From d2015b0bc31cabd4eb70cd5f1c23c928d26c5500 Mon Sep 17 00:00:00 2001 From: Ludovico Magnocavallo Date: Sat, 10 Dec 2022 15:40:15 +0100 Subject: [PATCH] Assorted module fixes (#1045) * net-ilb-l7 use both neg types in backends * run example tests on cloud-config-container modules * streamline nginx-tls cos module * add tests for cos modules * tfdoc * onprem needs fixing, links * disable test * test --- blueprints/README.md | 2 +- .../unmanaged-instances-healthcheck/main.tf | 40 ++++--- blueprints/networking/README.md | 7 +- .../{_deprecated => __need_fixing}/README.md | 0 .../nginx-reverse-proxy-cluster/Dockerfile | 0 .../nginx-reverse-proxy-cluster/README.md | 0 .../nginx-reverse-proxy-cluster/main.tf | 0 .../nginx-reverse-proxy-cluster/outputs.tf | 0 .../reverse-proxy.png | Bin .../nginx-reverse-proxy-cluster/variables.tf | 0 .../nginx-reverse-proxy-cluster/versions.tf | 0 .../onprem-google-access-dns/README.md | 6 +- .../onprem-google-access-dns/assets/Corefile | 0 .../backend.tf.sample | 0 .../onprem-google-access-dns/diagram.png | Bin .../onprem-google-access-dns/main.tf | 0 .../onprem-google-access-dns/outputs.tf | 0 .../onprem-google-access-dns/variables.tf | 0 .../onprem-google-access-dns/versions.tf | 0 modules/cloud-config-container/README.md | 6 +- .../{ => __need_fixing}/onprem/Corefile | 0 .../{ => __need_fixing}/onprem/README.md | 48 +++++---- .../onprem/cloud-config.yaml | 0 .../onprem/docker-images/README.md | 0 .../docker-images/strongswan/Dockerfile | 0 .../onprem/docker-images/strongswan/README.md | 0 .../docker-images/strongswan/cloudbuild.yaml | 0 .../docker-images/strongswan/entrypoint.sh | 0 .../docker-images/strongswan/ipsec-vti.sh | 0 .../onprem/docker-images/toolbox/Dockerfile | 0 .../onprem/docker-images/toolbox/README.md | 0 .../docker-images/toolbox/cloudbuild.yaml | 0 .../docker-images/toolbox/entrypoint.sh | 0 .../{ => __need_fixing}/onprem/main.tf | 0 .../{ => __need_fixing}/onprem/outputs.tf | 0 .../onprem/static-vpn-gw-cloud-init.yaml | 0 .../{ => __need_fixing}/onprem/variables.tf | 6 +- .../{ => __need_fixing}/onprem/versions.tf | 0 .../cloud-config-container/coredns/README.md | 42 ++++---- .../coredns/instance.tf | 1 - .../coredns/outputs-instance.tf | 1 - .../coredns/variables-instance.tf | 1 - .../cos-generic-metadata/README.md | 25 ++--- .../envoy-traffic-director/README.md | 21 ++-- modules/cloud-config-container/instance.tf | 101 ------------------ .../cloud-config-container/mysql/README.md | 46 ++++---- .../cloud-config-container/mysql/instance.tf | 1 - .../mysql/outputs-instance.tf | 1 - .../mysql/variables-instance.tf | 1 - .../nginx-tls/README.md | 35 ++---- .../nginx-tls/assets/cloud-config.yaml | 63 +++++++++++ .../nginx-tls/{files => assets}/customize.sh | 8 +- .../nginx-tls/assets/default.conf | 24 +++++ .../nginx-tls/files/default.conf | 20 ---- .../cloud-config-container/nginx-tls/main.tf | 70 ------------ .../nginx-tls/outputs.tf | 20 +++- .../nginx-tls/variables.tf | 40 +++---- .../cloud-config-container/nginx/README.md | 38 +++---- .../cloud-config-container/nginx/instance.tf | 1 - .../nginx/outputs-instance.tf | 1 - .../nginx/variables-instance.tf | 1 - .../cloud-config-container/onprem/instance.tf | 1 - .../onprem/outputs-instance.tf | 1 - .../onprem/variables-instance.tf | 1 - .../outputs-instance.tf | 28 ----- .../simple-nva/README.md | 49 ++++----- .../simple-nva/instance.tf | 1 - .../simple-nva/outputs-instance.tf | 1 - .../simple-nva/variables-instance.tf | 1 - .../cloud-config-container/squid/README.md | 42 +++----- .../cloud-config-container/squid/instance.tf | 1 - .../squid/outputs-instance.tf | 1 - .../squid/variables-instance.tf | 1 - .../variables-instance.tf | 54 ---------- modules/net-ilb-l7/backend-service.tf | 3 + .../test_plan.py | 2 +- .../{test_plan.py => test_plan.py.disabled} | 0 tests/examples/conftest.py | 6 +- 78 files changed, 309 insertions(+), 561 deletions(-) rename blueprints/networking/{_deprecated => __need_fixing}/README.md (100%) rename blueprints/networking/{_deprecated => __need_fixing}/nginx-reverse-proxy-cluster/Dockerfile (100%) rename blueprints/networking/{_deprecated => __need_fixing}/nginx-reverse-proxy-cluster/README.md (100%) rename blueprints/networking/{_deprecated => __need_fixing}/nginx-reverse-proxy-cluster/main.tf (100%) rename blueprints/networking/{_deprecated => __need_fixing}/nginx-reverse-proxy-cluster/outputs.tf (100%) rename blueprints/networking/{_deprecated => __need_fixing}/nginx-reverse-proxy-cluster/reverse-proxy.png (100%) rename blueprints/networking/{_deprecated => __need_fixing}/nginx-reverse-proxy-cluster/variables.tf (100%) rename blueprints/networking/{_deprecated => __need_fixing}/nginx-reverse-proxy-cluster/versions.tf (100%) rename blueprints/networking/{ => __need_fixing}/onprem-google-access-dns/README.md (95%) rename blueprints/networking/{ => __need_fixing}/onprem-google-access-dns/assets/Corefile (100%) rename blueprints/networking/{ => __need_fixing}/onprem-google-access-dns/backend.tf.sample (100%) rename blueprints/networking/{ => __need_fixing}/onprem-google-access-dns/diagram.png (100%) rename blueprints/networking/{ => __need_fixing}/onprem-google-access-dns/main.tf (100%) rename blueprints/networking/{ => __need_fixing}/onprem-google-access-dns/outputs.tf (100%) rename blueprints/networking/{ => __need_fixing}/onprem-google-access-dns/variables.tf (100%) rename blueprints/networking/{ => __need_fixing}/onprem-google-access-dns/versions.tf (100%) rename modules/cloud-config-container/{ => __need_fixing}/onprem/Corefile (100%) rename modules/cloud-config-container/{ => __need_fixing}/onprem/README.md (57%) rename modules/cloud-config-container/{ => __need_fixing}/onprem/cloud-config.yaml (100%) rename modules/cloud-config-container/{ => __need_fixing}/onprem/docker-images/README.md (100%) rename modules/cloud-config-container/{ => __need_fixing}/onprem/docker-images/strongswan/Dockerfile (100%) rename modules/cloud-config-container/{ => __need_fixing}/onprem/docker-images/strongswan/README.md (100%) rename modules/cloud-config-container/{ => __need_fixing}/onprem/docker-images/strongswan/cloudbuild.yaml (100%) rename modules/cloud-config-container/{ => __need_fixing}/onprem/docker-images/strongswan/entrypoint.sh (100%) rename modules/cloud-config-container/{ => __need_fixing}/onprem/docker-images/strongswan/ipsec-vti.sh (100%) rename modules/cloud-config-container/{ => __need_fixing}/onprem/docker-images/toolbox/Dockerfile (100%) rename modules/cloud-config-container/{ => __need_fixing}/onprem/docker-images/toolbox/README.md (100%) rename modules/cloud-config-container/{ => __need_fixing}/onprem/docker-images/toolbox/cloudbuild.yaml (100%) rename modules/cloud-config-container/{ => __need_fixing}/onprem/docker-images/toolbox/entrypoint.sh (100%) rename modules/cloud-config-container/{ => __need_fixing}/onprem/main.tf (100%) rename modules/cloud-config-container/{ => __need_fixing}/onprem/outputs.tf (100%) rename modules/cloud-config-container/{ => __need_fixing}/onprem/static-vpn-gw-cloud-init.yaml (100%) rename modules/cloud-config-container/{ => __need_fixing}/onprem/variables.tf (94%) rename modules/cloud-config-container/{ => __need_fixing}/onprem/versions.tf (100%) delete mode 120000 modules/cloud-config-container/coredns/instance.tf delete mode 120000 modules/cloud-config-container/coredns/outputs-instance.tf delete mode 120000 modules/cloud-config-container/coredns/variables-instance.tf delete mode 100644 modules/cloud-config-container/instance.tf delete mode 120000 modules/cloud-config-container/mysql/instance.tf delete mode 120000 modules/cloud-config-container/mysql/outputs-instance.tf delete mode 120000 modules/cloud-config-container/mysql/variables-instance.tf create mode 100644 modules/cloud-config-container/nginx-tls/assets/cloud-config.yaml rename modules/cloud-config-container/nginx-tls/{files => assets}/customize.sh (72%) create mode 100644 modules/cloud-config-container/nginx-tls/assets/default.conf delete mode 100644 modules/cloud-config-container/nginx-tls/files/default.conf delete mode 100644 modules/cloud-config-container/nginx-tls/main.tf delete mode 120000 modules/cloud-config-container/nginx/instance.tf delete mode 120000 modules/cloud-config-container/nginx/outputs-instance.tf delete mode 120000 modules/cloud-config-container/nginx/variables-instance.tf delete mode 120000 modules/cloud-config-container/onprem/instance.tf delete mode 120000 modules/cloud-config-container/onprem/outputs-instance.tf delete mode 120000 modules/cloud-config-container/onprem/variables-instance.tf delete mode 100644 modules/cloud-config-container/outputs-instance.tf delete mode 120000 modules/cloud-config-container/simple-nva/instance.tf delete mode 120000 modules/cloud-config-container/simple-nva/outputs-instance.tf delete mode 120000 modules/cloud-config-container/simple-nva/variables-instance.tf delete mode 120000 modules/cloud-config-container/squid/instance.tf delete mode 120000 modules/cloud-config-container/squid/outputs-instance.tf delete mode 120000 modules/cloud-config-container/squid/variables-instance.tf delete mode 100644 modules/cloud-config-container/variables-instance.tf rename tests/blueprints/networking/onprem_google_access_dns/{test_plan.py => test_plan.py.disabled} (100%) diff --git a/blueprints/README.md b/blueprints/README.md index 49bf16ab7..e0c42a979 100644 --- a/blueprints/README.md +++ b/blueprints/README.md @@ -8,7 +8,7 @@ Currently available blueprints: - **data solutions** - [GCE and GCS CMEK via centralized Cloud KMS](./data-solutions/cmek-via-centralized-kms), [Cloud Composer version 2 private instance, supporting Shared VPC and external CMEK key](./data-solutions/composer-2), [Cloud SQL instance