diff --git a/blueprints/apigee/bigquery-analytics/main.tf b/blueprints/apigee/bigquery-analytics/main.tf
index 0aea7bbc6..b90bec071 100644
--- a/blueprints/apigee/bigquery-analytics/main.tf
+++ b/blueprints/apigee/bigquery-analytics/main.tf
@@ -65,14 +65,14 @@ module "vpc" {
name = "subnet-psc-${k}"
region = k
}]
- psa_config = {
+ psa_configs = [{
ranges = merge({ for k, v in var.instances :
"apigee-runtime-${k}" => v.runtime_ip_cidr_range
}, { for k, v in var.instances :
"apigee-troubleshooting-${k}" => v.troubleshooting_ip_cidr_range
}
)
- }
+ }]
}
module "apigee" {
diff --git a/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/apigee.tf b/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/apigee.tf
index afad0f0d2..ec3df275a 100644
--- a/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/apigee.tf
+++ b/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/apigee.tf
@@ -55,12 +55,12 @@ module "apigee_vpc" {
name = "subnet-psc"
region = var.region
}]
- psa_config = {
+ psa_configs = [{
ranges = {
"apigee-runtime" = var.apigee_runtime_ip_cidr_range
"apigee-troubleshooting" = var.apigee_troubleshooting_ip_cidr_range
}
- }
+ }]
}
module "apigee" {
diff --git a/blueprints/data-solutions/cloudsql-multiregion/cloudsql.tf b/blueprints/data-solutions/cloudsql-multiregion/cloudsql.tf
index 020466e2b..2821d6875 100644
--- a/blueprints/data-solutions/cloudsql-multiregion/cloudsql.tf
+++ b/blueprints/data-solutions/cloudsql-multiregion/cloudsql.tf
@@ -19,9 +19,9 @@ module "db" {
encryption_key_name = var.service_encryption_keys != null ? try(var.service_encryption_keys[var.regions.primary], null) : null
network_config = {
connectivity = {
- psa_config = {
+ psa_configs = [{
private_network = local.vpc_self_link
- }
+ }]
}
}
name = "${var.prefix}-db"
diff --git a/blueprints/data-solutions/cloudsql-multiregion/main.tf b/blueprints/data-solutions/cloudsql-multiregion/main.tf
index cf6d7535a..966a3ffec 100644
--- a/blueprints/data-solutions/cloudsql-multiregion/main.tf
+++ b/blueprints/data-solutions/cloudsql-multiregion/main.tf
@@ -108,10 +108,10 @@ module "vpc" {
region = var.regions.primary
}
]
- psa_config = {
+ psa_configs = [{
ranges = { cloud-sql = var.sql_configuration.psa_range }
routes = null
- }
+ }]
}
module "firewall" {
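Review bot: `routes = null` inside the new `psa_configs` element looks like a leftover, since the PSA attributes shown elsewhere in this commit are `ranges`, `export_routes`, `import_routes`, `peered_domains` and `service_producer`. Terraform silently discards object attributes that the target variable type does not declare, so if `net-vpc` has no `routes` attribute this line does nothing and can be dropped while the block is being touched. If control over peering routes was intended, it would have to be expressed with `export_routes` / `import_routes` instead. The same line appears in the `vertex-mlops/main.tf` hunk, and the `module "vpc"` block starts outside this hunk.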
diff --git a/blueprints/data-solutions/vertex-mlops/main.tf b/blueprints/data-solutions/vertex-mlops/main.tf
index 55e5614e2..7af79eeb2 100644
--- a/blueprints/data-solutions/vertex-mlops/main.tf
+++ b/blueprints/data-solutions/vertex-mlops/main.tf
@@ -147,12 +147,12 @@ module "vpc-local" {
"secondary_ip_range" : null
}
]
- psa_config = {
+ psa_configs = [{
ranges = {
"vertex" : "10.13.0.0/18"
}
routes = null
- }
+ }]
}
module "firewall" {
diff --git a/blueprints/third-party-solutions/gitlab/services.tf b/blueprints/third-party-solutions/gitlab/services.tf
index b5168be94..54b09eb37 100644
--- a/blueprints/third-party-solutions/gitlab/services.tf
+++ b/blueprints/third-party-solutions/gitlab/services.tf
@@ -37,9 +37,9 @@ module "db" {
network_config = {
authorized_networks = {}
connectivity = {
- psa_config = {
+ psa_configs = [{
private_network = var.network_config.network_self_link
- }
+ }]
}
}
database_version = var.cloudsql_config.database_version
diff --git a/blueprints/third-party-solutions/phpipam/cloudsql.tf b/blueprints/third-party-solutions/phpipam/cloudsql.tf
index 391151c73..05dd2fc74 100644
--- a/blueprints/third-party-solutions/phpipam/cloudsql.tf
+++ b/blueprints/third-party-solutions/phpipam/cloudsql.tf
@@ -25,9 +25,9 @@ module "cloudsql" {
databases = [local.cloudsql_conf.db]
network_config = {
connectivity = {
- psa_config = {
+ psa_configs = [{
private_network = local.network
- }
+ }]
}
}
prefix = var.prefix
diff --git a/blueprints/third-party-solutions/phpipam/main.tf b/blueprints/third-party-solutions/phpipam/main.tf
index f08d69d28..f21d7cfe1 100644
--- a/blueprints/third-party-solutions/phpipam/main.tf
+++ b/blueprints/third-party-solutions/phpipam/main.tf
@@ -75,12 +75,11 @@ module "vpc" {
count = var.vpc_config == null ? 1 : 0
project_id = module.project.project_id
name = "${var.prefix}-sql-vpc"
-
- psa_config = {
+ psa_configs = [{
ranges = {
cloud-sql = var.ip_ranges.psa
}
- }
+ }]
subnets = [
{
ip_cidr_range = var.ip_ranges.ilb
diff --git a/blueprints/third-party-solutions/wordpress/cloudrun/cloudsql.tf b/blueprints/third-party-solutions/wordpress/cloudrun/cloudsql.tf
index e6546cee2..304b0ac6f 100644
--- a/blueprints/third-party-solutions/wordpress/cloudrun/cloudsql.tf
+++ b/blueprints/third-party-solutions/wordpress/cloudrun/cloudsql.tf
@@ -31,11 +31,11 @@ module "vpc" {
region = var.region
}
]
- psa_config = {
+ psa_configs = [{
ranges = {
cloud-sql = var.ip_ranges.psa
}
- }
+ }]
}
@@ -56,9 +56,9 @@ module "cloudsql" {
project_id = module.project.project_id
network_config = {
connectivity = {
- psa_config = {
+ psa_configs = [{
private_network = module.vpc.self_link
- }
+ }]
}
}
name = "${var.prefix}-mysql"
diff --git a/fast/stages/2-networking-a-peering/README.md b/fast/stages/2-networking-a-peering/README.md
index 6b0c24d6c..eb5c26657 100644
--- a/fast/stages/2-networking-a-peering/README.md
+++ b/fast/stages/2-networking-a-peering/README.md
@@ -401,10 +401,10 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
| [fast_features](variables.tf#L116) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap |
| [outputs_location](variables.tf#L146) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
| [peering_configs](variables-peerings.tf#L19) | Peering configurations. | object({…}) | | {} | |
-| [psa_ranges](variables.tf#L163) | IP ranges used for Private Service Access (CloudSQL, etc.). | object({…}) | | null | |
-| [regions](variables.tf#L182) | Region definitions. | object({…}) | | {…} | |
-| [service_accounts](variables.tf#L194) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman |
-| [vpn_onprem_primary_config](variables.tf#L208) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | |
+| [psa_ranges](variables.tf#L163) | IP ranges used for Private Service Access (CloudSQL, etc.). | object({…}) | | {} | |
+| [regions](variables.tf#L183) | Region definitions. | object({…}) | | {…} | |
+| [service_accounts](variables.tf#L195) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman |
+| [vpn_onprem_primary_config](variables.tf#L209) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | |
## Outputs
diff --git a/fast/stages/2-networking-a-peering/net-dev.tf b/fast/stages/2-networking-a-peering/net-dev.tf
index 7f7e0e772..13a49498b 100644
--- a/fast/stages/2-networking-a-peering/net-dev.tf
+++ b/fast/stages/2-networking-a-peering/net-dev.tf
@@ -83,7 +83,7 @@ module "dev-spoke-vpc" {
factories_config = {
subnets_folder = "${var.factories_config.data_dir}/subnets/dev"
}
- psa_config = try(var.psa_ranges.dev, null)
+ psa_configs = var.psa_ranges.dev
# set explicit routes for googleapis in case the default route is deleted
create_googleapis_routes = {
private = true
diff --git a/fast/stages/2-networking-a-peering/net-prod.tf b/fast/stages/2-networking-a-peering/net-prod.tf
index dd4b532f4..0f8d9b393 100644
--- a/fast/stages/2-networking-a-peering/net-prod.tf
+++ b/fast/stages/2-networking-a-peering/net-prod.tf
@@ -81,7 +81,7 @@ module "prod-spoke-vpc" {
factories_config = {
subnets_folder = "${var.factories_config.data_dir}/subnets/prod"
}
- psa_config = try(var.psa_ranges.prod, null)
+ psa_configs = var.psa_ranges.prod
# set explicit routes for googleapis in case the default route is deleted
create_googleapis_routes = {
private = true
diff --git a/fast/stages/2-networking-a-peering/variables.tf b/fast/stages/2-networking-a-peering/variables.tf
index 46639d39f..2d2216a9a 100644
--- a/fast/stages/2-networking-a-peering/variables.tf
+++ b/fast/stages/2-networking-a-peering/variables.tf
@@ -163,20 +163,21 @@ variable "prefix" {
variable "psa_ranges" {
description = "IP ranges used for Private Service Access (CloudSQL, etc.)."
type = object({
- dev = object({
+ dev = optional(list(object({
ranges = map(string)
export_routes = optional(bool, false)
import_routes = optional(bool, false)
peered_domains = optional(list(string), [])
- })
- prod = object({
+ })), [])
+ prod = optional(list(object({
ranges = map(string)
export_routes = optional(bool, false)
import_routes = optional(bool, false)
peered_domains = optional(list(string), [])
- })
+ })), [])
})
- default = null
+ nullable = false
+ default = {}
}
variable "regions" {
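Review bot: The new element type for `dev` and `prod` declares no `service_producer` attribute, so every entry in these lists reaches `net-vpc` with the module default, and a value set in tfvars would be silently dropped by type conversion. `modules/net-vpc/psa.tf` in this commit builds `local.psa_configs` with `for v in var.psa_configs : v.service_producer => ...`, so a second list element would presumably fail the plan on a duplicate key rather than add a second provider. Consider adding `service_producer = optional(string, "servicenetworking.googleapis.com")` to both objects (the default named in the net-vpc README example) and extending the description to say each element maps to one service producer. The same type is introduced in the `psa_ranges` hunks of `2-networking-b-vpn`, `2-networking-c-nva`, `2-networking-d-separate-envs` and `2-networking-e-nva-bgp`.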
diff --git a/fast/stages/2-networking-b-vpn/README.md b/fast/stages/2-networking-b-vpn/README.md
index 132ae5256..3fe961ff7 100644
--- a/fast/stages/2-networking-b-vpn/README.md
+++ b/fast/stages/2-networking-b-vpn/README.md
@@ -424,11 +424,11 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
| [factories_config](variables.tf#L95) | Configuration for network resource factories. | object({…}) | | {…} | |
| [fast_features](variables.tf#L116) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap |
| [outputs_location](variables.tf#L146) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
-| [psa_ranges](variables.tf#L163) | IP ranges used for Private Service Access (CloudSQL, etc.). | object({…}) | | null | |
-| [regions](variables.tf#L182) | Region definitions. | object({…}) | | {…} | |
-| [service_accounts](variables.tf#L194) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman |
+| [psa_ranges](variables.tf#L163) | IP ranges used for Private Service Access (CloudSQL, etc.). | object({…}) | | {} | |
+| [regions](variables.tf#L183) | Region definitions. | object({…}) | | {…} | |
+| [service_accounts](variables.tf#L195) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman |
| [vpn_configs](variables-vpn.tf#L17) | Hub to spokes VPN configurations. | object({…}) | | {} | |
-| [vpn_onprem_primary_config](variables.tf#L208) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | |
+| [vpn_onprem_primary_config](variables.tf#L209) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | |
## Outputs
diff --git a/fast/stages/2-networking-b-vpn/net-dev.tf b/fast/stages/2-networking-b-vpn/net-dev.tf
index 7f7e0e772..13a49498b 100644
--- a/fast/stages/2-networking-b-vpn/net-dev.tf
+++ b/fast/stages/2-networking-b-vpn/net-dev.tf
@@ -83,7 +83,7 @@ module "dev-spoke-vpc" {
factories_config = {
subnets_folder = "${var.factories_config.data_dir}/subnets/dev"
}
- psa_config = try(var.psa_ranges.dev, null)
+ psa_configs = var.psa_ranges.dev
# set explicit routes for googleapis in case the default route is deleted
create_googleapis_routes = {
private = true
diff --git a/fast/stages/2-networking-b-vpn/net-prod.tf b/fast/stages/2-networking-b-vpn/net-prod.tf
index dd4b532f4..0f8d9b393 100644
--- a/fast/stages/2-networking-b-vpn/net-prod.tf
+++ b/fast/stages/2-networking-b-vpn/net-prod.tf
@@ -81,7 +81,7 @@ module "prod-spoke-vpc" {
factories_config = {
subnets_folder = "${var.factories_config.data_dir}/subnets/prod"
}
- psa_config = try(var.psa_ranges.prod, null)
+ psa_configs = var.psa_ranges.prod
# set explicit routes for googleapis in case the default route is deleted
create_googleapis_routes = {
private = true
diff --git a/fast/stages/2-networking-b-vpn/variables.tf b/fast/stages/2-networking-b-vpn/variables.tf
index 46639d39f..2d2216a9a 100644
--- a/fast/stages/2-networking-b-vpn/variables.tf
+++ b/fast/stages/2-networking-b-vpn/variables.tf
@@ -163,20 +163,21 @@ variable "prefix" {
variable "psa_ranges" {
description = "IP ranges used for Private Service Access (CloudSQL, etc.)."
type = object({
- dev = object({
+ dev = optional(list(object({
ranges = map(string)
export_routes = optional(bool, false)
import_routes = optional(bool, false)
peered_domains = optional(list(string), [])
- })
- prod = object({
+ })), [])
+ prod = optional(list(object({
ranges = map(string)
export_routes = optional(bool, false)
import_routes = optional(bool, false)
peered_domains = optional(list(string), [])
- })
+ })), [])
})
- default = null
+ nullable = false
+ default = {}
}
variable "regions" {
diff --git a/fast/stages/2-networking-c-nva/README.md b/fast/stages/2-networking-c-nva/README.md
index 2142ce7c3..ee1990644 100644
--- a/fast/stages/2-networking-c-nva/README.md
+++ b/fast/stages/2-networking-c-nva/README.md
@@ -471,11 +471,11 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
| [gcp_ranges](variables.tf#L136) | GCP address ranges in name => range format. | map(string) | | {…} | |
| [onprem_cidr](variables.tf#L151) | Onprem addresses in name => range format. | map(string) | | {…} | |
| [outputs_location](variables.tf#L169) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
-| [psa_ranges](variables.tf#L186) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | null | |
-| [regions](variables.tf#L205) | Region definitions. | object({…}) | | {…} | |
-| [service_accounts](variables.tf#L217) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman |
-| [vpn_onprem_primary_config](variables.tf#L231) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | |
-| [vpn_onprem_secondary_config](variables.tf#L274) | VPN gateway configuration for onprem interconnection in the secondary region. | object({…}) | | null | |
+| [psa_ranges](variables.tf#L186) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | {} | |
+| [regions](variables.tf#L206) | Region definitions. | object({…}) | | {…} | |
+| [service_accounts](variables.tf#L218) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman |
+| [vpn_onprem_primary_config](variables.tf#L232) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | |
+| [vpn_onprem_secondary_config](variables.tf#L275) | VPN gateway configuration for onprem interconnection in the secondary region. | object({…}) | | null | |
## Outputs
diff --git a/fast/stages/2-networking-c-nva/net-dev.tf b/fast/stages/2-networking-c-nva/net-dev.tf
index 28b218b0a..9344c8af4 100644
--- a/fast/stages/2-networking-c-nva/net-dev.tf
+++ b/fast/stages/2-networking-c-nva/net-dev.tf
@@ -83,7 +83,7 @@ module "dev-spoke-vpc" {
subnets_folder = "${var.factories_config.data_dir}/subnets/dev"
}
delete_default_routes_on_create = true
- psa_config = try(var.psa_ranges.dev, null)
+ psa_configs = var.psa_ranges.dev
# Set explicit routes for googleapis; send everything else to NVAs
create_googleapis_routes = {
private = true
diff --git a/fast/stages/2-networking-c-nva/net-prod.tf b/fast/stages/2-networking-c-nva/net-prod.tf
index 81af9967a..e37e77cf3 100644
--- a/fast/stages/2-networking-c-nva/net-prod.tf
+++ b/fast/stages/2-networking-c-nva/net-prod.tf
@@ -81,7 +81,7 @@ module "prod-spoke-vpc" {
subnets_folder = "${var.factories_config.data_dir}/subnets/prod"
}
delete_default_routes_on_create = true
- psa_config = try(var.psa_ranges.prod, null)
+ psa_configs = var.psa_ranges.prod
# Set explicit routes for googleapis; send everything else to NVAs
create_googleapis_routes = {
private = true
diff --git a/fast/stages/2-networking-c-nva/variables.tf b/fast/stages/2-networking-c-nva/variables.tf
index 30654d6cd..c600271cd 100644
--- a/fast/stages/2-networking-c-nva/variables.tf
+++ b/fast/stages/2-networking-c-nva/variables.tf
@@ -186,20 +186,21 @@ variable "prefix" {
variable "psa_ranges" {
description = "IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format."
type = object({
- dev = object({
+ dev = optional(list(object({
ranges = map(string)
export_routes = optional(bool, false)
import_routes = optional(bool, false)
peered_domains = optional(list(string), [])
- })
- prod = object({
+ })), [])
+ prod = optional(list(object({
ranges = map(string)
export_routes = optional(bool, false)
import_routes = optional(bool, false)
peered_domains = optional(list(string), [])
- })
+ })), [])
})
- default = null
+ nullable = false
+ default = {}
}
variable "regions" {
diff --git a/fast/stages/2-networking-d-separate-envs/README.md b/fast/stages/2-networking-d-separate-envs/README.md
index 14c0a63c3..12c2ab747 100644
--- a/fast/stages/2-networking-d-separate-envs/README.md
+++ b/fast/stages/2-networking-d-separate-envs/README.md
@@ -342,11 +342,11 @@ Regions are defined via the `regions` variable which sets up a mapping between t
| [factories_config](variables.tf#L87) | Configuration for network resource factories. | object({…}) | | {…} | |
| [fast_features](variables.tf#L108) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap |
| [outputs_location](variables.tf#L138) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
-| [psa_ranges](variables.tf#L155) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | null | |
-| [regions](variables.tf#L174) | Region definitions. | object({…}) | | {…} | |
-| [service_accounts](variables.tf#L184) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman |
-| [vpn_onprem_dev_primary_config](variables.tf#L198) | VPN gateway configuration for onprem interconnection from dev in the primary region. | object({…}) | | null | |
-| [vpn_onprem_prod_primary_config](variables.tf#L241) | VPN gateway configuration for onprem interconnection from prod in the primary region. | object({…}) | | null | |
+| [psa_ranges](variables.tf#L155) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | {} | |
+| [regions](variables.tf#L175) | Region definitions. | object({…}) | | {…} | |
+| [service_accounts](variables.tf#L185) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman |
+| [vpn_onprem_dev_primary_config](variables.tf#L199) | VPN gateway configuration for onprem interconnection from dev in the primary region. | object({…}) | | null | |
+| [vpn_onprem_prod_primary_config](variables.tf#L242) | VPN gateway configuration for onprem interconnection from prod in the primary region. | object({…}) | | null | |
## Outputs
diff --git a/fast/stages/2-networking-d-separate-envs/net-dev.tf b/fast/stages/2-networking-d-separate-envs/net-dev.tf
index 5d880e085..addc5a104 100644
--- a/fast/stages/2-networking-d-separate-envs/net-dev.tf
+++ b/fast/stages/2-networking-d-separate-envs/net-dev.tf
@@ -82,7 +82,7 @@ module "dev-spoke-vpc" {
factories_config = {
subnets_folder = "${var.factories_config.data_dir}/subnets/dev"
}
- psa_config = try(var.psa_ranges.dev, null)
+ psa_configs = var.psa_ranges.dev
# set explicit routes for googleapis in case the default route is deleted
create_googleapis_routes = {
private = true
diff --git a/fast/stages/2-networking-d-separate-envs/net-prod.tf b/fast/stages/2-networking-d-separate-envs/net-prod.tf
index af740c4fb..c0dbff37d 100644
--- a/fast/stages/2-networking-d-separate-envs/net-prod.tf
+++ b/fast/stages/2-networking-d-separate-envs/net-prod.tf
@@ -80,7 +80,7 @@ module "prod-spoke-vpc" {
factories_config = {
subnets_folder = "${var.factories_config.data_dir}/subnets/prod"
}
- psa_config = try(var.psa_ranges.prod, null)
+ psa_configs = var.psa_ranges.prod
# set explicit routes for googleapis in case the default route is deleted
create_googleapis_routes = {
private = true
diff --git a/fast/stages/2-networking-d-separate-envs/variables.tf b/fast/stages/2-networking-d-separate-envs/variables.tf
index 0c4165b3a..a6c569c10 100644
--- a/fast/stages/2-networking-d-separate-envs/variables.tf
+++ b/fast/stages/2-networking-d-separate-envs/variables.tf
@@ -155,20 +155,21 @@ variable "prefix" {
variable "psa_ranges" {
description = "IP ranges used for Private Service Access (e.g. CloudSQL)."
type = object({
- dev = object({
+ dev = optional(list(object({
ranges = map(string)
export_routes = optional(bool, false)
import_routes = optional(bool, false)
peered_domains = optional(list(string), [])
- })
- prod = object({
+ })), [])
+ prod = optional(list(object({
ranges = map(string)
export_routes = optional(bool, false)
import_routes = optional(bool, false)
peered_domains = optional(list(string), [])
- })
+ })), [])
})
- default = null
+ nullable = false
+ default = {}
}
variable "regions" {
diff --git a/fast/stages/2-networking-e-nva-bgp/README.md b/fast/stages/2-networking-e-nva-bgp/README.md
index ca0401955..4e2d7d258 100644
--- a/fast/stages/2-networking-e-nva-bgp/README.md
+++ b/fast/stages/2-networking-e-nva-bgp/README.md
@@ -498,12 +498,12 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
| [ncc_asn](variables.tf#L151) | The NCC Cloud Routers ASN configuration. | map(number) | | {…} | |
| [onprem_cidr](variables.tf#L162) | Onprem addresses in name => range format. | map(string) | | {…} | |
| [outputs_location](variables.tf#L180) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
-| [psa_ranges](variables.tf#L197) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | null | |
-| [regions](variables.tf#L216) | Region definitions. | object({…}) | | {…} | |
-| [service_accounts](variables.tf#L228) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman |
-| [vpn_onprem_primary_config](variables.tf#L242) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | |
-| [vpn_onprem_secondary_config](variables.tf#L285) | VPN gateway configuration for onprem interconnection in the secondary region. | object({…}) | | null | |
-| [zones](variables.tf#L328) | Zones in which NVAs are deployed. | list(string) | | ["b", "c"] | |
+| [psa_ranges](variables.tf#L197) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | {} | |
+| [regions](variables.tf#L217) | Region definitions. | object({…}) | | {…} | |
+| [service_accounts](variables.tf#L229) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman |
+| [vpn_onprem_primary_config](variables.tf#L243) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | |
+| [vpn_onprem_secondary_config](variables.tf#L286) | VPN gateway configuration for onprem interconnection in the secondary region. | object({…}) | | null | |
+| [zones](variables.tf#L329) | Zones in which NVAs are deployed. | list(string) | | ["b", "c"] | |
## Outputs
diff --git a/fast/stages/2-networking-e-nva-bgp/net-dev.tf b/fast/stages/2-networking-e-nva-bgp/net-dev.tf
index 277ff8fc3..bb7bd165e 100644
--- a/fast/stages/2-networking-e-nva-bgp/net-dev.tf
+++ b/fast/stages/2-networking-e-nva-bgp/net-dev.tf
@@ -82,7 +82,7 @@ module "dev-spoke-vpc" {
subnets_folder = "${var.factories_config.data_dir}/subnets/dev"
}
delete_default_routes_on_create = true
- psa_config = try(var.psa_ranges.dev, null)
+ psa_configs = var.psa_ranges.dev
# Set explicit routes for googleapis; send everything else to NVAs
create_googleapis_routes = {
private = true
diff --git a/fast/stages/2-networking-e-nva-bgp/net-prod.tf b/fast/stages/2-networking-e-nva-bgp/net-prod.tf
index 8ed524bad..6325c5766 100644
--- a/fast/stages/2-networking-e-nva-bgp/net-prod.tf
+++ b/fast/stages/2-networking-e-nva-bgp/net-prod.tf
@@ -80,7 +80,7 @@ module "prod-spoke-vpc" {
subnets_folder = "${var.factories_config.data_dir}/subnets/prod"
}
delete_default_routes_on_create = true
- psa_config = try(var.psa_ranges.prod, null)
+ psa_configs = var.psa_ranges.prod
# Set explicit routes for googleapis; send everything else to NVAs
create_googleapis_routes = {
private = true
diff --git a/fast/stages/2-networking-e-nva-bgp/variables.tf b/fast/stages/2-networking-e-nva-bgp/variables.tf
index 8fd60c8ba..6377f6405 100644
--- a/fast/stages/2-networking-e-nva-bgp/variables.tf
+++ b/fast/stages/2-networking-e-nva-bgp/variables.tf
@@ -197,20 +197,21 @@ variable "prefix" {
variable "psa_ranges" {
description = "IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format."
type = object({
- dev = object({
+ dev = optional(list(object({
ranges = map(string)
export_routes = optional(bool, false)
import_routes = optional(bool, false)
peered_domains = optional(list(string), [])
- })
- prod = object({
+ })), [])
+ prod = optional(list(object({
ranges = map(string)
export_routes = optional(bool, false)
import_routes = optional(bool, false)
peered_domains = optional(list(string), [])
- })
+ })), [])
})
- default = null
+ nullable = false
+ default = {}
}
variable "regions" {
diff --git a/modules/cloudsql-instance/README.md b/modules/cloudsql-instance/README.md
index 7c705f5d1..c1474cec1 100644
--- a/modules/cloudsql-instance/README.md
+++ b/modules/cloudsql-instance/README.md
@@ -25,9 +25,9 @@ module "vpc" {
source = "./fabric/modules/net-vpc"
project_id = module.project.project_id
name = "my-network"
- psa_config = {
+ psa_configs = [{
ranges = { cloud-sql = "10.60.0.0/16" }
- }
+ }]
}
module "db" {
@@ -117,6 +117,7 @@ module "db" {
```
### CMEK encryption
+
```hcl
module "project" {
diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md
index 8e7f530c6..fecfc0b4e 100644
--- a/modules/net-vpc/README.md
+++ b/modules/net-vpc/README.md
@@ -13,6 +13,7 @@ This module allows creation and management of VPC networks including subnetworks
- [Shared VPC](#shared-vpc)
- [Private Service Networking](#private-service-networking)
- [Private Service Networking with peering routes and peered Cloud DNS domains](#private-service-networking-with-peering-routes-and-peered-cloud-dns-domains)
+ - [Private Service Networking with multiple service providers](#private-service-networking-with-multiple-service-providers)
- [Subnets for Private Service Connect, Proxy-only subnets](#subnets-for-private-service-connect-proxy-only-subnets)
- [PSC Network Attachments](#psc-network-attachments)
- [DNS Policies](#dns-policies)
@@ -247,9 +248,9 @@ module "vpc" {
region = "europe-west1"
}
]
- psa_config = {
+ psa_configs = [{
ranges = { myrange = "10.0.1.0/24" }
- }
+ }]
}
# tftest modules=1 resources=7 inventory=psa.yaml e2e
```
@@ -270,16 +271,44 @@ module "vpc" {
region = "europe-west1"
}
]
- psa_config = {
+ psa_configs = [{
ranges = { myrange = "10.0.1.0/24" }
export_routes = true
import_routes = true
peered_domains = ["gcp.example.com."]
- }
+ }]
}
# tftest modules=1 resources=8 inventory=psa-routes.yaml e2e
```
+### Private Service Networking with multiple service providers
+
+```hcl
+module "vpc" {
+ source = "./fabric/modules/net-vpc"
+ project_id = var.project_id
+ name = "my-network"
+ subnets = [
+ {
+ ip_cidr_range = "10.0.0.0/24"
+ name = "production"
+ region = "europe-west1"
+ }
+ ]
+ psa_configs = [
+ {
+ ranges = { myrange = "10.0.1.0/24" }
+ # service_producer = "servicenetworking.googleapis.com" # default value
+ },
+ {
+ ranges = { netapp = "10.0.2.0/24" }
+ service_producer = "netapp.servicenetworking.goog"
+ }
+ ]
+}
+# tftest modules=1 resources=10 inventory=psa-multiple-providers.yaml e2e
+```
+
### Subnets for Private Service Connect, Proxy-only subnets
Along with common private subnets module supports creation more service specific subnets for the following purposes:
@@ -627,15 +656,15 @@ module "vpc" {
| [network_attachments](variables.tf#L100) | PSC network attachments, names as keys. | map(object({…})) | | {} |
| [peering_config](variables.tf#L113) | VPC peering configuration. | object({…}) | | null |
| [policy_based_routes](variables.tf#L124) | Policy based routes, keyed by name. | map(object({…})) | | {} |
-| [psa_config](variables.tf#L177) | The Private Service Access configuration. | object({…}) | | null |
-| [routes](variables.tf#L189) | Network routes, keyed by name. | map(object({…})) | | {} |
-| [routing_mode](variables.tf#L210) | The network routing mode (default 'GLOBAL'). | string | | "GLOBAL" |
-| [shared_vpc_host](variables.tf#L220) | Enable shared VPC for this project. | bool | | false |
-| [shared_vpc_service_projects](variables.tf#L226) | Shared VPC service projects to register with this host. | list(string) | | [] |
-| [subnets](variables.tf#L232) | Subnet configuration. | list(object({…})) | | [] |
-| [subnets_proxy_only](variables.tf#L279) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] |
-| [subnets_psc](variables.tf#L313) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] |
-| [vpc_create](variables.tf#L345) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool | | true |
+| [psa_configs](variables.tf#L177) | The Private Service Access configuration. | list(object({…})) | | [] |
+| [routes](variables.tf#L198) | Network routes, keyed by name. | map(object({…})) | | {} |
+| [routing_mode](variables.tf#L219) | The network routing mode (default 'GLOBAL'). | string | | "GLOBAL" |
+| [shared_vpc_host](variables.tf#L229) | Enable shared VPC for this project. | bool | | false |
+| [shared_vpc_service_projects](variables.tf#L235) | Shared VPC service projects to register with this host. | list(string) | | [] |
+| [subnets](variables.tf#L241) | Subnet configuration. | list(object({…})) | | [] |
+| [subnets_proxy_only](variables.tf#L288) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] |
+| [subnets_psc](variables.tf#L322) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] |
+| [vpc_create](variables.tf#L354) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool | | true |
## Outputs
diff --git a/modules/net-vpc/psa.tf b/modules/net-vpc/psa.tf
index 6f7146a19..401b7aa27 100644
--- a/modules/net-vpc/psa.tf
+++ b/modules/net-vpc/psa.tf
@@ -17,54 +17,74 @@
# tfdoc:file:description Private Service Access resources.
locals {
- psa_config_ranges = try(var.psa_config.ranges, {})
+ _psa_configs_ranges = flatten([
+ for config in local.psa_configs : [
+ for k, v in config.ranges : {
+ key = "${config.key}-${k}"
+ value = v
+ }
+ ]
+ ])
+ _psa_peered_domains = flatten([
+ for config in local.psa_configs : [
+ for v in config.peered_domains : {
+ key = "${config.key}-${replace(v, ".", "-")}"
+ dns_suffix = v
+ service_producer = config.service_producer
+ }
+ ]
+ ])
+ psa_configs = {
+ for v in var.psa_configs : v.service_producer => merge(v, {
+ key = replace(v.service_producer, ".", "-")
+ })
+ }
+ psa_configs_ranges = {
+ for v in local._psa_configs_ranges : v.key => v.value
+ }
+ psa_peered_domains = {
+ for v in local._psa_peered_domains : v.key => v
+ }
}
resource "google_compute_global_address" "psa_ranges" {
- for_each = local.psa_config_ranges
+ for_each = local.psa_configs_ranges
project = var.project_id
+ network = local.network.id
name = each.key
purpose = "VPC_PEERING"
address_type = "INTERNAL"
address = split("/", each.value)[0]
prefix_length = split("/", each.value)[1]
- network = local.network.id
-}
-
-moved {
- from = google_service_networking_connection.psa_connection["1"]
- to = google_service_networking_connection.psa_connection[0]
}
resource "google_service_networking_connection" "psa_connection" {
- count = var.psa_config != null ? 1 : 0
- network = local.network.id
- service = var.psa_config.service_producer
+ for_each = local.psa_configs
+ network = local.network.id
+ service = each.key
reserved_peering_ranges = [
- for k, v in google_compute_global_address.psa_ranges : v.name
+ for k, v in google_compute_global_address.psa_ranges :
+ v.name if startswith(k, each.value.key)
]
}
-moved {
- from = google_compute_network_peering_routes_config.psa_routes["1"]
- to = google_compute_network_peering_routes_config.psa_routes[0]
-}
-
resource "google_compute_network_peering_routes_config" "psa_routes" {
- count = var.psa_config != null ? 1 : 0
- project = var.project_id
- peering = google_service_networking_connection.psa_connection[0].peering
+ for_each = local.psa_configs
+ project = var.project_id
+ peering = (
+ google_service_networking_connection.psa_connection[each.key].peering
+ )
network = local.network.name
- export_custom_routes = var.psa_config.export_routes
- import_custom_routes = var.psa_config.import_routes
+ export_custom_routes = each.value.export_routes
+ import_custom_routes = each.value.import_routes
}
resource "google_service_networking_peered_dns_domain" "name" {
- for_each = toset(try(var.psa_config.peered_domains, []))
+ for_each = local.psa_peered_domains
project = var.project_id
- name = trimsuffix(replace(each.value, ".", "-"), "-")
network = local.network.name
- dns_suffix = each.value
- service = var.psa_config.service_producer
+ name = each.key
+ dns_suffix = each.value.dns_suffix
+ service = each.value.service_producer
depends_on = [google_service_networking_connection.psa_connection]
}
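Review bot: The `startswith(k, each.value.key)` filter in `psa_connection` picks ranges by key prefix, so when one producer's dashed key is a prefix of another's, the shorter producer's connection would also reserve the other producer's ranges. The validation in variables.tf only enforces distinct producers, so nothing rules this out. Looking the addresses up from the config's own range names avoids string matching altogether: `for k, v in each.value.ranges : google_compute_global_address.psa_ranges["${each.value.key}-${k}"].name`. Separately, the peered DNS domain name no longer passes through `trimsuffix(..., "-")`, so a suffix such as `gcp.example.com.` now produces a name ending in `-` (the updated psa-routes fixture shows this). Plan-level fixtures would not reveal whether the API accepts that, so it is worth confirming or keeping the trim when building the key in `_psa_peered_domains`.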
diff --git a/modules/net-vpc/variables.tf b/modules/net-vpc/variables.tf
index f50297c22..21fae5a76 100644
--- a/modules/net-vpc/variables.tf
+++ b/modules/net-vpc/variables.tf
@@ -174,16 +174,25 @@ variable "project_id" {
type = string
}
-variable "psa_config" {
+variable "psa_configs" {
description = "The Private Service Access configuration."
- type = object({
+ type = list(object({
ranges = map(string)
export_routes = optional(bool, false)
import_routes = optional(bool, false)
peered_domains = optional(list(string), [])
service_producer = optional(string, "servicenetworking.googleapis.com")
- })
- default = null
+ }))
+ nullable = false
+ default = []
+ validation {
+ condition = (
+ length(var.psa_configs) == length(toset([
+ for v in var.psa_configs : v.service_producer
+ ]))
+ )
+ error_message = "At most one configuration is possible for each service producer."
+ }
}
variable "routes" {
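Review bot: The added validation only checks that service producers are distinct; the `ranges` values remain an unchecked `map(string)`. psa.tf passes them to `split("/", each.value)[1]`, so a value without a prefix length fails with an index error far from the offending input. A second validation block that tests every range with `can(cidrhost(r, 0))` would reject malformed CIDRs at the variable with a clear message. The description could also say that range names are prefixed with the dashed producer name when used as address names, since that changes resource names for existing callers and counts toward the name length.

```hcl
variable "psa_configs" {
  # … unchanged: description, type, nullable, default, producer-uniqueness validation …
  validation {
    condition = alltrue(flatten([
      for v in var.psa_configs : [
        for r in values(v.ranges) : can(cidrhost(r, 0))
      ]
    ]))
    error_message = "Each PSA range must be a valid CIDR block."
  }
```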
diff --git a/tests/modules/cloudsql_instance/examples/simple.yaml b/tests/modules/cloudsql_instance/examples/simple.yaml
index fdc663e21..5103c12b4 100644
--- a/tests/modules/cloudsql_instance/examples/simple.yaml
+++ b/tests/modules/cloudsql_instance/examples/simple.yaml
@@ -14,22 +14,138 @@
values:
module.db.google_sql_database_instance.primary:
+ clone: []
database_version: POSTGRES_13
+ deletion_protection: true
name: db
project: my-db-project
region: europe-west1
+ restore_backup_context: []
+ root_password: null
settings:
- activation_policy: ALWAYS
+ active_directory_config: []
+ advanced_machine_features: []
availability_type: ZONAL
+ collation: null
+ data_cache_config: []
+ database_flags: []
deletion_protection_enabled: true
+ deny_maintenance_period: []
disk_autoresize: true
+ disk_autoresize_limit: 0
disk_type: PD_SSD
+ edition: ENTERPRISE
insights_config: []
ip_configuration:
- allocated_ip_range: null
authorized_networks: []
+ enable_private_path_for_google_cloud_services: null
ipv4_enabled: false
+ psc_config: []
+ require_ssl: null
+ maintenance_window: []
+ password_validation_policy: []
+ pricing_plan: PER_USE
+ sql_server_audit_config: []
tier: db-g1-small
+ time_zone: null
+ timeouts: null
+ module.project.google_project.project[0]:
+ auto_create_network: false
+ billing_account: 123456-123456-123456
+ folder_id: null
+ labels: null
+ name: my-db-project
+ org_id: '1122334455'
+ project_id: my-db-project
+ skip_delete: false
+ timeouts: null
+ module.project.google_project_iam_member.servicenetworking[0]:
+ condition: []
+ project: my-db-project
+ role: roles/servicenetworking.serviceAgent
+ module.project.google_project_service.project_services["servicenetworking.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: my-db-project
+ service: servicenetworking.googleapis.com
+ timeouts: null
+ module.project.google_project_service_identity.servicenetworking[0]:
+ project: my-db-project
+ service: servicenetworking.googleapis.com
+ timeouts: null
+ module.vpc.google_compute_global_address.psa_ranges["servicenetworking-googleapis-com-cloud-sql"]:
+ address: 10.60.0.0
+ address_type: INTERNAL
+ description: null
+ ip_version: null
+ name: servicenetworking-googleapis-com-cloud-sql
+ prefix_length: 16
+ project: my-db-project
+ purpose: VPC_PEERING
+ timeouts: null
+ module.vpc.google_compute_network.network[0]:
+ auto_create_subnetworks: false
+ delete_default_routes_on_create: false
+ description: Terraform-managed.
+ enable_ula_internal_ipv6: null
+ name: my-network
+ network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
+ project: my-db-project
+ routing_mode: GLOBAL
+ timeouts: null
+ module.vpc.google_compute_network_peering_routes_config.psa_routes["servicenetworking.googleapis.com"]:
+ export_custom_routes: false
+ import_custom_routes: false
+ network: my-network
+ project: my-db-project
+ timeouts: null
+ module.vpc.google_compute_route.gateway["private-googleapis"]:
+ description: Terraform-managed.
+ dest_range: 199.36.153.8/30
+ name: my-network-private-googleapis
+ network: my-network
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 1000
+ project: my-db-project
+ tags: null
+ timeouts: null
+ module.vpc.google_compute_route.gateway["restricted-googleapis"]:
+ description: Terraform-managed.
+ dest_range: 199.36.153.4/30
+ name: my-network-restricted-googleapis
+ network: my-network
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 1000
+ project: my-db-project
+ tags: null
+ timeouts: null
+ module.vpc.google_service_networking_connection.psa_connection["servicenetworking.googleapis.com"]:
+ deletion_policy: null
+ reserved_peering_ranges:
+ - servicenetworking-googleapis-com-cloud-sql
+ service: servicenetworking.googleapis.com
+ timeouts: null
counts:
+ google_compute_global_address: 1
+ google_compute_network: 1
+ google_compute_network_peering_routes_config: 1
+ google_compute_route: 2
+ google_project: 1
+ google_project_iam_member: 1
+ google_project_service: 1
+ google_project_service_identity: 1
+ google_service_networking_connection: 1
google_sql_database_instance: 1
+ modules: 3
+ resources: 11
+
+outputs: {}
diff --git a/tests/modules/net_vpc/examples/psa-multiple-providers.yaml b/tests/modules/net_vpc/examples/psa-multiple-providers.yaml
new file mode 100644
index 000000000..f2bd9c741
--- /dev/null
+++ b/tests/modules/net_vpc/examples/psa-multiple-providers.yaml
@@ -0,0 +1,57 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.vpc.google_compute_global_address.psa_ranges["servicenetworking-googleapis-com-myrange"]:
+ address: 10.0.1.0
+ address_type: INTERNAL
+ name: servicenetworking-googleapis-com-myrange
+ prefix_length: 24
+ project: project-id
+ purpose: VPC_PEERING
+ module.vpc.google_compute_global_address.psa_ranges["netapp-servicenetworking-goog-netapp"]:
+ address: 10.0.2.0
+ address_type: INTERNAL
+ name: netapp-servicenetworking-goog-netapp
+ prefix_length: 24
+ project: project-id
+ purpose: VPC_PEERING
+ module.vpc.google_compute_network.network[0]:
+ name: my-network
+ project: project-id
+ module.vpc.google_compute_network_peering_routes_config.psa_routes["servicenetworking.googleapis.com"]:
+ export_custom_routes: false
+ import_custom_routes: false
+ project: project-id
+ module.vpc.google_compute_subnetwork.subnetwork["europe-west1/production"]:
+ ip_cidr_range: 10.0.0.0/24
+ name: production
+ project: project-id
+ module.vpc.google_service_networking_connection.psa_connection["servicenetworking.googleapis.com"]:
+ reserved_peering_ranges:
+ - servicenetworking-googleapis-com-myrange
+ service: servicenetworking.googleapis.com
+ module.vpc.google_service_networking_connection.psa_connection["netapp.servicenetworking.goog"]:
+ reserved_peering_ranges:
+ - netapp-servicenetworking-goog-netapp
+ service: netapp.servicenetworking.goog
+
+counts:
+ google_compute_global_address: 2
+ google_compute_network: 1
+ google_compute_network_peering_routes_config: 2
+ google_compute_subnetwork: 1
+ google_service_networking_connection: 2
+
+outputs: {}
\ No newline at end of file
diff --git a/tests/modules/net_vpc/examples/psa-routes.yaml b/tests/modules/net_vpc/examples/psa-routes.yaml
index efbcb2da7..c64353b78 100644
--- a/tests/modules/net_vpc/examples/psa-routes.yaml
+++ b/tests/modules/net_vpc/examples/psa-routes.yaml
@@ -13,42 +13,94 @@
# limitations under the License.
values:
- module.vpc.google_compute_global_address.psa_ranges["myrange"]:
+ module.vpc.google_compute_global_address.psa_ranges["servicenetworking-googleapis-com-myrange"]:
address: 10.0.1.0
address_type: INTERNAL
- name: myrange
+ description: null
+ ip_version: null
+ name: servicenetworking-googleapis-com-myrange
prefix_length: 24
project: project-id
purpose: VPC_PEERING
+ timeouts: null
module.vpc.google_compute_network.network[0]:
+ auto_create_subnetworks: false
+ delete_default_routes_on_create: false
+ description: Terraform-managed.
+ enable_ula_internal_ipv6: null
name: my-network
+ network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
project: project-id
routing_mode: GLOBAL
- module.vpc.google_compute_network_peering_routes_config.psa_routes[0]:
+ timeouts: null
+ module.vpc.google_compute_network_peering_routes_config.psa_routes["servicenetworking.googleapis.com"]:
export_custom_routes: true
import_custom_routes: true
+ network: my-network
project: project-id
+ timeouts: null
+ module.vpc.google_compute_route.gateway["private-googleapis"]:
+ description: Terraform-managed.
+ dest_range: 199.36.153.8/30
+ name: my-network-private-googleapis
+ network: my-network
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 1000
+ project: project-id
+ tags: null
+ timeouts: null
+ module.vpc.google_compute_route.gateway["restricted-googleapis"]:
+ description: Terraform-managed.
+ dest_range: 199.36.153.4/30
+ name: my-network-restricted-googleapis
+ network: my-network
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 1000
+ project: project-id
+ tags: null
+ timeouts: null
module.vpc.google_compute_subnetwork.subnetwork["europe-west1/production"]:
+ description: Terraform-managed.
ip_cidr_range: 10.0.0.0/24
+ ipv6_access_type: null
+ log_config: []
name: production
+ network: my-network
private_ip_google_access: true
project: project-id
region: europe-west1
+ role: null
secondary_ip_range: []
- module.vpc.google_service_networking_connection.psa_connection[0]:
+ timeouts: null
+ module.vpc.google_service_networking_connection.psa_connection["servicenetworking.googleapis.com"]:
+ deletion_policy: null
reserved_peering_ranges:
- - myrange
+ - servicenetworking-googleapis-com-myrange
service: servicenetworking.googleapis.com
- module.vpc.google_service_networking_peered_dns_domain.name["gcp.example.com."]:
+ timeouts: null
+ module.vpc.google_service_networking_peered_dns_domain.name["servicenetworking-googleapis-com-gcp-example-com-"]:
dns_suffix: gcp.example.com.
- name: gcp-example-com
+ name: servicenetworking-googleapis-com-gcp-example-com-
+ network: my-network
project: project-id
service: servicenetworking.googleapis.com
+ timeouts: null
counts:
google_compute_global_address: 1
google_compute_network: 1
google_compute_network_peering_routes_config: 1
+ google_compute_route: 2
google_compute_subnetwork: 1
google_service_networking_connection: 1
- google_service_networking_peered_dns_domain: 1
\ No newline at end of file
+ google_service_networking_peered_dns_domain: 1
+ modules: 1
+ resources: 8
+
+outputs: {}
diff --git a/tests/modules/net_vpc/examples/psa.yaml b/tests/modules/net_vpc/examples/psa.yaml
index 6af1a1d52..806bf443f 100644
--- a/tests/modules/net_vpc/examples/psa.yaml
+++ b/tests/modules/net_vpc/examples/psa.yaml
@@ -13,34 +13,86 @@
# limitations under the License.
values:
- module.vpc.google_compute_global_address.psa_ranges["myrange"]:
+ module.vpc.google_compute_global_address.psa_ranges["servicenetworking-googleapis-com-myrange"]:
address: 10.0.1.0
address_type: INTERNAL
- name: myrange
+ description: null
+ ip_version: null
+ name: servicenetworking-googleapis-com-myrange
prefix_length: 24
project: project-id
purpose: VPC_PEERING
+ timeouts: null
module.vpc.google_compute_network.network[0]:
+ auto_create_subnetworks: false
+ delete_default_routes_on_create: false
+ description: Terraform-managed.
+ enable_ula_internal_ipv6: null
name: my-network
+ network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
project: project-id
- module.vpc.google_compute_network_peering_routes_config.psa_routes[0]:
+ routing_mode: GLOBAL
+ timeouts: null
+ module.vpc.google_compute_network_peering_routes_config.psa_routes["servicenetworking.googleapis.com"]:
export_custom_routes: false
import_custom_routes: false
+ network: my-network
project: project-id
+ timeouts: null
+ module.vpc.google_compute_route.gateway["private-googleapis"]:
+ description: Terraform-managed.
+ dest_range: 199.36.153.8/30
+ name: my-network-private-googleapis
+ network: my-network
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 1000
+ project: project-id
+ tags: null
+ timeouts: null
+ module.vpc.google_compute_route.gateway["restricted-googleapis"]:
+ description: Terraform-managed.
+ dest_range: 199.36.153.4/30
+ name: my-network-restricted-googleapis
+ network: my-network
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 1000
+ project: project-id
+ tags: null
+ timeouts: null
module.vpc.google_compute_subnetwork.subnetwork["europe-west1/production"]:
+ description: Terraform-managed.
ip_cidr_range: 10.0.0.0/24
+ ipv6_access_type: null
+ log_config: []
name: production
+ network: my-network
+ private_ip_google_access: true
project: project-id
- module.vpc.google_service_networking_connection.psa_connection[0]:
+ region: europe-west1
+ role: null
+ secondary_ip_range: []
+ timeouts: null
+ module.vpc.google_service_networking_connection.psa_connection["servicenetworking.googleapis.com"]:
+ deletion_policy: null
reserved_peering_ranges:
- - myrange
+ - servicenetworking-googleapis-com-myrange
service: servicenetworking.googleapis.com
+ timeouts: null
counts:
google_compute_global_address: 1
google_compute_network: 1
google_compute_network_peering_routes_config: 1
+ google_compute_route: 2
google_compute_subnetwork: 1
google_service_networking_connection: 1
+ modules: 1
+ resources: 7
-outputs: {}
\ No newline at end of file
+outputs: {}
diff --git a/tests/modules/net_vpc/psa_routes_export.tfvars b/tests/modules/net_vpc/psa_routes_export.tfvars
index 9fbe4ddf7..697288504 100644
--- a/tests/modules/net_vpc/psa_routes_export.tfvars
+++ b/tests/modules/net_vpc/psa_routes_export.tfvars
@@ -1,7 +1,7 @@
-psa_config = {
+psa_configs = [{
ranges = {
bar = "172.16.100.0/24"
}
export_routes = true
import_routes = false
-}
+}]
diff --git a/tests/modules/net_vpc/psa_routes_export.yaml b/tests/modules/net_vpc/psa_routes_export.yaml
index 6b42919bb..69e807191 100644
--- a/tests/modules/net_vpc/psa_routes_export.yaml
+++ b/tests/modules/net_vpc/psa_routes_export.yaml
@@ -13,12 +13,12 @@
# limitations under the License.
values:
- google_compute_global_address.psa_ranges["bar"]:
+ google_compute_global_address.psa_ranges["servicenetworking-googleapis-com-bar"]:
address: 172.16.100.0
address_type: INTERNAL
description: null
ip_version: null
- name: bar
+ name: servicenetworking-googleapis-com-bar
prefix_length: 24
project: test-project
purpose: VPC_PEERING
@@ -30,13 +30,13 @@ values:
name: test
project: test-project
routing_mode: GLOBAL
- google_compute_network_peering_routes_config.psa_routes[0]:
+ google_compute_network_peering_routes_config.psa_routes["servicenetworking.googleapis.com"]:
export_custom_routes: true
import_custom_routes: false
project: test-project
- google_service_networking_connection.psa_connection[0]:
+ google_service_networking_connection.psa_connection["servicenetworking.googleapis.com"]:
reserved_peering_ranges:
- - bar
+ - servicenetworking-googleapis-com-bar
service: servicenetworking.googleapis.com
counts:
diff --git a/tests/modules/net_vpc/psa_routes_import.tfvars b/tests/modules/net_vpc/psa_routes_import.tfvars
index beeaf433a..0863f387d 100644
--- a/tests/modules/net_vpc/psa_routes_import.tfvars
+++ b/tests/modules/net_vpc/psa_routes_import.tfvars
@@ -1,7 +1,7 @@
-psa_config = {
+psa_configs = [{
ranges = {
bar = "172.16.100.0/24"
}
export_routes = false
import_routes = true
-}
+}]
diff --git a/tests/modules/net_vpc/psa_routes_import.yaml b/tests/modules/net_vpc/psa_routes_import.yaml
index 1bf772884..c7a39efec 100644
--- a/tests/modules/net_vpc/psa_routes_import.yaml
+++ b/tests/modules/net_vpc/psa_routes_import.yaml
@@ -13,12 +13,12 @@
# limitations under the License.
values:
- google_compute_global_address.psa_ranges["bar"]:
+ google_compute_global_address.psa_ranges["servicenetworking-googleapis-com-bar"]:
address: 172.16.100.0
address_type: INTERNAL
description: null
ip_version: null
- name: bar
+ name: servicenetworking-googleapis-com-bar
prefix_length: 24
project: test-project
purpose: VPC_PEERING
@@ -30,13 +30,13 @@ values:
name: test
project: test-project
routing_mode: GLOBAL
- google_compute_network_peering_routes_config.psa_routes[0]:
+ google_compute_network_peering_routes_config.psa_routes["servicenetworking.googleapis.com"]:
export_custom_routes: false
import_custom_routes: true
project: test-project
- google_service_networking_connection.psa_connection[0]:
+ google_service_networking_connection.psa_connection["servicenetworking.googleapis.com"]:
reserved_peering_ranges:
- - bar
+ - servicenetworking-googleapis-com-bar
service: servicenetworking.googleapis.com
counts:
diff --git a/tests/modules/net_vpc/psa_routes_import_export.tfvars b/tests/modules/net_vpc/psa_routes_import_export.tfvars
index 205922311..5851891b6 100644
--- a/tests/modules/net_vpc/psa_routes_import_export.tfvars
+++ b/tests/modules/net_vpc/psa_routes_import_export.tfvars
@@ -1,7 +1,7 @@
-psa_config = {
+psa_configs = [{
ranges = {
bar = "172.16.100.0/24"
}
export_routes = true
import_routes = true
-}
+}]
diff --git a/tests/modules/net_vpc/psa_routes_import_export.yaml b/tests/modules/net_vpc/psa_routes_import_export.yaml
index d74c51c34..ea68ffd2e 100644
--- a/tests/modules/net_vpc/psa_routes_import_export.yaml
+++ b/tests/modules/net_vpc/psa_routes_import_export.yaml
@@ -13,12 +13,12 @@
# limitations under the License.
values:
- google_compute_global_address.psa_ranges["bar"]:
+ google_compute_global_address.psa_ranges["servicenetworking-googleapis-com-bar"]:
address: 172.16.100.0
address_type: INTERNAL
description: null
ip_version: null
- name: bar
+ name: servicenetworking-googleapis-com-bar
prefix_length: 24
project: test-project
purpose: VPC_PEERING
@@ -30,13 +30,13 @@ values:
name: test
project: test-project
routing_mode: GLOBAL
- google_compute_network_peering_routes_config.psa_routes[0]:
+ google_compute_network_peering_routes_config.psa_routes["servicenetworking.googleapis.com"]:
export_custom_routes: true
import_custom_routes: true
project: test-project
- google_service_networking_connection.psa_connection[0]:
+ google_service_networking_connection.psa_connection["servicenetworking.googleapis.com"]:
reserved_peering_ranges:
- - bar
+ - servicenetworking-googleapis-com-bar
service: servicenetworking.googleapis.com
counts: