diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md
index 805746e0a..a5cb7362c 100644
--- a/modules/net-vpc/README.md
+++ b/modules/net-vpc/README.md
@@ -321,7 +321,7 @@ module "vpc" {
### Private Service Networking with peering routes and peered Cloud DNS domains
-Custom routes can be optionally exported/imported through the peering formed with the Google managed PSA VPC.
+Custom routes can be optionally exported/imported through the peering formed with the Google managed PSA VPC. Labels are applied to the google_compute_global_address resource.
```hcl
module "vpc" {
@@ -339,6 +339,7 @@ module "vpc" {
ranges = { myrange = "10.0.1.0/24" }
export_routes = true
import_routes = true
+ labels = { environment = "test", data_classification = "sensitive" }
peered_domains = ["gcp.example.com."]
}]
}
@@ -915,16 +916,16 @@ secondary_ip_ranges:
| [network_attachments](variables.tf#L189) | PSC network attachments, names as keys. | map(object({…})) | | {} |
| [peering_config](variables.tf#L202) | VPC peering configuration. | object({…}) | | null |
| [policy_based_routes](variables.tf#L213) | Policy based routes, keyed by name. | map(object({…})) | | {} |
-| [psa_configs](variables.tf#L266) | The Private Service Access configuration. | list(object({…})) | | [] |
-| [routes](variables.tf#L297) | Network routes, keyed by name. | map(object({…})) | | {} |
-| [routing_mode](variables.tf#L318) | The network routing mode (default 'GLOBAL'). | string | | "GLOBAL" |
-| [shared_vpc_host](variables.tf#L328) | Enable shared VPC for this project. | bool | | false |
-| [shared_vpc_service_projects](variables.tf#L334) | Shared VPC service projects to register with this host. | list(string) | | [] |
-| [subnets](variables.tf#L340) | Subnet configuration. | list(object({…})) | | [] |
-| [subnets_private_nat](variables.tf#L420) | List of private NAT subnets. | list(object({…})) | | [] |
-| [subnets_proxy_only](variables.tf#L432) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] |
-| [subnets_psc](variables.tf#L466) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] |
-| [vpc_reuse](variables.tf#L498) | Reuse existing VPC if not null. If the network_id number is not passed in, a data source is used. | object({…}) | | null |
+| [psa_configs](variables.tf#L266) | The Private Service Access configuration. | list(object({…})) | | [] |
+| [routes](variables.tf#L298) | Network routes, keyed by name. | map(object({…})) | | {} |
+| [routing_mode](variables.tf#L319) | The network routing mode (default 'GLOBAL'). | string | | "GLOBAL" |
+| [shared_vpc_host](variables.tf#L329) | Enable shared VPC for this project. | bool | | false |
+| [shared_vpc_service_projects](variables.tf#L335) | Shared VPC service projects to register with this host. | list(string) | | [] |
+| [subnets](variables.tf#L341) | Subnet configuration. | list(object({…})) | | [] |
+| [subnets_private_nat](variables.tf#L421) | List of private NAT subnets. | list(object({…})) | | [] |
+| [subnets_proxy_only](variables.tf#L433) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] |
+| [subnets_psc](variables.tf#L467) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] |
+| [vpc_reuse](variables.tf#L499) | Reuse existing VPC if not null. If the network_id number is not passed in, a data source is used. | object({…}) | | null |
## Outputs
diff --git a/modules/net-vpc/psa.tf b/modules/net-vpc/psa.tf
index 1fb234f50..1aa9c703f 100644
--- a/modules/net-vpc/psa.tf
+++ b/modules/net-vpc/psa.tf
@@ -20,8 +20,9 @@ locals {
_psa_configs_ranges = flatten([
for config in local.psa_configs : [
for k, v in config.ranges : {
- key = "${config.key}${k}"
- value = v
+ key = "${config.key}${k}"
+ value = v
+ labels = config.labels
}
]
])
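Review bot: `labels = config.labels` copies one label map onto every range of a PSA config, so two ranges in the same `psa_configs` entry cannot carry different labels (for example a different `data_classification`). If that is intended, a comment above the attribute would make it explicit: `# labels are defined per PSA config and shared by all of its ranges`. The enclosing `locals` block starts and ends outside this hunk.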
@@ -47,6 +48,12 @@ locals {
for v in local._psa_configs_ranges :
v.key => lookup(local.ctx.cidr_ranges, v.value, v.value)
}
+
+ psa_configs_labels = {
+ for v in local._psa_configs_ranges :
+ v.key => v.labels
+ }
+
psa_peered_domains = {
for v in local._psa_peered_domains : v.key => v
}
@@ -56,6 +63,7 @@ resource "google_compute_global_address" "psa_ranges" {
for_each = local.psa_configs_ranges
project = local.project_id
network = local.network.id
+ labels = local.psa_configs_labels[each.key]
name = each.key
purpose = "VPC_PEERING"
address_type = "INTERNAL"
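Review bot: The new `labels` argument on `google_compute_global_address.psa_ranges` carries no comment on how much of the label set Terraform actually controls. On provider versions where `labels` is non-authoritative (presumably the case for this module), labels added to the address outside Terraform are neither removed nor reported as drift. That matters to anyone who relies on a label such as `data_classification` for inventory or policy queries. I would add `# non-authoritative: only labels set here are managed, see effective_labels` above the argument. The resource body continues past the end of the hunk.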
diff --git a/modules/net-vpc/variables.tf b/modules/net-vpc/variables.tf
index 1f7c2e02f..075c24a59 100644
--- a/modules/net-vpc/variables.tf
+++ b/modules/net-vpc/variables.tf
@@ -268,6 +268,7 @@ variable "psa_configs" {
type = list(object({
deletion_policy = optional(string, null)
ranges = map(string)
+ labels = optional(map(string), {})
export_routes = optional(bool, false)
import_routes = optional(bool, false)
peered_domains = optional(list(string), [])
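Review bot: The `labels` attribute is added to the object type without validation, and the variable's description is outside the hunk, so it may not mention it. Labels are plain metadata readable by any principal that can view the address, and malformed keys or values are only rejected by the API at apply time. I would extend the description with something like `Labels are applied to every allocated range of the config; they are visible resource metadata and must not hold secrets.` The variable block starts and ends outside this hunk.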
diff --git a/tests/modules/net_vpc/examples/psa-routes.yaml b/tests/modules/net_vpc/examples/psa-routes.yaml
index 014efcb81..57254ad76 100644
--- a/tests/modules/net_vpc/examples/psa-routes.yaml
+++ b/tests/modules/net_vpc/examples/psa-routes.yaml
@@ -22,6 +22,9 @@ values:
prefix_length: 24
project: project-id
purpose: VPC_PEERING
+ labels:
+ data_classification: sensitive
+ environment: test
timeouts: null
module.vpc.google_compute_network.network[0]:
auto_create_subnetworks: false