From c91802f501324d1f203bfb723291c9e22b712cf7 Mon Sep 17 00:00:00 2001 From: Ludovico Magnocavallo Date: Tue, 15 Feb 2022 08:24:27 +0000 Subject: [PATCH] Change psa type in net-vpc, fix psa in fast net stages (#545) * change psn type in net-vpc, fix psa in fast net stages * fix doc examples * psn ---> psa --- fast/stages/02-networking-nva/README.md | 4 ++-- fast/stages/02-networking-nva/spoke-dev.tf | 12 +--------- fast/stages/02-networking-nva/spoke-prod.tf | 12 +--------- fast/stages/02-networking-vpn/README.md | 4 ++-- fast/stages/02-networking-vpn/spoke-dev.tf | 12 +--------- fast/stages/02-networking-vpn/spoke-prod.tf | 12 +--------- modules/cloudsql-instance/README.md | 2 +- modules/net-vpc/README.md | 6 ++--- modules/net-vpc/main.tf | 22 +++++++++---------- modules/net-vpc/outputs.tf | 8 +++---- modules/net-vpc/variables.tf | 10 ++++----- tests/modules/net_vpc/fixture/main.tf | 2 +- tests/modules/net_vpc/fixture/variables.tf | 4 ++-- .../{test_plan_psn.py => test_plan_psa.py} | 13 ++++++----- 14 files changed, 42 insertions(+), 81 deletions(-) rename tests/modules/net_vpc/{test_plan_psn.py => test_plan_psa.py} (72%) diff --git a/fast/stages/02-networking-nva/README.md b/fast/stages/02-networking-nva/README.md index 014a07367..ef61af089 100644 --- a/fast/stages/02-networking-nva/README.md +++ b/fast/stages/02-networking-nva/README.md 
@@ -353,8 +353,8 @@ Don't forget to add a peering zone in the landing project and point it to the ne | [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | google_monitoring_dashboard | | [nva.tf](./nva.tf) | None | compute-mig · compute-vm · net-ilb | | | [outputs.tf](./outputs.tf) | Module outputs. | | local_file | -| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | net-address · net-vpc · net-vpc-firewall · net-vpc-peering · project | | -| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | net-address · net-vpc · net-vpc-firewall · net-vpc-peering · project | | +| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | net-vpc · net-vpc-firewall · net-vpc-peering · project | | +| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | net-vpc · net-vpc-firewall · net-vpc-peering · project | | | [test-resources.tf](./test-resources.tf) | temporary instances for testing | compute-vm | | | [variables.tf](./variables.tf) | Module variables. | | | | [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | net-vpn-ha | | diff --git a/fast/stages/02-networking-nva/spoke-dev.tf b/fast/stages/02-networking-nva/spoke-dev.tf index 628b64901..ced773f49 100644 --- a/fast/stages/02-networking-nva/spoke-dev.tf +++ b/fast/stages/02-networking-nva/spoke-dev.tf @@ -50,6 +50,7 @@ module "dev-spoke-vpc" { mtu = 1500 data_folder = "${var.data_dir}/subnets/dev" delete_default_routes_on_create = true + psa_ranges = var.psa_ranges.dev subnets_l7ilb = local.l7ilb_subnets.dev # Set explicit routes for googleapis; send everything else to NVAs routes = { 
@@ -110,17 +111,6 @@ module "dev-spoke-firewall" { cidr_template_file = "${var.data_dir}/cidrs.yaml" } -module "dev-spoke-psa-addresses" { - source = "../../../modules/net-address" - project_id = module.dev-spoke-project.project_id - psa_addresses = { for r, v in var.psa_ranges.dev : r => { - address = cidrhost(v, 0) - network = module.dev-spoke-vpc.self_link - prefix_length = split("/", v)[1] - } - } -} - module "peering-dev" { source = "../../../modules/net-vpc-peering" prefix = "dev-peering-0" diff --git a/fast/stages/02-networking-nva/spoke-prod.tf b/fast/stages/02-networking-nva/spoke-prod.tf index f05552635..8ce177afc 100644 --- a/fast/stages/02-networking-nva/spoke-prod.tf +++ b/fast/stages/02-networking-nva/spoke-prod.tf @@ -50,6 +50,7 @@ module "prod-spoke-vpc" { mtu = 1500 data_folder = "${var.data_dir}/subnets/prod" delete_default_routes_on_create = true + psa_ranges = var.psa_ranges.prod subnets_l7ilb = local.l7ilb_subnets.prod # Set explicit routes for googleapis; send everything else to NVAs routes = { @@ -110,17 +111,6 @@ module "prod-spoke-firewall" { cidr_template_file = "${var.data_dir}/cidrs.yaml" } -module "prod-spoke-psa-addresses" { - source = "../../../modules/net-address" - project_id = module.prod-spoke-project.project_id - psa_addresses = { for r, v in var.psa_ranges.prod : r => { - address = cidrhost(v, 0) - network = module.prod-spoke-vpc.self_link - prefix_length = split("/", v)[1] - } - } -} - module "peering-prod" { source = "../../../modules/net-vpc-peering" prefix = "prod-peering-0" diff --git a/fast/stages/02-networking-vpn/README.md b/fast/stages/02-networking-vpn/README.md index 4b96eba8b..f8cc210c3 100644 --- a/fast/stages/02-networking-vpn/README.md +++ b/fast/stages/02-networking-vpn/README.md 
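Review bot: Dropping `module "dev-spoke-psa-addresses"` while the new `psa_ranges` argument reserves the same CIDRs inside `net-vpc` makes an existing deployment destroy the `net-address`-managed global addresses and create module-managed ones with new names but the same `address`/`prefix_length`; Terraform does not order unrelated creates and destroys, so the new reservation may collide with the not-yet-deleted old one on the first apply. The stage README only gets its module table updated, with no migration note; a changelog sentence such as "PSA reservations are now created by the VPC module together with the Service Networking connection; expect a replacement plan and retry if the new reservation conflicts with the old one" would save operators a surprise. Whether the removed stage code ever created the `google_service_networking_connection` is not visible here; if it did not, this commit also establishes a new peering from the spoke VPC to `servicenetworking.googleapis.com`, which is a change in the VPC's trust boundary and should be stated in the description. The same applies to the `prod-spoke-psa-addresses` hunk in spoke-prod.tf, and the surrounding `dev-spoke-firewall` and `peering-dev` module blocks start and end outside this hunk.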
@@ -296,8 +296,8 @@ DNS configurations are centralised in the `dns.tf` file. Spokes delegate DNS res | [main.tf](./main.tf) | Networking folder and hierarchical policy. | folder | | | [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | google_monitoring_dashboard | | [outputs.tf](./outputs.tf) | Module outputs. | | local_file | -| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | net-address · net-cloudnat · net-vpc · net-vpc-firewall · project | google_project_iam_binding | -| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | net-address · net-cloudnat · net-vpc · net-vpc-firewall · project | google_project_iam_binding | +| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | google_project_iam_binding | +| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | google_project_iam_binding | | [test-resources.tf](./test-resources.tf) | temporary instances for testing | compute-vm | | | [variables.tf](./variables.tf) | Module variables. | | | | [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | net-vpn-ha | | diff --git a/fast/stages/02-networking-vpn/spoke-dev.tf b/fast/stages/02-networking-vpn/spoke-dev.tf index 4a3f0f25c..255142bff 100644 --- a/fast/stages/02-networking-vpn/spoke-dev.tf +++ b/fast/stages/02-networking-vpn/spoke-dev.tf @@ -52,6 +52,7 @@ module "dev-spoke-vpc" { name = "dev-spoke-0" mtu = 1500 data_folder = "${var.data_dir}/subnets/dev" + psa_ranges = var.psa_ranges.dev subnets_l7ilb = local.l7ilb_subnets.dev # set explicit routes for googleapis in case the default route is deleted routes = { 
@@ -96,17 +97,6 @@ module "dev-spoke-cloudnat" { logging_filter = "ERRORS_ONLY" } -module "dev-spoke-psa-addresses" { - source = "../../../modules/net-address" - project_id = module.dev-spoke-project.project_id - psa_addresses = { for r, v in var.psa_ranges.dev : r => { - address = cidrhost(v, 0) - network = module.dev-spoke-vpc.self_link - prefix_length = split("/", v)[1] - } - } -} - # Create delegated grants for stage3 service accounts resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" { project = module.dev-spoke-project.project_id diff --git a/fast/stages/02-networking-vpn/spoke-prod.tf b/fast/stages/02-networking-vpn/spoke-prod.tf index 3be90c2e2..0ce38dc7d 100644 --- a/fast/stages/02-networking-vpn/spoke-prod.tf +++ b/fast/stages/02-networking-vpn/spoke-prod.tf @@ -52,6 +52,7 @@ module "prod-spoke-vpc" { name = "prod-spoke-0" mtu = 1500 data_folder = "${var.data_dir}/subnets/prod" + psa_ranges = var.psa_ranges.prod subnets_l7ilb = local.l7ilb_subnets.prod # set explicit routes for googleapis in case the default route is deleted routes = { @@ -96,17 +97,6 @@ module "prod-spoke-cloudnat" { logging_filter = "ERRORS_ONLY" } -module "prod-spoke-psa-addresses" { - source = "../../../modules/net-address" - project_id = module.prod-spoke-project.project_id - psa_addresses = { for r, v in var.psa_ranges.prod : r => { - address = cidrhost(v, 0) - network = module.prod-spoke-vpc.self_link - prefix_length = split("/", v)[1] - } - } -} - # Create delegated grants for stage3 service accounts resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" { project = module.prod-spoke-project.project_id diff --git a/modules/cloudsql-instance/README.md b/modules/cloudsql-instance/README.md index 9880c2a46..7a3dc7f8a 100644 --- a/modules/cloudsql-instance/README.md +++ b/modules/cloudsql-instance/README.md 
@@ -25,7 +25,7 @@ module "vpc" { source = "./modules/net-vpc" project_id = module.project.project_id name = "my-network" - psn_ranges = ["10.60.0.0/16"] + psa_ranges = {cloudsql-ew1-0="10.60.0.0/16"} } module "db" { diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md index 17723006e..a5f1451b5 100644 --- a/modules/net-vpc/README.md +++ b/modules/net-vpc/README.md @@ -138,7 +138,7 @@ module "vpc" { secondary_ip_range = null } ] - psn_ranges = ["10.10.0.0/16"] + psa_ranges = {range-a = "10.10.0.0/16"} } # tftest modules=1 resources=4 ``` @@ -171,8 +171,8 @@ module "vpc" { ``` ### Subnet Factory -The `net-vpc` module includes a subnet factory (see [Resource Factories](../../examples/factories/)) for the massive creation of subnets leveraging one configuration file per subnet. +The `net-vpc` module includes a subnet factory (see [Resource Factories](../../examples/factories/)) for the massive creation of subnets leveraging one configuration file per subnet. ```hcl module "vpc" { 
@@ -220,7 +220,7 @@ flow_logs: # enable, set to empty map to use defaults | [mtu](variables.tf#L80) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 and the maximum value is 1500 bytes. | | | null | | [peering_config](variables.tf#L90) | VPC peering configuration. | object({…}) | | null | | [peering_create_remote_end](variables.tf#L100) | Skip creation of peering on the remote end when using peering_config. | bool | | true | -| [psn_ranges](variables.tf#L111) | CIDR ranges used for Google services that support Private Service Networking. | list(string) | | null | +| [psa_ranges](variables.tf#L111) | CIDR ranges used for Google services that support Private Service Networking. | map(string) | | null | | [routes](variables.tf#L124) | Network routes, keyed by name. | map(object({…})) | | {} | | [routing_mode](variables.tf#L136) | The network routing mode (default 'GLOBAL'). | string | | "GLOBAL" | | [shared_vpc_host](variables.tf#L146) | Enable shared VPC for this project. | bool | | false | diff --git a/modules/net-vpc/main.tf b/modules/net-vpc/main.tf index 676c52f94..540541b6a 100644 --- a/modules/net-vpc/main.tf +++ b/modules/net-vpc/main.tf @@ -78,11 +78,11 @@ locals { ? null : element(reverse(split("/", var.peering_config.peer_vpc_self_link)), 0) ) - psn_ranges = { - for r in(var.psn_ranges == null ? [] : var.psn_ranges) : r => { - address = split("/", r)[0] - name = replace(split("/", r)[0], ".", "-") - prefix_length = split("/", r)[1] + psa_ranges = { + for k, v in coalesce(var.psa_ranges, {}) : k => { + address = split("/", v)[0] + name = k + prefix_length = split("/", v)[1] } } routes = { 
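Review bot: `address = split("/", v)[0]` in the new `psa_ranges` local forwards the literal host part of the user string to the API, so a non-canonical entry such as `"10.60.0.1/16"` passes the variable's `can(cidrnetmask(v))` validation and then fails at apply when the global address is created. Normalizing with `address = cidrhost(v, 0)`, which is exactly what the stage code removed in this same commit used, yields the network address for any well-formed input. The `name = k` field is dead if the resource builds its name from `each.key`, as the main.tf hunk further down does; dropping it keeps the local honest about what is consumed. The `locals` block itself starts and ends outside this hunk.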
@@ -328,10 +328,10 @@ resource "google_dns_policy" "default" { } } -resource "google_compute_global_address" "psn_ranges" { - for_each = local.psn_ranges +resource "google_compute_global_address" "psa_ranges" { + for_each = local.psa_ranges project = var.project_id - name = "${var.name}-psn-${each.value.name}" + name = "${var.name}-psa-${each.key}" purpose = "VPC_PEERING" address_type = "INTERNAL" address = each.value.address @@ -339,11 +339,11 @@ resource "google_compute_global_address" "psn_ranges" { network = local.network.id } -resource "google_service_networking_connection" "psn_connection" { - for_each = toset(local.psn_ranges == {} ? [] : [""]) +resource "google_service_networking_connection" "psa_connection" { + for_each = toset(local.psa_ranges == {} ? [] : [""]) network = local.network.id service = "servicenetworking.googleapis.com" reserved_peering_ranges = [ - for k, v in google_compute_global_address.psn_ranges : v.name + for k, v in google_compute_global_address.psa_ranges : v.name ] } diff --git a/modules/net-vpc/outputs.tf b/modules/net-vpc/outputs.tf index 0118d7ec1..d1e68c343 100644 --- a/modules/net-vpc/outputs.tf +++ b/modules/net-vpc/outputs.tf @@ -27,7 +27,7 @@ output "name" { google_compute_network_peering.remote, google_compute_shared_vpc_host_project.shared_vpc_host, google_compute_shared_vpc_service_project.service_projects, - google_service_networking_connection.psn_connection + google_service_networking_connection.psa_connection ] } @@ -39,7 +39,7 @@ output "network" { google_compute_network_peering.remote, google_compute_shared_vpc_host_project.shared_vpc_host, google_compute_shared_vpc_service_project.service_projects, - google_service_networking_connection.psn_connection + google_service_networking_connection.psa_connection ] } 
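Review bot: Changing the reservation name to `"${var.name}-psa-${each.key}"` forces replacement of every existing address, because `name` is immutable on `google_compute_global_address`, and a range that is still listed in a live Service Networking peering cannot be deleted until the connection stops referencing it. On a deployment with Cloud SQL or similar producer instances attached, the resulting destroy-then-create of the address while the peering still points at it may fail or, if it succeeds, briefly leaves the consumer range unreserved. The commit message does not mention this; a README note describing the migration (update the connection first, or accept a maintenance window) is warranted. Since `each.key` now becomes part of a GCE resource name, the allowed key format is also a new input constraint that the variable description should state.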
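Review bot: Renaming the resource from `psn_connection` to `psa_connection` without a `moved` block makes Terraform plan a destroy of the existing `google_service_networking_connection` followed by a create, instead of the in-place `reserved_peering_ranges` update the change actually needs; deleting a connection that still has producer instances behind it either fails or disconnects them. If the repository's required Terraform version is 1.1 or newer, which is not visible here, a `moved` block mapping `google_service_networking_connection.psn_connection` to `google_service_networking_connection.psa_connection` turns this into an update; otherwise a `terraform state mv` step belongs in the release notes. Separately, `local.psa_ranges == {}` on the `for_each` line relies on object-equality semantics to detect emptiness; `for_each = toset(length(local.psa_ranges) == 0 ? [] : [""])` states the intent directly.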
@@ -52,7 +52,7 @@ output "project_id" { google_compute_network_peering.remote, google_compute_shared_vpc_host_project.shared_vpc_host, google_compute_shared_vpc_service_project.service_projects, - google_service_networking_connection.psn_connection + google_service_networking_connection.psa_connection ] } @@ -64,7 +64,7 @@ output "self_link" { google_compute_network_peering.remote, google_compute_shared_vpc_host_project.shared_vpc_host, google_compute_shared_vpc_service_project.service_projects, - google_service_networking_connection.psn_connection + google_service_networking_connection.psa_connection ] } diff --git a/modules/net-vpc/variables.tf b/modules/net-vpc/variables.tf index 0dace3f17..9835fccd5 100644 --- a/modules/net-vpc/variables.tf +++ b/modules/net-vpc/variables.tf @@ -108,16 +108,16 @@ variable "project_id" { type = string } -variable "psn_ranges" { +variable "psa_ranges" { description = "CIDR ranges used for Google services that support Private Service Networking." - type = list(string) + type = map(string) default = null validation { condition = alltrue([ - for r in(var.psn_ranges == null ? [] : var.psn_ranges) : - can(cidrnetmask(r)) + for k, v in(var.psa_ranges == null ? {} : var.psa_ranges) : + can(cidrnetmask(v)) ]) - error_message = "Specify a valid RFC1918 CIDR range for Private Service Networking." + error_message = "Specify valid RFC1918 CIDR ranges for Private Service Networking." } } diff --git a/tests/modules/net_vpc/fixture/main.tf b/tests/modules/net_vpc/fixture/main.tf index 3c36af9a0..8a913a84c 100644 --- a/tests/modules/net_vpc/fixture/main.tf +++ b/tests/modules/net_vpc/fixture/main.tf @@ -30,6 +30,6 @@ module "test" { subnet_flow_logs = var.subnet_flow_logs subnet_private_access = var.subnet_private_access auto_create_subnetworks = var.auto_create_subnetworks - psn_ranges = var.psn_ranges + psa_ranges = var.psa_ranges data_folder = var.data_folder } 
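Review bot: The validation on `psa_ranges` still checks only the CIDR values, but with the switch to `map(string)` each key is now interpolated into a `google_compute_global_address` name in main.tf, so a key like `CloudSQL_EW1` or `range a` passes validation and fails at apply with an API naming error. Tightening the condition to `can(regex("^[a-z]([-a-z0-9]*[a-z0-9])?$", k)) && can(cidrnetmask(v))` surfaces this at plan time. The reworded error message also still promises an RFC1918 check that `cidrnetmask` does not perform, since it validates syntax only; either say "valid CIDR ranges" or actually test the ranges. As the commit renames PSN to PSA throughout, the description and message should read "Private Service Access" as well.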
diff --git a/tests/modules/net_vpc/fixture/variables.tf b/tests/modules/net_vpc/fixture/variables.tf index cd237e90e..c08e98d24 100644 --- a/tests/modules/net_vpc/fixture/variables.tf +++ b/tests/modules/net_vpc/fixture/variables.tf @@ -61,8 +61,8 @@ variable "peering_config" { default = null } -variable "psn_ranges" { - type = list(string) +variable "psa_ranges" { + type = map(string) default = null } diff --git a/tests/modules/net_vpc/test_plan_psn.py b/tests/modules/net_vpc/test_plan_psa.py similarity index 72% rename from tests/modules/net_vpc/test_plan_psn.py rename to tests/modules/net_vpc/test_plan_psa.py index 7c69b4337..2ea58d344 100644 --- a/tests/modules/net_vpc/test_plan_psn.py +++ b/tests/modules/net_vpc/test_plan_psa.py @@ -16,20 +16,21 @@ import tftest def test_single_range(plan_runner): - "Test single PSN range." - _, resources = plan_runner(psn_ranges='["172.16.100.0/24"]') + "Test single PSA range." + _, resources = plan_runner(psa_ranges='{foobar="172.16.100.0/24"}') assert len(resources) == 3 def test_multi_range(plan_runner): - "Test multiple PSN ranges." - _, resources = plan_runner(psn_ranges='["172.16.100.0/24", "172.16.101.0/24"]') + "Test multiple PSA ranges." + psa_ranges = '{foobar="172.16.100.0/24", frobniz="172.16.101.0/24"}' + _, resources = plan_runner(psa_ranges=psa_ranges) assert len(resources) == 4 def test_validation(plan_runner): - "Test PSN variable validation." + "Test PSA variable validation." try: - plan_runner(psn_ranges='["foobar"]') + plan_runner(psa_ranges='{foobar="foobar"}') except tftest.TerraformTestError as e: assert 'Invalid value for variable' in e.args[0]
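Review bot: `test_validation` still passes when `plan_runner` does not raise, because its only assertion lives inside the `except` clause; if the `psa_ranges` validation is later loosened or removed, this test keeps going green. Adding an `else:` branch to the `try`, e.g. `else: raise AssertionError("plan_runner accepted an invalid psa_ranges value")`, makes the negative case real (or use `pytest.raises`, if the module imports pytest, which is not visible here). A second case with a syntactically valid but non-network entry such as `{foobar="10.0.0.1/24"}` would also document what the module's `cidrnetmask` check does and does not catch.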