with multi-region read replicas](./data-solutions/cloudsql-multiregion), [Data Platform](./data-solutions/data-platform-foundations), [Spinning up a foundation data pipeline on Google Cloud using Cloud Storage, Dataflow and BigQuery](./data-solutions/gcs-to-bq-with-least-privileges), [#SQL Server Always On Groups blueprint](./data-solutions/sqlserver-alwayson), [Data Playground](./data-solutions/data-playground) - **factories** - [The why and the how of Resource Factories](./factories), [Google Cloud Identity Group Factory](./factories/cloud-identity-group-factory), [Google Cloud BQ Factory](./factories/bigquery-factory), [Google Cloud VPC Firewall Factory](./factories/net-vpc-firewall-yaml), [Minimal Project Factory](./factories/project-factory) - **GKE** - [Binary Authorization Pipeline Blueprint](./gke/binauthz), [Storage API](./gke/binauthz/image), [Multi-cluster mesh on GKE (fleet API)](./gke/multi-cluster-mesh-gke-fleet-api), [GKE Multitenant Blueprint](./gke/multitenant-fleet), [Shared VPC with GKE support](./networking/shared-vpc-gke/) -- **networking** - [Decentralized firewall management](./networking/decentralized-firewall), [Decentralized firewall validator](./networking/decentralized-firewall/validator), [Network filtering with Squid](./networking/filtering-proxy), [Network filtering with Squid with isolated VPCs using Private Service Connect](./networking/filtering-proxy-psc), [HTTP Load Balancer with Cloud Armor](./networking/glb-and-armor), [Hub and Spoke via VPN](./networking/hub-and-spoke-vpn), [Hub and Spoke via VPC Peering](./networking/hub-and-spoke-peering), [Internal Load Balancer as Next Hop](./networking/ilb-next-hop), [On-prem DNS and Google Private Access](./networking/onprem-google-access-dns), [Calling a private Cloud Function from On-premises](./networking/private-cloud-function-from-onprem), [Hybrid connectivity to on-premise services through PSC](./networking/psc-hybrid), [PSC Producer](./networking/psc-hybrid/psc-producer), [PSC Consumer](./networking/psc-hybrid/psc-consumer), [Shared VPC with optional GKE cluster](./networking/shared-vpc-gke) +- **networking** - [Decentralized firewall management](./networking/decentralized-firewall), [Decentralized firewall validator](./networking/decentralized-firewall/validator), [Network filtering with Squid](./networking/filtering-proxy), [Network filtering with Squid with isolated VPCs using Private Service Connect](./networking/filtering-proxy-psc), [HTTP Load Balancer with Cloud Armor](./networking/glb-and-armor), [Hub and Spoke via VPN](./networking/hub-and-spoke-vpn), [Hub and Spoke via VPC Peering](./networking/hub-and-spoke-peering), [Internal Load Balancer as Next Hop](./networking/ilb-next-hop), On-prem DNS and Google Private Access, [Calling a private Cloud Function from On-premises](./networking/private-cloud-function-from-onprem), [Hybrid connectivity to on-premise services through PSC](./networking/psc-hybrid), [PSC Producer](./networking/psc-hybrid/psc-producer), [PSC Consumer](./networking/psc-hybrid/psc-consumer), [Shared VPC with optional GKE cluster](./networking/shared-vpc-gke) - **serverless** - [Creating multi-region deployments for API Gateway](./serverless/api-gateway) - **third party solutions** - [OpenShift on GCP user-provisioned infrastructure](./third-party-solutions/openshift), [Wordpress deployment on Cloud Run](./third-party-solutions/wordpress/cloudrun) diff --git a/blueprints/cloud-operations/unmanaged-instances-healthcheck/main.tf b/blueprints/cloud-operations/unmanaged-instances-healthcheck/main.tf index d69dddf2b..19f2d467b 100644 --- a/blueprints/cloud-operations/unmanaged-instances-healthcheck/main.tf +++ b/blueprints/cloud-operations/unmanaged-instances-healthcheck/main.tf @@ -146,13 +146,11 @@ module "cf-healthchecker" { name = "cf-healthchecker" region = var.region bucket_name = module.cf-restarter.bucket_name - bundle_config = { source_dir = "${path.module}/function/healthchecker" output_path = "healthchecker.zip" } service_account = module.service-account-healthchecker.email - function_config = { entry_point = "HealthCheck" ingress_settings = null @@ -161,7 +159,6 @@ module "cf-healthchecker" { runtime = "go116" timeout = 300 } - environment_variables = { FILTER = "name = nginx-*" GRACE_PERIOD = var.grace_period @@ -171,7 +168,6 @@ module "cf-healthchecker" { TCP_PORT = var.tcp_port TIMEOUT = var.timeout } - vpc_connector = { create = true name = "hc-connector" @@ -230,23 +226,25 @@ resource "google_cloud_scheduler_job" "healthcheck-job" { module "cos-nginx" { source = "../../../modules/cloud-config-container/nginx" - test_instance = { - project_id = module.project.project_id - zone = "${var.region}-b" - name = "nginx-test" - type = "f1-micro" +} + +module "test-vm" { + source = "../../../modules/compute-vm" + project_id = module.project.project_id + zone = "${var.region}-b" + name = "nginx-test" + boot_disk = { + image = "projects/cos-cloud/global/images/family/cos-stable" + type = "pd-ssd" + size = 10 + } + metadata = { + user-data = module.cos-nginx.cloud_config + google-logging-enabled = true + } + network_interfaces = [{ network = module.vpc.self_link subnetwork = module.vpc.subnet_self_links["${var.region}/apps"] - } - test_instance_defaults = { - disks = {} - image = null - metadata = {} - nat = false - service_account_roles = [ - "roles/logging.logWriter", - "roles/monitoring.metricWriter" - ] - tags = ["ssh"] - } + }] + tags = ["ssh"] } diff --git a/blueprints/networking/README.md b/blueprints/networking/README.md index ef3932689..ec510d564 100644 --- a/blueprints/networking/README.md +++ b/blueprints/networking/README.md @@ -49,19 +49,20 @@ The blueprint shows how to implement spoke transitivity via BGP advertisements, ### DNS and Private Access for On-premises - This [blueprint](./onprem-google-access-dns/) uses an emulated on-premises environment running in Docker containers inside a GCE instance, to allow testing specific features like DNS policies, DNS forwarding zones across VPN, and Private Access for On-premises hosts. + This [blueprint](./onprem-google-access-dns/) uses an emulated on-premises environment running in Docker containers inside a GCE instance, to allow testing specific features like DNS policies, DNS forwarding zones across VPN, and Private Access for On-premises hosts. The emulated on-premises environment can be used to test access to different services from outside Google Cloud, by implementing a VPN connection and BGP to Google CLoud via Strongswan and Bird.
+--> + ### Calling a private Cloud Function from on-premises This [blueprint](./private-cloud-function-from-onprem/) shows how to invoke a [private Google Cloud Function](https://cloud.google.com/functions/docs/networking/network-settings) from the on-prem environment via a [Private Service Connect endpoint](https://cloud.google.com/vpc/docs/private-service-connect#benefits-apis). diff --git a/blueprints/networking/_deprecated/README.md b/blueprints/networking/__need_fixing/README.md similarity index 100% rename from blueprints/networking/_deprecated/README.md rename to blueprints/networking/__need_fixing/README.md diff --git a/blueprints/networking/_deprecated/nginx-reverse-proxy-cluster/Dockerfile b/blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/Dockerfile similarity index 100% rename from blueprints/networking/_deprecated/nginx-reverse-proxy-cluster/Dockerfile rename to blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/Dockerfile diff --git a/blueprints/networking/_deprecated/nginx-reverse-proxy-cluster/README.md b/blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/README.md similarity index 100% rename from blueprints/networking/_deprecated/nginx-reverse-proxy-cluster/README.md rename to blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/README.md diff --git a/blueprints/networking/_deprecated/nginx-reverse-proxy-cluster/main.tf b/blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/main.tf similarity index 100% rename from blueprints/networking/_deprecated/nginx-reverse-proxy-cluster/main.tf rename to blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/main.tf diff --git a/blueprints/networking/_deprecated/nginx-reverse-proxy-cluster/outputs.tf b/blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/outputs.tf similarity index 100% rename from blueprints/networking/_deprecated/nginx-reverse-proxy-cluster/outputs.tf rename to blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/outputs.tf diff --git a/blueprints/networking/_deprecated/nginx-reverse-proxy-cluster/reverse-proxy.png b/blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/reverse-proxy.png similarity index 100% rename from blueprints/networking/_deprecated/nginx-reverse-proxy-cluster/reverse-proxy.png rename to blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/reverse-proxy.png diff --git a/blueprints/networking/_deprecated/nginx-reverse-proxy-cluster/variables.tf b/blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/variables.tf similarity index 100% rename from blueprints/networking/_deprecated/nginx-reverse-proxy-cluster/variables.tf rename to blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/variables.tf diff --git a/blueprints/networking/_deprecated/nginx-reverse-proxy-cluster/versions.tf b/blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/versions.tf similarity index 100% rename from blueprints/networking/_deprecated/nginx-reverse-proxy-cluster/versions.tf rename to blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/versions.tf diff --git a/blueprints/networking/onprem-google-access-dns/README.md b/blueprints/networking/__need_fixing/onprem-google-access-dns/README.md similarity index 95% rename from