Add PSA peered domains support to net-vpc (#1741)
* Add PSA peered domains support to `net-vpc` * Fix tests
This commit is contained in:
Julio Castillo
@@ -12,7 +12,7 @@ This module allows creation and management of VPC networks including subnetworks
|
||||
- [Peering](#peering)
|
||||
- [Shared VPC](#shared-vpc)
|
||||
- [Private Service Networking](#private-service-networking)
|
||||
- [Private Service Networking with peering routes](#private-service-networking-with-peering-routes)
|
||||
- [Private Service Networking with peering routes and peered Cloud DNS domains](#private-service-networking-with-peering-routes-and-peered-cloud-dns-domains)
|
||||
- [Subnets for Private Service Connect, Proxy-only subnets](#subnets-for-private-service-connect-proxy-only-subnets)
|
||||
- [DNS Policies](#dns-policies)
|
||||
- [Subnet Factory](#subnet-factory)
|
||||
@@ -247,10 +247,10 @@ module "vpc" {
|
||||
ranges = { myrange = "10.0.1.0/24" }
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=7 inventory=psc.yaml
|
||||
# tftest modules=1 resources=7 inventory=psa.yaml
|
||||
```
|
||||
|
||||
### Private Service Networking with peering routes
|
||||
### Private Service Networking with peering routes and peered Cloud DNS domains
|
||||
|
||||
Custom routes can be optionally exported/imported through the peering formed with the Google managed PSA VPC.
|
||||
|
||||
@@ -267,12 +267,13 @@ module "vpc" {
|
||||
}
|
||||
]
|
||||
psa_config = {
|
||||
ranges = { myrange = "10.0.1.0/24" }
|
||||
export_routes = true
|
||||
import_routes = true
|
||||
ranges = { myrange = "10.0.1.0/24" }
|
||||
export_routes = true
|
||||
import_routes = true
|
||||
peered_domains = ["gcp.example.com."]
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=7 inventory=psc-routes.yaml
|
||||
# tftest modules=1 resources=8 inventory=psa-routes.yaml
|
||||
```
|
||||
|
||||
### Subnets for Private Service Connect, Proxy-only subnets
|
||||
@@ -549,15 +550,15 @@ module "vpc" {
|
||||
| [ipv6_config](variables.tf#L79) | Optional IPv6 configuration for this network. | <code title="object({ enable_ula_internal = optional(bool) internal_range = optional(string) })">object({…})</code> | | <code>{}</code> |
|
||||
| [mtu](variables.tf#L89) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 (the default) and the maximum value is 1500 bytes. | <code>number</code> | | <code>null</code> |
|
||||
| [peering_config](variables.tf#L100) | VPC peering configuration. | <code title="object({ peer_vpc_self_link = string create_remote_peer = optional(bool, true) export_routes = optional(bool) import_routes = optional(bool) })">object({…})</code> | | <code>null</code> |
|
||||
| [psa_config](variables.tf#L116) | The Private Service Access configuration for Service Networking. | <code title="object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) })">object({…})</code> | | <code>null</code> |
|
||||
| [routes](variables.tf#L126) | Network routes, keyed by name. | <code title="map(object({ description = optional(string, "Terraform-managed.") dest_range = string next_hop_type = string # gateway, instance, ip, vpn_tunnel, ilb next_hop = string priority = optional(number) tags = optional(list(string)) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [routing_mode](variables.tf#L147) | The network routing mode (default 'GLOBAL'). | <code>string</code> | | <code>"GLOBAL"</code> |
|
||||
| [shared_vpc_host](variables.tf#L157) | Enable shared VPC for this project. | <code>bool</code> | | <code>false</code> |
|
||||
| [shared_vpc_service_projects](variables.tf#L163) | Shared VPC service projects to register with this host. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [subnets](variables.tf#L169) | Subnet configuration. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) enable_private_access = optional(bool, true) flow_logs_config = optional(object({ aggregation_interval = optional(string) filter_expression = optional(string) flow_sampling = optional(number) metadata = optional(string) metadata_fields = optional(list(string)) })) ipv6 = optional(object({ access_type = optional(string, "INTERNAL") })) secondary_ip_ranges = optional(map(string)) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ role = string members = list(string) condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [subnets_proxy_only](variables.tf#L216) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) active = optional(bool, true) global = optional(bool, false) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ role = string members = list(string) condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [subnets_psc](variables.tf#L250) | List of subnets for Private Service Connect service producers. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ role = string members = list(string) condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [vpc_create](variables.tf#L282) | Create VPC. When set to false, uses a data source to reference existing VPC. | <code>bool</code> | | <code>true</code> |
