From b49984e1b9525ddfe54eb4c9c5c385fc32af90c5 Mon Sep 17 00:00:00 2001 From: Dave Gulli Date: Mon, 11 Sep 2023 16:56:09 +1000 Subject: [PATCH 01/22] added support for global proxy only subnets --- modules/net-vpc/README.md | 10 ++++++++++ modules/net-vpc/subnets.tf | 4 ++++ 2 files changed, 14 insertions(+) diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md index 81b9ad371..99db8b341 100644 --- a/modules/net-vpc/README.md +++ b/modules/net-vpc/README.md @@ -287,6 +287,8 @@ Along with common private subnets module supports creation more service specific - [Proxy-only subnets](https://cloud.google.com/load-balancing/docs/proxy-only-subnets) for Regional HTTPS Internal HTTPS Load Balancers - [Private Service Connect](https://cloud.google.com/vpc/docs/private-service-connect#psc-subnets) subnets +- [Global Proxy-only subnet] (https://cloud.google.com/load-balancing/docs/proxy-only-subnets#envoy-lb) with purpose for Cross-region internal Application Load Balancers + ```hcl module "vpc" { source = "./fabric/modules/net-vpc" @@ -308,6 +310,14 @@ module "vpc" { region = "europe-west1" } ] + subnets_global_proxy_only = [ + { + ip_cidr_range = "10.0.4.0/24" + name = "global-proxy" + region = "australia-southeast2" + active = true + } + ] } # tftest modules=1 resources=5 inventory=proxy-only-subnets.yaml ``` diff --git a/modules/net-vpc/subnets.tf b/modules/net-vpc/subnets.tf index 0e656fd82..c8c927a37 100644 --- a/modules/net-vpc/subnets.tf +++ b/modules/net-vpc/subnets.tf @@ -79,6 +79,10 @@ locals { { for s in var.subnets_psc : "${s.region}/${s.name}" => s }, { for k, v in local._factory_subnets : k => v if v.purpose == "PRIVATE_SERVICE_CONNECT" } ) + subnets_global_proxy_only = merge( + { for s in var.subnets_psc : "${s.region}/${s.name}" => s }, + { for k, v in local._factory_subnets : k => v if v.purpose == "GLOBAL_MANAGED_PROXY" } + ) } resource "google_compute_subnetwork" "subnetwork" { 
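Review bot: The new `subnets_global_proxy_only` local iterates `var.subnets_psc` in its first merge argument, so the intended input is never read and every PSC subnet would also be keyed into the global proxy-only map once a resource consumes it. The line should be `{ for s in var.subnets_global_proxy_only : "${s.region}/${s.name}" => s },`, and that variable also needs a declaration in variables.tf, which this patch does not add. PATCH 03/22 in this series corrects the reference. The `locals` block this hunk edits starts outside the hunk.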
From a18071ed36a45e89005f0aeab1f526523980b495 Mon Sep 17 00:00:00 2001 From: Dave Gulli Date: Mon, 11 Sep 2023 17:42:34 +1000 Subject: [PATCH 02/22] updated for global managed proxy --- modules/net-vpc/README.md | 2 +- modules/net-vpc/subnets.tf | 15 +++++++++++++++ 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md index 99db8b341..a05925d64 100644 --- a/modules/net-vpc/README.md +++ b/modules/net-vpc/README.md @@ -314,7 +314,7 @@ module "vpc" { { ip_cidr_range = "10.0.4.0/24" name = "global-proxy" - region = "australia-southeast2" + region = "europe-west1" active = true } ] diff --git a/modules/net-vpc/subnets.tf b/modules/net-vpc/subnets.tf index c8c927a37..62bb41efb 100644 --- a/modules/net-vpc/subnets.tf +++ b/modules/net-vpc/subnets.tf @@ -140,6 +140,21 @@ resource "google_compute_subnetwork" "proxy_only" { purpose = "REGIONAL_MANAGED_PROXY" role = each.value.active != false ? "ACTIVE" : "BACKUP" } +resource "google_compute_subnetwork" "global_proxy_only" { + for_each = local.subnets_global_proxy_only + project = var.project_id + network = local.network.name + name = each.value.name + region = each.value.region + ip_cidr_range = each.value.ip_cidr_range + description = ( + each.value.description == null + ? "Terraform-managed proxy-only subnet for cross-regional Internal HTTPS LB." + : each.value.description + ) + purpose = "GLOBAL_MANAGED_PROXY" + role = each.value.active != false ? "ACTIVE" : "BACKUP" +} resource "google_compute_subnetwork" "psc" { for_each = local.subnets_psc From 8c264da20051ec994b89c91678ddc398c37de4da Mon Sep 17 00:00:00 2001 
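Review bot: `google_compute_subnetwork.global_proxy_only` and `google_compute_subnetwork.proxy_only` are keyed independently by `"${region}/${name}"`, so a subnet name used in both `subnets_proxy_only` and the global list for the same region plans cleanly as two Terraform resources and only fails on apply, since the API requires subnet names to be unique per region in the project. A `validation` block on the variables, or a single merged map feeding one resource (the shape PATCH 14/22 later adopts), would surface this at plan time. The default `Terraform-managed proxy-only subnet for cross-regional Internal HTTPS LB.` is also the exact string any inventory test has to match, so it should be kept in sync with the example inventories added later in the series.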
From: Dave Gulli Date: Mon, 11 Sep 2023 20:14:17 +1000 Subject: [PATCH 03/22] small commits to add variables, append tests --- modules/net-vpc/outputs.tf | 5 +++++ modules/net-vpc/subnets.tf | 2 +- modules/net-vpc/variables.tf | 12 ++++++++++++ tests/modules/net_vpc/psa_routes_export.yaml | 1 + tests/modules/net_vpc/shared_vpc.yaml | 1 + 5 files changed, 20 insertions(+), 1 deletion(-) diff --git a/modules/net-vpc/outputs.tf b/modules/net-vpc/outputs.tf index fbf07dba9..f41d5678a 100644 --- a/modules/net-vpc/outputs.tf +++ b/modules/net-vpc/outputs.tf @@ -137,3 +137,8 @@ output "subnets_psc" { description = "Private Service Connect subnet resources." value = { for k, v in google_compute_subnetwork.psc : k => v } } + +output "subnets_global_proxy_only" { + description = "Cross-region internal L7 ILB" + value = { for k, v in google_compute_subnetwork.global_proxy_only : k => v } +} \ No newline at end of file diff --git a/modules/net-vpc/subnets.tf b/modules/net-vpc/subnets.tf index 62bb41efb..e3f8aeac2 100644 --- a/modules/net-vpc/subnets.tf +++ b/modules/net-vpc/subnets.tf @@ -80,7 +80,7 @@ locals { { for k, v in local._factory_subnets : k => v if v.purpose == "PRIVATE_SERVICE_CONNECT" } ) subnets_global_proxy_only = merge( - { for s in var.subnets_psc : "${s.region}/${s.name}" => s }, + { for s in var.subnets_global_proxy_only : "${s.region}/${s.name}" => s }, { for k, v in local._factory_subnets : k => v if v.purpose == "GLOBAL_MANAGED_PROXY" } ) } diff --git a/modules/net-vpc/variables.tf b/modules/net-vpc/variables.tf index d8ca5608d..78cf7a4c9 100644 --- a/modules/net-vpc/variables.tf +++ b/modules/net-vpc/variables.tf 
@@ -240,6 +240,18 @@ variable "subnets_proxy_only" { nullable = false } +variable "subnets_global_proxy_only" { + description = "List of proxy-only subnets for Cross-region Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active." + type = list(object({ + name = string + ip_cidr_range = string + region = string + description = optional(string) + active = bool + })) + default = [] + nullable = false +} variable "subnets_psc" { description = "List of subnets for Private Service Connect service producers." type = list(object({ diff --git a/tests/modules/net_vpc/psa_routes_export.yaml b/tests/modules/net_vpc/psa_routes_export.yaml index fd9239e81..85ebd929c 100644 --- a/tests/modules/net_vpc/psa_routes_export.yaml +++ b/tests/modules/net_vpc/psa_routes_export.yaml @@ -56,4 +56,5 @@ outputs: subnet_self_links: {} subnets: {} subnets_proxy_only: {} + subnets_global_proxy_only: {} subnets_psc: {} diff --git a/tests/modules/net_vpc/shared_vpc.yaml b/tests/modules/net_vpc/shared_vpc.yaml index 5b6ffd3e5..67c74d889 100644 --- a/tests/modules/net_vpc/shared_vpc.yaml +++ b/tests/modules/net_vpc/shared_vpc.yaml @@ -42,4 +42,5 @@ outputs: subnet_self_links: {} subnets: {} subnets_proxy_only: {} + subnets_global_proxy_only: {} subnets_psc: {} From 3c0391db5c7b3c6d818b55329d6d42921a1d8caa Mon Sep 17 00:00:00 2001 From: Dave Gulli Date: Mon, 11 Sep 2023 20:24:06 +1000 Subject: [PATCH 04/22] slight change to readme thanks to tfdoc --- modules/net-vpc/README.md | 19 +++++++++++++++++-- modules/net-vpc/outputs.tf | 2 +- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md index a05925d64..c64c58f38 100644 --- a/modules/net-vpc/README.md +++ b/modules/net-vpc/README.md 
@@ -20,6 +20,7 @@ This module allows creation and management of VPC networks including subnetworks - [Private Google Access routes](#private-google-access-routes) - [Allow Firewall Policy to be evaluated before Firewall Rules](#allow-firewall-policy-to-be-evaluated-before-firewall-rules) - [IPv6](#ipv6) +- [Files](#files) - [Variables](#variables) - [Outputs](#outputs) @@ -531,6 +532,18 @@ module "vpc" { # tftest modules=1 resources=5 inventory=ipv6.yaml ``` +## Files + +| name | description | resources | +|---|---|---| +| [main.tf](./main.tf) | Module-level locals and resources. | google_compute_network · google_compute_network_peering · google_compute_shared_vpc_host_project · google_compute_shared_vpc_service_project · google_dns_policy | +| [outputs.tf](./outputs.tf) | Module outputs. | | +| [psa.tf](./psa.tf) | Private Service Access resources. | google_compute_global_address · google_compute_network_peering_routes_config · google_service_networking_connection | +| [routes.tf](./routes.tf) | Route resources. | google_compute_route | +| [subnets.tf](./subnets.tf) | Subnet resources. | google_compute_subnetwork · google_compute_subnetwork_iam_binding · google_compute_subnetwork_iam_member | +| [variables.tf](./variables.tf) | Module variables. | | +| [versions.tf](./versions.tf) | Version pins. | | + ## Variables | name | description | type | required | default | 
@@ -556,9 +569,10 @@ module "vpc" { | [subnet_iam_bindings](variables.tf#L173) | Authoritative IAM bindings in {REGION/NAME => {ROLE => {members = [], condition = {}}}}. | map(map(object({…}))) | | {} | | [subnet_iam_bindings_additive](variables.tf#L187) | Individual additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} | | [subnets](variables.tf#L203) | Subnet configuration. | list(object({…})) | | [] | +| [subnets_global_proxy_only](variables.tf#L243) | List of proxy-only subnets for Cross-region Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] | | [subnets_proxy_only](variables.tf#L230) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] | -| [subnets_psc](variables.tf#L243) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] | -| [vpc_create](variables.tf#L255) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool | | true | +| [subnets_psc](variables.tf#L255) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] | +| [vpc_create](variables.tf#L267) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool | | true | ## Outputs @@ -577,6 +591,7 @@ module "vpc" { | [subnet_secondary_ranges](outputs.tf#L110) | Map of subnet secondary ranges keyed by name. | | | [subnet_self_links](outputs.tf#L121) | Map of subnet self links keyed by name. | | | [subnets](outputs.tf#L126) | Subnet resources. | | +| [subnets_global_proxy_only](outputs.tf#L141) | Cross-region internal L7 ILB resources | | | [subnets_proxy_only](outputs.tf#L131) | L7 ILB or L7 Regional LB subnet resources. | | | [subnets_psc](outputs.tf#L136) | Private Service Connect subnet resources. | | 
diff --git a/modules/net-vpc/outputs.tf b/modules/net-vpc/outputs.tf index f41d5678a..2462c48b8 100644 --- a/modules/net-vpc/outputs.tf +++ b/modules/net-vpc/outputs.tf @@ -139,6 +139,6 @@ output "subnets_psc" { } output "subnets_global_proxy_only" { - description = "Cross-region internal L7 ILB" + description = "Cross-region internal L7 ILB resources" value = { for k, v in google_compute_subnetwork.global_proxy_only : k => v } } \ No newline at end of file From 3cfabb32c5dc12b05ab981a7e81f86cbad69990a Mon Sep 17 00:00:00 2001 From: Dave Gulli Date: Mon, 11 Sep 2023 20:29:08 +1000 Subject: [PATCH 05/22] fixed linter --- modules/net-vpc/README.md | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md index c64c58f38..11b44a29e 100644 --- a/modules/net-vpc/README.md +++ b/modules/net-vpc/README.md @@ -532,17 +532,6 @@ module "vpc" { # tftest modules=1 resources=5 inventory=ipv6.yaml ``` -## Files - -| name | description | resources | -|---|---|---| -| [main.tf](./main.tf) | Module-level locals and resources. | google_compute_network · google_compute_network_peering · google_compute_shared_vpc_host_project · google_compute_shared_vpc_service_project · google_dns_policy | -| [outputs.tf](./outputs.tf) | Module outputs. | | -| [psa.tf](./psa.tf) | Private Service Access resources. | google_compute_global_address · google_compute_network_peering_routes_config · google_service_networking_connection | -| [routes.tf](./routes.tf) | Route resources. | google_compute_route | -| [subnets.tf](./subnets.tf) | Subnet resources. | google_compute_subnetwork · google_compute_subnetwork_iam_binding · google_compute_subnetwork_iam_member | -| [variables.tf](./variables.tf) | Module variables. | | -| [versions.tf](./versions.tf) | Version pins. | | ## Variables From e1aff29d5cc5008daccff25910af0c435a98daee Mon Sep 17 00:00:00 2001 
From: Dave Gulli Date: Mon, 11 Sep 2023 20:30:11 +1000 Subject: [PATCH 06/22] linting again --- modules/net-vpc/README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md index 11b44a29e..5a0c56834 100644 --- a/modules/net-vpc/README.md +++ b/modules/net-vpc/README.md @@ -20,7 +20,6 @@ This module allows creation and management of VPC networks including subnetworks - [Private Google Access routes](#private-google-access-routes) - [Allow Firewall Policy to be evaluated before Firewall Rules](#allow-firewall-policy-to-be-evaluated-before-firewall-rules) - [IPv6](#ipv6) -- [Files](#files) - [Variables](#variables) - [Outputs](#outputs) From 7e0827db532883ac6039b98ea9f4fe426092cb31 Mon Sep 17 00:00:00 2001 From: Dave Gulli Date: Mon, 11 Sep 2023 20:33:08 +1000 Subject: [PATCH 07/22] re-ordered variables per lint error --- modules/net-vpc/variables.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/net-vpc/variables.tf b/modules/net-vpc/variables.tf index 78cf7a4c9..37e138a8f 100644 --- a/modules/net-vpc/variables.tf +++ b/modules/net-vpc/variables.tf @@ -227,8 +227,8 @@ variable "subnets" { nullable = false } -variable "subnets_proxy_only" { - description = "List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active." +variable "subnets_global_proxy_only" { + description = "List of proxy-only subnets for Cross-region Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active." type = list(object({ name = string ip_cidr_range = string 
@@ -240,8 +240,8 @@ variable "subnets_proxy_only" { nullable = false } -variable "subnets_global_proxy_only" { - description = "List of proxy-only subnets for Cross-region Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active." +variable "subnets_proxy_only" { + description = "List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active." type = list(object({ name = string ip_cidr_range = string From c1b52b300cc9d6b902a2f76e86b1d1a721a91a57 Mon Sep 17 00:00:00 2001 From: Dave Gulli Date: Mon, 11 Sep 2023 20:41:25 +1000 Subject: [PATCH 08/22] trying to fix linting --- modules/net-vpc/README.md | 9 ++++++++- modules/net-vpc/outputs.tf | 10 +++++----- 2 files changed, 13 insertions(+), 6 deletions(-) diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md index 5a0c56834..cfd120ed0 100644 --- a/modules/net-vpc/README.md +++ b/modules/net-vpc/README.md @@ -287,7 +287,7 @@ Along with common private subnets module supports creation more service specific - [Proxy-only subnets](https://cloud.google.com/load-balancing/docs/proxy-only-subnets) for Regional HTTPS Internal HTTPS Load Balancers - [Private Service Connect](https://cloud.google.com/vpc/docs/private-service-connect#psc-subnets) subnets -- [Global Proxy-only subnet] (https://cloud.google.com/load-balancing/docs/proxy-only-subnets#envoy-lb) with purpose for Cross-region internal Application Load Balancers +- [Global Proxy-only subnets](https://cloud.google.com/load-balancing/docs/proxy-only-subnets#envoy-lb) with purpose for Cross-region internal Application Load Balancers ```hcl module "vpc" { 
@@ -395,6 +395,13 @@ flow_logs: # enable, set to empty map to use defaults filter_expression: null ``` +```yaml +# tftest-file id=subnet-global-proxy path=config/subnets/subnet-global-proxy.yaml +region: europe-west4 +ip_cidr_range: 10.0.3.0/24 +purpose: GLOBAL_MANAGED_PROXY +``` + ```yaml # tftest-file id=subnet-proxy path=config/subnets/subnet-proxy.yaml region: europe-west4 diff --git a/modules/net-vpc/outputs.tf b/modules/net-vpc/outputs.tf index 2462c48b8..46e04b0bd 100644 --- a/modules/net-vpc/outputs.tf +++ b/modules/net-vpc/outputs.tf @@ -128,6 +128,11 @@ output "subnets" { value = { for k, v in google_compute_subnetwork.subnetwork : k => v } } +output "subnets_global_proxy_only" { + description = "Cross-region internal L7 ILB resources" + value = { for k, v in google_compute_subnetwork.global_proxy_only : k => v } +} + output "subnets_proxy_only" { description = "L7 ILB or L7 Regional LB subnet resources." value = { for k, v in google_compute_subnetwork.proxy_only : k => v } @@ -136,9 +141,4 @@ output "subnets_proxy_only" { output "subnets_psc" { description = "Private Service Connect subnet resources." value = { for k, v in google_compute_subnetwork.psc : k => v } -} - -output "subnets_global_proxy_only" { - description = "Cross-region internal L7 ILB resources" - value = { for k, v in google_compute_subnetwork.global_proxy_only : k => v } } \ No newline at end of file From adff09aa249f2540b98707b7e9e6ed0b29545f1a Mon Sep 17 00:00:00 2001 From: Dave Gulli Date: Mon, 11 Sep 2023 20:45:32 +1000 Subject: [PATCH 09/22] linting error --- modules/net-vpc/README.md | 8 ++++---- modules/net-vpc/variables.tf | 1 + 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md index cfd120ed0..335e62b84 100644 --- a/modules/net-vpc/README.md +++ b/modules/net-vpc/README.md 
@@ -564,10 +564,10 @@ module "vpc" { | [subnet_iam_bindings](variables.tf#L173) | Authoritative IAM bindings in {REGION/NAME => {ROLE => {members = [], condition = {}}}}. | map(map(object({…}))) | | {} | | [subnet_iam_bindings_additive](variables.tf#L187) | Individual additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} | | [subnets](variables.tf#L203) | Subnet configuration. | list(object({…})) | | [] | -| [subnets_global_proxy_only](variables.tf#L243) | List of proxy-only subnets for Cross-region Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] | -| [subnets_proxy_only](variables.tf#L230) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] | -| [subnets_psc](variables.tf#L255) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] | -| [vpc_create](variables.tf#L267) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool | | true | +| [subnets_global_proxy_only](variables.tf#L230) | List of proxy-only subnets for Cross-region Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] | +| [subnets_proxy_only](variables.tf#L243) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] | +| [subnets_psc](variables.tf#L256) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] | +| [vpc_create](variables.tf#L268) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool | | true | ## Outputs 
diff --git a/modules/net-vpc/variables.tf b/modules/net-vpc/variables.tf index 37e138a8f..44e7c4c8b 100644 --- a/modules/net-vpc/variables.tf +++ b/modules/net-vpc/variables.tf @@ -252,6 +252,7 @@ variable "subnets_proxy_only" { default = [] nullable = false } + variable "subnets_psc" { description = "List of subnets for Private Service Connect service producers." type = list(object({ From dac76a900b0a39a7654f8e5b65332b11230b96ae Mon Sep 17 00:00:00 2001 From: Dave Gulli Date: Mon, 11 Sep 2023 20:47:05 +1000 Subject: [PATCH 10/22] fixed references --- modules/net-vpc/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md index 335e62b84..6dbb36d6b 100644 --- a/modules/net-vpc/README.md +++ b/modules/net-vpc/README.md @@ -586,7 +586,7 @@ module "vpc" { | [subnet_secondary_ranges](outputs.tf#L110) | Map of subnet secondary ranges keyed by name. | | | [subnet_self_links](outputs.tf#L121) | Map of subnet self links keyed by name. | | | [subnets](outputs.tf#L126) | Subnet resources. | | -| [subnets_global_proxy_only](outputs.tf#L141) | Cross-region internal L7 ILB resources | | -| [subnets_proxy_only](outputs.tf#L131) | L7 ILB or L7 Regional LB subnet resources. | | -| [subnets_psc](outputs.tf#L136) | Private Service Connect subnet resources. | | +| [subnets_global_proxy_only](outputs.tf#L131) | Cross-region internal L7 ILB resources | | +| [subnets_proxy_only](outputs.tf#L136) | L7 ILB or L7 Regional LB subnet resources. | | +| [subnets_psc](outputs.tf#L141) | Private Service Connect subnet resources. | | From f76d8fcb52190a7147605795c60a0260af283444 Mon Sep 17 00:00:00 2001 From: Dave Gulli Date: Mon, 11 Sep 2023 20:48:26 +1000 Subject: [PATCH 11/22] fixed period --- modules/net-vpc/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md index 6dbb36d6b..56e69e1d6 100644 --- a/modules/net-vpc/README.md 
+++ b/modules/net-vpc/README.md @@ -586,7 +586,7 @@ module "vpc" { | [subnet_secondary_ranges](outputs.tf#L110) | Map of subnet secondary ranges keyed by name. | | | [subnet_self_links](outputs.tf#L121) | Map of subnet self links keyed by name. | | | [subnets](outputs.tf#L126) | Subnet resources. | | -| [subnets_global_proxy_only](outputs.tf#L131) | Cross-region internal L7 ILB resources | | +| [subnets_global_proxy_only](outputs.tf#L131) | Cross-region internal L7 ILB resources. | | | [subnets_proxy_only](outputs.tf#L136) | L7 ILB or L7 Regional LB subnet resources. | | | [subnets_psc](outputs.tf#L141) | Private Service Connect subnet resources. | | From 3208bcd9d5e22c5070391b78a5f72247e005a993 Mon Sep 17 00:00:00 2001 From: Dave Gulli Date: Mon, 11 Sep 2023 20:50:18 +1000 Subject: [PATCH 12/22] matched the period --- modules/net-vpc/outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/net-vpc/outputs.tf b/modules/net-vpc/outputs.tf index 46e04b0bd..4f956a3a5 100644 --- a/modules/net-vpc/outputs.tf +++ b/modules/net-vpc/outputs.tf @@ -129,7 +129,7 @@ output "subnets" { } output "subnets_global_proxy_only" { - description = "Cross-region internal L7 ILB resources" + description = "Cross-region internal L7 ILB resources." value = { for k, v in google_compute_subnetwork.global_proxy_only : k => v } } From db5030e93fc1676c041464c4a69be5a1428dc291 Mon Sep 17 00:00:00 2001 From: Dave Gulli Date: Mon, 11 Sep 2023 21:08:55 +1000 Subject: [PATCH 13/22] adding test --- modules/net-vpc/README.md | 7 +++---- .../modules/net_vpc/examples/proxy-only-subnets.yaml | 11 ++++++++++- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md index 56e69e1d6..091619c7d 100644 --- a/modules/net-vpc/README.md +++ b/modules/net-vpc/README.md 
@@ -286,7 +286,6 @@ Along with common private subnets module supports creation more service specific - [Proxy-only subnets](https://cloud.google.com/load-balancing/docs/proxy-only-subnets) for Regional HTTPS Internal HTTPS Load Balancers - [Private Service Connect](https://cloud.google.com/vpc/docs/private-service-connect#psc-subnets) subnets - - [Global Proxy-only subnets](https://cloud.google.com/load-balancing/docs/proxy-only-subnets#envoy-lb) with purpose for Cross-region internal Application Load Balancers ```hcl @@ -312,14 +311,14 @@ module "vpc" { ] subnets_global_proxy_only = [ { - ip_cidr_range = "10.0.4.0/24" + ip_cidr_range = "10.0.5.0/24" name = "global-proxy" region = "europe-west1" active = true } ] } -# tftest modules=1 resources=5 inventory=proxy-only-subnets.yaml +# tftest modules=1 resources=6 inventory=proxy-only-subnets.yaml ``` ### DNS Policies @@ -398,7 +397,7 @@ flow_logs: # enable, set to empty map to use defaults ```yaml # tftest-file id=subnet-global-proxy path=config/subnets/subnet-global-proxy.yaml region: europe-west4 -ip_cidr_range: 10.0.3.0/24 +ip_cidr_range: 10.0.5.0/24 purpose: GLOBAL_MANAGED_PROXY ``` diff --git a/tests/modules/net_vpc/examples/proxy-only-subnets.yaml b/tests/modules/net_vpc/examples/proxy-only-subnets.yaml index 6e2069aaa..e5fd80065 100644 --- a/tests/modules/net_vpc/examples/proxy-only-subnets.yaml +++ b/tests/modules/net_vpc/examples/proxy-only-subnets.yaml 
@@ -16,6 +16,15 @@ values: module.vpc.google_compute_network.network[0]: name: my-network project: my-project + module.vpc.google_compute_subnetwork.global_proxy_only["europe-west1/global-proxy"]: + description: Terraform-managed global proxy-only subnet for cross-region Internal HTTPS LB. + ip_cidr_range: 10.0.5.0/24 + log_config: [] + name: global-proxy + project: my-project + purpose: GLOBAL_MANAGED_PROXY + region: europe-west1 + role: ACTIVE module.vpc.google_compute_subnetwork.proxy_only["europe-west1/regional-proxy"]: description: Terraform-managed proxy-only subnet for Regional HTTPS or Internal HTTPS LB. ip_cidr_range: 10.0.1.0/24 @@ -37,4 +46,4 @@ values: counts: google_compute_network: 1 - google_compute_subnetwork: 2 + google_compute_subnetwork: 3 From 5f2bc7fa92dca3ac7e8783430c7b13267e1d1b65 Mon Sep 17 00:00:00 2001 From: Dave Gulli Date: Tue, 12 Sep 2023 14:58:49 +1000 Subject: [PATCH 14/22] refactored to recommended method --- .gitignore | 3 +- modules/net-vpc/README.md | 36 +++++++------------ modules/net-vpc/outputs.tf | 5 --- modules/net-vpc/subnets.tf | 23 ++---------- modules/net-vpc/variables.tf | 16 ++------- .../net_vpc/examples/proxy-only-subnets.yaml | 18 +++++----- tools/.python-version | 1 + 7 files changed, 28 insertions(+), 74 deletions(-) create mode 100644 tools/.python-version diff --git a/.gitignore b/.gitignore index cbf110dd2..314dbd636 100644 --- a/.gitignore +++ b/.gitignore @@ -54,4 +54,5 @@ blueprints/gke/autopilot/ansible/gssh.sh blueprints/gke/autopilot/ansible/vars/vars.yaml blueprints/gke/autopilot/bundle/monitoring/kustomization.yaml blueprints/gke/autopilot/bundle/locust/kustomization.yaml -blueprints/gke/autopilot/bundle.tar.gz \ No newline at end of file +blueprints/gke/autopilot/bundle.tar.gz +modules/net-vpc/README.md diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md index 091619c7d..d66171185 100644 --- a/modules/net-vpc/README.md +++ b/modules/net-vpc/README.md 
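Review bot: The expected `description` for `global_proxy_only["europe-west1/global-proxy"]` is `Terraform-managed global proxy-only subnet for cross-region Internal HTTPS LB.`, but the default set in subnets.tf by PATCH 02/22 is `Terraform-managed proxy-only subnet for cross-regional Internal HTTPS LB.`, and the README example this inventory backs does not override it, so the test should fail unless the harness ignores description. Either change the resource default to the wording tested here or change this line to the resource's wording.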
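Review bot: Adding `modules/net-vpc/README.md` to `.gitignore` hides future edits to a tracked module document from `git status`, and the new `tools/.python-version` containing `lint` looks like a local pyenv selection rather than project configuration; both appear to be accidental local state committed with the refactor. PATCH 15/22 removes them again, so the series ends up clean, but they are worth squashing out so the intermediate history never ignores the README.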
@@ -286,7 +286,6 @@ Along with common private subnets module supports creation more service specific - [Proxy-only subnets](https://cloud.google.com/load-balancing/docs/proxy-only-subnets) for Regional HTTPS Internal HTTPS Load Balancers - [Private Service Connect](https://cloud.google.com/vpc/docs/private-service-connect#psc-subnets) subnets -- [Global Proxy-only subnets](https://cloud.google.com/load-balancing/docs/proxy-only-subnets#envoy-lb) with purpose for Cross-region internal Application Load Balancers ```hcl module "vpc" { @@ -300,6 +299,13 @@ module "vpc" { name = "regional-proxy" region = "europe-west1" active = true + }, + { + ip_cidr_range = "10.0.4.0/24" + name = "global-proxy" + region = "australia-southeast2" + active = true + global = true } ] subnets_psc = [ @@ -309,14 +315,6 @@ module "vpc" { region = "europe-west1" } ] - subnets_global_proxy_only = [ - { - ip_cidr_range = "10.0.5.0/24" - name = "global-proxy" - region = "europe-west1" - active = true - } - ] } # tftest modules=1 resources=6 inventory=proxy-only-subnets.yaml ``` @@ -394,13 +392,6 @@ flow_logs: # enable, set to empty map to use defaults filter_expression: null ``` -```yaml -# tftest-file id=subnet-global-proxy path=config/subnets/subnet-global-proxy.yaml -region: europe-west4 -ip_cidr_range: 10.0.5.0/24 -purpose: GLOBAL_MANAGED_PROXY -``` - ```yaml # tftest-file id=subnet-proxy path=config/subnets/subnet-proxy.yaml region: europe-west4 @@ -537,7 +528,6 @@ module "vpc" { # tftest modules=1 resources=5 inventory=ipv6.yaml ``` - ## Variables | name | description | type | required | default | 
@@ -563,10 +553,9 @@ module "vpc" { | [subnet_iam_bindings](variables.tf#L173) | Authoritative IAM bindings in {REGION/NAME => {ROLE => {members = [], condition = {}}}}. | map(map(object({…}))) | | {} | | [subnet_iam_bindings_additive](variables.tf#L187) | Individual additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} | | [subnets](variables.tf#L203) | Subnet configuration. | list(object({…})) | | [] | -| [subnets_global_proxy_only](variables.tf#L230) | List of proxy-only subnets for Cross-region Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] | -| [subnets_proxy_only](variables.tf#L243) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] | -| [subnets_psc](variables.tf#L256) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] | -| [vpc_create](variables.tf#L268) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool | | true | +| [subnets_proxy_only](variables.tf#L230) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] | +| [subnets_psc](variables.tf#L244) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] | +| [vpc_create](variables.tf#L256) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool | | true | ## Outputs 
@@ -585,7 +574,6 @@ module "vpc" { | [subnet_secondary_ranges](outputs.tf#L110) | Map of subnet secondary ranges keyed by name. | | | [subnet_self_links](outputs.tf#L121) | Map of subnet self links keyed by name. | | | [subnets](outputs.tf#L126) | Subnet resources. | | -| [subnets_global_proxy_only](outputs.tf#L131) | Cross-region internal L7 ILB resources. | | -| [subnets_proxy_only](outputs.tf#L136) | L7 ILB or L7 Regional LB subnet resources. | | -| [subnets_psc](outputs.tf#L141) | Private Service Connect subnet resources. | | +| [subnets_proxy_only](outputs.tf#L131) | L7 ILB or L7 Regional LB subnet resources. | | +| [subnets_psc](outputs.tf#L136) | Private Service Connect subnet resources. | | diff --git a/modules/net-vpc/outputs.tf b/modules/net-vpc/outputs.tf index 4f956a3a5..503923d9c 100644 --- a/modules/net-vpc/outputs.tf +++ b/modules/net-vpc/outputs.tf @@ -128,11 +128,6 @@ output "subnets" { value = { for k, v in google_compute_subnetwork.subnetwork : k => v } } -output "subnets_global_proxy_only" { - description = "Cross-region internal L7 ILB resources." - value = { for k, v in google_compute_subnetwork.global_proxy_only : k => v } -} - output "subnets_proxy_only" { description = "L7 ILB or L7 Regional LB subnet resources." value = { for k, v in google_compute_subnetwork.proxy_only : k => v } diff --git a/modules/net-vpc/subnets.tf b/modules/net-vpc/subnets.tf index e3f8aeac2..917c53434 100644 --- a/modules/net-vpc/subnets.tf +++ b/modules/net-vpc/subnets.tf @@ -79,10 +79,6 @@ locals { { for s in var.subnets_psc : "${s.region}/${s.name}" => s }, { for k, v in local._factory_subnets : k => v if v.purpose == "PRIVATE_SERVICE_CONNECT" } ) - subnets_global_proxy_only = merge( - { for s in var.subnets_global_proxy_only : "${s.region}/${s.name}" => s }, - { for k, v in local._factory_subnets : k => v if v.purpose == "GLOBAL_MANAGED_PROXY" } - ) } resource "google_compute_subnetwork" "subnetwork" { 
@@ -134,25 +130,10 @@ resource "google_compute_subnetwork" "proxy_only" { ip_cidr_range = each.value.ip_cidr_range description = ( each.value.description == null - ? "Terraform-managed proxy-only subnet for Regional HTTPS or Internal HTTPS LB." + ? "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB" : each.value.description ) - purpose = "REGIONAL_MANAGED_PROXY" - role = each.value.active != false ? "ACTIVE" : "BACKUP" -} -resource "google_compute_subnetwork" "global_proxy_only" { - for_each = local.subnets_global_proxy_only - project = var.project_id - network = local.network.name - name = each.value.name - region = each.value.region - ip_cidr_range = each.value.ip_cidr_range - description = ( - each.value.description == null - ? "Terraform-managed proxy-only subnet for cross-regional Internal HTTPS LB." - : each.value.description - ) - purpose = "GLOBAL_MANAGED_PROXY" + purpose = each.value.global != false ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY" role = each.value.active != false ? "ACTIVE" : "BACKUP" } diff --git a/modules/net-vpc/variables.tf b/modules/net-vpc/variables.tf index 44e7c4c8b..30d7afd3f 100644 --- a/modules/net-vpc/variables.tf +++ b/modules/net-vpc/variables.tf 
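Review bot: The new default description `Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB` drops the trailing period every other default description in this file carries, and the inventory updated in this same patch (both hunks of tests/modules/net_vpc/examples/proxy-only-subnets.yaml) still expects `Terraform-managed proxy-only subnet for Regional HTTPS or Internal HTTPS LB.` for both proxy-only subnets, so the example test no longer matches the code. Because `purpose` is, as far as I recall, not updatable in place by the provider, flipping `global` on an existing entry replaces the subnet; a comment on the `purpose` line such as `# changing purpose (via global) forces subnet replacement` would warn an operator before an active proxy-only subnet is recreated under a live load balancer. The `proxy_only` resource this hunk edits starts outside the hunk.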
@@ -227,27 +227,15 @@ variable "subnets" { nullable = false } -variable "subnets_global_proxy_only" { - description = "List of proxy-only subnets for Cross-region Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active." - type = list(object({ - name = string - ip_cidr_range = string - region = string - description = optional(string) - active = bool - })) - default = [] - nullable = false -} - variable "subnets_proxy_only" { - description = "List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active." + description = "List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active." type = list(object({ name = string ip_cidr_range = string region = string description = optional(string) active = bool + global = optional(bool, false) })) default = [] nullable = false diff --git a/tests/modules/net_vpc/examples/proxy-only-subnets.yaml b/tests/modules/net_vpc/examples/proxy-only-subnets.yaml index e5fd80065..6bfef20fc 100644 --- a/tests/modules/net_vpc/examples/proxy-only-subnets.yaml +++ b/tests/modules/net_vpc/examples/proxy-only-subnets.yaml @@ -16,15 +16,6 @@ values: module.vpc.google_compute_network.network[0]: name: my-network project: my-project - module.vpc.google_compute_subnetwork.global_proxy_only["europe-west1/global-proxy"]: - description: Terraform-managed global proxy-only subnet for cross-region Internal HTTPS LB. - ip_cidr_range: 10.0.5.0/24 - log_config: [] - name: global-proxy - project: my-project - purpose: GLOBAL_MANAGED_PROXY - region: europe-west1 - role: ACTIVE module.vpc.google_compute_subnetwork.proxy_only["europe-west1/regional-proxy"]: description: Terraform-managed proxy-only subnet for Regional HTTPS or Internal HTTPS LB. ip_cidr_range: 10.0.1.0/24 
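Review bot: The `description` of `subnets_proxy_only` still reads "Regional HTTPS or Internal HTTPS load balancers" although the variable now also creates cross-region (GLOBAL_MANAGED_PROXY) subnets, and the new `global` attribute is explained nowhere in the type. Suggest `description = "List of proxy-only subnets for Regional HTTPS, Internal HTTPS or Cross-region Internal HTTPS load balancers; set global = true for a GLOBAL_MANAGED_PROXY subnet. Note: Only one proxy-only subnet of each purpose for each VPC network in each region can be active."`, with the per-purpose wording checked against the current proxy-only-subnet documentation before it lands. A `validation` block that rejects two `active = true` entries sharing the same `region` and `global` value would surface that conflict at plan time instead of as an API error during apply.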
@@ -34,6 +25,15 @@ values: purpose: REGIONAL_MANAGED_PROXY region: europe-west1 role: ACTIVE + module.vpc.google_compute_subnetwork.proxy_only["australia-southeast2/global-proxy"]: + description: Terraform-managed proxy-only subnet for Regional HTTPS or Internal HTTPS LB. + ip_cidr_range: 10.0.4.0/24 + log_config: [] + name: global-proxy + project: my-project + purpose: GLOBAL_MANAGED_PROXY + region: australia-southeast2 + role: ACTIVE module.vpc.google_compute_subnetwork.psc["europe-west1/psc"]: description: Terraform-managed subnet for Private Service Connect (PSC NAT). ip_cidr_range: 10.0.3.0/24 diff --git a/tools/.python-version b/tools/.python-version new file mode 100644 index 000000000..dfea59949 --- /dev/null +++ b/tools/.python-version @@ -0,0 +1 @@ +lint From 7d714f1d153d1b646b5ed640e72b61802d31b22c Mon Sep 17 00:00:00 2001 From: Dave Gulli Date: Tue, 12 Sep 2023 15:05:39 +1000 Subject: [PATCH 15/22] fixed a few missing things --- .gitignore | 1 - tests/modules/net_vpc/psa_routes_export.yaml | 1 - tests/modules/net_vpc/shared_vpc.yaml | 1 - tools/.python-version | 1 - 4 files changed, 4 deletions(-) delete mode 100644 tools/.python-version diff --git a/.gitignore b/.gitignore index 314dbd636..79a9cb65a 100644 --- a/.gitignore +++ b/.gitignore @@ -55,4 +55,3 @@ blueprints/gke/autopilot/ansible/vars/vars.yaml blueprints/gke/autopilot/bundle/monitoring/kustomization.yaml blueprints/gke/autopilot/bundle/locust/kustomization.yaml blueprints/gke/autopilot/bundle.tar.gz -modules/net-vpc/README.md diff --git a/tests/modules/net_vpc/psa_routes_export.yaml b/tests/modules/net_vpc/psa_routes_export.yaml index 85ebd929c..fd9239e81 100644 --- a/tests/modules/net_vpc/psa_routes_export.yaml +++ b/tests/modules/net_vpc/psa_routes_export.yaml @@ -56,5 +56,4 @@ outputs: subnet_self_links: {} subnets: {} subnets_proxy_only: {} - subnets_global_proxy_only: {} subnets_psc: {} 
diff --git a/tests/modules/net_vpc/shared_vpc.yaml b/tests/modules/net_vpc/shared_vpc.yaml index 67c74d889..5b6ffd3e5 100644 --- a/tests/modules/net_vpc/shared_vpc.yaml +++ b/tests/modules/net_vpc/shared_vpc.yaml @@ -42,5 +42,4 @@ outputs: subnet_self_links: {} subnets: {} subnets_proxy_only: {} - subnets_global_proxy_only: {} subnets_psc: {} diff --git a/tools/.python-version b/tools/.python-version deleted file mode 100644 index dfea59949..000000000 --- a/tools/.python-version +++ /dev/null @@ -1 +0,0 @@ -lint From d14ed73f2b465e46a141ad7d184e32ab5b125643 Mon Sep 17 00:00:00 2001 From: Dave Gulli Date: Tue, 12 Sep 2023 15:06:09 +1000 Subject: [PATCH 16/22] gitignore weirdness --- .gitignore | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 79a9cb65a..cbf110dd2 100644 --- a/.gitignore +++ b/.gitignore @@ -54,4 +54,4 @@ blueprints/gke/autopilot/ansible/gssh.sh blueprints/gke/autopilot/ansible/vars/vars.yaml blueprints/gke/autopilot/bundle/monitoring/kustomization.yaml blueprints/gke/autopilot/bundle/locust/kustomization.yaml -blueprints/gke/autopilot/bundle.tar.gz +blueprints/gke/autopilot/bundle.tar.gz \ No newline at end of file From 3479c407350ada67c7bfdcf1d803683a3bfafb5e Mon Sep 17 00:00:00 2001 From: Dave Gulli Date: Tue, 12 Sep 2023 15:53:28 +1000 Subject: [PATCH 17/22] fixing tests --- modules/net-vpc/subnets.tf | 4 ++-- tests/modules/net_vpc/examples/proxy-only-subnets.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/net-vpc/subnets.tf b/modules/net-vpc/subnets.tf index 917c53434..8dbe84ad9 100644 --- a/modules/net-vpc/subnets.tf +++ b/modules/net-vpc/subnets.tf @@ -33,7 +33,7 @@ locals { secondary_ip_ranges = try(v.secondary_ip_ranges, null) iam = try(v.iam, []) iam_members = try(v.iam_members, []) - purpose = try(v.purpose, null) + purpose = try(v.global, null) active = try(v.active, null) } } 
@@ -130,7 +130,7 @@ resource "google_compute_subnetwork" "proxy_only" { ip_cidr_range = each.value.ip_cidr_range description = ( each.value.description == null - ? "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB" + ? "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB." : each.value.description ) purpose = each.value.global != false ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY" diff --git a/tests/modules/net_vpc/examples/proxy-only-subnets.yaml b/tests/modules/net_vpc/examples/proxy-only-subnets.yaml index 6bfef20fc..cf32912df 100644 --- a/tests/modules/net_vpc/examples/proxy-only-subnets.yaml +++ b/tests/modules/net_vpc/examples/proxy-only-subnets.yaml @@ -17,7 +17,7 @@ values: name: my-network project: my-project module.vpc.google_compute_subnetwork.proxy_only["europe-west1/regional-proxy"]: - description: Terraform-managed proxy-only subnet for Regional HTTPS or Internal HTTPS LB. + description: Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB. ip_cidr_range: 10.0.1.0/24 log_config: [] name: regional-proxy @@ -26,7 +26,7 @@ values: region: europe-west1 role: ACTIVE module.vpc.google_compute_subnetwork.proxy_only["australia-southeast2/global-proxy"]: - description: Terraform-managed proxy-only subnet for Regional HTTPS or Internal HTTPS LB. + description: Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB. ip_cidr_range: 10.0.4.0/24 log_config: [] name: global-proxy From f95e3ad9a206247b35e0147c380e5c3981c9a2c5 Mon Sep 17 00:00:00 2001 From: Dave Gulli Date: Tue, 12 Sep 2023 17:17:10 +1000 Subject: [PATCH 18/22] fixed --- tests/modules/net_vpc/examples/factory.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/tests/modules/net_vpc/examples/factory.yaml b/tests/modules/net_vpc/examples/factory.yaml index fb3483978..fa1f19ffc 100644 --- a/tests/modules/net_vpc/examples/factory.yaml +++ b/tests/modules/net_vpc/examples/factory.yaml @@ -48,8 +48,7 @@ values: tags: null timeouts: null module.vpc.google_compute_subnetwork.proxy_only["europe-west4/subnet-proxy"]: - description: Terraform-managed proxy-only subnet for Regional HTTPS or Internal - HTTPS LB. + description: Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB. ip_cidr_range: 10.1.0.0/24 ipv6_access_type: null log_config: [] From 3d39a3ecf13da4d7d56bc3cf7499621dcca43038 Mon Sep 17 00:00:00 2001 From: Dave Gulli Date: Wed, 13 Sep 2023 14:11:09 +1000 Subject: [PATCH 19/22] fixed up logic. --- modules/net-vpc/subnets.tf | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/modules/net-vpc/subnets.tf b/modules/net-vpc/subnets.tf index 8dbe84ad9..e3655f70d 100644 --- a/modules/net-vpc/subnets.tf +++ b/modules/net-vpc/subnets.tf @@ -33,8 +33,9 @@ locals { secondary_ip_ranges = try(v.secondary_ip_ranges, null) iam = try(v.iam, []) iam_members = try(v.iam_members, []) - purpose = try(v.global, null) + purpose = try(v.purpose, null) active = try(v.active, null) + global = try(v.purpose, null) } } _factory_subnets_iam = [ @@ -73,7 +74,8 @@ locals { ) subnets_proxy_only = merge( { for s in var.subnets_proxy_only : "${s.region}/${s.name}" => s }, - { for k, v in local._factory_subnets : k => v if v.purpose == "REGIONAL_MANAGED_PROXY" } + { for k, v in local._factory_subnets : k => v if v.purpose == "REGIONAL_MANAGED_PROXY" }, + { for k, v in local._factory_subnets : k => v if v.purpose == "GLOBAL_MANAGED_PROXY" } ) subnets_psc = merge( { for s in var.subnets_psc : "${s.region}/${s.name}" => s }, From 95a3752cc74594677f74f5c9b1791342e49c5784 Mon Sep 17 00:00:00 2001 
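Review bot: `global = try(v.purpose, null)` in `_factory_subnets` stores the purpose string in `global`, so for a factory file with `purpose: REGIONAL_MANAGED_PROXY` the resource's `each.value.global != false` test is true and the subnet is created as GLOBAL_MANAGED_PROXY rather than regional. Deriving the flag from the purpose should read `global = try(v.purpose, null) == "GLOBAL_MANAGED_PROXY"`, or the resource should use `purpose` directly for factory entries and never consult `global` for them. The second hunk's two comprehensions over `local._factory_subnets` can be one filter, `{ for k, v in local._factory_subnets : k => v if contains(["REGIONAL_MANAGED_PROXY", "GLOBAL_MANAGED_PROXY"], v.purpose) }`, which keeps the merge in step with the single-filter style of `subnets_psc` right below it. Both hunks are fragments of the `locals` block that opens and closes outside this diff.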
From: Ludo Date: Wed, 13 Sep 2023 08:31:51 +0200 Subject: [PATCH 20/22] update changelog --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 30ba93008..ae7a2676e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -29,6 +29,7 @@ All notable changes to this project will be documented in this file. ### FAST +- [[#1664](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1664)] Align pf stage sample data to new format ([ludoo](https://github.com/ludoo)) - [[#1663](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1663)] [#1661] Make FAST stage 1 resman tf destroy more reliable ([LucaPrete](https://github.com/LucaPrete)) - [[#1659](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1659)] Link project factory documentation from FAST stage ([ludoo](https://github.com/ludoo)) - [[#1658](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1658)] **incompatible change:** Change type of `iam_bindings` variable to allow multiple conditional bindings ([ludoo](https://github.com/ludoo)) 
@@ -47,6 +48,9 @@ All notable changes to this project will be documented in this file. ### MODULES +- [[#1669](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1669)] Fix for partner interconnect ([apichick](https://github.com/apichick)) +- [[#1668](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1668)] fix(compute-mig): add correct type optionality for metrics in autosca… ([NotArpit](https://github.com/NotArpit)) +- [[#1667](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1667)] fix(compute-mig): add mode property to compute_region_autoscaler ([NotArpit](https://github.com/NotArpit)) - [[#1658](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1658)] **incompatible change:** Change type of `iam_bindings` variable to allow multiple conditional bindings ([ludoo](https://github.com/ludoo)) - [[#1653](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1653)] Fixes to the apigee module ([juliocc](https://github.com/juliocc)) - [[#1642](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1642)] New phpIPAM serverless third parties solution in blueprints ([simonebruzzechesse](https://github.com/simonebruzzechesse)) From 09e6e8f4d2900e061fff26dc39b2b4ed0efbb841 Mon Sep 17 00:00:00 2001 From: Dave Gulli Date: Wed, 13 Sep 2023 16:49:14 +1000 Subject: [PATCH 21/22] created passing test, fixed logic --- modules/net-vpc/README.md | 9 ++++++++- modules/net-vpc/subnets.tf | 11 ++++++++--- tests/modules/net_vpc/examples/factory.yaml | 15 +++++++++++++-- 3 files changed, 29 insertions(+), 6 deletions(-) diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md index d66171185..3be4d37dd 100644 --- a/modules/net-vpc/README.md +++ b/modules/net-vpc/README.md 
@@ -355,7 +355,7 @@ module "vpc" { name = "my-network" data_folder = "config/subnets" } -# tftest modules=1 resources=9 files=subnet-simple,subnet-simple-2,subnet-detailed,subnet-proxy,subnet-psc inventory=factory.yaml +# tftest modules=1 resources=10 files=subnet-simple,subnet-simple-2,subnet-detailed,subnet-proxy,subnet-proxy-global,subnet-psc inventory=factory.yaml ``` ```yaml @@ -399,6 +399,13 @@ ip_cidr_range: 10.1.0.0/24 purpose: REGIONAL_MANAGED_PROXY ``` +```yaml +# tftest-file id=subnet-proxy-global path=config/subnets/subnet-proxy-global.yaml +region: australia-southeast2 +ip_cidr_range: 10.4.0.0/24 +purpose: GLOBAL_MANAGED_PROXY +``` + ```yaml # tftest-file id=subnet-psc path=config/subnets/subnet-psc.yaml region: europe-west4 diff --git a/modules/net-vpc/subnets.tf b/modules/net-vpc/subnets.tf index e3655f70d..1e3206e00 100644 --- a/modules/net-vpc/subnets.tf +++ b/modules/net-vpc/subnets.tf @@ -35,7 +35,7 @@ locals { iam_members = try(v.iam_members, []) purpose = try(v.purpose, null) active = try(v.active, null) - global = try(v.purpose, null) + global = null } } _factory_subnets_iam = [ @@ -135,8 +135,13 @@ resource "google_compute_subnetwork" "proxy_only" { ? "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB." : each.value.description ) - purpose = each.value.global != false ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY" - role = each.value.active != false ? "ACTIVE" : "BACKUP" + purpose = try( + each.value.purpose, + each.value.global != false + ? "GLOBAL_MANAGED_PROXY" + : "REGIONAL_MANAGED_PROXY") + + role = each.value.active != false ? "ACTIVE" : "BACKUP" } resource "google_compute_subnetwork" "psc" { diff --git a/tests/modules/net_vpc/examples/factory.yaml b/tests/modules/net_vpc/examples/factory.yaml index fa1f19ffc..50aa01e14 100644 --- a/tests/modules/net_vpc/examples/factory.yaml +++ b/tests/modules/net_vpc/examples/factory.yaml 
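Review bot: The fallback branch of the new `try()` still uses `each.value.global != false`, so an explicit `global = null` on a `var.subnets_proxy_only` entry is read as a request for GLOBAL_MANAGED_PROXY; given that changing `purpose` replaces the subnet as far as I know, an opt-in comparison is the safer default: `each.value.global == true ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"`. The precedence the `try()` establishes — a factory file's `purpose` wins, and `global` is consulted only for variable entries, whose object type has no `purpose` attribute and therefore errors inside `try` — is not obvious from the code; a two-line comment above `purpose` stating that a factory `purpose` takes precedence and `global` applies only to `var.subnets_proxy_only` entries would spare the next reader from reconstructing it. The `resource "google_compute_subnetwork" "proxy_only"` block begins before this hunk.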
@@ -58,6 +58,17 @@ values: region: europe-west4 role: ACTIVE timeouts: null + module.vpc.google_compute_subnetwork.proxy_only["australia-southeast2/subnet-proxy-global"]: + description: Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB. + ip_cidr_range: 10.4.0.0/24 + ipv6_access_type: null + log_config: [] + name: subnet-proxy-global + project: my-project + purpose: GLOBAL_MANAGED_PROXY + region: australia-southeast2 + role: ACTIVE + timeouts: null module.vpc.google_compute_subnetwork.psc["europe-west4/subnet-psc"]: description: Terraform-managed subnet for Private Service Connect (PSC NAT). ip_cidr_range: 10.2.0.0/24 @@ -126,9 +137,9 @@ values: counts: google_compute_network: 1 google_compute_route: 2 - google_compute_subnetwork: 5 + google_compute_subnetwork: 6 google_compute_subnetwork_iam_binding: 1 modules: 1 - resources: 9 + resources: 10 outputs: {} From ced8e498f82086e83b34f99f48edd6be5a9772e4 Mon Sep 17 00:00:00 2001 From: Dave Gulli Date: Wed, 13 Sep 2023 16:58:50 +1000 Subject: [PATCH 22/22] terraform fmt --- modules/net-vpc/subnets.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/net-vpc/subnets.tf b/modules/net-vpc/subnets.tf index 1e3206e00..db8cc3efc 100644 --- a/modules/net-vpc/subnets.tf +++ b/modules/net-vpc/subnets.tf @@ -139,7 +139,8 @@ resource "google_compute_subnetwork" "proxy_only" { each.value.purpose, each.value.global != false ? "GLOBAL_MANAGED_PROXY" - : "REGIONAL_MANAGED_PROXY") + : "REGIONAL_MANAGED_PROXY" + ) role = each.value.active != false ? "ACTIVE" : "BACKUP" }