blueprints/networking/onprem-google-access-dns/README.md rename to blueprints/networking/__need_fixing/onprem-google-access-dns/README.md index fae563986..deb3593f7 100644 --- a/blueprints/networking/onprem-google-access-dns/README.md +++ b/blueprints/networking/__need_fixing/onprem-google-access-dns/README.md @@ -1,6 +1,6 @@ # On-prem DNS and Google Private Access -This blueprint leverages the [on prem in a box](../../../modules/cloud-config-container/onprem) module to bootstrap an emulated on-premises environment on GCP, then connects it via VPN and sets up BGP and DNS so that several specific features can be tested: +This blueprint leverages the on prem in a box module to bootstrap an emulated on-premises environment on GCP, then connects it via VPN and sets up BGP and DNS so that several specific features can be tested: - [Cloud DNS forwarding zone](https://cloud.google.com/dns/docs/overview#fz-targets) to on-prem - DNS forwarding from on-prem via a [Cloud DNS inbound policy](https://cloud.google.com/dns/docs/policies#create-in) @@ -30,7 +30,7 @@ The Cloud DNS inbound policy reserves an IP address in the VPC, which is used by ### Find out the forwarder entry point address -Run this gcloud command to (find out the address assigned to the inbound forwarder)[https://cloud.google.com/dns/docs/policies#list-in-entrypoints]: +Run this gcloud command to [find out the address assigned to the inbound forwarder](https://cloud.google.com/dns/docs/policies#list-in-entrypoints): ```bash gcloud compute addresses list --project [your project id] @@ -199,7 +199,7 @@ curl www.onprem.example.org -s |grep h1 A single pre-existing project is used in this blueprint to keep variables and complexity to a minimum, in a real world scenarios each spoke would probably use a separate project. -The VPN-s used to connect to the on-premises environment do not account for HA, upgrading to use HA VPN is reasonably simple by using the relevant [module](../../../modules/net-vpn-ha). +The VPN-s used to connect to the on-premises environment do not account for HA, upgrading to use HA VPN is reasonably simple by using the relevant [module](../../../../modules/net-vpn-ha). ## Variables diff --git a/blueprints/networking/onprem-google-access-dns/assets/Corefile b/blueprints/networking/__need_fixing/onprem-google-access-dns/assets/Corefile similarity index 100% rename from blueprints/networking/onprem-google-access-dns/assets/Corefile rename to blueprints/networking/__need_fixing/onprem-google-access-dns/assets/Corefile diff --git a/blueprints/networking/onprem-google-access-dns/backend.tf.sample b/blueprints/networking/__need_fixing/onprem-google-access-dns/backend.tf.sample similarity index 100% rename from blueprints/networking/onprem-google-access-dns/backend.tf.sample rename to blueprints/networking/__need_fixing/onprem-google-access-dns/backend.tf.sample diff --git a/blueprints/networking/onprem-google-access-dns/diagram.png b/blueprints/networking/__need_fixing/onprem-google-access-dns/diagram.png similarity index 100% rename from blueprints/networking/onprem-google-access-dns/diagram.png rename to blueprints/networking/__need_fixing/onprem-google-access-dns/diagram.png diff --git a/blueprints/networking/onprem-google-access-dns/main.tf b/blueprints/networking/__need_fixing/onprem-google-access-dns/main.tf similarity index 100% rename from blueprints/networking/onprem-google-access-dns/main.tf rename to blueprints/networking/__need_fixing/onprem-google-access-dns/main.tf diff --git a/blueprints/networking/onprem-google-access-dns/outputs.tf b/blueprints/networking/__need_fixing/onprem-google-access-dns/outputs.tf similarity index 100% rename from blueprints/networking/onprem-google-access-dns/outputs.tf rename to blueprints/networking/__need_fixing/onprem-google-access-dns/outputs.tf diff --git a/blueprints/networking/onprem-google-access-dns/variables.tf b/blueprints/networking/__need_fixing/onprem-google-access-dns/variables.tf similarity index 100% rename from blueprints/networking/onprem-google-access-dns/variables.tf rename to blueprints/networking/__need_fixing/onprem-google-access-dns/variables.tf diff --git a/blueprints/networking/onprem-google-access-dns/versions.tf b/blueprints/networking/__need_fixing/onprem-google-access-dns/versions.tf similarity index 100% rename from blueprints/networking/onprem-google-access-dns/versions.tf rename to blueprints/networking/__need_fixing/onprem-google-access-dns/versions.tf diff --git a/modules/cloud-config-container/README.md b/modules/cloud-config-container/README.md index 7ee53bdc1..713ffa883 100644 --- a/modules/cloud-config-container/README.md +++ b/modules/cloud-config-container/README.md @@ -1,6 +1,6 @@ # Instance Configuration via `cloud-config` -This set of modules creates specialized [cloud-config](https://cloud.google.com/container-optimized-os/docs/how-to/run-container-instance#starting_a_docker_container_via_cloud-config) configurations, which are designed for use with [Container Optimized OS](https://cloud.google.com/container-optimized-os/docs) (the [onprem module](./onprem/) is the only exception) but can also be used as a basis for other image types or cloud providers. +This set of modules creates specialized [cloud-config](https://cloud.google.com/container-optimized-os/docs/how-to/run-container-instance#starting_a_docker_container_via_cloud-config) configurations, which are designed for use with [Container Optimized OS](https://cloud.google.com/container-optimized-os/docs) (the onprem module is the only exception) but can also be used as a basis for other image types or cloud providers. These modules are designed for several use cases: @@ -14,8 +14,8 @@ These modules are designed for several use cases: - [CoreDNS](./coredns) - [MySQL](./mysql) - [Nginx](./nginx) -- [On-prem in Docker](./onprem) - [Squid forward proxy](./squid) +- On-prem in Docker (*needs fixing*) ## Using the modules @@ -23,8 +23,6 @@ All modules are designed to be as lightweight as possible, so that specialized m To use the modules with instances or instance templates, simply set use their `cloud_config` output for the `user-data` metadata. When updating the metadata after a variable change remember to manually restart the instances that use a module's output, or the changes won't effect the running system. -For convenience when developing or prototyping infrastructure, an optional test instance is included in all modules. If it's not needed, the linked `*instance.tf` files can be removed from the modules without harm. - ## TODO - [ ] convert all `xxx_config` variables to use file content instead of path diff --git a/modules/cloud-config-container/onprem/Corefile b/modules/cloud-config-container/__need_fixing/onprem/Corefile similarity index 100% rename from modules/cloud-config-container/onprem/Corefile rename to modules/cloud-config-container/__need_fixing/onprem/Corefile diff --git a/modules/cloud-config-container/onprem/README.md b/modules/cloud-config-container/__need_fixing/onprem/README.md similarity index 57% rename from modules/cloud-config-container/onprem/README.md rename to modules/cloud-config-container/__need_fixing/onprem/README.md index 1a668a8d1..bc81f437e 100644 --- a/modules/cloud-config-container/onprem/README.md +++ b/modules/cloud-config-container/__need_fixing/onprem/README.md @@ -10,18 +10,14 @@ The emulated on-premises infrastructure is composed of: - an Nginx container serving a simple static web page - a [generic Linux container](./docker-images/toolbox) used as a jump host inside the on-premises network -A [complete scenario using this module](../../../blueprints/networking/onprem-google-access-dns) is available in the networking blueprints. +A complete scenario using this module is available in the networking blueprints. The module renders the generated cloud config in the `cloud_config` output, to be used in instances or instance templates via the `user-data` metadata. -For convenience during development or for simple use cases, the module can optionally manage a single instance via the `test_instance` variable. If the instance is not needed the `instance*tf` files can be safely removed. Refer to the [top-level README](../README.md) for more details on the included instance. - ## Examples ### Static VPN -The test instance is optional, as described above. - ```hcl module "cloud-vpn" { source = "./fabric/modules/net-vpn-static" @@ -32,29 +28,43 @@ module "cloud-vpn" { remote_ranges = ["192.168.192.0/24"] tunnels = { remote-0 = { - peer_ip = module.on-prem.external_address + peer_ip = module.vm.external_ip traffic_selectors = { local = ["0.0.0.0/0"], remote = null } } } } module "on-prem" { - source = "./fabric/modules/cos-container/on-prem" - name = "onprem" + source = "./fabric/modules/cloud-config-container/onprem" vpn_config = { type = "static" peer_ip = module.cloud-vpn.address shared_secret = module.cloud-vpn.random_secret } - test_instance = { - project_id = "my-project" - zone = "europe-west1-b" - name = "cos-coredns" - type = "f1-micro" - network = "default" - subnetwork = "https://www.googleapis.com/compute/v1/projects/my-project/regions/europe-west1/subnetworks/my-subnet" - } } + +module "vm" { + source = "./fabric/modules/compute-vm" + project_id = "my-project" + zone = "europe-west8-b" + name = "cos-nginx-tls" + network_interfaces = [{ + nat = true + network = "default" + subnetwork = "gce" + }] + metadata = { + user-data = module.on-prem.cloud_config + google-logging-enabled = true + } + boot_disk = { + image = "projects/cos-cloud/global/images/family/cos-stable" + type = "pd-ssd" + size = 10 + } + tags = ["ssh"] +} +# tftest skip ``` @@ -62,12 +72,10 @@ module "on-prem" { | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [vpn_config](variables.tf#L35) | VPN