Add net-vpc-factory and starter-gcd dataset to 0-org-setup, fix context in net-vpc-factory (#3860)
* feat(fast/0-org-setup): integrate net-vpc-factory into stage 0 * initial starter dataset * starter pack * fix(fast/0-org-setup): correct factory vpcs paths definition and update test inventory * feat(fast/0-org-setup): add VPC and subnet outputs and update stage tfvars * test(fast/0-org-setup): update gcd starter defaults and regenerate inventory * fix(modules/net-vpc-factory): remove internal defaults logic and pass context correctly * fix typo in dataset fw rule, add missing boilerplate, set sane defaults for net vpc factory * terraform fmt * tfdoc, copyright year * schema docs * yamllint
This commit is contained in:
Ludovico Magnocavallo
committed by
GitHub
GitHub
parent
6847fae28d
commit
85b0871085
@@ -181,10 +181,10 @@ ingress:
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [factories_config](variables.tf#L97) | Path to folder with YAML resource description data files. | <code>object({…})</code> | ✓ | |
|
||||
| [factories_config](variables.tf#L99) | Path to folder with YAML resource description data files. | <code>object({…})</code> | ✓ | |
|
||||
| [context](variables.tf#L17) | Context-specific interpolations. | <code>object({…})</code> | | <code>{}</code> |
|
||||
| [data_defaults](variables.tf#L27) | Optional default values used when corresponding vpc data from files are missing. | <code>object({…})</code> | | <code>{}</code> |
|
||||
| [data_overrides](variables.tf#L62) | Optional values that override corresponding data from files. Takes precedence over file data and `data_defaults`. | <code>object({…})</code> | | <code>{}</code> |
|
||||
| [data_defaults](variables.tf#L29) | Optional default values used when corresponding vpc data from files are missing. | <code>object({…})</code> | | <code>{}</code> |
|
||||
| [data_overrides](variables.tf#L64) | Optional values that override corresponding data from files. Takes precedence over file data and `data_defaults`. | <code>object({…})</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
||||
@@ -1,35 +0,0 @@
|
||||
# Copyright 2025 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# yaml-language-server: $schema=../schemas/defaults.schema.json
|
||||
|
||||
context:
|
||||
cidr_ranges_sets:
|
||||
healthchecks:
|
||||
- 35.191.0.0/16
|
||||
- 130.211.0.0/22
|
||||
- 209.85.152.0/22
|
||||
- 209.85.204.0/22
|
||||
rfc1918:
|
||||
- 10.0.0.0/8
|
||||
- 172.16.0.0/12
|
||||
- 192.168.0.0/16
|
||||
locations:
|
||||
primary: europe-west1
|
||||
secondary: europe-west3
|
||||
iam_principals: {}
|
||||
vpcs:
|
||||
auto_create_subnetworks: false
|
||||
delete_default_route_on_create: true
|
||||
mtu: 1500
|
||||
@@ -15,23 +15,11 @@
|
||||
*/
|
||||
|
||||
locals {
|
||||
ctx = var.context
|
||||
_vpcs_files = try(
|
||||
fileset(local.paths.vpcs, "**/.config.yaml"),
|
||||
[]
|
||||
)
|
||||
_defaults = try(
|
||||
yamldecode(file(local.paths.defaults)), {}
|
||||
)
|
||||
context = {
|
||||
locations = merge(
|
||||
var.context.locations, try(local._defaults.context.locations, {})
|
||||
)
|
||||
project_ids = merge(
|
||||
var.context.project_ids, try(local._defaults.context.project_ids, {})
|
||||
)
|
||||
cidr_ranges_sets = try(local._defaults.context.cidr_ranges_sets, {})
|
||||
iam_principals = try(local._defaults.context.iam_principals, {})
|
||||
}
|
||||
_vpcs_preprocess = [
|
||||
for f in local._vpcs_files : merge(
|
||||
yamldecode(file("${coalesce(local.paths.vpcs, "-")}/${f}")),
|
||||
