Add support to VPC flow logs for PSC subnet (#3639)

modules/net-vpc/README.md

@@ -409,10 +409,19 @@ module "vpc" {
       ip_cidr_range = "10.0.3.0/24"
       name          = "psc"
       region        = "europe-west1"
+    },
+    {
+      ip_cidr_range = "10.0.5.0/24"
+      name          = "psc-log"
+      region        = "europe-west1",
+      flow_logs_config = {
+        flow_sampling        = 0.5
+        aggregation_interval = "INTERVAL_10_MIN"
+      }
     }
   ]
 }
-# tftest modules=1 resources=7 inventory=proxy-only-subnets.yaml e2e
+# tftest modules=1 inventory=proxy-only-subnets.yaml e2e
 ```
 
 ### PSC Network Attachments
@@ -496,7 +505,7 @@ module "vpc" {
     subnets_folder = "config/subnets"
   }
 }
-# tftest modules=1 resources=11 files=subnet-simple,subnet-simple-2,subnet-detailed,subnet-proxy,subnet-proxy-global,subnet-psc inventory=factory.yaml
+# tftest files=subnet-simple,subnet-simple-2,subnet-detailed,subnet-proxy,subnet-proxy-global,subnet-psc,subnet-psc-detailed inventory=factory.yaml
 ```
 
 ```yaml
@@ -562,6 +571,18 @@ psc: true
 # tftest-file id=subnet-psc path=config/subnets/subnet-psc.yaml schema=subnet.schema.json
 ```
 
+```yaml
+region: europe-west4
+ip_cidr_range: 10.2.0.0/24
+psc: true
+flow_logs_config:             # enable, set to empty map to use defaults
+  aggregation_interval: "INTERVAL_5_SEC"
+  flow_sampling: 0.5
+  metadata: "INCLUDE_ALL_METADATA"
+
+# tftest-file id=subnet-psc-detailed path=config/subnets/subnet-psc-detailed.yaml schema=subnet.schema.json
+```
+
 ### Custom Routes
 
