diff --git a/CHANGELOG.md b/CHANGELOG.md
index 32db3f32c..f6e785775 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,8 +7,9 @@ All notable changes to this project will be documented in this file.
- SQL Server AlwaysOn availability groups example
- CloudSQ: fixed Terraform change detection when backup is disabled
- Allow multiple CIDR blocks in the ip_range for Apigee Instance
-- Add prefix to project factory SA bindings
-- Add support for Private Service Connect and Reginal Managed Proxy subnets for `net-vpc` module
+- Add prefix to project factory SA bindings
+- **incompatible change** `subnets_l7ilb` variable is deprecated in the `net-vpc` module, instead `subnets_proxy_only` variable [should be used](https://cloud.google.com/load-balancing/docs/proxy-only-subnets#proxy_only_subnet_create)
+- Add support for [Private Service Connect](https://cloud.google.com/vpc/docs/private-service-connect#psc-subnets) and [Proxy-only](https://cloud.google.com/load-balancing/docs/proxy-only-subnets) subnets to `net-vpc` module
**FAST**
diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md
index a963b671e..0941302b5 100644
--- a/modules/net-vpc/README.md
+++ b/modules/net-vpc/README.md
@@ -171,6 +171,38 @@ module "vpc" {
# tftest modules=1 resources=5
```
+### Subnets for Private Service Connect, Proxy-only subnets
+
+Along with common private subnets module supports creation more service specific subnets for the following purposes:
+
+ - [Proxy-only subnets](https://cloud.google.com/load-balancing/docs/proxy-only-subnets) for Regional HTTPS Internal HTTPS Load Balancers
+ - [Private Service Connect](https://cloud.google.com/vpc/docs/private-service-connect#psc-subnets) subnets
+
+```hcl
+module "vpc" {
+ source = "./modules/net-vpc"
+ project_id = "my-project"
+ name = "my-network"
+
+ subnets_proxy_only = [
+ {
+ ip_cidr_range = "10.0.1.0/24"
+ name = "regional-proxy"
+ region = "europe-west1"
+ active = true
+ }
+ ]
+ subnets_psc = [
+ {
+ ip_cidr_range = "10.0.3.0/24"
+ name = "psc"
+ region = "europe-west1"
+ }
+ ]
+}
+# tftest modules=1 resources=3
+```
+
### DNS Policies
```hcl
@@ -257,10 +289,9 @@ flow_logs: # enable, set to empty map to use defaults
| [subnet_flow_logs](variables.tf#L163) | Optional map of boolean to control flow logs (default is disabled), keyed by subnet 'region/name'. | map(bool) | | {} |
| [subnet_private_access](variables.tf#L169) | Optional map of boolean to control private Google access (default is enabled), keyed by subnet 'region/name'. | map(bool) | | {} |
| [subnets](variables.tf#L175) | List of subnets being created. | list(object({…})) | | [] |
-| [subnets_l7ilb](variables.tf#L186) | List of subnets for private HTTPS load balancer. | list(object({…})) | | [] |
-| [subnets_l7rlb](variables.tf#L197) | List of proxy-only subnets for HTTPS regional load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] |
-| [subnets_psc](variables.tf#L208) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] |
-| [vpc_create](variables.tf#L218) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool | | true |
+| [subnets_proxy_only](variables.tf#L186) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] |
+| [subnets_psc](variables.tf#L197) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] |
+| [vpc_create](variables.tf#L207) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool | | true |
## Outputs
@@ -276,7 +307,8 @@ flow_logs: # enable, set to empty map to use defaults
| [subnet_secondary_ranges](outputs.tf#L85) | Map of subnet secondary ranges keyed by name. | |
| [subnet_self_links](outputs.tf#L96) | Map of subnet self links keyed by name. | |
| [subnets](outputs.tf#L102) | Subnet resources. | |
-| [subnets_l7ilb](outputs.tf#L107) | L7 ILB subnet resources. | |
+| [subnets_proxy_only](outputs.tf#L107) | L7 ILB or L7 Regional LB subnet resources. | |
+| [subnets_psc](outputs.tf#L112) | Private Service Connect subnet resources. | |
The key format is `subnet_region/subnet_name`. For example `europe-west1/my_subnet`.
diff --git a/modules/net-vpc/outputs.tf b/modules/net-vpc/outputs.tf
index d1e68c343..fd79de659 100644
--- a/modules/net-vpc/outputs.tf
+++ b/modules/net-vpc/outputs.tf
@@ -104,7 +104,12 @@ output "subnets" {
value = { for k, v in google_compute_subnetwork.subnetwork : k => v }
}
-output "subnets_l7ilb" {
- description = "L7 ILB subnet resources."
- value = { for k, v in google_compute_subnetwork.l7ilb : k => v }
+output "subnets_proxy_only" {
+ description = "L7 ILB or L7 Regional LB subnet resources."
+ value = { for k, v in google_compute_subnetwork.proxy_only : k => v }
+}
+
+output "subnets_psc" {
+ description = "Private Service Connect subnet resources."
+ value = { for k, v in google_compute_subnetwork.psc : k => v }
}
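Review bot: Renaming the output from `subnets_l7ilb` to `subnets_proxy_only` breaks every caller that references `module.<name>.subnets_l7ilb`, yet the CHANGELOG line in this commit only flags the `subnets_l7ilb` variable as deprecated. Either extend that entry to cover the output, e.g. `**incompatible change** ... the ` + "`subnets_l7ilb` output is renamed to `subnets_proxy_only`" + `, or keep a deprecated alias output with the same value for one release so downstream root modules can migrate. The new description `"L7 ILB or L7 Regional LB subnet resources."` reads fine as-is.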
diff --git a/modules/net-vpc/subnets.tf b/modules/net-vpc/subnets.tf
index c46c394e3..1cc892a01 100644
--- a/modules/net-vpc/subnets.tf
+++ b/modules/net-vpc/subnets.tf
@@ -85,12 +85,8 @@ locals {
{ for subnet in var.subnets : "${subnet.region}/${subnet.name}" => subnet },
local._factory_subnets
)
- subnets_l7ilb = {
- for subnet in var.subnets_l7ilb :
- "${subnet.region}/${subnet.name}" => subnet
- }
- subnets_l7rlb = {
- for subnet in var.subnets_l7rlb :
+ subnets_proxy_only = {
+ for subnet in var.subnets_proxy_only :
"${subnet.region}/${subnet.name}" => subnet
}
subnets_psc = {
@@ -131,28 +127,8 @@ resource "google_compute_subnetwork" "subnetwork" {
}
}
-resource "google_compute_subnetwork" "l7ilb" {
- provider = google-beta
- for_each = local.subnets_l7ilb
- project = var.project_id
- network = local.network.name
- region = each.value.region
- name = each.value.name
- ip_cidr_range = each.value.ip_cidr_range
- purpose = "INTERNAL_HTTPS_LOAD_BALANCER"
- role = (
- each.value.active || each.value.active == null ? "ACTIVE" : "BACKUP"
- )
- description = lookup(
- local.subnet_descriptions,
- "${each.value.region}/${each.value.name}",
- "Terraform-managed."
- )
-}
-
-resource "google_compute_subnetwork" "l7rlb" {
- provider = google-beta
- for_each = local.subnets_l7rlb
+resource "google_compute_subnetwork" "proxy_only" {
+ for_each = local.subnets_proxy_only
project = var.project_id
network = local.network.name
region = each.value.region
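Review bot: The resource addresses `google_compute_subnetwork.l7rlb` and `google_compute_subnetwork.l7ilb` disappear from this file with no `moved` block, so an existing deployment that upgrades will plan a destroy of its proxy-only subnet and a create of `google_compute_subnetwork.proxy_only`; a proxy-only subnet cannot be deleted while regional or internal HTTPS load balancers use it, and if it could, those load balancers would lose their proxy addresses. A `moved` block for the `l7rlb` path keeps the state entries in place (it needs Terraform >= 1.1, so check the module's `required_version`). The former `l7ilb` subnets also change `purpose` (the removed block set `"INTERNAL_HTTPS_LOAD_BALANCER"`; the new resource's purpose line is outside this hunk), so if it differs they need a documented migration step rather than a move. The `proxy_only` resource body continues in the next hunk.
```hcl
moved {
  from = google_compute_subnetwork.l7rlb
  to   = google_compute_subnetwork.proxy_only
}

resource "google_compute_subnetwork" "proxy_only" {
  for_each = local.subnets_proxy_only
  # … unchanged: project, network, region, name, ip_cidr_range, purpose, role, description …
```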
@@ -165,12 +141,11 @@ resource "google_compute_subnetwork" "l7rlb" {
description = lookup(
local.subnet_descriptions,
"${each.value.region}/${each.value.name}",
- "Terraform-managed."
+ "Terraform-managed proxy-only subnet for Regional HTTPS or Internal HTTPS LB."
)
}
resource "google_compute_subnetwork" "psc" {
- provider = google-beta
for_each = local.subnets_psc
project = var.project_id
network = local.network.name
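Review bot: Dropping `provider = google-beta` from `google_compute_subnetwork.psc` (and from `proxy_only` in the previous hunk) silently moves these resources to the GA `hashicorp/google` provider, so the `purpose` values they set must be accepted by the minimum GA provider version in the module's `required_providers`; neither the purpose lines nor the version constraint are in this diff, so this is worth confirming before release. If the GA version pinned is too old, the unsupported value is likely to surface only as a plan or apply error for users who upgrade. A one-line comment such as `# GA provider is sufficient: purpose PRIVATE_SERVICE_CONNECT/REGIONAL_MANAGED_PROXY require google >= <min version>` next to `for_each` would record the decision. The `psc` resource body continues outside this hunk.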
@@ -181,7 +156,7 @@ resource "google_compute_subnetwork" "psc" {
description = lookup(
local.subnet_descriptions,
"${each.value.region}/${each.value.name}",
- "Terraform-managed."
+ "Terraform-managed subnet for Private Service Connect (PSC NAT)."
)
}
diff --git a/modules/net-vpc/variables.tf b/modules/net-vpc/variables.tf
index 5a85e921d..16b40eec9 100644
--- a/modules/net-vpc/variables.tf
+++ b/modules/net-vpc/variables.tf
@@ -183,19 +183,8 @@ variable "subnets" {
default = []
}
-variable "subnets_l7ilb" {
- description = "List of subnets for private HTTPS load balancer."
- type = list(object({
- active = bool
- name = string
- ip_cidr_range = string
- region = string
- }))
- default = []
-}
-
-variable "subnets_l7rlb" {
- description = "List of proxy-only subnets for HTTPS regional load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active."
+variable "subnets_proxy_only" {
+ description = "List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active."
type = list(object({
active = bool
name = string