Add support to VPC flow logs for PSC subnet (#3639)
committed by
GitHub
parent
6a2a80786f
commit
ca413b8aa8
@@ -409,10 +409,19 @@ module "vpc" {
|
|||||||
ip_cidr_range = "10.0.3.0/24"
|
ip_cidr_range = "10.0.3.0/24"
|
||||||
name = "psc"
|
name = "psc"
|
||||||
region = "europe-west1"
|
region = "europe-west1"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
ip_cidr_range = "10.0.5.0/24"
|
||||||
|
name = "psc-log"
|
||||||
|
region = "europe-west1",
|
||||||
|
flow_logs_config = {
|
||||||
|
flow_sampling = 0.5
|
||||||
|
aggregation_interval = "INTERVAL_10_MIN"
|
||||||
|
}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
# tftest modules=1 resources=7 inventory=proxy-only-subnets.yaml e2e
|
# tftest modules=1 inventory=proxy-only-subnets.yaml e2e
|
||||||
```
|
```
|
||||||
|
|
||||||
### PSC Network Attachments
|
### PSC Network Attachments
|
||||||
@@ -496,7 +505,7 @@ module "vpc" {
|
|||||||
subnets_folder = "config/subnets"
|
subnets_folder = "config/subnets"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
# tftest modules=1 resources=11 files=subnet-simple,subnet-simple-2,subnet-detailed,subnet-proxy,subnet-proxy-global,subnet-psc inventory=factory.yaml
|
# tftest files=subnet-simple,subnet-simple-2,subnet-detailed,subnet-proxy,subnet-proxy-global,subnet-psc,subnet-psc-detailed inventory=factory.yaml
|
||||||
```
|
```
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
@@ -562,6 +571,18 @@ psc: true
|
|||||||
# tftest-file id=subnet-psc path=config/subnets/subnet-psc.yaml schema=subnet.schema.json
|
# tftest-file id=subnet-psc path=config/subnets/subnet-psc.yaml schema=subnet.schema.json
|
||||||
```
|
```
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
region: europe-west4
|
||||||
|
ip_cidr_range: 10.2.0.0/24
|
||||||
|
psc: true
|
||||||
|
flow_logs_config: # enable, set to empty map to use defaults
|
||||||
|
aggregation_interval: "INTERVAL_5_SEC"
|
||||||
|
flow_sampling: 0.5
|
||||||
|
metadata: "INCLUDE_ALL_METADATA"
|
||||||
|
|
||||||
|
# tftest-file id=subnet-psc-detailed path=config/subnets/subnet-psc-detailed.yaml schema=subnet.schema.json
|
||||||
|
```
|
||||||
|
|
||||||
### Custom Routes
|
### Custom Routes
|
||||||
|
|
||||||
VPC routes can be configured through the `routes` variable.
|
VPC routes can be configured through the `routes` variable.
|
||||||
@@ -924,8 +945,8 @@ secondary_ip_ranges:
|
|||||||
| [subnets](variables.tf#L341) | Subnet configuration. | <code title="list(object({ name = string ip_cidr_range = optional(string) region = string description = optional(string) enable_private_access = optional(bool, true) allow_subnet_cidr_routes_overlap = optional(bool, null) reserved_internal_range = optional(string) flow_logs_config = optional(object({ aggregation_interval = optional(string) filter_expression = optional(string) flow_sampling = optional(number) metadata = optional(string) metadata_fields = optional(list(string)) })) ipv6 = optional(object({ access_type = optional(string, "INTERNAL") ipv6_only = optional(bool, false) })) ip_collection = optional(string, null) secondary_ip_ranges = optional(map(object({ ip_cidr_range = optional(string) reserved_internal_range = optional(string) }))) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ role = string members = list(string) condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) }))">list(object({…}))</code> | | <code>[]</code> |
|
| [subnets](variables.tf#L341) | Subnet configuration. | <code title="list(object({ name = string ip_cidr_range = optional(string) region = string description = optional(string) enable_private_access = optional(bool, true) allow_subnet_cidr_routes_overlap = optional(bool, null) reserved_internal_range = optional(string) flow_logs_config = optional(object({ aggregation_interval = optional(string) filter_expression = optional(string) flow_sampling = optional(number) metadata = optional(string) metadata_fields = optional(list(string)) })) ipv6 = optional(object({ access_type = optional(string, "INTERNAL") ipv6_only = optional(bool, false) })) ip_collection = optional(string, null) secondary_ip_ranges = optional(map(object({ ip_cidr_range = optional(string) reserved_internal_range = optional(string) }))) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ role = string members = list(string) condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||||
| [subnets_private_nat](variables.tf#L421) | List of private NAT subnets. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) }))">list(object({…}))</code> | | <code>[]</code> |
|
| [subnets_private_nat](variables.tf#L421) | List of private NAT subnets. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||||
| [subnets_proxy_only](variables.tf#L433) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) active = optional(bool, true) global = optional(bool, false) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ role = string members = list(string) condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) }))">list(object({…}))</code> | | <code>[]</code> |
|
| [subnets_proxy_only](variables.tf#L433) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) active = optional(bool, true) global = optional(bool, false) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ role = string members = list(string) condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||||
| [subnets_psc](variables.tf#L467) | List of subnets for Private Service Connect service producers. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ role = string members = list(string) condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) }))">list(object({…}))</code> | | <code>[]</code> |
|
| [subnets_psc](variables.tf#L467) | List of subnets for Private Service Connect service producers. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) flow_logs_config = optional(object({ aggregation_interval = optional(string) filter_expression = optional(string) flow_sampling = optional(number) metadata = optional(string) metadata_fields = optional(list(string)) })) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ role = string members = list(string) condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||||
| [vpc_reuse](variables.tf#L499) | Reuse existing VPC if not null. If the network_id number is not passed in, a data source is used. | <code title="object({ use_data_source = optional(bool, true) attributes = optional(object({ network_id = number })) })">object({…})</code> | | <code>null</code> |
|
| [vpc_reuse](variables.tf#L507) | Reuse existing VPC if not null. If the network_id number is not passed in, a data source is used. | <code title="object({ use_data_source = optional(bool, true) attributes = optional(object({ network_id = number })) })">object({…})</code> | | <code>null</code> |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|||||||
@@ -297,6 +297,20 @@ resource "google_compute_subnetwork" "psc" {
|
|||||||
: each.value.description
|
: each.value.description
|
||||||
)
|
)
|
||||||
purpose = "PRIVATE_SERVICE_CONNECT"
|
purpose = "PRIVATE_SERVICE_CONNECT"
|
||||||
|
dynamic "log_config" {
|
||||||
|
for_each = each.value.flow_logs_config != null ? [""] : []
|
||||||
|
content {
|
||||||
|
aggregation_interval = each.value.flow_logs_config.aggregation_interval
|
||||||
|
filter_expr = each.value.flow_logs_config.filter_expression
|
||||||
|
flow_sampling = each.value.flow_logs_config.flow_sampling
|
||||||
|
metadata = each.value.flow_logs_config.metadata
|
||||||
|
metadata_fields = (
|
||||||
|
each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
|
||||||
|
? each.value.flow_logs_config.metadata_fields
|
||||||
|
: null
|
||||||
|
)
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
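Review bot: The new `log_config` block forwards `filter_expression` unchanged even when it is null, and the expected inventories in this commit show the provider substituting its own default in that case (`filter_expr: "true"`), so a one-line comment would stop the next reader from adding a redundant `coalesce`: `# null attributes are left to provider defaults (e.g. filter_expr becomes "true")`. The `metadata_fields` ternary also silently discards any configured fields unless `metadata == "CUSTOM_METADATA"`; a comment such as `# provider rejects metadata_fields unless metadata is CUSTOM_METADATA` would make that intent explicit rather than leaving it to be inferred from the variable comment. The `google_compute_subnetwork.psc` resource starts before this hunk, so I cannot confirm whether the same block in the sibling `subnetwork` resource carries these notes already.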
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -471,6 +471,14 @@ variable "subnets_psc" {
|
|||||||
ip_cidr_range = string
|
ip_cidr_range = string
|
||||||
region = string
|
region = string
|
||||||
description = optional(string)
|
description = optional(string)
|
||||||
|
flow_logs_config = optional(object({
|
||||||
|
aggregation_interval = optional(string)
|
||||||
|
filter_expression = optional(string)
|
||||||
|
flow_sampling = optional(number)
|
||||||
|
metadata = optional(string)
|
||||||
|
# only if metadata == "CUSTOM_METADATA"
|
||||||
|
metadata_fields = optional(list(string))
|
||||||
|
}))
|
||||||
|
|
||||||
iam = optional(map(list(string)), {})
|
iam = optional(map(list(string)), {})
|
||||||
iam_bindings = optional(map(object({
|
iam_bindings = optional(map(object({
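Review bot: The new `flow_logs_config` attribute is documented with `# only if metadata == "CUSTOM_METADATA"` but nothing enforces it, so a subnet with `metadata = "CUSTOM_METADATA"` and no `metadata_fields` passes variable validation and only fails at apply time, after the rest of the plan has been built. A `validation` block on `variable "subnets_psc"` would surface the mistake at plan time; the variable declaration begins before and ends after this hunk, so the block below goes after its `type` (and the sibling `subnets` variable may already have an equivalent check I cannot see from here — if so, mirror its wording).

```hcl
  # … unchanged: description, type (with the new flow_logs_config attribute), default …
  validation {
    condition = alltrue([
      for s in var.subnets_psc :
      try(s.flow_logs_config.metadata, null) != "CUSTOM_METADATA"
      || try(s.flow_logs_config.metadata_fields, null) != null
    ])
    error_message = "flow_logs_config.metadata_fields is required when metadata is CUSTOM_METADATA."
  }
```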
|
||||||
|
|||||||
@@ -59,8 +59,8 @@ values:
|
|||||||
region: europe-west4
|
region: europe-west4
|
||||||
role: ACTIVE
|
role: ACTIVE
|
||||||
timeouts: null
|
timeouts: null
|
||||||
? module.vpc.google_compute_subnetwork.proxy_only["australia-southeast2/subnet-proxy-global"]
|
module.vpc.google_compute_subnetwork.proxy_only["australia-southeast2/subnet-proxy-global"]:
|
||||||
: description: Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB.
|
description: Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB.
|
||||||
ip_cidr_range: 10.4.0.0/24
|
ip_cidr_range: 10.4.0.0/24
|
||||||
ipv6_access_type: null
|
ipv6_access_type: null
|
||||||
log_config: []
|
log_config: []
|
||||||
@@ -81,8 +81,24 @@ values:
|
|||||||
region: europe-west4
|
region: europe-west4
|
||||||
role: null
|
role: null
|
||||||
timeouts: null
|
timeouts: null
|
||||||
? module.vpc.google_compute_subnetwork.subnetwork["europe-west1/subnet-detailed"]
|
module.vpc.google_compute_subnetwork.psc["europe-west4/subnet-psc-detailed"]:
|
||||||
: description: Sample description
|
description: Terraform-managed subnet for Private Service Connect (PSC NAT).
|
||||||
|
ip_cidr_range: 10.2.0.0/24
|
||||||
|
ipv6_access_type: null
|
||||||
|
log_config:
|
||||||
|
- aggregation_interval: INTERVAL_5_SEC
|
||||||
|
filter_expr: "true"
|
||||||
|
flow_sampling: 0.5
|
||||||
|
metadata: INCLUDE_ALL_METADATA
|
||||||
|
metadata_fields: null
|
||||||
|
name: subnet-psc-detailed
|
||||||
|
project: project-id
|
||||||
|
purpose: PRIVATE_SERVICE_CONNECT
|
||||||
|
region: europe-west4
|
||||||
|
role: null
|
||||||
|
timeouts: null
|
||||||
|
module.vpc.google_compute_subnetwork.subnetwork["europe-west1/subnet-detailed"]:
|
||||||
|
description: Sample description
|
||||||
ip_cidr_range: 10.0.0.0/24
|
ip_cidr_range: 10.0.0.0/24
|
||||||
ipv6_access_type: null
|
ipv6_access_type: null
|
||||||
name: subnet-detailed
|
name: subnet-detailed
|
||||||
@@ -116,8 +132,8 @@ values:
|
|||||||
region: europe-west8
|
region: europe-west8
|
||||||
role: null
|
role: null
|
||||||
timeouts: null
|
timeouts: null
|
||||||
? module.vpc.google_compute_subnetwork_iam_binding.authoritative["europe-west1/subnet-detailed.roles/compute.networkUser"]
|
module.vpc.google_compute_subnetwork_iam_binding.authoritative["europe-west1/subnet-detailed.roles/compute.networkUser"]:
|
||||||
: condition: []
|
condition: []
|
||||||
members:
|
members:
|
||||||
- group:lorem@example.com
|
- group:lorem@example.com
|
||||||
- serviceAccount:fbz@prj.iam.gserviceaccount.com
|
- serviceAccount:fbz@prj.iam.gserviceaccount.com
|
||||||
@@ -130,9 +146,9 @@ values:
|
|||||||
counts:
|
counts:
|
||||||
google_compute_network: 1
|
google_compute_network: 1
|
||||||
google_compute_route: 3
|
google_compute_route: 3
|
||||||
google_compute_subnetwork: 6
|
google_compute_subnetwork: 7
|
||||||
google_compute_subnetwork_iam_binding: 1
|
google_compute_subnetwork_iam_binding: 1
|
||||||
modules: 1
|
modules: 1
|
||||||
resources: 11
|
resources: 12
|
||||||
|
|
||||||
outputs: {}
|
outputs: {}
|
||||||
|
|||||||
@@ -44,7 +44,29 @@ values:
|
|||||||
purpose: PRIVATE_SERVICE_CONNECT
|
purpose: PRIVATE_SERVICE_CONNECT
|
||||||
region: europe-west1
|
region: europe-west1
|
||||||
role: null
|
role: null
|
||||||
|
module.vpc.google_compute_subnetwork.psc["europe-west1/psc-log"]:
|
||||||
|
description: Terraform-managed subnet for Private Service Connect (PSC NAT).
|
||||||
|
ip_cidr_range: 10.0.5.0/24
|
||||||
|
ip_collection: null
|
||||||
|
ipv6_access_type: null
|
||||||
|
log_config:
|
||||||
|
- aggregation_interval: INTERVAL_10_MIN
|
||||||
|
filter_expr: 'true'
|
||||||
|
flow_sampling: 0.5
|
||||||
|
metadata: INCLUDE_ALL_METADATA
|
||||||
|
metadata_fields: null
|
||||||
|
name: psc-log
|
||||||
|
network: my-network
|
||||||
|
params: []
|
||||||
|
project: project-id
|
||||||
|
purpose: PRIVATE_SERVICE_CONNECT
|
||||||
|
region: europe-west1
|
||||||
|
reserved_internal_range: null
|
||||||
|
role: null
|
||||||
|
|
||||||
counts:
|
counts:
|
||||||
google_compute_network: 1
|
google_compute_network: 1
|
||||||
google_compute_subnetwork: 3
|
google_compute_route: 3
|
||||||
|
google_compute_subnetwork: 4
|
||||||
|
modules: 1
|
||||||
|
resources: 8
|
||||||
|
|||||||