Deprecate subnets_l7ilb variable, add support for proxy_only and psc subnets.

CHANGELOG.md

@@ -7,8 +7,9 @@ All notable changes to this project will be documented in this file.
 - SQL Server AlwaysOn availability groups example
 - CloudSQ: fixed Terraform change detection when backup is disabled
 - Allow multiple CIDR blocks in the ip_range for Apigee Instance
-- Add prefix to project factory SA bindings 
-- Add support for Private Service Connect and Reginal Managed Proxy subnets for `net-vpc` module
+- Add prefix to project factory SA bindings
+- **incompatible change** `subnets_l7ilb` variable is deprecated in the `net-vpc` module, instead `subnets_proxy_only` variable [should be used](https://cloud.google.com/load-balancing/docs/proxy-only-subnets#proxy_only_subnet_create)
+- Add support for [Private Service Connect](https://cloud.google.com/vpc/docs/private-service-connect#psc-subnets) and [Proxy-only](https://cloud.google.com/load-balancing/docs/proxy-only-subnets) subnets to `net-vpc` module
 
 **FAST**
 

modules/net-vpc/README.md

@@ -171,6 +171,38 @@ module "vpc" {
 # tftest modules=1 resources=5
 ```
 
+### Subnets for Private Service Connect, Proxy-only subnets
+
+Along with common private subnets module supports creation more service specific subnets for the following purposes:
+
+ - [Proxy-only subnets](https://cloud.google.com/load-balancing/docs/proxy-only-subnets) for Regional HTTPS Internal HTTPS Load Balancers
+ - [Private Service Connect](https://cloud.google.com/vpc/docs/private-service-connect#psc-subnets) subnets
+
+```hcl
+module "vpc" {
+  source     = "./modules/net-vpc"
+  project_id = "my-project"
+  name       = "my-network"
+
+  subnets_proxy_only = [
+    {
+      ip_cidr_range = "10.0.1.0/24"
+      name          = "regional-proxy"
+      region        = "europe-west1"
+      active        = true
+    }
+  ]
+  subnets_psc = [
+    {
+      ip_cidr_range = "10.0.3.0/24"
+      name          = "psc"
+      region        = "europe-west1"
+    }
+  ]
+}
+# tftest modules=1 resources=3
+```
+
 ### DNS Policies
 
 ```hcl
@@ -257,10 +289,9 @@ flow_logs:                        # enable, set to empty map to use defaults
 | [subnet_flow_logs](variables.tf#L163) | Optional map of boolean to control flow logs (default is disabled), keyed by subnet 'region/name'. | <code>map&#40;bool&#41;</code> |  | <code>&#123;&#125;</code> |
 | [subnet_private_access](variables.tf#L169) | Optional map of boolean to control private Google access (default is enabled), keyed by subnet 'region/name'. | <code>map&#40;bool&#41;</code> |  | <code>&#123;&#125;</code> |
 | [subnets](variables.tf#L175) | List of subnets being created. | <code title="list&#40;object&#40;&#123;&#10;  name               &#61; string&#10;  ip_cidr_range      &#61; string&#10;  region             &#61; string&#10;  secondary_ip_range &#61; map&#40;string&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
-| [subnets_l7ilb](variables.tf#L186) | List of subnets for private HTTPS load balancer. | <code title="list&#40;object&#40;&#123;&#10;  active        &#61; bool&#10;  name          &#61; string&#10;  ip_cidr_range &#61; string&#10;  region        &#61; string&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
-| [subnets_l7rlb](variables.tf#L197) | List of proxy-only subnets for HTTPS regional load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | <code title="list&#40;object&#40;&#123;&#10;  active        &#61; bool&#10;  name          &#61; string&#10;  ip_cidr_range &#61; string&#10;  region        &#61; string&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
-| [subnets_psc](variables.tf#L208) | List of subnets for Private Service Connect service producers. | <code title="list&#40;object&#40;&#123;&#10;  name          &#61; string&#10;  ip_cidr_range &#61; string&#10;  region        &#61; string&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
-| [vpc_create](variables.tf#L218) | Create VPC. When set to false, uses a data source to reference existing VPC. | <code>bool</code> |  | <code>true</code> |
+| [subnets_proxy_only](variables.tf#L186) | List of proxy-only subnets for Regional HTTPS  or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | <code title="list&#40;object&#40;&#123;&#10;  active        &#61; bool&#10;  name          &#61; string&#10;  ip_cidr_range &#61; string&#10;  region        &#61; string&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
+| [subnets_psc](variables.tf#L197) | List of subnets for Private Service Connect service producers. | <code title="list&#40;object&#40;&#123;&#10;  name          &#61; string&#10;  ip_cidr_range &#61; string&#10;  region        &#61; string&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
+| [vpc_create](variables.tf#L207) | Create VPC. When set to false, uses a data source to reference existing VPC. | <code>bool</code> |  | <code>true</code> |
 
