diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md
index a5cb7362c..b4016f30e 100644
--- a/modules/net-vpc/README.md
+++ b/modules/net-vpc/README.md
@@ -409,10 +409,19 @@ module "vpc" {
ip_cidr_range = "10.0.3.0/24"
name = "psc"
region = "europe-west1"
+ },
+ {
+ ip_cidr_range = "10.0.5.0/24"
+ name = "psc-log"
+ region = "europe-west1",
+ flow_logs_config = {
+ flow_sampling = 0.5
+ aggregation_interval = "INTERVAL_10_MIN"
+ }
}
]
}
-# tftest modules=1 resources=7 inventory=proxy-only-subnets.yaml e2e
+# tftest modules=1 inventory=proxy-only-subnets.yaml e2e
```
### PSC Network Attachments
@@ -496,7 +505,7 @@ module "vpc" {
subnets_folder = "config/subnets"
}
}
-# tftest modules=1 resources=11 files=subnet-simple,subnet-simple-2,subnet-detailed,subnet-proxy,subnet-proxy-global,subnet-psc inventory=factory.yaml
+# tftest files=subnet-simple,subnet-simple-2,subnet-detailed,subnet-proxy,subnet-proxy-global,subnet-psc,subnet-psc-detailed inventory=factory.yaml
```
```yaml
@@ -562,6 +571,18 @@ psc: true
# tftest-file id=subnet-psc path=config/subnets/subnet-psc.yaml schema=subnet.schema.json
```
+```yaml
+region: europe-west4
+ip_cidr_range: 10.2.0.0/24
+psc: true
+flow_logs_config: # enable, set to empty map to use defaults
+ aggregation_interval: "INTERVAL_5_SEC"
+ flow_sampling: 0.5
+ metadata: "INCLUDE_ALL_METADATA"
+
+# tftest-file id=subnet-psc-detailed path=config/subnets/subnet-psc-detailed.yaml schema=subnet.schema.json
+```
+
### Custom Routes
VPC routes can be configured through the `routes` variable.
@@ -924,8 +945,8 @@ secondary_ip_ranges:
| [subnets](variables.tf#L341) | Subnet configuration. | list(object({…})) | | [] |
| [subnets_private_nat](variables.tf#L421) | List of private NAT subnets. | list(object({…})) | | [] |
| [subnets_proxy_only](variables.tf#L433) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] |
-| [subnets_psc](variables.tf#L467) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] |
-| [vpc_reuse](variables.tf#L499) | Reuse existing VPC if not null. If the network_id number is not passed in, a data source is used. | object({…}) | | null |
+| [subnets_psc](variables.tf#L467) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] |
+| [vpc_reuse](variables.tf#L507) | Reuse existing VPC if not null. If the network_id number is not passed in, a data source is used. | object({…}) | | null |
## Outputs
diff --git a/modules/net-vpc/subnets.tf b/modules/net-vpc/subnets.tf
index 6d6f5891e..a9ba1b046 100644
--- a/modules/net-vpc/subnets.tf
+++ b/modules/net-vpc/subnets.tf
@@ -297,6 +297,20 @@ resource "google_compute_subnetwork" "psc" {
: each.value.description
)
purpose = "PRIVATE_SERVICE_CONNECT"
+ dynamic "log_config" {
+ for_each = each.value.flow_logs_config != null ? [""] : []
+ content {
+ aggregation_interval = each.value.flow_logs_config.aggregation_interval
+ filter_expr = each.value.flow_logs_config.filter_expression
+ flow_sampling = each.value.flow_logs_config.flow_sampling
+ metadata = each.value.flow_logs_config.metadata
+ metadata_fields = (
+ each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
+ ? each.value.flow_logs_config.metadata_fields
+ : null
+ )
+ }
+ }
}
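Review bot: `metadata_fields` is silently discarded whenever `metadata` is not `"CUSTOM_METADATA"`, and `filter_expr`, `aggregation_interval` and `flow_sampling` are passed through as null when unset (the inventories in this diff show the provider then filling `filter_expr: "true"`), so a mistyped entry still applies without any warning. A short comment above the `dynamic "log_config"` block would make that contract explicit: `# flow logs are enabled only when flow_logs_config is non-null (an empty object enables provider defaults); metadata_fields is ignored unless metadata == "CUSTOM_METADATA"`. This block presumably mirrors the `log_config` handling on the `subnetwork` resource elsewhere in this file; if so, the two should be kept in step. The enclosing `psc` resource starts before this hunk.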
diff --git a/modules/net-vpc/variables.tf b/modules/net-vpc/variables.tf
index 075c24a59..1e4b4d1da 100644
--- a/modules/net-vpc/variables.tf
+++ b/modules/net-vpc/variables.tf
@@ -471,6 +471,14 @@ variable "subnets_psc" {
ip_cidr_range = string
region = string
description = optional(string)
+ flow_logs_config = optional(object({
+ aggregation_interval = optional(string)
+ filter_expression = optional(string)
+ flow_sampling = optional(number)
+ metadata = optional(string)
+ # only if metadata == "CUSTOM_METADATA"
+ metadata_fields = optional(list(string))
+ }))
iam = optional(map(list(string)), {})
iam_bindings = optional(map(object({
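Review bot: The new `flow_logs_config` object accepts any number for `flow_sampling` and any string for `metadata`, and `metadata_fields` given together with a non-`CUSTOM_METADATA` `metadata` is dropped in `subnets.tf` rather than rejected; only the `# only if metadata == "CUSTOM_METADATA"` comment records the constraint. A `validation` block on `subnets_psc` would surface these errors at plan time instead of at apply or, for the dropped fields, never. I would add the block below after the `type` argument, using `try()` so that entries with a null `flow_logs_config` do not fail on attribute access. The `variable "subnets_psc"` block starts before this hunk and its type definition continues after it.
```hcl
  validation {
    condition = alltrue([
      for s in var.subnets_psc : (
        try(s.flow_logs_config.flow_sampling, 0) >= 0 &&
        try(s.flow_logs_config.flow_sampling, 0) <= 1 &&
        (
          try(s.flow_logs_config.metadata_fields, null) == null ||
          try(s.flow_logs_config.metadata, null) == "CUSTOM_METADATA"
        )
      )
    ])
    error_message = "flow_logs_config.flow_sampling must be in [0, 1] and metadata_fields requires metadata = \"CUSTOM_METADATA\"."
  }
```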
diff --git a/tests/modules/net_vpc/examples/factory.yaml b/tests/modules/net_vpc/examples/factory.yaml
index 519f6ae18..32d406eb7 100644
--- a/tests/modules/net_vpc/examples/factory.yaml
+++ b/tests/modules/net_vpc/examples/factory.yaml
@@ -59,8 +59,8 @@ values:
region: europe-west4
role: ACTIVE
timeouts: null
- ? module.vpc.google_compute_subnetwork.proxy_only["australia-southeast2/subnet-proxy-global"]
- : description: Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB.
+ module.vpc.google_compute_subnetwork.proxy_only["australia-southeast2/subnet-proxy-global"]:
+ description: Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB.
ip_cidr_range: 10.4.0.0/24
ipv6_access_type: null
log_config: []
@@ -81,8 +81,24 @@ values:
region: europe-west4
role: null
timeouts: null
- ? module.vpc.google_compute_subnetwork.subnetwork["europe-west1/subnet-detailed"]
- : description: Sample description
+ module.vpc.google_compute_subnetwork.psc["europe-west4/subnet-psc-detailed"]:
+ description: Terraform-managed subnet for Private Service Connect (PSC NAT).
+ ip_cidr_range: 10.2.0.0/24
+ ipv6_access_type: null
+ log_config:
+ - aggregation_interval: INTERVAL_5_SEC
+ filter_expr: "true"
+ flow_sampling: 0.5
+ metadata: INCLUDE_ALL_METADATA
+ metadata_fields: null
+ name: subnet-psc-detailed
+ project: project-id
+ purpose: PRIVATE_SERVICE_CONNECT
+ region: europe-west4
+ role: null
+ timeouts: null
+ module.vpc.google_compute_subnetwork.subnetwork["europe-west1/subnet-detailed"]:
+ description: Sample description
ip_cidr_range: 10.0.0.0/24
ipv6_access_type: null
name: subnet-detailed
@@ -116,8 +132,8 @@ values:
region: europe-west8
role: null
timeouts: null
- ? module.vpc.google_compute_subnetwork_iam_binding.authoritative["europe-west1/subnet-detailed.roles/compute.networkUser"]
- : condition: []
+ module.vpc.google_compute_subnetwork_iam_binding.authoritative["europe-west1/subnet-detailed.roles/compute.networkUser"]:
+ condition: []
members:
- group:lorem@example.com
- serviceAccount:fbz@prj.iam.gserviceaccount.com
@@ -130,9 +146,9 @@ values:
counts:
google_compute_network: 1
google_compute_route: 3
- google_compute_subnetwork: 6
+ google_compute_subnetwork: 7
google_compute_subnetwork_iam_binding: 1
modules: 1
- resources: 11
+ resources: 12
outputs: {}
diff --git a/tests/modules/net_vpc/examples/proxy-only-subnets.yaml b/tests/modules/net_vpc/examples/proxy-only-subnets.yaml
index f36b6429e..a0731d858 100644
--- a/tests/modules/net_vpc/examples/proxy-only-subnets.yaml
+++ b/tests/modules/net_vpc/examples/proxy-only-subnets.yaml
@@ -44,7 +44,29 @@ values:
purpose: PRIVATE_SERVICE_CONNECT
region: europe-west1
role: null
+ module.vpc.google_compute_subnetwork.psc["europe-west1/psc-log"]:
+ description: Terraform-managed subnet for Private Service Connect (PSC NAT).
+ ip_cidr_range: 10.0.5.0/24
+ ip_collection: null
+ ipv6_access_type: null
+ log_config:
+ - aggregation_interval: INTERVAL_10_MIN
+ filter_expr: 'true'
+ flow_sampling: 0.5
+ metadata: INCLUDE_ALL_METADATA
+ metadata_fields: null
+ name: psc-log
+ network: my-network
+ params: []
+ project: project-id
+ purpose: PRIVATE_SERVICE_CONNECT
+ region: europe-west1
+ reserved_internal_range: null
+ role: null
counts:
google_compute_network: 1
- google_compute_subnetwork: 3
+ google_compute_route: 3
+ google_compute_subnetwork: 4
+ modules: 1
+ resources: 8