 VPC routes can be configured through the `routes` variable.
@@ -924,8 +945,8 @@ secondary_ip_ranges:
 | [subnets](variables.tf#L341) | Subnet configuration. | <code title="list&#40;object&#40;&#123;&#10;  name                             &#61; string&#10;  ip_cidr_range                    &#61; optional&#40;string&#41;&#10;  region                           &#61; string&#10;  description                      &#61; optional&#40;string&#41;&#10;  enable_private_access            &#61; optional&#40;bool, true&#41;&#10;  allow_subnet_cidr_routes_overlap &#61; optional&#40;bool, null&#41;&#10;  reserved_internal_range          &#61; optional&#40;string&#41;&#10;  flow_logs_config &#61; optional&#40;object&#40;&#123;&#10;    aggregation_interval &#61; optional&#40;string&#41;&#10;    filter_expression    &#61; optional&#40;string&#41;&#10;    flow_sampling        &#61; optional&#40;number&#41;&#10;    metadata             &#61; optional&#40;string&#41;&#10;    metadata_fields &#61; optional&#40;list&#40;string&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  ipv6 &#61; optional&#40;object&#40;&#123;&#10;    access_type &#61; optional&#40;string, &#34;INTERNAL&#34;&#41;&#10;    ipv6_only &#61; optional&#40;bool, false&#41;&#10;  &#125;&#41;&#41;&#10;  ip_collection &#61; optional&#40;string, null&#41;&#10;  secondary_ip_ranges &#61; optional&#40;map&#40;object&#40;&#123;&#10;    ip_cidr_range           &#61; optional&#40;string&#41;&#10;    reserved_internal_range &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#41;&#10;  iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    role    &#61; string&#10;    members &#61; list&#40;string&#41;&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
 | [subnets_private_nat](variables.tf#L421) | List of private NAT subnets. | <code title="list&#40;object&#40;&#123;&#10;  name          &#61; string&#10;  ip_cidr_range &#61; string&#10;  region        &#61; string&#10;  description   &#61; optional&#40;string&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
 | [subnets_proxy_only](variables.tf#L433) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | <code title="list&#40;object&#40;&#123;&#10;  name          &#61; string&#10;  ip_cidr_range &#61; string&#10;  region        &#61; string&#10;  description   &#61; optional&#40;string&#41;&#10;  active        &#61; optional&#40;bool, true&#41;&#10;  global        &#61; optional&#40;bool, false&#41;&#10;&#10;&#10;  iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    role    &#61; string&#10;    members &#61; list&#40;string&#41;&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
-| [subnets_psc](variables.tf#L467) | List of subnets for Private Service Connect service producers. | <code title="list&#40;object&#40;&#123;&#10;  name          &#61; string&#10;  ip_cidr_range &#61; string&#10;  region        &#61; string&#10;  description   &#61; optional&#40;string&#41;&#10;&#10;&#10;  iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    role    &#61; string&#10;    members &#61; list&#40;string&#41;&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
-| [vpc_reuse](variables.tf#L499) | Reuse existing VPC if not null. If the network_id number is not passed in, a data source is used. | <code title="object&#40;&#123;&#10;  use_data_source &#61; optional&#40;bool, true&#41;&#10;  attributes &#61; optional&#40;object&#40;&#123;&#10;    network_id &#61; number&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [subnets_psc](variables.tf#L467) | List of subnets for Private Service Connect service producers. | <code title="list&#40;object&#40;&#123;&#10;  name          &#61; string&#10;  ip_cidr_range &#61; string&#10;  region        &#61; string&#10;  description   &#61; optional&#40;string&#41;&#10;  flow_logs_config &#61; optional&#40;object&#40;&#123;&#10;    aggregation_interval &#61; optional&#40;string&#41;&#10;    filter_expression    &#61; optional&#40;string&#41;&#10;    flow_sampling        &#61; optional&#40;number&#41;&#10;    metadata             &#61; optional&#40;string&#41;&#10;    metadata_fields &#61; optional&#40;list&#40;string&#41;&#41;&#10;  &#125;&#41;&#41;&#10;&#10;&#10;  iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    role    &#61; string&#10;    members &#61; list&#40;string&#41;&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
+| [vpc_reuse](variables.tf#L507) | Reuse existing VPC if not null. If the network_id number is not passed in, a data source is used. | <code title="object&#40;&#123;&#10;  use_data_source &#61; optional&#40;bool, true&#41;&#10;  attributes &#61; optional&#40;object&#40;&#123;&#10;    network_id &#61; number&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 
 ## Outputs
 

modules/net-vpc/subnets.tf

@@ -297,6 +297,20 @@ resource "google_compute_subnetwork" "psc" {
     : each.value.description
   )
   purpose = "PRIVATE_SERVICE_CONNECT"
+  dynamic "log_config" {
+    for_each = each.value.flow_logs_config != null ? [""] : []
+    content {
+      aggregation_interval = each.value.flow_logs_config.aggregation_interval
+      filter_expr          = each.value.flow_logs_config.filter_expression
+      flow_sampling        = each.value.flow_logs_config.flow_sampling
+      metadata             = each.value.flow_logs_config.metadata
+      metadata_fields = (
+        each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
+        ? each.value.flow_logs_config.metadata_fields
+        : null
+      )
+    }
+  }
 }
 
