Improve PSN support in net-vpc module (#384)

* improve PSN support * fix variable order * fix example test * fix cloudsql example
2021-12-09 17:26:37 +01:00
parent 546385d3ee
commit 3758c8f3b0
8 changed files with 106 additions and 67 deletions
--- a/modules/net-vpc/README.md
+++ b/modules/net-vpc/README.md
@@ -138,7 +138,7 @@ module "vpc" {
      secondary_ip_range = null
    }
  ]
-  private_service_networking_range = "10.10.0.0/16"
+  psn_ranges = ["10.10.0.0/16"]
 }
 # tftest:modules=1:resources=4
 ```
@@ -220,7 +220,7 @@ flow_logs:                        # enable, set to empty map to use defaults
 | *mtu* | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 and the maximum value is 1500 bytes. | <code title=""></code> |  | <code title="">null</code> |
 | *peering_config* | VPC peering configuration. | <code title="object&#40;&#123;&#10;peer_vpc_self_link &#61; string&#10;export_routes      &#61; bool&#10;import_routes      &#61; bool&#10;&#125;&#41;">object({...})</code> |  | <code title="">null</code> |
 | *peering_create_remote_end* | Skip creation of peering on the remote end when using peering_config | <code title="">bool</code> |  | <code title="">true</code> |
-| *private_service_networking_range* | RFC1919 CIDR range used for Google services that support private service networking. | <code title="">string</code> |  | <code title="null&#10;validation &#123;&#10;condition &#61; &#40;&#10;var.private_service_networking_range &#61;&#61; null &#124;&#124;&#10;can&#40;cidrnetmask&#40;var.private_service_networking_range&#41;&#41;&#10;&#41;&#10;error_message &#61; &#34;Specify a valid RFC1918 CIDR range for private service networking.&#34;&#10;&#125;">...</code> |
+| *psn_ranges* | CIDR ranges used for Google services that support Private Service Networking. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="null&#10;validation &#123;&#10;condition &#61; alltrue&#40;&#91;&#10;for r in&#40;var.psn_ranges &#61;&#61; null &#63; &#91;&#93; : var.psn_ranges&#41; :&#10;can&#40;cidrnetmask&#40;r&#41;&#41;&#10;&#93;&#41;&#10;error_message &#61; &#34;Specify a valid RFC1918 CIDR range for Private Service Networking.&#34;&#10;&#125;">...</code> |
 | *routes* | Network routes, keyed by name. | <code title="map&#40;object&#40;&#123;&#10;dest_range    &#61; string&#10;priority      &#61; number&#10;tags          &#61; list&#40;string&#41;&#10;next_hop_type &#61; string &#35; gateway, instance, ip, vpn_tunnel, ilb&#10;next_hop      &#61; string&#10;&#125;&#41;&#41;">map(object({...}))</code> |  | <code title="">{}</code> |
 | *routing_mode* | The network routing mode (default 'GLOBAL') | <code title="">string</code> |  | <code title="GLOBAL&#10;validation &#123;&#10;condition     &#61; var.routing_mode &#61;&#61; &#34;GLOBAL&#34; &#124;&#124; var.routing_mode &#61;&#61; &#34;REGIONAL&#34;&#10;error_message &#61; &#34;Routing type must be GLOBAL or REGIONAL.&#34;&#10;&#125;">...</code> |
 | *shared_vpc_host* | Enable shared VPC for this project. | <code title="">bool</code> |  | <code title="">false</code> |
--- a/modules/net-vpc/main.tf
+++ b/modules/net-vpc/main.tf
@@ -78,6 +78,13 @@ locals {
    ? null
    : element(reverse(split("/", var.peering_config.peer_vpc_self_link)), 0)
  )
+  psn_ranges = {
+    for r in(var.psn_ranges == null ? [] : var.psn_ranges) : r => {
+      address       = split("/", r)[0]
+      name          = replace(split("/", r)[0], ".", "-")
+      prefix_length = split("/", r)[1]
+    }
+  }
  routes = {
    gateway    = { for k, v in local._routes : k => v if v.next_hop_type == "gateway" }
    ilb        = { for k, v in local._routes : k => v if v.next_hop_type == "ilb" }
@@ -287,17 +294,6 @@ resource "google_compute_route" "vpn_tunnel" {
  next_hop_vpn_tunnel = each.value.next_hop
 }

-resource "google_compute_global_address" "psn_range" {
-  count         = var.private_service_networking_range == null ? 0 : 1
-  project       = var.project_id
-  name          = "${var.name}-google-psn"
-  purpose       = "VPC_PEERING"
-  address_type  = "INTERNAL"
-  address       = split("/", var.private_service_networking_range)[0]
-  prefix_length = split("/", var.private_service_networking_range)[1]
-  network       = local.network.id
-}
-
 resource "google_dns_policy" "default" {
  count                     = var.dns_policy == null ? 0 : 1
  enable_inbound_forwarding = var.dns_policy.inbound
@@ -309,7 +305,7 @@ resource "google_dns_policy" "default" {
  }

  dynamic "alternative_name_server_config" {
-    for_each = var.dns_policy.outbound == null ? [] : [1]
+    for_each = toset(var.dns_policy.outbound == null ? [] : [""])
    content {
      dynamic "target_name_servers" {
        for_each = toset(var.dns_policy.outbound.private_ns)
@@ -330,9 +326,22 @@ resource "google_dns_policy" "default" {
  }
 }

-resource "google_service_networking_connection" "psn_connection" {
-  count                   = var.private_service_networking_range == null ? 0 : 1
-  network                 = local.network.id
-  service                 = "servicenetworking.googleapis.com"
-  reserved_peering_ranges = [google_compute_global_address.psn_range.0.name]
+resource "google_compute_global_address" "psn_ranges" {
+  for_each      = local.psn_ranges
+  project       = var.project_id
+  name          = "${var.name}-psn-${each.value.name}"
+  purpose       = "VPC_PEERING"
+  address_type  = "INTERNAL"
+  address       = each.value.address
+  prefix_length = each.value.prefix_length
+  network       = local.network.id
+}
+
+resource "google_service_networking_connection" "psn_connection" {
+  for_each = toset(local.psn_ranges == {} ? [] : [""])
+  network  = local.network.id
+  service  = "servicenetworking.googleapis.com"
+  reserved_peering_ranges = [
+    for k, v in google_compute_global_address.psn_ranges : v.name
+  ]
 }
--- a/modules/net-vpc/variables.tf
+++ b/modules/net-vpc/variables.tf
@@ -103,24 +103,24 @@ variable "peering_create_remote_end" {
  default     = true
 }

-variable "private_service_networking_range" {
-  description = "RFC1919 CIDR range used for Google services that support private service networking."
-  type        = string
-  default     = null
-  validation {
-    condition = (
-      var.private_service_networking_range == null ||
-      can(cidrnetmask(var.private_service_networking_range))
-    )
-    error_message = "Specify a valid RFC1918 CIDR range for private service networking."
-  }
-}
-
 variable "project_id" {
  description = "The ID of the project where this VPC will be created"
  type        = string
 }

+variable "psn_ranges" {
+  description = "CIDR ranges used for Google services that support Private Service Networking."
+  type        = list(string)
+  default     = null
+  validation {
+    condition = alltrue([
+      for r in(var.psn_ranges == null ? [] : var.psn_ranges) :
+      can(cidrnetmask(r))
+    ])
+    error_message = "Specify a valid RFC1918 CIDR range for Private Service Networking."
+  }
+}
+
 variable "routes" {
  description = "Network routes, keyed by name."
  type = map(object({