configuration, type must be one of 'dynamic' or 'static'. | object({…}) | ✓ | | +| [vpn_config](variables.tf#L35) | VPN configuration, type must be one of 'dynamic' or 'static'. | object({…}) | ✓ | | | [config_variables](variables.tf#L17) | Additional variables used to render the cloud-config and CoreDNS templates. | map(any) | | {} | | [coredns_config](variables.tf#L23) | CoreDNS configuration path, if null default will be used. | string | | null | | [local_ip_cidr_range](variables.tf#L29) | IP CIDR range used for the Docker onprem network. | string | | "192.168.192.0/24" | -| [test_instance](variables-instance.tf#L17) | Test/development instance attributes, leave null to skip creation. | object({…}) | | null | -| [test_instance_defaults](variables-instance.tf#L30) | Test/development instance defaults used for optional configuration. If image is null, COS stable will be used. | object({…}) | | {…} | | [vpn_dynamic_config](variables.tf#L46) | BGP configuration for dynamic VPN, ignored if VPN type is 'static'. | object({…}) | | {…} | | [vpn_static_ranges](variables.tf#L70) | Remote CIDR ranges for static VPN, ignored if VPN type is 'dynamic'. | list(string) | | ["10.0.0.0/8"] | @@ -76,7 +84,5 @@ module "on-prem" { | name | description | sensitive | |---|---|:---:| | [cloud_config](outputs.tf#L17) | Rendered cloud-config file to be passed as user-data instance metadata. | | -| [test_instance](outputs-instance.tf#L17) | Optional test instance name and address. | | - diff --git a/modules/cloud-config-container/onprem/cloud-config.yaml b/modules/cloud-config-container/__need_fixing/onprem/cloud-config.yaml similarity index 100% rename from modules/cloud-config-container/onprem/cloud-config.yaml rename to modules/cloud-config-container/__need_fixing/onprem/cloud-config.yaml diff --git a/modules/cloud-config-container/onprem/docker-images/README.md b/modules/cloud-config-container/__need_fixing/onprem/docker-images/README.md similarity index 100% rename from modules/cloud-config-container/onprem/docker-images/README.md rename to modules/cloud-config-container/__need_fixing/onprem/docker-images/README.md diff --git a/modules/cloud-config-container/onprem/docker-images/strongswan/Dockerfile b/modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/Dockerfile similarity index 100% rename from modules/cloud-config-container/onprem/docker-images/strongswan/Dockerfile rename to modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/Dockerfile diff --git a/modules/cloud-config-container/onprem/docker-images/strongswan/README.md b/modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/README.md similarity index 100% rename from modules/cloud-config-container/onprem/docker-images/strongswan/README.md rename to modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/README.md diff --git a/modules/cloud-config-container/onprem/docker-images/strongswan/cloudbuild.yaml b/modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/cloudbuild.yaml similarity index 100% rename from modules/cloud-config-container/onprem/docker-images/strongswan/cloudbuild.yaml rename to modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/cloudbuild.yaml diff --git a/modules/cloud-config-container/onprem/docker-images/strongswan/entrypoint.sh b/modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/entrypoint.sh similarity index 100% rename from modules/cloud-config-container/onprem/docker-images/strongswan/entrypoint.sh rename to modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/entrypoint.sh diff --git a/modules/cloud-config-container/onprem/docker-images/strongswan/ipsec-vti.sh b/modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/ipsec-vti.sh similarity index 100% rename from modules/cloud-config-container/onprem/docker-images/strongswan/ipsec-vti.sh rename to modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/ipsec-vti.sh diff --git a/modules/cloud-config-container/onprem/docker-images/toolbox/Dockerfile b/modules/cloud-config-container/__need_fixing/onprem/docker-images/toolbox/Dockerfile similarity index 100% rename from modules/cloud-config-container/onprem/docker-images/toolbox/Dockerfile rename to modules/cloud-config-container/__need_fixing/onprem/docker-images/toolbox/Dockerfile diff --git a/modules/cloud-config-container/onprem/docker-images/toolbox/README.md b/modules/cloud-config-container/__need_fixing/onprem/docker-images/toolbox/README.md similarity index 100% rename from modules/cloud-config-container/onprem/docker-images/toolbox/README.md rename to modules/cloud-config-container/__need_fixing/onprem/docker-images/toolbox/README.md diff --git a/modules/cloud-config-container/onprem/docker-images/toolbox/cloudbuild.yaml b/modules/cloud-config-container/__need_fixing/onprem/docker-images/toolbox/cloudbuild.yaml similarity index 100% rename from modules/cloud-config-container/onprem/docker-images/toolbox/cloudbuild.yaml rename to modules/cloud-config-container/__need_fixing/onprem/docker-images/toolbox/cloudbuild.yaml diff --git a/modules/cloud-config-container/onprem/docker-images/toolbox/entrypoint.sh b/modules/cloud-config-container/__need_fixing/onprem/docker-images/toolbox/entrypoint.sh similarity index 100% rename from modules/cloud-config-container/onprem/docker-images/toolbox/entrypoint.sh rename to modules/cloud-config-container/__need_fixing/onprem/docker-images/toolbox/entrypoint.sh diff --git a/modules/cloud-config-container/onprem/main.tf b/modules/cloud-config-container/__need_fixing/onprem/main.tf similarity index 100% rename from modules/cloud-config-container/onprem/main.tf rename to modules/cloud-config-container/__need_fixing/onprem/main.tf diff --git a/modules/cloud-config-container/onprem/outputs.tf b/modules/cloud-config-container/__need_fixing/onprem/outputs.tf similarity index 100% rename from modules/cloud-config-container/onprem/outputs.tf rename to modules/cloud-config-container/__need_fixing/onprem/outputs.tf diff --git a/modules/cloud-config-container/onprem/static-vpn-gw-cloud-init.yaml b/modules/cloud-config-container/__need_fixing/onprem/static-vpn-gw-cloud-init.yaml similarity index 100% rename from modules/cloud-config-container/onprem/static-vpn-gw-cloud-init.yaml rename to modules/cloud-config-container/__need_fixing/onprem/static-vpn-gw-cloud-init.yaml diff --git a/modules/cloud-config-container/onprem/variables.tf b/modules/cloud-config-container/__need_fixing/onprem/variables.tf similarity index 94% rename from modules/cloud-config-container/onprem/variables.tf rename to modules/cloud-config-container/__need_fixing/onprem/variables.tf index 3b09e2366..06eb27603 100644 --- a/modules/cloud-config-container/onprem/variables.tf +++ b/modules/cloud-config-container/__need_fixing/onprem/variables.tf @@ -37,9 +37,9 @@ variable "vpn_config" { type = object({ peer_ip = string shared_secret = string - type = string - peer_ip2 = string - shared_secret2 = string + type = optional(string, "static") + peer_ip2 = optional(string) + shared_secret2 = optional(string) }) } diff --git a/modules/cloud-config-container/onprem/versions.tf b/modules/cloud-config-container/__need_fixing/onprem/versions.tf similarity index 100% rename from modules/cloud-config-container/onprem/versions.tf rename to modules/cloud-config-container/__need_fixing/onprem/versions.tf diff --git a/modules/cloud-config-container/coredns/README.md b/modules/cloud-config-container/coredns/README.md index f5a51a389..91e49592c 100644 --- a/modules/cloud-config-container/coredns/README.md +++ b/modules/cloud-config-container/coredns/README.md @@ -27,14 +27,27 @@ module "cos-coredns" { source = "./fabric/modules/cloud-config-container/coredns" } -# use it as metadata in a compute instance or template -module "vm-coredns" { - source = "./fabric/modules/compute-vm" +module "vm" { + source = "./fabric/modules/compute-vm" + project_id = "my-project" + zone = "europe-west8-b" + name = "cos-coredns" + network_interfaces = [{ + network = "default" + subnetwork = "gce" + }] metadata = { user-data = module.cos-coredns.cloud_config google-logging-enabled = true } + boot_disk = { + image = "projects/cos-cloud/global/images/family/cos-stable" + type = "pd-ssd" + size = 10 + } + tags = ["dns", "ssh"] } +# tftest modules=1 resources=1 ``` ### Custom CoreDNS configuration @@ -51,25 +64,9 @@ module "cos-coredns" { owner = null permissions = "0644" } + } } -``` - -### CoreDNS instance - -This example shows how to create the single instance optionally managed by the module, providing all required attributes in the `test_instance` variable. The instance is purposefully kept simple and should only be used in development, or when designing infrastructures. - -```hcl -module "cos-coredns" { - source = "./fabric/modules/cloud-config-container/coredns" - test_instance = { - project_id = "my-project" - zone = "europe-west1-b" - name = "cos-coredns" - type = "f1-micro" - network = "default" - subnetwork = "https://www.googleapis.com/compute/v1/projects/my-project/regions/europe-west1/subnetworks/my-subnet" - } -} +# tftest modules=0 resources=0 ``` @@ -82,14 +79,11 @@ module "cos-coredns" { | [coredns_config](variables.tf#L29) | CoreDNS configuration path, if null default will be used. | string | | null | | [file_defaults](variables.tf#L35) | Default owner and permissions for files. | object({…}) | | {…} | | [files](variables.tf#L47) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | map(object({…})) | | {} | -| [test_instance](variables-instance.tf#L17) | Test/development instance attributes, leave null to skip creation. | object({…}) | | null | -| [test_instance_defaults](variables-instance.tf#L30) | Test/development instance defaults used for optional configuration. If