object({ id = number ip_address = string })) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = [ { id = 0, ip_address = "8.8.8.8" }, ] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
@ -121,41 +121,35 @@ variable "prefix" {
|
|||
variable "psa_ranges" {
|
||||
description = "IP ranges used for Private Service Access (e.g. CloudSQL)."
|
||||
type = object({
|
||||
dev = map(object({
|
||||
ranges = list(string)
|
||||
dev = object({
|
||||
ranges = map(string)
|
||||
routes = object({
|
||||
export = bool
|
||||
import = bool
|
||||
})
|
||||
}))
|
||||
prod = map(object({
|
||||
ranges = list(string)
|
||||
})
|
||||
prod = object({
|
||||
ranges = map(string)
|
||||
routes = object({
|
||||
export = bool
|
||||
import = bool
|
||||
})
|
||||
}))
|
||||
})
|
||||
})
|
||||
default = {
|
||||
dev = {
|
||||
cloudsql-mysql = {
|
||||
ranges = ["10.128.62.0/24"]
|
||||
routes = null
|
||||
}
|
||||
cloudsql-sqlserver = {
|
||||
ranges = ["10.128.63.0/24"]
|
||||
routes = null
|
||||
ranges = {
|
||||
cloudsql-mysql = "10.128.62.0/24"
|
||||
cloudsql-sqlserver = "10.128.63.0/24"
|
||||
}
|
||||
routes = null
|
||||
}
|
||||
prod = {
|
||||
cloudsql-mysql = {
|
||||
ranges = ["10.128.94.0/24"]
|
||||
routes = null
|
||||
}
|
||||
cloudsql-sqlserver = {
|
||||
ranges = ["10.128.95.0/24"]
|
||||
routes = null
|
||||
ranges = {
|
||||
cloudsql-mysql = "10.128.94.0/24"
|
||||
cloudsql-sqlserver = "10.128.95.0/24"
|
||||
}
|
||||
routes = null
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -321,11 +321,11 @@ DNS configurations are centralised in the `dns.tf` file. Spokes delegate DNS res
|
|||
| [dns](variables.tf#L58) | Onprem DNS resolvers. | <code>map(list(string))</code> | | <code title="{ onprem = ["10.0.200.3"] }">{…}</code> | |
|
||||
| [l7ilb_subnets](variables.tf#L76) | Subnets used for L7 ILBs. | <code title="map(list(object({ ip_cidr_range = string region = string })))">map(list(object({…})))</code> | | <code title="{ prod = [ { ip_cidr_range = "10.128.92.0/24", region = "europe-west1" }, { ip_cidr_range = "10.128.93.0/24", region = "europe-west4" } ] dev = [ { ip_cidr_range = "10.128.60.0/24", region = "europe-west1" }, { ip_cidr_range = "10.128.61.0/24", region = "europe-west4" } ] }">{…}</code> | |
|
||||
| [outputs_location](variables.tf#L104) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [psa_ranges](variables.tf#L121) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = map(object({ ranges = list(string) routes = object({ export = bool import = bool }) })) prod = map(object({ ranges = list(string) routes = object({ export = bool import = bool }) })) })">object({…})</code> | | <code title="{ dev = { cloudsql-mysql = { ranges = ["10.128.62.0/24"] routes = null } cloudsql-sqlserver = { ranges = ["10.128.63.0/24"] routes = null } } prod = { cloudsql-mysql = { ranges = ["10.128.94.0/24"] routes = null } cloudsql-sqlserver = { ranges = ["10.128.95.0/24"] routes = null } } }">{…}</code> | |
|
||||
| [router_onprem_configs](variables.tf#L163) | Configurations for routers used for onprem connectivity. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { asn = "65533" adv = null } }">{…}</code> | |
|
||||
| [psa_ranges](variables.tf#L121) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object({ dev = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) prod = object({ ranges = map(string) routes = object({ export = bool import = bool }) }) })">object({…})</code> | | <code title="{ dev = { ranges = { cloudsql-mysql = "10.128.62.0/24" cloudsql-sqlserver = "10.128.63.0/24" } routes = null } prod = { ranges = { cloudsql-mysql = "10.128.94.0/24" cloudsql-sqlserver = "10.128.95.0/24" } routes = null } }">{…}</code> | |
|
||||
| [router_onprem_configs](variables.tf#L157) | Configurations for routers used for onprem connectivity. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { asn = "65533" adv = null } }">{…}</code> | |
|
||||
| [router_spoke_configs](variables-vpn.tf#L18) | Configurations for routers used for internal connectivity. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { asn = "64512", adv = null } landing-ew4 = { asn = "64512", adv = null } spoke-dev-ew1 = { asn = "64513", adv = null } spoke-dev-ew4 = { asn = "64513", adv = null } spoke-prod-ew1 = { asn = "64514", adv = null } spoke-prod-ew4 = { asn = "64514", adv = null } }">{…}</code> | |
|
||||
| [service_accounts](variables.tf#L181) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>01-resman</code> |
|
||||
| [vpn_onprem_configs](variables.tf#L193) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(object({ id = number ip_address = string })) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = [ { id = 0, ip_address = "8.8.8.8" }, ] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
||||
| [service_accounts](variables.tf#L175) | Automation service accounts in name => email format. | <code title="object({ data-platform-dev = string data-platform-prod = string project-factory-dev = string project-factory-prod = string })">object({…})</code> | | <code>null</code> | <code>01-resman</code> |
|
||||
| [vpn_onprem_configs](variables.tf#L187) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) peer_external_gateway = object({ redundancy_type = string interfaces = list(object({ id = number ip_address = string })) }) tunnels = list(object({ peer_asn = number peer_external_gateway_interface = number secret = string session_range = string vpn_gateway_interface = number })) }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { adv = { default = false custom = [ "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all" ] } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" interfaces = [ { id = 0, ip_address = "8.8.8.8" }, ] } tunnels = [ { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.0/30" vpn_gateway_interface = 0 }, { peer_asn = 65534 peer_external_gateway_interface = 0 secret = "foobar" session_range = "169.254.1.4/30" vpn_gateway_interface = 1 } ] } }">{…}</code> | |
|
||||
| [vpn_spoke_configs](variables-vpn.tf#L37) | VPN gateway configuration for spokes. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) session_range = string }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { adv = { default = false custom = ["rfc_1918_10", "rfc_1918_172", "rfc_1918_192"] } session_range = null } landing-ew4 = { adv = { default = false custom = ["rfc_1918_10", "rfc_1918_172", "rfc_1918_192"] } session_range = null } dev-ew1 = { adv = { default = false custom = ["gcp_dev"] } session_range = "169.254.0.0/27" } prod-ew1 = { adv = { default = false custom = ["gcp_prod"] } session_range = "169.254.0.64/27" } prod-ew4 = { adv = { default = false custom = ["gcp_prod"] } session_range = "169.254.0.96/27" } }">{…}</code> | |
|
||||
|
||||
## Outputs
|
||||
|
|
|
@ -121,41 +121,35 @@ variable "prefix" {
|
|||
variable "psa_ranges" {
|
||||
description = "IP ranges used for Private Service Access (e.g. CloudSQL)."
|
||||
type = object({
|
||||
dev = map(object({
|
||||
ranges = list(string)
|
||||
dev = object({
|
||||
ranges = map(string)
|
||||
routes = object({
|
||||
export = bool
|
||||
import = bool
|
||||
})
|
||||
}))
|
||||
prod = map(object({
|
||||
ranges = list(string)
|
||||
})
|
||||
prod = object({
|
||||
ranges = map(string)
|
||||
routes = object({
|
||||
export = bool
|
||||
import = bool
|
||||
})
|
||||
}))
|
||||
})
|
||||
})
|
||||
default = {
|
||||
dev = {
|
||||
cloudsql-mysql = {
|
||||
ranges = ["10.128.62.0/24"]
|
||||
routes = null
|
||||
}
|
||||
cloudsql-sqlserver = {
|
||||
ranges = ["10.128.63.0/24"]
|
||||
routes = null
|
||||
ranges = {
|
||||
cloudsql-mysql = "10.128.62.0/24"
|
||||
cloudsql-sqlserver = "10.128.63.0/24"
|
||||
}
|
||||
routes = null
|
||||
}
|
||||
prod = {
|
||||
cloudsql-mysql = {
|
||||
ranges = ["10.128.94.0/24"]
|
||||
routes = null
|
||||
}
|
||||
cloudsql-sqlserver = {
|
||||
ranges = ["10.128.95.0/24"]
|
||||
routes = null
|
||||
ranges = {
|
||||
cloudsql-mysql = "10.128.94.0/24"
|
||||
cloudsql-sqlserver = "10.128.95.0/24"
|
||||
}
|
||||
routes = null
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -25,7 +25,10 @@ module "vpc" {
|
|||
source = "./modules/net-vpc"
|
||||
project_id = module.project.project_id
|
||||
name = "my-network"
|
||||
psa_config = {cloudsql-ew1-0 = {ranges = ["10.60.0.0/16"], routes = null}}
|
||||
psa_config = {
|
||||
ranges = { cloud-sql = "10.60.0.0/16" }
|
||||
routes = null
|
||||
}
|
||||
}
|
||||
|
||||
module "db" {
|
||||
|
@ -37,7 +40,7 @@ module "db" {
|
|||
database_version = "POSTGRES_13"
|
||||
tier = "db-g1-small"
|
||||
}
|
||||
# tftest modules=3 resources=6
|
||||
# tftest modules=3 resources=9
|
||||
```
|
||||
|
||||
## Cross-regional read replica
|
||||
|
|
|
@ -139,17 +139,15 @@ module "vpc" {
|
|||
}
|
||||
]
|
||||
psa_config = {
|
||||
my_service = {
|
||||
ranges = [
|
||||
"10.0.1.0/24"
|
||||
],
|
||||
routes = null
|
||||
}
|
||||
ranges = { myrange = "10.0.1.0/24" }
|
||||
routes = null
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=4
|
||||
# tftest modules=1 resources=5
|
||||
```
|
||||
|
||||
### Private Service Networking with peering routes
|
||||
|
||||
Custom routes can be optionally exported/imported through the peering formed with the Google managed PSA VPC.
|
||||
|
||||
```hcl
|
||||
|
@ -166,15 +164,8 @@ module "vpc" {
|
|||
}
|
||||
]
|
||||
psa_config = {
|
||||
my_service = {
|
||||
ranges = [
|
||||
"10.0.1.0/24"
|
||||
],
|
||||
routes = {
|
||||
export=true,
|
||||
import=true
|
||||
}
|
||||
}
|
||||
ranges = { myrange = "10.0.1.0/24" }
|
||||
routes = { export=true, import=true }
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=5
|
||||
|
@ -257,7 +248,7 @@ flow_logs: # enable, set to empty map to use defaults
|
|||
| [mtu](variables.tf#L80) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 and the maximum value is 1500 bytes. | <code></code> | | <code>null</code> |
|
||||
| [peering_config](variables.tf#L90) | VPC peering configuration. | <code title="object({ peer_vpc_self_link = string export_routes = bool import_routes = bool })">object({…})</code> | | <code>null</code> |
|
||||
| [peering_create_remote_end](variables.tf#L100) | Skip creation of peering on the remote end when using peering_config. | <code>bool</code> | | <code>true</code> |
|
||||
| [psa_config](variables.tf#L111) | The Private Service Access configuration. | <code title="map(object({ ranges = list(string) # CIDRs in the format x.x.x.x/yy routes = object({ export = bool import = bool }) }))">map(object({…}))</code> | | <code>null</code> |
|
||||
| [psa_config](variables.tf#L111) | The Private Service Access configuration for Service Networking. | <code title="object({ ranges = map(string) routes = object({ export = bool import = bool }) })">object({…})</code> | | <code>null</code> |
|
||||
| [routes](variables.tf#L123) | Network routes, keyed by name. | <code title="map(object({ dest_range = string priority = number tags = list(string) next_hop_type = string # gateway, instance, ip, vpn_tunnel, ilb next_hop = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [routing_mode](variables.tf#L135) | The network routing mode (default 'GLOBAL'). | <code>string</code> | | <code>"GLOBAL"</code> |
|
||||
| [shared_vpc_host](variables.tf#L145) | Enable shared VPC for this project. | <code>bool</code> | | <code>false</code> |
|
||||
|
|
|
@ -52,17 +52,7 @@ locals {
|
|||
secondary_ip_range = try(v.secondary_ip_range, {})
|
||||
}
|
||||
}
|
||||
_iam = var.iam == null ? {} : var.iam
|
||||
_psa_ranges = flatten([
|
||||
for k, v in coalesce(var.psa_config, {}) : [
|
||||
for r in v.ranges : {
|
||||
key = "${k}:${index(v.ranges, r)}"
|
||||
name = "${k}-${index(v.ranges, r)}"
|
||||
address = try(split("/", r)[0], null)
|
||||
prefix_length = try(split("/", r)[1], null)
|
||||
}
|
||||
]
|
||||
])
|
||||
_iam = var.iam == null ? {} : var.iam
|
||||
_routes = var.routes == null ? {} : var.routes
|
||||
_subnet_flow_logs = {
|
||||
for k, v in var.subnet_flow_logs : k => merge(
|
||||
|
@ -88,7 +78,11 @@ locals {
|
|||
? null
|
||||
: element(reverse(split("/", var.peering_config.peer_vpc_self_link)), 0)
|
||||
)
|
||||
psa_ranges = { for e in local._psa_ranges : e.key => e }
|
||||
psa_config = (
|
||||
var.psa_config == null
|
||||
? { ranges = {}, routes = null }
|
||||
: var.psa_config
|
||||
)
|
||||
routes = {
|
||||
gateway = { for k, v in local._routes : k => v if v.next_hop_type == "gateway" }
|
||||
ilb = { for k, v in local._routes : k => v if v.next_hop_type == "ilb" }
|
||||
|
@ -333,31 +327,30 @@ resource "google_dns_policy" "default" {
|
|||
}
|
||||
|
||||
resource "google_compute_global_address" "psa_ranges" {
|
||||
for_each = local.psa_ranges
|
||||
for_each = local.psa_config.ranges
|
||||
project = var.project_id
|
||||
name = each.value.name
|
||||
name = each.key
|
||||
purpose = "VPC_PEERING"
|
||||
address_type = "INTERNAL"
|
||||
address = each.value.address
|
||||
prefix_length = each.value.prefix_length
|
||||
address = split("/", each.value)[0]
|
||||
prefix_length = split("/", each.value)[1]
|
||||
network = local.network.id
|
||||
}
|
||||
|
||||
resource "google_service_networking_connection" "psa_connection" {
|
||||
for_each = coalesce(var.psa_config, {})
|
||||
for_each = var.psa_config == null ? {} : { 1 = 1 }
|
||||
network = local.network.id
|
||||
service = "servicenetworking.googleapis.com"
|
||||
reserved_peering_ranges = [
|
||||
for k, v in google_compute_global_address.psa_ranges :
|
||||
v.name if try(split(":", k)[0], null) == each.key
|
||||
for k, v in google_compute_global_address.psa_ranges : v.name
|
||||
]
|
||||
}
|
||||
|
||||
resource "google_compute_network_peering_routes_config" "psa_routes" {
|
||||
for_each = { for k, v in coalesce(var.psa_config, {}) : k => v if try(v.routes) != null }
|
||||
for_each = var.psa_config == null ? {} : { 1 = 1 }
|
||||
project = var.project_id
|
||||
peering = google_service_networking_connection.psa_connection[each.key].peering
|
||||
peering = google_service_networking_connection.psa_connection["1"].peering
|
||||
network = local.network.id
|
||||
export_custom_routes = coalesce(each.value.routes.export, false)
|
||||
import_custom_routes = coalesce(each.value.routes.import, false)
|
||||
export_custom_routes = try(var.psa_config.routes.export, false)
|
||||
import_custom_routes = try(var.psa_config.routes.import, false)
|
||||
}
|
||||
|
|
|
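Review bot: `google_compute_network_peering_routes_config.psa_routes` is now created for every non-null `psa_config`, including one with `routes = null`, and then pins both `export_custom_routes` and `import_custom_routes` to false; the removed `for_each` only managed the routes config when `routes` was set, and the README example count going from 4 to 5 resources in this commit is consistent with that change. Forcing both flags to false is the conservative default, but it is a silent behaviour change for callers that left `routes` null so the peering routes stayed unmanaged; if that is not intended, gate it with `for_each = try(var.psa_config.routes, null) == null ? {} : { 1 = 1 }`, otherwise state the always-managed behaviour in the `psa_config` description. In `google_compute_global_address.psa_ranges`, `split("/", each.value)[1]` lost the old `try(..., null)`, so a value without a prefix now fails at plan time with an index error rather than a readable message, which is acceptable only if the variable validates its values. Using `local.psa_config` in all three resources instead of mixing it with `var.psa_config` would also keep the null handling in one place.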
@ -109,14 +109,14 @@ variable "project_id" {
|
|||
}
|
||||
|
||||
variable "psa_config" {
|
||||
description = "The Private Service Access configuration."
|
||||
type = map(object({
|
||||
ranges = list(string) # CIDRs in the format x.x.x.x/yy
|
||||
description = "The Private Service Access configuration for Service Networking."
|
||||
type = object({
|
||||
ranges = map(string)
|
||||
routes = object({
|
||||
export = bool
|
||||
import = bool
|
||||
})
|
||||
}))
|
||||
})
|
||||
default = null
|
||||
}
|
||||
|
||||
|
|
|
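Review bot: The `# CIDRs in the format x.x.x.x/yy` comment was dropped from the `ranges` attribute when its type changed to `map(string)`, and the new description does not say what the map values are; restore it as `ranges = map(string) # CIDRs in the format x.x.x.x/yy`. Since main.tf now derives `address` and `prefix_length` from `split("/", each.value)` without a `try`, a non-CIDR value only fails at plan time with an index error, so a `validation` block that rejects malformed values with a clear message would be worthwhile; a sketch follows. The stage-level `psa_ranges` variables changed in the same commit pass these values through unchanged and would benefit from the same comment on their `ranges` attributes.
```hcl
variable "psa_config" {
  # … unchanged: description …
  type = object({
    ranges = map(string) # CIDRs in the format x.x.x.x/yy
    # … unchanged: routes …
  })
  # … unchanged: default …
  validation {
    condition = alltrue([
      for r in values(try(var.psa_config.ranges, {})) : can(cidrhost(r, 0))
    ])
    error_message = "psa_config.ranges values must be CIDR blocks in the format x.x.x.x/yy."
  }
}
```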
@ -250,7 +250,7 @@ module "project" {
|
|||
| [main.tf](./main.tf) | Module-level locals and resources. | <code>google_compute_project_metadata_item</code> · <code>google_essential_contacts_contact</code> · <code>google_monitoring_monitored_project</code> · <code>google_project</code> · <code>google_project_service</code> · <code>google_resource_manager_lien</code> |
|
||||
| [organization-policies.tf](./organization-policies.tf) | Project-level organization policies. | <code>google_project_organization_policy</code> |
|
||||
| [outputs.tf](./outputs.tf) | Module outputs. | |
|
||||
| [service-accounts.tf](./service-accounts.tf) | Service identities and supporting resources. | <code>google_kms_crypto_key_iam_member</code> · <code>google_project_service_identity</code> |
|
||||
| [service-accounts.tf](./service-accounts.tf) | Service identities and supporting resources. | <code>google_kms_crypto_key_iam_member</code> · <code>google_project_iam_member</code> · <code>google_project_service_identity</code> |
|
||||
| [shared-vpc.tf](./shared-vpc.tf) | Shared VPC project-level configuration. | <code>google_compute_shared_vpc_host_project</code> · <code>google_compute_shared_vpc_service_project</code> · <code>google_project_iam_member</code> |
|
||||
| [tags.tf](./tags.tf) | None | <code>google_tags_tag_binding</code> |
|
||||
| [variables.tf](./variables.tf) | Module variables. | |
|
||||
|
@ -302,7 +302,7 @@ module "project" {
|
|||
| [name](outputs.tf#L25) | Project name. | |
|
||||
| [number](outputs.tf#L38) | Project number. | |
|
||||
| [project_id](outputs.tf#L51) | Project id. | |
|
||||
| [service_accounts](outputs.tf#L66) | Product robot service accounts in project. | |
|
||||
| [sink_writer_identities](outputs.tf#L82) | Writer identities created for each sink. | |
|
||||
| [service_accounts](outputs.tf#L68) | Product robot service accounts in project. | |
|
||||
| [sink_writer_identities](outputs.tf#L84) | Writer identities created for each sink. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
|
|
@ -59,7 +59,9 @@ output "project_id" {
|
|||
google_project_service.project_services,
|
||||
google_compute_shared_vpc_service_project.service_projects,
|
||||
google_project_iam_member.shared_vpc_host_robots,
|
||||
google_kms_crypto_key_iam_member.service_identity_cmek
|
||||
google_kms_crypto_key_iam_member.service_identity_cmek,
|
||||
google_project_service_identity.servicenetworking,
|
||||
google_project_iam_member.servicenetworking
|
||||
]
|
||||
}
|
||||
|
||||
|
|
|
@ -84,6 +84,21 @@ data "google_bigquery_default_service_account" "bq_sa" {
|
|||
depends_on = [google_project_service.project_services]
|
||||
}
|
||||
|
||||
resource "google_project_service_identity" "servicenetworking" {
|
||||
provider = google-beta
|
||||
count = contains(var.services, "servicenetworking.googleapis.com") ? 1 : 0
|
||||
project = local.project.project_id
|
||||
service = "servicenetworking.googleapis.com"
|
||||
depends_on = [google_project_service.project_services]
|
||||
}
|
||||
|
||||
resource "google_project_iam_member" "servicenetworking" {
|
||||
count = contains(var.services, "servicenetworking.googleapis.com") ? 1 : 0
|
||||
project = local.project.project_id
|
||||
role = "roles/servicenetworking.serviceAgent"
|
||||
member = "serviceAccount:${google_project_service_identity.servicenetworking.0.email}"
|
||||
}
|
||||
|
||||
# Secret Manager SA created just in time, we need to trigger the creation.
|
||||
resource "google_project_service_identity" "jit_si" {
|
||||
for_each = setintersection(var.services, local.service_accounts_jit_services)
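Review bot: `member = "serviceAccount:${google_project_service_identity.servicenetworking.0.email}"` uses the legacy attribute-style index; the bracket form matches the `count` on the resource and is the documented syntax, `member = "serviceAccount:${google_project_service_identity.servicenetworking[0].email}"`. Neither new resource records why the binding exists; a comment above `google_project_iam_member.servicenetworking` such as `# Grant the Service Networking service agent its agent role on the project so PSA connections can be created.` would preserve the reason, which from the commit title presumably is a missing identity breaking PSA. The grant is limited to this project and to the single `roles/servicenetworking.serviceAgent` role, which is the expected scope for a Google-managed service agent and should stay that narrow. The `provider = google-beta` line on the identity resource is also worth a one-line comment if the module otherwise avoids the beta provider, so it is not "cleaned up" later.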
|
||||
|
|
|
@ -16,4 +16,4 @@ def test_resources(e2e_plan_runner):
|
|||
"Test that plan works and the numbers of resources is as expected."
|
||||
modules, resources = e2e_plan_runner()
|
||||
assert len(modules) == 7
|
||||
assert len(resources) == 23
|
||||
assert len(resources) == 27
|
||||
|
|
|
@ -24,4 +24,4 @@ def test_resources(e2e_plan_runner):
|
|||
"Test that plan works and the numbers of resources is as expected."
|
||||
modules, resources = e2e_plan_runner(FIXTURES_DIR)
|
||||
assert len(modules) == 40
|
||||
assert len(resources) == 282
|
||||
assert len(resources) == 296
|
||||
|
|
|
@ -24,4 +24,4 @@ def test_resources(e2e_plan_runner):
|
|||
"Test that plan works and the numbers of resources is as expected."
|
||||
modules, resources = e2e_plan_runner(FIXTURES_DIR)
|
||||
assert len(modules) == 11
|
||||
assert len(resources) == 44
|
||||
assert len(resources) == 46
|
||||
|
|
|
@ -35,16 +35,12 @@ variable "iam" {
|
|||
}
|
||||
|
||||
variable "log_configs" {
|
||||
type = map(map(string))
|
||||
type = any
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "log_config_defaults" {
|
||||
type = object({
|
||||
aggregation_interval = string
|
||||
flow_sampling = number
|
||||
metadata = string
|
||||
})
|
||||
type = any
|
||||
default = {
|
||||
aggregation_interval = "INTERVAL_5_SEC"
|
||||
flow_sampling = 0.5
|
||||
|
@ -63,24 +59,12 @@ variable "peering_config" {
|
|||
|
||||
variable "psa_config" {
|
||||
description = "The Private Service Access configuration."
|
||||
type = map(object({
|
||||
ranges = list(string)
|
||||
routes = object({
|
||||
export = bool
|
||||
import = bool
|
||||
})
|
||||
}))
|
||||
default = null
|
||||
type = any
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "routes" {
|
||||
type = map(object({
|
||||
dest_range = string
|
||||
priority = number
|
||||
tags = list(string)
|
||||
next_hop_type = string # gateway, instance, ip, vpn_tunnel, ilb
|
||||
next_hop = string
|
||||
}))
|
||||
type = any
|
||||
default = null
|
||||
}
|
||||
|
||||
|
@ -104,14 +88,8 @@ variable "shared_vpc_service_projects" {
|
|||
|
||||
variable "subnets" {
|
||||
description = "The list of subnets being created."
|
||||
type = list(object({
|
||||
name = string
|
||||
ip_cidr_range = string
|
||||
name = string
|
||||
region = string
|
||||
secondary_ip_range = map(string)
|
||||
}))
|
||||
default = []
|
||||
type = any
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "subnet_descriptions" {
|
||||
|
|
|
@ -12,90 +12,74 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
import tftest
|
||||
|
||||
|
||||
def test_single_range(plan_runner):
|
||||
"Test single PSA range."
|
||||
psa_config = '''{
|
||||
foobar = {
|
||||
ranges = [
|
||||
"172.16.100.0/24"
|
||||
],
|
||||
routes = null
|
||||
}
|
||||
}'''
|
||||
_, resources = plan_runner(psa_config=psa_config)
|
||||
assert len(resources) == 3
|
||||
|
||||
|
||||
def test_multi_range(plan_runner):
|
||||
"Test multiple PSA ranges."
|
||||
psa_config = '''{
|
||||
foobar = {
|
||||
ranges = [
|
||||
"172.16.100.0/24",
|
||||
"172.16.101.0/24"
|
||||
],
|
||||
routes = null
|
||||
ranges = {
|
||||
bar = "172.16.100.0/24"
|
||||
foo = "172.16.101.0/24"
|
||||
},
|
||||
frobniz = {
|
||||
ranges = [
|
||||
"172.16.102.0/24"
|
||||
],
|
||||
routes = null
|
||||
}
|
||||
routes = null
|
||||
}'''
|
||||
_, resources = plan_runner(psa_config=psa_config)
|
||||
assert len(resources) == 6
|
||||
assert len(resources) == 5
|
||||
for r in resources:
|
||||
if r['type'] == 'google_compute_network_peering_routes_config':
|
||||
assert not r['values']['export_custom_routes']
|
||||
assert not r['values']['import_custom_routes']
|
||||
|
||||
|
||||
def test_routes_export(plan_runner):
|
||||
"Test routes export."
|
||||
psa_config = '''{
|
||||
foobar = {
|
||||
ranges = [
|
||||
"172.16.100.0/24"
|
||||
],
|
||||
routes = {
|
||||
export = true
|
||||
import = false
|
||||
}
|
||||
ranges = {
|
||||
bar = "172.16.100.0/24"
|
||||
},
|
||||
routes = {
|
||||
export = true
|
||||
import = false
|
||||
}
|
||||
}'''
|
||||
_, resources = plan_runner(psa_config=psa_config)
|
||||
assert len(resources) == 4
|
||||
for r in resources:
|
||||
if r['type'] == 'google_compute_network_peering_routes_config':
|
||||
assert r['values']['export_custom_routes']
|
||||
assert not r['values']['import_custom_routes']
|
||||
|
||||
|
||||
def test_routes_import(plan_runner):
|
||||
"Test routes import."
|
||||
psa_config = '''{
|
||||
foobar = {
|
||||
ranges = [
|
||||
"172.16.100.0/24"
|
||||
],
|
||||
routes = {
|
||||
export = false
|
||||
import = true
|
||||
}
|
||||
ranges = {
|
||||
bar = "172.16.100.0/24"
|
||||
},
|
||||
routes = {
|
||||
export = false
|
||||
import = true
|
||||
}
|
||||
}'''
|
||||
_, resources = plan_runner(psa_config=psa_config)
|
||||
assert len(resources) == 4
|
||||
for r in resources:
|
||||
if r['type'] == 'google_compute_network_peering_routes_config':
|
||||
assert not r['values']['export_custom_routes']
|
||||
assert r['values']['import_custom_routes']
|
||||
|
||||
|
||||
def test_routes_export_import(plan_runner):
|
||||
"Test routes export and import."
|
||||
psa_config = '''{
|
||||
foobar = {
|
||||
ranges = [
|
||||
"172.16.100.0/24"
|
||||
],
|
||||
routes = {
|
||||
export = true
|
||||
import = true
|
||||
}
|
||||
ranges = {
|
||||
bar = "172.16.100.0/24"
|
||||
},
|
||||
routes = {
|
||||
export = true
|
||||
import = true
|
||||
}
|
||||
}'''
|
||||
_, resources = plan_runner(psa_config=psa_config)
|
||||
assert len(resources) == 4
|
||||
for r in resources:
|
||||
if r['type'] == 'google_compute_network_peering_routes_config':
|
||||
assert r['values']['export_custom_routes']
|
||||
assert r['values']['import_custom_routes']
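Review bot: The route-flag assertions in test_multi_range, test_routes_export, test_routes_import and test_routes_export_import sit under `if r['type'] == 'google_compute_network_peering_routes_config':` inside a loop over all resources, so if the plan produced no routes-config resource the loop body never executes and each test passes vacuously; only the `len(resources)` count covers it indirectly. Select the resource explicitly and assert it is present, e.g. `routes = [r for r in resources if r['type'] == 'google_compute_network_peering_routes_config']`, `assert len(routes) == 1`, then `assert routes[0]['values']['export_custom_routes']`. The four tests also embed near-identical HCL strings that differ only in the `routes` block; a small helper that builds the `psa_config` string from the export/import flags would make each case's intent clearer. `import tftest` is not referenced by any test visible in this hunk, though it may be a context line predating this change.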
|
||||
|
|