From 62a299a6f52a369704ab3986b01cab44802daeb2 Mon Sep 17 00:00:00 2001
From: Aleksandr Averbukh
Date: Wed, 13 Apr 2022 16:38:47 +0200
Subject: [PATCH] Deprecate subnets_l7ilb variable, add support for proxy_only and psc subnets.
---
CHANGELOG.md | 5 +++--
modules/net-vpc/README.md | 42 +++++++++++++++++++++++++++++++-----
modules/net-vpc/outputs.tf | 11 +++++++---
modules/net-vpc/subnets.tf | 37 ++++++-------------------------
modules/net-vpc/variables.tf | 15 ++-----------
5 files changed, 56 insertions(+), 54 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 32db3f32c..f6e785775 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,8 +7,9 @@ All notable changes to this project will be documented in this file. - SQL Server AlwaysOn availability groups example - CloudSQ: fixed Terraform change detection when backup is disabled - Allow multiple CIDR blocks in the ip_range for Apigee Instance -- Add prefix to project factory SA bindings -- Add support for Private Service Connect and Reginal Managed Proxy subnets for `net-vpc` module +- Add prefix to project factory SA bindings +- **incompatible change** `subnets_l7ilb` variable is deprecated in the `net-vpc` module, instead `subnets_proxy_only` variable [should be used](https://cloud.google.com/load-balancing/docs/proxy-only-subnets#proxy_only_subnet_create) +- Add support for [Private Service Connect](https://cloud.google.com/vpc/docs/private-service-connect#psc-subnets) and [Proxy-only](https://cloud.google.com/load-balancing/docs/proxy-only-subnets) subnets to `net-vpc` module **FAST**
diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md
index a963b671e..0941302b5 100644
--- a/modules/net-vpc/README.md
+++ b/modules/net-vpc/README.md
@@ -171,6 +171,38 @@ module "vpc" { # tftest modules=1 resources=5 ``` +### Subnets for Private Service Connect, Proxy-only subnets + +Along with common private subnets module supports creation more service specific subnets for the following purposes: + + - [Proxy-only subnets](https://cloud.google.com/load-balancing/docs/proxy-only-subnets) for Regional HTTPS Internal HTTPS Load Balancers + - [Private Service Connect](https://cloud.google.com/vpc/docs/private-service-connect#psc-subnets) subnets + +```hcl +module "vpc" { + source = "./modules/net-vpc" + project_id = "my-project" + name = "my-network" + + subnets_proxy_only = [ + { + ip_cidr_range = "10.0.1.0/24" + name = "regional-proxy" + region = "europe-west1" + active = true + } + ] + subnets_psc = [ + { + ip_cidr_range = "10.0.3.0/24" + name = "psc" + region = "europe-west1" + } + ] +} +# tftest modules=1 resources=3 +``` + ### DNS Policies ```hcl 
@@ -257,10 +289,9 @@ flow_logs: # enable, set to empty map to use defaults | [subnet_flow_logs](variables.tf#L163) | Optional map of boolean to control flow logs (default is disabled), keyed by subnet 'region/name'. | map(bool) | | {} | | [subnet_private_access](variables.tf#L169) | Optional map of boolean to control private Google access (default is enabled), keyed by subnet 'region/name'. | map(bool) | | {} | | [subnets](variables.tf#L175) | List of subnets being created. | list(object({…})) | | [] | -| [subnets_l7ilb](variables.tf#L186) | List of subnets for private HTTPS load balancer. | list(object({…})) | | [] | -| [subnets_l7rlb](variables.tf#L197) | List of proxy-only subnets for HTTPS regional load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] | -| [subnets_psc](variables.tf#L208) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] | -| [vpc_create](variables.tf#L218) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool | | true | +| [subnets_proxy_only](variables.tf#L186) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] | +| [subnets_psc](variables.tf#L197) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] | +| [vpc_create](variables.tf#L207) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool | | true | ## Outputs 
@@ -276,7 +307,8 @@ flow_logs: # enable, set to empty map to use defaults | [subnet_secondary_ranges](outputs.tf#L85) | Map of subnet secondary ranges keyed by name. | | | [subnet_self_links](outputs.tf#L96) | Map of subnet self links keyed by name. | | | [subnets](outputs.tf#L102) | Subnet resources. | | -| [subnets_l7ilb](outputs.tf#L107) | L7 ILB subnet resources. | | +| [subnets_proxy_only](outputs.tf#L107) | L7 ILB or L7 Regional LB subnet resources. | | +| [subnets_psc](outputs.tf#L112) | Private Service Connect subnet resources. | | The key format is `subnet_region/subnet_name`. For example `europe-west1/my_subnet`. diff --git a/modules/net-vpc/outputs.tf b/modules/net-vpc/outputs.tf index d1e68c343..fd79de659 100644 --- a/modules/net-vpc/outputs.tf +++ b/modules/net-vpc/outputs.tf @@ -104,7 +104,12 @@ output "subnets" { value = { for k, v in google_compute_subnetwork.subnetwork : k => v } } -output "subnets_l7ilb" { - description = "L7 ILB subnet resources." - value = { for k, v in google_compute_subnetwork.l7ilb : k => v } +output "subnets_proxy_only" { + description = "L7 ILB or L7 Regional LB subnet resources." + value = { for k, v in google_compute_subnetwork.proxy_only : k => v } +} + +output "subnets_psc" { + description = "Private Service Connect subnet resources." + value = { for k, v in google_compute_subnetwork.psc : k => v } } diff --git a/modules/net-vpc/subnets.tf b/modules/net-vpc/subnets.tf index c46c394e3..1cc892a01 100644 --- a/modules/net-vpc/subnets.tf +++ b/modules/net-vpc/subnets.tf @@ -85,12 +85,8 @@ locals { { for subnet in var.subnets : "${subnet.region}/${subnet.name}" => subnet }, local._factory_subnets ) - subnets_l7ilb = { - for subnet in var.subnets_l7ilb : - "${subnet.region}/${subnet.name}" => subnet - } - subnets_l7rlb = { - for subnet in var.subnets_l7rlb : + subnets_proxy_only = { + for subnet in var.subnets_proxy_only : "${subnet.region}/${subnet.name}" => subnet } subnets_psc = { 
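Review bot: The `subnets_l7ilb` output is removed in the outputs.tf hunk with nothing kept under the old name, so any root module that still references `module.<name>.subnets_l7ilb` fails at plan time, and the CHANGELOG entry in this commit names only the variable, not the output. The variables.tf hunk likewise deletes the `subnets_l7ilb` variable block outright rather than deprecating it, so a caller that still passes it gets an unsupported-argument error, which makes the "Deprecate" wording in the subject line and CHANGELOG understate the break. Suggest widening the CHANGELOG line to something like `**incompatible change** the subnets_l7ilb variable and output are removed from the net-vpc module; use subnets_proxy_only instead`, and mentioning the new `subnets_psc` output there as well, since the README table in the hunk above already lists it.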
@@ -131,28 +127,8 @@ resource "google_compute_subnetwork" "subnetwork" { } } -resource "google_compute_subnetwork" "l7ilb" { - provider = google-beta - for_each = local.subnets_l7ilb - project = var.project_id - network = local.network.name - region = each.value.region - name = each.value.name - ip_cidr_range = each.value.ip_cidr_range - purpose = "INTERNAL_HTTPS_LOAD_BALANCER" - role = ( - each.value.active || each.value.active == null ? "ACTIVE" : "BACKUP" - ) - description = lookup( - local.subnet_descriptions, - "${each.value.region}/${each.value.name}", - "Terraform-managed." - ) -} - -resource "google_compute_subnetwork" "l7rlb" { - provider = google-beta - for_each = local.subnets_l7rlb +resource "google_compute_subnetwork" "proxy_only" { + for_each = local.subnets_proxy_only project = var.project_id network = local.network.name region = each.value.region @@ -165,12 +141,11 @@ resource "google_compute_subnetwork" "l7rlb" { description = lookup( local.subnet_descriptions, "${each.value.region}/${each.value.name}", - "Terraform-managed." + "Terraform-managed proxy-only subnet for Regional HTTPS or Internal HTTPS LB." ) } resource "google_compute_subnetwork" "psc" { - provider = google-beta for_each = local.subnets_psc project = var.project_id network = local.network.name @@ -181,7 +156,7 @@ resource "google_compute_subnetwork" "psc" { description = lookup( local.subnet_descriptions, "${each.value.region}/${each.value.name}", - "Terraform-managed." + "Terraform-managed subnet for Private Service Connect (PSC NAT)." ) } diff --git a/modules/net-vpc/variables.tf b/modules/net-vpc/variables.tf index 5a85e921d..16b40eec9 100644 --- a/modules/net-vpc/variables.tf +++ b/modules/net-vpc/variables.tf 
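Review bot: Renaming the resource from `google_compute_subnetwork.l7rlb` to `google_compute_subnetwork.proxy_only` changes its state address, so an existing deployment of this module would plan a destroy of every live proxy-only subnet followed by a create, which is disruptive and fails while a load balancer still references the subnet; the deleted `l7ilb` resource has the same effect for its instances. If the module's required Terraform version allows it, a `moved` block keeps the l7rlb instances in place without a manual state edit; the `purpose` attribute of proxy_only is outside this hunk, so if former l7ilb subnets carried a different purpose they would need replacement regardless and that should be stated in the CHANGELOG rather than left for users to discover at plan time. Dropping `provider = google-beta` here and in the psc hunk below also assumes the GA google provider at the version pinned by the module accepts these subnet purposes, which is worth confirming against the provider constraint file that is not part of this patch. The proxy_only resource body continues outside the hunk.
```hcl
moved {
  from = google_compute_subnetwork.l7rlb
  to   = google_compute_subnetwork.proxy_only
}
```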
@@ -183,19 +183,8 @@ variable "subnets" { default = [] } -variable "subnets_l7ilb" { - description = "List of subnets for private HTTPS load balancer." - type = list(object({ - active = bool - name = string - ip_cidr_range = string - region = string - })) - default = [] -} - -variable "subnets_l7rlb" { - description = "List of proxy-only subnets for HTTPS regional load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active." +variable "subnets_proxy_only" { + description = "List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active." type = list(object({ active = bool name = string