@@ -54,7 +42,6 @@ locals {
|
||||
}
|
||||
vpcs = {
|
||||
for k, v in local._vpcs : k => merge(
|
||||
try(local._defaults.vpcs, {}),
|
||||
{ for k, v in var.data_defaults : k => v if v != null },
|
||||
v,
|
||||
{ for k, v in var.data_overrides : k => v if v != null },
|
||||
@@ -81,6 +68,7 @@ locals {
|
||||
module "vpcs" {
|
||||
source = "../net-vpc"
|
||||
for_each = local.vpcs
|
||||
context = local.ctx
|
||||
project_id = try(each.value.project_id, null)
|
||||
name = try(each.value.name, null)
|
||||
auto_create_subnetworks = try(each.value.auto_create_subnetworks, null)
|
||||
@@ -95,7 +83,6 @@ module "vpcs" {
|
||||
network_attachments = try(each.value.network_attachments, {})
|
||||
psa_configs = try(each.value.psa_configs, [])
|
||||
routing_mode = try(each.value.routing_mode, "GLOBAL")
|
||||
context = local.context
|
||||
}
|
||||
|
||||
module "firewall" {
|
||||
@@ -103,12 +90,10 @@ module "firewall" {
|
||||
for_each = {
|
||||
for k, v in local.vpcs : k => v if v.firewall_factory_config != null
|
||||
}
|
||||
context = local.ctx
|
||||
project_id = each.value.project_id
|
||||
network = each.value.name
|
||||
factories_config = each.value.firewall_factory_config
|
||||
default_rules_config = { disabled = true }
|
||||
context = {
|
||||
project_ids = local.context.project_ids
|
||||
}
|
||||
depends_on = [module.vpcs]
|
||||
depends_on = [module.vpcs]
|
||||
}
|
||||
|
||||
@@ -17,8 +17,10 @@
|
||||
variable "context" {
|
||||
description = "Context-specific interpolations."
|
||||
type = object({
|
||||
locations = optional(map(string), {})
|
||||
project_ids = optional(map(string), {})
|
||||
cidr_ranges_sets = optional(map(list(string)), {})
|
||||
iam_principals = optional(map(string), {})
|
||||
locations = optional(map(string), {})
|
||||
project_ids = optional(map(string), {})
|
||||
})
|
||||
default = {}
|
||||
nullable = false
|
||||
@@ -29,9 +31,9 @@ variable "data_defaults" {
|
||||
type = object({
|
||||
project_id = optional(string)
|
||||
description = optional(string, "Terraform managed")
|
||||
auto_create_subnetworks = optional(bool)
|
||||
auto_create_subnetworks = optional(bool, false)
|
||||
delete_default_routes_on_create = optional(bool, true)
|
||||
mtu = optional(number)
|
||||
mtu = optional(number, 1500)
|
||||
routing_mode = optional(string, "GLOBAL")
|
||||
firewall_policy_enforcement_order = optional(string, "AFTER_CLASSIC_FIREWALL")
|
||||
create_googleapis_routes = optional(object({
|
||||
@@ -99,8 +101,7 @@ variable "factories_config" {
|
||||
type = object({
|
||||
basepath = string
|
||||
paths = optional(object({
|
||||
defaults = optional(string, "defaults.yaml")
|
||||
vpcs = optional(string, "vpcs")
|
||||
vpcs = optional(string, "vpcs")
|
||||
}), {})
|
||||
})
|
||||
nullable = false
|
||||
|
||||
@@ -960,8 +960,8 @@ secondary_ip_ranges:
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [name](variables.tf#L184) | The name of the network being created. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L261) | The ID of the project where this VPC will be created. | <code>string</code> | ✓ | |
|
||||
| [name](variables.tf#L183) | The name of the network being created. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L260) | The ID of the project where this VPC will be created. | <code>string</code> | ✓ | |
|
||||
| [auto_create_subnetworks](variables.tf#L17) | Set to true to create an auto mode subnet, defaults to custom mode. | <code>bool</code> | | <code>false</code> |
|
||||