 ## Outputs
 
@@ -276,7 +307,8 @@ flow_logs:                        # enable, set to empty map to use defaults
 | [subnet_secondary_ranges](outputs.tf#L85) | Map of subnet secondary ranges keyed by name. |  |
 | [subnet_self_links](outputs.tf#L96) | Map of subnet self links keyed by name. |  |
 | [subnets](outputs.tf#L102) | Subnet resources. |  |
-| [subnets_l7ilb](outputs.tf#L107) | L7 ILB subnet resources. |  |
+| [subnets_proxy_only](outputs.tf#L107) | L7 ILB or L7 Regional LB subnet resources. |  |
+| [subnets_psc](outputs.tf#L112) | Private Service Connect subnet resources. |  |
 
 <!-- END TFDOC -->
 The key format is `subnet_region/subnet_name`. For example `europe-west1/my_subnet`.

modules/net-vpc/outputs.tf

@@ -104,7 +104,12 @@ output "subnets" {
   value       = { for k, v in google_compute_subnetwork.subnetwork : k => v }
 }
 
-output "subnets_l7ilb" {
-  description = "L7 ILB subnet resources."
-  value       = { for k, v in google_compute_subnetwork.l7ilb : k => v }
+output "subnets_proxy_only" {
+  description = "L7 ILB or L7 Regional LB subnet resources."
+  value       = { for k, v in google_compute_subnetwork.proxy_only : k => v }
+}
+
+output "subnets_psc" {
+  description = "Private Service Connect subnet resources."
+  value       = { for k, v in google_compute_subnetwork.psc : k => v }
 }

modules/net-vpc/subnets.tf

@@ -85,12 +85,8 @@ locals {
     { for subnet in var.subnets : "${subnet.region}/${subnet.name}" => subnet },
     local._factory_subnets
   )
-  subnets_l7ilb = {
-    for subnet in var.subnets_l7ilb :
-    "${subnet.region}/${subnet.name}" => subnet
-  }
-  subnets_l7rlb = {
-    for subnet in var.subnets_l7rlb :
+  subnets_proxy_only = {
+    for subnet in var.subnets_proxy_only :
     "${subnet.region}/${subnet.name}" => subnet
   }
   subnets_psc = {
@@ -131,28 +127,8 @@ resource "google_compute_subnetwork" "subnetwork" {
   }
 }
 
-resource "google_compute_subnetwork" "l7ilb" {
-  provider      = google-beta
-  for_each      = local.subnets_l7ilb
-  project       = var.project_id
-  network       = local.network.name
-  region        = each.value.region
-  name          = each.value.name
-  ip_cidr_range = each.value.ip_cidr_range
-  purpose       = "INTERNAL_HTTPS_LOAD_BALANCER"
-  role = (
-    each.value.active || each.value.active == null ? "ACTIVE" : "BACKUP"
-  )
-  description = lookup(
-    local.subnet_descriptions,
-    "${each.value.region}/${each.value.name}",
-    "Terraform-managed."
-  )
-}
-
-resource "google_compute_subnetwork" "l7rlb" {
-  provider      = google-beta
-  for_each      = local.subnets_l7rlb
+resource "google_compute_subnetwork" "proxy_only" {
+  for_each      = local.subnets_proxy_only
   project       = var.project_id
   network       = local.network.name
   region        = each.value.region
@@ -165,12 +141,11 @@ resource "google_compute_subnetwork" "l7rlb" {
   description = lookup(
     local.subnet_descriptions,
     "${each.value.region}/${each.value.name}",
-    "Terraform-managed."
+    "Terraform-managed proxy-only subnet for Regional HTTPS or Internal HTTPS LB."
   )
 }
 
 resource "google_compute_subnetwork" "psc" {
-  provider      = google-beta
   for_each      = local.subnets_psc
   project       = var.project_id
   network       = local.network.name
@@ -181,7 +156,7 @@ resource "google_compute_subnetwork" "psc" {
   description = lookup(
     local.subnet_descriptions,
     "${each.value.region}/${each.value.name}",
-    "Terraform-managed."
+    "Terraform-managed subnet for Private Service Connect (PSC NAT)."
   )
 }
 

modules/net-vpc/variables.tf

@@ -183,19 +183,8 @@ variable "subnets" {
   default = []
 }
 
-variable "subnets_l7ilb" {
-  description = "List of subnets for private HTTPS load balancer."
-  type = list(object({
-    active        = bool
-    name          = string
-    ip_cidr_range = string
-    region        = string
-  }))
-  default = []
-}
-
-variable "subnets_l7rlb" {
-  description = "List of proxy-only subnets for HTTPS regional load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active."
+variable "subnets_proxy_only" {
+  description = "List of proxy-only subnets for Regional HTTPS  or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active."
   type = list(object({
     active        = bool
     name          = string