|
||||
| [psa_config](variables.tf#L116) | The Private Service Access configuration for Service Networking. | <code title="object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) })">object({…})</code> | | <code>null</code> |
|
||||
| [routes](variables.tf#L127) | Network routes, keyed by name. | <code title="map(object({ description = optional(string, "Terraform-managed.") dest_range = string next_hop_type = string # gateway, instance, ip, vpn_tunnel, ilb next_hop = string priority = optional(number) tags = optional(list(string)) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [routing_mode](variables.tf#L148) | The network routing mode (default 'GLOBAL'). | <code>string</code> | | <code>"GLOBAL"</code> |
|
||||
| [shared_vpc_host](variables.tf#L158) | Enable shared VPC for this project. | <code>bool</code> | | <code>false</code> |
|
||||
| [shared_vpc_service_projects](variables.tf#L164) | Shared VPC service projects to register with this host. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [subnets](variables.tf#L170) | Subnet configuration. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) enable_private_access = optional(bool, true) flow_logs_config = optional(object({ aggregation_interval = optional(string) filter_expression = optional(string) flow_sampling = optional(number) metadata = optional(string) metadata_fields = optional(list(string)) })) ipv6 = optional(object({ access_type = optional(string, "INTERNAL") })) secondary_ip_ranges = optional(map(string)) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ role = string members = list(string) condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [subnets_proxy_only](variables.tf#L217) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) active = optional(bool, true) global = optional(bool, false) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ role = string members = list(string) condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [subnets_psc](variables.tf#L251) | List of subnets for Private Service Connect service producers. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ role = string members = list(string) condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [vpc_create](variables.tf#L283) | Create VPC. When set to false, uses a data source to reference existing VPC. | <code>bool</code> | | <code>true</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
* Copyright 2023 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -31,20 +31,40 @@ resource "google_compute_global_address" "psa_ranges" {
|
||||
network = local.network.id
|
||||
}
|
||||
|
||||
moved {
|
||||
from = google_service_networking_connection.psa_connection["1"]
|
||||
to = google_service_networking_connection.psa_connection[0]
|
||||
}
|
||||
|
||||
resource "google_service_networking_connection" "psa_connection" {
|
||||
for_each = var.psa_config != null ? { 1 = 1 } : {}
|
||||
network = local.network.id
|
||||
service = "servicenetworking.googleapis.com"
|
||||
count = var.psa_config != null ? 1 : 0
|
||||
network = local.network.id
|
||||
service = "servicenetworking.googleapis.com"
|
||||
reserved_peering_ranges = [
|
||||
for k, v in google_compute_global_address.psa_ranges : v.name
|
||||
]
|
||||
}
|
||||
|
||||
moved {
|
||||
from = google_compute_network_peering_routes_config.psa_routes["1"]
|
||||
to = google_compute_network_peering_routes_config.psa_routes[0]
|
||||
}
|
||||
|
||||
resource "google_compute_network_peering_routes_config" "psa_routes" {
|
||||
for_each = var.psa_config != null ? { 1 = 1 } : {}
|
||||
count = var.psa_config != null ? 1 : 0
|
||||
project = var.project_id
|
||||
peering = google_service_networking_connection.psa_connection["1"].peering
|
||||
peering = google_service_networking_connection.psa_connection[0].peering
|
||||
network = local.network.name
|
||||
export_custom_routes = var.psa_config.export_routes
|
||||
import_custom_routes = var.psa_config.import_routes
|
||||
}
|
||||
|
||||
resource "google_service_networking_peered_dns_domain" "name" {
|
||||
for_each = toset(try(var.psa_config.peered_domains, []))
|
||||
project = var.project_id
|
||||
name = trimsuffix(replace(each.value, ".", "-"), "-")
|
||||
network = local.network.name
|
||||
dns_suffix = each.value
|
||||
service = "servicenetworking.googleapis.com"
|
||||
depends_on = [google_service_networking_connection.psa_connection]
|
||||
}
|
||||
|
||||
@@ -116,9 +116,10 @@ variable "project_id" {
|
||||
variable "psa_config" {
|
||||
description = "The Private Service Access configuration for Service Networking."
|
||||
type = object({
|
||||
ranges = map(string)
|
||||
export_routes = optional(bool, false)
|
||||
import_routes = optional(bool, false)
|
||||
ranges = map(string)
|
||||
export_routes = optional(bool, false)
|
||||
import_routes = optional(bool, false)
|
||||
peered_domains = optional(list(string), [])
|
||||
})
|
||||
default = null
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user