Refactor net-vpc module for Terraform 1.3 (#880)
* module tests pass * doc examples * refactor blueprints * fast stages * fix comment typo * fix module factory test
committed by
GitHub
parent
1ead60122d
commit
4fa1dc431d
@@ -18,7 +18,7 @@ module "vpc" {
|
||||
ip_cidr_range = "10.0.0.0/24"
|
||||
name = "production"
|
||||
region = "europe-west1"
|
||||
secondary_ip_range = {
|
||||
secondary_ip_ranges = {
|
||||
pods = "172.16.0.0/20"
|
||||
services = "192.168.0.0/24"
|
||||
}
|
||||
@@ -27,7 +27,6 @@ module "vpc" {
|
||||
ip_cidr_range = "10.0.16.0/24"
|
||||
name = "production"
|
||||
region = "europe-west2"
|
||||
secondary_ip_range = {}
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -49,7 +48,6 @@ module "vpc-hub" {
|
||||
ip_cidr_range = "10.0.0.0/24"
|
||||
name = "subnet-1"
|
||||
region = "europe-west1"
|
||||
secondary_ip_range = null
|
||||
}]
|
||||
}
|
||||
|
||||
@@ -61,11 +59,9 @@ module "vpc-spoke-1" {
|
||||
ip_cidr_range = "10.0.1.0/24"
|
||||
name = "subnet-2"
|
||||
region = "europe-west1"
|
||||
secondary_ip_range = null
|
||||
}]
|
||||
peering_config = {
|
||||
peer_vpc_self_link = module.vpc-hub.self_link
|
||||
export_routes = false
|
||||
import_routes = true
|
||||
}
|
||||
}
|
||||
@@ -108,7 +104,7 @@ module "vpc-host" {
|
||||
local.service_project_1.project_id,
|
||||
local.service_project_2.project_id
|
||||
]
|
||||
iam = {
|
||||
subnet_iam = {
|
||||
"europe-west1/subnet-1" = {
|
||||
"roles/compute.networkUser" = [
|
||||
local.service_project_1.cloud_services_service_account,
|
||||
@@ -135,12 +131,10 @@ module "vpc" {
|
||||
ip_cidr_range = "10.0.0.0/24"
|
||||
name = "production"
|
||||
region = "europe-west1"
|
||||
secondary_ip_range = null
|
||||
}
|
||||
]
|
||||
psa_config = {
|
||||
ranges = { myrange = "10.0.1.0/24" }
|
||||
routes = null
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=5
|
||||
@@ -160,12 +154,12 @@ module "vpc" {
|
||||
ip_cidr_range = "10.0.0.0/24"
|
||||
name = "production"
|
||||
region = "europe-west1"
|
||||
secondary_ip_range = null
|
||||
}
|
||||
]
|
||||
psa_config = {
|
||||
ranges = { myrange = "10.0.1.0/24" }
|
||||
routes = { export=true, import=true }
|
||||
export_routes = true
|
||||
import_routes = true
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=5
|
||||
@@ -212,7 +206,6 @@ module "vpc" {
|
||||
name = "my-network"
|
||||
dns_policy = {
|
||||
inbound = true
|
||||
logging = false
|
||||
outbound = {
|
||||
private_ns = ["10.0.0.1"]
|
||||
public_ns = ["8.8.8.8"]
|
||||
@@ -223,7 +216,6 @@ module "vpc" {
|
||||
ip_cidr_range = "10.0.0.0/24"
|
||||
name = "production"
|
||||
region = "europe-west1"
|
||||
secondary_ip_range = {}
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -250,11 +242,11 @@ region: europe-west1
|
||||
description: Sample description
|
||||
ip_cidr_range: 10.0.0.0/24
|
||||
# optional attributes
|
||||
private_ip_google_access: false # defaults to true
|
||||
enable_private_access: false # defaults to true
|
||||
iam_users: ["foobar@example.com"] # grant compute/networkUser to users
|
||||
iam_groups: ["lorem@example.com"] # grant compute/networkUser to groups
|
||||
iam_service_accounts: ["fbz@prj.iam.gserviceaccount.com"]
|
||||
secondary_ip_range: # map of secondary ip ranges
|
||||
secondary_ip_ranges: # map of secondary ip ranges
|
||||
secondary-range-a: 192.168.0.0/24
|
||||
flow_logs: # enable, set to empty map to use defaults
|
||||
- aggregation_interval: "INTERVAL_5_SEC"
|
||||
@@ -267,31 +259,25 @@ flow_logs: # enable, set to empty map to use defaults
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [name](variables.tf#L85) | The name of the network being created. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L106) | The ID of the project where this VPC will be created. | <code>string</code> | ✓ | |
|
||||
| [name](variables.tf#L60) | The name of the network being created. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L76) | The ID of the project where this VPC will be created. | <code>string</code> | ✓ | |
|
||||
| [auto_create_subnetworks](variables.tf#L17) | Set to true to create an auto mode subnet, defaults to custom mode. | <code>bool</code> | | <code>false</code> |
|
||||
| [data_folder](variables.tf#L23) | An optional folder containing the subnet configurations in YaML format. | <code>string</code> | | <code>null</code> |
|
||||
| [delete_default_routes_on_create](variables.tf#L29) | Set to true to delete the default routes at creation time. | <code>bool</code> | | <code>false</code> |
|
||||
| [description](variables.tf#L35) | An optional description of this resource (triggers recreation on change). | <code>string</code> | | <code>"Terraform-managed."</code> |
|
||||
| [dns_policy](variables.tf#L41) | DNS policy setup for the VPC. | <code title="object({ inbound = bool logging = bool outbound = object({ private_ns = list(string) public_ns = list(string) }) })">object({…})</code> | | <code>null</code> |
|
||||
| [iam](variables.tf#L54) | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| [log_config_defaults](variables.tf#L60) | Default configuration for flow logs when enabled. | <code title="object({ aggregation_interval = string flow_sampling = number metadata = string })">object({…})</code> | | <code title="{ aggregation_interval = "INTERVAL_5_SEC" flow_sampling = 0.5 metadata = "INCLUDE_ALL_METADATA" }">{…}</code> |
|
||||
| [log_configs](variables.tf#L74) | Map keyed by subnet 'region/name' of optional configurations for flow logs when enabled. | <code>map(map(string))</code> | | <code>{}</code> |
|
||||
| [mtu](variables.tf#L80) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 and the maximum value is 1500 bytes. | <code></code> | | <code>null</code> |
|
||||
| [peering_config](variables.tf#L90) | VPC peering configuration. | <code title="object({ peer_vpc_self_link = string export_routes = bool import_routes = bool })">object({…})</code> | | <code>null</code> |
|
||||
| [peering_create_remote_end](variables.tf#L100) | Skip creation of peering on the remote end when using peering_config. | <code>bool</code> | | <code>true</code> |
|
||||
| [psa_config](variables.tf#L111) | The Private Service Access configuration for Service Networking. | <code title="object({ ranges = map(string) routes = object({ export = bool import = bool }) })">object({…})</code> | | <code>null</code> |
|
||||
| [routes](variables.tf#L123) | Network routes, keyed by name. | <code title="map(object({ dest_range = string priority = number tags = list(string) next_hop_type = string # gateway, instance, ip, vpn_tunnel, ilb next_hop = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [routing_mode](variables.tf#L135) | The network routing mode (default 'GLOBAL'). | <code>string</code> | | <code>"GLOBAL"</code> |
|
||||
| [shared_vpc_host](variables.tf#L145) | Enable shared VPC for this project. | <code>bool</code> | | <code>false</code> |
|
||||
| [shared_vpc_service_projects](variables.tf#L151) | Shared VPC service projects to register with this host. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [subnet_descriptions](variables.tf#L157) | Optional map of subnet descriptions, keyed by subnet 'region/name'. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [subnet_flow_logs](variables.tf#L163) | Optional map of boolean to control flow logs (default is disabled), keyed by subnet 'region/name'. | <code>map(bool)</code> | | <code>{}</code> |
|
||||
| [subnet_private_access](variables.tf#L169) | Optional map of boolean to control private Google access (default is enabled), keyed by subnet 'region/name'. | <code>map(bool)</code> | | <code>{}</code> |
|
||||
| [subnets](variables.tf#L175) | List of subnets being created. | <code title="list(object({ name = string ip_cidr_range = string region = string secondary_ip_range = map(string) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [subnets_proxy_only](variables.tf#L186) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | <code title="list(object({ active = bool name = string ip_cidr_range = string region = string }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [subnets_psc](variables.tf#L197) | List of subnets for Private Service Connect service producers. | <code title="list(object({ name = string ip_cidr_range = string region = string }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [vpc_create](variables.tf#L207) | Create VPC. When set to false, uses a data source to reference existing VPC. | <code>bool</code> | | <code>true</code> |
|
||||
| [dns_policy](variables.tf#L41) | DNS policy setup for the VPC. | <code title="object({ inbound = optional(bool) logging = optional(bool) outbound = optional(object({ private_ns = list(string) public_ns = list(string) })) })">object({…})</code> | | <code>null</code> |
|
||||
| [mtu](variables.tf#L54) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 and the maximum value is 1500 bytes. | <code>number</code> | | <code>null</code> |
|
||||
| [peering_config](variables.tf#L65) | VPC peering configuration. | <code title="object({ peer_vpc_self_link = string create_remote_peer = optional(bool, true) export_routes = optional(bool) import_routes = optional(bool) })">object({…})</code> | | <code>null</code> |
|
||||
| [psa_config](variables.tf#L81) | The Private Service Access configuration for Service Networking. | <code title="object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) })">object({…})</code> | | <code>null</code> |
|
||||
| [routes](variables.tf#L91) | Network routes, keyed by name. | <code title="map(object({ dest_range = string next_hop_type = string # gateway, instance, ip, vpn_tunnel, ilb next_hop = string priority = optional(number) tags = optional(list(string)) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [routing_mode](variables.tf#L111) | The network routing mode (default 'GLOBAL'). | <code>string</code> | | <code>"GLOBAL"</code> |
|
||||
| [shared_vpc_host](variables.tf#L121) | Enable shared VPC for this project. | <code>bool</code> | | <code>false</code> |
|
||||
| [shared_vpc_service_projects](variables.tf#L127) | Shared VPC service projects to register with this host. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [subnet_iam](variables.tf#L133) | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| [subnets](variables.tf#L139) | Subnet configuration. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) enable_private_access = optional(bool, true) flow_logs_config = optional(object({ aggregation_interval = optional(string) filter_expression = optional(string) flow_sampling = optional(number) metadata = optional(string) metadata_fields = optional(list(string)) })) ipv6 = optional(object({ access_type = optional(string) enable_private_access = optional(bool, true) })) secondary_ip_ranges = optional(map(string)) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [subnets_proxy_only](variables.tf#L164) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) active = bool }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [subnets_psc](variables.tf#L176) | List of subnets for Private Service Connect service producers. | <code title="list(object({ name = string ip_cidr_range = string region = string }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [vpc_create](variables.tf#L186) | Create VPC. When set to false, uses a data source to reference existing VPC. | <code>bool</code> | | <code>true</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
||||
@@ -55,8 +55,12 @@ resource "google_compute_network_peering" "local" {
|
||||
}
|
||||
|
||||
resource "google_compute_network_peering" "remote" {
|
||||
provider = google-beta
|
||||
count = var.peering_config != null && var.peering_create_remote_end ? 1 : 0
|
||||
provider = google-beta
|
||||
count = (
|
||||
var.peering_config != null && try(var.peering_config.create_remote_peer, true)
|
||||
? 1
|
||||
: 0
|
||||
)
|
||||
name = "${local.peer_network}-${var.name}"
|
||||
network = var.peering_config.peer_vpc_self_link
|
||||
peer_network = local.network.self_link
|
||||
@@ -74,10 +78,10 @@ resource "google_compute_shared_vpc_host_project" "shared_vpc_host" {
|
||||
|
||||
resource "google_compute_shared_vpc_service_project" "service_projects" {
|
||||
provider = google-beta
|
||||
for_each = (
|
||||
for_each = toset(
|
||||
var.shared_vpc_host && var.shared_vpc_service_projects != null
|
||||
? toset(var.shared_vpc_service_projects)
|
||||
: toset([])
|
||||
? var.shared_vpc_service_projects
|
||||
: []
|
||||
)
|
||||
host_project = var.project_id
|
||||
service_project = each.value
|
||||
@@ -86,19 +90,23 @@ resource "google_compute_shared_vpc_service_project" "service_projects" {
|
||||
|
||||
resource "google_dns_policy" "default" {
|
||||
count = var.dns_policy == null ? 0 : 1
|
||||
enable_inbound_forwarding = var.dns_policy.inbound
|
||||
enable_logging = var.dns_policy.logging
|
||||
name = var.name
|
||||
project = var.project_id
|
||||
name = var.name
|
||||
enable_inbound_forwarding = try(var.dns_policy.inbound, null)
|
||||
enable_logging = try(var.dns_policy.logging, null)
|
||||
networks {
|
||||
network_url = local.network.id
|
||||
}
|
||||
|
||||
dynamic "alternative_name_server_config" {
|
||||
for_each = toset(var.dns_policy.outbound == null ? [] : [""])
|
||||
for_each = var.dns_policy.outbound != null ? [""] : []
|
||||
content {
|
||||
dynamic "target_name_servers" {
|
||||
for_each = toset(var.dns_policy.outbound.private_ns)
|
||||
for_each = (
|
||||
var.dns_policy.outbound.private_ns != null
|
||||
? var.dns_policy.outbound.private_ns
|
||||
: []
|
||||
)
|
||||
iterator = ns
|
||||
content {
|
||||
ipv4_address = ns.key
|
||||
@@ -106,7 +114,11 @@ resource "google_dns_policy" "default" {
|
||||
}
|
||||
}
|
||||
dynamic "target_name_servers" {
|
||||
for_each = toset(var.dns_policy.outbound.public_ns)
|
||||
for_each = (
|
||||
var.dns_policy.outbound.public_ns != null
|
||||
? var.dns_policy.outbound.public_ns
|
||||
: []
|
||||
)
|
||||
iterator = ns
|
||||
content {
|
||||
ipv4_address = ns.key
|
||||
|
||||
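Review bot: The `try()` wrappers on `enable_inbound_forwarding` and `enable_logging` in `google_dns_policy.default` fall back only when the expression errors, and an omitted `optional(bool)` attribute evaluates to null rather than erroring, so with `logging` left out the resource receives null and DNS query logging is left to the provider default, which I would expect to be off. Since the `count` guard already excludes a null `var.dns_policy`, an explicit default is clearer and keeps the logging posture visible in the module: `enable_logging = coalesce(var.dns_policy.logging, false)` (or give the attribute a default in the variable type). The `try()` around `var.peering_config.create_remote_peer` in the remote peering `count` is different: it is needed there because the `&&` is not guaranteed to short-circuit when `peering_config` is null, and `create_remote_peer` already carries a `true` default, so that one is fine as written.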
@@ -17,15 +17,11 @@
|
||||
# tfdoc:file:description Private Service Access resources.
|
||||
|
||||
locals {
|
||||
psa_config = (
|
||||
var.psa_config == null
|
||||
? { ranges = {}, routes = null }
|
||||
: var.psa_config
|
||||
)
|
||||
psa_config_ranges = try(var.psa_config.ranges, {})
|
||||
}
|
||||
|
||||
resource "google_compute_global_address" "psa_ranges" {
|
||||
for_each = local.psa_config.ranges
|
||||
for_each = local.psa_config_ranges
|
||||
project = var.project_id
|
||||
name = each.key
|
||||
purpose = "VPC_PEERING"
|
||||
@@ -36,7 +32,7 @@ resource "google_compute_global_address" "psa_ranges" {
|
||||
}
|
||||
|
||||
resource "google_service_networking_connection" "psa_connection" {
|
||||
for_each = var.psa_config == null ? {} : { 1 = 1 }
|
||||
for_each = var.psa_config != null ? { 1 = 1 } : {}
|
||||
network = local.network.id
|
||||
service = "servicenetworking.googleapis.com"
|
||||
reserved_peering_ranges = [
|
||||
@@ -45,10 +41,10 @@ resource "google_service_networking_connection" "psa_connection" {
|
||||
}
|
||||
|
||||
resource "google_compute_network_peering_routes_config" "psa_routes" {
|
||||
for_each = var.psa_config == null ? {} : { 1 = 1 }
|
||||
for_each = var.psa_config != null ? { 1 = 1 } : {}
|
||||
project = var.project_id
|
||||
peering = google_service_networking_connection.psa_connection["1"].peering
|
||||
network = local.network.name
|
||||
export_custom_routes = try(var.psa_config.routes.export, false)
|
||||
import_custom_routes = try(var.psa_config.routes.import, false)
|
||||
export_custom_routes = var.psa_config.export_routes
|
||||
import_custom_routes = var.psa_config.import_routes
|
||||
}
|
||||
|
||||
@@ -21,11 +21,19 @@ locals {
|
||||
for f in fileset(var.data_folder, "**/*.yaml") :
|
||||
trimsuffix(basename(f), ".yaml") => yamldecode(file("${var.data_folder}/${f}"))
|
||||
}
|
||||
_factory_descriptions = {
|
||||
for k, v in local._factory_data :
|
||||
"${v.region}/${k}" => try(v.description, null)
|
||||
_factory_subnets = {
|
||||
for k, v in local._factory_data : "${v.region}/${k}" => {
|
||||
name = k
|
||||
ip_cidr_range = v.ip_cidr_range
|
||||
region = v.region
|
||||
description = try(v.description, null)
|
||||
enable_private_access = try(v.enable_private_access, true)
|
||||
flow_logs_config = try(v.flow_logs, null)
|
||||
ipv6 = try(v.ipv6, null)
|
||||
secondary_ip_ranges = try(v.secondary_ip_ranges, null)
|
||||
}
|
||||
}
|
||||
_factory_iam_members = [
|
||||
_factory_subnets_iam = [
|
||||
for k, v in local._factory_subnets : {
|
||||
subnet = k
|
||||
role = "roles/compute.networkUser"
|
||||
@@ -36,32 +44,8 @@ locals {
|
||||
)
|
||||
}
|
||||
]
|
||||
_factory_flow_logs = {
|
||||
for k, v in local._factory_data : "${v.region}/${k}" => merge(
|
||||
var.log_config_defaults, try(v.flow_logs, {})
|
||||
) if try(v.flow_logs, null) != null
|
||||
}
|
||||
_factory_private_access = {
|
||||
for k, v in local._factory_data : "${v.region}/${k}" => try(
|
||||
v.private_ip_google_access, true
|
||||
)
|
||||
}
|
||||
_factory_subnets = {
|
||||
for k, v in local._factory_data : "${v.region}/${k}" => {
|
||||
ip_cidr_range = v.ip_cidr_range
|
||||
name = k
|
||||
region = v.region
|
||||
secondary_ip_range = try(v.secondary_ip_range, {})
|
||||
}
|
||||
}
|
||||
_iam = var.iam == null ? {} : var.iam
|
||||
_subnet_flow_logs = {
|
||||
for k, v in var.subnet_flow_logs : k => merge(
|
||||
var.log_config_defaults, try(var.log_configs[k], {})
|
||||
)
|
||||
}
|
||||
_subnet_iam_members = flatten([
|
||||
for subnet, roles in local._iam : [
|
||||
for subnet, roles in(var.subnet_iam == null ? {} : var.subnet_iam) : [
|
||||
for role, members in roles : {
|
||||
members = members
|
||||
role = role
|
||||
@@ -69,19 +53,10 @@ locals {
|
||||
}
|
||||
]
|
||||
])
|
||||
subnet_descriptions = merge(
|
||||
local._factory_descriptions, var.subnet_descriptions
|
||||
)
|
||||
subnet_iam_members = concat(
|
||||
[for k in local._factory_iam_members : k if length(k.members) > 0],
|
||||
[for k in local._factory_subnets_iam : k if length(k.members) > 0],
|
||||
local._subnet_iam_members
|
||||
)
|
||||
subnet_flow_logs = merge(
|
||||
local._factory_flow_logs, local._subnet_flow_logs
|
||||
)
|
||||
subnet_private_access = merge(
|
||||
local._factory_private_access, var.subnet_private_access
|
||||
)
|
||||
subnets = merge(
|
||||
{ for subnet in var.subnets : "${subnet.region}/${subnet.name}" => subnet },
|
||||
local._factory_subnets
|
||||
@@ -97,33 +72,30 @@ locals {
|
||||
}
|
||||
|
||||
resource "google_compute_subnetwork" "subnetwork" {
|
||||
for_each = local.subnets
|
||||
project = var.project_id
|
||||
network = local.network.name
|
||||
region = each.value.region
|
||||
name = each.value.name
|
||||
ip_cidr_range = each.value.ip_cidr_range
|
||||
secondary_ip_range = each.value.secondary_ip_range == null ? [] : [
|
||||
for name, range in each.value.secondary_ip_range :
|
||||
for_each = local.subnets
|
||||
project = var.project_id
|
||||
network = local.network.name
|
||||
name = each.value.name
|
||||
region = each.value.region
|
||||
ip_cidr_range = each.value.ip_cidr_range
|
||||
description = try(each.value.description, "Terraform-managed.")
|
||||
private_ip_google_access = each.value.enable_private_access
|
||||
secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
|
||||
for name, range in each.value.secondary_ip_ranges :
|
||||
{ range_name = name, ip_cidr_range = range }
|
||||
]
|
||||
description = lookup(
|
||||
local.subnet_descriptions, each.key, "Terraform-managed."
|
||||
)
|
||||
private_ip_google_access = lookup(
|
||||
local.subnet_private_access, each.key, true
|
||||
)
|
||||
dynamic "log_config" {
|
||||
for_each = toset(
|
||||
try(local.subnet_flow_logs[each.key], {}) != {}
|
||||
? [local.subnet_flow_logs[each.key]]
|
||||
: []
|
||||
)
|
||||
iterator = config
|
||||
for_each = each.value.flow_logs_config != null ? [""] : []
|
||||
content {
|
||||
aggregation_interval = config.value.aggregation_interval
|
||||
flow_sampling = config.value.flow_sampling
|
||||
metadata = config.value.metadata
|
||||
aggregation_interval = each.value.flow_logs_config.aggregation_interval
|
||||
filter_expr = each.value.flow_logs_config.filter_expression
|
||||
flow_sampling = each.value.flow_logs_config.flow_sampling
|
||||
metadata = each.value.flow_logs_config.metadata
|
||||
metadata_fields = (
|
||||
each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
|
||||
? each.value.flow_logs_config.metadata_fields
|
||||
: null
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -132,33 +104,31 @@ resource "google_compute_subnetwork" "proxy_only" {
|
||||
for_each = local.subnets_proxy_only
|
||||
project = var.project_id
|
||||
network = local.network.name
|
||||
region = each.value.region
|
||||
name = each.value.name
|
||||
region = each.value.region
|
||||
ip_cidr_range = each.value.ip_cidr_range
|
||||
purpose = "REGIONAL_MANAGED_PROXY"
|
||||
description = try(
|
||||
each.value.description,
|
||||
"Terraform-managed proxy-only subnet for Regional HTTPS or Internal HTTPS LB."
|
||||
)
|
||||
purpose = "REGIONAL_MANAGED_PROXY"
|
||||
role = (
|
||||
each.value.active || each.value.active == null ? "ACTIVE" : "BACKUP"
|
||||
)
|
||||
description = lookup(
|
||||
local.subnet_descriptions,
|
||||
"${each.value.region}/${each.value.name}",
|
||||
"Terraform-managed proxy-only subnet for Regional HTTPS or Internal HTTPS LB."
|
||||
)
|
||||
}
|
||||
|
||||
resource "google_compute_subnetwork" "psc" {
|
||||
for_each = local.subnets_psc
|
||||
project = var.project_id
|
||||
network = local.network.name
|
||||
region = each.value.region
|
||||
name = each.value.name
|
||||
region = each.value.region
|
||||
ip_cidr_range = each.value.ip_cidr_range
|
||||
purpose = "PRIVATE_SERVICE_CONNECT"
|
||||
description = lookup(
|
||||
local.subnet_descriptions,
|
||||
"${each.value.region}/${each.value.name}",
|
||||
description = try(
|
||||
each.value.description,
|
||||
"Terraform-managed subnet for Private Service Connect (PSC NAT)."
|
||||
)
|
||||
purpose = "PRIVATE_SERVICE_CONNECT"
|
||||
}
|
||||
|
||||
resource "google_compute_subnetwork_iam_binding" "binding" {
|
||||
|
||||
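Review bot: The subnet factory silently accepts YAML files written for the previous schema: `enable_private_access = try(v.enable_private_access, true)` and `secondary_ip_ranges = try(v.secondary_ip_ranges, null)` fall back whenever the key is missing, so a file that still uses the old `private_ip_google_access: false` or `secondary_ip_range:` keys (renamed in the README example by this same commit) is applied with private Google access re-enabled and its secondary ranges removed, with no error at plan time. A `precondition` on `google_compute_subnetwork.subnetwork` that rejects the removed keys turns that into a plan failure instead of a silent posture change. Separately, `description = try(each.value.description, "Terraform-managed.")` on the subnetwork, proxy-only and PSC resources never reaches its fallback, because an omitted `optional(string)` is null rather than an error; `coalesce(each.value.description, "Terraform-managed.")` is what preserves the previous default. The members expression of `_factory_subnets_iam` is cut by the hunk boundary, so I have not reviewed it.
```hcl
locals {
  # Subnet YAML keys removed by the schema change; try() in _factory_subnets
  # would otherwise ignore them and apply defaults in their place.
  _factory_legacy_keys = [
    for k, v in local._factory_data : k
    if can(v.private_ip_google_access) || can(v.secondary_ip_range)
  ]
}

resource "google_compute_subnetwork" "subnetwork" {
  for_each = local.subnets
  # … unchanged: subnet attributes and log_config …
  lifecycle {
    precondition {
      condition     = length(local._factory_legacy_keys) == 0
      error_message = "Subnet YAML files use removed keys (private_ip_google_access, secondary_ip_range); rename them to enable_private_access / secondary_ip_ranges."
    }
  }
}
```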
@@ -41,44 +41,19 @@ variable "description" {
|
||||
variable "dns_policy" {
|
||||
description = "DNS policy setup for the VPC."
|
||||
type = object({
|
||||
inbound = bool
|
||||
logging = bool
|
||||
outbound = object({
|
||||
inbound = optional(bool)
|
||||
logging = optional(bool)
|
||||
outbound = optional(object({
|
||||
private_ns = list(string)
|
||||
public_ns = list(string)
|
||||
})
|
||||
}))
|
||||
})
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "iam" {
|
||||
description = "Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format."
|
||||
type = map(map(list(string)))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "log_config_defaults" {
|
||||
description = "Default configuration for flow logs when enabled."
|
||||
type = object({
|
||||
aggregation_interval = string
|
||||
flow_sampling = number
|
||||
metadata = string
|
||||
})
|
||||
default = {
|
||||
aggregation_interval = "INTERVAL_5_SEC"
|
||||
flow_sampling = 0.5
|
||||
metadata = "INCLUDE_ALL_METADATA"
|
||||
}
|
||||
}
|
||||
|
||||
variable "log_configs" {
|
||||
description = "Map keyed by subnet 'region/name' of optional configurations for flow logs when enabled."
|
||||
type = map(map(string))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "mtu" {
|
||||
description = "Maximum Transmission Unit in bytes. The minimum value for this field is 1460 and the maximum value is 1500 bytes."
|
||||
type = number
|
||||
default = null
|
||||
}
|
||||
|
||||
@@ -91,18 +66,13 @@ variable "peering_config" {
|
||||
description = "VPC peering configuration."
|
||||
type = object({
|
||||
peer_vpc_self_link = string
|
||||
export_routes = bool
|
||||
import_routes = bool
|
||||
create_remote_peer = optional(bool, true)
|
||||
export_routes = optional(bool)
|
||||
import_routes = optional(bool)
|
||||
})
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "peering_create_remote_end" {
|
||||
description = "Skip creation of peering on the remote end when using peering_config."
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "project_id" {
|
||||
description = "The ID of the project where this VPC will be created."
|
||||
type = string
|
||||
@@ -111,11 +81,9 @@ variable "project_id" {
|
||||
variable "psa_config" {
|
||||
description = "The Private Service Access configuration for Service Networking."
|
||||
type = object({
|
||||
ranges = map(string)
|
||||
routes = object({
|
||||
export = bool
|
||||
import = bool
|
||||
})
|
||||
ranges = map(string)
|
||||
export_routes = optional(bool, false)
|
||||
import_routes = optional(bool, false)
|
||||
})
|
||||
default = null
|
||||
}
|
||||
@@ -124,12 +92,20 @@ variable "routes" {
|
||||
description = "Network routes, keyed by name."
|
||||
type = map(object({
|
||||
dest_range = string
|
||||
priority = number
|
||||
tags = list(string)
|
||||
next_hop_type = string # gateway, instance, ip, vpn_tunnel, ilb
|
||||
next_hop = string
|
||||
priority = optional(number)
|
||||
tags = optional(list(string))
|
||||
}))
|
||||
default = {}
|
||||
default = {}
|
||||
nullable = false
|
||||
validation {
|
||||
condition = alltrue([
|
||||
for r in var.routes :
|
||||
contains(["gateway", "instance", "ip", "vpn_tunnel", "ilb"], r.next_hop_type)
|
||||
])
|
||||
error_message = "Unsupported next hop type for route."
|
||||
}
|
||||
}
|
||||
|
||||
variable "routing_mode" {
|
||||
@@ -154,31 +130,33 @@ variable "shared_vpc_service_projects" {
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "subnet_descriptions" {
|
||||
description = "Optional map of subnet descriptions, keyed by subnet 'region/name'."
|
||||
type = map(string)
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "subnet_flow_logs" {
|
||||
description = "Optional map of boolean to control flow logs (default is disabled), keyed by subnet 'region/name'."
|
||||
type = map(bool)
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "subnet_private_access" {
|
||||
description = "Optional map of boolean to control private Google access (default is enabled), keyed by subnet 'region/name'."
|
||||
type = map(bool)
|
||||
variable "subnet_iam" {
|
||||
description = "Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format."
|
||||
type = map(map(list(string)))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "subnets" {
|
||||
description = "List of subnets being created."
|
||||
description = "Subnet configuration."
|
||||
type = list(object({
|
||||
name = string
|
||||
ip_cidr_range = string
|
||||
region = string
|
||||
secondary_ip_range = map(string)
|
||||
name = string
|
||||
ip_cidr_range = string
|
||||
region = string
|
||||
description = optional(string)
|
||||
enable_private_access = optional(bool, true)
|
||||
flow_logs_config = optional(object({
|
||||
aggregation_interval = optional(string)
|
||||
filter_expression = optional(string)
|
||||
flow_sampling = optional(number)
|
||||
metadata = optional(string)
|
||||
# only if metadata == "CUSTOM_METADATA"
|
||||
metadata_fields = optional(list(string))
|
||||
}))
|
||||
ipv6 = optional(object({
|
||||
access_type = optional(string)
|
||||
enable_private_access = optional(bool, true)
|
||||
}))
|
||||
secondary_ip_ranges = optional(map(string))
|
||||
}))
|
||||
default = []
|
||||
}
|
||||
@@ -186,10 +164,11 @@ variable "subnets" {
|
||||
variable "subnets_proxy_only" {
|
||||
description = "List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active."
|
||||
type = list(object({
|
||||
active = bool
|
||||
name = string
|
||||
ip_cidr_range = string
|
||||
region = string
|
||||
description = optional(string)
|
||||
active = bool
|
||||
}))
|
||||
default = []
|
||||
}
|
||||
|
||||
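Review bot: `peering_config.export_routes`/`import_routes` and `dns_policy.inbound`/`logging` are declared as bare `optional(bool)`, so an omitted attribute is null and the provider's handling of null decides whether custom routes cross the peering (presumably these feed `export_custom_routes`/`import_custom_routes`, outside this hunk) and whether DNS logging is on, while `psa_config` in the same file gets explicit `optional(bool, false)` defaults. Making the other two consistent keeps the security-relevant defaults in the module rather than in the provider: `export_routes = optional(bool, false)` / `import_routes = optional(bool, false)` under `peering_config`, and `inbound = optional(bool, false)` / `logging = optional(bool, false)` under `dns_policy`. `create_remote_peer` replaces the removed `peering_create_remote_end` variable but inherits none of its description; a comment on that attribute such as `# false skips the peering resource in the peer VPC's project, which must then be created there separately` would carry it over. `routes` gained `nullable = false` alongside its new `next_hop_type` validation, but `subnet_iam`, `subnets` and `subnets_proxy_only` still admit null and the code guards it (`var.subnet_iam == null ? {} : var.subnet_iam`); `nullable = false` on those would let the guards go.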