image is null, COS stable will be used. | object({…}) | | {…} | ## Outputs | name | description | sensitive | |---|---|:---:| | [cloud_config](outputs.tf#L17) | Rendered cloud-config file to be passed as user-data instance metadata. | | -| [test_instance](outputs-instance.tf#L17) | Optional test instance name and address. | | diff --git a/modules/cloud-config-container/coredns/instance.tf b/modules/cloud-config-container/coredns/instance.tf deleted file mode 120000 index bdef596b6..000000000 --- a/modules/cloud-config-container/coredns/instance.tf +++ /dev/null @@ -1 +0,0 @@ -../instance.tf \ No newline at end of file diff --git a/modules/cloud-config-container/coredns/outputs-instance.tf b/modules/cloud-config-container/coredns/outputs-instance.tf deleted file mode 120000 index ea9e24045..000000000 --- a/modules/cloud-config-container/coredns/outputs-instance.tf +++ /dev/null @@ -1 +0,0 @@ -../outputs-instance.tf \ No newline at end of file diff --git a/modules/cloud-config-container/coredns/variables-instance.tf b/modules/cloud-config-container/coredns/variables-instance.tf deleted file mode 120000 index 94af61e4d..000000000 --- a/modules/cloud-config-container/coredns/variables-instance.tf +++ /dev/null @@ -1 +0,0 @@ -../variables-instance.tf \ No newline at end of file diff --git a/modules/cloud-config-container/cos-generic-metadata/README.md b/modules/cloud-config-container/cos-generic-metadata/README.md index 16d1935ed..3b9898541 100644 --- a/modules/cloud-config-container/cos-generic-metadata/README.md +++ b/modules/cloud-config-container/cos-generic-metadata/README.md @@ -12,31 +12,27 @@ This example will create a `cloud-config` that starts [Envoy Proxy](https://www. ```hcl module "cos-envoy" { - source = "./fabric/modules/cos-generic-metadata" - + source = "./fabric/modules/cloud-config-container/cos-generic-metadata" container_image = "envoyproxy/envoy:v1.14.1" container_name = "envoy" container_args = "-c /etc/envoy/envoy.yaml --log-level info --allow-unknown-static-fields" - container_volumes = [ { host = "/etc/envoy/envoy.yaml", container = "/etc/envoy/envoy.yaml" } ] - docker_args = "--network host --pid host" - + # file paths are mocked to run this example in tests files = { "/var/run/envoy/customize.sh" = { - content = file("customize.sh") + content = file("/dev/null") # file("customize.sh") owner = "root" permissions = "0744" } "/etc/envoy/envoy.yaml" = { - content = file("envoy.yaml") + content = file("/dev/null") # file("envoy.yaml") owner = "root" permissions = "0644" } } - run_commands = [ "iptables -t nat -N ENVOY_IN_REDIRECT", "iptables -t nat -A ENVOY_IN_REDIRECT -p tcp -j REDIRECT --to-port 15001", @@ -46,14 +42,13 @@ module "cos-envoy" { "systemctl daemon-reload", "systemctl start envoy", ] - - users = [ - { - username = "envoy", - uid = 1337 - } - ] + users = [{ + username = "envoy", + uid = 1337 + }] } + +# tftest modules=0 resources=0 ``` diff --git a/modules/cloud-config-container/envoy-traffic-director/README.md b/modules/cloud-config-container/envoy-traffic-director/README.md index 593cfa83c..caa0ec5ec 100644 --- a/modules/cloud-config-container/envoy-traffic-director/README.md +++ b/modules/cloud-config-container/envoy-traffic-director/README.md @@ -11,38 +11,31 @@ This module depends on the [`cos-generic-metadata` module](../cos-generic-metada ### Default configuration ```hcl -# Envoy TD config module "cos-envoy-td" { source = "./fabric/modules/cloud-config-container/envoy-traffic-director" } -# COS VM -module "vm-cos" { +module "vm" { source = "./fabric/modules/compute-vm" - project_id = local.project_id - zone = local.zone + project_id = "my-project" + zone = "europe-west8-b" name = "cos-envoy-td" network_interfaces = [{ - network = local.vpc.self_link, - subnetwork = local.vpc.subnet_self_link, - nat = false, - addresses = null + network = "default" + subnetwork = "gce" }] - tags = ["ssh", "http"] - metadata = { user-data = module.cos-envoy-td.cloud_config google-logging-enabled = true } - boot_disk = { image = "projects/cos-cloud/global/images/family/cos-stable" type = "pd-ssd" size = 10 } - - service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"] + tags = ["http-server", "ssh"] } +# tftest modules=1 resources=1 ``` diff --git a/modules/cloud-config-container/instance.tf b/modules/cloud-config-container/instance.tf deleted file mode 100644 index 7f76f2183..000000000 --- a/modules/cloud-config-container/instance.tf +++ /dev/null @@ -1,101 +0,0 @@ -/** - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -resource "google_service_account" "default" { - count = var.test_instance == null ? 0 : 1 - project = var.test_instance.project_id - account_id = "fabric-container-${var.test_instance.name}" - display_name = "Managed by the cos Terraform module." -} - -resource "google_project_iam_member" "default" { - for_each = ( - var.test_instance == null - ? toset([]) - : toset(var.test_instance_defaults.service_account_roles) - ) - project = var.test_instance.project_id - role = each.value - member = "serviceAccount:${google_service_account.default[0].email}" -} - -resource "google_compute_disk" "disks" { - for_each = ( - var.test_instance == null - ? {} - : var.test_instance_defaults.disks - ) - project = var.test_instance.project_id - zone = var.test_instance.zone - name = each.key - type = "pd-ssd" - size = each.value.size -} - -resource "google_compute_instance" "default" { - count = var.test_instance == null ? 0 : 1 - project = var.test_instance.project_id - zone = var.test_instance.zone - name = var.test_instance.name - description = "Managed by the cos Terraform module." - tags = var.test_instance_defaults.tags - machine_type = ( - var.test_instance.type == null ? "f1-micro" : var.test_instance.type - ) - metadata = merge(var.test_instance_defaults.metadata, { - user-data = local.cloud_config - }) - - dynamic "attached_disk" { - for_each = var.test_instance_defaults.disks - iterator = disk - content { - device_name = disk.key - mode = disk.value.read_only ? "READ_ONLY" : "READ_WRITE" - source = google_compute_disk.disks[disk.key].name - } - } - - boot_disk { - initialize_params { - type = "pd-ssd" - image = ( - var.test_instance_defaults.image == null - ? "projects/cos-cloud/global/images/family/cos-stable" - : var.test_instance_defaults.image - ) - size = 10 - } - } - - network_interface { - network = var.test_instance.network - subnetwork = var.test_instance.subnetwork - dynamic "access_config" { - for_each = var.test_instance_defaults.nat ? [""] : [] - iterator = config - content { - nat_ip = null - } - } - } - - service_account { - email = google_service_account.default[0].email - scopes = ["https://www.googleapis.com/auth/cloud-platform"] - } - -} diff --git a/modules/cloud-config-container/mysql/README.md b/modules/cloud-config-container/mysql/README.md index 535a77afe..e0c0f44a9 100644 --- a/modules/cloud-config-container/mysql/README.md +++ b/modules/cloud-config-container/mysql/README.md @@ -26,18 +26,31 @@ This example will create a `cloud-config` that uses the container's default conf ```hcl module "cos-mysql" { - source = "./fabric/modules/cos-container/mysql" + source = "./fabric/modules/cloud-config-container/mysql" mysql_password = "foo" } -# use it as metadata in a compute instance or template -module "vm-mysql" { - source = "./fabric/modules/compute-vm" +module "vm" { + source = "./fabric/modules/compute-vm" + project_id = "my-project" + zone = "europe-west8-b" + name = "cos-mysql" + network_interfaces = [{ + network = "default" + subnetwork = "gce" + }] metadata = { user-data = module.cos-mysql.cloud_config google-logging-enabled = true } + boot_disk = { + image = "projects/cos-cloud/global/images/family/cos-stable" + type = "pd-ssd" + size = 10 + } + tags = ["mysql", "ssh"] } +# tftest modules=1 resources=1 ``` ### Custom MySQL configuration and KMS encrypted password @@ -46,7 +59,7 @@ This example will create a `cloud-config` that uses a custom MySQL configuration ```hcl module "cos-mysql" { - source = "./fabric/modules/cos-container/mysql" + source = "./fabric/modules/cloud-config-container/mysql" mysql_config = "./my.cnf" mysql_password = "CiQAsd7WY==" kms_config = { @@ -56,25 +69,7 @@ module "cos-mysql" { key = "mysql" } } -``` - -### MySQL instance - -This example shows how to create the single instance optionally managed by the module, providing all required attributes in the `test_instance` variable. The instance is purposefully kept simple and should only be used in development, or when designing infrastructures. - -```hcl -module "cos-mysql" { - source = "./fabric/modules/cos-container/mysql" - mysql_password = "foo" - test_instance = { - project_id = "my-project" - zone = "europe-west1-b" - name = "cos-mysql" - type = "n1-standard-1" - network = "default" - subnetwork = "https://www.googleapis.com/compute/v1/projects/my-project/regions/europe-west1/subnetworks/my-subnet" - } -} +# tftest modules=0 resources=0 ``` @@ -89,14 +84,11 @@ module "cos-mysql" { | [kms_config](variables.tf#L35) | Optional KMS configuration to decrypt passed-in password. Leave null if a plaintext password is used. | object({…}) | | null | | [mysql_config](variables.tf#L46) | MySQL configuration file content, if null container default will be used. | string | | null | | [mysql_data_disk](variables.tf#L52) | MySQL data disk name in /dev/disk/by-id/ including the google- prefix. If null the boot disk will be used for data. | string | | null | -| [test_instance](variables-instance.tf#L17) | Test/development instance attributes, leave null to skip creation. | object({…}) | | null | -| [test_instance_defaults](variables-instance.tf#L30) | Test/development instance defaults used for optional configuration. If image is