From f919a8dba063e06bc613953d0583463649c7fbdd Mon Sep 17 00:00:00 2001 From: Julio Castillo Date: Mon, 26 Oct 2020 23:17:25 +0100 Subject: [PATCH 1/4] Update GKE SVPC example to prevent -target usage --- networking/shared-vpc-gke/README.md | 13 ------------- networking/shared-vpc-gke/main.tf | 15 ++++++++++----- tests/networking/shared_vpc_gke/test_plan.py | 9 +++------ 3 files changed, 13 insertions(+), 24 deletions(-) diff --git a/networking/shared-vpc-gke/README.md b/networking/shared-vpc-gke/README.md index 2215d7658..2bc72fdae 100644 --- a/networking/shared-vpc-gke/README.md +++ b/networking/shared-vpc-gke/README.md @@ -6,19 +6,6 @@ The sample has been purposefully kept simple so that it can be used as a basis f ![High-level diagram](diagram.png "High-level diagram") -## Applying the example - -The example cannot be applied from scratch with a single `terraform apply` command, as Terraform is unable to manage Shared VPC project registration for multiple projects, before those are created and exist in state. To apply the example from scratch, follow this order: - -```bash -tf apply \ - -target module.project-svc-gce \ - -target module.project-svc-gke -tf apply -``` - -Once the first command has run successfully, the service projects exist in state and can be referenced by the multiple resource in the host project module that manages project registration. - ## Accessing the bastion instance and GKE cluster The bastion VM has no public address so access is mediated via [IAP](https://cloud.google.com/iap/docs), which is supported transparently in the `gcloud compute ssh` command. Authentication is via OS Login set as a project default. diff --git a/networking/shared-vpc-gke/main.tf b/networking/shared-vpc-gke/main.tf index 2e0296e26..8b7d05346 100644 --- a/networking/shared-vpc-gke/main.tf +++ b/networking/shared-vpc-gke/main.tf 
@@ -27,11 +27,8 @@ module "project-host" {
 name = "net"
 services = concat(var.project_services, ["dns.googleapis.com"])
 shared_vpc_host_config = {
- enabled = true
- service_projects = [
- module.project-svc-gce.project_id,
- module.project-svc-gke.project_id
- ]
+ enabled = true
+ service_projects = [] # defined later
 }
 iam_roles = [
 "roles/container.hostServiceAgentUser", "roles/owner"
@@ -53,6 +50,10 @@ module "project-svc-gce" {
 services = var.project_services
 oslogin = true
 oslogin_admins = var.owners_gce
+ shared_vpc_service_config = {
+ attach = true
+ host_project = module.project-host.project_id
+ }
 iam_roles = [
 "roles/logging.logWriter",
 "roles/monitoring.metricWriter",
@@ -75,6 +76,10 @@ module "project-svc-gke" {
 prefix = var.prefix
 name = "gke"
 services = var.project_services
+ shared_vpc_service_config = {
+ attach = true
+ host_project = module.project-host.project_id
+ }
 iam_roles = [
 "roles/container.developer",
 "roles/logging.logWriter",
diff --git a/tests/networking/shared_vpc_gke/test_plan.py b/tests/networking/shared_vpc_gke/test_plan.py
index 41e5f7c01..c0c0b1c6b 100644
--- a/tests/networking/shared_vpc_gke/test_plan.py
+++ b/tests/networking/shared_vpc_gke/test_plan.py
@@ -22,9 +22,6 @@ FIXTURES_DIR = os.path.join(os.path.dirname(__file__), 'fixture')
 def test_resources(e2e_plan_runner):
 "Test that plan works and the numbers of resources is as expected."
- modules, resources = e2e_plan_runner(FIXTURES_DIR, targets=[
- "module.test.module.project-svc-gce",
- "module.test.module.project-svc-gke"
- ])
- assert len(modules) == 4
- assert len(resources) == 16
+ modules, resources = e2e_plan_runner(FIXTURES_DIR)
+ assert len(modules) == 11
+ assert len(resources) == 43
From 9fa08ddb1e210d2a29d11b6009c8f1ebcc1a2330 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Tue, 27 Oct 2020 00:15:11 +0100
Subject: [PATCH 2/4] Update CHANGELOG.md
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
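Review bot: The `# defined later` comment on the new `service_projects = []` line points at nothing in this module — nothing further down in `module "project-host"` defines the attachments; they are now declared from the two service project modules through `shared_vpc_service_config`, which is what a reader tracing the Shared VPC trust boundary needs to know. Suggest `service_projects = [] # attachments are declared by each service project via shared_vpc_service_config`. It is also worth confirming in the project module that `enabled = true` with an empty list plans no detachment of projects registered from the service side (presumably it only iterates the list, so no resources are created), otherwise a later apply that only touches the host module could undo the registrations. The `module "project-host"` block starts and ends outside the hunk.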
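Review bot: The added `host_project = module.project-host.project_id` only orders the service-side registration after the host project's `project_id` output, not necessarily after the host project has been enabled as a Shared VPC host, so a first apply from scratch may still attempt the attachment before host enablement if that output does not reference the host enablement resource (I cannot see the project module from the hunk). If the root module is on Terraform 0.13 or later, `depends_on = [module.project-host]` on this module would pin the order without reintroducing the `-target` step, since the host module no longer references the service modules and no cycle results. The same applies to the identical `shared_vpc_service_config` block added to `module "project-svc-gke"` in the next hunk. The `module "project-svc-gce"` block starts and ends outside the hunk.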
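Review bot: The rewritten assertions on the last two lines pin only aggregate counts (`11` modules, `43` resources), so the one thing this patch depends on — the two service-project registrations now being planned from the service modules rather than through `-target` — would go unnoticed if they disappeared while some unrelated resource was added. If `e2e_plan_runner` exposes resource types (the hunk does not show the shape of `resources`), add a targeted check, for example `assert sum(1 for r in resources if r['type'] == 'google_compute_shared_vpc_service_project') == 2`, adjusting the key to whatever the plan fixture returns. The two count assertions can stay as a coarse smoke check, but they should not be the only guard for the behaviour this commit changes.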
diff --git a/CHANGELOG.md b/CHANGELOG.md index 13297f544..808bacaee 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ All notable changes to this project will be documented in this file. - add examples of alias IPs in `compute-vm` module - fix support for creating disks from images in `compute-vm` - allow creating single-sided peerings in `net-vpc` and `net-vpc-peering` +- use service project registration to Shared VPC in GKE example to remove need for two-step apply ## [3.4.0] - 2020-09-24 From 89ea69f1ce5280c2702e8e470ce6d10b164d8be6 Mon Sep 17 00:00:00 2001 From: Ludovico Magnocavallo Date: Tue, 27 Oct 2020 00:16:29 +0100 Subject: [PATCH 3/4] Update CHANGELOG.md --- CHANGELOG.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 808bacaee..87ec9ddfe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,8 @@ All notable changes to this project will be documented in this file. ## [Unreleased] +## [3.5.0] - 2020-10-27 + - end to end example for scheduled Cloud Asset Inventory export to Bigquery - decouple Cloud Run from Istio in GKE cluster module - depend views on tables in bigquery dataset module @@ -208,7 +210,8 @@ All notable changes to this project will be documented in this file. - merge development branch with suite of new modules and end-to-end examples -[Unreleased]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v3.4.0...HEAD +[Unreleased]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v3.5.0...HEAD +[3.5.0]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v3.4.0...v3.5.0 [3.4.0]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v3.3.0...v3.4.0 [3.3.0]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v3.2.0...v3.3.0 [3.2.0]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v3.1.1...v3.2.0 
From 846bd29d77ab5da18f20039bd04ef8b1f50a77f3 Mon Sep 17 00:00:00 2001 From: Julio Castillo Date: Thu, 29 Oct 2020 07:00:56 +0100 Subject: [PATCH 4/4] Fix typo in ilb-next-hop README --- networking/ilb-next-hop/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/networking/ilb-next-hop/README.md b/networking/ilb-next-hop/README.md index 4124d7833..961ec81c8 100644 --- a/networking/ilb-next-hop/README.md +++ b/networking/ilb-next-hop/README.md @@ -6,7 +6,7 @@ The following diagram shows the resources created by this example ![High-level diagram](diagram.png "High-level diagram") -Two ILBs are configured on the primary and secondary interfaces of gateway VMs with active health checks, but only the single one is used as next hop by default to simplify testing. The second (right-side) VPC has default routes that point to the gateway VMs, to also use the right-side ILB as next hop set the `ilb_right_enable` variable to `true`. +Two ILBs are configured on the primary and secondary interfaces of gateway VMs with active health checks, but only a single one is used as next hop by default to simplify testing. The second (right-side) VPC has default routes that point to the gateway VMs, to also use the right-side ILB as next hop set the `ilb_right_enable` variable to `true`. ## Testing