From 5374899b369c36cd85d2a8f802fb2cd538c83ee5 Mon Sep 17 00:00:00 2001 From: David Liebert <58755731+LaoZhuBaba@users.noreply.github.com> Date: Thu, 8 Jan 2026 02:19:48 +1300 Subject: [PATCH] added support for labels with google_compute_global_address resource (#3622) Co-authored-by: Julio Castillo --- modules/net-vpc/README.md | 23 ++++++++++--------- modules/net-vpc/psa.tf | 12 ++++++++-- modules/net-vpc/variables.tf | 1 + .../modules/net_vpc/examples/psa-routes.yaml | 3 +++ 4 files changed, 26 insertions(+), 13 deletions(-) diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md index 805746e0a..a5cb7362c 100644 --- a/modules/net-vpc/README.md +++ b/modules/net-vpc/README.md @@ -321,7 +321,7 @@ module "vpc" { ### Private Service Networking with peering routes and peered Cloud DNS domains -Custom routes can be optionally exported/imported through the peering formed with the Google managed PSA VPC. +Custom routes can be optionally exported/imported through the peering formed with the Google managed PSA VPC. Labels are applied to the google_compute_global_address resource. ```hcl module "vpc" { @@ -339,6 +339,7 @@ module "vpc" { ranges = { myrange = "10.0.1.0/24" } export_routes = true import_routes = true + labels = { environment = "test", data_classification = "sensitive" } peered_domains = ["gcp.example.com."] }] } 
@@ -915,16 +916,16 @@ secondary_ip_ranges: | [network_attachments](variables.tf#L189) | PSC network attachments, names as keys. | map(object({…})) | | {} | | [peering_config](variables.tf#L202) | VPC peering configuration. | object({…}) | | null | | [policy_based_routes](variables.tf#L213) | Policy based routes, keyed by name. | map(object({…})) | | {} | -| [psa_configs](variables.tf#L266) | The Private Service Access configuration. | list(object({…})) | | [] | -| [routes](variables.tf#L297) | Network routes, keyed by name. | map(object({…})) | | {} | -| [routing_mode](variables.tf#L318) | The network routing mode (default 'GLOBAL'). | string | | "GLOBAL" | -| [shared_vpc_host](variables.tf#L328) | Enable shared VPC for this project. | bool | | false | -| [shared_vpc_service_projects](variables.tf#L334) | Shared VPC service projects to register with this host. | list(string) | | [] | -| [subnets](variables.tf#L340) | Subnet configuration. | list(object({…})) | | [] | -| [subnets_private_nat](variables.tf#L420) | List of private NAT subnets. | list(object({…})) | | [] | -| [subnets_proxy_only](variables.tf#L432) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] | -| [subnets_psc](variables.tf#L466) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] | -| [vpc_reuse](variables.tf#L498) | Reuse existing VPC if not null. If the network_id number is not passed in, a data source is used. | object({…}) | | null | +| [psa_configs](variables.tf#L266) | The Private Service Access configuration. | list(object({…})) | | [] | +| [routes](variables.tf#L298) | Network routes, keyed by name. | map(object({…})) | | {} | +| [routing_mode](variables.tf#L319) | The network routing mode (default 'GLOBAL'). | string | | "GLOBAL" | +| [shared_vpc_host](variables.tf#L329) | Enable shared VPC for this project. 
| bool | | false | +| [shared_vpc_service_projects](variables.tf#L335) | Shared VPC service projects to register with this host. | list(string) | | [] | +| [subnets](variables.tf#L341) | Subnet configuration. | list(object({…})) | | [] | +| [subnets_private_nat](variables.tf#L421) | List of private NAT subnets. | list(object({…})) | | [] | +| [subnets_proxy_only](variables.tf#L433) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] | +| [subnets_psc](variables.tf#L467) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] | +| [vpc_reuse](variables.tf#L499) | Reuse existing VPC if not null. If the network_id number is not passed in, a data source is used. | object({…}) | | null | ## Outputs diff --git a/modules/net-vpc/psa.tf b/modules/net-vpc/psa.tf index 1fb234f50..1aa9c703f 100644 --- a/modules/net-vpc/psa.tf +++ b/modules/net-vpc/psa.tf @@ -20,8 +20,9 @@ locals { _psa_configs_ranges = flatten([ for config in local.psa_configs : [ for k, v in config.ranges : { - key = "${config.key}${k}" - value = v + key = "${config.key}${k}" + value = v + labels = config.labels } ] ]) @@ -47,6 +48,12 @@ locals { for v in local._psa_configs_ranges : v.key => lookup(local.ctx.cidr_ranges, v.value, v.value) } + + psa_configs_labels = { + for v in local._psa_configs_ranges : + v.key => v.labels + } + psa_peered_domains = { for v in local._psa_peered_domains : v.key => v } @@ -56,6 +63,7 @@ resource "google_compute_global_address" "psa_ranges" { for_each = local.psa_configs_ranges project = local.project_id network = local.network.id + labels = local.psa_configs_labels[each.key] name = each.key purpose = "VPC_PEERING" address_type = "INTERNAL" diff --git a/modules/net-vpc/variables.tf b/modules/net-vpc/variables.tf index 1f7c2e02f..075c24a59 100644 --- a/modules/net-vpc/variables.tf 
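Review bot: In the `_psa_configs_ranges` comprehension (`@@ -20,8 +20,9`), `labels = config.labels` puts one label map on every range of a `psa_configs` entry, so ranges in the same entry cannot carry different classifications, and nothing in the code says so. I would add `# labels are set per psa_configs entry and shared by all of its ranges` above that line. In `@@ -47,6 +48,12` and `@@ -56,6 +63,7`, `psa_configs_labels` is indexed as `local.psa_configs_labels[each.key]` with no fallback, which is only safe because it is built from the same list as `psa_configs_ranges`; a comment such as `# keys must match psa_configs_ranges, the resource indexes this map by each.key` would keep that invariant visible. Labels are plain resource metadata, so the docs should say they are for tags like `data_classification` and not for secret values. The `locals` block begins and ends outside these hunks.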
+++ b/modules/net-vpc/variables.tf @@ -268,6 +268,7 @@ variable "psa_configs" { type = list(object({ deletion_policy = optional(string, null) ranges = map(string) + labels = optional(map(string), {}) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) diff --git a/tests/modules/net_vpc/examples/psa-routes.yaml b/tests/modules/net_vpc/examples/psa-routes.yaml index 014efcb81..57254ad76 100644 --- a/tests/modules/net_vpc/examples/psa-routes.yaml +++ b/tests/modules/net_vpc/examples/psa-routes.yaml @@ -22,6 +22,9 @@ values: prefix_length: 24 project: project-id purpose: VPC_PEERING + labels: + data_classification: sensitive + environment: test timeouts: null module.vpc.google_compute_network.network[0]: auto_create_subnetworks: false
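Review bot: The new `labels = optional(map(string), {})` attribute in `variable "psa_configs"` is accepted without any format check, so a key or value that GCP rejects (uppercase, spaces, over 63 characters) only surfaces as an API error at apply time, when other resources may already have changed. Since these labels are meant to carry things like `data_classification`, I would add a `validation` block that checks keys and values at plan time; the sketch below covers only the ASCII subset of the label rules. The variable block continues outside the hunk, so an existing validation may need to be merged with this one.

```hcl
variable "psa_configs" {
  # … unchanged: description, type (including the new labels attribute), default …
  validation {
    condition = alltrue(flatten([
      for c in var.psa_configs : [
        for k, v in c.labels :
        can(regex("^[a-z][a-z0-9_-]{0,62}$", k)) && can(regex("^[a-z0-9_-]{0,63}$", v))
      ]
    ]))
    error_message = "Label keys must start with a lowercase letter; keys and values may only contain lowercase letters, digits, underscores and dashes, up to 63 characters."
  }
```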