fix cloud sql PSA after module upgrade (#2226)

* fix cloud sql PSA after module upgrade
add proxy subnet for ILB
* fix cloud run service accessible from public url in case the service is privately deployed
* add deletion_policy variable in psa_configs for net-vpc module
fix destroy issue with phpIPAM blueprint

blueprints/third-party-solutions/phpipam/README.md

@@ -193,8 +193,8 @@ billable charges made afterwards.
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [prefix](variables.tf#L116) | Prefix used for resource names. | <code>string</code> | ✓ |  |
-| [project_id](variables.tf#L135) | Project id, references existing project if `project_create` is null. | <code>string</code> | ✓ |  |
+| [prefix](variables.tf#L118) | Prefix used for resource names. | <code>string</code> | ✓ |  |
+| [project_id](variables.tf#L137) | Project id, references existing project if `project_create` is null. | <code>string</code> | ✓ |  |
 | [admin_principals](variables.tf#L19) | Users, groups and/or service accounts that are assigned roles, in IAM format (`group:foo@example.com`). | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
 | [cloud_run_invoker](variables.tf#L25) | IAM member authorized to access the end-point (for example, 'user:YOUR_IAM_USER' for only you or 'allUsers' for everyone). | <code>string</code> |  | <code>&#34;allUsers&#34;</code> |
 | [cloudsql_password](variables.tf#L31) | CloudSQL password (will be randomly generated by default). | <code>string</code> |  | <code>null</code> |
@@ -203,14 +203,14 @@ billable charges made afterwards.
 | [custom_domain](variables.tf#L49) | Cloud Run service custom domain for GLB. | <code>string</code> |  | <code>null</code> |
 | [deletion_protection](variables.tf#L55) | Prevent Terraform from destroying data storage resources (storage buckets, GKE clusters, CloudSQL instances) in this blueprint. When this field is set in Terraform state, a terraform destroy or terraform apply that would delete data storage resources will fail. | <code>bool</code> |  | <code>false</code> |
 | [iap](variables.tf#L62) | Identity-Aware Proxy for Cloud Run in the LB. | <code title="object&#40;&#123;&#10;  enabled            &#61; optional&#40;bool, false&#41;&#10;  app_title          &#61; optional&#40;string, &#34;Cloud Run Explore Application&#34;&#41;&#10;  oauth2_client_name &#61; optional&#40;string, &#34;Test Client&#34;&#41;&#10;  email              &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [ip_ranges](variables.tf#L74) | CIDR blocks: VPC serverless connector, Private Service Access(PSA) for CloudSQL, CloudSQL VPC. | <code title="object&#40;&#123;&#10;  connector &#61; string&#10;  psa       &#61; string&#10;  ilb       &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  connector &#61; &#34;10.8.0.0&#47;28&#34;&#10;  psa       &#61; &#34;10.60.0.0&#47;24&#34;&#10;  ilb       &#61; &#34;10.128.0.0&#47;28&#34;&#10;&#125;">&#123;&#8230;&#125;</code> |
-| [phpipam_config](variables.tf#L88) | PHPIpam configuration. | <code title="object&#40;&#123;&#10;  image &#61; optional&#40;string, &#34;phpipam&#47;phpipam-www:latest&#34;&#41;&#10;  port  &#61; optional&#40;number, 80&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  image &#61; &#34;phpipam&#47;phpipam-www:latest&#34;&#10;  port  &#61; 80&#10;&#125;">&#123;&#8230;&#125;</code> |
-| [phpipam_exposure](variables.tf#L100) | Whether to expose the application publicly via GLB or internally via ILB, default GLB. | <code>string</code> |  | <code>&#34;EXTERNAL&#34;</code> |
-| [phpipam_password](variables.tf#L110) | Password for the phpipam user (will be randomly generated by default). | <code>string</code> |  | <code>null</code> |
-| [project_create](variables.tf#L126) | Provide values if project creation is needed, uses existing project if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | <code title="object&#40;&#123;&#10;  billing_account_id &#61; string&#10;  parent             &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [region](variables.tf#L140) | Region for the created resources. | <code>string</code> |  | <code>&#34;europe-west4&#34;</code> |
-| [security_policy](variables.tf#L146) | Security policy (Cloud Armor) to enforce in the LB. | <code title="object&#40;&#123;&#10;  enabled      &#61; optional&#40;bool, false&#41;&#10;  ip_blacklist &#61; optional&#40;list&#40;string&#41;, &#91;&#34;&#42;&#34;&#93;&#41;&#10;  path_blocked &#61; optional&#40;string, &#34;&#47;login.html&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [vpc_config](variables.tf#L156) | VPC Network and subnetwork self links for internal LB setup. | <code title="object&#40;&#123;&#10;  network    &#61; string&#10;  subnetwork &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [ip_ranges](variables.tf#L74) | CIDR blocks: VPC serverless connector, Private Service Access(PSA) for CloudSQL, CloudSQL VPC. | <code title="object&#40;&#123;&#10;  connector &#61; string&#10;  proxy     &#61; string&#10;  psa       &#61; string&#10;  ilb       &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  connector &#61; &#34;10.8.0.0&#47;28&#34;&#10;  proxy     &#61; &#34;10.10.0.0&#47;26&#34;&#10;  psa       &#61; &#34;10.60.0.0&#47;24&#34;&#10;  ilb       &#61; &#34;10.128.0.0&#47;28&#34;&#10;&#125;">&#123;&#8230;&#125;</code> |
+| [phpipam_config](variables.tf#L90) | PHPIpam configuration. | <code title="object&#40;&#123;&#10;  image &#61; optional&#40;string, &#34;phpipam&#47;phpipam-www:latest&#34;&#41;&#10;  port  &#61; optional&#40;number, 80&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  image &#61; &#34;phpipam&#47;phpipam-www:latest&#34;&#10;  port  &#61; 80&#10;&#125;">&#123;&#8230;&#125;</code> |
+| [phpipam_exposure](variables.tf#L102) | Whether to expose the application publicly via GLB or internally via ILB, default GLB. | <code>string</code> |  | <code>&#34;EXTERNAL&#34;</code> |
+| [phpipam_password](variables.tf#L112) | Password for the phpipam user (will be randomly generated by default). | <code>string</code> |  | <code>null</code> |
+| [project_create](variables.tf#L128) | Provide values if project creation is needed, uses existing project if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | <code title="object&#40;&#123;&#10;  billing_account_id &#61; string&#10;  parent             &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [region](variables.tf#L142) | Region for the created resources. | <code>string</code> |  | <code>&#34;europe-west4&#34;</code> |
+| [security_policy](variables.tf#L148) | Security policy (Cloud Armor) to enforce in the LB. | <code title="object&#40;&#123;&#10;  enabled      &#61; optional&#40;bool, false&#41;&#10;  ip_blacklist &#61; optional&#40;list&#40;string&#41;, &#91;&#34;&#42;&#34;&#93;&#41;&#10;  path_blocked &#61; optional&#40;string, &#34;&#47;login.html&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [vpc_config](variables.tf#L158) | VPC Network and subnetwork self links for internal LB setup. | <code title="object&#40;&#123;&#10;  network    &#61; string&#10;  subnetwork &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 
 ## Outputs
 
