From cecce6b3a0898c518e640b0d98bea409313b162d Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Wed, 28 Aug 2024 11:24:13 +0200
Subject: [PATCH] Allow customizable prefix in net-vpc module PSA configs (#2535)

* allow customizable prefix in net-vpc module PSA configs
* fix peered domain key
---
 modules/net-vpc/README.md                    | 42 ++++++--
 modules/net-vpc/psa.tf                       | 10 +-
 modules/net-vpc/variables.tf                 |  1 +
 .../modules/net_vpc/examples/psa-prefix.yaml | 97 +++++++++++++++++++
 4 files changed, 137 insertions(+), 13 deletions(-)
 create mode 100644 tests/modules/net_vpc/examples/psa-prefix.yaml

diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md
index 5820afe5e..c89670a66 100644
--- a/modules/net-vpc/README.md
+++ b/modules/net-vpc/README.md
@@ -255,6 +255,28 @@ module "vpc" {
 # tftest modules=1 resources=7 inventory=psa.yaml e2e
 ```
 
+The module prefixes the PSA service to address range names, to disable this behaviour just set the `range_prefix` attribute in the PSA configuration:
+
+```hcl
+module "vpc" {
+  source = "./fabric/modules/net-vpc"
+  project_id = var.project_id
+  name = "my-network"
+  subnets = [
+    {
+      ip_cidr_range = "10.0.0.0/24"
+      name = "production"
+      region = "europe-west1"
+    }
+  ]
+  psa_configs = [{
+    ranges = { myrange = "10.0.1.0/24" }
+    range_prefix = ""
+  }]
+}
+# tftest modules=1 resources=7 inventory=psa-prefix.yaml e2e
+```
+
 ### Private Service Networking with peering routes and peered Cloud DNS domains
 
 Custom routes can be optionally exported/imported through the peering formed with the Google managed PSA VPC.
@@ -670,16 +692,16 @@ module "vpc" {
 | [network_attachments](variables.tf#L103) | PSC network attachments, names as keys. | map(object({…})) | | {} |
 | [peering_config](variables.tf#L116) | VPC peering configuration. | object({…}) | | null |
 | [policy_based_routes](variables.tf#L127) | Policy based routes, keyed by name. | map(object({…})) | | {} |
-| [psa_configs](variables.tf#L180) | The Private Service Access configuration. | list(object({…})) | | [] |
-| [routes](variables.tf#L210) | Network routes, keyed by name. | map(object({…})) | | {} |
-| [routing_mode](variables.tf#L231) | The network routing mode (default 'GLOBAL'). | string | | "GLOBAL" |
-| [shared_vpc_host](variables.tf#L241) | Enable shared VPC for this project. | bool | | false |
-| [shared_vpc_service_projects](variables.tf#L247) | Shared VPC service projects to register with this host. | list(string) | | [] |
-| [subnets](variables.tf#L253) | Subnet configuration. | list(object({…})) | | [] |
-| [subnets_private_nat](variables.tf#L300) | List of private NAT subnets. | list(object({…})) | | [] |
-| [subnets_proxy_only](variables.tf#L312) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] |
-| [subnets_psc](variables.tf#L346) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] |
-| [vpc_create](variables.tf#L378) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool | | true |
+| [psa_configs](variables.tf#L180) | The Private Service Access configuration. | list(object({…})) | | [] |
+| [routes](variables.tf#L211) | Network routes, keyed by name. | map(object({…})) | | {} |
+| [routing_mode](variables.tf#L232) | The network routing mode (default 'GLOBAL'). | string | | "GLOBAL" |
+| [shared_vpc_host](variables.tf#L242) | Enable shared VPC for this project. | bool | | false |
+| [shared_vpc_service_projects](variables.tf#L248) | Shared VPC service projects to register with this host. | list(string) | | [] |
+| [subnets](variables.tf#L254) | Subnet configuration. | list(object({…})) | | [] |
+| [subnets_private_nat](variables.tf#L301) | List of private NAT subnets. | list(object({…})) | | [] |
+| [subnets_proxy_only](variables.tf#L313) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] |
+| [subnets_psc](variables.tf#L347) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] |
+| [vpc_create](variables.tf#L379) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool | | true |
 
 ## Outputs
 
diff --git a/modules/net-vpc/psa.tf b/modules/net-vpc/psa.tf
index 913cebfb3..86f836f98 100644
--- a/modules/net-vpc/psa.tf
+++ b/modules/net-vpc/psa.tf
@@ -20,7 +20,7 @@ locals {
   _psa_configs_ranges = flatten([
     for config in local.psa_configs : [
       for k, v in config.ranges : {
-        key = "${config.key}-${k}"
+        key = "${config.key}${k}"
         value = v
       }
     ]
@@ -28,7 +28,7 @@ locals {
   _psa_peered_domains = flatten([
     for config in local.psa_configs : [
       for v in config.peered_domains : {
-        key = "${config.key}-${trimsuffix(replace(v, ".", "-"), "-")}"
+        key = "${config.key}${trimsuffix(replace(v, ".", "-"), "-")}"
         dns_suffix = v
         service_producer = config.service_producer
       }
@@ -36,7 +36,11 @@ locals {
   ])
   psa_configs = {
     for v in var.psa_configs : v.service_producer => merge(v, {
-      key = replace(v.service_producer, ".", "-")
+      key = (
+        v.range_prefix != null
+        ? (v.range_prefix == "" ? "" : "${v.range_prefix}-")
+        : format("%s-", replace(v.service_producer, ".", "-"))
+      )
     })
   }
   psa_configs_ranges = {
diff --git a/modules/net-vpc/variables.tf b/modules/net-vpc/variables.tf
index f866ed8f3..fcbc7843f 100644
--- a/modules/net-vpc/variables.tf
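Review bot: Once two `psa_configs` entries drop the prefix with `range_prefix = ""` (or share the same non-empty prefix), the per-producer part of `key` that kept `_psa_configs_ranges` and `_psa_peered_domains` entries distinct is gone, so a range name or peered domain repeated across entries yields identical keys in the first two hunks' `key = "${config.key}${k}"` and `key = "${config.key}${trimsuffix(replace(v, ".", "-"), "-")}"`. The maps built from those lists (`psa_configs_ranges = {` opens at the end of the third hunk, its body is outside it) presumably turn that into a generic duplicate-key error on the local, or silently keep one entry if they group with `...`; either way the user is not told that `range_prefix` is the cause. A `validation` block on `var.psa_configs` that recomputes the prefixed range names and peered domains the same way `key` does and asserts they are `distinct` would fail the plan with a message naming `range_prefix`, and the constraint belongs in the attribute description as well, e.g. `Range names and peered domains must be unique across configs that share or drop the prefix.`. The `locals` block holding all three hunks starts and ends outside them.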
+++ b/modules/net-vpc/variables.tf
@@ -185,6 +185,7 @@ variable "psa_configs" {
     export_routes = optional(bool, false)
     import_routes = optional(bool, false)
     peered_domains = optional(list(string), [])
+    range_prefix = optional(string)
     service_producer = optional(string, "servicenetworking.googleapis.com")
   }))
   nullable = false
diff --git a/tests/modules/net_vpc/examples/psa-prefix.yaml b/tests/modules/net_vpc/examples/psa-prefix.yaml
new file mode 100644
index 000000000..d939cd177
--- /dev/null
+++ b/tests/modules/net_vpc/examples/psa-prefix.yaml
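Review bot: `range_prefix = optional(string)` accepts any string, yet a non-empty value becomes the leading part of the `google_compute_global_address` names through the `"${v.range_prefix}-"` branch in psa.tf, so uppercase letters, dots or a leading digit pass `terraform plan` and only fail at apply with the API's resource-name error. A `validation` block on the variable that accepts null, the empty string, or a lowercase RFC1035-style fragment would move that failure to plan time with a message that names the attribute; a conservative pattern is sketched below. The `variable "psa_configs"` block starts and ends outside the hunk.
```hcl
variable "psa_configs" {
  # … unchanged: description, type (including range_prefix), nullable …
  validation {
    condition = alltrue([
      for c in var.psa_configs :
      c.range_prefix == null || can(regex("^([a-z]([-a-z0-9]*[a-z0-9])?)?$", c.range_prefix))
    ])
    error_message = "range_prefix must be null, empty, or a lowercase RFC1035 name fragment."
  }
```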
@@ -0,0 +1,97 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  ? module.vpc.google_compute_global_address.psa_ranges["myrange"]
+  : address: 10.0.1.0
+    address_type: INTERNAL
+    description: null
+    ip_version: null
+    name: myrange
+    prefix_length: 24
+    project: project-id
+    purpose: VPC_PEERING
+    timeouts: null
+  module.vpc.google_compute_network.network[0]:
+    auto_create_subnetworks: false
+    delete_default_routes_on_create: false
+    description: Terraform-managed.
+    enable_ula_internal_ipv6: null
+    name: my-network
+    network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
+    project: project-id
+    routing_mode: GLOBAL
+    timeouts: null
+  ? module.vpc.google_compute_network_peering_routes_config.psa_routes["servicenetworking.googleapis.com"]
+  : export_custom_routes: false
+    import_custom_routes: false
+    network: my-network
+    project: project-id
+    timeouts: null
+  module.vpc.google_compute_route.gateway["private-googleapis"]:
+    description: Terraform-managed.
+    dest_range: 199.36.153.8/30
+    name: my-network-private-googleapis
+    network: my-network
+    next_hop_gateway: default-internet-gateway
+    next_hop_ilb: null
+    next_hop_instance: null
+    next_hop_vpn_tunnel: null
+    priority: 1000
+    project: project-id
+    tags: null
+    timeouts: null
+  module.vpc.google_compute_route.gateway["restricted-googleapis"]:
+    description: Terraform-managed.
+    dest_range: 199.36.153.4/30
+    name: my-network-restricted-googleapis
+    network: my-network
+    next_hop_gateway: default-internet-gateway
+    next_hop_ilb: null
+    next_hop_instance: null
+    next_hop_vpn_tunnel: null
+    priority: 1000
+    project: project-id
+    tags: null
+    timeouts: null
+  module.vpc.google_compute_subnetwork.subnetwork["europe-west1/production"]:
+    description: Terraform-managed.
+    ip_cidr_range: 10.0.0.0/24
+    ipv6_access_type: null
+    log_config: []
+    name: production
+    network: my-network
+    private_ip_google_access: true
+    project: project-id
+    region: europe-west1
+    role: null
+    timeouts: null
+  ? module.vpc.google_service_networking_connection.psa_connection["servicenetworking.googleapis.com"]
+  : deletion_policy: null
+    reserved_peering_ranges:
+    - myrange
+    service: servicenetworking.googleapis.com
+    timeouts: null
+
+counts:
+  google_compute_global_address: 1
+  google_compute_network: 1
+  google_compute_network_peering_routes_config: 1
+  google_compute_route: 2
+  google_compute_subnetwork: 1
+  google_service_networking_connection: 1
+  modules: 1
+  resources: 7
+
+outputs: {}