kovagoadi/hunfabric
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

CloudSQL PSC Endpoints support (#2242)

Browse Source 
* Add PSC endpoints consumers to net-address
* Cloud SQL E2E tests
This commit is contained in:
Wiktor Niesiobędzki
2024-05-12 12:00:39 +02:00
committed by GitHub
parent 35a17a46ba
commit 6a3c7fe444
19 changed files with 464 additions and 178 deletions
Download Patch File Download Diff File Expand all files Collapse all files

175
modules/cloudsql-instance/README.md
View File

@@ -1,4 +1,4 @@
# Cloud SQL instance with read replicas
# Cloud SQL instance module
This module manages the creation of Cloud SQL instances with potential read replicas in other regions. It can also create an initial set of users and databases via the `users` and `databases` parameters.
@@ -6,7 +6,24 @@ Note that this module assumes that some options are the same for both the primar
*Warning:* if you use the `users` field, you terraform state will contain each user's password in plain text.
## Simple example
<!-- BEGIN TOC -->
- [Examples](#examples)
- [Simple example](#simple-example)
- [Cross-regional read replica](#cross-regional-read-replica)
- [Custom flags, databases and users](#custom-flags-databases-and-users)
- [CMEK encryption](#cmek-encryption)
- [Instance with PSC enabled](#instance-with-psc-enabled)
- [Enable public IP](#enable-public-ip)
- [Query Insights](#query-insights)
- [Maintenance Config](#maintenance-config)
- [SSL Config](#ssl-config)
- [Variables](#variables)
- [Outputs](#outputs)
- [Fixtures](#fixtures)
<!-- END TOC -->
## Examples
### Simple example
This example shows how to setup a project, VPC and a standalone Cloud SQL instance.
@@ -14,10 +31,12 @@ This example shows how to setup a project, VPC and a standalone Cloud SQL instan
module "project" {
source = "./fabric/modules/project"
billing_account = var.billing_account_id
parent = var.organization_id
name = "my-db-project"
parent = var.folder_id
name = "db-prj"
prefix = var.prefix
services = [
"servicenetworking.googleapis.com"
"servicenetworking.googleapis.com",
"sqladmin.googleapis.com",
]
}
@@ -25,9 +44,18 @@ module "vpc" {
source = "./fabric/modules/net-vpc"
project_id = module.project.project_id
name = "my-network"
# need only one - psa_config or subnets_psc
psa_configs = [{
ranges = { cloud-sql = "10.60.0.0/16" }
ranges = { cloud-sql = "10.60.0.0/16" }
deletion_policy = "ABANDON"
}]
subnets_psc = [
{
ip_cidr_range = "10.0.3.0/24"
name = "psc"
region = var.region
}
]
}
module "db" {
@@ -38,17 +66,20 @@ module "db" {
psa_config = {
private_network = module.vpc.self_link
}
# psc_allowed_consumer_projects = [var.project_id]
}
}
name = "db"
region = "europe-west1"
database_version = "POSTGRES_13"
tier = "db-g1-small"
name = "db"
region = var.region
database_version = "POSTGRES_13"
tier = "db-g1-small"
gcp_deletion_protection = false
terraform_deletion_protection = false
}
# tftest modules=3 resources=11 inventory=simple.yaml
# tftest modules=3 resources=14 inventory=simple.yaml e2e
```
## Cross-regional read replica
### Cross-regional read replica
```hcl
module "db" {
@@ -61,21 +92,23 @@ module "db" {
}
}
}
prefix = "myprefix"
name = "db"
region = "europe-west1"
prefix = "myprefix"
region = var.region
database_version = "POSTGRES_13"
tier = "db-g1-small"
replicas = {
replica1 = { region = "europe-west3", encryption_key_name = null }
replica2 = { region = "us-central1", encryption_key_name = null }
replica1 = { region = "europe-west3" }
replica2 = { region = "us-central1" }
}
gcp_deletion_protection = false
terraform_deletion_protection = false
}
# tftest modules=1 resources=3 inventory=replicas.yaml
# tftest modules=1 resources=3 inventory=replicas.yaml e2e
```
## Custom flags, databases and users
### Custom flags, databases and users
```hcl
module "db" {
@@ -89,7 +122,7 @@ module "db" {
}
}
name = "db"
region = "europe-west1"
region = var.region
database_version = "MYSQL_8_0"
tier = "db-g1-small"
@@ -112,47 +145,19 @@ module "db" {
password = "mypassword"
}
}
gcp_deletion_protection = false
terraform_deletion_protection = false
}
# tftest modules=1 resources=6 inventory=custom.yaml
# tftest modules=1 resources=6 inventory=custom.yaml e2e
```
### CMEK encryption
```hcl
module "project" {
source = "./fabric/modules/project"
billing_account = var.billing_account_id
parent = var.organization_id
name = "my-db-project"
services = [
"servicenetworking.googleapis.com",
"sqladmin.googleapis.com",
]
}
module "kms" {
source = "./fabric/modules/kms"
project_id = module.project.project_id
keyring = {
name = "keyring"
location = var.region
}
keys = {
key-sql = {
iam = {
"roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
"serviceAccount:${module.project.service_accounts.robots.sqladmin}"
]
}
}
}
}
module "db" {
source = "./fabric/modules/cloudsql-instance"
project_id = module.project.project_id
encryption_key_name = module.kms.keys["key-sql"].id
project_id = var.project_id
encryption_key_name = var.kms_key.id
network_config = {
connectivity = {
psa_config = {
@@ -160,13 +165,15 @@ module "db" {
}
}
}
name = "db"
region = var.region
database_version = "POSTGRES_13"
