From 07e519a8b73f11e2e4dd12ac4107d5d466b910cf Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Thu, 27 Jun 2024 10:05:45 +0200
Subject: [PATCH] Allow Cloud NAT to only use secondary ranges (#2384)

* Allow Cloud NAT to only use secondary ranges
* Fix secondary_ranges validation
* Fix linter
---
 modules/net-cloudnat/README.md | 39 +++++++++++++++++++------------
 modules/net-cloudnat/main.tf | 7 +++++-
 modules/net-cloudnat/variables.tf | 15 ++++++++++++
 3 files changed, 45 insertions(+), 16 deletions(-)

diff --git a/modules/net-cloudnat/README.md b/modules/net-cloudnat/README.md
index b3848ee00..1a2b143a1 100644
--- a/modules/net-cloudnat/README.md
+++ b/modules/net-cloudnat/README.md
@@ -51,13 +51,22 @@ module "nat" {
 },
 {
 # primary range only
- self_link = "projects/${var.project_id}/regions/${var.region}/subnetworks/net-1"
- all_ranges = false
+ self_link = "projects/${var.project_id}/regions/${var.region}/subnetworks/net-1"
+ all_ranges = false
+ primary_range = true
 },
 {
 # both primary and specified secondary ranges
 self_link = "projects/${var.project_id}/regions/${var.region}/subnetworks/net-2"
 all_ranges = false
+ primary_range = true
+ secondary_ranges = ["pods"]
+ },
+ {
+ # secondary range only
+ self_link = "projects/${var.project_id}/regions/${var.region}/subnetworks/net-3"
+ all_ranges = false
+ primary_range = false
 secondary_ranges = ["pods"]
 }
 ]
@@ -177,21 +186,21 @@ module "nat" {
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [name](variables.tf#L92) | Name of the Cloud NAT resource. | string | ✓ | |
-| [project_id](variables.tf#L97) | Project where resources will be created. | string | ✓ | |
-| [region](variables.tf#L102) | Region where resources will be created. | string | ✓ | |
+| [name](variables.tf#L107) | Name of the Cloud NAT resource. | string | ✓ | |
+| [project_id](variables.tf#L112) | Project where resources will be created. | string | ✓ | |
+| [region](variables.tf#L117) | Region where resources will be created. | string | ✓ | |
 | [addresses](variables.tf#L17) | Optional list of external address self links. | list(string) | | [] |
 | [config_port_allocation](variables.tf#L23) | Configuration for how to assign ports to virtual machines. min_ports_per_vm and max_ports_per_vm have no effect unless enable_dynamic_port_allocation is set to 'true'. | object({…}) | | {} |
-| [config_source_subnetworks](variables.tf#L39) | Subnetwork configuration. | object({…}) | | {} |
-| [config_timeouts](variables.tf#L54) | Timeout configurations. | object({…}) | | {} |
-| [endpoint_types](variables.tf#L67) | Specifies the endpoint Types supported by the NAT Gateway. Supported values include: ENDPOINT_TYPE_VM, ENDPOINT_TYPE_SWG, ENDPOINT_TYPE_MANAGED_PROXY_LB. | list(string) | | null |
-| [logging_filter](variables.tf#L86) | Enables logging if not null, value is one of 'ERRORS_ONLY', 'TRANSLATIONS_ONLY', 'ALL'. | string | | null |
-| [router_asn](variables.tf#L107) | Router ASN used for auto-created router. | number | | null |
-| [router_create](variables.tf#L113) | Create router. | bool | | true |
-| [router_name](variables.tf#L119) | Router name, leave blank if router will be created to use auto generated name. | string | | null |
-| [router_network](variables.tf#L125) | Name of the VPC used for auto-created router. 
| string | | null |
-| [rules](variables.tf#L131) | List of rules associated with this NAT. | list(object({…})) | | [] |
-| [type](variables.tf#L151) | Whether this Cloud NAT is used for public or private IP translation. One of 'PUBLIC' or 'PRIVATE'. | string | | "PUBLIC" |
+| [config_source_subnetworks](variables.tf#L39) | Subnetwork configuration. | object({…}) | | {} |
+| [config_timeouts](variables.tf#L69) | Timeout configurations. | object({…}) | | {} |
+| [endpoint_types](variables.tf#L82) | Specifies the endpoint Types supported by the NAT Gateway. Supported values include: ENDPOINT_TYPE_VM, ENDPOINT_TYPE_SWG, ENDPOINT_TYPE_MANAGED_PROXY_LB. | list(string) | | null |
+| [logging_filter](variables.tf#L101) | Enables logging if not null, value is one of 'ERRORS_ONLY', 'TRANSLATIONS_ONLY', 'ALL'. | string | | null |
+| [router_asn](variables.tf#L122) | Router ASN used for auto-created router. | number | | null |
+| [router_create](variables.tf#L128) | Create router. | bool | | true |
+| [router_name](variables.tf#L134) | Router name, leave blank if router will be created to use auto generated name. | string | | null |
+| [router_network](variables.tf#L140) | Name of the VPC used for auto-created router. | string | | null |
+| [rules](variables.tf#L146) | List of rules associated with this NAT. | list(object({…})) | | [] |
+| [type](variables.tf#L166) | Whether this Cloud NAT is used for public or private IP translation. One of 'PUBLIC' or 'PRIVATE'. | string | | "PUBLIC" |
 ## Outputs
diff --git a/modules/net-cloudnat/main.tf b/modules/net-cloudnat/main.tf
index b5fc4a6ce..2c6d8eb67 100644
--- a/modules/net-cloudnat/main.tf
+++ b/modules/net-cloudnat/main.tf
@@ -100,7 +100,12 @@ resource "google_compute_router_nat" "nat" {
 subnetwork.value.all_ranges == true
 ? ["ALL_IP_RANGES"]
 : concat(
- ["PRIMARY_IP_RANGE"],
+ (
+ subnetwork.value.primary_range
+ ? ["PRIMARY_IP_RANGE"]
+ : []
+ )
+ ,
 (
 subnetwork.value.secondary_ranges == null
 ? []
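Review bot: Existing callers that set `all_ranges = false` together with `secondary_ranges` silently lose `PRIMARY_IP_RANGE` after this change, because the replaced branch added it unconditionally while the new `primary_range` attribute defaults to `false` in variables.tf; the README's old "both primary and specified secondary ranges" example is exactly that shape and now needs an explicit `primary_range = true`. The new validation does not flag this case because `secondary_ranges` is non-empty, so workloads on the primary range would presumably stop being translated with no plan-time error. Either pick a default that preserves the old behaviour (which means revisiting the XOR in the first validation, since `all_ranges` defaults to true) or call this out as a breaking change in the commit message and README. The lone `,` line is also unusual; `subnetwork.value.primary_range ? ["PRIMARY_IP_RANGE"] : [],` reads better. The `google_compute_router_nat.nat` resource starts and ends outside the hunk.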
diff --git a/modules/net-cloudnat/variables.tf b/modules/net-cloudnat/variables.tf
index 08b4d3774..88fe1cb83 100644
--- a/modules/net-cloudnat/variables.tf
+++ b/modules/net-cloudnat/variables.tf
@@ -44,11 +44,26 @@ variable "config_source_subnetworks" {
 subnetworks = optional(list(object({
 self_link = string
 all_ranges = optional(bool, true)
+ primary_range = optional(bool, false)
 secondary_ranges = optional(list(string))
 })), [])
 })
 nullable = false
 default = {}
+ validation {
+ condition = alltrue([
+ for s in var.config_source_subnetworks.subnetworks :
+ (s.all_ranges == true) != ((s.primary_range == true) || try(length(s.secondary_ranges), 0) > 0)
+ ])
+ error_message = "Either config_source_subnetworks.subnetworks.all_ranges is true or one of primary_range or secondary_ranges must be defined."
+ }
+ validation {
+ condition = (
+ (var.config_source_subnetworks.all == true ||
+ var.config_source_subnetworks.primary_ranges_only == true) != (length(try(var.config_source_subnetworks.subnetworks, [])) > 0)
+ )
+ error_message = "Cannot use config_source_subnetworks.all and config_source_subnetworks.primary_ranges_only together with config_source_subnetworks.subnetworks."
+ }
 }
 variable "config_timeouts" {
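Review bot: The second validation's `!=` is an XOR, so it also rejects the case where `all` and `primary_ranges_only` are both false and `subnetworks` is empty, yet its error message only describes the "used together" direction and will mislead there; suggest `error_message = "Set exactly one of config_source_subnetworks.all, config_source_subnetworks.primary_ranges_only, or a non-empty config_source_subnetworks.subnetworks."`. The same condition still accepts `all = true` together with `primary_ranges_only = true`, which looks unintended. The `all` and `primary_ranges_only` attributes and their defaults are declared above the hunk, so whether the variable's `{}` default satisfies this check cannot be confirmed from here. The first message's "one of primary_range or secondary_ranges must be defined" is also inaccurate since `primary_range` always has a value; `primary_range must be true or secondary_ranges must be non-empty` states the condition actually tested.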