Add support for static IPs NAT to 2-networking (#3889)

* feat(2-networking): add support for static IPs NAT * fix(linting): fix linting * fix(linting): fix linting * fix(2-networking): factory-cloudnat don't assume that the context values are present. * fix(2-networking): factory-cloudnat pass region in a try to forward the problem to the module --------- Co-authored-by: Simone Ruffilli <sruffilli@google.com> Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com> Co-authored-by: Julio Castillo <jccb@google.com>
2026-05-06 16:21:58 +03:00
parent 04e64c4ae2
commit 8eca61bb46
11 changed files with 241 additions and 5 deletions
--- a/fast/stages/2-networking/README.md
+++ b/fast/stages/2-networking/README.md
@@ -284,6 +284,19 @@ nat_config:
 # [...]
 ```

+- **External IPs for NAT:** You can specify how many static IPs do you want, so they would be reserved and kept static. This is helpful when you need to connect to an external service that needs to whitelist the IPs. This is done by defining the number of static IP addresses in the `nat` section of a VPC's `.config.yaml` file.
+
+For example:
+
+```yaml
+# [...]
+nat_config:
+  nat-ew8:
+    num_nat_ips: 3
+    region: $locations:primary
+# [...]
+```
+
 - **Cloud Routers:** The `factory-routers.tf` file manages Cloud Routers, which are used with Cloud VPN and Cloud Interconnect to exchange routes with on-premises networks. Routers are configured within each VPC's `.config.yaml` file.

 ```yaml
@@ -359,7 +372,7 @@ Internally created resources are mapped to context namespaces, and use specific

 | name | description | modules | resources |
 |---|---|---|---|
-| [factory-cloudnat.tf](./factory-cloudnat.tf) | Cloud NAT factory. | <code>net-cloudnat</code> |  |
+| [factory-cloudnat.tf](./factory-cloudnat.tf) | Cloud NAT factory. | <code>net-address</code> · <code>net-cloudnat</code> |  |
 | [factory-dns.tf](./factory-dns.tf) | DNS zones and RPZ factory. | <code>dns</code> · <code>dns-response-policy</code> |  |
 | [factory-firewall-policies.tf](./factory-firewall-policies.tf) | Firewall policies factory. | <code>net-firewall-policy</code> |  |
 | [factory-ncc.tf](./factory-ncc.tf) | NCC Hubs and Groups factory |  | <code>google_network_connectivity_group</code> · <code>google_network_connectivity_hub</code> · <code>google_network_connectivity_spoke</code> |
--- a/fast/stages/2-networking/factory-cloudnat.tf
+++ b/fast/stages/2-networking/factory-cloudnat.tf
@@ -29,6 +29,8 @@ locals {
          config_timeouts           = try(nat_config.config_timeouts, {})
          endpoint_types            = try(nat_config.endpoint_types, null)
          logging_filter            = try(nat_config.logging_filter, null)
+          num_nat_ips               = try(nat_config.num_nat_ips, 0)
+          region                    = try(nat_config.region, null)
          router_asn                = try(nat_config.router_asn, null)
          router_create             = try(nat_config.router_create, true)
          router_network            = module.vpc-factory.vpcs[vpc_key].id
@@ -40,12 +42,25 @@ locals {
  ])...)
 }

+module "addresses" {
+  source     = "../../../modules/net-address"
+  for_each   = { for k, v in local.nat_configs : k => v if tonumber(v.num_nat_ips) > 0 }
+  project_id = each.value.project_id
+  external_addresses = {
+    for i in range(tonumber(each.value.num_nat_ips)) : "${each.value.name}-ip-${i}" => { region = each.value.region }
+  }
+  context = merge(local.ctx, {
+    project_ids = local.ctx_projects.project_ids
+    locations   = local.ctx.locations
+  })
+}
+
 module "nat" {
  source                    = "../../../modules/net-cloudnat"
  for_each                  = local.nat_configs
  project_id                = each.value.project_id
  name                      = each.value.name
-  addresses                 = each.value.addresses
+  addresses                 = concat(each.value.addresses, [for a in try(module.addresses[each.key].external_addresses, {}) : a.self_link])
  config_port_allocation    = each.value.config_port_allocation
  config_source_subnetworks = each.value.config_source_subnetworks
  config_timeouts           = each.value.config_timeouts
@@ -58,8 +73,9 @@ module "nat" {
  rules                     = each.value.rules
  type                      = each.value.type
  context = merge(local.ctx, {
-    project_ids    = local.ctx_projects.project_ids
-    vpc_self_links = local.ctx_vpcs.self_links
-    locations      = local.ctx.locations
+    project_ids = local.ctx_projects.project_ids
+    networks    = local.ctx_vpcs.self_links
+    locations   = local.ctx.locations
+    subnets     = local.ctx_vpcs.subnets_by_vpc
  })
 }
--- a/fast/stages/2-networking/schemas/vpc.schema.json
+++ b/fast/stages/2-networking/schemas/vpc.schema.json
@@ -197,6 +197,9 @@
          "properties": {
            "region": {
              "type": "string"
+            },
+            "num_nat_ips": {
+              "type": "number"
            }
          }
        }
--- a/fast/stages/2-networking/schemas/vpc.schema.md
+++ b/fast/stages/2-networking/schemas/vpc.schema.md
@@ -67,6 +67,7 @@
 - **nat_config**<a name="refs-nat_config"></a>: *object*
  - **`^[a-z0-9-]+$`**: *object*
    - ⁺**region**: *string*
+    - **num_nat_ips**: *number*
 - **ncc_config**<a name="refs-ncc_config"></a>: *object*
  - ⁺**hub**: *string*
  - **group**: *string*