tier = "db-g1-small"
name = "db"
region = var.region
database_version = "POSTGRES_13"
tier = "db-g1-small"
gcp_deletion_protection = false
terraform_deletion_protection = false
}
# tftest modules=3 resources=10
# tftest modules=1 resources=2 fixtures=fixtures/cloudsql-kms-iam-grant.tf e2e
```
### Instance with PSC enabled
@@ -177,22 +184,25 @@ module "db" {
project_id = var.project_id
network_config = {
connectivity = {
psc_allowed_consumer_projects = ["my-project-id"]
psc_allowed_consumer_projects = [var.project_id]
}
}
prefix = "myprefix"
name = "db"
region = "europe-west1"
region = var.region
availability_type = "REGIONAL"
database_version = "POSTGRES_13"
tier = "db-g1-small"
gcp_deletion_protection = false
terraform_deletion_protection = false
}
# tftest modules=1 resources=1
# tftest modules=1 resources=1 inventory=psc.yaml e2e
```
### Enable public IP
Use `ipv_enabled` to create instances with a public IP.
Use `public_ipv4` to create instances with a public IP.
```hcl
module "db" {
@@ -206,15 +216,14 @@ module "db" {
}
}
}
name = "db"
region = "europe-west1"
tier = "db-g1-small"
database_version = "MYSQL_8_0"
replicas = {
replica1 = { region = "europe-west3", encryption_key_name = null }
}
name = "db"
region = var.region
tier = "db-g1-small"
database_version = "MYSQL_8_0"
gcp_deletion_protection = false
terraform_deletion_protection = false
}
# tftest modules=1 resources=2 inventory=public-ip.yaml
# tftest modules=1 resources=1 inventory=public-ip.yaml e2e
```
### Query Insights
@@ -233,15 +242,17 @@ module "db" {
}
}
name = "db"
region = "europe-west1"
region = var.region
database_version = "POSTGRES_13"
tier = "db-g1-small"
insights_config = {
query_string_length = 2048
}
gcp_deletion_protection = false
terraform_deletion_protection = false
}
# tftest modules=1 resources=1 inventory=insights.yaml
# tftest modules=1 resources=1 inventory=insights.yaml e2e
```
### Maintenance Config
@@ -260,13 +271,15 @@ module "db" {
}
}
name = "db"
region = "europe-west1"
region = var.region
database_version = "POSTGRES_13"
tier = "db-g1-small"
maintenance_config = {}
maintenance_config = {}
gcp_deletion_protection = false
terraform_deletion_protection = false
}
# tftest modules=1 resources=1
# tftest modules=1 resources=1 e2e
```
### SSL Config
@@ -285,13 +298,15 @@ module "db" {
}
}
name = "db"
region = "europe-west1"
region = var.region
database_version = "POSTGRES_13"
tier = "db-g1-small"
ssl = {}
ssl = {}
gcp_deletion_protection = false
terraform_deletion_protection = false
}
# tftest modules=1 resources=1
# tftest modules=1 resources=1 e2e
```
<!-- BEGIN TFDOC -->
## Variables
@@ -322,7 +337,7 @@ module "db" {
| [labels](variables.tf#L140) | Labels to be attached to all instances. | <code>map&#40;string&#41;</code> | | <code>null</code> |
| [maintenance_config](variables.tf#L146) | Set maintenance window configuration and maintenance deny period (up to 90 days). Date format: 'yyyy-mm-dd'. | <code title="object&#40;&#123;&#10; maintenance_window &#61; optional&#40;object&#40;&#123;&#10; day &#61; number&#10; hour &#61; number&#10; update_track &#61; optional&#40;string, null&#41;&#10; &#125;&#41;, null&#41;&#10; deny_maintenance_period &#61; optional&#40;object&#40;&#123;&#10; start_date &#61; string&#10; end_date &#61; string&#10; start_time &#61; optional&#40;string, &#34;00:00:00&#34;&#41;&#10; &#125;&#41;, null&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [prefix](variables.tf#L207) | Optional prefix used to generate instance names. | <code>string</code> | | <code>null</code> |
| [replicas](variables.tf#L227) | Map of NAME=> {REGION, KMS_KEY} for additional read replicas. Set to null to disable replica creation. | <code title="map&#40;object&#40;&#123;&#10; region &#61; string&#10; encryption_key_name &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [replicas](variables.tf#L227) | Map of NAME=> {REGION, KMS_KEY} for additional read replicas. Set to null to disable replica creation. | <code title="map&#40;object&#40;&#123;&#10; region &#61; string&#10; encryption_key_name &#61; optional&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [root_password](variables.tf#L236) | Root password of the Cloud SQL instance. Required for MS SQL Server. | <code>string</code> | | <code>null</code> |
| [ssl](variables.tf#L242) | Setting to enable SSL, set config and certificates. | <code title="object&#40;&#123;&#10; client_certificates &#61; optional&#40;list&#40;string&#41;&#41;&#10; require_ssl &#61; optional&#40;bool&#41;&#10; ssl_mode &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [terraform_deletion_protection](variables.tf#L258) | Prevent terraform from deleting instances. | <code>bool</code> | | <code>true</code> |
@@ -350,4 +365,8 @@ module "db" {
| [self_link](outputs.tf#L114) | Self link of the primary instance. | |
| [self_links](outputs.tf#L119) | Self links of all instances. | |
| [user_passwords](outputs.tf#L127) | Map of containing the password of all users created through terraform. | ✓ |
## Fixtures
- [cloudsql-kms-iam-grant.tf](../../tests/fixtures/cloudsql-kms-iam-grant.tf)
<!-- END TFDOC -->