| [context](variables.tf#L23) | Context-specific interpolations. | <code>object({…})</code> | | <code>{}</code> |
|
||||
| [create_googleapis_routes](variables.tf#L45) | Toggle creation of googleapis private/restricted routes. Disabled when vpc creation is turned off, or when set to null. | <code>object({…})</code> | | <code>{}</code> |
|
||||
@@ -970,23 +970,23 @@ secondary_ip_ranges:
|
||||
| [dns_policy](variables.tf#L70) | DNS policy setup for the VPC. | <code>object({…})</code> | | <code>null</code> |
|
||||
| [factories_config](variables.tf#L83) | Paths to data files and folders that enable factory functionality. | <code>object({…})</code> | | <code>{}</code> |
|
||||
| [firewall_policy_enforcement_order](variables.tf#L92) | Order that Firewall Rules and Firewall Policies are evaluated. Can be either 'BEFORE_CLASSIC_FIREWALL' or 'AFTER_CLASSIC_FIREWALL'. | <code>string</code> | | <code>"AFTER_CLASSIC_FIREWALL"</code> |
|
||||
| [internal_ranges](variables.tf#L104) | Internal range configuration for IPAM operations within the VPC network. | <code>list(object({…}))</code> | | <code>[]</code> |
|
||||
| [ipv6_config](variables.tf#L168) | Optional IPv6 configuration for this network. | <code>object({…})</code> | | <code>{}</code> |
|
||||
| [mtu](variables.tf#L178) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 (the default) and the maximum value is 1500 bytes. | <code>number</code> | | <code>null</code> |
|
||||
| [network_attachments](variables.tf#L189) | PSC network attachments, names as keys. | <code>map(object({…}))</code> | | <code>{}</code> |
|
||||
| [peering_config](variables.tf#L202) | VPC peering configuration. | <code>object({…})</code> | | <code>null</code> |
|
||||
| [policy_based_routes](variables.tf#L213) | Policy based routes, keyed by name. | <code>map(object({…}))</code> | | <code>{}</code> |
|
||||
| [psa_configs](variables.tf#L266) | The Private Service Access configuration. | <code>list(object({…}))</code> | | <code>[]</code> |
|
||||
| [routes](variables.tf#L298) | Network routes, keyed by name. | <code>map(object({…}))</code> | | <code>{}</code> |
|
||||
| [routing_mode](variables.tf#L319) | The network routing mode (default 'GLOBAL'). | <code>string</code> | | <code>"GLOBAL"</code> |
|
||||
| [service_connection_policies](variables.tf#L329) | Service connection policies, keyed by name. | <code>map(object({…}))</code> | | <code>{}</code> |
|
||||
| [shared_vpc_host](variables.tf#L371) | Enable shared VPC for this project. | <code>bool</code> | | <code>false</code> |
|
||||
| [shared_vpc_service_projects](variables.tf#L377) | Shared VPC service projects to register with this host. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [subnets](variables.tf#L383) | Subnet configuration. | <code>list(object({…}))</code> | | <code>[]</code> |
|
||||
| [subnets_private_nat](variables.tf#L463) | List of private NAT subnets. | <code>list(object({…}))</code> | | <code>[]</code> |
|
||||
| [subnets_proxy_only](variables.tf#L475) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | <code>list(object({…}))</code> | | <code>[]</code> |
|
||||
| [subnets_psc](variables.tf#L509) | List of subnets for Private Service Connect service producers. | <code>list(object({…}))</code> | | <code>[]</code> |
|
||||
| [vpc_reuse](variables.tf#L549) | Reuse existing VPC if not null. If the network_id number is not passed in, a data source is used. | <code>object({…})</code> | | <code>null</code> |
|
||||
| [internal_ranges](variables.tf#L103) | Internal range configuration for IPAM operations within the VPC network. | <code>list(object({…}))</code> | | <code>[]</code> |
