From 9ab3b49f69588715e13eedb5fcb4a1f4186cd711 Mon Sep 17 00:00:00 2001 From: Julio Castillo Date: Fri, 6 Oct 2023 17:31:32 +0200 Subject: [PATCH] Add PSA peered domains support to `net-vpc` (#1741) * Add PSA peered domains support to `net-vpc` * Fix tests --- modules/net-vpc/README.md | 33 ++++++++++--------- modules/net-vpc/psa.tf | 32 ++++++++++++++---- modules/net-vpc/variables.tf | 7 ++-- .../{psc-routes.yaml => psa-routes.yaml} | 15 ++++++--- .../net_vpc/examples/{psc.yaml => psa.yaml} | 4 +-- tests/modules/net_vpc/psa_routes_export.yaml | 6 ++-- tests/modules/net_vpc/psa_routes_import.yaml | 6 ++-- .../net_vpc/psa_routes_import_export.yaml | 6 ++-- 8 files changed, 69 insertions(+), 40 deletions(-) rename tests/modules/net_vpc/examples/{psc-routes.yaml => psa-routes.yaml} (81%) rename tests/modules/net_vpc/examples/{psc.yaml => psa.yaml} (98%) diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md index ea86930ea..e3cc75fd1 100644 --- a/modules/net-vpc/README.md +++ b/modules/net-vpc/README.md @@ -12,7 +12,7 @@ This module allows creation and management of VPC networks including subnetworks - [Peering](#peering) - [Shared VPC](#shared-vpc) - [Private Service Networking](#private-service-networking) - - [Private Service Networking with peering routes](#private-service-networking-with-peering-routes) + - [Private Service Networking with peering routes and peered Cloud DNS domains](#private-service-networking-with-peering-routes-and-peered-cloud-dns-domains) - [Subnets for Private Service Connect, Proxy-only subnets](#subnets-for-private-service-connect-proxy-only-subnets) - [DNS Policies](#dns-policies) - [Subnet Factory](#subnet-factory) 
@@ -247,10 +247,10 @@ module "vpc" { ranges = { myrange = "10.0.1.0/24" } } } -# tftest modules=1 resources=7 inventory=psc.yaml +# tftest modules=1 resources=7 inventory=psa.yaml ``` -### Private Service Networking with peering routes +### Private Service Networking with peering routes and peered Cloud DNS domains Custom routes can be optionally exported/imported through the peering formed with the Google managed PSA VPC. @@ -267,12 +267,13 @@ module "vpc" { } ] psa_config = { - ranges = { myrange = "10.0.1.0/24" } - export_routes = true - import_routes = true + ranges = { myrange = "10.0.1.0/24" } + export_routes = true + import_routes = true + peered_domains = ["gcp.example.com."] } } -# tftest modules=1 resources=7 inventory=psc-routes.yaml +# tftest modules=1 resources=8 inventory=psa-routes.yaml ``` ### Subnets for Private Service Connect, Proxy-only subnets 
@@ -549,15 +550,15 @@ module "vpc" { | [ipv6_config](variables.tf#L79) | Optional IPv6 configuration for this network. | object({…}) | | {} | | [mtu](variables.tf#L89) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 (the default) and the maximum value is 1500 bytes. | number | | null | | [peering_config](variables.tf#L100) | VPC peering configuration. | object({…}) | | null | -| [psa_config](variables.tf#L116) | The Private Service Access configuration for Service Networking. | object({…}) | | null | -| [routes](variables.tf#L126) | Network routes, keyed by name. | map(object({…})) | | {} | -| [routing_mode](variables.tf#L147) | The network routing mode (default 'GLOBAL'). | string | | "GLOBAL" | -| [shared_vpc_host](variables.tf#L157) | Enable shared VPC for this project. | bool | | false | -| [shared_vpc_service_projects](variables.tf#L163) | Shared VPC service projects to register with this host. | list(string) | | [] | -| [subnets](variables.tf#L169) | Subnet configuration. | list(object({…})) | | [] | -| [subnets_proxy_only](variables.tf#L216) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] | -| [subnets_psc](variables.tf#L250) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] | -| [vpc_create](variables.tf#L282) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool | | true | +| [psa_config](variables.tf#L116) | The Private Service Access configuration for Service Networking. | object({…}) | | null | +| [routes](variables.tf#L127) | Network routes, keyed by name. | map(object({…})) | | {} | +| [routing_mode](variables.tf#L148) | The network routing mode (default 'GLOBAL'). | string | | "GLOBAL" | +| [shared_vpc_host](variables.tf#L158) | Enable shared VPC for this project. 
| bool | | false | +| [shared_vpc_service_projects](variables.tf#L164) | Shared VPC service projects to register with this host. | list(string) | | [] | +| [subnets](variables.tf#L170) | Subnet configuration. | list(object({…})) | | [] | +| [subnets_proxy_only](variables.tf#L217) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] | +| [subnets_psc](variables.tf#L251) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] | +| [vpc_create](variables.tf#L283) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool | | true | ## Outputs diff --git a/modules/net-vpc/psa.tf b/modules/net-vpc/psa.tf index 19c47d4d0..29fe04082 100644 --- a/modules/net-vpc/psa.tf +++ b/modules/net-vpc/psa.tf @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2023 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -31,20 +31,40 @@ resource "google_compute_global_address" "psa_ranges" { network = local.network.id } +moved { + from = google_service_networking_connection.psa_connection["1"] + to = google_service_networking_connection.psa_connection[0] +} + resource "google_service_networking_connection" "psa_connection" { - for_each = var.psa_config != null ? { 1 = 1 } : {} - network = local.network.id - service = "servicenetworking.googleapis.com" + count = var.psa_config != null ? 1 : 0 + network = local.network.id + service = "servicenetworking.googleapis.com" reserved_peering_ranges = [ for k, v in google_compute_global_address.psa_ranges : v.name ] } +moved { + from = google_compute_network_peering_routes_config.psa_routes["1"] + to = google_compute_network_peering_routes_config.psa_routes[0] +} + resource "google_compute_network_peering_routes_config" "psa_routes" { - for_each = var.psa_config != null ? { 1 = 1 } : {} + count = var.psa_config != null ? 1 : 0 project = var.project_id - peering = google_service_networking_connection.psa_connection["1"].peering + peering = google_service_networking_connection.psa_connection[0].peering network = local.network.name export_custom_routes = var.psa_config.export_routes import_custom_routes = var.psa_config.import_routes } + +resource "google_service_networking_peered_dns_domain" "name" { + for_each = toset(try(var.psa_config.peered_domains, [])) + project = var.project_id + name = trimsuffix(replace(each.value, ".", "-"), "-") + network = local.network.name + dns_suffix = each.value + service = "servicenetworking.googleapis.com" + depends_on = [google_service_networking_connection.psa_connection] +} diff --git a/modules/net-vpc/variables.tf b/modules/net-vpc/variables.tf index 5c4cc692d..f463470d1 100644 --- a/modules/net-vpc/variables.tf +++ b/modules/net-vpc/variables.tf 
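Review bot: The `name` of the new `google_service_networking_peered_dns_domain` is built straight from the raw domain with `trimsuffix(replace(each.value, ".", "-"), "-")`, so a suffix with uppercase letters or a leading digit would only be rejected at apply time if the API applies the usual lowercase-letter-first resource-name rules (which I believe it does); wrapping it as `name = lower(trimsuffix(replace(each.value, ".", "-"), "-"))` and noting the expected input in a comment would narrow that. The resource label itself is just `name`, which reads poorly in plans and state (`google_service_networking_peered_dns_domain.name["gcp.example.com."]`, as the test inventory shows); since the resource is new, renaming it now to something like `psa_peered_domains` is free, whereas doing it later needs another `moved` block. The `for_each` uses `try(var.psa_config.peered_domains, [])` only to tolerate a null `psa_config`; `var.psa_config == null ? [] : var.psa_config.peered_domains` states that intent without masking unrelated errors. A short header comment such as `# Peered DNS domains let the service producer side resolve these suffixes via this VPC's Cloud DNS (confirm against provider docs); they require the PSA connection, hence depends_on.` would help readers understand what trust the list grants.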
@@ -116,9 +116,10 @@ variable "project_id" { variable "psa_config" { description = "The Private Service Access configuration for Service Networking." type = object({ - ranges = map(string) - export_routes = optional(bool, false) - import_routes = optional(bool, false) + ranges = map(string) + export_routes = optional(bool, false) + import_routes = optional(bool, false) + peered_domains = optional(list(string), []) }) default = null } diff --git a/tests/modules/net_vpc/examples/psc-routes.yaml b/tests/modules/net_vpc/examples/psa-routes.yaml similarity index 81% rename from tests/modules/net_vpc/examples/psc-routes.yaml rename to tests/modules/net_vpc/examples/psa-routes.yaml index 6f459f4b7..fe2697813 100644 --- a/tests/modules/net_vpc/examples/psc-routes.yaml +++ b/tests/modules/net_vpc/examples/psa-routes.yaml @@ -16,8 +16,6 @@ values: module.vpc.google_compute_global_address.psa_ranges["myrange"]: address: 10.0.1.0 address_type: INTERNAL - description: null - ip_version: null name: myrange prefix_length: 24 project: my-project 
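Review bot: `peered_domains` accepts any list of strings, but psa.tf passes each entry straight into `dns_suffix`, which the provider documents as needing a trailing dot, so a bare `gcp.example.com` is only caught at apply time; a `validation` block on `psa_config` would reject it at plan time (`endswith` needs the same Terraform 1.3 that `optional(..., default)` already requires). The description still reads `The Private Service Access configuration for Service Networking.` and says nothing about the new field; adding a sentence like `peered_domains lists DNS suffixes that will be resolvable from the service producer side through this VPC's Cloud DNS (confirm wording against the provider docs).` gives callers the context to choose entries deliberately. The variable block is fully visible in the hunk, so the validation can be added directly after `default = null`.
```hcl
variable "psa_config" {
  # … unchanged: description, type, default …
  validation {
    condition = alltrue([
      for d in try(var.psa_config.peered_domains, []) : endswith(d, ".")
    ])
    error_message = "Each entry in peered_domains must be a fully qualified domain ending with a trailing dot."
  }
}
```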
@@ -26,18 +24,26 @@ values: name: my-network project: my-project routing_mode: GLOBAL - module.vpc.google_compute_network_peering_routes_config.psa_routes["1"]: + module.vpc.google_compute_network_peering_routes_config.psa_routes[0]: export_custom_routes: true import_custom_routes: true project: my-project module.vpc.google_compute_subnetwork.subnetwork["europe-west1/production"]: ip_cidr_range: 10.0.0.0/24 name: production + private_ip_google_access: true project: my-project - module.vpc.google_service_networking_connection.psa_connection["1"]: + region: europe-west1 + secondary_ip_range: [] + module.vpc.google_service_networking_connection.psa_connection[0]: reserved_peering_ranges: - myrange service: servicenetworking.googleapis.com + module.vpc.google_service_networking_peered_dns_domain.name["gcp.example.com."]: + dns_suffix: gcp.example.com. + name: gcp-example-com + project: my-project + service: servicenetworking.googleapis.com counts: google_compute_global_address: 1 @@ -45,3 +51,4 @@ counts: google_compute_network_peering_routes_config: 1 google_compute_subnetwork: 1 google_service_networking_connection: 1 + google_service_networking_peered_dns_domain: 1 diff --git a/tests/modules/net_vpc/examples/psc.yaml b/tests/modules/net_vpc/examples/psa.yaml similarity index 98% rename from tests/modules/net_vpc/examples/psc.yaml rename to tests/modules/net_vpc/examples/psa.yaml index c08fcb453..695678c47 100644 --- a/tests/modules/net_vpc/examples/psc.yaml +++ b/tests/modules/net_vpc/examples/psa.yaml @@ -23,7 +23,7 @@ values: module.vpc.google_compute_network.network[0]: name: my-network project: my-project - module.vpc.google_compute_network_peering_routes_config.psa_routes["1"]: + module.vpc.google_compute_network_peering_routes_config.psa_routes[0]: export_custom_routes: false import_custom_routes: false project: my-project 
@@ -31,7 +31,7 @@ values: ip_cidr_range: 10.0.0.0/24 name: production project: my-project - module.vpc.google_service_networking_connection.psa_connection["1"]: + module.vpc.google_service_networking_connection.psa_connection[0]: reserved_peering_ranges: - myrange service: servicenetworking.googleapis.com diff --git a/tests/modules/net_vpc/psa_routes_export.yaml b/tests/modules/net_vpc/psa_routes_export.yaml index fd9239e81..a2ca40ea2 100644 --- a/tests/modules/net_vpc/psa_routes_export.yaml +++ b/tests/modules/net_vpc/psa_routes_export.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -30,11 +30,11 @@ values: name: test project: test-project routing_mode: GLOBAL - google_compute_network_peering_routes_config.psa_routes["1"]: + google_compute_network_peering_routes_config.psa_routes[0]: export_custom_routes: true import_custom_routes: false project: test-project - google_service_networking_connection.psa_connection["1"]: + google_service_networking_connection.psa_connection[0]: reserved_peering_ranges: - bar service: servicenetworking.googleapis.com diff --git a/tests/modules/net_vpc/psa_routes_import.yaml b/tests/modules/net_vpc/psa_routes_import.yaml index dc0e5704b..5d7708ae2 100644 --- a/tests/modules/net_vpc/psa_routes_import.yaml +++ b/tests/modules/net_vpc/psa_routes_import.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -30,11 +30,11 @@ values: name: test project: test-project routing_mode: GLOBAL - google_compute_network_peering_routes_config.psa_routes["1"]: + google_compute_network_peering_routes_config.psa_routes[0]: export_custom_routes: false import_custom_routes: true project: test-project - google_service_networking_connection.psa_connection["1"]: + google_service_networking_connection.psa_connection[0]: reserved_peering_ranges: - bar service: servicenetworking.googleapis.com diff --git a/tests/modules/net_vpc/psa_routes_import_export.yaml b/tests/modules/net_vpc/psa_routes_import_export.yaml index 23db6b26b..42b8460d1 100644 --- a/tests/modules/net_vpc/psa_routes_import_export.yaml +++ b/tests/modules/net_vpc/psa_routes_import_export.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -30,11 +30,11 @@ values: name: test project: test-project routing_mode: GLOBAL - google_compute_network_peering_routes_config.psa_routes["1"]: + google_compute_network_peering_routes_config.psa_routes[0]: export_custom_routes: true import_custom_routes: true project: test-project - google_service_networking_connection.psa_connection["1"]: + google_service_networking_connection.psa_connection[0]: reserved_peering_ranges: - bar service: servicenetworking.googleapis.com