From 4fa1dc431df66b9a60707074d956becdf80789ac Mon Sep 17 00:00:00 2001 
From: Ludovico Magnocavallo Date: Fri, 14 Oct 2022 11:02:33 +0200 Subject: [PATCH] Refactor net-vpc module for Terraform 1.3 (#880) * module tests pass * doc examples * refactor blueprints * fast stages * fix comment typo * fix module factory test --- blueprints/cloud-operations/adfs/main.tf | 7 +- .../asset-inventory-feed-remediation/main.tf | 7 +- .../dns-fine-grained-iam/main.tf | 7 +- .../examples/shared-vpc-example/network.tf | 7 +- .../cloud-operations/glb_and_armor/main.tf | 21 ++-- .../network-dashboard/tests/test.tf | 21 ++-- .../packer-image-builder/main.tf | 7 +- .../unmanaged-instances-healthcheck/main.tf | 7 +- .../vm-migration/single-project/main.tf | 7 +- .../cloudsql-multiregion/main.tf | 9 +- .../cmek-via-centralized-kms/main.tf | 7 +- blueprints/data-solutions/composer-2/main.tf | 2 +- .../data-platform-foundations/02-load.tf | 7 +- .../03-orchestration.tf | 2 +- .../04-transformation.tf | 7 +- .../data-solutions/data-playground/main.tf | 9 +- .../gcs-to-bq-with-least-privileges/vpc.tf | 7 +- .../data-solutions/sqlserver-alwayson/vpc.tf | 7 +- blueprints/gke/binauthz/main.tf | 2 +- .../multi-cluster-mesh-gke-fleet-api/vpc.tf | 9 +- .../networking/decentralized-firewall/main.tf | 14 +-- blueprints/networking/filtering-proxy/main.tf | 14 +-- .../networking/hub-and-spoke-peering/main.tf | 16 ++- .../networking/hub-and-spoke-vpn/net-dev.tf | 4 +- .../hub-and-spoke-vpn/net-landing.tf | 4 +- .../networking/hub-and-spoke-vpn/net-prod.tf | 4 +- .../networking/ilb-next-hop/vpc-left.tf | 9 +- .../networking/ilb-next-hop/vpc-right.tf | 12 +- .../nginx-reverse-proxy-cluster/main.tf | 8 +- .../onprem-google-access-dns/main.tf | 14 +-- .../main.tf | 18 ++- blueprints/networking/shared-vpc-gke/main.tf | 11 +- .../wordpress/cloudrun/cloudsql.tf | 12 +- fast/assets/schemas/subnet.schema.yaml | 6 +- .../subnets/dev/dev-dataplatform-ew1.yaml | 2 +- fast/stages/02-networking-nva/landing.tf | 15 +-- fast/stages/02-networking-nva/spoke-dev.tf | 2 - 
fast/stages/02-networking-nva/spoke-prod.tf | 2 - fast/stages/02-networking-peering/landing.tf | 8 +- .../stages/02-networking-peering/spoke-dev.tf | 4 - .../02-networking-peering/spoke-prod.tf | 4 - .../02-networking-separate-envs/spoke-dev.tf | 4 - .../02-networking-separate-envs/spoke-prod.tf | 4 - fast/stages/02-networking-vpn/landing.tf | 8 +- fast/stages/02-networking-vpn/spoke-dev.tf | 4 - fast/stages/02-networking-vpn/spoke-prod.tf | 4 - modules/net-vpc/README.md | 56 ++++----- modules/net-vpc/main.tf | 34 +++-- modules/net-vpc/psa.tf | 16 +-- modules/net-vpc/subnets.tf | 118 +++++++----------- modules/net-vpc/variables.tf | 113 +++++++---------- .../net_vpc/fixture/data/factory-subnet.yaml | 4 +- tests/modules/net_vpc/fixture/main.tf | 11 +- tests/modules/net_vpc/fixture/variables.tf | 108 +++++++--------- tests/modules/net_vpc/test_plan.py | 53 ++++---- tests/modules/net_vpc/test_plan_psa.py | 18 +-- tests/modules/net_vpc/test_plan_subnets.py | 116 +++++++++-------- 57 files changed, 419 insertions(+), 594 deletions(-) diff --git a/blueprints/cloud-operations/adfs/main.tf b/blueprints/cloud-operations/adfs/main.tf index 31ea0745e..beb06fbdd 100644 --- a/blueprints/cloud-operations/adfs/main.tf +++ b/blueprints/cloud-operations/adfs/main.tf @@ -44,10 +44,9 @@ module "vpc" { name = "${local.prefix}vpc" subnets = [ { - ip_cidr_range = var.subnet_ip_cidr_block - name = "subnet" - region = var.region - secondary_ip_range = null + ip_cidr_range = var.subnet_ip_cidr_block + name = "subnet" + region = var.region } ] } diff --git a/blueprints/cloud-operations/asset-inventory-feed-remediation/main.tf b/blueprints/cloud-operations/asset-inventory-feed-remediation/main.tf index a9f3f8e9e..7fbe780c8 100644 --- a/blueprints/cloud-operations/asset-inventory-feed-remediation/main.tf +++ b/blueprints/cloud-operations/asset-inventory-feed-remediation/main.tf 
@@ -48,10 +48,9 @@ module "vpc" { project_id = module.project.project_id name = var.name subnets = [{ - ip_cidr_range = "192.168.0.0/24" - name = "${var.name}-default" - region = var.region - secondary_ip_range = {} + ip_cidr_range = "192.168.0.0/24" + name = "${var.name}-default" + region = var.region }] } diff --git a/blueprints/cloud-operations/dns-fine-grained-iam/main.tf b/blueprints/cloud-operations/dns-fine-grained-iam/main.tf index 612e76e6d..c86774991 100644 --- a/blueprints/cloud-operations/dns-fine-grained-iam/main.tf +++ b/blueprints/cloud-operations/dns-fine-grained-iam/main.tf @@ -37,10 +37,9 @@ module "vpc" { project_id = module.project.project_id name = var.name subnets = [{ - ip_cidr_range = "192.168.0.0/24" - name = "${var.name}-default" - region = var.region - secondary_ip_range = {} + ip_cidr_range = "192.168.0.0/24" + name = "${var.name}-default" + region = var.region }] } diff --git a/blueprints/cloud-operations/dns-shared-vpc/examples/shared-vpc-example/network.tf b/blueprints/cloud-operations/dns-shared-vpc/examples/shared-vpc-example/network.tf index 725ef6363..f6025d78a 100644 --- a/blueprints/cloud-operations/dns-shared-vpc/examples/shared-vpc-example/network.tf +++ b/blueprints/cloud-operations/dns-shared-vpc/examples/shared-vpc-example/network.tf @@ -22,10 +22,9 @@ module "shared-vpc" { subnets = [ { - name = "subnet-01" - ip_cidr_range = "10.10.1.0/24" - region = var.region - secondary_ip_range = {} + name = "subnet-01" + ip_cidr_range = "10.10.1.0/24" + region = var.region } ] } diff --git a/blueprints/cloud-operations/glb_and_armor/main.tf b/blueprints/cloud-operations/glb_and_armor/main.tf index 357e1006f..6e43bc15e 100644 --- a/blueprints/cloud-operations/glb_and_armor/main.tf +++ b/blueprints/cloud-operations/glb_and_armor/main.tf 
@@ -43,22 +43,19 @@ module "vpc" { name = "${local.prefix}vpc" subnets = [ { - ip_cidr_range = "10.0.1.0/24" - name = "subnet-ew1" - region = "europe-west1" - secondary_ip_range = null + ip_cidr_range = "10.0.1.0/24" + name = "subnet-ew1" + region = "europe-west1" }, { - ip_cidr_range = "10.0.2.0/24" - name = "subnet-ue1" - region = "us-east1" - secondary_ip_range = null + ip_cidr_range = "10.0.2.0/24" + name = "subnet-ue1" + region = "us-east1" }, { - ip_cidr_range = "10.0.3.0/24" - name = "subnet-uw1" - region = "us-west1" - secondary_ip_range = null + ip_cidr_range = "10.0.3.0/24" + name = "subnet-uw1" + region = "us-west1" } ] } diff --git a/blueprints/cloud-operations/network-dashboard/tests/test.tf b/blueprints/cloud-operations/network-dashboard/tests/test.tf index 2f04485bc..bb9d6d317 100644 --- a/blueprints/cloud-operations/network-dashboard/tests/test.tf +++ b/blueprints/cloud-operations/network-dashboard/tests/test.tf @@ -40,10 +40,9 @@ module "vpc-hub" { name = "vpc-hub" subnets = [ { - ip_cidr_range = "10.0.10.0/24" - name = "subnet-hub-1" - region = var.region - secondary_ip_range = {} + ip_cidr_range = "10.0.10.0/24" + name = "subnet-hub-1" + region = var.region } ] } @@ -81,10 +80,9 @@ module "vpc-prod" { name = "vpc-prod" subnets = [ { - ip_cidr_range = "10.0.20.0/24" - name = "subnet-prod-1" - region = var.region - secondary_ip_range = {} + ip_cidr_range = "10.0.20.0/24" + name = "subnet-prod-1" + region = var.region } ] } @@ -122,10 +120,9 @@ module "vpc-dev" { name = "vpc-dev" subnets = [ { - ip_cidr_range = "10.0.30.0/24" - name = "subnet-dev-1" - region = var.region - secondary_ip_range = {} + ip_cidr_range = "10.0.30.0/24" + name = "subnet-dev-1" + region = var.region } ] } diff --git a/blueprints/cloud-operations/packer-image-builder/main.tf b/blueprints/cloud-operations/packer-image-builder/main.tf index 084e26c5f..f8ea374f7 100644 --- a/blueprints/cloud-operations/packer-image-builder/main.tf 
+++ b/blueprints/cloud-operations/packer-image-builder/main.tf @@ -56,10 +56,9 @@ module "vpc" { name = "image-builder" subnets = [ { - name = local.compute_subnet_name - ip_cidr_range = var.cidrs.image-builder - region = var.region - secondary_ip_range = null + name = local.compute_subnet_name + ip_cidr_range = var.cidrs.image-builder + region = var.region } ] } diff --git a/blueprints/cloud-operations/unmanaged-instances-healthcheck/main.tf b/blueprints/cloud-operations/unmanaged-instances-healthcheck/main.tf index b7bb42266..98882b055 100644 --- a/blueprints/cloud-operations/unmanaged-instances-healthcheck/main.tf +++ b/blueprints/cloud-operations/unmanaged-instances-healthcheck/main.tf @@ -43,10 +43,9 @@ module "vpc" { name = "vpc" subnets = [ { - name = "apps" - ip_cidr_range = "10.8.32.0/24" - region = var.region - secondary_ip_range = null + name = "apps" + ip_cidr_range = "10.8.32.0/24" + region = var.region } ] } diff --git a/blueprints/cloud-operations/vm-migration/single-project/main.tf b/blueprints/cloud-operations/vm-migration/single-project/main.tf index 6adf9fbd5..acb06a91b 100644 --- a/blueprints/cloud-operations/vm-migration/single-project/main.tf +++ b/blueprints/cloud-operations/vm-migration/single-project/main.tf @@ -58,10 +58,9 @@ module "landing-vpc" { name = "landing-vpc" subnets = [ { - ip_cidr_range = var.vpc_config.ip_cidr_range - name = "landing-vpc-${var.vpc_config.region}" - region = var.vpc_config.region - secondary_ip_range = {} + ip_cidr_range = var.vpc_config.ip_cidr_range + name = "landing-vpc-${var.vpc_config.region}" + region = var.vpc_config.region } ] } diff --git a/blueprints/data-solutions/cloudsql-multiregion/main.tf b/blueprints/data-solutions/cloudsql-multiregion/main.tf index 14dedd84a..41a111fed 100644 --- a/blueprints/data-solutions/cloudsql-multiregion/main.tf +++ b/blueprints/data-solutions/cloudsql-multiregion/main.tf 
@@ -36,7 +36,7 @@ locals { local.data_eng_principals_iam, [module.service-account-sql.iam_email] ) - # compute engeneering + # compute engineering "roles/compute.instanceAdmin.v1" = local.data_eng_principals_iam "roles/compute.osLogin" = local.data_eng_principals_iam "roles/compute.viewer" = local.data_eng_principals_iam @@ -115,10 +115,9 @@ module "vpc" { name = "vpc" subnets = [ { - ip_cidr_range = "10.0.0.0/20" - name = "subnet" - region = var.regions.primary - secondary_ip_range = {} + ip_cidr_range = "10.0.0.0/20" + name = "subnet" + region = var.regions.primary } ] diff --git a/blueprints/data-solutions/cmek-via-centralized-kms/main.tf b/blueprints/data-solutions/cmek-via-centralized-kms/main.tf index 260d2e38b..d507bfdff 100644 --- a/blueprints/data-solutions/cmek-via-centralized-kms/main.tf +++ b/blueprints/data-solutions/cmek-via-centralized-kms/main.tf @@ -51,10 +51,9 @@ module "vpc" { name = var.vpc_name subnets = [ { - ip_cidr_range = var.vpc_ip_cidr_range - name = var.vpc_subnet_name - region = var.region - secondary_ip_range = {} + ip_cidr_range = var.vpc_ip_cidr_range + name = var.vpc_subnet_name + region = var.region } ] } diff --git a/blueprints/data-solutions/composer-2/main.tf b/blueprints/data-solutions/composer-2/main.tf index 23904096d..407eb5f23 100644 --- a/blueprints/data-solutions/composer-2/main.tf +++ b/blueprints/data-solutions/composer-2/main.tf @@ -120,7 +120,7 @@ module "vpc" { ip_cidr_range = "10.0.0.0/20" name = "subnet" region = var.region - secondary_ip_range = { + secondary_ip_ranges = { pods = "10.10.8.0/22" services = "10.10.12.0/24" } diff --git a/blueprints/data-solutions/data-platform-foundations/02-load.tf b/blueprints/data-solutions/data-platform-foundations/02-load.tf index 933804118..5c61da9f8 100644 --- a/blueprints/data-solutions/data-platform-foundations/02-load.tf +++ b/blueprints/data-solutions/data-platform-foundations/02-load.tf 
@@ -110,10 +110,9 @@ module "load-vpc" { name = "${var.prefix}-default" subnets = [ { - ip_cidr_range = "10.10.0.0/24" - name = "default" - region = var.region - secondary_ip_range = {} + ip_cidr_range = "10.10.0.0/24" + name = "default" + region = var.region } ] } diff --git a/blueprints/data-solutions/data-platform-foundations/03-orchestration.tf b/blueprints/data-solutions/data-platform-foundations/03-orchestration.tf index e624c1973..7519fa8a5 100644 --- a/blueprints/data-solutions/data-platform-foundations/03-orchestration.tf +++ b/blueprints/data-solutions/data-platform-foundations/03-orchestration.tf @@ -121,7 +121,7 @@ module "orch-vpc" { ip_cidr_range = "10.10.0.0/24" name = "default" region = var.region - secondary_ip_range = { + secondary_ip_ranges = { pods = "10.10.8.0/22" services = "10.10.12.0/24" } diff --git a/blueprints/data-solutions/data-platform-foundations/04-transformation.tf b/blueprints/data-solutions/data-platform-foundations/04-transformation.tf index fa71e27a5..e696bec6b 100644 --- a/blueprints/data-solutions/data-platform-foundations/04-transformation.tf +++ b/blueprints/data-solutions/data-platform-foundations/04-transformation.tf @@ -134,10 +134,9 @@ module "transf-vpc" { name = "${var.prefix}-default" subnets = [ { - ip_cidr_range = "10.10.0.0/24" - name = "default" - region = var.region - secondary_ip_range = {} + ip_cidr_range = "10.10.0.0/24" + name = "default" + region = var.region } ] } diff --git a/blueprints/data-solutions/data-playground/main.tf b/blueprints/data-solutions/data-playground/main.tf index fa5164a68..2bcd69ab8 100644 --- a/blueprints/data-solutions/data-playground/main.tf +++ b/blueprints/data-solutions/data-playground/main.tf 
@@ -41,7 +41,7 @@ module "project" { "storage-component.googleapis.com" ] policy_boolean = { - # "constraints/compute.requireOsLogin" = false + # "constraints/compute.requireOsLogin" = false # Example of applying a project wide policy, mainly useful for Composer } service_encryption_key_ids = { @@ -61,10 +61,9 @@ module "vpc" { name = "${var.prefix}-vpc" subnets = [ { - ip_cidr_range = var.vpc_config.ip_cidr_range - name = "${var.prefix}-subnet" - region = var.region - secondary_ip_range = {} + ip_cidr_range = var.vpc_config.ip_cidr_range + name = "${var.prefix}-subnet" + region = var.region } ] } diff --git a/blueprints/data-solutions/gcs-to-bq-with-least-privileges/vpc.tf b/blueprints/data-solutions/gcs-to-bq-with-least-privileges/vpc.tf index 21c344787..aab9a657b 100644 --- a/blueprints/data-solutions/gcs-to-bq-with-least-privileges/vpc.tf +++ b/blueprints/data-solutions/gcs-to-bq-with-least-privileges/vpc.tf @@ -19,10 +19,9 @@ module "vpc" { name = "${var.prefix}-vpc" subnets = [ { - ip_cidr_range = var.vpc_subnet_range - name = "subnet" - region = var.region - secondary_ip_range = {} + ip_cidr_range = var.vpc_subnet_range + name = "subnet" + region = var.region } ] } diff --git a/blueprints/data-solutions/sqlserver-alwayson/vpc.tf b/blueprints/data-solutions/sqlserver-alwayson/vpc.tf index c83a7561a..dbbf38a79 100644 --- a/blueprints/data-solutions/sqlserver-alwayson/vpc.tf +++ b/blueprints/data-solutions/sqlserver-alwayson/vpc.tf @@ -58,10 +58,9 @@ module "vpc" { name = var.network subnets = var.project_create != null ? [ { - ip_cidr_range = var.vpc_ip_cidr_range - name = var.subnetwork - region = var.region - secondary_ip_range = {} + ip_cidr_range = var.vpc_ip_cidr_range + name = var.subnetwork + region = var.region } ] : [] vpc_create = var.project_create != null ? true : false diff --git a/blueprints/gke/binauthz/main.tf b/blueprints/gke/binauthz/main.tf index 1596776a1..793239436 100644 --- a/blueprints/gke/binauthz/main.tf 
+++ b/blueprints/gke/binauthz/main.tf @@ -66,7 +66,7 @@ module "vpc" { ip_cidr_range = var.subnet_cidr_block name = "subnet" region = var.region - secondary_ip_range = { + secondary_ip_ranges = { pods = var.pods_cidr_block services = var.services_cidr_block } diff --git a/blueprints/gke/multi-cluster-mesh-gke-fleet-api/vpc.tf b/blueprints/gke/multi-cluster-mesh-gke-fleet-api/vpc.tf index 395e20cd7..6c09546a2 100644 --- a/blueprints/gke/multi-cluster-mesh-gke-fleet-api/vpc.tf +++ b/blueprints/gke/multi-cluster-mesh-gke-fleet-api/vpc.tf @@ -25,15 +25,14 @@ module "svpc" { ip_cidr_range = config.subnet_cidr_block name = "subnet-${key}" region = var.region - secondary_ip_range = { + secondary_ip_ranges = { pods = config.pods_cidr_block services = config.services_cidr_block } }], [{ - ip_cidr_range = var.mgmt_subnet_cidr_block - name = "subnet-mgmt" - region = var.mgmt_server_config.region - secondary_ip_range = null + ip_cidr_range = var.mgmt_subnet_cidr_block + name = "subnet-mgmt" + region = var.mgmt_server_config.region }]) } diff --git a/blueprints/networking/decentralized-firewall/main.tf b/blueprints/networking/decentralized-firewall/main.tf index 57c87e999..ab42b6495 100644 --- a/blueprints/networking/decentralized-firewall/main.tf +++ b/blueprints/networking/decentralized-firewall/main.tf @@ -52,10 +52,9 @@ module "vpc-prod" { name = "prod-vpc" subnets = [ { - ip_cidr_range = var.ip_ranges.prod - name = "prod" - region = var.region - secondary_ip_range = {} + ip_cidr_range = var.ip_ranges.prod + name = "prod" + region = var.region } ] } @@ -66,10 +65,9 @@ module "vpc-dev" { name = "dev-vpc" subnets = [ { - ip_cidr_range = var.ip_ranges.dev - name = "dev" - region = var.region - secondary_ip_range = {} + ip_cidr_range = var.ip_ranges.dev + name = "dev" + region = var.region } ] } diff --git a/blueprints/networking/filtering-proxy/main.tf b/blueprints/networking/filtering-proxy/main.tf index 5b9a85d89..884fbd300 100644 
--- a/blueprints/networking/filtering-proxy/main.tf +++ b/blueprints/networking/filtering-proxy/main.tf @@ -58,16 +58,14 @@ module "vpc" { name = "vpc" subnets = [ { - name = "apps" - ip_cidr_range = var.cidrs.apps - region = var.region - secondary_ip_range = null + name = "apps" + ip_cidr_range = var.cidrs.apps + region = var.region }, { - name = "proxy" - ip_cidr_range = var.cidrs.proxy - region = var.region - secondary_ip_range = null + name = "proxy" + ip_cidr_range = var.cidrs.proxy + region = var.region } ] } diff --git a/blueprints/networking/hub-and-spoke-peering/main.tf b/blueprints/networking/hub-and-spoke-peering/main.tf index 7e9f0f8aa..525e20d0f 100644 --- a/blueprints/networking/hub-and-spoke-peering/main.tf +++ b/blueprints/networking/hub-and-spoke-peering/main.tf @@ -52,10 +52,9 @@ module "vpc-hub" { name = "${local.prefix}hub" subnets = [ { - ip_cidr_range = var.ip_ranges.hub - name = "${local.prefix}hub-1" - region = var.region - secondary_ip_range = {} + ip_cidr_range = var.ip_ranges.hub + name = "${local.prefix}hub-1" + region = var.region } ] } @@ -86,10 +85,9 @@ module "vpc-spoke-1" { name = "${local.prefix}spoke-1" subnets = [ { - ip_cidr_range = var.ip_ranges.spoke-1 - name = "${local.prefix}spoke-1-1" - region = var.region - secondary_ip_range = {} + ip_cidr_range = var.ip_ranges.spoke-1 + name = "${local.prefix}spoke-1-1" + region = var.region } ] } @@ -131,7 +129,7 @@ module "vpc-spoke-2" { ip_cidr_range = var.ip_ranges.spoke-2 name = "${local.prefix}spoke-2-1" region = var.region - secondary_ip_range = { + secondary_ip_ranges = { pods = var.ip_secondary_ranges.spoke-2-pods services = var.ip_secondary_ranges.spoke-2-services } diff --git a/blueprints/networking/hub-and-spoke-vpn/net-dev.tf b/blueprints/networking/hub-and-spoke-vpn/net-dev.tf index eedca0f75..5fe08acc0 100644 --- a/blueprints/networking/hub-and-spoke-vpn/net-dev.tf +++ b/blueprints/networking/hub-and-spoke-vpn/net-dev.tf 
@@ -23,7 +23,7 @@ module "dev-vpc" { ip_cidr_range = var.ip_ranges.dev-0-r1 name = "${local.prefix}dev-0" region = var.regions.r1 - secondary_ip_range = try( + secondary_ip_ranges = try( var.ip_secondary_ranges.dev-0-r1, {} ) }, @@ -31,7 +31,7 @@ module "dev-vpc" { ip_cidr_range = var.ip_ranges.dev-0-r2 name = "${local.prefix}dev-0" region = var.regions.r2 - secondary_ip_range = try( + secondary_ip_ranges = try( var.ip_secondary_ranges.dev-0-r2, {} ) } diff --git a/blueprints/networking/hub-and-spoke-vpn/net-landing.tf b/blueprints/networking/hub-and-spoke-vpn/net-landing.tf index baaea4bc6..24d17ef41 100644 --- a/blueprints/networking/hub-and-spoke-vpn/net-landing.tf +++ b/blueprints/networking/hub-and-spoke-vpn/net-landing.tf @@ -23,7 +23,7 @@ module "landing-vpc" { ip_cidr_range = var.ip_ranges.land-0-r1 name = "${local.prefix}lnd-0" region = var.regions.r1 - secondary_ip_range = try( + secondary_ip_ranges = try( var.ip_secondary_ranges.land-0-r1, {} ) }, @@ -31,7 +31,7 @@ module "landing-vpc" { ip_cidr_range = var.ip_ranges.land-0-r2 name = "${local.prefix}lnd-0" region = var.regions.r2 - secondary_ip_range = try( + secondary_ip_ranges = try( var.ip_secondary_ranges.land-0-r2, {} ) } diff --git a/blueprints/networking/hub-and-spoke-vpn/net-prod.tf b/blueprints/networking/hub-and-spoke-vpn/net-prod.tf index c058537d2..a7700aebf 100644 --- a/blueprints/networking/hub-and-spoke-vpn/net-prod.tf +++ b/blueprints/networking/hub-and-spoke-vpn/net-prod.tf @@ -23,7 +23,7 @@ module "prod-vpc" { ip_cidr_range = var.ip_ranges.prod-0-r1 name = "${local.prefix}prd-0" region = var.regions.r1 - secondary_ip_range = try( + secondary_ip_ranges = try( var.ip_secondary_ranges.prod-0-r1, {} ) }, @@ -31,7 +31,7 @@ module "prod-vpc" { ip_cidr_range = var.ip_ranges.prod-0-r2 name = "${local.prefix}prd-0" region = var.regions.r2 - secondary_ip_range = try( + secondary_ip_ranges = try( var.ip_secondary_ranges.prod-0-r2, {} ) } 
diff --git a/blueprints/networking/ilb-next-hop/vpc-left.tf b/blueprints/networking/ilb-next-hop/vpc-left.tf index 07fc91b74..426614c9f 100644 --- a/blueprints/networking/ilb-next-hop/vpc-left.tf +++ b/blueprints/networking/ilb-next-hop/vpc-left.tf @@ -20,17 +20,14 @@ module "vpc-left" { name = "${local.prefix}left" subnets = [ { - ip_cidr_range = var.ip_ranges.left - name = "${local.prefix}left" - region = var.region - secondary_ip_range = {} + ip_cidr_range = var.ip_ranges.left + name = "${local.prefix}left" + region = var.region }, ] routes = { to-right = { dest_range = var.ip_ranges.right - priority = null - tags = null next_hop_type = "ilb" next_hop = module.ilb-left.forwarding_rule.self_link } diff --git a/blueprints/networking/ilb-next-hop/vpc-right.tf b/blueprints/networking/ilb-next-hop/vpc-right.tf index 0343c4d75..95350eb09 100644 --- a/blueprints/networking/ilb-next-hop/vpc-right.tf +++ b/blueprints/networking/ilb-next-hop/vpc-right.tf @@ -20,31 +20,25 @@ module "vpc-right" { name = "${local.prefix}right" subnets = [ { - ip_cidr_range = var.ip_ranges.right - name = "${local.prefix}right" - region = var.region - secondary_ip_range = {} + ip_cidr_range = var.ip_ranges.right + name = "${local.prefix}right" + region = var.region }, ] routes = { to-left-ilb = { dest_range = var.ip_ranges.left priority = var.ilb_right_enable ? 900 : 1100 - tags = null next_hop_type = "ilb" next_hop = module.ilb-right.forwarding_rule.self_link } to-left-gw-1 = { dest_range = var.ip_ranges.left - priority = null - tags = null next_hop_type = "instance" next_hop = module.gw[var.zones[0]].self_link } to-left-gw-2 = { dest_range = var.ip_ranges.left - priority = null - tags = null next_hop_type = "instance" next_hop = module.gw[var.zones[1]].self_link } diff --git a/blueprints/networking/nginx-reverse-proxy-cluster/main.tf b/blueprints/networking/nginx-reverse-proxy-cluster/main.tf index a6baacb23..42b5ec610 100644 --- a/blueprints/networking/nginx-reverse-proxy-cluster/main.tf 
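Review bot: In vpc-right.tf, once `priority = null` is dropped from `to-left-gw-1` and `to-left-gw-2`, the failover behaviour depends on the module's default route priority sitting between the 900/1100 values kept on `to-left-ilb`, and nothing in the routes block says so. The default is not visible in this diff (presumably 1000), so a one-line comment on the instance routes would make the invariant explicit, e.g. `# no explicit priority: the module default must sit between to-left-ilb's 900/1100 so the ILB route wins only when ilb_right_enable is true`. Without it, a later change to the module default would silently invert which next hop is used.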
+++ b/blueprints/networking/nginx-reverse-proxy-cluster/main.tf @@ -149,13 +149,11 @@ module "vpc" { name = var.network subnets = [ { - name = var.subnetwork - ip_cidr_range = var.cidrs[var.subnetwork] - region = var.region - secondary_ip_range = null + name = var.subnetwork + ip_cidr_range = var.cidrs[var.subnetwork] + region = var.region }, ] - vpc_create = var.network_create } diff --git a/blueprints/networking/onprem-google-access-dns/main.tf b/blueprints/networking/onprem-google-access-dns/main.tf index b8e8f90ce..18159080e 100644 --- a/blueprints/networking/onprem-google-access-dns/main.tf +++ b/blueprints/networking/onprem-google-access-dns/main.tf @@ -56,16 +56,14 @@ module "vpc" { name = "to-onprem" subnets = [ { - ip_cidr_range = var.ip_ranges.gcp1 - name = "subnet1" - region = var.region.gcp1 - secondary_ip_range = {} + ip_cidr_range = var.ip_ranges.gcp1 + name = "subnet1" + region = var.region.gcp1 }, { - ip_cidr_range = var.ip_ranges.gcp2 - name = "subnet2" - region = var.region.gcp2 - secondary_ip_range = {} + ip_cidr_range = var.ip_ranges.gcp2 + name = "subnet2" + region = var.region.gcp2 } ] } diff --git a/blueprints/networking/private-cloud-function-from-onprem/main.tf b/blueprints/networking/private-cloud-function-from-onprem/main.tf index 5e8e2e569..528cabe05 100644 --- a/blueprints/networking/private-cloud-function-from-onprem/main.tf +++ b/blueprints/networking/private-cloud-function-from-onprem/main.tf @@ -42,15 +42,12 @@ module "vpc-onprem" { name = "${var.name}-onprem" subnets = [ { - ip_cidr_range = var.ip_ranges.onprem - name = "${var.name}-onprem" - region = var.region - secondary_ip_range = {} + ip_cidr_range = var.ip_ranges.onprem + name = "${var.name}-onprem" + region = var.region + enable_private_access = false } ] - subnet_private_access = { - "${var.region}/${var.name}-onprem" = false - } } module "firewall-onprem" { 
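Review bot: The new `enable_private_access = false` on the `${var.name}-onprem` subnet in private-cloud-function-from-onprem/main.tf carries a deliberate choice that was previously at least set apart in its own `subnet_private_access` map, but it still has no comment saying why Private Google Access is off for that subnet. Presumably the VPC simulates an on-prem network that must reach Google APIs only through the hub; if so, a line such as `# simulated on-prem: no Private Google Access, API traffic must transit the hub` would stop a later reader from "fixing" it to the default. The onprem-google-access-dns and nginx hunks on this line look like pure interface updates.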
@@ -65,10 +62,9 @@ module "vpc-hub" { name = "${var.name}-hub" subnets = [ { - ip_cidr_range = var.ip_ranges.hub - name = "${var.name}-hub" - region = var.region - secondary_ip_range = {} + ip_cidr_range = var.ip_ranges.hub + name = "${var.name}-hub" + region = var.region } ] } diff --git a/blueprints/networking/shared-vpc-gke/main.tf b/blueprints/networking/shared-vpc-gke/main.tf index cbfa311d1..47b2b533b 100644 --- a/blueprints/networking/shared-vpc-gke/main.tf +++ b/blueprints/networking/shared-vpc-gke/main.tf @@ -97,22 +97,21 @@ module "vpc-shared" { name = "shared-vpc" subnets = [ { - ip_cidr_range = var.ip_ranges.gce - name = "gce" - region = var.region - secondary_ip_range = {} + ip_cidr_range = var.ip_ranges.gce + name = "gce" + region = var.region }, { ip_cidr_range = var.ip_ranges.gke name = "gke" region = var.region - secondary_ip_range = { + secondary_ip_ranges = { pods = var.ip_secondary_ranges.gke-pods services = var.ip_secondary_ranges.gke-services } } ] - iam = { + subnet_iam = { "${var.region}/gce" = { "roles/compute.networkUser" = concat(var.owners_gce, [ "serviceAccount:${module.project-svc-gce.service_accounts.cloud_services}", diff --git a/blueprints/third-party-solutions/wordpress/cloudrun/cloudsql.tf b/blueprints/third-party-solutions/wordpress/cloudrun/cloudsql.tf index 11e6e3111..743020e04 100644 --- a/blueprints/third-party-solutions/wordpress/cloudrun/cloudsql.tf +++ b/blueprints/third-party-solutions/wordpress/cloudrun/cloudsql.tf @@ -26,19 +26,15 @@ module "vpc" { name = "${local.prefix}sql-vpc" subnets = [ { - ip_cidr_range = var.ip_ranges.sql_vpc - name = "subnet" - region = var.region - secondary_ip_range = {} + ip_cidr_range = var.ip_ranges.sql_vpc + name = "subnet" + region = var.region } ] - - # Private Service Access psa_config = { ranges = { cloud-sql = var.ip_ranges.psa } - routes = null } } 
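Review bot: In cloudsql.tf the `# Private Service Access` comment above `psa_config` is removed together with `routes = null`, but nothing replaces it, and `psa_config` with a bare `cloud-sql` range is terse for a reader who does not know the module. Keeping `# Private Service Access range used by the Cloud SQL instance` on the line before `psa_config = {` costs nothing and preserves the one piece of intent the old block carried. The shared-vpc-gke `iam` to `subnet_iam` rename on this line is consistent with the rest of the patch.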
@@ -67,4 +63,4 @@ module "cloudsql" { users = { "${local.cloudsql_conf.user}" = "${local.cloudsql_conf.pass}" } -} \ No newline at end of file +} diff --git a/fast/assets/schemas/subnet.schema.yaml b/fast/assets/schemas/subnet.schema.yaml index 9cae66601..c928a1b90 100644 --- a/fast/assets/schemas/subnet.schema.yaml +++ b/fast/assets/schemas/subnet.schema.yaml @@ -16,14 +16,16 @@ region: str() description: str() ip_cidr_range: str() # optional attributes -private_ip_google_access: bool(required=False) # defaults to true +enable_private_access: bool(required=False) # defaults to true iam_users: list(str(), required=False) iam_groups: list(str(), required=False) iam_service_accounts: list(str(), required=False) -secondary_ip_range: map(str(), key=str(), required=False) +secondary_ip_ranges: map(str(), key=str(), required=False) flow_logs: any(include('flow_logs'), required=False) --- flow_logs: - aggregation_interval: enum('INTERVAL_5_SEC', 'INTERVAL_30_SEC', 'INTERVAL_1_MIN', 'INTERVAL_5_MIN', 'INTERVAL_10_MIN', 'INTERVAL_15_MIN', required=False) + - filter_expression: str() - flow_sampling: num(min=0, max=1, required=False) - metadata: enum('EXCLUDE_ALL_METADATA', 'INCLUDE_ALL_METADATA', 'CUSTOM_METADATA', required=False) + - metadata_fields: map(str(), key=str(), required=False) diff --git a/fast/stages/02-networking-nva/data/subnets/dev/dev-dataplatform-ew1.yaml b/fast/stages/02-networking-nva/data/subnets/dev/dev-dataplatform-ew1.yaml index 92994826d..2c682405c 100644 --- a/fast/stages/02-networking-nva/data/subnets/dev/dev-dataplatform-ew1.yaml +++ b/fast/stages/02-networking-nva/data/subnets/dev/dev-dataplatform-ew1.yaml @@ -3,6 +3,6 @@ region: europe-west1 description: Default subnet for dev Data Platform ip_cidr_range: 10.128.48.0/24 -secondary_ip_range: +secondary_ip_ranges: pods: 100.128.48.0/20 services: 100.255.48.0/24 diff --git a/fast/stages/02-networking-nva/landing.tf b/fast/stages/02-networking-nva/landing.tf index 7022b10fc..be051b766 100644 
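Review bot: In subnet.schema.yaml the new `- filter_expression: str()` entry under `flow_logs` has no `required=False`, unlike every other flow_logs attribute, so any subnet YAML that declares a `flow_logs` block without a filter expression will now fail validation; `- filter_expression: str(required=False)` looks like the intent. `metadata_fields` is declared as `map(str(), key=str(), required=False)`, whereas the provider's `log_config.metadata_fields` takes a list of field names, so unless the module's flow_logs variable (outside this diff) maps it differently, a list type would be the safer match and is worth confirming against modules/net-vpc/variables.tf. The key renames to `enable_private_access` and `secondary_ip_ranges` are mirrored in only one data file in this patch (dev-dataplatform-ew1.yaml); any other subnet YAML under the stages' data folders still using `private_ip_google_access` or `secondary_ip_range` would stop validating, or silently lose that setting if the factory ignores unknown keys.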
--- a/fast/stages/02-networking-nva/landing.tf +++ b/fast/stages/02-networking-nva/landing.tf @@ -49,13 +49,10 @@ module "landing-untrusted-vpc" { project_id = module.landing-project.project_id name = "prod-untrusted-landing-0" mtu = 1500 - dns_policy = { - inbound = false - logging = false - outbound = null + inbound = false + logging = false } - data_folder = "${var.data_dir}/subnets/landing-untrusted" } @@ -108,24 +105,18 @@ module "landing-trusted-vpc" { routes = { private-googleapis = { dest_range = "199.36.153.8/30" - priority = 1000 - tags = [] next_hop_type = "gateway" next_hop = "default-internet-gateway" } restricted-googleapis = { dest_range = "199.36.153.4/30" - priority = 1000 - tags = [] next_hop_type = "gateway" next_hop = "default-internet-gateway" } } dns_policy = { - inbound = true - logging = false - outbound = null + inbound = true } data_folder = "${var.data_dir}/subnets/landing-trusted" diff --git a/fast/stages/02-networking-nva/spoke-dev.tf b/fast/stages/02-networking-nva/spoke-dev.tf index 3499206f5..3c6843e2a 100644 --- a/fast/stages/02-networking-nva/spoke-dev.tf +++ b/fast/stages/02-networking-nva/spoke-dev.tf @@ -56,14 +56,12 @@ module "dev-spoke-vpc" { private-googleapis = { dest_range = "199.36.153.8/30" priority = 999 - tags = [] next_hop_type = "gateway" next_hop = "default-internet-gateway" } restricted-googleapis = { dest_range = "199.36.153.4/30" priority = 999 - tags = [] next_hop_type = "gateway" next_hop = "default-internet-gateway" } diff --git a/fast/stages/02-networking-nva/spoke-prod.tf b/fast/stages/02-networking-nva/spoke-prod.tf index 6a0c26c8b..5d35ca8fe 100644 --- a/fast/stages/02-networking-nva/spoke-prod.tf +++ b/fast/stages/02-networking-nva/spoke-prod.tf 
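Review bot: In the landing-untrusted-vpc hunk `logging = false` is kept inside `dns_policy`, while the landing-trusted-vpc hunk further down drops it and keeps only `inbound = true`; if `logging` defaults to false in the refactored module (its variables.tf is outside this diff) the untrusted block should drop it too, otherwise both should state it, so a reader does not infer the two landing VPCs are configured differently. The `priority = 1000` lines removed from the googleapis routes here, and likewise in the peering, separate-envs and vpn stages, now rely on the module default as well; that is fine if the default is 1000, but a comment such as `# priority intentionally left at the module default` on one of the routes would record the assumption next to the existing "in case the default route is deleted" rationale.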
@@ -56,14 +56,12 @@ module "prod-spoke-vpc" { private-googleapis = { dest_range = "199.36.153.8/30" priority = 999 - tags = [] next_hop_type = "gateway" next_hop = "default-internet-gateway" } restricted-googleapis = { dest_range = "199.36.153.4/30" priority = 999 - tags = [] next_hop_type = "gateway" next_hop = "default-internet-gateway" } diff --git a/fast/stages/02-networking-peering/landing.tf b/fast/stages/02-networking-peering/landing.tf index b090219bd..ccd0d6254 100644 --- a/fast/stages/02-networking-peering/landing.tf +++ b/fast/stages/02-networking-peering/landing.tf @@ -48,23 +48,17 @@ module "landing-vpc" { name = "prod-landing-0" mtu = 1500 dns_policy = { - inbound = true - logging = false - outbound = null + inbound = true } # set explicit routes for googleapis in case the default route is deleted routes = { private-googleapis = { dest_range = "199.36.153.8/30" - priority = 1000 - tags = [] next_hop_type = "gateway" next_hop = "default-internet-gateway" } restricted-googleapis = { dest_range = "199.36.153.4/30" - priority = 1000 - tags = [] next_hop_type = "gateway" next_hop = "default-internet-gateway" } diff --git a/fast/stages/02-networking-peering/spoke-dev.tf b/fast/stages/02-networking-peering/spoke-dev.tf index e9ad6fbff..9fe6c480f 100644 --- a/fast/stages/02-networking-peering/spoke-dev.tf +++ b/fast/stages/02-networking-peering/spoke-dev.tf @@ -55,15 +55,11 @@ module "dev-spoke-vpc" { routes = { private-googleapis = { dest_range = "199.36.153.8/30" - priority = 1000 - tags = [] next_hop_type = "gateway" next_hop = "default-internet-gateway" } restricted-googleapis = { dest_range = "199.36.153.4/30" - priority = 1000 - tags = [] next_hop_type = "gateway" next_hop = "default-internet-gateway" } diff --git a/fast/stages/02-networking-peering/spoke-prod.tf b/fast/stages/02-networking-peering/spoke-prod.tf index 77a0e0879..8ff69a98c 100644 --- a/fast/stages/02-networking-peering/spoke-prod.tf +++ b/fast/stages/02-networking-peering/spoke-prod.tf 
@@ -55,15 +55,11 @@ module "prod-spoke-vpc" { routes = { private-googleapis = { dest_range = "199.36.153.8/30" - priority = 1000 - tags = [] next_hop_type = "gateway" next_hop = "default-internet-gateway" } restricted-googleapis = { dest_range = "199.36.153.4/30" - priority = 1000 - tags = [] next_hop_type = "gateway" next_hop = "default-internet-gateway" } diff --git a/fast/stages/02-networking-separate-envs/spoke-dev.tf b/fast/stages/02-networking-separate-envs/spoke-dev.tf index 94350d33e..08eac2305 100644 --- a/fast/stages/02-networking-separate-envs/spoke-dev.tf +++ b/fast/stages/02-networking-separate-envs/spoke-dev.tf @@ -54,15 +54,11 @@ module "dev-spoke-vpc" { routes = { private-googleapis = { dest_range = "199.36.153.8/30" - priority = 1000 - tags = [] next_hop_type = "gateway" next_hop = "default-internet-gateway" } restricted-googleapis = { dest_range = "199.36.153.4/30" - priority = 1000 - tags = [] next_hop_type = "gateway" next_hop = "default-internet-gateway" } diff --git a/fast/stages/02-networking-separate-envs/spoke-prod.tf b/fast/stages/02-networking-separate-envs/spoke-prod.tf index d1b692b5b..4261f1ce0 100644 --- a/fast/stages/02-networking-separate-envs/spoke-prod.tf +++ b/fast/stages/02-networking-separate-envs/spoke-prod.tf @@ -54,15 +54,11 @@ module "prod-spoke-vpc" { routes = { private-googleapis = { dest_range = "199.36.153.8/30" - priority = 1000 - tags = [] next_hop_type = "gateway" next_hop = "default-internet-gateway" } restricted-googleapis = { dest_range = "199.36.153.4/30" - priority = 1000 - tags = [] next_hop_type = "gateway" next_hop = "default-internet-gateway" } diff --git a/fast/stages/02-networking-vpn/landing.tf b/fast/stages/02-networking-vpn/landing.tf index b090219bd..ccd0d6254 100644 --- a/fast/stages/02-networking-vpn/landing.tf +++ b/fast/stages/02-networking-vpn/landing.tf 
@@ -48,23 +48,17 @@ module "landing-vpc" { name = "prod-landing-0" mtu = 1500 dns_policy = { - inbound = true - logging = false - outbound = null + inbound = true } # set explicit routes for googleapis in case the default route is deleted routes = { private-googleapis = { dest_range = "199.36.153.8/30" - priority = 1000 - tags = [] next_hop_type = "gateway" next_hop = "default-internet-gateway" } restricted-googleapis = { dest_range = "199.36.153.4/30" - priority = 1000 - tags = [] next_hop_type = "gateway" next_hop = "default-internet-gateway" } diff --git a/fast/stages/02-networking-vpn/spoke-dev.tf b/fast/stages/02-networking-vpn/spoke-dev.tf index e9ad6fbff..9fe6c480f 100644 --- a/fast/stages/02-networking-vpn/spoke-dev.tf +++ b/fast/stages/02-networking-vpn/spoke-dev.tf @@ -55,15 +55,11 @@ module "dev-spoke-vpc" { routes = { private-googleapis = { dest_range = "199.36.153.8/30" - priority = 1000 - tags = [] next_hop_type = "gateway" next_hop = "default-internet-gateway" } restricted-googleapis = { dest_range = "199.36.153.4/30" - priority = 1000 - tags = [] next_hop_type = "gateway" next_hop = "default-internet-gateway" } diff --git a/fast/stages/02-networking-vpn/spoke-prod.tf b/fast/stages/02-networking-vpn/spoke-prod.tf index 77a0e0879..8ff69a98c 100644 --- a/fast/stages/02-networking-vpn/spoke-prod.tf +++ b/fast/stages/02-networking-vpn/spoke-prod.tf @@ -55,15 +55,11 @@ module "prod-spoke-vpc" { routes = { private-googleapis = { dest_range = "199.36.153.8/30" - priority = 1000 - tags = [] next_hop_type = "gateway" next_hop = "default-internet-gateway" } restricted-googleapis = { dest_range = "199.36.153.4/30" - priority = 1000 - tags = [] next_hop_type = "gateway" next_hop = "default-internet-gateway" } diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md index 1791b1a3f..ef5705934 100644 --- a/modules/net-vpc/README.md +++ b/modules/net-vpc/README.md 
@@ -18,7 +18,7 @@ module "vpc" { ip_cidr_range = "10.0.0.0/24" name = "production" region = "europe-west1" - secondary_ip_range = { + secondary_ip_ranges = { pods = "172.16.0.0/20" services = "192.168.0.0/24" } @@ -27,7 +27,6 @@ module "vpc" { ip_cidr_range = "10.0.16.0/24" name = "production" region = "europe-west2" - secondary_ip_range = {} } ] } @@ -49,7 +48,6 @@ module "vpc-hub" { ip_cidr_range = "10.0.0.0/24" name = "subnet-1" region = "europe-west1" - secondary_ip_range = null }] } @@ -61,11 +59,9 @@ module "vpc-spoke-1" { ip_cidr_range = "10.0.1.0/24" name = "subnet-2" region = "europe-west1" - secondary_ip_range = null }] peering_config = { peer_vpc_self_link = module.vpc-hub.self_link - export_routes = false import_routes = true } } @@ -108,7 +104,7 @@ module "vpc-host" { local.service_project_1.project_id, local.service_project_2.project_id ] - iam = { + subnet_iam = { "europe-west1/subnet-1" = { "roles/compute.networkUser" = [ local.service_project_1.cloud_services_service_account, @@ -135,12 +131,10 @@ module "vpc" { ip_cidr_range = "10.0.0.0/24" name = "production" region = "europe-west1" - secondary_ip_range = null } ] psa_config = { ranges = { myrange = "10.0.1.0/24" } - routes = null } } # tftest modules=1 resources=5 @@ -160,12 +154,12 @@ module "vpc" { ip_cidr_range = "10.0.0.0/24" name = "production" region = "europe-west1" - secondary_ip_range = null } ] psa_config = { ranges = { myrange = "10.0.1.0/24" } - routes = { export=true, import=true } + export_routes = true + import_routes = true } } # tftest modules=1 resources=5 @@ -212,7 +206,6 @@ module "vpc" { name = "my-network" dns_policy = { inbound = true - logging = false outbound = { private_ns = ["10.0.0.1"] public_ns = ["8.8.8.8"] @@ -223,7 +216,6 @@ module "vpc" { ip_cidr_range = "10.0.0.0/24" name = "production" region = "europe-west1" - secondary_ip_range = {} } ] } 
@@ -250,11 +242,11 @@ region: europe-west1 description: Sample description ip_cidr_range: 10.0.0.0/24 # optional attributes -private_ip_google_access: false # defaults to true +enable_private_access: false # defaults to true iam_users: ["foobar@example.com"] # grant compute/networkUser to users iam_groups: ["lorem@example.com"] # grant compute/networkUser to groups iam_service_accounts: ["fbz@prj.iam.gserviceaccount.com"] -secondary_ip_range: # map of secondary ip ranges +secondary_ip_ranges: # map of secondary ip ranges secondary-range-a: 192.168.0.0/24 flow_logs: # enable, set to empty map to use defaults - aggregation_interval: "INTERVAL_5_SEC" 
@@ -267,31 +259,25 @@ flow_logs: # enable, set to empty map to use defaults | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [name](variables.tf#L85) | The name of the network being created. | string | ✓ | | -| [project_id](variables.tf#L106) | The ID of the project where this VPC will be created. | string | ✓ | | +| [name](variables.tf#L60) | The name of the network being created. | string | ✓ | | +| [project_id](variables.tf#L76) | The ID of the project where this VPC will be created. | string | ✓ | | | [auto_create_subnetworks](variables.tf#L17) | Set to true to create an auto mode subnet, defaults to custom mode. | bool | | false | | [data_folder](variables.tf#L23) | An optional folder containing the subnet configurations in YaML format. | string | | null | | [delete_default_routes_on_create](variables.tf#L29) | Set to true to delete the default routes at creation time. | bool | | false | | [description](variables.tf#L35) | An optional description of this resource (triggers recreation on change). | string | | "Terraform-managed." | -| [dns_policy](variables.tf#L41) | DNS policy setup for the VPC. | object({…}) | | null | -| [iam](variables.tf#L54) | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | map(map(list(string))) | | {} | -| [log_config_defaults](variables.tf#L60) | Default configuration for flow logs when enabled. | object({…}) | | {…} | -| [log_configs](variables.tf#L74) | Map keyed by subnet 'region/name' of optional configurations for flow logs when enabled. | map(map(string)) | | {} | -| [mtu](variables.tf#L80) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 and the maximum value is 1500 bytes. | | | null | -| [peering_config](variables.tf#L90) | VPC peering configuration. | object({…}) | | null | -| [peering_create_remote_end](variables.tf#L100) | Skip creation of peering on the remote end when using peering_config. 
| bool | | true | -| [psa_config](variables.tf#L111) | The Private Service Access configuration for Service Networking. | object({…}) | | null | -| [routes](variables.tf#L123) | Network routes, keyed by name. | map(object({…})) | | {} | -| [routing_mode](variables.tf#L135) | The network routing mode (default 'GLOBAL'). | string | | "GLOBAL" | -| [shared_vpc_host](variables.tf#L145) | Enable shared VPC for this project. | bool | | false | -| [shared_vpc_service_projects](variables.tf#L151) | Shared VPC service projects to register with this host. | list(string) | | [] | -| [subnet_descriptions](variables.tf#L157) | Optional map of subnet descriptions, keyed by subnet 'region/name'. | map(string) | | {} | -| [subnet_flow_logs](variables.tf#L163) | Optional map of boolean to control flow logs (default is disabled), keyed by subnet 'region/name'. | map(bool) | | {} | -| [subnet_private_access](variables.tf#L169) | Optional map of boolean to control private Google access (default is enabled), keyed by subnet 'region/name'. | map(bool) | | {} | -| [subnets](variables.tf#L175) | List of subnets being created. | list(object({…})) | | [] | -| [subnets_proxy_only](variables.tf#L186) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] | -| [subnets_psc](variables.tf#L197) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] | -| [vpc_create](variables.tf#L207) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool | | true | +| [dns_policy](variables.tf#L41) | DNS policy setup for the VPC. | object({…}) | | null | +| [mtu](variables.tf#L54) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 and the maximum value is 1500 bytes. | number | | null | +| [peering_config](variables.tf#L65) | VPC peering configuration. 
| object({…}) | | null |
+| [psa_config](variables.tf#L81) | The Private Service Access configuration for Service Networking. | object({…}) | | null |
+| [routes](variables.tf#L91) | Network routes, keyed by name. | map(object({…})) | | {} |
+| [routing_mode](variables.tf#L111) | The network routing mode (default 'GLOBAL'). | string | | "GLOBAL" |
+| [shared_vpc_host](variables.tf#L121) | Enable shared VPC for this project. | bool | | false |
+| [shared_vpc_service_projects](variables.tf#L127) | Shared VPC service projects to register with this host. | list(string) | | [] |
+| [subnet_iam](variables.tf#L133) | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | map(map(list(string))) | | {} |
+| [subnets](variables.tf#L139) | Subnet configuration. | list(object({…})) | | [] |
+| [subnets_proxy_only](variables.tf#L164) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] |
+| [subnets_psc](variables.tf#L176) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] |
+| [vpc_create](variables.tf#L186) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool | | true |
 ## Outputs
diff --git a/modules/net-vpc/main.tf b/modules/net-vpc/main.tf
index 18388e0c1..7eedc95ac 100644
--- a/modules/net-vpc/main.tf
+++ b/modules/net-vpc/main.tf
@@ -55,8 +55,12 @@ resource "google_compute_network_peering" "local" {
 }
 resource "google_compute_network_peering" "remote" {
- provider = google-beta
- count = var.peering_config != null && var.peering_create_remote_end ? 1 : 0
+ provider = google-beta
+ count = (
+ var.peering_config != null && try(var.peering_config.create_remote_peer, true)
+ ? 1
+ : 0
+ )
 name = "${local.peer_network}-${var.name}"
 network = var.peering_config.peer_vpc_self_link
 peer_network = local.network.self_link
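Review bot: The `try()` around `var.peering_config.create_remote_peer` in the new `count` expression is doing real work and deserves a comment, because HCL evaluates both operands of `&&` rather than short-circuiting, so without it a null `peering_config` would raise an attribute-on-null error even though the left operand is already false. The old code avoided this by keeping the flag in a separate variable, so the next maintainer may "simplify" the `try()` away. Suggest `# try() is the null guard: HCL does not short-circuit &&, and peering_config may be null` above `count = (`. The resource body continues outside the hunk.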
@@ -74,10 +78,10 @@ resource "google_compute_shared_vpc_host_project" "shared_vpc_host" {
 resource "google_compute_shared_vpc_service_project" "service_projects" {
 provider = google-beta
- for_each = (
+ for_each = toset(
 var.shared_vpc_host && var.shared_vpc_service_projects != null
- ? toset(var.shared_vpc_service_projects)
- : toset([])
+ ? var.shared_vpc_service_projects
+ : []
 )
 host_project = var.project_id
 service_project = each.value
@@ -86,19 +90,23 @@ resource "google_compute_shared_vpc_service_project" "service_projects" {
 resource "google_dns_policy" "default" {
 count = var.dns_policy == null ? 0 : 1
- enable_inbound_forwarding = var.dns_policy.inbound
- enable_logging = var.dns_policy.logging
- name = var.name
 project = var.project_id
+ name = var.name
+ enable_inbound_forwarding = try(var.dns_policy.inbound, null)
+ enable_logging = try(var.dns_policy.logging, null)
 networks {
 network_url = local.network.id
 }
 dynamic "alternative_name_server_config" {
- for_each = toset(var.dns_policy.outbound == null ? [] : [""])
+ for_each = var.dns_policy.outbound != null ? [""] : []
 content {
 dynamic "target_name_servers" {
- for_each = toset(var.dns_policy.outbound.private_ns)
+ for_each = (
+ var.dns_policy.outbound.private_ns != null
+ ? var.dns_policy.outbound.private_ns
+ : []
+ )
 iterator = ns
 content {
 ipv4_address = ns.key
@@ -106,7 +114,11 @@ resource "google_dns_policy" "default" {
 }
 }
 dynamic "target_name_servers" {
- for_each = toset(var.dns_policy.outbound.public_ns)
+ for_each = (
+ var.dns_policy.outbound.public_ns != null
+ ? var.dns_policy.outbound.public_ns
+ : []
+ )
 iterator = ns
 content {
 ipv4_address = ns.key
diff --git a/modules/net-vpc/psa.tf b/modules/net-vpc/psa.tf
index 4a10ca5c1..19c47d4d0 100644
--- a/modules/net-vpc/psa.tf
+++ b/modules/net-vpc/psa.tf
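Review bot: `enable_logging = try(var.dns_policy.logging, null)` leaves DNS query logging at the provider default (disabled) whenever a caller omits `logging`, and the `try()` hides that: `var.dns_policy` is already non-null at this point because of the `count` guard, so the only thing being caught is an `optional(bool)` attribute resolving to null; the same holds for `enable_inbound_forwarding`. DNS query logs are a routine detection source, so the fallback should be visible where it happens: `enable_logging = var.dns_policy.logging # null -> provider default (disabled); set logging = true to keep query logs`. The resource continues outside the hunk.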
@@ -17,15 +17,11 @@
 # tfdoc:file:description Private Service Access resources.
 locals {
- psa_config = (
- var.psa_config == null
- ? { ranges = {}, routes = null }
- : var.psa_config
- )
+ psa_config_ranges = try(var.psa_config.ranges, {})
 }
 resource "google_compute_global_address" "psa_ranges" {
- for_each = local.psa_config.ranges
+ for_each = local.psa_config_ranges
 project = var.project_id
 name = each.key
 purpose = "VPC_PEERING"
@@ -36,7 +32,7 @@ resource "google_compute_global_address" "psa_ranges" {
 }
 resource "google_service_networking_connection" "psa_connection" {
- for_each = var.psa_config == null ? {} : { 1 = 1 }
+ for_each = var.psa_config != null ? { 1 = 1 } : {}
 network = local.network.id
 service = "servicenetworking.googleapis.com"
 reserved_peering_ranges = [
@@ -45,10 +41,10 @@ resource "google_service_networking_connection" "psa_connection" {
 }
 resource "google_compute_network_peering_routes_config" "psa_routes" {
- for_each = var.psa_config == null ? {} : { 1 = 1 }
+ for_each = var.psa_config != null ? { 1 = 1 } : {}
 project = var.project_id
 peering = google_service_networking_connection.psa_connection["1"].peering
 network = local.network.name
- export_custom_routes = try(var.psa_config.routes.export, false)
- import_custom_routes = try(var.psa_config.routes.import, false)
+ export_custom_routes = var.psa_config.export_routes
+ import_custom_routes = var.psa_config.import_routes
 }
diff --git a/modules/net-vpc/subnets.tf b/modules/net-vpc/subnets.tf
index 02576e8e1..0496405ba 100644
--- a/modules/net-vpc/subnets.tf
+++ b/modules/net-vpc/subnets.tf
@@ -21,11 +21,19 @@ locals { for f in fileset(var.data_folder, "**/*.yaml") : trimsuffix(basename(f), ".yaml") => yamldecode(file("${var.data_folder}/${f}")) } - _factory_descriptions = { - for k, v in local._factory_data : - "${v.region}/${k}" => try(v.description, null) + _factory_subnets = { + for k, v in local._factory_data : "${v.region}/${k}" => { + name = k + ip_cidr_range = v.ip_cidr_range + region = v.region + description = try(v.description, null) + enable_private_access = try(v.enable_private_access, true) + flow_logs_config = try(v.flow_logs, null) + ipv6 = try(v.ipv6, null) + secondary_ip_ranges = try(v.secondary_ip_ranges, null) + } } - _factory_iam_members = [ + _factory_subnets_iam = [ for k, v in local._factory_subnets : { subnet = k role = "roles/compute.networkUser" @@ -36,32 +44,8 @@ locals { ) } ] - _factory_flow_logs = { - for k, v in local._factory_data : "${v.region}/${k}" => merge( - var.log_config_defaults, try(v.flow_logs, {}) - ) if try(v.flow_logs, null) != null - } - _factory_private_access = { - for k, v in local._factory_data : "${v.region}/${k}" => try( - v.private_ip_google_access, true - ) - } - _factory_subnets = { - for k, v in local._factory_data : "${v.region}/${k}" => { - ip_cidr_range = v.ip_cidr_range - name = k - region = v.region - secondary_ip_range = try(v.secondary_ip_range, {}) - } - } - _iam = var.iam == null ? {} : var.iam - _subnet_flow_logs = { - for k, v in var.subnet_flow_logs : k => merge( - var.log_config_defaults, try(var.log_configs[k], {}) - ) - } _subnet_iam_members = flatten([ - for subnet, roles in local._iam : [ + for subnet, roles in(var.subnet_iam == null ? {} : var.subnet_iam) : [ for role, members in roles : { members = members role = role 
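Review bot: `flow_logs_config = try(v.flow_logs, null)` passes the raw YAML map into `local._factory_subnets` untyped, whereas `var.subnets` entries go through the `optional(...)` object type and arrive with every flow-log attribute present (null when unset). The subnetwork resource later in this diff reads `flow_logs_config.filter_expression`, `.metadata_fields` and the other keys directly, so a factory file whose `flow_logs:` map omits any of them, or uses the empty map the README describes as "use defaults", fails at plan time with an unsupported-attribute error instead of applying defaults. Normalise the factory entry to the same shape as the typed variable so both paths behave alike:
```hcl
  _factory_subnets = {
    for k, v in local._factory_data : "${v.region}/${k}" => {
      # … unchanged: name, ip_cidr_range, region, description, enable_private_access …
      flow_logs_config = try(v.flow_logs, null) == null ? null : {
        aggregation_interval = try(v.flow_logs.aggregation_interval, null)
        filter_expression    = try(v.flow_logs.filter_expression, null)
        flow_sampling        = try(v.flow_logs.flow_sampling, null)
        metadata             = try(v.flow_logs.metadata, null)
        metadata_fields      = try(v.flow_logs.metadata_fields, null)
      }
      # … unchanged: ipv6, secondary_ip_ranges …
    }
  }
```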
@@ -69,19 +53,10 @@ locals { } ] ]) - subnet_descriptions = merge( - local._factory_descriptions, var.subnet_descriptions - ) subnet_iam_members = concat( - [for k in local._factory_iam_members : k if length(k.members) > 0], + [for k in local._factory_subnets_iam : k if length(k.members) > 0], local._subnet_iam_members ) - subnet_flow_logs = merge( - local._factory_flow_logs, local._subnet_flow_logs - ) - subnet_private_access = merge( - local._factory_private_access, var.subnet_private_access - ) subnets = merge( { for subnet in var.subnets : "${subnet.region}/${subnet.name}" => subnet }, local._factory_subnets 
@@ -97,33 +72,30 @@ locals {
 }
 resource "google_compute_subnetwork" "subnetwork" {
- for_each = local.subnets
- project = var.project_id
- network = local.network.name
- region = each.value.region
- name = each.value.name
- ip_cidr_range = each.value.ip_cidr_range
- secondary_ip_range = each.value.secondary_ip_range == null ? [] : [
- for name, range in each.value.secondary_ip_range :
+ for_each = local.subnets
+ project = var.project_id
+ network = local.network.name
+ name = each.value.name
+ region = each.value.region
+ ip_cidr_range = each.value.ip_cidr_range
+ description = try(each.value.description, "Terraform-managed.")
+ private_ip_google_access = each.value.enable_private_access
+ secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
+ for name, range in each.value.secondary_ip_ranges :
 { range_name = name, ip_cidr_range = range }
 ]
- description = lookup(
- local.subnet_descriptions, each.key, "Terraform-managed."
- )
- private_ip_google_access = lookup(
- local.subnet_private_access, each.key, true
- )
 dynamic "log_config" {
- for_each = toset(
- try(local.subnet_flow_logs[each.key], {}) != {}
- ? [local.subnet_flow_logs[each.key]]
- : []
- )
- iterator = config
+ for_each = each.value.flow_logs_config != null ? [""] : []
 content {
- aggregation_interval = config.value.aggregation_interval
- flow_sampling = config.value.flow_sampling
- metadata = config.value.metadata
+ aggregation_interval = each.value.flow_logs_config.aggregation_interval
+ filter_expr = each.value.flow_logs_config.filter_expression
+ flow_sampling = each.value.flow_logs_config.flow_sampling
+ metadata = each.value.flow_logs_config.metadata
+ metadata_fields = (
+ each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
+ ? each.value.flow_logs_config.metadata_fields
+ : null
+ )
 }
 }
 }
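Review bot: `description = try(each.value.description, "Terraform-managed.")` never applies its default for `var.subnets` entries, because `description` is now a typed `optional(string)` that resolves to null rather than raising an error, and `try()` only substitutes on errors; the `lookup(..., "Terraform-managed.")` it replaces did apply it. Use `description = coalesce(each.value.description, "Terraform-managed.")`, and the same `coalesce` for the proxy-only and PSC subnets in the next hunk, which have the identical `try(each.value.description, ...)` shape. The factory path already yielded null for a subnet without a description before this change, so only the typed-variable path regresses.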
@@ -132,33 +104,31 @@ resource "google_compute_subnetwork" "proxy_only" { for_each = local.subnets_proxy_only project = var.project_id network = local.network.name - region = each.value.region name = each.value.name + region = each.value.region ip_cidr_range = each.value.ip_cidr_range - purpose = "REGIONAL_MANAGED_PROXY" + description = try( + each.value.description, + "Terraform-managed proxy-only subnet for Regional HTTPS or Internal HTTPS LB." + ) + purpose = "REGIONAL_MANAGED_PROXY" role = ( each.value.active || each.value.active == null ? "ACTIVE" : "BACKUP" ) - description = lookup( - local.subnet_descriptions, - "${each.value.region}/${each.value.name}", - "Terraform-managed proxy-only subnet for Regional HTTPS or Internal HTTPS LB." - ) } resource "google_compute_subnetwork" "psc" { for_each = local.subnets_psc project = var.project_id network = local.network.name - region = each.value.region name = each.value.name + region = each.value.region ip_cidr_range = each.value.ip_cidr_range - purpose = "PRIVATE_SERVICE_CONNECT" - description = lookup( - local.subnet_descriptions, - "${each.value.region}/${each.value.name}", + description = try( + each.value.description, "Terraform-managed subnet for Private Service Connect (PSC NAT)." ) + purpose = "PRIVATE_SERVICE_CONNECT" } resource "google_compute_subnetwork_iam_binding" "binding" { diff --git a/modules/net-vpc/variables.tf b/modules/net-vpc/variables.tf index 16b40eec9..1a2925c08 100644 --- a/modules/net-vpc/variables.tf +++ b/modules/net-vpc/variables.tf 
@@ -41,44 +41,19 @@ variable "description" {
 variable "dns_policy" {
 description = "DNS policy setup for the VPC."
 type = object({
- inbound = bool
- logging = bool
- outbound = object({
+ inbound = optional(bool)
+ logging = optional(bool)
+ outbound = optional(object({
 private_ns = list(string)
 public_ns = list(string)
- })
+ }))
 })
 default = null
 }
-variable "iam" {
- description = "Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format."
- type = map(map(list(string)))
- default = {}
-}
-
-variable "log_config_defaults" {
- description = "Default configuration for flow logs when enabled."
- type = object({
- aggregation_interval = string
- flow_sampling = number
- metadata = string
- })
- default = {
- aggregation_interval = "INTERVAL_5_SEC"
- flow_sampling = 0.5
- metadata = "INCLUDE_ALL_METADATA"
- }
-}
-
-variable "log_configs" {
- description = "Map keyed by subnet 'region/name' of optional configurations for flow logs when enabled."
- type = map(map(string))
- default = {}
-}
-
 variable "mtu" {
 description = "Maximum Transmission Unit in bytes. The minimum value for this field is 1460 and the maximum value is 1500 bytes."
+ type = number
 default = null
 }
@@ -91,18 +66,13 @@ variable "peering_config" {
 description = "VPC peering configuration."
 type = object({
 peer_vpc_self_link = string
- export_routes = bool
- import_routes = bool
+ create_remote_peer = optional(bool, true)
+ export_routes = optional(bool)
+ import_routes = optional(bool)
 })
 default = null
 }
-variable "peering_create_remote_end" {
- description = "Skip creation of peering on the remote end when using peering_config."
- type = bool
- default = true
-}
-
 variable "project_id" {
 description = "The ID of the project where this VPC will be created."
 type = string
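Review bot: `logging = optional(bool)` in `dns_policy` makes DNS query logging disappear silently when the attribute is omitted: it resolves to null, the provider's default for a null `enable_logging` is off, and the FAST stages in this same commit delete their explicit `logging = false` lines on exactly that basis. Because this is a detection data source, the module's own default should be explicit and documented rather than inherited: `logging = optional(bool, false)` together with a description such as `DNS policy setup for the VPC. Query logging is disabled unless logging = true.` The same consideration applies to `inbound`, whose null now means inbound forwarding off.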
@@ -111,11 +81,9 @@ variable "project_id" {
 variable "psa_config" {
 description = "The Private Service Access configuration for Service Networking."
 type = object({
- ranges = map(string)
- routes = object({
- export = bool
- import = bool
- })
+ ranges = map(string)
+ export_routes = optional(bool, false)
+ import_routes = optional(bool, false)
 })
 default = null
 }
@@ -124,12 +92,20 @@ variable "routes" {
 description = "Network routes, keyed by name."
 type = map(object({
 dest_range = string
- priority = number
- tags = list(string)
 next_hop_type = string # gateway, instance, ip, vpn_tunnel, ilb
 next_hop = string
+ priority = optional(number)
+ tags = optional(list(string))
 }))
- default = {}
+ default = {}
+ nullable = false
+ validation {
+ condition = alltrue([
+ for r in var.routes :
+ contains(["gateway", "instance", "ip", "vpn_tunnel", "ilb"], r.next_hop_type)
+ ])
+ error_message = "Unsupported next hop type for route."
+ }
 }
 variable "routing_mode" {
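Review bot: `priority = optional(number)` and `tags = optional(list(string))` in `routes` now resolve to null, which the FAST stages in this commit rely on by deleting their `priority = 1000` lines, but nothing in the variable says what null means for either; add `priority = optional(number) # null -> provider default (1000)` and `tags = optional(list(string)) # null -> route applies to all instances in the network` so the trade-off of leaving a route unscoped is visible at the declaration. The new `validation` block also hard-codes the same list that lives in the `# gateway, instance, ip, vpn_tunnel, ilb` comment on `next_hop_type`; keep one source of truth by dropping the comment and letting `error_message` name the accepted values.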
@@ -154,31 +130,33 @@ variable "shared_vpc_service_projects" { default = [] } -variable "subnet_descriptions" { - description = "Optional map of subnet descriptions, keyed by subnet 'region/name'." - type = map(string) - default = {} -} - -variable "subnet_flow_logs" { - description = "Optional map of boolean to control flow logs (default is disabled), keyed by subnet 'region/name'." - type = map(bool) - default = {} -} - -variable "subnet_private_access" { - description = "Optional map of boolean to control private Google access (default is enabled), keyed by subnet 'region/name'." - type = map(bool) +variable "subnet_iam" { + description = "Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format." + type = map(map(list(string))) default = {} } variable "subnets" { - description = "List of subnets being created." + description = "Subnet configuration." type = list(object({ - name = string - ip_cidr_range = string - region = string - secondary_ip_range = map(string) + name = string + ip_cidr_range = string + region = string + description = optional(string) + enable_private_access = optional(bool, true) + flow_logs_config = optional(object({ + aggregation_interval = optional(string) + filter_expression = optional(string) + flow_sampling = optional(number) + metadata = optional(string) + # only if metadata == "CUSTOM_METADATA" + metadata_fields = optional(list(string)) + })) + ipv6 = optional(object({ + access_type = optional(string) + enable_private_access = optional(bool, true) + })) + secondary_ip_ranges = optional(map(string)) })) default = [] } @@ -186,10 +164,11 @@ variable "subnets" { variable "subnets_proxy_only" { description = "List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active." type = list(object({ - active = bool name = string ip_cidr_range = string region = string + description = optional(string) + active = bool })) default = [] } 
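Review bot: The new `ipv6` object in `subnets` (`access_type`, `enable_private_access`) is accepted by the type and collected by the factory, but nothing in this diff maps it onto `google_compute_subnetwork`: the subnetwork hunk in subnets.tf sets no `stack_type`, `ipv6_access_type` or `private_ipv6_google_access`. A caller writing `ipv6 = { enable_private_access = false }` therefore gets a clean plan with no IPv6 configuration and no error, which is worse than a rejected input. Either wire the attribute through in this commit or flag it where it is declared, `ipv6 = optional(object({ # not yet applied to the subnetwork resource`, until it is.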
diff --git a/tests/modules/net_vpc/fixture/data/factory-subnet.yaml b/tests/modules/net_vpc/fixture/data/factory-subnet.yaml index 03bd1f989..d0f4bd8f1 100644 --- a/tests/modules/net_vpc/fixture/data/factory-subnet.yaml +++ b/tests/modules/net_vpc/fixture/data/factory-subnet.yaml @@ -15,9 +15,9 @@ region: europe-west1 description: Sample description ip_cidr_range: 10.128.0.0/24 -private_ip_google_access: false +enable_private_access: false iam_users: ["foobar@example.com"] iam_groups: ["lorem@example.com"] iam_service_accounts: ["foobar@project-id.iam.gserviceaccount.com"] -secondary_ip_range: +secondary_ip_ranges: secondary-range-a: 192.168.128.0/24 diff --git a/tests/modules/net_vpc/fixture/main.tf b/tests/modules/net_vpc/fixture/main.tf index 444906f19..f0e4696e0 100644 --- a/tests/modules/net_vpc/fixture/main.tf +++ b/tests/modules/net_vpc/fixture/main.tf @@ -16,19 +16,14 @@ module "test" { source = "../../../../modules/net-vpc" - project_id = var.project_id - name = var.name - iam = var.iam - log_configs = var.log_configs - log_config_defaults = var.log_config_defaults + project_id = "test-project" + name = "test" peering_config = var.peering_config routes = var.routes shared_vpc_host = var.shared_vpc_host shared_vpc_service_projects = var.shared_vpc_service_projects + subnet_iam = var.subnet_iam subnets = var.subnets - subnet_descriptions = var.subnet_descriptions - subnet_flow_logs = var.subnet_flow_logs - subnet_private_access = var.subnet_private_access auto_create_subnetworks = var.auto_create_subnetworks psa_config = var.psa_config data_folder = var.data_folder diff --git a/tests/modules/net_vpc/fixture/variables.tf b/tests/modules/net_vpc/fixture/variables.tf index 8cf433760..868966c8b 100644 --- a/tests/modules/net_vpc/fixture/variables.tf +++ b/tests/modules/net_vpc/fixture/variables.tf 
@@ -14,110 +14,88 @@ * limitations under the License. */ -variable "project_id" { - type = string - default = "my-project" -} - -variable "name" { - type = string - default = "my-vpc" -} - variable "auto_create_subnetworks" { type = bool default = false } -variable "iam" { - type = map(map(set(string))) +variable "data_folder" { + type = string default = null } -variable "log_configs" { +variable "delete_default_routes_on_create" { + type = bool + default = false +} + +variable "description" { + type = string + default = "Terraform-managed." +} + +variable "dns_policy" { type = any default = null } -variable "log_config_defaults" { - type = any - default = { - aggregation_interval = "INTERVAL_5_SEC" - flow_sampling = 0.5 - metadata = "INCLUDE_ALL_METADATA" - } +variable "mtu" { + type = number + default = null } variable "peering_config" { - type = object({ - peer_vpc_self_link = string - export_routes = bool - import_routes = bool - }) + type = any default = null } variable "psa_config" { - description = "The Private Service Access configuration." - type = any - default = null -} - -variable "routes" { type = any default = null } +variable "routes" { + type = any + default = {} + nullable = false +} + variable "routing_mode" { - description = "The network routing mode (default 'GLOBAL')." - type = string - default = "GLOBAL" + type = string + default = "GLOBAL" } variable "shared_vpc_host" { - description = "Enable shared VPC for this project." - type = bool - default = false + type = bool + default = false } variable "shared_vpc_service_projects" { - description = "Shared VPC service projects to register with this host." - type = list(string) - default = [] + type = list(string) + default = [] } variable "subnets" { - description = "The list of subnets being created." - type = any - default = [] + type = any + default = [] } -variable "subnet_descriptions" { - description = "Optional map of subnet descriptions, keyed by subnet name." 
- type = map(string) - default = {} +variable "subnet_iam" { + type = map(map(list(string))) + default = {} } -variable "subnet_flow_logs" { - description = "Optional map of boolean to control flow logs (default is disabled), keyed by subnet name." - type = map(bool) - default = {} +variable "subnets_proxy_only" { + type = any + default = [] } -variable "subnet_private_access" { - description = "Optional map of boolean to control private Google access (default is enabled), keyed by subnet name." - type = map(bool) - default = {} +variable "subnets_psc" { + type = any + default = [] } -variable "private_service_networking_range" { - description = "RFC1919 CIDR range used for Google services that support private service networking." - type = string - default = null -} - -variable "data_folder" { - description = "An optional folder containing the subnet configurations in YaML format." - type = string - default = null +variable "vpc_create" { + type = bool + default = true } diff --git a/tests/modules/net_vpc/test_plan.py b/tests/modules/net_vpc/test_plan.py index 6b3267149..2f49f801b 100644 --- a/tests/modules/net_vpc/test_plan.py +++ b/tests/modules/net_vpc/test_plan.py 
@@ -12,23 +12,19 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-_VAR_PEER_VPC_CONFIG = (
- '{'
- 'peer_vpc_self_link="projects/my-project/global/networks/my-peer-vpc", '
- 'export_routes=true, import_routes=null'
- '}'
-)
-_VAR_ROUTES_TEMPLATE = (
- '{'
- ' next-hop-test = {'
- ' dest_range="192.168.128.0/24", priority=1000, tags=null, '
- ' next_hop_type="%s", next_hop="%s"},'
- ' gateway-test = {'
- ' dest_range="0.0.0.0/0", priority=100, tags=["tag-a"], '
- ' next_hop_type="gateway", '
- ' next_hop="global/gateways/default-internet-gateway"}'
- '}'
-)
+_VAR_PEER_VPC_CONFIG = '''{
+ peer_vpc_self_link="projects/my-project/global/networks/peer",
+ export_routes=true, import_routes=null
+}'''
+_VAR_ROUTES_TEMPLATE = '''{
+ next-hop = {
+ dest_range="192.168.128.0/24", tags=null,
+ next_hop_type="%s", next_hop="%s"},
+ gateway = {
+ dest_range="0.0.0.0/0", priority=100, tags=["tag-a"],
+ next_hop_type="gateway",
+ next_hop="global/gateways/default-internet-gateway"}
+}'''
 _VAR_ROUTES_NEXT_HOPS = {
 'gateway': 'global/gateways/default-internet-gateway',
 'instance': 'zones/europe-west1-b/test',
@@ -43,8 +39,8 @@ def test_vpc_simple(plan_runner):
 _, resources = plan_runner()
 assert len(resources) == 1
 assert [r['type'] for r in resources] == ['google_compute_network']
- assert [r['values']['name'] for r in resources] == ['my-vpc']
- assert [r['values']['project'] for r in resources] == ['my-project']
+ assert [r['values']['name'] for r in resources] == ['test']
+ assert [r['values']['project'] for r in resources] == ['test-project']
 def test_vpc_shared(plan_runner):
@@ -62,13 +58,14 @@ def test_vpc_peering(plan_runner):
 "Test vpc peering variables."
 _, resources = plan_runner(peering_config=_VAR_PEER_VPC_CONFIG)
 assert len(resources) == 3
- assert set(r['type'] for r in resources) == set([
- 'google_compute_network', 'google_compute_network_peering'
- ])
- peerings = [r['values']
- for r in resources if r['type'] == 'google_compute_network_peering']
- assert [p['name'] for p in peerings] == [
- 'my-vpc-my-peer-vpc', 'my-peer-vpc-my-vpc']
+ assert set(r['type'] for r in resources) == set(
+ ['google_compute_network', 'google_compute_network_peering'])
+ peerings = [
+ r['values']
+ for r in resources
+ if r['type'] == 'google_compute_network_peering'
+ ]
+ assert [p['name'] for p in peerings] == ['test-peer', 'peer-test']
 assert [p['export_custom_routes'] for p in peerings] == [True, False]
 assert [p['import_custom_routes'] for p in peerings] == [False, True]
@@ -79,6 +76,6 @@ def test_vpc_routes(plan_runner):
 _var_routes = _VAR_ROUTES_TEMPLATE % (next_hop_type, next_hop)
 _, resources = plan_runner(routes=_var_routes)
 assert len(resources) == 3
- resource = [r for r in resources if r['values']
- ['name'] == 'my-vpc-next-hop-test'][0]
+ resource = [r for r in resources if r['values']['name'] == 'test-next-hop'
+ ][0]
 assert resource['values']['next_hop_%s' % next_hop_type]
diff --git a/tests/modules/net_vpc/test_plan_psa.py b/tests/modules/net_vpc/test_plan_psa.py
index cec1fc040..359977d65 100644
--- a/tests/modules/net_vpc/test_plan_psa.py
+++ b/tests/modules/net_vpc/test_plan_psa.py
@@ -35,11 +35,9 @@ def test_routes_export(plan_runner):
 psa_config = '''{
 ranges = {
 bar = "172.16.100.0/24"
- },
- routes = {
- export = true
- import = false
 }
+ export_routes = true
+ import_routes = false
 }'''
 _, resources = plan_runner(psa_config=psa_config)
 assert len(resources) == 4
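Review bot: The rewritten lookup in `test_vpc_routes` still feeds a truthiness-only check, `assert resource['values']['next_hop_%s' % next_hop_type]`, so any non-empty value in the right attribute passes even if the module rewrote or mis-mapped the next hop self link. Since the loop already has the input in hand, pinning it is one change: `assert resource['values']['next_hop_%s' % next_hop_type] == next_hop` — this assumes the module passes the value through unchanged, which the plan output should confirm before tightening. The `for next_hop_type, next_hop in _VAR_ROUTES_NEXT_HOPS.items()` loop enclosing these lines starts outside the hunk.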
@@ -55,10 +53,8 @@ def test_routes_import(plan_runner):
 ranges = {
 bar = "172.16.100.0/24"
 },
- routes = {
- export = false
- import = true
- }
+ export_routes = false
+ import_routes = true
 }'''
 _, resources = plan_runner(psa_config=psa_config)
 for r in resources:
@@ -73,10 +69,8 @@ def test_routes_export_import(plan_runner):
 ranges = {
 bar = "172.16.100.0/24"
 },
- routes = {
- export = true
- import = true
- }
+ export_routes = true
+ import_routes = true
 }'''
 _, resources = plan_runner(psa_config=psa_config)
 for r in resources:
diff --git a/tests/modules/net_vpc/test_plan_subnets.py b/tests/modules/net_vpc/test_plan_subnets.py
index 992d4a98b..266d46de2 100644
--- a/tests/modules/net_vpc/test_plan_subnets.py
+++ b/tests/modules/net_vpc/test_plan_subnets.py
@@ -12,73 +12,87 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-_VAR_SUBNETS = (
- '[ '
- '{name = "a", region = "europe-west1", ip_cidr_range = "10.0.0.0/24",'
- ' secondary_ip_range=null},'
- '{name = "b", region = "europe-west1", ip_cidr_range = "10.0.1.0/24",'
- ' secondary_ip_range=null},'
- '{name = "c", region = "europe-west1", ip_cidr_range = "10.0.2.0/24",'
- ' secondary_ip_range={a="192.168.0.0/24", b="192.168.1.0/24"}},'
- ']')
-
-_VAR_DATA_FOLDER = "data"
+DATA_FOLDER = "data"
+SUBNET_IAM = '''{
+ "europe-west1/a" = {
+ "roles/compute.networkUser" = ["user:a@example.com", "group:g-a@example.com"]
+ }
+ "europe-west1/c" = {
+ "roles/compute.networkUser" = ["user:c@example.com", "group:g-c@example.com"]
+ }
+}'''
+SUBNETS = '''[
+ {
+ name = "a", region = "europe-west1", ip_cidr_range = "10.0.0.0/24"
+ },
+ {
+ name = "b", region = "europe-west1", ip_cidr_range = "10.0.1.0/24",
+ description="Subnet b", enable_private_access=false
+ },
+ {
+ name = "c", region = "europe-west1", ip_cidr_range = "10.0.2.0/24",
+ secondary_ip_ranges={a="192.168.0.0/24", b="192.168.1.0/24"}
+ },
+ {
+ name = "d", region = "europe-west1", ip_cidr_range = "10.0.3.0/24",
+ flow_logs_config = {
+ flow_sampling = 0.5, aggregation_interval = "INTERVAL_10_MIN"
+ }
+ },
+]'''
 def test_subnet_factory(plan_runner):
 "Test subnet factory."
- _, resources = plan_runner(data_folder=_VAR_DATA_FOLDER)
+ _, resources = plan_runner(data_folder=DATA_FOLDER)
 assert len(resources) == 3
 subnets = [
 r['values'] for r in resources if r['type'] == 'google_compute_subnetwork'
 ]
 assert {s['name'] for s in subnets} == {'factory-subnet', 'factory-subnet2'}
 assert {len(s['secondary_ip_range']) for s in subnets} == {0, 1}
+ assert {s['private_ip_google_access'] for s in subnets} == {True, False}
-def test_subnets_simple(plan_runner):
+def test_subnets(plan_runner):
 "Test subnets variable."
- _, resources = plan_runner(subnets=_VAR_SUBNETS)
- assert len(resources) == 4
+ _, resources = plan_runner(subnet_iam=SUBNET_IAM, subnets=SUBNETS)
+ assert len(resources) == 7
 subnets = [
 r['values'] for r in resources if r['type'] == 'google_compute_subnetwork'
 ]
- assert {s['name'] for s in subnets} == {'a', 'b', 'c'}
- assert {len(s['secondary_ip_range']) for s in subnets} == {0, 0, 2}
-
-
-def test_subnet_log_configs(plan_runner):
- "Test subnets flow logs configuration and defaults."
- log_config = '{"europe-west1/a" = { flow_sampling = 0.1 }}'
- log_config_defaults = (
- '{aggregation_interval = "INTERVAL_10_MIN", flow_sampling = 0.5, '
- 'metadata = "INCLUDE_ALL_METADATA"}')
- subnet_flow_logs = '{"europe-west1/a"=true, "europe-west1/b"=true}'
- _, resources = plan_runner(subnets=_VAR_SUBNETS, log_configs=log_config,
- log_config_defaults=log_config_defaults,
- subnet_flow_logs=subnet_flow_logs)
- assert len(resources) == 4
- flow_logs = {}
- for r in resources:
- if r['type'] != 'google_compute_subnetwork':
- continue
- flow_logs[r['values']['name']] = [{
- key: config[key] for key in config.keys() &
- {'aggregation_interval', 'flow_sampling', 'metadata'}
- } for config in r['values']['log_config']]
- assert flow_logs == {
- # enable, override one default option
- 'a': [{
- 'aggregation_interval': 'INTERVAL_10_MIN',
- 'flow_sampling': 0.1,
- 'metadata': 'INCLUDE_ALL_METADATA'
- }],
- # enable, use defaults
- 'b': [{
+ assert {s['name'] for s in subnets} == {'a', 'b', 'c', 'd'}
+ assert {len(s['secondary_ip_range']) for s in subnets} == {0, 0, 2, 0}
+ log_config = {s['name']: s['log_config'] for s in subnets if s['log_config']}
+ assert log_config == {
+ 'd': [{
 'aggregation_interval': 'INTERVAL_10_MIN',
+ 'filter_expr': 'true',
 'flow_sampling': 0.5,
- 'metadata': 'INCLUDE_ALL_METADATA'
- }],
- # don't enable
- 'c': []
+ 'metadata': 'INCLUDE_ALL_METADATA',
+ 'metadata_fields': None
+ }]
+ }
+ bindings = {
+ r['index']: r['values']
+ for r in resources
+ if 
r['type'] == 'google_compute_subnetwork_iam_binding'
+ }
+ assert bindings == {
+ 'europe-west1/a.roles/compute.networkUser': {
+ 'condition': [],
+ 'members': ['group:g-a@example.com', 'user:a@example.com'],
+ 'project': 'test-project',
+ 'region': 'europe-west1',
+ 'role': 'roles/compute.networkUser',
+ 'subnetwork': 'a'
+ },
+ 'europe-west1/c.roles/compute.networkUser': {
+ 'condition': [],
+ 'members': ['group:g-c@example.com', 'user:c@example.com'],
+ 'project': 'test-project',
+ 'region': 'europe-west1',
+ 'role': 'roles/compute.networkUser',
+ 'subnetwork': 'c'
+ },
+ }
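Review bot: `test_subnets` sets `enable_private_access=false` on subnet `b` in the new SUBNETS fixture but never asserts the resulting `private_ip_google_access`, so a module regression that ignores the flag or flips the default would still pass; the factory test above only checks the unordered set `{True, False}`, which cannot tell which subnet lost private access. Private Google Access decides whether workloads without external IPs can reach Google APIs over the internal path, so it is worth pinning per subnet next to the `secondary_ip_range` assertion: `assert {s['name']: s['private_ip_google_access'] for s in subnets} == {'a': True, 'b': False, 'c': True, 'd': True}` (this assumes the module keeps private access enabled by default, which the hunk does not show — adjust the expected values if the default differs). For the same reason the factory assertion would be stronger as a name-keyed dict rather than a set, once it is known which of the two data-folder subnets disables it.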