fix cloud sql PSA after module upgrade (#2226)
* fix cloud sql PSA after module upgrade; add proxy subnet for ILB * fix cloud run service accessible from public url in case the service is privately deployed * add deletion_policy variable in psa_configs for net-vpc module; fix destroy issue with phpIPAM blueprint
committed by
GitHub
parent
024d3255e6
commit
b6771ae7ad
@@ -193,8 +193,8 @@ billable charges made afterwards.
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [prefix](variables.tf#L116) | Prefix used for resource names. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L135) | Project id, references existing project if `project_create` is null. | <code>string</code> | ✓ | |
|
||||
| [prefix](variables.tf#L118) | Prefix used for resource names. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L137) | Project id, references existing project if `project_create` is null. | <code>string</code> | ✓ | |
|
||||
| [admin_principals](variables.tf#L19) | Users, groups and/or service accounts that are assigned roles, in IAM format (`group:foo@example.com`). | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [cloud_run_invoker](variables.tf#L25) | IAM member authorized to access the end-point (for example, 'user:YOUR_IAM_USER' for only you or 'allUsers' for everyone). | <code>string</code> | | <code>"allUsers"</code> |
|
||||
| [cloudsql_password](variables.tf#L31) | CloudSQL password (will be randomly generated by default). | <code>string</code> | | <code>null</code> |
|
||||
@@ -203,14 +203,14 @@ billable charges made afterwards.
|
||||
| [custom_domain](variables.tf#L49) | Cloud Run service custom domain for GLB. | <code>string</code> | | <code>null</code> |
|
||||
| [deletion_protection](variables.tf#L55) | Prevent Terraform from destroying data storage resources (storage buckets, GKE clusters, CloudSQL instances) in this blueprint. When this field is set in Terraform state, a terraform destroy or terraform apply that would delete data storage resources will fail. | <code>bool</code> | | <code>false</code> |
|
||||
| [iap](variables.tf#L62) | Identity-Aware Proxy for Cloud Run in the LB. | <code title="object({ enabled = optional(bool, false) app_title = optional(string, "Cloud Run Explore Application") oauth2_client_name = optional(string, "Test Client") email = optional(string) })">object({…})</code> | | <code>{}</code> |
|
||||
| [ip_ranges](variables.tf#L74) | CIDR blocks: VPC serverless connector, Private Service Access(PSA) for CloudSQL, CloudSQL VPC. | <code title="object({ connector = string psa = string ilb = string })">object({…})</code> | | <code title="{ connector = "10.8.0.0/28" psa = "10.60.0.0/24" ilb = "10.128.0.0/28" }">{…}</code> |
|
||||
| [phpipam_config](variables.tf#L88) | PHPIpam configuration. | <code title="object({ image = optional(string, "phpipam/phpipam-www:latest") port = optional(number, 80) })">object({…})</code> | | <code title="{ image = "phpipam/phpipam-www:latest" port = 80 }">{…}</code> |
|
||||
| [phpipam_exposure](variables.tf#L100) | Whether to expose the application publicly via GLB or internally via ILB, default GLB. | <code>string</code> | | <code>"EXTERNAL"</code> |
|
||||
| [phpipam_password](variables.tf#L110) | Password for the phpipam user (will be randomly generated by default). | <code>string</code> | | <code>null</code> |
|
||||
| [project_create](variables.tf#L126) | Provide values if project creation is needed, uses existing project if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | <code title="object({ billing_account_id = string parent = string })">object({…})</code> | | <code>null</code> |
|
||||
| [region](variables.tf#L140) | Region for the created resources. | <code>string</code> | | <code>"europe-west4"</code> |
|
||||
| [security_policy](variables.tf#L146) | Security policy (Cloud Armor) to enforce in the LB. | <code title="object({ enabled = optional(bool, false) ip_blacklist = optional(list(string), ["*"]) path_blocked = optional(string, "/login.html") })">object({…})</code> | | <code>{}</code> |
|
||||
| [vpc_config](variables.tf#L156) | VPC Network and subnetwork self links for internal LB setup. | <code title="object({ network = string subnetwork = string })">object({…})</code> | | <code>null</code> |
|
||||
| [ip_ranges](variables.tf#L74) | CIDR blocks: VPC serverless connector, Private Service Access(PSA) for CloudSQL, CloudSQL VPC. | <code title="object({ connector = string proxy = string psa = string ilb = string })">object({…})</code> | | <code title="{ connector = "10.8.0.0/28" proxy = "10.10.0.0/26" psa = "10.60.0.0/24" ilb = "10.128.0.0/28" }">{…}</code> |
|
||||
| [phpipam_config](variables.tf#L90) | PHPIpam configuration. | <code title="object({ image = optional(string, "phpipam/phpipam-www:latest") port = optional(number, 80) })">object({…})</code> | | <code title="{ image = "phpipam/phpipam-www:latest" port = 80 }">{…}</code> |
|
||||
| [phpipam_exposure](variables.tf#L102) | Whether to expose the application publicly via GLB or internally via ILB, default GLB. | <code>string</code> | | <code>"EXTERNAL"</code> |
|
||||
| [phpipam_password](variables.tf#L112) | Password for the phpipam user (will be randomly generated by default). | <code>string</code> | | <code>null</code> |
|
||||
| [project_create](variables.tf#L128) | Provide values if project creation is needed, uses existing project if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | <code title="object({ billing_account_id = string parent = string })">object({…})</code> | | <code>null</code> |
|
||||
| [region](variables.tf#L142) | Region for the created resources. | <code>string</code> | | <code>"europe-west4"</code> |
|
||||
| [security_policy](variables.tf#L148) | Security policy (Cloud Armor) to enforce in the LB. | <code title="object({ enabled = optional(bool, false) ip_blacklist = optional(list(string), ["*"]) path_blocked = optional(string, "/login.html") })">object({…})</code> | | <code>{}</code> |
|
||||
| [vpc_config](variables.tf#L158) | VPC Network and subnetwork self links for internal LB setup. | <code title="object({ network = string subnetwork = string })">object({…})</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
@@ -236,5 +236,5 @@ module "test" {
|
||||
}
|
||||
project_id = "test-prj"
|
||||
}
|
||||
# tftest modules=8 resources=46
|
||||
# tftest modules=8 resources=47
|
||||
```
|
||||
|
||||
@@ -25,9 +25,9 @@ module "cloudsql" {
|
||||
databases = [local.cloudsql_conf.db]
|
||||
network_config = {
|
||||
connectivity = {
|
||||
psa_configs = [{
|
||||
psa_config = {
|
||||
private_network = local.network
|
||||
}]
|
||||
}
|
||||
}
|
||||
}
|
||||
prefix = var.prefix
|
||||
|
||||
@@ -76,6 +76,7 @@ module "vpc" {
|
||||
project_id = module.project.project_id
|
||||
name = "${var.prefix}-sql-vpc"
|
||||
psa_configs = [{
|
||||
deletion_policy = "ABANDON"
|
||||
ranges = {
|
||||
cloud-sql = var.ip_ranges.psa
|
||||
}
|
||||
@@ -87,6 +88,14 @@ module "vpc" {
|
||||
region = var.region
|
||||
}
|
||||
]
|
||||
subnets_proxy_only = [
|
||||
{
|
||||
ip_cidr_range = var.ip_ranges.proxy
|
||||
name = "regional-proxy"
|
||||
region = var.region
|
||||
active = true
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
resource "random_password" "phpipam_password" {
|
||||
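Review bot: `active = true` on the new `regional-proxy` subnet restates the module default — the net-vpc README updated in this same commit documents `active = optional(bool, true)` — so the line can be dropped, or kept with a comment saying why it is pinned. The same README notes that only one proxy-only subnet per VPC and region can be active, so a reader of the blueprint would benefit from `# regional proxy-only subnet required by the internal HTTPS LB; one active proxy-only subnet per VPC/region` above the list. The enclosing `module "vpc"` block starts outside the hunk.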
@@ -99,7 +108,7 @@ module "cloud_run" {
|
||||
project_id = module.project.project_id
|
||||
name = "${var.prefix}-cr-phpipam"
|
||||
prefix = var.prefix
|
||||
ingress_settings = "all"
|
||||
ingress_settings = "internal-and-cloud-load-balancing"
|
||||
region = var.region
|
||||
|
||||
containers = {
|
||||
|
||||
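Review bot: The switch to `ingress_settings = "internal-and-cloud-load-balancing"` is the security fix of this commit, but nothing in the code says so, and it is a network-level control only: the `cloud_run_invoker` variable listed in the README hunk still defaults to `allUsers`, so requests that do arrive through the LB remain unauthenticated unless IAP or the invoker member is changed. Add `# block direct *.run.app access; the service is reachable only through the LB or from the VPC (IAM via cloud_run_invoker still applies)` above the line so the two controls are understood as complementary. The `module "cloud_run"` block starts before the hunk and continues after it.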
@@ -75,11 +75,13 @@ variable "ip_ranges" {
|
||||
description = "CIDR blocks: VPC serverless connector, Private Service Access(PSA) for CloudSQL, CloudSQL VPC."
|
||||
type = object({
|
||||
connector = string
|
||||
proxy = string
|
||||
psa = string
|
||||
ilb = string
|
||||
})
|
||||
default = {
|
||||
connector = "10.8.0.0/28"
|
||||
proxy = "10.10.0.0/26"
|
||||
psa = "10.60.0.0/24"
|
||||
ilb = "10.128.0.0/28"
|
||||
}
|
||||
|
||||
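Review bot: The `ip_ranges` type and default gain a `proxy` range but the `description` on the first line of the hunk still lists only the connector, PSA and CloudSQL VPC blocks, so the generated README row will not tell users what `proxy` is for. Change it to `description = "CIDR blocks: VPC serverless connector, regional proxy-only subnet for the ILB, Private Service Access(PSA) for CloudSQL, CloudSQL VPC."`. The `variable "ip_ranges"` block opens before the hunk.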
@@ -656,15 +656,15 @@ module "vpc" {
|
||||
| [network_attachments](variables.tf#L100) | PSC network attachments, names as keys. | <code title="map(object({ subnet = string automatic_connection = optional(bool, false) description = optional(string, "Terraform-managed.") producer_accept_lists = optional(list(string)) producer_reject_lists = optional(list(string)) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [peering_config](variables.tf#L113) | VPC peering configuration. | <code title="object({ peer_vpc_self_link = string create_remote_peer = optional(bool, true) export_routes = optional(bool) import_routes = optional(bool) })">object({…})</code> | | <code>null</code> |
|
||||
| [policy_based_routes](variables.tf#L124) | Policy based routes, keyed by name. | <code title="map(object({ description = optional(string, "Terraform-managed.") labels = optional(map(string)) priority = optional(number) next_hop_ilb_ip = optional(string) use_default_routing = optional(bool, false) filter = optional(object({ ip_protocol = optional(string) dest_range = optional(string) src_range = optional(string) }), {}) target = optional(object({ interconnect_attachment = optional(string) tags = optional(list(string)) }), {}) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [psa_configs](variables.tf#L177) | The Private Service Access configuration. | <code title="list(object({ ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) service_producer = optional(string, "servicenetworking.googleapis.com") }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [routes](variables.tf#L198) | Network routes, keyed by name. | <code title="map(object({ description = optional(string, "Terraform-managed.") dest_range = string next_hop_type = string # gateway, instance, ip, vpn_tunnel, ilb next_hop = string priority = optional(number) tags = optional(list(string)) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [routing_mode](variables.tf#L219) | The network routing mode (default 'GLOBAL'). | <code>string</code> | | <code>"GLOBAL"</code> |
|
||||
| [shared_vpc_host](variables.tf#L229) | Enable shared VPC for this project. | <code>bool</code> | | <code>false</code> |
|
||||
| [shared_vpc_service_projects](variables.tf#L235) | Shared VPC service projects to register with this host. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [subnets](variables.tf#L241) | Subnet configuration. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) enable_private_access = optional(bool, true) flow_logs_config = optional(object({ aggregation_interval = optional(string) filter_expression = optional(string) flow_sampling = optional(number) metadata = optional(string) metadata_fields = optional(list(string)) })) ipv6 = optional(object({ access_type = optional(string, "INTERNAL") })) secondary_ip_ranges = optional(map(string)) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ role = string members = list(string) condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [subnets_proxy_only](variables.tf#L288) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) active = optional(bool, true) global = optional(bool, false) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ role = string members = list(string) condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [subnets_psc](variables.tf#L322) | List of subnets for Private Service Connect service producers. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ role = string members = list(string) condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [vpc_create](variables.tf#L354) | Create VPC. When set to false, uses a data source to reference existing VPC. | <code>bool</code> | | <code>true</code> |
|
||||
| [psa_configs](variables.tf#L177) | The Private Service Access configuration. | <code title="list(object({ deletion_policy = optional(string, null) ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) service_producer = optional(string, "servicenetworking.googleapis.com") }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [routes](variables.tf#L207) | Network routes, keyed by name. | <code title="map(object({ description = optional(string, "Terraform-managed.") dest_range = string next_hop_type = string # gateway, instance, ip, vpn_tunnel, ilb next_hop = string priority = optional(number) tags = optional(list(string)) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [routing_mode](variables.tf#L228) | The network routing mode (default 'GLOBAL'). | <code>string</code> | | <code>"GLOBAL"</code> |
|
||||
| [shared_vpc_host](variables.tf#L238) | Enable shared VPC for this project. | <code>bool</code> | | <code>false</code> |
|
||||
| [shared_vpc_service_projects](variables.tf#L244) | Shared VPC service projects to register with this host. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [subnets](variables.tf#L250) | Subnet configuration. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) enable_private_access = optional(bool, true) flow_logs_config = optional(object({ aggregation_interval = optional(string) filter_expression = optional(string) flow_sampling = optional(number) metadata = optional(string) metadata_fields = optional(list(string)) })) ipv6 = optional(object({ access_type = optional(string, "INTERNAL") })) secondary_ip_ranges = optional(map(string)) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ role = string members = list(string) condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [subnets_proxy_only](variables.tf#L297) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) active = optional(bool, true) global = optional(bool, false) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ role = string members = list(string) condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [subnets_psc](variables.tf#L331) | List of subnets for Private Service Connect service producers. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ role = string members = list(string) condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [vpc_create](variables.tf#L363) | Create VPC. When set to false, uses a data source to reference existing VPC. | <code>bool</code> | | <code>true</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
||||
@@ -66,6 +66,7 @@ resource "google_service_networking_connection" "psa_connection" {
|
||||
for k, v in google_compute_global_address.psa_ranges :
|
||||
v.name if startswith(k, each.value.key)
|
||||
]
|
||||
deletion_policy = each.value.deletion_policy
|
||||
}
|
||||
|
||||
resource "google_compute_network_peering_routes_config" "psa_routes" {
|
||||
|
||||
@@ -177,6 +177,7 @@ variable "project_id" {
|
||||
variable "psa_configs" {
|
||||
description = "The Private Service Access configuration."
|
||||
type = list(object({
|
||||
deletion_policy = optional(string, null)
|
||||
ranges = map(string)
|
||||
export_routes = optional(bool, false)
|
||||
import_routes = optional(bool, false)
|
||||
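Review bot: The new `deletion_policy = optional(string, null)` attribute is undocumented at the point where it is declared: the variable description is still just "The Private Service Access configuration.", and the only hint of its effect is the validation in the next hunk, whose message "Deletion policy supports only ABANDON." says what is rejected but not what ABANDON does. Since the psa.tf hunk passes it straight to `google_service_networking_connection.psa_connection`, annotate the attribute with `deletion_policy = optional(string, null) # ABANDON keeps the service networking connection on destroy`, and consider widening the error message to `"Deletion policy supports only ABANDON (or null to destroy the connection)."` in the following hunk. The `variable "psa_configs"` block continues past this hunk.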
@@ -193,6 +194,14 @@ variable "psa_configs" {
|
||||
)
|
||||
error_message = "At most one configuration is possible for each service producer."
|
||||
}
|
||||
validation {
|
||||
condition = alltrue([
|
||||
for v in var.psa_configs : (
|
||||
v.deletion_policy == null || v.deletion_policy == "ABANDON"
|
||||
)
|
||||
])
|
||||
error_message = "Deletion policy supports only ABANDON."
|
||||
}
|
||||
}
|
||||
|
||||
variable "routes" {
|
||||
|
||||