Apigee x foundations certificate manager (#2585)

* Added forward_proxy_uri to apigee environments in apigee-x-foundations blueprint

* Updated the blueprint to create the certificate-manager resources required for the cross-region LB via the module, added more outputs, and added the ability to pass IP addresses for the LB forwarding rules

---------

Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
This commit is contained in:
apichick
2024-09-24 08:49:35 +02:00
committed by GitHub
parent 7cf83842a7
commit bb9a085b10
5 changed files with 109 additions and 35 deletions


@@ -206,12 +206,19 @@ module "apigee-x-foundations" {
}
}
int_cross_region_lb_config = {
certificate_manager_certificates = [
"projects/myprj/locations/global/certificates/certificate"
]
certificate_manager_config = {
certificates = {
my-certificate-1 = {
self_managed = {
pem_certificate = "PEM-Encoded certificate string"
pem_private_key = "PEM-Encoded private key string"
}
}
}
}
}
}
# tftest modules=7 resources=58
# tftest modules=8 resources=62
```
### Apigee X in service project with peering disabled and exposed using Global LB
@@ -460,7 +467,7 @@ module "apigee-x-foundations" {
| [kms.tf](./kms.tf) | None | <code>kms</code> | <code>random_id</code> |
| [main.tf](./main.tf) | Module-level locals and resources. | <code>net-vpc</code> · <code>project</code> | |
| [monitoring.tf](./monitoring.tf) | None | <code>cloud-function-v2</code> | |
| [northbound.tf](./northbound.tf) | None | <code>net-lb-app-ext</code> · <code>net-lb-app-int</code> · <code>net-lb-app-int-cross-region</code> | <code>google_compute_region_network_endpoint_group</code> · <code>google_compute_security_policy</code> |
| [northbound.tf](./northbound.tf) | None | <code>certificate-manager</code> · <code>net-lb-app-ext</code> · <code>net-lb-app-int</code> · <code>net-lb-app-int-cross-region</code> | <code>google_compute_region_network_endpoint_group</code> · <code>google_compute_security_policy</code> |
| [outputs.tf](./outputs.tf) | Module outputs. | | |
| [variables.tf](./variables.tf) | Module variables. | | |
@@ -469,21 +476,25 @@ module "apigee-x-foundations" {
| name | description | type | required | default | producer |
|---|---|:---:|:---:|:---:|:---:|
| [apigee_config](variables.tf#L17) | Apigee configuration. | <code title="object&#40;&#123;&#10; addons_config &#61; optional&#40;object&#40;&#123;&#10; advanced_api_ops &#61; optional&#40;bool, false&#41;&#10; api_security &#61; optional&#40;bool, false&#41;&#10; connectors_platform &#61; optional&#40;bool, false&#41;&#10; integration &#61; optional&#40;bool, false&#41;&#10; monetization &#61; optional&#40;bool, false&#41;&#10; &#125;&#41;&#41;&#10; organization &#61; object&#40;&#123;&#10; analytics_region &#61; optional&#40;string&#41;&#10; api_consumer_data_encryption_key_config &#61; optional&#40;object&#40;&#123;&#10; auto_create &#61; optional&#40;bool, false&#41;&#10; id &#61; optional&#40;string&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; api_consumer_data_location &#61; optional&#40;string&#41;&#10; billing_type &#61; optional&#40;string&#41;&#10; control_plane_encryption_key_config &#61; optional&#40;object&#40;&#123;&#10; auto_create &#61; optional&#40;bool, false&#41;&#10; id &#61; optional&#40;string&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; database_encryption_key_config &#61; optional&#40;object&#40;&#123;&#10; auto_create &#61; optional&#40;bool, false&#41;&#10; id &#61; optional&#40;string&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; description &#61; optional&#40;string, &#34;Terraform-managed&#34;&#41;&#10; disable_vpc_peering &#61; optional&#40;bool, false&#41;&#10; display_name &#61; optional&#40;string&#41;&#10; properties &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; retention &#61; optional&#40;string&#41;&#10; &#125;&#41;&#10; envgroups &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; environments &#61; optional&#40;map&#40;object&#40;&#123;&#10; description &#61; optional&#40;string&#41;&#10; display_name &#61; optional&#40;string&#41;&#10; envgroups &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; forward_proxy_uri &#61; optional&#40;string&#41;&#10; iam &#61; 
optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10; role &#61; string&#10; members &#61; list&#40;string&#41;&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10; role &#61; string&#10; member &#61; string&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; node_config &#61; optional&#40;object&#40;&#123;&#10; min_node_count &#61; optional&#40;number&#41;&#10; max_node_count &#61; optional&#40;number&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; type &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; instances &#61; optional&#40;map&#40;object&#40;&#123;&#10; disk_encryption_key_config &#61; optional&#40;object&#40;&#123;&#10; auto_create &#61; optional&#40;bool, false&#41;&#10; id &#61; optional&#40;string&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; environments &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; external &#61; optional&#40;bool, true&#41;&#10; runtime_ip_cidr_range &#61; optional&#40;string&#41;&#10; troubleshooting_ip_cidr_range &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; endpoint_attachments &#61; optional&#40;map&#40;object&#40;&#123;&#10; region &#61; string&#10; service_attachment &#61; string&#10; dns_names &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | | |
| [project_config](variables.tf#L300) | Project configuration. | <code title="object&#40;&#123;&#10; billing_account_id &#61; optional&#40;string&#41;&#10; compute_metadata &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; contacts &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; custom_roles &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; default_service_account &#61; optional&#40;string, &#34;keep&#34;&#41;&#10; deletion_policy &#61; optional&#40;string&#41;&#10; descriptive_name &#61; optional&#40;string&#41;&#10; iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; group_iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10; role &#61; string&#10; members &#61; list&#40;string&#41;&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10; role &#61; string&#10; member &#61; string&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; labels &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; lien_reason &#61; optional&#40;string&#41;&#10; logging_data_access &#61; optional&#40;map&#40;map&#40;list&#40;string&#41;&#41;&#41;, &#123;&#125;&#41;&#10; log_exclusions &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; logging_sinks &#61; optional&#40;map&#40;object&#40;&#123;&#10; bq_partitioned_table &#61; optional&#40;bool&#41;&#10; description &#61; optional&#40;string&#41;&#10; destination &#61; string&#10; disabled &#61; optional&#40;bool, false&#41;&#10; 
exclusions &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; filter &#61; string&#10; iam &#61; optional&#40;bool, true&#41;&#10; type &#61; string&#10; unique_writer &#61; optional&#40;bool, true&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; metric_scopes &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; name &#61; string&#10; org_policies &#61; optional&#40;map&#40;object&#40;&#123;&#10; inherit_from_parent &#61; optional&#40;bool&#41; &#35; for list policies only.&#10; reset &#61; optional&#40;bool&#41;&#10; rules &#61; optional&#40;list&#40;object&#40;&#123;&#10; allow &#61; optional&#40;object&#40;&#123;&#10; all &#61; optional&#40;bool&#41;&#10; values &#61; optional&#40;list&#40;string&#41;&#41;&#10; &#125;&#41;&#41;&#10; deny &#61; optional&#40;object&#40;&#123;&#10; all &#61; optional&#40;bool&#41;&#10; values &#61; optional&#40;list&#40;string&#41;&#41;&#10; &#125;&#41;&#41;&#10; enforce &#61; optional&#40;bool&#41; &#35; for boolean policies only.&#10; condition &#61; optional&#40;object&#40;&#123;&#10; description &#61; optional&#40;string&#41;&#10; expression &#61; optional&#40;string&#41;&#10; location &#61; optional&#40;string&#41;&#10; title &#61; optional&#40;string&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;&#41;, &#91;&#93;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; parent &#61; optional&#40;string&#41;&#10; prefix &#61; optional&#40;string&#41;&#10; project_create &#61; optional&#40;bool, true&#41;&#10; vpc_sc &#61; optional&#40;object&#40;&#123;&#10; perimeter_name &#61; string&#10; perimeter_bridges &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; is_dry_run &#61; optional&#40;bool, false&#41;&#10; &#125;&#41;&#41;&#10; services &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; shared_vpc_host_config &#61; optional&#40;object&#40;&#123;&#10; enabled &#61; bool&#10; service_projects &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; &#125;&#41;&#41;&#10; 
shared_vpc_service_config &#61; optional&#40;object&#40;&#123;&#10; host_project &#61; string&#10; service_agent_iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; service_iam_grants &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; &#125;&#41;&#41;&#10; tag_bindings &#61; optional&#40;map&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | | |
| [project_config](variables.tf#L333) | Project configuration. | <code title="object&#40;&#123;&#10; billing_account_id &#61; optional&#40;string&#41;&#10; compute_metadata &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; contacts &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; custom_roles &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; default_service_account &#61; optional&#40;string, &#34;keep&#34;&#41;&#10; deletion_policy &#61; optional&#40;string&#41;&#10; descriptive_name &#61; optional&#40;string&#41;&#10; iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; group_iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10; role &#61; string&#10; members &#61; list&#40;string&#41;&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10; role &#61; string&#10; member &#61; string&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; labels &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; lien_reason &#61; optional&#40;string&#41;&#10; logging_data_access &#61; optional&#40;map&#40;map&#40;list&#40;string&#41;&#41;&#41;, &#123;&#125;&#41;&#10; log_exclusions &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; logging_sinks &#61; optional&#40;map&#40;object&#40;&#123;&#10; bq_partitioned_table &#61; optional&#40;bool&#41;&#10; description &#61; optional&#40;string&#41;&#10; destination &#61; string&#10; disabled &#61; optional&#40;bool, false&#41;&#10; 
exclusions &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; filter &#61; string&#10; iam &#61; optional&#40;bool, true&#41;&#10; type &#61; string&#10; unique_writer &#61; optional&#40;bool, true&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; metric_scopes &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; name &#61; string&#10; org_policies &#61; optional&#40;map&#40;object&#40;&#123;&#10; inherit_from_parent &#61; optional&#40;bool&#41; &#35; for list policies only.&#10; reset &#61; optional&#40;bool&#41;&#10; rules &#61; optional&#40;list&#40;object&#40;&#123;&#10; allow &#61; optional&#40;object&#40;&#123;&#10; all &#61; optional&#40;bool&#41;&#10; values &#61; optional&#40;list&#40;string&#41;&#41;&#10; &#125;&#41;&#41;&#10; deny &#61; optional&#40;object&#40;&#123;&#10; all &#61; optional&#40;bool&#41;&#10; values &#61; optional&#40;list&#40;string&#41;&#41;&#10; &#125;&#41;&#41;&#10; enforce &#61; optional&#40;bool&#41; &#35; for boolean policies only.&#10; condition &#61; optional&#40;object&#40;&#123;&#10; description &#61; optional&#40;string&#41;&#10; expression &#61; optional&#40;string&#41;&#10; location &#61; optional&#40;string&#41;&#10; title &#61; optional&#40;string&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;&#41;, &#91;&#93;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; parent &#61; optional&#40;string&#41;&#10; prefix &#61; optional&#40;string&#41;&#10; project_create &#61; optional&#40;bool, true&#41;&#10; vpc_sc &#61; optional&#40;object&#40;&#123;&#10; perimeter_name &#61; string&#10; perimeter_bridges &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; is_dry_run &#61; optional&#40;bool, false&#41;&#10; &#125;&#41;&#41;&#10; services &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; shared_vpc_host_config &#61; optional&#40;object&#40;&#123;&#10; enabled &#61; bool&#10; service_projects &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; &#125;&#41;&#41;&#10; 
shared_vpc_service_config &#61; optional&#40;object&#40;&#123;&#10; host_project &#61; string&#10; service_agent_iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; service_iam_grants &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; &#125;&#41;&#41;&#10; tag_bindings &#61; optional&#40;map&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | | |
| [enable_monitoring](variables.tf#L116) | Boolean flag indicating whether an custom metric to monitor instances should be created in Cloud monitoring. | <code>bool</code> | | <code>false</code> | |
| [ext_lb_config](variables.tf#L122) | External application load balancer configuration. | <code title="object&#40;&#123;&#10; log_sample_rate &#61; optional&#40;number&#41;&#10; outlier_detection &#61; optional&#40;object&#40;&#123;&#10; consecutive_errors &#61; optional&#40;number&#41;&#10; consecutive_gateway_failure &#61; optional&#40;number&#41;&#10; enforcing_consecutive_errors &#61; optional&#40;number&#41;&#10; enforcing_consecutive_gateway_failure &#61; optional&#40;number&#41;&#10; enforcing_success_rate &#61; optional&#40;number&#41;&#10; max_ejection_percent &#61; optional&#40;number&#41;&#10; success_rate_minimum_hosts &#61; optional&#40;number&#41;&#10; success_rate_request_volume &#61; optional&#40;number&#41;&#10; success_rate_stdev_factor &#61; optional&#40;number&#41;&#10; base_ejection_time &#61; optional&#40;object&#40;&#123;&#10; seconds &#61; number&#10; nanos &#61; optional&#40;number&#41;&#10; &#125;&#41;&#41;&#10; interval &#61; optional&#40;object&#40;&#123;&#10; seconds &#61; number&#10; nanos &#61; optional&#40;number&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; security_policy &#61; optional&#40;object&#40;&#123;&#10; advanced_options_config &#61; optional&#40;object&#40;&#123;&#10; json_parsing &#61; optional&#40;object&#40;&#123;&#10; enable &#61; optional&#40;bool, false&#41;&#10; content_types &#61; optional&#40;list&#40;string&#41;&#41;&#10; &#125;&#41;&#41;&#10; log_level &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; adaptive_protection_config &#61; optional&#40;object&#40;&#123;&#10; layer_7_ddos_defense_config &#61; optional&#40;object&#40;&#123;&#10; enable &#61; optional&#40;bool, false&#41;&#10; rule_visibility &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; auto_deploy_config &#61; optional&#40;object&#40;&#123;&#10; load_threshold &#61; optional&#40;number&#41;&#10; confidence_threshold &#61; optional&#40;number&#41;&#10; impacted_baseline_threshold &#61; optional&#40;number&#41;&#10; 
expiration_sec &#61; optional&#40;number&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; rate_limit_threshold &#61; optional&#40;object&#40;&#123;&#10; count &#61; number&#10; interval_sec &#61; number&#10; &#125;&#41;&#41;&#10; forbidden_src_ip_ranges &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; forbidden_regions &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; preconfigured_waf_rules &#61; optional&#40;map&#40;object&#40;&#123;&#10; sensitivity &#61; optional&#40;number&#41;&#10; opt_in_rule_ids &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; opt_out_rule_ids &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; &#125;&#41;&#41;&#41;&#10; &#125;&#41;&#41;&#10; ssl_certificates &#61; object&#40;&#123;&#10; certificate_ids &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; create_configs &#61; optional&#40;map&#40;object&#40;&#123;&#10; certificate &#61; string&#10; private_key &#61; string&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; managed_configs &#61; optional&#40;map&#40;object&#40;&#123;&#10; domains &#61; list&#40;string&#41;&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; self_signed_configs &#61; optional&#40;list&#40;string&#41;, null&#41;&#10; &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | |
| [int_cross_region_lb_config](variables.tf#L193) | Internal application load balancer configuration. | <code title="object&#40;&#123;&#10; log_sample_rate &#61; optional&#40;number&#41;&#10; outlier_detection &#61; optional&#40;object&#40;&#123;&#10; consecutive_errors &#61; optional&#40;number&#41;&#10; consecutive_gateway_failure &#61; optional&#40;number&#41;&#10; enforcing_consecutive_errors &#61; optional&#40;number&#41;&#10; enforcing_consecutive_gateway_failure &#61; optional&#40;number&#41;&#10; enforcing_success_rate &#61; optional&#40;number&#41;&#10; max_ejection_percent &#61; optional&#40;number&#41;&#10; success_rate_minimum_hosts &#61; optional&#40;number&#41;&#10; success_rate_request_volume &#61; optional&#40;number&#41;&#10; success_rate_stdev_factor &#61; optional&#40;number&#41;&#10; base_ejection_time &#61; optional&#40;object&#40;&#123;&#10; seconds &#61; number&#10; nanos &#61; optional&#40;number&#41;&#10; &#125;&#41;&#41;&#10; interval &#61; optional&#40;object&#40;&#123;&#10; seconds &#61; number&#10; nanos &#61; optional&#40;number&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; certificate_manager_certificates &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | |
| [int_lb_config](variables.tf#L221) | Internal application load balancer configuration. | <code title="object&#40;&#123;&#10; log_sample_rate &#61; optional&#40;number&#41;&#10; outlier_detection &#61; optional&#40;object&#40;&#123;&#10; consecutive_errors &#61; optional&#40;number&#41;&#10; consecutive_gateway_failure &#61; optional&#40;number&#41;&#10; enforcing_consecutive_errors &#61; optional&#40;number&#41;&#10; enforcing_consecutive_gateway_failure &#61; optional&#40;number&#41;&#10; enforcing_success_rate &#61; optional&#40;number&#41;&#10; max_ejection_percent &#61; optional&#40;number&#41;&#10; success_rate_minimum_hosts &#61; optional&#40;number&#41;&#10; success_rate_request_volume &#61; optional&#40;number&#41;&#10; success_rate_stdev_factor &#61; optional&#40;number&#41;&#10; base_ejection_time &#61; optional&#40;object&#40;&#123;&#10; seconds &#61; number&#10; nanos &#61; optional&#40;number&#41;&#10; &#125;&#41;&#41;&#10; interval &#61; optional&#40;object&#40;&#123;&#10; seconds &#61; number&#10; nanos &#61; optional&#40;number&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; ssl_certificates &#61; object&#40;&#123;&#10; certificate_ids &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; create_configs &#61; optional&#40;map&#40;object&#40;&#123;&#10; certificate &#61; string&#10; private_key &#61; string&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; self_signed_configs &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | |
| [network_config](variables.tf#L257) | Network configuration. | <code title="object&#40;&#123;&#10; shared_vpc &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; subnets &#61; map&#40;string&#41;&#10; subnets_psc &#61; map&#40;string&#41;&#10; &#125;&#41;&#41;&#10; apigee_vpc &#61; optional&#40;object&#40;&#123;&#10; name &#61; optional&#40;string&#41;&#10; auto_create &#61; optional&#40;bool, true&#41;&#10; subnets &#61; optional&#40;map&#40;object&#40;&#123;&#10; id &#61; optional&#40;string&#41;&#10; name &#61; optional&#40;string&#41;&#10; ip_cidr_range &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; subnets_proxy_only &#61; optional&#40;map&#40;object&#40;&#123;&#10; name &#61; optional&#40;string&#41;&#10; ip_cidr_range &#61; string&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; subnets_psc &#61; optional&#40;map&#40;object&#40;&#123;&#10; id &#61; optional&#40;string&#41;&#10; name &#61; optional&#40;string&#41;&#10; ip_cidr_range &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> | |
| [ext_lb_config](variables.tf#L122) | External application load balancer configuration. | <code title="object&#40;&#123;&#10; address &#61; optional&#40;string&#41;&#10; log_sample_rate &#61; optional&#40;number&#41;&#10; outlier_detection &#61; optional&#40;object&#40;&#123;&#10; consecutive_errors &#61; optional&#40;number&#41;&#10; consecutive_gateway_failure &#61; optional&#40;number&#41;&#10; enforcing_consecutive_errors &#61; optional&#40;number&#41;&#10; enforcing_consecutive_gateway_failure &#61; optional&#40;number&#41;&#10; enforcing_success_rate &#61; optional&#40;number&#41;&#10; max_ejection_percent &#61; optional&#40;number&#41;&#10; success_rate_minimum_hosts &#61; optional&#40;number&#41;&#10; success_rate_request_volume &#61; optional&#40;number&#41;&#10; success_rate_stdev_factor &#61; optional&#40;number&#41;&#10; base_ejection_time &#61; optional&#40;object&#40;&#123;&#10; seconds &#61; number&#10; nanos &#61; optional&#40;number&#41;&#10; &#125;&#41;&#41;&#10; interval &#61; optional&#40;object&#40;&#123;&#10; seconds &#61; number&#10; nanos &#61; optional&#40;number&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; security_policy &#61; optional&#40;object&#40;&#123;&#10; advanced_options_config &#61; optional&#40;object&#40;&#123;&#10; json_parsing &#61; optional&#40;object&#40;&#123;&#10; enable &#61; optional&#40;bool, false&#41;&#10; content_types &#61; optional&#40;list&#40;string&#41;&#41;&#10; &#125;&#41;&#41;&#10; log_level &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; adaptive_protection_config &#61; optional&#40;object&#40;&#123;&#10; layer_7_ddos_defense_config &#61; optional&#40;object&#40;&#123;&#10; enable &#61; optional&#40;bool, false&#41;&#10; rule_visibility &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; auto_deploy_config &#61; optional&#40;object&#40;&#123;&#10; load_threshold &#61; optional&#40;number&#41;&#10; confidence_threshold &#61; optional&#40;number&#41;&#10; impacted_baseline_threshold 
&#61; optional&#40;number&#41;&#10; expiration_sec &#61; optional&#40;number&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; rate_limit_threshold &#61; optional&#40;object&#40;&#123;&#10; count &#61; number&#10; interval_sec &#61; number&#10; &#125;&#41;&#41;&#10; forbidden_src_ip_ranges &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; forbidden_regions &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; preconfigured_waf_rules &#61; optional&#40;map&#40;object&#40;&#123;&#10; sensitivity &#61; optional&#40;number&#41;&#10; opt_in_rule_ids &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; opt_out_rule_ids &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; &#125;&#41;&#41;&#41;&#10; &#125;&#41;&#41;&#10; ssl_certificates &#61; object&#40;&#123;&#10; certificate_ids &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; create_configs &#61; optional&#40;map&#40;object&#40;&#123;&#10; certificate &#61; string&#10; private_key &#61; string&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; managed_configs &#61; optional&#40;map&#40;object&#40;&#123;&#10; domains &#61; list&#40;string&#41;&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; self_signed_configs &#61; optional&#40;list&#40;string&#41;, null&#41;&#10; &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | |
| [int_cross_region_lb_config](variables.tf#L194) | Internal application load balancer configuration. | <code title="object&#40;&#123;&#10; addresses &#61; optional&#40;map&#40;string&#41;&#41;&#10; log_sample_rate &#61; optional&#40;number&#41;&#10; outlier_detection &#61; optional&#40;object&#40;&#123;&#10; consecutive_errors &#61; optional&#40;number&#41;&#10; consecutive_gateway_failure &#61; optional&#40;number&#41;&#10; enforcing_consecutive_errors &#61; optional&#40;number&#41;&#10; enforcing_consecutive_gateway_failure &#61; optional&#40;number&#41;&#10; enforcing_success_rate &#61; optional&#40;number&#41;&#10; max_ejection_percent &#61; optional&#40;number&#41;&#10; success_rate_minimum_hosts &#61; optional&#40;number&#41;&#10; success_rate_request_volume &#61; optional&#40;number&#41;&#10; success_rate_stdev_factor &#61; optional&#40;number&#41;&#10; base_ejection_time &#61; optional&#40;object&#40;&#123;&#10; seconds &#61; number&#10; nanos &#61; optional&#40;number&#41;&#10; &#125;&#41;&#41;&#10; interval &#61; optional&#40;object&#40;&#123;&#10; seconds &#61; number&#10; nanos &#61; optional&#40;number&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; certificate_manager_config &#61; object&#40;&#123;&#10; certificates &#61; map&#40;object&#40;&#123;&#10; description &#61; optional&#40;string&#41;&#10; labels &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; location &#61; optional&#40;string&#41;&#10; scope &#61; optional&#40;string&#41;&#10; self_managed &#61; optional&#40;object&#40;&#123;&#10; pem_certificate &#61; string&#10; pem_private_key &#61; string&#10; &#125;&#41;&#41;&#10; managed &#61; optional&#40;object&#40;&#123;&#10; domains &#61; list&#40;string&#41;&#10; dns_authorizations &#61; optional&#40;list&#40;string&#41;&#41;&#10; issuance_config &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; dns_authorizations &#61; optional&#40;map&#40;object&#40;&#123;&#10; domain &#61; string&#10; 
description &#61; optional&#40;string&#41;&#10; location &#61; optional&#40;string&#41;&#10; type &#61; optional&#40;string&#41;&#10; labels &#61; optional&#40;map&#40;string&#41;&#41;&#10; &#125;&#41;&#41;&#41;&#10; issuance_configs &#61; optional&#40;map&#40;object&#40;&#123;&#10; ca_pool &#61; string&#10; description &#61; optional&#40;string&#41;&#10; key_algorithm &#61; string&#10; labels &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; lifetime &#61; string&#10; rotation_window_percentage &#61; number&#10; &#125;&#41;&#41;&#41;&#10; &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | |
| [int_lb_config](variables.tf#L254) | Internal application load balancer configuration. | <code title="object&#40;&#123;&#10; addresses &#61; optional&#40;map&#40;string&#41;&#41;&#10; log_sample_rate &#61; optional&#40;number&#41;&#10; outlier_detection &#61; optional&#40;object&#40;&#123;&#10; consecutive_errors &#61; optional&#40;number&#41;&#10; consecutive_gateway_failure &#61; optional&#40;number&#41;&#10; enforcing_consecutive_errors &#61; optional&#40;number&#41;&#10; enforcing_consecutive_gateway_failure &#61; optional&#40;number&#41;&#10; enforcing_success_rate &#61; optional&#40;number&#41;&#10; max_ejection_percent &#61; optional&#40;number&#41;&#10; success_rate_minimum_hosts &#61; optional&#40;number&#41;&#10; success_rate_request_volume &#61; optional&#40;number&#41;&#10; success_rate_stdev_factor &#61; optional&#40;number&#41;&#10; base_ejection_time &#61; optional&#40;object&#40;&#123;&#10; seconds &#61; number&#10; nanos &#61; optional&#40;number&#41;&#10; &#125;&#41;&#41;&#10; interval &#61; optional&#40;object&#40;&#123;&#10; seconds &#61; number&#10; nanos &#61; optional&#40;number&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; ssl_certificates &#61; object&#40;&#123;&#10; certificate_ids &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; create_configs &#61; optional&#40;map&#40;object&#40;&#123;&#10; certificate &#61; string&#10; private_key &#61; string&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | |
| [network_config](variables.tf#L290) | Network configuration. | <code title="object&#40;&#123;&#10; shared_vpc &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; subnets &#61; map&#40;string&#41;&#10; subnets_psc &#61; map&#40;string&#41;&#10; &#125;&#41;&#41;&#10; apigee_vpc &#61; optional&#40;object&#40;&#123;&#10; name &#61; optional&#40;string&#41;&#10; auto_create &#61; optional&#40;bool, true&#41;&#10; subnets &#61; optional&#40;map&#40;object&#40;&#123;&#10; id &#61; optional&#40;string&#41;&#10; name &#61; optional&#40;string&#41;&#10; ip_cidr_range &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; subnets_proxy_only &#61; optional&#40;map&#40;object&#40;&#123;&#10; name &#61; optional&#40;string&#41;&#10; ip_cidr_range &#61; string&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; subnets_psc &#61; optional&#40;map&#40;object&#40;&#123;&#10; id &#61; optional&#40;string&#41;&#10; name &#61; optional&#40;string&#41;&#10; ip_cidr_range &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> | |
## Outputs
| name | description | sensitive | consumers |
|---|---|:---:|---|
| [endpoint_attachment_hosts](outputs.tf#L17) | Endpoint attachment hosts. | | |
| [ext_lb_ip_address](outputs.tf#L22) | External IP address. | | |
| [instance_service_attachments](outputs.tf#L27) | Instance service attachments. | | |
| [int_cross_region_lb_ip_addresses](outputs.tf#L32) | Internal IP addresses. | | |
| [int_lb_ip_addresses](outputs.tf#L37) | Internal IP addresses. | | |
| [project_id](outputs.tf#L42) | Project. | | |
| [apigee_vpc](outputs.tf#L17) | Apigee VPC. | | |
| [apigee_vpc_id](outputs.tf#L22) | Apigee VPC. | | |
| [apigee_vpc_self_link](outputs.tf#L27) | Apigee VPC. | | |
| [endpoint_attachment_hosts](outputs.tf#L31) | Endpoint attachment hosts. | | |
| [ext_lb_ip_address](outputs.tf#L36) | External IP address. | | |
| [instance_service_attachments](outputs.tf#L41) | Instance service attachments. | | |
| [int_cross_region_lb_ip_addresses](outputs.tf#L46) | Internal IP addresses. | | |
| [int_lb_ip_addresses](outputs.tf#L51) | Internal IP addresses. | | |
| [project](outputs.tf#L56) | Project. | | |
| [project_id](outputs.tf#L61) | Project id. | | |
<!-- END TFDOC -->


@@ -42,13 +42,16 @@ module "project" {
"dns.googleapis.com",
"iam.googleapis.com",
"servicenetworking.googleapis.com",
], var.enable_monitoring ? [
"cloudbuild.googleapis.com",
"cloudfunctions.googleapis.com",
"logging.googleapis.com",
"monitoring.googleapis.com",
"pubsub.googleapis.com",
"run.googleapis.com"
], var.int_cross_region_lb_config == null ?
[] : [
"certificatemanager.googleapis.com"
], var.enable_monitoring ? [
"cloudbuild.googleapis.com",
"cloudfunctions.googleapis.com",
"logging.googleapis.com",
"monitoring.googleapis.com",
"pubsub.googleapis.com",
"run.googleapis.com"
] : []))
shared_vpc_service_config = var.project_config.shared_vpc_service_config
@@ -85,7 +88,7 @@ module "apigee_vpc" {
ip_cidr_range = v.ip_cidr_range
description = "Subnet in ${k} region"
}
if v.ip_cidr_range != null && (var.int_cross_region_lb_config != null || nonsensitive(var.int_lb_config != null))]
if v.ip_cidr_range != null && (nonsensitive(var.int_cross_region_lb_config != null) || nonsensitive(var.int_lb_config != null))]
subnets_proxy_only = [for k, v in var.network_config.apigee_vpc.subnets_proxy_only :
{
name = coalesce(v.name, "subnet-proxy-only-${k}")
@@ -94,7 +97,7 @@ module "apigee_vpc" {
description = "Proxy-only subnet in ${k} region"
global = var.int_cross_region_lb_config != null
}
if v.ip_cidr_range != null && (var.int_cross_region_lb_config != null || nonsensitive(var.int_lb_config != null))]
if v.ip_cidr_range != null && (nonsensitive(var.int_cross_region_lb_config != null) || nonsensitive(var.int_lb_config != null))]
subnets_psc = [for k, v in var.network_config.apigee_vpc.subnets_psc :
{
name = coalesce(v.name, "subnet-psc-${k}")
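Review bot: The new services line tests `var.int_cross_region_lb_config == null` bare, while the two filter expressions in `apigee_vpc` below wrap the very same test in `nonsensitive()`; those two forms cannot both be right. In Terraform versions where `nonsensitive()` rejects a non-sensitive argument, the wrappers imply the variable is sensitive, and then the bare conditional would mark the whole `services` list sensitive, which would break any `for_each` the project module runs over it; if the variable is not sensitive, the wrappers themselves would fail at plan time. Pick one form consistently, e.g. `], nonsensitive(var.int_cross_region_lb_config == null) ? [] : [`, and apply the same treatment to the unchanged `global = var.int_cross_region_lb_config != null` line further down. The `module "project"` block begins before the first hunk.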


@@ -62,6 +62,7 @@ module "ext_lb" {
name = "ext-lb"
project_id = module.project.project_id
protocol = "HTTPS"
address = var.ext_lb_config.address
use_classic_version = false
backend_service_configs = {
default = {
@@ -73,11 +74,6 @@ module "ext_lb" {
log_sample_rate = var.ext_lb_config.log_sample_rate
}
}
health_check_configs = {
default = {
https = { port_specification = "USE_SERVING_PORT" }
}
}
ssl_certificates = var.ext_lb_config.ssl_certificates
}
@@ -88,6 +84,7 @@ module "int_lb" {
project_id = module.project.project_id
region = each.key
protocol = "HTTPS"
address = try(var.int_lb_config.addresses[each.key], null)
backend_service_configs = {
default = {
backends = [{
@@ -105,12 +102,22 @@ module "int_lb" {
}
}
module "certificate_manager" {
count = length(local.int_cross_region_instances) > 0 ? 1 : 0
source = "../../../modules/certificate-manager"
project_id = module.project.project_id
certificates = var.int_cross_region_lb_config.certificate_manager_config.certificates
dns_authorizations = var.int_cross_region_lb_config.certificate_manager_config.dns_authorizations
issuance_configs = var.int_cross_region_lb_config.certificate_manager_config.issuance_configs
}
module "int_cross_region_lb" {
count = length(local.int_cross_region_instances) > 0 ? 1 : 0
source = "../../../modules/net-lb-app-int-cross-region"
name = "int-cross-region-lb"
project_id = module.project.project_id
protocol = "HTTPS"
addresses = var.int_cross_region_lb_config.addresses
backend_service_configs = {
default = {
backends = [for k, v in google_compute_region_network_endpoint_group.psc_negs : {
@@ -122,7 +129,9 @@ module "int_cross_region_lb" {
}
}
https_proxy_config = {
certificate_manager_certificates = var.int_cross_region_lb_config.certificate_manager_certificates
certificate_manager_certificates = (var.int_cross_region_lb_config == null ?
null :
values(module.certificate_manager[0].certificate_ids))
}
vpc_config = {
network = local.network
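Review bot: `module "certificate_manager"` is gated on `length(local.int_cross_region_instances) > 0`, yet its `certificates`, `dns_authorizations` and `issuance_configs` arguments dereference `var.int_cross_region_lb_config` unconditionally, and the new `addresses` line in `int_cross_region_lb` does the same; the `== null ? null :` guard added in `https_proxy_config` suggests the variable can be null while instances exist, and in that case those attribute reads fail before the guard is ever evaluated. Either fold the null test into both `count` expressions, e.g. `count = var.int_cross_region_lb_config != null && length(local.int_cross_region_instances) > 0 ? 1 : 0` (wrapped in `nonsensitive()` if the variable is sensitive, as main.tf does), or, if the local already implies a non-null variable, drop the guard so readers are not led to believe the null case is handled here. main.tf enables `certificatemanager.googleapis.com` based on the variable rather than the local, so aligning the two conditions would also keep the API enabled exactly when this module exists. Both module blocks continue past the end of the hunk.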


@@ -14,6 +14,20 @@
* limitations under the License.
*/
output "apigee_vpc" {
description = "Apigee VPC."
value = var.network_config.apigee_vpc == null ? null : module.apigee_vpc[0]
}
output "apigee_vpc_id" {
description = "Apigee VPC."
value = var.network_config.apigee_vpc == null ? null : module.apigee_vpc[0].id
}
output "apigee_vpc_self_link" {
description = "Apigee VPC."
value = var.network_config.apigee_vpc == null ? null : module.apigee_vpc[0].self_link
}
output "endpoint_attachment_hosts" {
description = "Endpoint attachment hosts."
value = module.apigee.endpoint_attachment_hosts
@@ -39,8 +53,12 @@ output "int_lb_ip_addresses" {
value = var.int_lb_config != null && length(local.int_instances) > 0 ? { for k, v in module.int_lb : k => v.address } : null
}
output "project_id" {
output "project" {
description = "Project."
value = module.project.project_id
value = module.project
}
output "project_id" {
description = "Project id."
value = module.project.project_id
}
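Review bot: The three new `apigee_vpc*` outputs all carry the description `"Apigee VPC."`, which makes them indistinguishable in the generated README table; `description = "Apigee VPC id."` and `description = "Apigee VPC self link."` on the `_id` and `_self_link` outputs would say what each value actually is. The new `project` output exposes the entire `module.project` object rather than named attributes, which is a wide surface for consumers to depend on and will change whenever the module's outputs change; if only a few attributes are needed downstream, exporting those explicitly keeps the blueprint's interface stable.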


@@ -122,6 +122,7 @@ variable "enable_monitoring" {
variable "ext_lb_config" {
description = "External application load balancer configuration."
type = object({
address = optional(string)
log_sample_rate = optional(number)
outlier_detection = optional(object({
consecutive_errors = optional(number)
@@ -193,6 +194,7 @@ variable "ext_lb_config" {
variable "int_cross_region_lb_config" {
description = "Internal application load balancer configuration."
type = object({
addresses = optional(map(string))
log_sample_rate = optional(number)
outlier_detection = optional(object({
consecutive_errors = optional(number)
@@ -213,7 +215,38 @@ variable "int_cross_region_lb_config" {
nanos = optional(number)
}))
}))
certificate_manager_certificates = optional(list(string))
certificate_manager_config = object({
certificates = map(object({
description = optional(string)
labels = optional(map(string), {})
location = optional(string)
scope = optional(string)
self_managed = optional(object({
pem_certificate = string
pem_private_key = string
}))
managed = optional(object({
domains = list(string)
dns_authorizations = optional(list(string))
issuance_config = optional(string)
}))
}))
dns_authorizations = optional(map(object({
domain = string
description = optional(string)
location = optional(string)
type = optional(string)
labels = optional(map(string))
})))
issuance_configs = optional(map(object({
ca_pool = string
description = optional(string)
key_algorithm = string
labels = optional(map(string), {})
lifetime = string
rotation_window_percentage = number
})))
})
})
default = null
}
@@ -221,6 +254,7 @@ variable "int_cross_region_lb_config" {
variable "int_lb_config" {
description = "Internal application load balancer configuration."
type = object({
addresses = optional(map(string))
log_sample_rate = optional(number)
outlier_detection = optional(object({
consecutive_errors = optional(number)
@@ -247,7 +281,6 @@ variable "int_lb_config" {
certificate = string
private_key = string
})), {})
self_signed_configs = optional(list(string), [])
})
})
default = null
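Review bot: `pem_private_key` now travels through `int_cross_region_lb_config`, but this hunk shows the variable closing right after `default = null` with no `sensitive = true`; unless it is set elsewhere in the block, the key material would be printed in clear text in plan and apply output and in any diff of the variable. The `nonsensitive()` wrappers added in main.tf suggest the intent is for the variable to be sensitive, and `sensitive = true` after `default = null` would make that explicit and consistent with the existing `int_lb_config`, which already carries `private_key` and is wrapped the same way. Separately, `certificate_manager_config` is a required attribute where the removed `certificate_manager_certificates` was optional, so existing callers that set `int_cross_region_lb_config` without it will now fail type validation; if that is intended it deserves a line in the README, otherwise `certificate_manager_config = optional(object({` plus a null guard in northbound.tf keeps it backward compatible. The `variable "int_lb_config"` block continues past the end of the last hunk.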