Merge branch 'master' into vpc-sc-02

This commit is contained in:
lcaggio
2021-05-18 09:52:45 +02:00
committed by GitHub
32 changed files with 1558 additions and 66 deletions


@@ -41,6 +41,7 @@ module "myproject-default-service-accounts" {
| *iam_project_roles* | Project roles granted to the service account, by project id. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> | | <code title="">{}</code> |
| *iam_storage_roles* | Storage roles granted to the service account, by bucket name. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> | | <code title="">{}</code> |
| *prefix* | Prefix applied to service account names. | <code title="">string</code> | | <code title="">null</code> |
| *service_account_create* | Create service account. When set to false, uses a data source to reference an existing service account. | <code title="">bool</code> | | <code title="">true</code> |
## Outputs


@@ -57,10 +57,23 @@ locals {
: map("", null)
, {})
prefix = var.prefix != null ? "${var.prefix}-" : ""
resource_iam_email = "serviceAccount:${google_service_account.service_account.email}"
resource_iam_email = "serviceAccount:${local.service_account.email}"
service_account = (
var.service_account_create
? try(google_service_account.service_account.0, null)
: try(data.google_service_account.service_account.0, null)
)
}
data "google_service_account" "service_account" {
count = var.service_account_create ? 0 : 1
project = var.project_id
account_id = "${local.prefix}${var.name}"
}
resource "google_service_account" "service_account" {
count = var.service_account_create ? 1 : 0
project = var.project_id
account_id = "${local.prefix}${var.name}"
display_name = var.display_name
@@ -68,12 +81,12 @@ resource "google_service_account" "service_account" {
resource "google_service_account_key" "key" {
for_each = var.generate_key ? { 1 = 1 } : {}
service_account_id = google_service_account.service_account.email
service_account_id = local.service_account.email
}
resource "google_service_account_iam_binding" "roles" {
for_each = var.iam
service_account_id = google_service_account.service_account.name
service_account_id = local.service_account.name
role = each.key
members = each.value
}
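Review bot: With `service_account_create = false` the `google_service_account_iam_binding` resource at the end of the hunk now targets a pre-existing service account, and the `*_iam_binding` resource is authoritative per role, so any members already granted that role on the referenced account outside Terraform are removed on apply; likewise `generate_key` mints a new user-managed key on an account this module does not own. Neither the hunk nor the `service_account_create` variable description flags this. Suggest a comment where `local.service_account` is defined, e.g. `# When service_account_create is false, iam bindings (authoritative per role) and key generation still apply to the referenced existing account.`, and the same caveat in the variable's description in variables.tf. The `locals` block edited by the first hunk starts outside it.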


@@ -16,12 +16,12 @@
output "service_account" {
description = "Service account resource."
value = google_service_account.service_account
value = local.service_account
}
output "email" {
description = "Service account email."
value = google_service_account.service_account.email
value = local.service_account.email
}
output "iam_email" {
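Review bot: The `service_account` output keeps the description `Service account resource.` while its value is now `local.service_account`, which is the `data.google_service_account` object when `service_account_create` is false; the data source and the managed resource do not necessarily expose the same attribute set, so consumers indexing into this output may behave differently on the data-source path. Suggest `description = "Service account resource (or data source when service_account_create is false)."`. The `iam_email` output begins on the hunk's last line and continues outside it.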


@@ -77,3 +77,9 @@ variable "project_id" {
description = "Project id where service account will be created."
type = string
}
variable "service_account_create" {
description = "Create service account. When set to false, uses a data source to reference an existing service account."
type = bool
default = true
}


@@ -141,6 +141,33 @@ module "vpc" {
# tftest:modules=1:resources=4
```
### DNS Policies
```hcl
module "vpc" {
source = "./modules/net-vpc"
project_id = "my-project"
name = "my-network"
dns_policy = {
inbound = true
logging = false
outbound = {
private_ns = ["10.0.0.1"]
public_ns = ["8.8.8.8"]
}
}
subnets = [
{
ip_cidr_range = "10.0.0.0/24"
name = "production"
region = "europe-west1"
secondary_ip_range = {}
}
]
}
# tftest:modules=1:resources=3
```
<!-- BEGIN TFDOC -->
## Variables
@@ -151,6 +178,7 @@ module "vpc" {
| *auto_create_subnetworks* | Set to true to create an auto mode subnet, defaults to custom mode. | <code title="">bool</code> | | <code title="">false</code> |
| *delete_default_routes_on_create* | Set to true to delete the default routes at creation time. | <code title="">bool</code> | | <code title="">false</code> |
| *description* | An optional description of this resource (triggers recreation on change). | <code title="">string</code> | | <code title="">Terraform-managed.</code> |
| *dns_policy* | None | <code title="object&#40;&#123;&#10;inbound &#61; bool&#10;logging &#61; bool&#10;outbound &#61; object&#40;&#123;&#10;private_ns &#61; list&#40;string&#41;&#10;public_ns &#61; list&#40;string&#41;&#10;&#125;&#41;&#10;&#125;&#41;">object({...})</code> | | <code title="">null</code> |
| *iam* | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | <code title="map&#40;map&#40;list&#40;string&#41;&#41;&#41;">map(map(list(string)))</code> | | <code title="">{}</code> |
| *log_config_defaults* | Default configuration for flow logs when enabled. | <code title="object&#40;&#123;&#10;aggregation_interval &#61; string&#10;flow_sampling &#61; number&#10;metadata &#61; string&#10;&#125;&#41;">object({...})</code> | | <code title="&#123;&#10;aggregation_interval &#61; &#34;INTERVAL_5_SEC&#34;&#10;flow_sampling &#61; 0.5&#10;metadata &#61; &#34;INCLUDE_ALL_METADATA&#34;&#10;&#125;">...</code> |
| *log_configs* | Map keyed by subnet 'region/name' of optional configurations for flow logs when enabled. | <code title="map&#40;map&#40;string&#41;&#41;">map(map(string))</code> | | <code title="">{}</code> |


@@ -239,6 +239,38 @@ resource "google_compute_global_address" "psn_range" {
network = local.network.id
}
resource "google_dns_policy" "default" {
count = var.dns_policy == null ? 0 : 1
enable_inbound_forwarding = var.dns_policy.inbound
enable_logging = var.dns_policy.logging
name = var.name
project = var.project_id
networks {
network_url = local.network.id
}
dynamic "alternative_name_server_config" {
for_each = var.dns_policy.outbound == null ? [] : [1]
content {
dynamic "target_name_servers" {
for_each = toset(var.dns_policy.outbound.private_ns)
iterator = ns
content {
ipv4_address = ns.key
forwarding_path = "private"
}
}
dynamic "target_name_servers" {
for_each = toset(var.dns_policy.outbound.public_ns)
iterator = ns
content {
ipv4_address = ns.key
}
}
}
}
}
resource "google_service_networking_connection" "psn_connection" {
count = var.private_service_networking_range == null ? 0 : 1
network = local.network.id
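Review bot: Setting `alternative_name_server_config` on the policy (the dynamic block in the middle of the hunk) makes Cloud DNS forward every query from the network to the listed name servers, which also bypasses the private zones and DNS peering attached to the VPC; that is easy to miss from a bare `outbound = {...}` and deserves a comment on the dynamic block, e.g. `# Outbound alternative name servers replace Cloud DNS resolution for the whole network (private zones are no longer consulted).` Also `toset(var.dns_policy.outbound.private_ns)` and `toset(var.dns_policy.outbound.public_ns)` fail at plan time if a caller sets either list to `null`, which an object-typed attribute allows; `for_each = toset(coalesce(var.dns_policy.outbound.private_ns, []))` on both `for_each` lines avoids that, or reject null in the variable's validation. The `psn_range` and `psn_connection` resources at the hunk edges start and end outside it.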


@@ -32,6 +32,18 @@ variable "description" {
default = "Terraform-managed."
}
variable "dns_policy" {
type = object({
inbound = bool
logging = bool
outbound = object({
private_ns = list(string)
public_ns = list(string)
})
})
default = null
}
variable "iam" {
description = "Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format."
type = map(map(list(string)))
@@ -84,6 +96,19 @@ variable "peering_create_remote_end" {
default = true
}
variable "private_service_networking_range" {
description = "RFC1919 CIDR range used for Google services that support private service networking."
type = string
default = null
validation {
condition = (
var.private_service_networking_range == null ||
can(cidrnetmask(var.private_service_networking_range))
)
error_message = "Specify a valid RFC1918 CIDR range for private service networking."
}
}
variable "project_id" {
description = "The ID of the project where this VPC will be created"
type = string
@@ -159,16 +184,3 @@ variable "vpc_create" {
type = bool
default = true
}
variable "private_service_networking_range" {
description = "RFC1919 CIDR range used for Google services that support private service networking."
type = string
default = null
validation {
condition = (
var.private_service_networking_range == null ||
can(cidrnetmask(var.private_service_networking_range))
)
error_message = "Specify a valid RFC1918 CIDR range for private service networking."
}
}
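Review bot: The new `variable "dns_policy"` in the first hunk of this file has no `description`, which is why the generated README row for it renders as `None`, and nothing checks that the `private_ns`/`public_ns` entries are IPv4 addresses even though `google_dns_policy` consumes them as `ipv4_address`. A description plus a `validation` block modelled on the one already used for `private_service_networking_range` (`can(cidrnetmask(...))`, which only accepts IPv4) would catch bad input at plan time rather than at apply; `alltrue` needs Terraform 0.13+, and `try(..., [])` keeps the condition valid when the variable or its `outbound` attribute is null. As a nit, the moved `private_service_networking_range` description still reads `RFC1919` where its error message says `RFC1918`. The `variable "description"` block at the top of the first hunk starts outside it.
```hcl
variable "dns_policy" {
  description = "DNS policy for the network: inbound forwarding, query logging and optional outbound alternative name servers (private_ns use the private forwarding path)."
  # … unchanged: type …
  default = null
  validation {
    condition = alltrue([
      for ns in try(concat(var.dns_policy.outbound.private_ns, var.dns_policy.outbound.public_ns), [])
      : can(cidrnetmask("${ns}/32"))
    ])
    error_message = "dns_policy outbound name servers must be valid IPv4 addresses."
  }
}
```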