|
||||
| [ipv6_config](variables.tf#L167) | Optional IPv6 configuration for this network. | <code>object({…})</code> | | <code>{}</code> |
|
||||
| [mtu](variables.tf#L177) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 (the default) and the maximum value is 1500 bytes. | <code>number</code> | | <code>null</code> |
|
||||
| [network_attachments](variables.tf#L188) | PSC network attachments, names as keys. | <code>map(object({…}))</code> | | <code>{}</code> |
|
||||
| [peering_config](variables.tf#L201) | VPC peering configuration. | <code>object({…})</code> | | <code>null</code> |
|
||||
| [policy_based_routes](variables.tf#L212) | Policy based routes, keyed by name. | <code>map(object({…}))</code> | | <code>{}</code> |
|
||||
| [psa_configs](variables.tf#L265) | The Private Service Access configuration. | <code>list(object({…}))</code> | | <code>[]</code> |
|
||||
| [routes](variables.tf#L297) | Network routes, keyed by name. | <code>map(object({…}))</code> | | <code>{}</code> |
|
||||
| [routing_mode](variables.tf#L318) | The network routing mode (default 'GLOBAL'). | <code>string</code> | | <code>"GLOBAL"</code> |
|
||||
| [service_connection_policies](variables.tf#L328) | Service connection policies, keyed by name. | <code>map(object({…}))</code> | | <code>{}</code> |
|
||||
| [shared_vpc_host](variables.tf#L370) | Enable shared VPC for this project. | <code>bool</code> | | <code>false</code> |
|
||||
| [shared_vpc_service_projects](variables.tf#L376) | Shared VPC service projects to register with this host. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [subnets](variables.tf#L382) | Subnet configuration. | <code>list(object({…}))</code> | | <code>[]</code> |
|
||||
| [subnets_private_nat](variables.tf#L462) | List of private NAT subnets. | <code>list(object({…}))</code> | | <code>[]</code> |
|
||||
| [subnets_proxy_only](variables.tf#L474) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | <code>list(object({…}))</code> | | <code>[]</code> |
|
||||
| [subnets_psc](variables.tf#L508) | List of subnets for Private Service Connect service producers. | <code>list(object({…}))</code> | | <code>[]</code> |
|
||||
| [vpc_reuse](variables.tf#L548) | Reuse existing VPC if not null. If the network_id number is not passed in, a data source is used. | <code>object({…})</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
||||
@@ -94,7 +94,6 @@ variable "firewall_policy_enforcement_order" {
|
||||
type = string
|
||||
nullable = false
|
||||
default = "AFTER_CLASSIC_FIREWALL"
|
||||
|
||||
validation {
|
||||
condition = var.firewall_policy_enforcement_order == "BEFORE_CLASSIC_FIREWALL" || var.firewall_policy_enforcement_order == "AFTER_CLASSIC_FIREWALL"
|
||||
error_message = "Enforcement order must be BEFORE_CLASSIC_FIREWALL or AFTER_CLASSIC_FIREWALL."
|
||||
|
||||
@@ -65,10 +65,10 @@ resource "google_logging_organization_settings" "default" {
|
||||
? null
|
||||
: lookup(local.ctx.kms_keys, var.logging_settings.kms_key_name, var.logging_settings.kms_key_name)
|
||||
)
|
||||
storage_location = lookup(
|
||||
local.ctx.locations,
|
||||
coalesce(var.logging_settings.storage_location, ""),
|
||||
var.logging_settings.storage_location
|
||||
storage_location = (
|
||||
var.logging_settings.storage_location == null
|
||||
? null
|
||||
: lookup(local.ctx.locations, var.logging_settings.storage_location, var.logging_settings.storage_location)
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user