null, COS stable will be used. | object({…}) | | {…} | ## Outputs | name | description | sensitive | |---|---|:---:| | [cloud_config](outputs.tf#L17) | Rendered cloud-config file to be passed as user-data instance metadata. | | -| [test_instance](outputs-instance.tf#L17) | Optional test instance name and address. | | diff --git a/modules/cloud-config-container/mysql/instance.tf b/modules/cloud-config-container/mysql/instance.tf deleted file mode 120000 index bdef596b6..000000000 --- a/modules/cloud-config-container/mysql/instance.tf +++ /dev/null @@ -1 +0,0 @@ -../instance.tf \ No newline at end of file diff --git a/modules/cloud-config-container/mysql/outputs-instance.tf b/modules/cloud-config-container/mysql/outputs-instance.tf deleted file mode 120000 index ea9e24045..000000000 --- a/modules/cloud-config-container/mysql/outputs-instance.tf +++ /dev/null @@ -1 +0,0 @@ -../outputs-instance.tf \ No newline at end of file diff --git a/modules/cloud-config-container/mysql/variables-instance.tf b/modules/cloud-config-container/mysql/variables-instance.tf deleted file mode 120000 index 94af61e4d..000000000 --- a/modules/cloud-config-container/mysql/variables-instance.tf +++ /dev/null @@ -1 +0,0 @@ -../variables-instance.tf \ No newline at end of file diff --git a/modules/cloud-config-container/nginx-tls/README.md b/modules/cloud-config-container/nginx-tls/README.md index d5790cf23..9dfe9b061 100644 --- a/modules/cloud-config-container/nginx-tls/README.md +++ b/modules/cloud-config-container/nginx-tls/README.md @@ -1,48 +1,37 @@ # Containerized Nginx with self-signed TLS on Container Optimized OS -This module manages a `cloud-config` configuration that starts a containerized Nginx with a self-signed TLS cert on Container Optimized OS. -This can be useful if you need quickly a VM or instance group answering HTTPS for prototyping. +This module manages a `cloud-config` configuration that starts a containerized Nginx with a self-signed TLS cert on Container Optimized OS. This can be useful if you need quickly a VM or instance group answering HTTPS for prototyping. The generated cloud config is rendered in the `cloud_config` output, and is meant to be used in instances or instance templates via the `user-data` metadata. -This module depends on the [`cos-generic-metadata` module](../cos-generic-metadata) being in the parent folder. If you change its location be sure to adjust the `source` attribute in `main.tf`. - -## Examples - -### Default configuration +## Example ```hcl -# Nginx with self-signed TLS config module "cos-nginx-tls" { source = "./fabric/modules/cloud-config-container/nginx-tls" } -# COS VM module "vm-nginx-tls" { source = "./fabric/modules/compute-vm" - project_id = local.project_id - zone = local.zone + project_id = "my-project" + zone = "europe-west8-b" name = "cos-nginx-tls" network_interfaces = [{ - network = local.vpc.self_link, - subnetwork = local.vpc.subnet_self_link, - nat = false, - addresses = null + network = "default" + subnetwork = "gce" }] - metadata = { user-data = module.cos-nginx-tls.cloud_config google-logging-enabled = true } - boot_disk = { image = "projects/cos-cloud/global/images/family/cos-stable" type = "pd-ssd" size = 10 } - - service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"] + tags = ["http-server", "https-server", "ssh"] } +# tftest modules=1 resources=1 ``` @@ -50,11 +39,9 @@ module "vm-nginx-tls" { | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [files](variables.tf#L17) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | map(object({…})) | | null | -| [nginx_image](variables.tf#L27) | Nginx container image to use. | string | | "nginx:1.23.1" | -| [runcmd_post](variables.tf#L33) | Extra commands to run after starting nginx. | list(string) | | [] | -| [runcmd_pre](variables.tf#L39) | Extra commands to run before starting nginx. | list(string) | | [] | -| [users](variables.tf#L45) | Additional list of usernames to be created. | list(object({…})) | | […] | +| [files](variables.tf#L17) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | map(object({…})) | | {} | +| [hello](variables.tf#L28) | Behave like the nginx hello image by returning plain text informative responses. | bool | | true | +| [image](variables.tf#L35) | Nginx container image to use. | string | | "nginx:1.23.1" | ## Outputs diff --git a/modules/cloud-config-container/nginx-tls/assets/cloud-config.yaml b/modules/cloud-config-container/nginx-tls/assets/cloud-config.yaml new file mode 100644 index 000000000..2b7ebe847 --- /dev/null +++ b/modules/cloud-config-container/nginx-tls/assets/cloud-config.yaml @@ -0,0 +1,63 @@ +#cloud-config + +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +users: + - name: nginx + uid: 2000 + +write_files: + - path: /var/lib/docker/daemon.json + permissions: "0644" + owner: root + content: | + { + "live-restore": true, + "storage-driver": "overlay2", + "log-opts": { + "max-size": "1024m" + } + } + # nginx container service + - path: /etc/systemd/system/nginx.service + permissions: "0644" + owner: root + content: | + [Unit] + Description=Start nginx container + After=gcr-online.target docker.socket + Wants=gcr-online.target docker.socket docker-events-collector.service + [Service] + Environment="HOME=/home/nginx" + ExecStart=/usr/bin/docker run --rm --name=nginx \ + --network host --pid host \ + -v /etc/nginx/conf.d:/etc/nginx/conf.d \ + -v /etc/ssl:/etc/ssl \ + ${image} + ExecStop=/usr/bin/docker stop nginx +%{ for k, v in files ~} + - path: ${k} + owner: ${v.owner} + permissions: "${v.permissions}" + content: | + ${indent(6, v.content)} +%{ endfor ~} + +runcmd: + - iptables -I INPUT 1 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT + - iptables -I INPUT 1 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT + - /var/run/nginx/customize.sh + - systemctl daemon-reload + - systemctl start nginx diff --git a/modules/cloud-config-container/nginx-tls/files/customize.sh b/modules/cloud-config-container/nginx-tls/assets/customize.sh similarity index 72% rename from modules/cloud-config-container/nginx-tls/files/customize.sh rename to modules/cloud-config-container/nginx-tls/assets/customize.sh index afbf56db9..22b40064b 100644 --- a/modules/cloud-config-container/nginx-tls/files/customize.sh +++ b/modules/cloud-config-container/nginx-tls/assets/customize.sh @@ -13,8 +13,12 @@ # See the License for the specific language governing permissions and # limitations under the License. -FQDN=$(curl -s -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/hostname) +FQDN=$(\ + curl -s -H "Metadata-Flavor: Google" \ + http://metadata/computeMetadata/v1/instance/hostname) HOSTNAME=$(echo $FQDN | cut -d"." -f1) -openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj /CN=$HOSTNAME/ -addext "subjectAltName = DNS:$FQDN" -keyout /etc/ssl/self-signed.key -out /etc/ssl/self-signed.crt +openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \ + -subj /CN=$HOSTNAME/ -addext "subjectAltName = DNS:$FQDN" \ + -keyout /etc/ssl/self-signed.key -out /etc/ssl/self-signed.crt chgrp nginx /etc/ssl/self-signed.key -out /etc/ssl/self-signed.crt sed -i "s/HOSTNAME/${HOSTNAME}/" /etc/nginx/conf.d/default.conf \ No newline at end of file diff --git a/modules/cloud-config-container/nginx-tls/assets/default.conf b/modules/cloud-config-container/nginx-tls/assets/default.conf new file mode 100644 index 000000000..2be98ff27 --- /dev/null +++ b/modules/cloud-config-container/nginx-tls/assets/default.conf @@ -0,0 +1,24 @@ +server { + listen 80; + listen 443 ssl; + server_name HOSTNAME; + ssl_certificate /etc/ssl/self-signed.crt; + ssl_certificate_key /etc/ssl/self-signed.key; + + location / { + {% if hello %} + default_type text/plain; + expires -1; + return 200 'Server address: $server_addr:$server_port\nServer name: $hostname\nDate: $time_local\nURI: $request_uri\nRequest ID: $request_id\n'; + {% else %} + root /usr/share/nginx/html; + index index.html index.htm; + {% endif %} + } + + error_page 500 502 503 504 /50x.html; + + location = /50x.html { + root /usr/share/nginx/html; + } +} \ No newline at end of file diff --git a/modules/cloud-config-container/nginx-tls/files/default.conf b/modules/cloud-config-container/nginx-tls/files/default.conf deleted file mode 100644 index b928902a0..000000000 --- a/modules/cloud-config-container/nginx-tls/files/default.conf +++ /dev/null @@ -1,20 +0,0 @@ -server { - listen 80; - listen 443 ssl; - server_name HOSTNAME; - ssl_certificate /etc/ssl/self-signed.crt; - ssl_certificate_key /etc/ssl/self-signed.key; - - - location / { - root /usr/share/nginx/html; - index index.html index.htm; - } - - error_page 500 502 503 504 /50x.html; - - location = /50x.html { - root /usr/share/nginx/html; - } - -} \ No newline at end of file diff --git a/modules/cloud-config-container/nginx-tls/main.tf b/modules/cloud-config-container/nginx-tls/main.tf deleted file mode 100644 index 809e9a8aa..000000000 --- a/modules/cloud-config-container/nginx-tls/main.tf +++ /dev/null @@ -1,70 +0,0 @@ -/** - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -locals { - default_files = { - "/var/run/nginx/customize.sh" = { - content = file("${path.module}/files/customize.sh") - owner = "root" - permissions = "0744" - } - "/etc/nginx/conf.d/default.conf" = { - content = file("${path.module}/files/default.conf") - owner = "root" - permissions = "0644" - } - } - files = var.files != null ? merge(local.default_files, var.files) : local.default_files -} - -module "cos-envoy-td" { - source = "../cos-generic-metadata" - - authenticate_gcr = true - users = concat([ - { - username = "nginx" - uid = 2000 - } - ], var.users) - run_as_first_user = false - - boot_commands = [ - "systemctl start node-problem-detector", - ] - - container_image = var.nginx_image - container_name = "nginx" - container_args = "" - - container_volumes = [ - { host = "/etc/nginx/conf.d", container = "/etc/nginx/conf.d" }, - { host = "/etc/ssl", container = "/etc/ssl" }, - ] - - docker_args = "--network host --pid host" - - files = local.files - - run_commands = concat(var.runcmd_pre, [ - "iptables -I INPUT 1 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT", - "iptables -I INPUT 1 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT", - "/var/run/nginx/customize.sh", - "systemctl daemon-reload", - "systemctl start nginx", - ], var.runcmd_post) - -} diff --git a/modules/cloud-config-container/nginx-tls/outputs.tf b/modules/cloud-config-container/nginx-tls/outputs.tf index 4ce8d2473..2acd83f64 100644 --- a/modules/cloud-config-container/nginx-tls/outputs.tf +++ b/modules/cloud-config-container/nginx-tls/outputs.tf @@ -16,5 +16,23 @@ output "cloud_config" { description = "Rendered cloud-config file to be passed as user-data instance metadata." - value = module.cos-envoy-td.cloud_config + value = templatefile("${path.module}/assets/cloud-config.yaml", { + files = merge( + { + "/var/run/nginx/customize.sh" = { + content = file("${path.module}/assets/customize.sh") + owner = "root" + permissions = "0744" + } + "/etc/nginx/conf.d/default.conf" = { + content = templatefile( + "${path.module}/assets/default.conf", { hello = var.hello } + ) + owner = "root" + permissions = "0644" + } + }, var.files + ) + image = var.image + }) } diff --git a/modules/cloud-config-container/nginx-tls/variables.tf b/modules/cloud-config-container/nginx-tls/variables.tf index 9ca826266..f3cab5826 100644 --- a/modules/cloud-config-container/nginx-tls/variables.tf +++ b/modules/cloud-config-container/nginx-tls/variables.tf @@ -18,38 +18,22 @@ variable "files" { description = "Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null." type = map(object({ content = string - owner = string - permissions = string + owner = optional(string, "root") + permissions = optional(string, "0644") })) - default = null + default = {} + nullable = false } -variable "nginx_image" { +variable "hello" { + description = "Behave like the nginx hello image by returning plain text informative responses." + type = bool + default = true + nullable = false +} + +variable "image" { description = "Nginx container image to use." type = string default = "nginx:1.23.1" } - -variable "runcmd_post" { - description = "Extra commands to run after starting nginx." - type = list(string) - default = [] -} - -variable "runcmd_pre" { - description = "Extra commands to run before starting nginx." - type = list(string) - default = [] -} - -variable "users" { - description = "Additional list of usernames to be created." - type = list(object({ - username = string, - uid = number, - })) - default = [ - ] -} - - diff --git a/modules/cloud-config-container/nginx/README.md b/modules/cloud-config-container/nginx/README.md index 12ca3d5d0..225bc7a13 100644 --- a/modules/cloud-config-container/nginx/README.md +++ b/modules/cloud-config-container/nginx/README.md @@ -27,32 +27,27 @@ module "cos-nginx" { source = "./fabric/modules/cloud-config-container/nginx" } -# use it as metadata in a compute instance or template -module "vm-nginx" { - source = "./fabric/modules/compute-vm" +module "vm-nginx-tls" { + source = "./fabric/modules/compute-vm" + project_id = "my-project" + zone = "europe-west8-b" + name = "cos-nginx" + network_interfaces = [{ + network = "default" + subnetwork = "gce" + }] metadata = { user-data = module.cos-nginx.cloud_config google-logging-enabled = true } -} -``` - -### Nginx instance - -This example shows how to create the single instance optionally managed by the module, providing all required attributes in the `test_instance` variable. The instance is purposefully kept simple and should only be used in development, or when designing infrastructures. - -```hcl -module "cos-nginx" { - source = "./fabric/modules/cloud-config-container/nginx" - test_instance = { - project_id = "my-project" - zone = "europe-west1-b" - name = "cos-nginx" - type = "f1-micro" - network = "default" - subnetwork = "https://www.googleapis.com/compute/v1/projects/my-project/regions/europe-west1/subnetworks/my-subnet" + boot_disk = { + image = "projects/cos-cloud/global/images/family/cos-stable" + type = "pd-ssd" + size = 10 } + tags = ["http-server", "ssh"] } +# tftest modules=1 resources=1 ``` @@ -68,8 +63,6 @@ module "cos-nginx" { | [nginx_config](variables.tf#L57) | Nginx configuration path, if null container default will be used. | string | | null | | [runcmd_post](variables.tf#L63) | Extra commands to run after starting nginx. | list(string) | | [] | | [runcmd_pre](variables.tf#L69) | Extra commands to run before starting nginx. | list(string) | | [] | -| [test_instance](variables-instance.tf#L17) | Test/development instance attributes, leave null to skip creation. | object({…}) | | null | -| [test_instance_defaults](variables-instance.tf#L30) | Test/development instance defaults used for optional configuration. If image is null, COS stable will be used. | object({…}) | | {…} | | [users](variables.tf#L75) | List of additional usernames to be created. | list(object({…})) | | […] | ## Outputs @@ -77,6 +70,5 @@ module "cos-nginx" { | name | description | sensitive | |---|---|:---:| | [cloud_config](outputs.tf#L17) | Rendered cloud-config file to be passed as user-data instance metadata. | | -| [test_instance](outputs-instance.tf#L17) | Optional test instance name and address. | | diff --git a/modules/cloud-config-container/nginx/instance.tf b/modules/cloud-config-container/nginx/instance.tf deleted file mode 120000 index bdef596b6..000000000 --- a/modules/cloud-config-container/nginx/instance.tf +++ /dev/null @@ -1 +0,0 @@ -../instance.tf \ No newline at end of file diff --git a/modules/cloud-config-container/nginx/outputs-instance.tf b/modules/cloud-config-container/nginx/outputs-instance.tf deleted file mode 120000 index ea9e24045..000000000 --- a/modules/cloud-config-container/nginx/outputs-instance.tf +++ /dev/null @@ -1 +0,0 @@ -../outputs-instance.tf \ No newline at end of file diff --git a/modules/cloud-config-container/nginx/variables-instance.tf b/modules/cloud-config-container/nginx/variables-instance.tf deleted file mode 120000 index 94af61e4d..000000000 --- a/modules/cloud-config-container/nginx/variables-instance.tf +++ /dev/null @@ -1 +0,0 @@ -../variables-instance.tf \ No newline at end of file diff --git a/modules/cloud-config-container/onprem/instance.tf b/modules/cloud-config-container/onprem/instance.tf deleted file mode 120000 index bdef596b6..000000000 --- a/modules/cloud-config-container/onprem/instance.tf +++ /dev/null @@ -1 +0,0 @@ -../instance.tf \ No newline at end of file diff --git a/modules/cloud-config-container/onprem/outputs-instance.tf b/modules/cloud-config-container/onprem/outputs-instance.tf deleted file mode 120000 index ea9e24045..000000000 --- a/modules/cloud-config-container/onprem/outputs-instance.tf +++ /dev/null @@ -1 +0,0 @@ -../outputs-instance.tf \ No newline at end of file diff --git a/modules/cloud-config-container/onprem/variables-instance.tf b/modules/cloud-config-container/onprem/variables-instance.tf deleted file mode 120000 index 94af61e4d..000000000 --- a/modules/cloud-config-container/onprem/variables-instance.tf +++ /dev/null @@ -1 +0,0 @@ -../variables-instance.tf \ No newline at end of file diff --git a/modules/cloud-config-container/outputs-instance.tf b/modules/cloud-config-container/outputs-instance.tf deleted file mode 100644 index 8c657eb05..000000000 --- a/modules/cloud-config-container/outputs-instance.tf +++ /dev/null @@ -1,28 +0,0 @@ -/** - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -output "test_instance" { - description = "Optional test instance name and address." - value = (var.test_instance == null ? {} : { - address = google_compute_instance.default[0].network_interface.0.network_ip - name = google_compute_instance.default[0].name - nat_address = try( - google_compute_instance.default[0].network_interface.0.access_config.0.nat_ip, - null - ) - service_account = google_service_account.default[0].email - }) -} diff --git a/modules/cloud-config-container/simple-nva/README.md b/modules/cloud-config-container/simple-nva/README.md index 0e495df5b..f70842e8c 100644 --- a/modules/cloud-config-container/simple-nva/README.md +++ b/modules/cloud-config-container/simple-nva/README.md @@ -9,7 +9,6 @@ This NVA can be used to interconnect up to 8 VPCs. ### Simple example ```hcl -# Interfaces configuration locals { network_interfaces = [ { @@ -28,41 +27,40 @@ locals { routes = ["10.0.0.0/9"] subnetwork = "prod_vpc_nva_subnet_self_link" } + ] } -# NVA config -module "nva-cloud-config" { - source = "../../../cloud-foundation-fabric/modules/cloud-config-container/simple-nva" +module "cos-nva" { + source = "./fabric/modules/cloud-config-container/simple-nva" enable_health_checks = true network_interfaces = local.network_interfaces - files = { - "/var/lib/cloud/scripts/per-boot/firewall-rules.sh" = { - content = file("./your_path/to/firewall-rules.sh") - owner = "root" - permissions = 0700 - } - } + # files = { + # "/var/lib/cloud/scripts/per-boot/firewall-rules.sh" = { + # content = file("./your_path/to/firewall-rules.sh") + # owner = "root" + # permissions = 0700 + # } + # } } -# COS VM -module "nva" { - source = "../../modules/compute-vm" - project_id = "myproject" - instance_type = "e2-standard-2" - name = "nva" - can_ip_forward = true - zone = "europe-west8-a" - tags = ["nva"] +module "vm" { + source = "./fabric/modules/compute-vm" + project_id = "my-project" + zone = "europe-west8-b" + name = "cos-nva" network_interfaces = local.network_interfaces + metadata = { + user-data = module.cos-nva.cloud_config + google-logging-enabled = true + } boot_disk = { image = "projects/cos-cloud/global/images/family/cos-stable" + type = "pd-ssd" size = 10 - type = "pd-balanced" - } - metadata = { - user-data = module.nva-cloud-config.cloud_config } + tags = ["nva", "ssh"] } +# tftest modules=1 resources=1 ``` @@ -74,14 +72,11 @@ module "nva" { | [cloud_config](variables.tf#L17) | Cloud config template path. If null default will be used. | string | | null | | [enable_health_checks](variables.tf#L23) | Configures routing to enable responses to health check probes. | bool | | false | | [files](variables.tf#L29) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | map(object({…})) | | {} | -| [test_instance](variables-instance.tf#L17) | Test/development instance attributes, leave null to skip creation. | object({…}) | | null | -| [test_instance_defaults](variables-instance.tf#L30) | Test/development instance defaults used for optional configuration. If image is null, COS stable will be used. | object({…}) | | {…} | ## Outputs | name | description | sensitive | |---|---|:---:| | [cloud_config](outputs.tf#L17) | Rendered cloud-config file to be passed as user-data instance metadata. | | -| [test_instance](outputs-instance.tf#L17) | Optional test instance name and address. | | diff --git a/modules/cloud-config-container/simple-nva/instance.tf b/modules/cloud-config-container/simple-nva/instance.tf deleted file mode 120000 index bdef596b6..000000000 --- a/modules/cloud-config-container/simple-nva/instance.tf +++ /dev/null @@ -1 +0,0 @@ -../instance.tf \ No newline at end of file diff --git a/modules/cloud-config-container/simple-nva/outputs-instance.tf b/modules/cloud-config-container/simple-nva/outputs-instance.tf deleted file mode 120000 index ea9e24045..000000000 --- a/modules/cloud-config-container/simple-nva/outputs-instance.tf +++ /dev/null @@ -1 +0,0 @@ -../outputs-instance.tf \ No newline at end of file diff --git a/modules/cloud-config-container/simple-nva/variables-instance.tf b/modules/cloud-config-container/simple-nva/variables-instance.tf deleted file mode 120000 index 94af61e4d..000000000 --- a/modules/cloud-config-container/simple-nva/variables-instance.tf +++ /dev/null @@ -1 +0,0 @@ -../variables-instance.tf \ No newline at end of file diff --git a/modules/cloud-config-container/squid/README.md b/modules/cloud-config-container/squid/README.md index 1c866b25a..5bde38123 100644 --- a/modules/cloud-config-container/squid/README.md +++ b/modules/cloud-config-container/squid/README.md @@ -25,38 +25,31 @@ This example will create a `cloud-config` that allows any client in the 10.0.0.0 ```hcl module "cos-squid" { source = "./fabric/modules/cloud-config-container/squid" - whitelist = [".github.com"] + allow = [".github.com"] clients = ["10.0.0.0/8"] } -# use it as metadata in a compute instance or template -module "vm-squid" { - source = "./fabric/modules/compute-vm" +module "vm" { + source = "./fabric/modules/compute-vm" + project_id = "my-project" + zone = "europe-west8-b" + name = "cos-squid" + network_interfaces = [{ + network = "default" + subnetwork = "gce" + }] metadata = { user-data = module.cos-squid.cloud_config google-logging-enabled = true } -} -``` - -### Test Squid instance - -This example shows how to create the single instance optionally managed by the module, providing all required attributes in the `test_instance` variable. The instance is purposefully kept simple and should only be used in development, or when designing infrastructures. - -```hcl -module "cos-squid" { - source = "./fabric/modules/cloud-config-container/squid" - whitelist = ["github.com"] - clients = ["10.0.0.0/8"] - test_instance = { - project_id = "my-project" - zone = "europe-west1-b" - name = "cos-squid" - type = "f1-micro" - network = "default" - subnetwork = "https://www.googleapis.com/compute/v1/projects/my-project/regions/europe-west1/subnetworks/my-subnet" + boot_disk = { + image = "projects/cos-cloud/global/images/family/cos-stable" + type = "pd-ssd" + size = 10 } + tags = ["http-server", "ssh"] } +# tftest modules=1 resources=1 ``` @@ -73,14 +66,11 @@ module "cos-squid" { | [file_defaults](variables.tf#L58) | Default owner and permissions for files. | object({…}) | | {…} | | [files](variables.tf#L70) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | map(object({…})) | | {} | | [squid_config](variables.tf#L80) | Squid configuration path, if null default will be used. | string | | null | -| [test_instance](variables-instance.tf#L17) | Test/development instance attributes, leave null to skip creation. | object({…}) | | null | -| [test_instance_defaults](variables-instance.tf#L30) | Test/development instance defaults used for optional configuration. If image is null, COS stable will be used. | object({…}) | | {…} | ## Outputs | name | description | sensitive | |---|---|:---:| | [cloud_config](outputs.tf#L17) | Rendered cloud-config file to be passed as user-data instance metadata. | | -| [test_instance](outputs-instance.tf#L17) | Optional test instance name and address. | | diff --git a/modules/cloud-config-container/squid/instance.tf b/modules/cloud-config-container/squid/instance.tf deleted file mode 120000 index bdef596b6..000000000 --- a/modules/cloud-config-container/squid/instance.tf +++ /dev/null @@ -1 +0,0 @@ -../instance.tf \ No newline at end of file diff --git a/modules/cloud-config-container/squid/outputs-instance.tf b/modules/cloud-config-container/squid/outputs-instance.tf deleted file mode 120000 index ea9e24045..000000000 --- a/modules/cloud-config-container/squid/outputs-instance.tf +++ /dev/null @@ -1 +0,0 @@ -../outputs-instance.tf \ No newline at end of file diff --git a/modules/cloud-config-container/squid/variables-instance.tf b/modules/cloud-config-container/squid/variables-instance.tf deleted file mode 120000 index 94af61e4d..000000000 --- a/modules/cloud-config-container/squid/variables-instance.tf +++ /dev/null @@ -1 +0,0 @@ -../variables-instance.tf \ No newline at end of file diff --git a/modules/cloud-config-container/variables-instance.tf b/modules/cloud-config-container/variables-instance.tf deleted file mode 100644 index 3697133ea..000000000 --- a/modules/cloud-config-container/variables-instance.tf +++ /dev/null @@ -1,54 +0,0 @@ -/** - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -variable "test_instance" { - description = "Test/development instance attributes, leave null to skip creation." - type = object({ - project_id = string - zone = string - name = string - type = string - network = string - subnetwork = string - }) - default = null -} - -variable "test_instance_defaults" { - description = "Test/development instance defaults used for optional configuration. If image is null, COS stable will be used." - type = object({ - disks = map(object({ - read_only = bool - size = number - })) - image = string - metadata = map(string) - nat = bool - service_account_roles = list(string) - tags = list(string) - }) - default = { - disks = {} - image = null - metadata = {} - nat = false - service_account_roles = [ - "roles/logging.logWriter", - "roles/monitoring.metricWriter" - ] - tags = ["ssh"] - } -} diff --git a/modules/net-ilb-l7/backend-service.tf b/modules/net-ilb-l7/backend-service.tf index e2d92299f..a517bd08c 100644 --- a/modules/net-ilb-l7/backend-service.tf +++ b/modules/net-ilb-l7/backend-service.tf @@ -23,6 +23,9 @@ locals { }, { for k, v in google_compute_network_endpoint_group.default : k => v.id + }, + { + for k, v in google_compute_region_network_endpoint_group.default : k => v.id } ) hc_ids = { diff --git a/tests/blueprints/cloud_operations/unmanaged_instances_healthcheck/test_plan.py b/tests/blueprints/cloud_operations/unmanaged_instances_healthcheck/test_plan.py index 3f6f34994..c79be049e 100644 --- a/tests/blueprints/cloud_operations/unmanaged_instances_healthcheck/test_plan.py +++ b/tests/blueprints/cloud_operations/unmanaged_instances_healthcheck/test_plan.py @@ -16,4 +16,4 @@ def test_resources(e2e_plan_runner): "Test that plan works and the numbers of resources is as expected." modules, resources = e2e_plan_runner() assert len(modules) == 10 - assert len(resources) == 34 + assert len(resources) == 31 diff --git a/tests/blueprints/networking/onprem_google_access_dns/test_plan.py b/tests/blueprints/networking/onprem_google_access_dns/test_plan.py.disabled similarity index 100% rename from tests/blueprints/networking/onprem_google_access_dns/test_plan.py rename to tests/blueprints/networking/onprem_google_access_dns/test_plan.py.disabled diff --git a/tests/examples/conftest.py b/tests/examples/conftest.py index b2b915ea1..c41132d4f 100644 --- a/tests/examples/conftest.py +++ b/tests/examples/conftest.py @@ -20,8 +20,9 @@ import marko import pytest FABRIC_ROOT = Path(__file__).parents[2] -MODULES_PATH = FABRIC_ROOT / 'modules/' BLUEPRINTS_PATH = FABRIC_ROOT / 'blueprints/' +MODULES_PATH = FABRIC_ROOT / 'modules/' +SUBMODULES_PATH = MODULES_PATH / 'cloud-config-container' FILE_TEST_RE = re.compile(r'# tftest file (\w+) ([\S]+)') @@ -32,6 +33,7 @@ File = collections.namedtuple('File', 'path content') def pytest_generate_tests(metafunc): if 'example' in metafunc.fixturenames: modules = [x for x in MODULES_PATH.iterdir() if x.is_dir()] + modules.extend(x for x in SUBMODULES_PATH.iterdir() if x.is_dir()) modules.extend(x for x in BLUEPRINTS_PATH.glob("*/*") if x.is_dir()) modules.sort() examples = [] @@ -46,7 +48,7 @@ def pytest_generate_tests(metafunc): last_header = None files = {} - #first pass: collect all tftest tagged files + # first pass: collect all tftest tagged files for child in doc.children: if isinstance(child, marko.block.FencedCode): code = child.children[0].children