From 4626dafcc8409e46c44d7c1ace82bd3484facabe Mon Sep 17 00:00:00 2001
From: Aleksandr Averbukh
Date: Tue, 1 Sep 2020 12:38:25 +0200
Subject: [PATCH 1/3] Make VPN Gateway creation optional for the module.

---
 CHANGELOG.md | 2 ++
 modules/net-vpn-ha/README.md | 10 ++++++----
 modules/net-vpn-ha/main.tf | 20 ++++++++++++--------
 modules/net-vpn-ha/outputs.tf | 25 ++++++++++++++++++-------
 modules/net-vpn-ha/variables.tf | 16 ++++++++++++++--
 5 files changed, 52 insertions(+), 21 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 07a5a7bf7..b4e2805b0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,8 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+- **incompatible change** make HA VPN Gateway creation optional for `net-vpn-ha` module. Now an existing HA VPN Gateway can be used. Updating to the new version of the module will cause VPN Gateway recreation which can be handled by `terraform state rm/terraform import` operations.
+
 ## [3.1.0] - 2020-08-16
 
 - **incompatible change** add support for specifying a different project id in the GKE cluster module; if using the `peering_config` variable, `peering_config.project_id` now needs to be explicitly set, a `null` value will reuse the `project_id` variable for the peering
diff --git a/modules/net-vpn-ha/README.md b/modules/net-vpn-ha/README.md
index 2357fb6b7..959f7fa79 100644
--- a/modules/net-vpn-ha/README.md
+++ b/modules/net-vpn-ha/README.md
@@ -136,7 +136,7 @@ module "vpn_ha" {
 
 | name | description | type | required | default |
 |---|---|:---: |:---:|:---:|
-| name | VPN gateway name, and prefix used for dependent resources. | string | ✓ | |
+| name | VPN Gateway name (if an existing VPN Gateway is not used), and prefix used for dependent resources. | string | ✓ | |
 | network | VPC used for the gateway and routes. | string | ✓ | |
 | project_id | Project where resources will be created. | string | ✓ | |
 | region | Region used for resources. | string | ✓ | |
@@ -146,16 +146,18 @@ module "vpn_ha" {
 | *router_advertise_config* | Router custom advertisement configuration, ip_ranges is a map of address ranges and descriptions. | object({...}) | | null |
 | *router_asn* | Router ASN used for auto-created router. | number | | 64514 |
 | *router_create* | Create router. | bool | | true |
-| *router_name* | Router name used for auto created router, or to specify existing router to use. Leave blank to use VPN name for auto created router. | string | | |
+| *router_name* | Router name used for auto created router, or to specify an existing router to use if `router_create` is set to `true`. Leave blank to use VPN name for auto created router. | string | | |
 | *tunnels* | VPN tunnel configurations, bgp_peer_options is usually null. | map(object({...})) | | {} |
+| *vpn_gateway* | HA VPN Gateway Self Link for using an existing HA VPN Gateway, leave empty if `vpn_gateway_create` is set to `true`. | string | | null |
+| *vpn_gateway_create* | Create HA VPN Gateway. | bool | | true |
 
 ## Outputs
 
 | name | description | sensitive |
 |---|---|:---:|
 | external_gateway | External VPN gateway resource. | |
-| gateway | HA VPN gateway resource. | |
-| name | VPN gateway name. | |
+| gateway | VPN gateway resource (only if auto-created). | |
+| name | VPN gateway name (only if auto-created). | |
 | random_secret | Generated secret. | ✓ |
 | router | Router resource (only if auto-created). | |
 | router_name | Router name. | |
diff --git a/modules/net-vpn-ha/main.tf b/modules/net-vpn-ha/main.tf
index 141bffc73..7f6e4fa00 100644
--- a/modules/net-vpn-ha/main.tf
+++ b/modules/net-vpn-ha/main.tf
@@ -27,11 +27,17 @@ locals {
 ? try(google_compute_router.router[0].name, null)
 : var.router_name
 )
+ vpn_gateway = (
+ var.vpn_gateway_create
+ ? try(google_compute_ha_vpn_gateway.ha_gateway[0].self_link, null)
+ : var.vpn_gateway
+ )
 secret = random_id.secret.b64_url
 }
 
 resource "google_compute_ha_vpn_gateway" "ha_gateway" {
 provider = google-beta
+ count = var.vpn_gateway_create ? 1 : 0
 name = var.name
 project = var.project_id
 region = var.region
@@ -55,12 +61,11 @@ resource "google_compute_external_vpn_gateway" "external_gateway" {
 }
 
 resource "google_compute_router" "router" {
- provider = google-beta
- count = var.router_create ? 1 : 0
- name = var.router_name == "" ? "vpn-${var.name}" : var.router_name
- project = var.project_id
- region = var.region
- network = var.network
+ count = var.router_create ? 1 : 0
+ name = var.router_name == "" ? "vpn-${var.name}" : var.router_name
+ project = var.project_id
+ region = var.region
+ network = var.network
 bgp {
 advertise_mode = (
 var.router_advertise_config == null
@@ -135,7 +140,6 @@ resource "google_compute_router_peer" "bgp_peer" {
 }
 
 resource "google_compute_router_interface" "router_interface" {
- provider = google-beta
 for_each = var.tunnels
 project = var.project_id
 region = var.region
@@ -162,7 +166,7 @@ resource "google_compute_vpn_tunnel" "tunnels" {
 ? local.secret
 : each.value.shared_secret
 )
- vpn_gateway = google_compute_ha_vpn_gateway.ha_gateway.self_link
+ vpn_gateway = local.vpn_gateway
 }
 
 resource "random_id" "secret" {
diff --git a/modules/net-vpn-ha/outputs.tf b/modules/net-vpn-ha/outputs.tf
index 942693772..7227e8f33 100644
--- a/modules/net-vpn-ha/outputs.tf
+++ b/modules/net-vpn-ha/outputs.tf
@@ -1,4 +1,3 @@
-
 /**
 * Copyright 2019 Google LLC
 *
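Review bot: Adding `count` to `google_compute_ha_vpn_gateway.ha_gateway` changes its state address to `ha_gateway[0]`, so on an existing deployment the plan is a destroy and create of the gateway, and because the tunnels in the last main.tf hunk now read `local.vpn_gateway` they would follow it if the provider treats `vpn_gateway` as replacement-forcing, as I believe it does — a VPN outage rather than a state-only change. The CHANGELOG entry in this patch directs users to `terraform state rm` plus `terraform import`; `terraform state mv 'module.<MODULE_NAME>.google_compute_ha_vpn_gateway.ha_gateway' 'module.<MODULE_NAME>.google_compute_ha_vpn_gateway.ha_gateway[0]'` keeps the live object in place with one step and no re-creation (placeholder module name). Worth a comment above the resource, e.g. `# count changes the address to ha_gateway[0]; move existing state with 'terraform state mv' before upgrading`. The `locals` block that receives the new `vpn_gateway` entry starts outside the hunk.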
@@ -16,8 +15,12 @@
 */
 
 output "gateway" {
- description = "HA VPN gateway resource."
- value = google_compute_ha_vpn_gateway.ha_gateway
+ description = "VPN gateway resource (only if auto-created)."
+ value = (
+ var.vpn_gateway_create
+ ? google_compute_ha_vpn_gateway.ha_gateway[0]
+ : null
+ )
 }
 
 output "external_gateway" {
@@ -30,13 +33,21 @@ output "external_gateway" {
 }
 
 output "name" {
- description = "VPN gateway name."
- value = google_compute_ha_vpn_gateway.ha_gateway.name
+ description = "VPN gateway name (only if auto-created). "
+ value = (
+ var.vpn_gateway_create
+ ? google_compute_ha_vpn_gateway.ha_gateway[0].name
+ : null
+ )
 }
 
 output "router" {
 description = "Router resource (only if auto-created)."
- value = var.router_name == "" ? google_compute_router.router[0] : null
+ value = (
+ var.router_name == ""
+ ? google_compute_router.router[0]
+ : null
+ )
 }
 
 output "router_name" {
@@ -46,7 +57,7 @@ output "router_name" {
 
 output "self_link" {
 description = "HA VPN gateway self link."
- value = google_compute_ha_vpn_gateway.ha_gateway.self_link
+ value = local.vpn_gateway
 }
 
 output "tunnels" {
diff --git a/modules/net-vpn-ha/variables.tf b/modules/net-vpn-ha/variables.tf
index 55f4ec899..81016addf 100644
--- a/modules/net-vpn-ha/variables.tf
+++ b/modules/net-vpn-ha/variables.tf
@@ -15,10 +15,22 @@
 */
 
 variable "name" {
- description = "VPN gateway name, and prefix used for dependent resources."
+ description = "VPN Gateway name (if an existing VPN Gateway is not used), and prefix used for dependent resources."
 type = string
 }
 
+variable "vpn_gateway_create" {
+ description = "Create HA VPN Gateway."
+ type = bool
+ default = true
+}
+
+variable "vpn_gateway" {
+ description = "HA VPN Gateway Self Link for using an existing HA VPN Gateway, leave empty if `vpn_gateway_create` is set to `true`."
+ type = string
+ default = null
+}
+
 variable "network" {
 description = "VPC used for the gateway and routes."
 type = string
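Review bot: The rewritten `router` output still keys on `var.router_name == ""` while the router resource in the main.tf hunk is guarded by `count = var.router_create ? 1 : 0`; with `router_create = false` and the default empty `router_name` the expression indexes `google_compute_router.router[0]` on an empty list and the plan fails, and with `router_create = true` plus an explicit `router_name` it returns `null` for a router the module did create. The condition was inherited, but since the hunk rewrites the expression it should mirror the count the way the new `gateway` output mirrors `vpn_gateway_create`: `var.router_create ? google_compute_router.router[0] : null`. Separately, the new `name` output description carries a stray trailing space inside the string, `"VPN gateway name (only if auto-created). "`, which will be copied into generated docs.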
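Review bot: `vpn_gateway` defaults to `null` and nothing rejects `vpn_gateway_create = false` with `vpn_gateway` left unset, so `local.vpn_gateway` in the main.tf hunk evaluates to `null` and every tunnel is planned with `vpn_gateway = null`, which surfaces only as a provider error at apply time instead of a clear message at plan time. A `validation` block cannot express this before Terraform 1.9 because its condition may only reference the variable it belongs to, so the practical fix is to state the contract explicitly in the description, e.g. `description = "Self link of an existing HA VPN Gateway; required when vpn_gateway_create is false, leave null otherwise."`, and keep the README row in sync.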
@@ -81,7 +93,7 @@ variable "router_create" {
 }
 
 variable "router_name" {
- description = "Router name used for auto created router, or to specify existing router to use. Leave blank to use VPN name for auto created router."
+ description = "Router name used for auto created router, or to specify an existing router to use if `router_create` is set to `true`. Leave blank to use VPN name for auto created router."
 type = string
 default = ""
 }

From 931af3e94359f5a7ffdf522043eeddb00a612062 Mon Sep 17 00:00:00 2001
From: Aleksandr Averbukh
Date: Tue, 1 Sep 2020 14:18:37 +0200
Subject: [PATCH 2/3] Fix subnet logging test

---
 tests/modules/net_vpc/test_plan_subnets.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tests/modules/net_vpc/test_plan_subnets.py b/tests/modules/net_vpc/test_plan_subnets.py
index 473a1c343..37be4e5c6 100644
--- a/tests/modules/net_vpc/test_plan_subnets.py
+++ b/tests/modules/net_vpc/test_plan_subnets.py
@@ -58,7 +58,8 @@ def test_subnet_log_configs(plan_runner):
 for r in resources:
 if r['type'] != 'google_compute_subnetwork':
 continue
- flow_logs[r['values']['name']] = r['values']['log_config']
+ flow_logs[r['values']['name']] = {key: r['values']['log_config'][key] for key in r['values']['log_config'].keys()
+ & {'aggregation_interval', 'flow_sampling', 'metadata'}}
 assert flow_logs == {
 # enable, override one default option
 'a': [{

From aacb570ac8b14cff12efc6f3802fe2e37b91d4bc Mon Sep 17 00:00:00 2001
From: Aleksandr Averbukh
Date: Tue, 1 Sep 2020 15:00:16 +0200
Subject: [PATCH 3/3] Fix list of log config attributes to be tested

---
 tests/modules/net_vpc/test_plan_subnets.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/tests/modules/net_vpc/test_plan_subnets.py b/tests/modules/net_vpc/test_plan_subnets.py
index 37be4e5c6..2d14f6f53 100644
--- a/tests/modules/net_vpc/test_plan_subnets.py
+++ b/tests/modules/net_vpc/test_plan_subnets.py
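Review bot: The new `router_name` description says an existing router is used "if `router_create` is set to `true`", but the `router` local visible in the main.tf hunk context takes `var.router_name` only on the false branch (`var.router_create ? try(google_compute_router.router[0].name, null) : var.router_name`), and with `router_create = true` the value merely renames the auto-created router. The README row in the first patch repeats the same wording, so a user following it would set the flag the wrong way and get a second router instead of reusing theirs. The fix is to change `true` to `false` in that sentence, in both the variable description and the README table.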
@@ -58,8 +58,9 @@ def test_subnet_log_configs(plan_runner):
 for r in resources:
 if r['type'] != 'google_compute_subnetwork':
 continue
- flow_logs[r['values']['name']] = {key: r['values']['log_config'][key] for key in r['values']['log_config'].keys()
- & {'aggregation_interval', 'flow_sampling', 'metadata'}}
+ flow_logs[r['values']['name']] = [{key: config[key] for key in config.keys()
+ & {'aggregation_interval', 'flow_sampling', 'metadata'}}
+ for config in r['values']['log_config']]
 assert flow_logs == {
 # enable, override one default option
 'a': [{
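Review bot: The `& {...}` continuation of the dict comprehension is broken onto its own line at the same indentation as the assignment, so it reads as a separate statement, and the three attribute names are a bare literal with nothing saying why only these are compared. Hoist the set to a module constant with a comment such as `# log_config attributes this test pins; other provider-added attributes are deliberately ignored` and write the loop body as `flow_logs[r['values']['name']] = [{k: c[k] for k in LOG_CONFIG_KEYS & c.keys()} for c in r['values']['log_config']]` with `LOG_CONFIG_KEYS = {'aggregation_interval', 'flow_sampling', 'metadata'}` at module level. Note that narrowing the comparison this way means any other `log_config` attribute the plan carries is no longer asserted, so a regression in one of them would pass silently; if that is intended, the constant's comment should say so. The enclosing `test_subnet_log_configs` starts before the hunk.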