CloudSQL PSC Endpoints support (#2242)
* Add PSC endpoint consumers to net-address
* Cloud SQL E2E tests
committed by
GitHub
parent
35a17a46ba
commit
6a3c7fe444
@@ -122,6 +122,26 @@ module "addresses" {
|
||||
# tftest modules=1 resources=1 inventory=psc.yaml e2e
|
||||
```
|
||||
|
||||
To create PSC address targeting a service regional provider use the `service_attachment` property.
|
||||
```hcl
|
||||
module "addresses" {
|
||||
source = "./fabric/modules/net-address"
|
||||
project_id = var.project_id
|
||||
psc_addresses = {
|
||||
cloudsql-one = {
|
||||
address = "10.0.16.32"
|
||||
subnet_self_link = var.subnet.self_link
|
||||
region = var.region
|
||||
service_attachment = {
|
||||
psc_service_attachment_link = module.cloudsql-instance.psc_service_attachment_link
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=2 resources=3 fixtures=fixtures/cloudsql-instance.tf inventory=psc-service-attachment.yaml e2e
|
||||
```
|
||||
|
||||
|
||||
### IPSec Interconnect addresses
|
||||
|
||||
```hcl
|
||||
@@ -176,8 +196,8 @@ module "addresses" {
|
||||
| [internal_addresses](variables.tf#L50) | Map of internal addresses to create, keyed by name. | <code title="map(object({ region = string subnetwork = string address = optional(string) description = optional(string, "Terraform managed.") ipv6 = optional(map(string)) # To be left empty for ipv6 labels = optional(map(string)) name = optional(string) purpose = optional(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [ipsec_interconnect_addresses](variables.tf#L65) | Map of internal addresses used for HPA VPN over Cloud Interconnect. | <code title="map(object({ region = string address = string network = string description = optional(string, "Terraform managed.") name = optional(string) prefix_length = number }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [network_attachments](variables.tf#L84) | PSC network attachments, names as keys. | <code title="map(object({ subnet_self_link = string automatic_connection = optional(bool, false) description = optional(string, "Terraform-managed.") producer_accept_lists = optional(list(string)) producer_reject_lists = optional(list(string)) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [psa_addresses](variables.tf#L102) | Map of internal addresses used for Private Service Access. | <code title="map(object({ address = string network = string prefix_length = number description = optional(string, "Terraform managed.") name = optional(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [psc_addresses](variables.tf#L115) | Map of internal addresses used for Private Service Connect. | <code title="map(object({ address = string network = string description = optional(string, "Terraform managed.") name = optional(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [psa_addresses](variables.tf#L102) | Map of internal addresses used for Private Service Access. | <code title="map(object({ address = string network = string prefix_length = number description = optional(string, "Terraform managed.") name = optional(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [psc_addresses](variables.tf#L114) | Map of internal addresses used for Private Service Connect. | <code title="map(object({ address = string description = optional(string, "Terraform managed.") name = optional(string) network = optional(string) region = optional(string) subnet_self_link = optional(string) service_attachment = optional(object({ # so we can safely check if service_attachemnt != null in for_each psc_service_attachment_link = string })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
@@ -193,5 +213,6 @@ module "addresses" {
|
||||
|
||||
## Fixtures
|
||||
|
||||
- [cloudsql-instance.tf](../../tests/fixtures/cloudsql-instance.tf)
|
||||
- [net-vpc-ipv6.tf](../../tests/fixtures/net-vpc-ipv6.tf)
|
||||
<!-- END TFDOC -->
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
* Copyright 2024 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -14,20 +14,6 @@
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
locals {
|
||||
network_attachments = {
|
||||
for k, v in var.network_attachments : k => merge(v, {
|
||||
region = regex("regions/([^/]+)", v.subnet_self_link)[0]
|
||||
# not using the full self link generates a permadiff
|
||||
subnet_self_link = (
|
||||
startswith(v.subnet_self_link, "https://")
|
||||
? v.subnet_self_link
|
||||
: "https://www.googleapis.com/compute/v1/${v.subnet_self_link}"
|
||||
)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_compute_global_address" "global" {
|
||||
for_each = var.global_addresses
|
||||
project = var.project_id
|
||||
@@ -66,18 +52,6 @@ resource "google_compute_address" "internal" {
|
||||
subnetwork = each.value.subnetwork
|
||||
}
|
||||
|
||||
resource "google_compute_global_address" "psc" {
|
||||
for_each = var.psc_addresses
|
||||
project = var.project_id
|
||||
name = coalesce(each.value.name, each.key)
|
||||
description = each.value.description
|
||||
address = try(each.value.address, null)
|
||||
address_type = "INTERNAL"
|
||||
network = each.value.network
|
||||
purpose = "PRIVATE_SERVICE_CONNECT"
|
||||
# labels = lookup(var.internal_address_labels, each.key, {})
|
||||
}
|
||||
|
||||
resource "google_compute_global_address" "psa" {
|
||||
for_each = var.psa_addresses
|
||||
project = var.project_id
|
||||
@@ -104,17 +78,3 @@ resource "google_compute_address" "ipsec_interconnect" {
|
||||
purpose = "IPSEC_INTERCONNECT"
|
||||
}
|
||||
|
||||
resource "google_compute_network_attachment" "default" {
|
||||
provider = google-beta
|
||||
for_each = local.network_attachments
|
||||
project = var.project_id
|
||||
region = each.value.region
|
||||
name = each.key
|
||||
description = each.value.description
|
||||
connection_preference = (
|
||||
each.value.automatic_connection ? "ACCEPT_AUTOMATIC" : "ACCEPT_MANUAL"
|
||||
)
|
||||
subnetworks = [each.value.subnet_self_link]
|
||||
producer_accept_lists = each.value.producer_accept_lists
|
||||
producer_reject_lists = each.value.producer_reject_lists
|
||||
}
|
||||
|
||||
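--- /dev/null
+++ b/modules/net-address/psc.tf
@@ -0,0 +1,102 @@
+/**
+* Copyright 2024 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+locals {
+network_attachments = {
+for k, v in var.network_attachments : k => merge(v, {
+region = regex("regions/([^/]+)", v.subnet_self_link)[0]
+# not using the full self link generates a permadiff
+subnet_self_link = (
+startswith(v.subnet_self_link, "https://")
+? v.subnet_self_link
+: "https://www.googleapis.com/compute/v1/${v.subnet_self_link}"
+)
+})
+}
+regional_psc = {
+for name, psc in var.psc_addresses : name => psc if psc.region != null
+
+}
+global_psc = {
+for name, psc in var.psc_addresses : name => psc if psc.region == null
+}
+}
+
+resource "google_compute_network_attachment" "default" {
+provider = google-beta
+for_each = local.network_attachments
+project = var.project_id
+region = each.value.region
+name = each.key
+description = each.value.description
+connection_preference = (
+each.value.automatic_connection ? "ACCEPT_AUTOMATIC" : "ACCEPT_MANUAL"
+)
+subnetworks = [each.value.subnet_self_link]
+producer_accept_lists = each.value.producer_accept_lists
+producer_reject_lists = each.value.producer_reject_lists
+}
+
+# global PSC services
+resource "google_compute_global_address" "psc" {
+for_each = local.global_psc
+project = var.project_id
+name = coalesce(each.value.name, each.key)
+description = each.value.description
+address = try(each.value.address, null)
+address_type = "INTERNAL"
+network = each.value.network
+purpose = "PRIVATE_SERVICE_CONNECT"
+# labels = lookup(var.internal_address_labels, each.key, {})
+}
+
+resource "google_compute_global_forwarding_rule" "psc_consumer" {
+for_each = { for name, psc in local.global_psc : name => psc if psc.service_attachment != null }
+name = coalesce(each.value.name, each.key)
+project = var.project_id
+subnetwork = each.value.subnet_self_link
+ip_address = google_compute_global_address.psc[each.key].self_link
+load_balancing_scheme = ""
+target = each.value.service_attachment.psc_service_attachment_link
+}
+
+# regional PSC services
+resource "google_compute_address" "psc" {
+for_each = local.regional_psc
+project = var.project_id
+name = coalesce(each.value.name, each.key)
+address = try(each.value.address, null)
+address_type = "INTERNAL"
+description = each.value.description
+network = each.value.network
+# purpose not applicable for regional address
+# purpose = "PRIVATE_SERVICE_CONNECT"
+region = each.value.region
+subnetwork = each.value.subnet_self_link
+# labels = lookup(var.internal_address_labels, each.key, {})
+}
+
+resource "google_compute_forwarding_rule" "psc_consumer" {
+for_each = { for name, psc in local.regional_psc : name => psc if psc.service_attachment != null }
+name = coalesce(each.value.name, each.key)
+project = var.project_id
+region = each.value.region
+subnetwork = each.value.subnet_self_link
+ip_address = google_compute_address.psc[each.key].self_link
+load_balancing_scheme = ""
+recreate_closed_psc = true
+target = each.value.service_attachment.psc_service_attachment_link
+}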
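Review bot: In `google_compute_global_forwarding_rule.psc_consumer`, `subnetwork = each.value.subnet_self_link` can never be non-null, because the variable's own validations require `network` for entries without a `region` and forbid `network` together with `subnet_self_link`; the line is dead and implies a subnet is consulted for global endpoints when it is not, so dropping it keeps the resource honest. I could not confirm from this page that a global forwarding rule accepts a service-attachment `target` at all — the README example and the E2E inventory added in this commit exercise only the regional path (`region` set) — so that branch deserves either a test or an explicit note. `recreate_closed_psc = true` on the regional rule is a deliberate operational choice and merits a why-comment such as `# re-create the consumer endpoint if the producer closes the connection, instead of leaving a dead rule in state`. Because entries are split into `global_psc` and `regional_psc` purely on whether `region` is set, adding or removing `region` on an existing key moves it between `google_compute_global_address.psc` and `google_compute_address.psc` and forces the address to be destroyed and re-created, which is worth a comment above the two locals. The stray blank line inside the `regional_psc` for-expression should also go.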
@@ -107,7 +107,6 @@ variable "psa_addresses" {
|
||||
prefix_length = number
|
||||
description = optional(string, "Terraform managed.")
|
||||
name = optional(string)
|
||||
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
@@ -115,10 +114,27 @@ variable "psa_addresses" {
|
||||
variable "psc_addresses" {
|
||||
description = "Map of internal addresses used for Private Service Connect."
|
||||
type = map(object({
|
||||
address = string
|
||||
network = string
|
||||
description = optional(string, "Terraform managed.")
|
||||
name = optional(string)
|
||||
address = string
|
||||
description = optional(string, "Terraform managed.")
|
||||
name = optional(string)
|
||||
network = optional(string)
|
||||
region = optional(string)
|
||||
subnet_self_link = optional(string)
|
||||
service_attachment = optional(object({ # so we can safely check if service_attachemnt != null in for_each
|
||||
psc_service_attachment_link = string
|
||||
}))
|
||||
}))
|
||||
default = {}
|
||||
validation {
|
||||
condition = alltrue([for key, value in var.psc_addresses : (value.region != null || (value.region == null && value.network != null))])
|
||||
error_message = "Provide network if creating global PSC addresses / endpoints."
|
||||
}
|
||||
validation {
|
||||
condition = alltrue([for key, value in var.psc_addresses : (value.region == null || (value.region != null && value.subnet_self_link != null))])
|
||||
error_message = "Provide subnet_self_link if creating regional PSC addresses / endpoints."
|
||||
}
|
||||
validation {
|
||||
condition = alltrue([for key, value in var.psc_addresses : !(value.subnet_self_link != null && value.network != null)])
|
||||
error_message = "Do not provide network and subnet_self_link at the same time"
|
||||
}
|
||||
}
|
||||
|
||||
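Review bot: The first two validation conditions in this hunk each nest a conjunct that is already implied by the branch it sits in (`value.region == null && value.network != null` is only evaluated when `value.region != null` is false, and symmetrically for the second), so they read stricter than they are; `condition = alltrue([for k, v in var.psc_addresses : v.region != null || v.network != null])` and `condition = alltrue([for k, v in var.psc_addresses : v.region == null || v.subnet_self_link != null])` state the same rules plainly. The inline comment on `service_attachment` misspells the attribute as `service_attachemnt`. Since the variable now also drives consumer forwarding rules, the description no longer tells the whole story; something like `"Map of internal addresses used for Private Service Connect; entries with a service_attachment also create a consumer endpoint (forwarding rule)."` would. Nothing rejects a `region` that disagrees with the region embedded in `subnet_self_link`, so that mismatch only surfaces at apply time; a validation comparing `regex("regions/([^/]+)", v.subnet_self_link)[0]` with `v.region` (guarded for null) would catch it at plan time.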