 

modules/net-vpc/variables.tf

@@ -471,6 +471,14 @@ variable "subnets_psc" {
     ip_cidr_range = string
     region        = string
     description   = optional(string)
+    flow_logs_config = optional(object({
+      aggregation_interval = optional(string)
+      filter_expression    = optional(string)
+      flow_sampling        = optional(number)
+      metadata             = optional(string)
+      # only if metadata == "CUSTOM_METADATA"
+      metadata_fields = optional(list(string))
+    }))
 
     iam = optional(map(list(string)), {})
     iam_bindings = optional(map(object({

tests/modules/net_vpc/examples/factory.yaml

@@ -59,8 +59,8 @@ values:
     region: europe-west4
     role: ACTIVE
     timeouts: null
-  ? module.vpc.google_compute_subnetwork.proxy_only["australia-southeast2/subnet-proxy-global"]
-  : description: Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB.
+  module.vpc.google_compute_subnetwork.proxy_only["australia-southeast2/subnet-proxy-global"]:
+    description: Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB.
     ip_cidr_range: 10.4.0.0/24
     ipv6_access_type: null
     log_config: []
@@ -81,8 +81,24 @@ values:
     region: europe-west4
     role: null
     timeouts: null
-  ? module.vpc.google_compute_subnetwork.subnetwork["europe-west1/subnet-detailed"]
-  : description: Sample description
+  module.vpc.google_compute_subnetwork.psc["europe-west4/subnet-psc-detailed"]:
+    description: Terraform-managed subnet for Private Service Connect (PSC NAT).
+    ip_cidr_range: 10.2.0.0/24
+    ipv6_access_type: null
+    log_config:
+      - aggregation_interval: INTERVAL_5_SEC
+        filter_expr: "true"
+        flow_sampling: 0.5
+        metadata: INCLUDE_ALL_METADATA
+        metadata_fields: null
+    name: subnet-psc-detailed
+    project: project-id
+    purpose: PRIVATE_SERVICE_CONNECT
+    region: europe-west4
+    role: null
+    timeouts: null
+  module.vpc.google_compute_subnetwork.subnetwork["europe-west1/subnet-detailed"]:
+    description: Sample description
     ip_cidr_range: 10.0.0.0/24
     ipv6_access_type: null
     name: subnet-detailed
@@ -116,8 +132,8 @@ values:
     region: europe-west8
     role: null
     timeouts: null
-  ? module.vpc.google_compute_subnetwork_iam_binding.authoritative["europe-west1/subnet-detailed.roles/compute.networkUser"]
-  : condition: []
+  module.vpc.google_compute_subnetwork_iam_binding.authoritative["europe-west1/subnet-detailed.roles/compute.networkUser"]:
+    condition: []
     members:
       - group:lorem@example.com
       - serviceAccount:fbz@prj.iam.gserviceaccount.com
@@ -130,9 +146,9 @@ values:
 counts:
   google_compute_network: 1
   google_compute_route: 3
-  google_compute_subnetwork: 6
+  google_compute_subnetwork: 7
   google_compute_subnetwork_iam_binding: 1
   modules: 1
-  resources: 11
+  resources: 12
 
 outputs: {}

tests/modules/net_vpc/examples/proxy-only-subnets.yaml

@@ -44,7 +44,29 @@ values:
     purpose: PRIVATE_SERVICE_CONNECT
     region: europe-west1
     role: null
+  module.vpc.google_compute_subnetwork.psc["europe-west1/psc-log"]:
+    description: Terraform-managed subnet for Private Service Connect (PSC NAT).
+    ip_cidr_range: 10.0.5.0/24
+    ip_collection: null
+    ipv6_access_type: null
+    log_config:
+    - aggregation_interval: INTERVAL_10_MIN
+      filter_expr: 'true'
+      flow_sampling: 0.5
+      metadata: INCLUDE_ALL_METADATA
+      metadata_fields: null
+    name: psc-log
+    network: my-network
+    params: []
+    project: project-id
+    purpose: PRIVATE_SERVICE_CONNECT
+    region: europe-west1
+    reserved_internal_range: null
+    role: null
 
 counts:
   google_compute_network: 1
-  google_compute_subnetwork: 3
+  google_compute_route: 3
+  google_compute_subnetwork: 4
+  modules: 1
+  resources: 8