@@ -236,5 +236,5 @@ module "test" {
   }
   project_id = "test-prj"
 }
-# tftest modules=8 resources=46
+# tftest modules=8 resources=47
 ```

blueprints/third-party-solutions/phpipam/cloudsql.tf

@@ -25,9 +25,9 @@ module "cloudsql" {
   databases                     = [local.cloudsql_conf.db]
   network_config = {
     connectivity = {
-      psa_configs = [{
+      psa_config = {
         private_network = local.network
-      }]
+      }
     }
   }
   prefix = var.prefix

blueprints/third-party-solutions/phpipam/main.tf

@@ -76,6 +76,7 @@ module "vpc" {
   project_id = module.project.project_id
   name       = "${var.prefix}-sql-vpc"
   psa_configs = [{
+    deletion_policy = "ABANDON"
     ranges = {
       cloud-sql = var.ip_ranges.psa
     }
@@ -87,6 +88,14 @@ module "vpc" {
       region        = var.region
     }
   ]
+  subnets_proxy_only = [
+    {
+      ip_cidr_range = var.ip_ranges.proxy
+      name          = "regional-proxy"
+      region        = var.region
+      active        = true
+    }
+  ]
 }
 
 resource "random_password" "phpipam_password" {
@@ -99,7 +108,7 @@ module "cloud_run" {
   project_id       = module.project.project_id
   name             = "${var.prefix}-cr-phpipam"
   prefix           = var.prefix
-  ingress_settings = "all"
+  ingress_settings = "internal-and-cloud-load-balancing"
   region           = var.region
 
   containers = {

blueprints/third-party-solutions/phpipam/variables.tf

@@ -75,11 +75,13 @@ variable "ip_ranges" {
   description = "CIDR blocks: VPC serverless connector, Private Service Access(PSA) for CloudSQL, CloudSQL VPC."
   type = object({
     connector = string
+    proxy     = string
     psa       = string
     ilb       = string
   })
   default = {
     connector = "10.8.0.0/28"
+    proxy     = "10.10.0.0/26"
     psa       = "10.60.0.0/24"
     ilb       = "10.128.0.0/28"
   }