From 9414779cc230f95028e71a57970c8fceefceca5b Mon Sep 17 00:00:00 2001 
From: Ludovico Magnocavallo Date: Tue, 16 Apr 2024 17:02:36 +0200 Subject: [PATCH] Allow multiple PSA service providers in net-vpc module (#2218) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * allowing multiple PSA service providers in net-vpc module * tfdoc * tfdoc * Add tfvars/yaml tests * fix module and tests * re-enable inventory * merge fix * Add multiple PSA test case * fix cloudsql example --------- Co-authored-by: Wiktor Niesiobędzki --- blueprints/apigee/bigquery-analytics/main.tf | 4 +- .../apigee.tf | 4 +- .../cloudsql-multiregion/cloudsql.tf | 4 +- .../cloudsql-multiregion/main.tf | 4 +- .../data-solutions/vertex-mlops/main.tf | 4 +- .../third-party-solutions/gitlab/services.tf | 4 +- .../third-party-solutions/phpipam/cloudsql.tf | 4 +- .../third-party-solutions/phpipam/main.tf | 5 +- .../wordpress/cloudrun/cloudsql.tf | 8 +- fast/stages/2-networking-a-peering/README.md | 8 +- fast/stages/2-networking-a-peering/net-dev.tf | 2 +- .../stages/2-networking-a-peering/net-prod.tf | 2 +- .../2-networking-a-peering/variables.tf | 11 +- fast/stages/2-networking-b-vpn/README.md | 8 +- fast/stages/2-networking-b-vpn/net-dev.tf | 2 +- fast/stages/2-networking-b-vpn/net-prod.tf | 2 +- fast/stages/2-networking-b-vpn/variables.tf | 11 +- fast/stages/2-networking-c-nva/README.md | 10 +- fast/stages/2-networking-c-nva/net-dev.tf | 2 +- fast/stages/2-networking-c-nva/net-prod.tf | 2 +- fast/stages/2-networking-c-nva/variables.tf | 11 +- .../2-networking-d-separate-envs/README.md | 10 +- .../2-networking-d-separate-envs/net-dev.tf | 2 +- .../2-networking-d-separate-envs/net-prod.tf | 2 +- .../2-networking-d-separate-envs/variables.tf | 11 +- fast/stages/2-networking-e-nva-bgp/README.md | 12 +- fast/stages/2-networking-e-nva-bgp/net-dev.tf | 2 +- .../stages/2-networking-e-nva-bgp/net-prod.tf | 2 +- .../2-networking-e-nva-bgp/variables.tf | 11 +- modules/cloudsql-instance/README.md | 5 +- modules/net-vpc/README.md | 55 +++++++-- 
modules/net-vpc/psa.tf | 72 +++++++---- modules/net-vpc/variables.tf | 17 ++- .../cloudsql_instance/examples/simple.yaml | 116 ++++++++++++++++++ .../examples/psa-multiple-providers.yaml | 57 +++++++++ .../modules/net_vpc/examples/psa-routes.yaml | 68 ++++++++-- tests/modules/net_vpc/examples/psa.yaml | 64 +++++++++- .../modules/net_vpc/psa_routes_export.tfvars | 4 +- tests/modules/net_vpc/psa_routes_export.yaml | 10 +- .../modules/net_vpc/psa_routes_import.tfvars | 4 +- tests/modules/net_vpc/psa_routes_import.yaml | 10 +- .../net_vpc/psa_routes_import_export.tfvars | 4 +- .../net_vpc/psa_routes_import_export.yaml | 10 +- 43 files changed, 500 insertions(+), 160 deletions(-) create mode 100644 tests/modules/net_vpc/examples/psa-multiple-providers.yaml diff --git a/blueprints/apigee/bigquery-analytics/main.tf b/blueprints/apigee/bigquery-analytics/main.tf index 0aea7bbc6..b90bec071 100644 --- a/blueprints/apigee/bigquery-analytics/main.tf +++ b/blueprints/apigee/bigquery-analytics/main.tf @@ -65,14 +65,14 @@ module "vpc" { name = "subnet-psc-${k}" region = k }] - psa_config = { + psa_configs = [{ ranges = merge({ for k, v in var.instances : "apigee-runtime-${k}" => v.runtime_ip_cidr_range }, { for k, v in var.instances : "apigee-troubleshooting-${k}" => v.troubleshooting_ip_cidr_range } ) - } + }] } module "apigee" { diff --git a/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/apigee.tf b/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/apigee.tf index afad0f0d2..ec3df275a 100644 --- a/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/apigee.tf +++ b/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/apigee.tf 
@@ -55,12 +55,12 @@ module "apigee_vpc" { name = "subnet-psc" region = var.region }] - psa_config = { + psa_configs = [{ ranges = { "apigee-runtime" = var.apigee_runtime_ip_cidr_range "apigee-troubleshooting" = var.apigee_troubleshooting_ip_cidr_range } - } + }] } module "apigee" { diff --git a/blueprints/data-solutions/cloudsql-multiregion/cloudsql.tf b/blueprints/data-solutions/cloudsql-multiregion/cloudsql.tf index 020466e2b..2821d6875 100644 --- a/blueprints/data-solutions/cloudsql-multiregion/cloudsql.tf +++ b/blueprints/data-solutions/cloudsql-multiregion/cloudsql.tf @@ -19,9 +19,9 @@ module "db" { encryption_key_name = var.service_encryption_keys != null ? try(var.service_encryption_keys[var.regions.primary], null) : null network_config = { connectivity = { - psa_config = { + psa_configs = [{ private_network = local.vpc_self_link - } + }] } } name = "${var.prefix}-db" diff --git a/blueprints/data-solutions/cloudsql-multiregion/main.tf b/blueprints/data-solutions/cloudsql-multiregion/main.tf index cf6d7535a..966a3ffec 100644 --- a/blueprints/data-solutions/cloudsql-multiregion/main.tf +++ b/blueprints/data-solutions/cloudsql-multiregion/main.tf @@ -108,10 +108,10 @@ module "vpc" { region = var.regions.primary } ] - psa_config = { + psa_configs = [{ ranges = { cloud-sql = var.sql_configuration.psa_range } routes = null - } + }] } module "firewall" { diff --git a/blueprints/data-solutions/vertex-mlops/main.tf b/blueprints/data-solutions/vertex-mlops/main.tf index 55e5614e2..7af79eeb2 100644 --- a/blueprints/data-solutions/vertex-mlops/main.tf +++ b/blueprints/data-solutions/vertex-mlops/main.tf @@ -147,12 +147,12 @@ module "vpc-local" { "secondary_ip_range" : null } ] - psa_config = { + psa_configs = [{ ranges = { "vertex" : "10.13.0.0/18" } routes = null - } + }] } module "firewall" { diff --git a/blueprints/third-party-solutions/gitlab/services.tf b/blueprints/third-party-solutions/gitlab/services.tf index b5168be94..54b09eb37 100644 
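Review bot: `psa_configs = [{ private_network = local.vpc_self_link }]` is passed to the cloudsql-instance module's `network_config.connectivity` in the cloudsql-multiregion `cloudsql.tf` hunk, yet the diffstat at the top of the patch touches only that module's README and not its `variables.tf`; if the connectivity object type still declares `psa_config`, Terraform rejects the unexpected attribute at plan time and this blueprint stops applying. The cloudsql-instance README hunk later in the patch changes only the `vpc` example and appears to leave the `db` block alone, which points the same way. Either confirm the module now accepts `psa_configs`, or keep this call as `psa_config = { private_network = local.vpc_self_link }` — the net-vpc rename does not by itself require renaming cloudsql-instance inputs.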
--- a/blueprints/third-party-solutions/gitlab/services.tf +++ b/blueprints/third-party-solutions/gitlab/services.tf @@ -37,9 +37,9 @@ module "db" { network_config = { authorized_networks = {} connectivity = { - psa_config = { + psa_configs = [{ private_network = var.network_config.network_self_link - } + }] } } database_version = var.cloudsql_config.database_version diff --git a/blueprints/third-party-solutions/phpipam/cloudsql.tf b/blueprints/third-party-solutions/phpipam/cloudsql.tf index 391151c73..05dd2fc74 100644 --- a/blueprints/third-party-solutions/phpipam/cloudsql.tf +++ b/blueprints/third-party-solutions/phpipam/cloudsql.tf @@ -25,9 +25,9 @@ module "cloudsql" { databases = [local.cloudsql_conf.db] network_config = { connectivity = { - psa_config = { + psa_configs = [{ private_network = local.network - } + }] } } prefix = var.prefix diff --git a/blueprints/third-party-solutions/phpipam/main.tf b/blueprints/third-party-solutions/phpipam/main.tf index f08d69d28..f21d7cfe1 100644 --- a/blueprints/third-party-solutions/phpipam/main.tf +++ b/blueprints/third-party-solutions/phpipam/main.tf @@ -75,12 +75,11 @@ module "vpc" { count = var.vpc_config == null ? 1 : 0 project_id = module.project.project_id name = "${var.prefix}-sql-vpc" - - psa_config = { + psa_configs = [{ ranges = { cloud-sql = var.ip_ranges.psa } - } + }] subnets = [ { ip_cidr_range = var.ip_ranges.ilb diff --git a/blueprints/third-party-solutions/wordpress/cloudrun/cloudsql.tf b/blueprints/third-party-solutions/wordpress/cloudrun/cloudsql.tf index e6546cee2..304b0ac6f 100644 --- a/blueprints/third-party-solutions/wordpress/cloudrun/cloudsql.tf +++ b/blueprints/third-party-solutions/wordpress/cloudrun/cloudsql.tf @@ -31,11 +31,11 @@ module "vpc" { region = var.region } ] - psa_config = { + psa_configs = [{ ranges = { cloud-sql = var.ip_ranges.psa } - } + }] } 
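Review bot: The cloudsql-instance call in gitlab's `module "db"` now passes `psa_configs` under `network_config.connectivity`, but nothing in the diffstat changes `modules/cloudsql-instance/variables.tf`, so that module's connectivity object presumably still knows only `psa_config` and Terraform would reject the unexpected attribute at plan time. The phpipam `cloudsql.tf` hunk on this same line has the identical problem. Keep `psa_config = { private_network = var.network_config.network_self_link }` here unless the module type was updated in a change not shown; `authorized_networks = {}` staying empty is the right default if the instance is meant to be reachable over PSA only and should not change as part of this rename.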
@@ -56,9 +56,9 @@ module "cloudsql" { project_id = module.project.project_id network_config = { connectivity = { - psa_config = { + psa_configs = [{ private_network = module.vpc.self_link - } + }] } } name = "${var.prefix}-mysql" diff --git a/fast/stages/2-networking-a-peering/README.md b/fast/stages/2-networking-a-peering/README.md index 6b0c24d6c..eb5c26657 100644 --- a/fast/stages/2-networking-a-peering/README.md +++ b/fast/stages/2-networking-a-peering/README.md @@ -401,10 +401,10 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [fast_features](variables.tf#L116) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap | | [outputs_location](variables.tf#L146) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | | [peering_configs](variables-peerings.tf#L19) | Peering configurations. | object({…}) | | {} | | -| [psa_ranges](variables.tf#L163) | IP ranges used for Private Service Access (CloudSQL, etc.). | object({…}) | | null | | -| [regions](variables.tf#L182) | Region definitions. | object({…}) | | {…} | | -| [service_accounts](variables.tf#L194) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | -| [vpn_onprem_primary_config](variables.tf#L208) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | | +| [psa_ranges](variables.tf#L163) | IP ranges used for Private Service Access (CloudSQL, etc.). | object({…}) | | {} | | +| [regions](variables.tf#L183) | Region definitions. | object({…}) | | {…} | | +| [service_accounts](variables.tf#L195) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | +| [vpn_onprem_primary_config](variables.tf#L209) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | | ## Outputs 
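Review bot: `psa_configs = [{ private_network = module.vpc.self_link }]` is handed to cloudsql-instance's `network_config.connectivity` in the second wordpress `cloudsql.tf` hunk, while the diffstat shows no change to that module's `variables.tf`; unless its connectivity type already declares `psa_configs`, the plan fails on an unexpected attribute. The first hunk in this file, which switches the net-vpc `psa_config` to `psa_configs`, is the only rename the module change actually requires. Revert this one to `psa_config = { private_network = module.vpc.self_link }` or confirm the cloudsql-instance type before merging.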
diff --git a/fast/stages/2-networking-a-peering/net-dev.tf b/fast/stages/2-networking-a-peering/net-dev.tf index 7f7e0e772..13a49498b 100644 --- a/fast/stages/2-networking-a-peering/net-dev.tf +++ b/fast/stages/2-networking-a-peering/net-dev.tf @@ -83,7 +83,7 @@ module "dev-spoke-vpc" { factories_config = { subnets_folder = "${var.factories_config.data_dir}/subnets/dev" } - psa_config = try(var.psa_ranges.dev, null) + psa_configs = var.psa_ranges.dev # set explicit routes for googleapis in case the default route is deleted create_googleapis_routes = { private = true diff --git a/fast/stages/2-networking-a-peering/net-prod.tf b/fast/stages/2-networking-a-peering/net-prod.tf index dd4b532f4..0f8d9b393 100644 --- a/fast/stages/2-networking-a-peering/net-prod.tf +++ b/fast/stages/2-networking-a-peering/net-prod.tf @@ -81,7 +81,7 @@ module "prod-spoke-vpc" { factories_config = { subnets_folder = "${var.factories_config.data_dir}/subnets/prod" } - psa_config = try(var.psa_ranges.prod, null) + psa_configs = var.psa_ranges.prod # set explicit routes for googleapis in case the default route is deleted create_googleapis_routes = { private = true diff --git a/fast/stages/2-networking-a-peering/variables.tf b/fast/stages/2-networking-a-peering/variables.tf index 46639d39f..2d2216a9a 100644 --- a/fast/stages/2-networking-a-peering/variables.tf +++ b/fast/stages/2-networking-a-peering/variables.tf 
@@ -163,20 +163,21 @@ variable "prefix" { variable "psa_ranges" { description = "IP ranges used for Private Service Access (CloudSQL, etc.)." type = object({ - dev = object({ + dev = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) - }) - prod = object({ + })), []) + prod = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) - }) + })), []) }) - default = null + nullable = false + default = {} } variable "regions" { diff --git a/fast/stages/2-networking-b-vpn/README.md b/fast/stages/2-networking-b-vpn/README.md index 132ae5256..3fe961ff7 100644 --- a/fast/stages/2-networking-b-vpn/README.md +++ b/fast/stages/2-networking-b-vpn/README.md 
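Review bot: The new `dev` and `prod` list entry types in `psa_ranges` carry no `service_producer` attribute, so every entry this stage forwards to `psa_configs` lands on the module's default producer and the multi-provider support this commit adds to net-vpc cannot be exercised from FAST; a second entry for the same producer would presumably collide, since Service Networking holds one connection per VPC and producer (the module's psa.tf is outside this view). Add `service_producer = optional(string)` to both object types so an entry can name a producer such as `netapp.servicenetworking.goog`, which should fall back to the module default when unset, and say in the description that entries are one per producer. `nullable = false` with `default = {}` is what makes dropping `try()` in net-dev.tf and net-prod.tf safe; a one-line comment such as `# non-nullable: net-dev.tf/net-prod.tf pass .dev/.prod straight to psa_configs` would keep that from being relaxed later.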
@@ -424,11 +424,11 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [factories_config](variables.tf#L95) | Configuration for network resource factories. | object({…}) | | {…} | | | [fast_features](variables.tf#L116) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap | | [outputs_location](variables.tf#L146) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | -| [psa_ranges](variables.tf#L163) | IP ranges used for Private Service Access (CloudSQL, etc.). | object({…}) | | null | | -| [regions](variables.tf#L182) | Region definitions. | object({…}) | | {…} | | -| [service_accounts](variables.tf#L194) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | +| [psa_ranges](variables.tf#L163) | IP ranges used for Private Service Access (CloudSQL, etc.). | object({…}) | | {} | | +| [regions](variables.tf#L183) | Region definitions. | object({…}) | | {…} | | +| [service_accounts](variables.tf#L195) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | | [vpn_configs](variables-vpn.tf#L17) | Hub to spokes VPN configurations. | object({…}) | | {} | | -| [vpn_onprem_primary_config](variables.tf#L208) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | | +| [vpn_onprem_primary_config](variables.tf#L209) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | | ## Outputs diff --git a/fast/stages/2-networking-b-vpn/net-dev.tf b/fast/stages/2-networking-b-vpn/net-dev.tf index 7f7e0e772..13a49498b 100644 --- a/fast/stages/2-networking-b-vpn/net-dev.tf +++ b/fast/stages/2-networking-b-vpn/net-dev.tf 
@@ -83,7 +83,7 @@ module "dev-spoke-vpc" { factories_config = { subnets_folder = "${var.factories_config.data_dir}/subnets/dev" } - psa_config = try(var.psa_ranges.dev, null) + psa_configs = var.psa_ranges.dev # set explicit routes for googleapis in case the default route is deleted create_googleapis_routes = { private = true diff --git a/fast/stages/2-networking-b-vpn/net-prod.tf b/fast/stages/2-networking-b-vpn/net-prod.tf index dd4b532f4..0f8d9b393 100644 --- a/fast/stages/2-networking-b-vpn/net-prod.tf +++ b/fast/stages/2-networking-b-vpn/net-prod.tf @@ -81,7 +81,7 @@ module "prod-spoke-vpc" { factories_config = { subnets_folder = "${var.factories_config.data_dir}/subnets/prod" } - psa_config = try(var.psa_ranges.prod, null) + psa_configs = var.psa_ranges.prod # set explicit routes for googleapis in case the default route is deleted create_googleapis_routes = { private = true diff --git a/fast/stages/2-networking-b-vpn/variables.tf b/fast/stages/2-networking-b-vpn/variables.tf index 46639d39f..2d2216a9a 100644 --- a/fast/stages/2-networking-b-vpn/variables.tf +++ b/fast/stages/2-networking-b-vpn/variables.tf @@ -163,20 +163,21 @@ variable "prefix" { variable "psa_ranges" { description = "IP ranges used for Private Service Access (CloudSQL, etc.)." type = object({ - dev = object({ + dev = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) - }) - prod = object({ + })), []) + prod = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) - }) + })), []) }) - default = null + nullable = false + default = {} } variable "regions" { diff --git a/fast/stages/2-networking-c-nva/README.md b/fast/stages/2-networking-c-nva/README.md index 2142ce7c3..ee1990644 100644 --- a/fast/stages/2-networking-c-nva/README.md 
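Review bot: In the b-vpn `variables.tf` hunk, `psa_ranges.dev` and `psa_ranges.prod` become lists but expose no `service_producer`, so the stage can still only reach the default service networking producer and more than one entry per environment is of doubtful use (one connection exists per VPC and producer, and how the module keys them is in psa.tf, not visible here). Suggest `service_producer = optional(string)` in both object types, defaulting to the module's producer when omitted, plus a description sentence stating that each entry is a separate producer. Also worth a comment on `nullable = false` noting that net-dev.tf and net-prod.tf in this same file set now index `.dev`/`.prod` without `try()`.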
+++ b/fast/stages/2-networking-c-nva/README.md @@ -471,11 +471,11 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [gcp_ranges](variables.tf#L136) | GCP address ranges in name => range format. | map(string) | | {…} | | | [onprem_cidr](variables.tf#L151) | Onprem addresses in name => range format. | map(string) | | {…} | | | [outputs_location](variables.tf#L169) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | -| [psa_ranges](variables.tf#L186) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | null | | -| [regions](variables.tf#L205) | Region definitions. | object({…}) | | {…} | | -| [service_accounts](variables.tf#L217) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | -| [vpn_onprem_primary_config](variables.tf#L231) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | | -| [vpn_onprem_secondary_config](variables.tf#L274) | VPN gateway configuration for onprem interconnection in the secondary region. | object({…}) | | null | | +| [psa_ranges](variables.tf#L186) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | {} | | +| [regions](variables.tf#L206) | Region definitions. | object({…}) | | {…} | | +| [service_accounts](variables.tf#L218) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | +| [vpn_onprem_primary_config](variables.tf#L232) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | | +| [vpn_onprem_secondary_config](variables.tf#L275) | VPN gateway configuration for onprem interconnection in the secondary region. | object({…}) | | null | | ## Outputs 
diff --git a/fast/stages/2-networking-c-nva/net-dev.tf b/fast/stages/2-networking-c-nva/net-dev.tf index 28b218b0a..9344c8af4 100644 --- a/fast/stages/2-networking-c-nva/net-dev.tf +++ b/fast/stages/2-networking-c-nva/net-dev.tf @@ -83,7 +83,7 @@ module "dev-spoke-vpc" { subnets_folder = "${var.factories_config.data_dir}/subnets/dev" } delete_default_routes_on_create = true - psa_config = try(var.psa_ranges.dev, null) + psa_configs = var.psa_ranges.dev # Set explicit routes for googleapis; send everything else to NVAs create_googleapis_routes = { private = true diff --git a/fast/stages/2-networking-c-nva/net-prod.tf b/fast/stages/2-networking-c-nva/net-prod.tf index 81af9967a..e37e77cf3 100644 --- a/fast/stages/2-networking-c-nva/net-prod.tf +++ b/fast/stages/2-networking-c-nva/net-prod.tf @@ -81,7 +81,7 @@ module "prod-spoke-vpc" { subnets_folder = "${var.factories_config.data_dir}/subnets/prod" } delete_default_routes_on_create = true - psa_config = try(var.psa_ranges.prod, null) + psa_configs = var.psa_ranges.prod # Set explicit routes for googleapis; send everything else to NVAs create_googleapis_routes = { private = true diff --git a/fast/stages/2-networking-c-nva/variables.tf b/fast/stages/2-networking-c-nva/variables.tf index 30654d6cd..c600271cd 100644 --- a/fast/stages/2-networking-c-nva/variables.tf +++ b/fast/stages/2-networking-c-nva/variables.tf 
@@ -186,20 +186,21 @@ variable "prefix" { variable "psa_ranges" { description = "IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format." type = object({ - dev = object({ + dev = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) - }) - prod = object({ + })), []) + prod = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) - }) + })), []) }) - default = null + nullable = false + default = {} } variable "regions" { diff --git a/fast/stages/2-networking-d-separate-envs/README.md b/fast/stages/2-networking-d-separate-envs/README.md index 14c0a63c3..12c2ab747 100644 --- a/fast/stages/2-networking-d-separate-envs/README.md +++ b/fast/stages/2-networking-d-separate-envs/README.md 
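Review bot: The c-nva `psa_ranges` type now admits a list per environment, yet neither the `dev` nor the `prod` object lets an entry choose a producer, so `service_producer` always takes the module default and a second entry per environment would presumably conflict with the first (the connection keying lives in the module's psa.tf, outside this view). Add `service_producer = optional(string)` to both objects and mention in the description that entries are per producer; the net-vpc README in this patch shows `netapp.servicenetworking.goog` as the kind of value it takes. A brief `# non-nullable: spokes pass .dev/.prod straight to psa_configs` next to `nullable = false` would document why the `try()` wrappers were removed in net-dev.tf and net-prod.tf.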
@@ -342,11 +342,11 @@ Regions are defined via the `regions` variable which sets up a mapping between t | [factories_config](variables.tf#L87) | Configuration for network resource factories. | object({…}) | | {…} | | | [fast_features](variables.tf#L108) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap | | [outputs_location](variables.tf#L138) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | -| [psa_ranges](variables.tf#L155) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | null | | -| [regions](variables.tf#L174) | Region definitions. | object({…}) | | {…} | | -| [service_accounts](variables.tf#L184) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | -| [vpn_onprem_dev_primary_config](variables.tf#L198) | VPN gateway configuration for onprem interconnection from dev in the primary region. | object({…}) | | null | | -| [vpn_onprem_prod_primary_config](variables.tf#L241) | VPN gateway configuration for onprem interconnection from prod in the primary region. | object({…}) | | null | | +| [psa_ranges](variables.tf#L155) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | {} | | +| [regions](variables.tf#L175) | Region definitions. | object({…}) | | {…} | | +| [service_accounts](variables.tf#L185) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | +| [vpn_onprem_dev_primary_config](variables.tf#L199) | VPN gateway configuration for onprem interconnection from dev in the primary region. | object({…}) | | null | | +| [vpn_onprem_prod_primary_config](variables.tf#L242) | VPN gateway configuration for onprem interconnection from prod in the primary region. | object({…}) | | null | | ## Outputs 
diff --git a/fast/stages/2-networking-d-separate-envs/net-dev.tf b/fast/stages/2-networking-d-separate-envs/net-dev.tf index 5d880e085..addc5a104 100644 --- a/fast/stages/2-networking-d-separate-envs/net-dev.tf +++ b/fast/stages/2-networking-d-separate-envs/net-dev.tf @@ -82,7 +82,7 @@ module "dev-spoke-vpc" { factories_config = { subnets_folder = "${var.factories_config.data_dir}/subnets/dev" } - psa_config = try(var.psa_ranges.dev, null) + psa_configs = var.psa_ranges.dev # set explicit routes for googleapis in case the default route is deleted create_googleapis_routes = { private = true diff --git a/fast/stages/2-networking-d-separate-envs/net-prod.tf b/fast/stages/2-networking-d-separate-envs/net-prod.tf index af740c4fb..c0dbff37d 100644 --- a/fast/stages/2-networking-d-separate-envs/net-prod.tf +++ b/fast/stages/2-networking-d-separate-envs/net-prod.tf @@ -80,7 +80,7 @@ module "prod-spoke-vpc" { factories_config = { subnets_folder = "${var.factories_config.data_dir}/subnets/prod" } - psa_config = try(var.psa_ranges.prod, null) + psa_configs = var.psa_ranges.prod # set explicit routes for googleapis in case the default route is deleted create_googleapis_routes = { private = true diff --git a/fast/stages/2-networking-d-separate-envs/variables.tf b/fast/stages/2-networking-d-separate-envs/variables.tf index 0c4165b3a..a6c569c10 100644 --- a/fast/stages/2-networking-d-separate-envs/variables.tf +++ b/fast/stages/2-networking-d-separate-envs/variables.tf 
@@ -155,20 +155,21 @@ variable "prefix" { variable "psa_ranges" { description = "IP ranges used for Private Service Access (e.g. CloudSQL)." type = object({ - dev = object({ + dev = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) - }) - prod = object({ + })), []) + prod = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) - }) + })), []) }) - default = null + nullable = false + default = {} } variable "regions" { diff --git a/fast/stages/2-networking-e-nva-bgp/README.md b/fast/stages/2-networking-e-nva-bgp/README.md index ca0401955..4e2d7d258 100644 --- a/fast/stages/2-networking-e-nva-bgp/README.md +++ b/fast/stages/2-networking-e-nva-bgp/README.md 
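Review bot: For the separate-envs stage, the `dev`/`prod` objects inside `psa_ranges` lack a `service_producer` attribute, so this variable cannot express the multiple-provider case the net-vpc module now supports, and any second list entry would target the same default producer — which likely collides, given one Service Networking connection per VPC and producer (how the module keys these is in psa.tf, not shown). Add `service_producer = optional(string)` to both object types, leave it unset for the default producer, and say so in the description. Pair `nullable = false` with a comment like `# callers index .dev/.prod directly; keep non-nullable` so the removed `try()` in net-dev.tf/net-prod.tf does not regress.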
@@ -498,12 +498,12 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [ncc_asn](variables.tf#L151) | The NCC Cloud Routers ASN configuration. | map(number) | | {…} | | | [onprem_cidr](variables.tf#L162) | Onprem addresses in name => range format. | map(string) | | {…} | | | [outputs_location](variables.tf#L180) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | -| [psa_ranges](variables.tf#L197) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | null | | -| [regions](variables.tf#L216) | Region definitions. | object({…}) | | {…} | | -| [service_accounts](variables.tf#L228) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | -| [vpn_onprem_primary_config](variables.tf#L242) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | | -| [vpn_onprem_secondary_config](variables.tf#L285) | VPN gateway configuration for onprem interconnection in the secondary region. | object({…}) | | null | | -| [zones](variables.tf#L328) | Zones in which NVAs are deployed. | list(string) | | ["b", "c"] | | +| [psa_ranges](variables.tf#L197) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | {} | | +| [regions](variables.tf#L217) | Region definitions. | object({…}) | | {…} | | +| [service_accounts](variables.tf#L229) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | +| [vpn_onprem_primary_config](variables.tf#L243) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | | +| [vpn_onprem_secondary_config](variables.tf#L286) | VPN gateway configuration for onprem interconnection in the secondary region. 
| object({…}) | | null | | +| [zones](variables.tf#L329) | Zones in which NVAs are deployed. | list(string) | | ["b", "c"] | | ## Outputs diff --git a/fast/stages/2-networking-e-nva-bgp/net-dev.tf b/fast/stages/2-networking-e-nva-bgp/net-dev.tf index 277ff8fc3..bb7bd165e 100644 --- a/fast/stages/2-networking-e-nva-bgp/net-dev.tf +++ b/fast/stages/2-networking-e-nva-bgp/net-dev.tf @@ -82,7 +82,7 @@ module "dev-spoke-vpc" { subnets_folder = "${var.factories_config.data_dir}/subnets/dev" } delete_default_routes_on_create = true - psa_config = try(var.psa_ranges.dev, null) + psa_configs = var.psa_ranges.dev # Set explicit routes for googleapis; send everything else to NVAs create_googleapis_routes = { private = true diff --git a/fast/stages/2-networking-e-nva-bgp/net-prod.tf b/fast/stages/2-networking-e-nva-bgp/net-prod.tf index 8ed524bad..6325c5766 100644 --- a/fast/stages/2-networking-e-nva-bgp/net-prod.tf +++ b/fast/stages/2-networking-e-nva-bgp/net-prod.tf @@ -80,7 +80,7 @@ module "prod-spoke-vpc" { subnets_folder = "${var.factories_config.data_dir}/subnets/prod" } delete_default_routes_on_create = true - psa_config = try(var.psa_ranges.prod, null) + psa_configs = var.psa_ranges.prod # Set explicit routes for googleapis; send everything else to NVAs create_googleapis_routes = { private = true diff --git a/fast/stages/2-networking-e-nva-bgp/variables.tf b/fast/stages/2-networking-e-nva-bgp/variables.tf index 8fd60c8ba..6377f6405 100644 --- a/fast/stages/2-networking-e-nva-bgp/variables.tf +++ b/fast/stages/2-networking-e-nva-bgp/variables.tf 
@@ -197,20 +197,21 @@ variable "prefix" { variable "psa_ranges" { description = "IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format." type = object({ - dev = object({ + dev = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) - }) - prod = object({ + })), []) + prod = optional(list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) - }) + })), []) }) - default = null + nullable = false + default = {} } variable "regions" { diff --git a/modules/cloudsql-instance/README.md b/modules/cloudsql-instance/README.md index 7c705f5d1..c1474cec1 100644 --- a/modules/cloudsql-instance/README.md +++ b/modules/cloudsql-instance/README.md @@ -25,9 +25,9 @@ module "vpc" { source = "./fabric/modules/net-vpc" project_id = module.project.project_id name = "my-network" - psa_config = { + psa_configs = [{ ranges = { cloud-sql = "10.60.0.0/16" } - } + }] } module "db" { @@ -117,6 +117,7 @@ module "db" { ``` ### CMEK encryption + ```hcl module "project" { diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md index 8e7f530c6..fecfc0b4e 100644 --- a/modules/net-vpc/README.md +++ b/modules/net-vpc/README.md 
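Review bot: In the nva-bgp `variables.tf` hunk, `psa_ranges.dev` and `psa_ranges.prod` are now lists whose objects carry only `ranges`, `export_routes`, `import_routes` and `peered_domains`; without a `service_producer` field every entry goes to the module's default producer, so the list shape adds nothing the stage can use and a second entry would presumably clash with the first (one connection per VPC and producer; the module's keying is in psa.tf, outside this view). Add `service_producer = optional(string)` to both objects and extend the description to "one entry per service producer". The `nullable = false` / `default = {}` pair deserves a one-line comment noting net-dev.tf and net-prod.tf now index `.dev`/`.prod` without `try()`.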
@@ -13,6 +13,7 @@ This module allows creation and management of VPC networks including subnetworks - [Shared VPC](#shared-vpc) - [Private Service Networking](#private-service-networking) - [Private Service Networking with peering routes and peered Cloud DNS domains](#private-service-networking-with-peering-routes-and-peered-cloud-dns-domains) + - [Private Service Networking with multiple service providers](#private-service-networking-with-multiple-service-providers) - [Subnets for Private Service Connect, Proxy-only subnets](#subnets-for-private-service-connect-proxy-only-subnets) - [PSC Network Attachments](#psc-network-attachments) - [DNS Policies](#dns-policies) @@ -247,9 +248,9 @@ module "vpc" { region = "europe-west1" } ] - psa_config = { + psa_configs = [{ ranges = { myrange = "10.0.1.0/24" } - } + }] } # tftest modules=1 resources=7 inventory=psa.yaml e2e ``` @@ -270,16 +271,44 @@ module "vpc" { region = "europe-west1" } ] - psa_config = { + psa_configs = [{ ranges = { myrange = "10.0.1.0/24" } export_routes = true import_routes = true peered_domains = ["gcp.example.com."] - } + }] } # tftest modules=1 resources=8 inventory=psa-routes.yaml e2e ``` +### Private Service Networking with multiple service providers + +```hcl +module "vpc" { + source = "./fabric/modules/net-vpc" + project_id = var.project_id + name = "my-network" + subnets = [ + { + ip_cidr_range = "10.0.0.0/24" + name = "production" + region = "europe-west1" + } + ] + psa_configs = [ + { + ranges = { myrange = "10.0.1.0/24" } + # service_producer = "servicenetworking.googleapis.com" # default value + }, + { + ranges = { netapp = "10.0.2.0/24" } + service_producer = "netapp.servicenetworking.goog" + } + ] +} +# tftest modules=1 resources=10 inventory=psa-multiple-providers.yaml e2e +``` + ### Subnets for Private Service Connect, Proxy-only subnets Along with common private subnets module supports creation more service specific subnets for the following purposes: 
@@ -627,15 +656,15 @@ module "vpc" {
 | [network_attachments](variables.tf#L100) | PSC network attachments, names as keys. | map(object({…})) | | {} |
 | [peering_config](variables.tf#L113) | VPC peering configuration. | object({…}) | | null |
 | [policy_based_routes](variables.tf#L124) | Policy based routes, keyed by name. | map(object({…})) | | {} |
-| [psa_config](variables.tf#L177) | The Private Service Access configuration. | object({…}) | | null |
-| [routes](variables.tf#L189) | Network routes, keyed by name. | map(object({…})) | | {} |
-| [routing_mode](variables.tf#L210) | The network routing mode (default 'GLOBAL'). | string | | "GLOBAL" |
-| [shared_vpc_host](variables.tf#L220) | Enable shared VPC for this project. | bool | | false |
-| [shared_vpc_service_projects](variables.tf#L226) | Shared VPC service projects to register with this host. | list(string) | | [] |
-| [subnets](variables.tf#L232) | Subnet configuration. | list(object({…})) | | [] |
-| [subnets_proxy_only](variables.tf#L279) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] |
-| [subnets_psc](variables.tf#L313) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] |
-| [vpc_create](variables.tf#L345) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool | | true |
+| [psa_configs](variables.tf#L177) | The Private Service Access configuration. | list(object({…})) | | [] |
+| [routes](variables.tf#L198) | Network routes, keyed by name. | map(object({…})) | | {} |
+| [routing_mode](variables.tf#L219) | The network routing mode (default 'GLOBAL'). | string | | "GLOBAL" |
+| [shared_vpc_host](variables.tf#L229) | Enable shared VPC for this project. | bool | | false |
+| [shared_vpc_service_projects](variables.tf#L235) | Shared VPC service projects to register with this host. | list(string) | | [] |
+| [subnets](variables.tf#L241) | Subnet configuration. | list(object({…})) | | [] |
+| [subnets_proxy_only](variables.tf#L288) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] |
+| [subnets_psc](variables.tf#L322) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] |
+| [vpc_create](variables.tf#L354) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool | | true |
 
 ## Outputs
diff --git a/modules/net-vpc/psa.tf b/modules/net-vpc/psa.tf
index 6f7146a19..401b7aa27 100644
--- a/modules/net-vpc/psa.tf
+++ b/modules/net-vpc/psa.tf
@@ -17,54 +17,74 @@
 # tfdoc:file:description Private Service Access resources.
 
 locals {
- psa_config_ranges = try(var.psa_config.ranges, {})
+ _psa_configs_ranges = flatten([
+ for config in local.psa_configs : [
+ for k, v in config.ranges : {
+ key = "${config.key}-${k}"
+ value = v
+ }
+ ]
+ ])
+ _psa_peered_domains = flatten([
+ for config in local.psa_configs : [
+ for v in config.peered_domains : {
+ key = "${config.key}-${replace(v, ".", "-")}"
+ dns_suffix = v
+ service_producer = config.service_producer
+ }
+ ]
+ ])
+ psa_configs = {
+ for v in var.psa_configs : v.service_producer => merge(v, {
+ key = replace(v.service_producer, ".", "-")
+ })
+ }
+ psa_configs_ranges = {
+ for v in local._psa_configs_ranges : v.key => v.value
+ }
+ psa_peered_domains = {
+ for v in local._psa_peered_domains : v.key => v
+ }
 }
 
 resource "google_compute_global_address" "psa_ranges" {
- for_each = local.psa_config_ranges
+ for_each = local.psa_configs_ranges
 project = var.project_id
+ network = local.network.id
 name = each.key
 purpose = "VPC_PEERING"
 address_type = "INTERNAL"
 address = split("/", each.value)[0]
 prefix_length = split("/", each.value)[1]
- network = local.network.id
-}
-
-moved {
- from = google_service_networking_connection.psa_connection["1"]
- to = google_service_networking_connection.psa_connection[0]
 }
 
 resource "google_service_networking_connection" "psa_connection" {
- count = var.psa_config != null ? 1 : 0
- network = local.network.id
- service = var.psa_config.service_producer
+ for_each = local.psa_configs
+ network = local.network.id
+ service = each.key
 reserved_peering_ranges = [
- for k, v in google_compute_global_address.psa_ranges : v.name
+ for k, v in google_compute_global_address.psa_ranges :
+ v.name if startswith(k, each.value.key)
 ]
 }
 
-moved {
- from = google_compute_network_peering_routes_config.psa_routes["1"]
- to = google_compute_network_peering_routes_config.psa_routes[0]
-}
-
 resource "google_compute_network_peering_routes_config" "psa_routes" {
- count = var.psa_config != null ? 1 : 0
- project = var.project_id
- peering = google_service_networking_connection.psa_connection[0].peering
+ for_each = local.psa_configs
+ project = var.project_id
+ peering = (
+ google_service_networking_connection.psa_connection[each.key].peering
+ )
 network = local.network.name
- export_custom_routes = var.psa_config.export_routes
- import_custom_routes = var.psa_config.import_routes
+ export_custom_routes = each.value.export_routes
+ import_custom_routes = each.value.import_routes
 }
 
 resource "google_service_networking_peered_dns_domain" "name" {
- for_each = toset(try(var.psa_config.peered_domains, []))
+ for_each = local.psa_peered_domains
 project = var.project_id
- name = trimsuffix(replace(each.value, ".", "-"), "-")
 network = local.network.name
- dns_suffix = each.value
- service = var.psa_config.service_producer
+ name = each.key
+ dns_suffix = each.value.dns_suffix
+ service = each.value.service_producer
 depends_on = [google_service_networking_connection.psa_connection]
 }
diff --git a/modules/net-vpc/variables.tf b/modules/net-vpc/variables.tf
index f50297c22..21fae5a76 100644
--- a/modules/net-vpc/variables.tf
+++ b/modules/net-vpc/variables.tf
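Review bot: The peered DNS domain key built in `_psa_peered_domains` keeps the trailing dash that the removed `name = trimsuffix(replace(each.value, ".", "-"), "-")` used to strip, so a suffix like `gcp.example.com.` now becomes the resource name `servicenetworking-googleapis-com-gcp-example-com-` (the psa-routes fixture further down shows exactly that); the old `trimsuffix` was presumably guarding the Service Networking name format, which as far as I recall must end in a letter or digit, so it should be restored in the key expression. The `reserved_peering_ranges` filter `startswith(k, each.value.key)` is a prefix match that would also pick up ranges of another producer whose sanitized key begins with this one's, whereas the config's own `ranges` keys allow an exact lookup. Finally, the old `moved` blocks are dropped and nothing maps `psa_connection[0]`/`psa_routes[0]` to the new `["servicenetworking.googleapis.com"]` keys, and `psa_ranges` now names addresses `<producer>-<key>` instead of the bare key, so an existing deployment will plan to destroy and recreate the PSA connection and reserved ranges that Cloud SQL may still be using — add the `moved` blocks (keeping the old `["1"]` ones so the chain still resolves) and call the address rename out as a breaking change. The rewritten pieces:
```hcl
# … unchanged: _psa_configs_ranges …
  _psa_peered_domains = flatten([
    for config in local.psa_configs : [
      for v in config.peered_domains : {
        # strip the trailing "-" produced by the domain's terminating dot
        key              = "${config.key}-${trimsuffix(replace(v, ".", "-"), "-")}"
        dns_suffix       = v
        service_producer = config.service_producer
      }
    ]
  ])
# … unchanged: psa_configs, psa_configs_ranges, psa_peered_domains, google_compute_global_address …

moved {
  from = google_service_networking_connection.psa_connection[0]
  to   = google_service_networking_connection.psa_connection["servicenetworking.googleapis.com"]
}

resource "google_service_networking_connection" "psa_connection" {
  for_each = local.psa_configs
  network  = local.network.id
  service  = each.key
  # exact lookup by this producer's own range keys instead of a prefix match
  reserved_peering_ranges = [
    for k in keys(each.value.ranges) :
    google_compute_global_address.psa_ranges["${each.value.key}-${k}"].name
  ]
}

moved {
  from = google_compute_network_peering_routes_config.psa_routes[0]
  to   = google_compute_network_peering_routes_config.psa_routes["servicenetworking.googleapis.com"]
}
# … unchanged: psa_routes, google_service_networking_peered_dns_domain …
```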
@@ -174,16 +174,25 @@ variable "project_id" {
 type = string
 }
 
-variable "psa_config" {
+variable "psa_configs" {
 description = "The Private Service Access configuration."
- type = object({
+ type = list(object({
 ranges = map(string)
 export_routes = optional(bool, false)
 import_routes = optional(bool, false)
 peered_domains = optional(list(string), [])
 service_producer = optional(string, "servicenetworking.googleapis.com")
- })
- default = null
+ }))
+ nullable = false
+ default = []
+ validation {
+ condition = (
+ length(var.psa_configs) == length(toset([
+ for v in var.psa_configs : v.service_producer
+ ]))
+ )
+ error_message = "At most one configuration is possible for each service producer."
+ }
 }
 
 variable "routes" {
diff --git a/tests/modules/cloudsql_instance/examples/simple.yaml b/tests/modules/cloudsql_instance/examples/simple.yaml
index fdc663e21..5103c12b4 100644
--- a/tests/modules/cloudsql_instance/examples/simple.yaml
+++ b/tests/modules/cloudsql_instance/examples/simple.yaml
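Review bot: The description `"The Private Service Access configuration."` was left as-is although the variable is now a list with one entry per service producer and carries a uniqueness rule; suggest `description = "Private Service Access configurations, one per service producer (entries sharing a service_producer are rejected)."` so callers learn the contract without reading the validation. The new `validation` only de-duplicates `service_producer`; `ranges` values are still unchecked, so a malformed CIDR only fails later when the global address splits it on `/`, and a second validation such as `condition = alltrue([for c in var.psa_configs : alltrue([for r in values(c.ranges) : can(cidrhost(r, 0))])])` with `error_message = "PSA ranges must be valid CIDR blocks."` would report it at plan time with a clear message. The trailing context shows this is the complete variable block.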
@@ -14,22 +14,138 @@ values: module.db.google_sql_database_instance.primary: + clone: [] database_version: POSTGRES_13 + deletion_protection: true name: db project: my-db-project region: europe-west1 + restore_backup_context: [] + root_password: null settings: - activation_policy: ALWAYS + active_directory_config: [] + advanced_machine_features: [] availability_type: ZONAL + collation: null + data_cache_config: [] + database_flags: [] deletion_protection_enabled: true + deny_maintenance_period: [] disk_autoresize: true + disk_autoresize_limit: 0 disk_type: PD_SSD + edition: ENTERPRISE insights_config: [] ip_configuration: - allocated_ip_range: null authorized_networks: [] + enable_private_path_for_google_cloud_services: null ipv4_enabled: false + psc_config: [] + require_ssl: null + maintenance_window: [] + password_validation_policy: [] + pricing_plan: PER_USE + sql_server_audit_config: [] tier: db-g1-small + time_zone: null + timeouts: null + module.project.google_project.project[0]: + auto_create_network: false + billing_account: 123456-123456-123456 + folder_id: null + labels: null + name: my-db-project + org_id: '1122334455' + project_id: my-db-project + skip_delete: false + timeouts: null + module.project.google_project_iam_member.servicenetworking[0]: + condition: [] + project: my-db-project + role: roles/servicenetworking.serviceAgent + module.project.google_project_service.project_services["servicenetworking.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: my-db-project + service: servicenetworking.googleapis.com + timeouts: null + module.project.google_project_service_identity.servicenetworking[0]: + project: my-db-project + service: servicenetworking.googleapis.com + timeouts: null + module.vpc.google_compute_global_address.psa_ranges["servicenetworking-googleapis-com-cloud-sql"]: + address: 10.60.0.0 + address_type: INTERNAL + description: null + ip_version: null + name: 
servicenetworking-googleapis-com-cloud-sql + prefix_length: 16 + project: my-db-project + purpose: VPC_PEERING + timeouts: null + module.vpc.google_compute_network.network[0]: + auto_create_subnetworks: false + delete_default_routes_on_create: false + description: Terraform-managed. + enable_ula_internal_ipv6: null + name: my-network + network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL + project: my-db-project + routing_mode: GLOBAL + timeouts: null + module.vpc.google_compute_network_peering_routes_config.psa_routes["servicenetworking.googleapis.com"]: + export_custom_routes: false + import_custom_routes: false + network: my-network + project: my-db-project + timeouts: null + module.vpc.google_compute_route.gateway["private-googleapis"]: + description: Terraform-managed. + dest_range: 199.36.153.8/30 + name: my-network-private-googleapis + network: my-network + next_hop_gateway: default-internet-gateway + next_hop_ilb: null + next_hop_instance: null + next_hop_vpn_tunnel: null + priority: 1000 + project: my-db-project + tags: null + timeouts: null + module.vpc.google_compute_route.gateway["restricted-googleapis"]: + description: Terraform-managed. 
+ dest_range: 199.36.153.4/30 + name: my-network-restricted-googleapis + network: my-network + next_hop_gateway: default-internet-gateway + next_hop_ilb: null + next_hop_instance: null + next_hop_vpn_tunnel: null + priority: 1000 + project: my-db-project + tags: null + timeouts: null + module.vpc.google_service_networking_connection.psa_connection["servicenetworking.googleapis.com"]: + deletion_policy: null + reserved_peering_ranges: + - servicenetworking-googleapis-com-cloud-sql + service: servicenetworking.googleapis.com + timeouts: null counts: + google_compute_global_address: 1 + google_compute_network: 1 + google_compute_network_peering_routes_config: 1 + google_compute_route: 2 + google_project: 1 + google_project_iam_member: 1 + google_project_service: 1 + google_project_service_identity: 1 + google_service_networking_connection: 1 google_sql_database_instance: 1 + modules: 3 + resources: 11 + +outputs: {} diff --git a/tests/modules/net_vpc/examples/psa-multiple-providers.yaml b/tests/modules/net_vpc/examples/psa-multiple-providers.yaml new file mode 100644 index 000000000..f2bd9c741 --- /dev/null +++ b/tests/modules/net_vpc/examples/psa-multiple-providers.yaml 
@@ -0,0 +1,57 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + module.vpc.google_compute_global_address.psa_ranges["servicenetworking-googleapis-com-myrange"]: + address: 10.0.1.0 + address_type: INTERNAL + name: servicenetworking-googleapis-com-myrange + prefix_length: 24 + project: project-id + purpose: VPC_PEERING + module.vpc.google_compute_global_address.psa_ranges["netapp-servicenetworking-goog-netapp"]: + address: 10.0.2.0 + address_type: INTERNAL + name: netapp-servicenetworking-goog-netapp + prefix_length: 24 + project: project-id + purpose: VPC_PEERING + module.vpc.google_compute_network.network[0]: + name: my-network + project: project-id + module.vpc.google_compute_network_peering_routes_config.psa_routes["servicenetworking.googleapis.com"]: + export_custom_routes: false + import_custom_routes: false + project: project-id + module.vpc.google_compute_subnetwork.subnetwork["europe-west1/production"]: + ip_cidr_range: 10.0.0.0/24 + name: production + project: project-id + module.vpc.google_service_networking_connection.psa_connection["servicenetworking.googleapis.com"]: + reserved_peering_ranges: + - servicenetworking-googleapis-com-myrange + service: servicenetworking.googleapis.com + module.vpc.google_service_networking_connection.psa_connection["netapp.servicenetworking.goog"]: + reserved_peering_ranges: + - netapp-servicenetworking-goog-netapp + service: netapp.servicenetworking.goog + +counts: + 
google_compute_global_address: 2 + google_compute_network: 1 + google_compute_network_peering_routes_config: 2 + google_compute_subnetwork: 1 + google_service_networking_connection: 2 + +outputs: {} \ No newline at end of file diff --git a/tests/modules/net_vpc/examples/psa-routes.yaml b/tests/modules/net_vpc/examples/psa-routes.yaml index efbcb2da7..c64353b78 100644 --- a/tests/modules/net_vpc/examples/psa-routes.yaml +++ b/tests/modules/net_vpc/examples/psa-routes.yaml 
@@ -13,42 +13,94 @@ # limitations under the License. values: - module.vpc.google_compute_global_address.psa_ranges["myrange"]: + module.vpc.google_compute_global_address.psa_ranges["servicenetworking-googleapis-com-myrange"]: address: 10.0.1.0 address_type: INTERNAL - name: myrange + description: null + ip_version: null + name: servicenetworking-googleapis-com-myrange prefix_length: 24 project: project-id purpose: VPC_PEERING + timeouts: null module.vpc.google_compute_network.network[0]: + auto_create_subnetworks: false + delete_default_routes_on_create: false + description: Terraform-managed. + enable_ula_internal_ipv6: null name: my-network + network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL project: project-id routing_mode: GLOBAL - module.vpc.google_compute_network_peering_routes_config.psa_routes[0]: + timeouts: null + module.vpc.google_compute_network_peering_routes_config.psa_routes["servicenetworking.googleapis.com"]: export_custom_routes: true import_custom_routes: true + network: my-network project: project-id + timeouts: null + module.vpc.google_compute_route.gateway["private-googleapis"]: + description: Terraform-managed. + dest_range: 199.36.153.8/30 + name: my-network-private-googleapis + network: my-network + next_hop_gateway: default-internet-gateway + next_hop_ilb: null + next_hop_instance: null + next_hop_vpn_tunnel: null + priority: 1000 + project: project-id + tags: null + timeouts: null + module.vpc.google_compute_route.gateway["restricted-googleapis"]: + description: Terraform-managed. + dest_range: 199.36.153.4/30 + name: my-network-restricted-googleapis + network: my-network + next_hop_gateway: default-internet-gateway + next_hop_ilb: null + next_hop_instance: null + next_hop_vpn_tunnel: null + priority: 1000 + project: project-id + tags: null + timeouts: null module.vpc.google_compute_subnetwork.subnetwork["europe-west1/production"]: + description: Terraform-managed. 
ip_cidr_range: 10.0.0.0/24 + ipv6_access_type: null + log_config: [] name: production + network: my-network private_ip_google_access: true project: project-id region: europe-west1 + role: null secondary_ip_range: [] - module.vpc.google_service_networking_connection.psa_connection[0]: + timeouts: null + module.vpc.google_service_networking_connection.psa_connection["servicenetworking.googleapis.com"]: + deletion_policy: null reserved_peering_ranges: - - myrange + - servicenetworking-googleapis-com-myrange service: servicenetworking.googleapis.com - module.vpc.google_service_networking_peered_dns_domain.name["gcp.example.com."]: + timeouts: null + module.vpc.google_service_networking_peered_dns_domain.name["servicenetworking-googleapis-com-gcp-example-com-"]: dns_suffix: gcp.example.com. - name: gcp-example-com + name: servicenetworking-googleapis-com-gcp-example-com- + network: my-network project: project-id service: servicenetworking.googleapis.com + timeouts: null counts: google_compute_global_address: 1 google_compute_network: 1 google_compute_network_peering_routes_config: 1 + google_compute_route: 2 google_compute_subnetwork: 1 google_service_networking_connection: 1 - google_service_networking_peered_dns_domain: 1 \ No newline at end of file + google_service_networking_peered_dns_domain: 1 + modules: 1 + resources: 8 + +outputs: {} diff --git a/tests/modules/net_vpc/examples/psa.yaml b/tests/modules/net_vpc/examples/psa.yaml index 6af1a1d52..806bf443f 100644 --- a/tests/modules/net_vpc/examples/psa.yaml +++ b/tests/modules/net_vpc/examples/psa.yaml 
@@ -13,34 +13,86 @@ # limitations under the License. values: - module.vpc.google_compute_global_address.psa_ranges["myrange"]: + module.vpc.google_compute_global_address.psa_ranges["servicenetworking-googleapis-com-myrange"]: address: 10.0.1.0 address_type: INTERNAL - name: myrange + description: null + ip_version: null + name: servicenetworking-googleapis-com-myrange prefix_length: 24 project: project-id purpose: VPC_PEERING + timeouts: null module.vpc.google_compute_network.network[0]: + auto_create_subnetworks: false + delete_default_routes_on_create: false + description: Terraform-managed. + enable_ula_internal_ipv6: null name: my-network + network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL project: project-id - module.vpc.google_compute_network_peering_routes_config.psa_routes[0]: + routing_mode: GLOBAL + timeouts: null + module.vpc.google_compute_network_peering_routes_config.psa_routes["servicenetworking.googleapis.com"]: export_custom_routes: false import_custom_routes: false + network: my-network project: project-id + timeouts: null + module.vpc.google_compute_route.gateway["private-googleapis"]: + description: Terraform-managed. + dest_range: 199.36.153.8/30 + name: my-network-private-googleapis + network: my-network + next_hop_gateway: default-internet-gateway + next_hop_ilb: null + next_hop_instance: null + next_hop_vpn_tunnel: null + priority: 1000 + project: project-id + tags: null + timeouts: null + module.vpc.google_compute_route.gateway["restricted-googleapis"]: + description: Terraform-managed. + dest_range: 199.36.153.4/30 + name: my-network-restricted-googleapis + network: my-network + next_hop_gateway: default-internet-gateway + next_hop_ilb: null + next_hop_instance: null + next_hop_vpn_tunnel: null + priority: 1000 + project: project-id + tags: null + timeouts: null module.vpc.google_compute_subnetwork.subnetwork["europe-west1/production"]: + description: Terraform-managed. 
ip_cidr_range: 10.0.0.0/24 + ipv6_access_type: null + log_config: [] name: production + network: my-network + private_ip_google_access: true project: project-id - module.vpc.google_service_networking_connection.psa_connection[0]: + region: europe-west1 + role: null + secondary_ip_range: [] + timeouts: null + module.vpc.google_service_networking_connection.psa_connection["servicenetworking.googleapis.com"]: + deletion_policy: null reserved_peering_ranges: - - myrange + - servicenetworking-googleapis-com-myrange service: servicenetworking.googleapis.com + timeouts: null counts: google_compute_global_address: 1 google_compute_network: 1 google_compute_network_peering_routes_config: 1 + google_compute_route: 2 google_compute_subnetwork: 1 google_service_networking_connection: 1 + modules: 1 + resources: 7 -outputs: {} \ No newline at end of file +outputs: {} diff --git a/tests/modules/net_vpc/psa_routes_export.tfvars b/tests/modules/net_vpc/psa_routes_export.tfvars index 9fbe4ddf7..697288504 100644 --- a/tests/modules/net_vpc/psa_routes_export.tfvars +++ b/tests/modules/net_vpc/psa_routes_export.tfvars @@ -1,7 +1,7 @@ -psa_config = { +psa_configs = [{ ranges = { bar = "172.16.100.0/24" } export_routes = true import_routes = false -} +}] diff --git a/tests/modules/net_vpc/psa_routes_export.yaml b/tests/modules/net_vpc/psa_routes_export.yaml index 6b42919bb..69e807191 100644 --- a/tests/modules/net_vpc/psa_routes_export.yaml +++ b/tests/modules/net_vpc/psa_routes_export.yaml @@ -13,12 +13,12 @@ # limitations under the License. values: - google_compute_global_address.psa_ranges["bar"]: + google_compute_global_address.psa_ranges["servicenetworking-googleapis-com-bar"]: address: 172.16.100.0 address_type: INTERNAL description: null ip_version: null - name: bar + name: servicenetworking-googleapis-com-bar prefix_length: 24 project: test-project purpose: VPC_PEERING 
@@ -30,13 +30,13 @@ values: name: test project: test-project routing_mode: GLOBAL - google_compute_network_peering_routes_config.psa_routes[0]: + google_compute_network_peering_routes_config.psa_routes["servicenetworking.googleapis.com"]: export_custom_routes: true import_custom_routes: false project: test-project - google_service_networking_connection.psa_connection[0]: + google_service_networking_connection.psa_connection["servicenetworking.googleapis.com"]: reserved_peering_ranges: - - bar + - servicenetworking-googleapis-com-bar service: servicenetworking.googleapis.com counts: diff --git a/tests/modules/net_vpc/psa_routes_import.tfvars b/tests/modules/net_vpc/psa_routes_import.tfvars index beeaf433a..0863f387d 100644 --- a/tests/modules/net_vpc/psa_routes_import.tfvars +++ b/tests/modules/net_vpc/psa_routes_import.tfvars @@ -1,7 +1,7 @@ -psa_config = { +psa_configs = [{ ranges = { bar = "172.16.100.0/24" } export_routes = false import_routes = true -} +}] diff --git a/tests/modules/net_vpc/psa_routes_import.yaml b/tests/modules/net_vpc/psa_routes_import.yaml index 1bf772884..c7a39efec 100644 --- a/tests/modules/net_vpc/psa_routes_import.yaml +++ b/tests/modules/net_vpc/psa_routes_import.yaml @@ -13,12 +13,12 @@ # limitations under the License. values: - google_compute_global_address.psa_ranges["bar"]: + google_compute_global_address.psa_ranges["servicenetworking-googleapis-com-bar"]: address: 172.16.100.0 address_type: INTERNAL description: null ip_version: null - name: bar + name: servicenetworking-googleapis-com-bar prefix_length: 24 project: test-project purpose: VPC_PEERING 
@@ -30,13 +30,13 @@ values: name: test project: test-project routing_mode: GLOBAL - google_compute_network_peering_routes_config.psa_routes[0]: + google_compute_network_peering_routes_config.psa_routes["servicenetworking.googleapis.com"]: export_custom_routes: false import_custom_routes: true project: test-project - google_service_networking_connection.psa_connection[0]: + google_service_networking_connection.psa_connection["servicenetworking.googleapis.com"]: reserved_peering_ranges: - - bar + - servicenetworking-googleapis-com-bar service: servicenetworking.googleapis.com counts: diff --git a/tests/modules/net_vpc/psa_routes_import_export.tfvars b/tests/modules/net_vpc/psa_routes_import_export.tfvars index 205922311..5851891b6 100644 --- a/tests/modules/net_vpc/psa_routes_import_export.tfvars +++ b/tests/modules/net_vpc/psa_routes_import_export.tfvars @@ -1,7 +1,7 @@ -psa_config = { +psa_configs = [{ ranges = { bar = "172.16.100.0/24" } export_routes = true import_routes = true -} +}] diff --git a/tests/modules/net_vpc/psa_routes_import_export.yaml b/tests/modules/net_vpc/psa_routes_import_export.yaml index d74c51c34..ea68ffd2e 100644 --- a/tests/modules/net_vpc/psa_routes_import_export.yaml +++ b/tests/modules/net_vpc/psa_routes_import_export.yaml @@ -13,12 +13,12 @@ # limitations under the License. values: - google_compute_global_address.psa_ranges["bar"]: + google_compute_global_address.psa_ranges["servicenetworking-googleapis-com-bar"]: address: 172.16.100.0 address_type: INTERNAL description: null ip_version: null - name: bar + name: servicenetworking-googleapis-com-bar prefix_length: 24 project: test-project purpose: VPC_PEERING 
@@ -30,13 +30,13 @@ values: name: test project: test-project routing_mode: GLOBAL - google_compute_network_peering_routes_config.psa_routes[0]: + google_compute_network_peering_routes_config.psa_routes["servicenetworking.googleapis.com"]: export_custom_routes: true import_custom_routes: true project: test-project - google_service_networking_connection.psa_connection[0]: + google_service_networking_connection.psa_connection["servicenetworking.googleapis.com"]: reserved_peering_ranges: - - bar + - servicenetworking-googleapis-com-bar service: servicenetworking.googleapis.com counts: