Allow customizable prefix in net-vpc module PSA configs (#2535)
* allow customizable prefix in net-vpc module PSA configs * fix peered domain key
committed by
GitHub
parent
864a41cb20
commit
cecce6b3a0
@@ -255,6 +255,28 @@ module "vpc" {
|
||||
# tftest modules=1 resources=7 inventory=psa.yaml e2e
|
||||
```
|
||||
|
||||
The module prefixes the PSA service to address range names, to disable this behaviour just set the `range_prefix` attribute in the PSA configuration:
|
||||
|
||||
```hcl
|
||||
module "vpc" {
|
||||
source = "./fabric/modules/net-vpc"
|
||||
project_id = var.project_id
|
||||
name = "my-network"
|
||||
subnets = [
|
||||
{
|
||||
ip_cidr_range = "10.0.0.0/24"
|
||||
name = "production"
|
||||
region = "europe-west1"
|
||||
}
|
||||
]
|
||||
psa_configs = [{
|
||||
ranges = { myrange = "10.0.1.0/24" }
|
||||
range_prefix = ""
|
||||
}]
|
||||
}
|
||||
# tftest modules=1 resources=7 inventory=psa-prefix.yaml e2e
|
||||
```
|
||||
|
||||
### Private Service Networking with peering routes and peered Cloud DNS domains
|
||||
|
||||
Custom routes can be optionally exported/imported through the peering formed with the Google managed PSA VPC.
|
||||
@@ -670,16 +692,16 @@ module "vpc" {
|
||||
| [network_attachments](variables.tf#L103) | PSC network attachments, names as keys. | <code title="map(object({ subnet = string automatic_connection = optional(bool, false) description = optional(string, "Terraform-managed.") producer_accept_lists = optional(list(string)) producer_reject_lists = optional(list(string)) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [peering_config](variables.tf#L116) | VPC peering configuration. | <code title="object({ peer_vpc_self_link = string create_remote_peer = optional(bool, true) export_routes = optional(bool) import_routes = optional(bool) })">object({…})</code> | | <code>null</code> |
|
||||
| [policy_based_routes](variables.tf#L127) | Policy based routes, keyed by name. | <code title="map(object({ description = optional(string, "Terraform-managed.") labels = optional(map(string)) priority = optional(number) next_hop_ilb_ip = optional(string) use_default_routing = optional(bool, false) filter = optional(object({ ip_protocol = optional(string) dest_range = optional(string) src_range = optional(string) }), {}) target = optional(object({ interconnect_attachment = optional(string) tags = optional(list(string)) }), {}) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [psa_configs](variables.tf#L180) | The Private Service Access configuration. | <code title="list(object({ deletion_policy = optional(string, null) ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) service_producer = optional(string, "servicenetworking.googleapis.com") }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [routes](variables.tf#L210) | Network routes, keyed by name. | <code title="map(object({ description = optional(string, "Terraform-managed.") dest_range = string next_hop_type = string # gateway, instance, ip, vpn_tunnel, ilb next_hop = string priority = optional(number) tags = optional(list(string)) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [routing_mode](variables.tf#L231) | The network routing mode (default 'GLOBAL'). | <code>string</code> | | <code>"GLOBAL"</code> |
|
||||
| [shared_vpc_host](variables.tf#L241) | Enable shared VPC for this project. | <code>bool</code> | | <code>false</code> |
|
||||
| [shared_vpc_service_projects](variables.tf#L247) | Shared VPC service projects to register with this host. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [subnets](variables.tf#L253) | Subnet configuration. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) enable_private_access = optional(bool, true) allow_subnet_cidr_routes_overlap = optional(bool, null) flow_logs_config = optional(object({ aggregation_interval = optional(string) filter_expression = optional(string) flow_sampling = optional(number) metadata = optional(string) metadata_fields = optional(list(string)) })) ipv6 = optional(object({ access_type = optional(string, "INTERNAL") })) secondary_ip_ranges = optional(map(string)) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ role = string members = list(string) condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [subnets_private_nat](variables.tf#L300) | List of private NAT subnets. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [subnets_proxy_only](variables.tf#L312) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) active = optional(bool, true) global = optional(bool, false) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ role = string members = list(string) condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [subnets_psc](variables.tf#L346) | List of subnets for Private Service Connect service producers. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ role = string members = list(string) condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [vpc_create](variables.tf#L378) | Create VPC. When set to false, uses a data source to reference existing VPC. | <code>bool</code> | | <code>true</code> |
|
||||
| [psa_configs](variables.tf#L180) | The Private Service Access configuration. | <code title="list(object({ deletion_policy = optional(string, null) ranges = map(string) export_routes = optional(bool, false) import_routes = optional(bool, false) peered_domains = optional(list(string), []) range_prefix = optional(string) service_producer = optional(string, "servicenetworking.googleapis.com") }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [routes](variables.tf#L211) | Network routes, keyed by name. | <code title="map(object({ description = optional(string, "Terraform-managed.") dest_range = string next_hop_type = string # gateway, instance, ip, vpn_tunnel, ilb next_hop = string priority = optional(number) tags = optional(list(string)) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [routing_mode](variables.tf#L232) | The network routing mode (default 'GLOBAL'). | <code>string</code> | | <code>"GLOBAL"</code> |
|
||||
| [shared_vpc_host](variables.tf#L242) | Enable shared VPC for this project. | <code>bool</code> | | <code>false</code> |
|
||||
| [shared_vpc_service_projects](variables.tf#L248) | Shared VPC service projects to register with this host. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [subnets](variables.tf#L254) | Subnet configuration. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) enable_private_access = optional(bool, true) allow_subnet_cidr_routes_overlap = optional(bool, null) flow_logs_config = optional(object({ aggregation_interval = optional(string) filter_expression = optional(string) flow_sampling = optional(number) metadata = optional(string) metadata_fields = optional(list(string)) })) ipv6 = optional(object({ access_type = optional(string, "INTERNAL") })) secondary_ip_ranges = optional(map(string)) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ role = string members = list(string) condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [subnets_private_nat](variables.tf#L301) | List of private NAT subnets. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [subnets_proxy_only](variables.tf#L313) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) active = optional(bool, true) global = optional(bool, false) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ role = string members = list(string) condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [subnets_psc](variables.tf#L347) | List of subnets for Private Service Connect service producers. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ role = string members = list(string) condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [vpc_create](variables.tf#L379) | Create VPC. When set to false, uses a data source to reference existing VPC. | <code>bool</code> | | <code>true</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
||||
@@ -20,7 +20,7 @@ locals {
|
||||
_psa_configs_ranges = flatten([
|
||||
for config in local.psa_configs : [
|
||||
for k, v in config.ranges : {
|
||||
key = "${config.key}-${k}"
|
||||
key = "${config.key}${k}"
|
||||
value = v
|
||||
}
|
||||
]
|
||||
@@ -28,7 +28,7 @@ locals {
|
||||
_psa_peered_domains = flatten([
|
||||
for config in local.psa_configs : [
|
||||
for v in config.peered_domains : {
|
||||
key = "${config.key}-${trimsuffix(replace(v, ".", "-"), "-")}"
|
||||
key = "${config.key}${trimsuffix(replace(v, ".", "-"), "-")}"
|
||||
dns_suffix = v
|
||||
service_producer = config.service_producer
|
||||
}
|
||||
@@ -36,7 +36,11 @@ locals {
|
||||
])
|
||||
psa_configs = {
|
||||
for v in var.psa_configs : v.service_producer => merge(v, {
|
||||
key = replace(v.service_producer, ".", "-")
|
||||
key = (
|
||||
v.range_prefix != null
|
||||
? (v.range_prefix == "" ? "" : "${v.range_prefix}-")
|
||||
: format("%s-", replace(v.service_producer, ".", "-"))
|
||||
)
|
||||
})
|
||||
}
|
||||
psa_configs_ranges = {
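Review bot: With `range_prefix = ""` the computed `key` is an empty string, so the keys built at `key = "${config.key}${k}"` and `key = "${config.key}${trimsuffix(replace(v, ".", "-"), "-")}"` collapse to the bare range name or domain, and two `psa_configs` entries (different `service_producer`) that reuse a range key or peer the same domain now yield identical keys — presumably a plan-time duplicate-key error from the `for` maps that follow (`psa_configs_ranges` continues past the hunk) that never mentions `range_prefix`; the same applies to two entries given the same non-empty prefix. A guard that names the cause would help, e.g. a `lifecycle { precondition { … } }` on the range resource asserting `length(distinct([for c in local.psa_configs : c.key])) == length(local.psa_configs)` with an error message pointing at `range_prefix`. `key` now holds a name prefix with a trailing `-` rather than a lookup key, which the name no longer conveys; a comment at the `key = (` line such as `# name prefix for ranges and peered-domain keys; null derives it from service_producer, "" disables it` would save the next reader a trip to the README. The added inventory `psa-prefix.yaml` only pins the empty-prefix branch (`name: myrange`); a second example with `range_prefix = "psa"` expecting `name: psa-myrange` would cover the custom-prefix case the title advertises.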
|
||||
|
||||
@@ -185,6 +185,7 @@ variable "psa_configs" {
|
||||
export_routes = optional(bool, false)
|
||||
import_routes = optional(bool, false)
|
||||
peered_domains = optional(list(string), [])
|
||||
range_prefix = optional(string)
|
||||
service_producer = optional(string, "servicenetworking.googleapis.com")
|
||||
}))
|
||||
nullable = false
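Review bot: `range_prefix` is accepted as any string but lands verbatim in the `google_compute_global_address` name (the new inventory shows `name: myrange` for the empty prefix), so an uppercase letter, a leading digit, a trailing hyphen (which becomes `--` once the module appends `-`) or a prefix long enough to push the full name past 63 characters only fails at apply time with the API's error; `variable "psa_configs"` opens before this hunk, so the validation below sits next to its `nullable = false`. It restricts a non-null, non-empty prefix to the GCE resource-name character set and leaves `null` (producer-derived prefix) and `""` (no prefix) untouched; `can()` traps the null-argument error from `regex`, so the expression is safe whether or not `||` short-circuits in the Terraform version in use. Total name length is not checked here because it depends on each entry's range keys. A comment on the attribute line, `range_prefix = optional(string) # null: "<service_producer>-"; "": no prefix; else "<prefix>-"`, would also document the three-way semantics the README only partly spells out.

```hcl
  # … unchanged: type = list(object({ … range_prefix = optional(string) … })) …
  nullable = false
  validation {
    condition = alltrue([
      for c in var.psa_configs : (
        c.range_prefix == null || c.range_prefix == "" ||
        can(regex("^[a-z]([-a-z0-9]*[a-z0-9])?$", c.range_prefix))
      )
    ])
    error_message = "range_prefix must be null, empty, or lowercase letters, digits and hyphens, starting with a letter and not ending with a hyphen."
  }
```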
|
||||
|
||||
97
tests/modules/net_vpc/examples/psa-prefix.yaml
Normal file
97
tests/modules/net_vpc/examples/psa-prefix.yaml
Normal file
@@ -0,0 +1,97 @@
|
||||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
? module.vpc.google_compute_global_address.psa_ranges["myrange"]
|
||||
: address: 10.0.1.0
|
||||
address_type: INTERNAL
|
||||
description: null
|
||||
ip_version: null
|
||||
name: myrange
|
||||
prefix_length: 24
|
||||
project: project-id
|
||||
purpose: VPC_PEERING
|
||||
timeouts: null
|
||||
module.vpc.google_compute_network.network[0]:
|
||||
auto_create_subnetworks: false
|
||||
delete_default_routes_on_create: false
|
||||
description: Terraform-managed.
|
||||
enable_ula_internal_ipv6: null
|
||||
name: my-network
|
||||
network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
|
||||
project: project-id
|
||||
routing_mode: GLOBAL
|
||||
timeouts: null
|
||||
? module.vpc.google_compute_network_peering_routes_config.psa_routes["servicenetworking.googleapis.com"]
|
||||
: export_custom_routes: false
|
||||
import_custom_routes: false
|
||||
network: my-network
|
||||
project: project-id
|
||||
timeouts: null
|
||||
module.vpc.google_compute_route.gateway["private-googleapis"]:
|
||||
description: Terraform-managed.
|
||||
dest_range: 199.36.153.8/30
|
||||
name: my-network-private-googleapis
|
||||
network: my-network
|
||||
next_hop_gateway: default-internet-gateway
|
||||
next_hop_ilb: null
|
||||
next_hop_instance: null
|
||||
next_hop_vpn_tunnel: null
|
||||
priority: 1000
|
||||
project: project-id
|
||||
tags: null
|
||||
timeouts: null
|
||||
module.vpc.google_compute_route.gateway["restricted-googleapis"]:
|
||||
description: Terraform-managed.
|
||||
dest_range: 199.36.153.4/30
|
||||
name: my-network-restricted-googleapis
|
||||
network: my-network
|
||||
next_hop_gateway: default-internet-gateway
|
||||
next_hop_ilb: null
|
||||
next_hop_instance: null
|
||||
next_hop_vpn_tunnel: null
|
||||
priority: 1000
|
||||
project: project-id
|
||||
tags: null
|
||||
timeouts: null
|
||||
module.vpc.google_compute_subnetwork.subnetwork["europe-west1/production"]:
|
||||
description: Terraform-managed.
|
||||
ip_cidr_range: 10.0.0.0/24
|
||||
ipv6_access_type: null
|
||||
log_config: []
|
||||
name: production
|
||||
network: my-network
|
||||
private_ip_google_access: true
|
||||
project: project-id
|
||||
region: europe-west1
|
||||
role: null
|
||||
timeouts: null
|
||||
? module.vpc.google_service_networking_connection.psa_connection["servicenetworking.googleapis.com"]
|
||||
: deletion_policy: null
|
||||
reserved_peering_ranges:
|
||||
- myrange
|
||||
service: servicenetworking.googleapis.com
|
||||
timeouts: null
|
||||
|
||||
counts:
|
||||
google_compute_global_address: 1
|
||||
google_compute_network: 1
|
||||
google_compute_network_peering_routes_config: 1
|
||||
google_compute_route: 2
|
||||
google_compute_subnetwork: 1
|
||||
google_service_networking_connection: 1
|
||||
modules: 1
|
||||
resources: 7
|
||||
|
||||
outputs: {}
|
||||