diff --git a/fast/stages/02-networking-nva/README.md b/fast/stages/02-networking-nva/README.md
index 225fc9e30..57985273a 100644
--- a/fast/stages/02-networking-nva/README.md
+++ b/fast/stages/02-networking-nva/README.md
@@ -376,10 +376,10 @@ Don't forget to add a peering zone in the landing project and point it to the ne
| [l7ilb_subnets](variables.tf#L81) | Subnets used for L7 ILBs. | map(list(object({…}))) | | {…} | |
| [onprem_cidr](variables.tf#L99) | Onprem addresses in name => range format. | map(string) | | {…} | |
| [outputs_location](variables.tf#L117) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
-| [psa_ranges](variables.tf#L134) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | {…} | |
-| [router_configs](variables.tf#L192) | Configurations for CRs and onprem routers. | map(object({…})) | | {…} | |
-| [service_accounts](variables.tf#L215) | Automation service accounts in name => email format. | object({…}) | | null | 01-resman |
-| [vpn_onprem_configs](variables.tf#L227) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
+| [psa_ranges](variables.tf#L134) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | {…} | |
+| [router_configs](variables.tf#L174) | Configurations for CRs and onprem routers. | map(object({…})) | | {…} | |
+| [service_accounts](variables.tf#L197) | Automation service accounts in name => email format. | object({…}) | | null | 01-resman |
+| [vpn_onprem_configs](variables.tf#L209) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
## Outputs
diff --git a/fast/stages/02-networking-nva/variables.tf b/fast/stages/02-networking-nva/variables.tf
index daad7bd8a..6f87fa62e 100644
--- a/fast/stages/02-networking-nva/variables.tf
+++ b/fast/stages/02-networking-nva/variables.tf
@@ -134,57 +134,39 @@ variable "prefix" {
variable "psa_ranges" {
description = "IP ranges used for Private Service Access (e.g. CloudSQL)."
type = object({
- dev = map(object({
- ranges = list(string)
+ dev = object({
+ ranges = map(string)
routes = object({
export = bool
import = bool
})
- }))
- prod = map(object({
- ranges = list(string)
+ })
+ prod = object({
+ ranges = map(string)
routes = object({
export = bool
import = bool
})
- }))
+ })
})
default = {
dev = {
- cloudsql-mysql-ew1 = {
- ranges = ["10.128.157.0/24"]
- routes = null
- }
- cloudsql-mysql-ew4 = {
- ranges = ["10.128.189.0/24"]
- routes = null
- }
- cloudsql-sqlserver-ew1 = {
- ranges = ["10.128.158.0/24"]
- routes = null
- }
- cloudsql-sqlserver-ew4 = {
- ranges = ["10.128.190.0/24"]
- routes = null
+ ranges = {
+ cloudsql-mysql-ew1 = "10.128.157.0/24"
+ cloudsql-mysql-ew4 = "10.128.189.0/24"
+ cloudsql-sqlserver-ew1 = "10.128.158.0/24"
+ cloudsql-sqlserver-ew4 = "10.128.190.0/24"
}
+ routes = null
}
prod = {
- cloudsql-mysql-ew1 = {
- ranges = ["10.128.221.0/24"]
- routes = null
- }
- cloudsql-mysql-ew4 = {
- ranges = ["10.128.253.0/24"]
- routes = null
- }
- cloudsql-sqlserver-ew1 = {
- ranges = ["10.128.222.0/24"]
- routes = null
- }
- cloudsql-sqlserver-ew4 = {
- ranges = ["10.128.254.0/24"]
- routes = null
+ ranges = {
+ cloudsql-mysql-ew1 = "10.128.221.0/24"
+ cloudsql-mysql-ew4 = "10.128.253.0/24"
+ cloudsql-sqlserver-ew1 = "10.128.222.0/24"
+ cloudsql-sqlserver-ew4 = "10.128.254.0/24"
}
+ routes = null
}
}
}
diff --git a/fast/stages/02-networking-peering/README.md b/fast/stages/02-networking-peering/README.md
index 9adc8ce1d..f99a0f348 100644
--- a/fast/stages/02-networking-peering/README.md
+++ b/fast/stages/02-networking-peering/README.md
@@ -298,10 +298,10 @@ DNS configurations are centralised in the `dns.tf` file. Spokes delegate DNS res
| [l7ilb_subnets](variables.tf#L76) | Subnets used for L7 ILBs. | map(list(object({…}))) | | {…} | |
| [outputs_location](variables.tf#L104) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
| [peering_configs](variables-peerings.tf#L19) | Peering configurations. | map(object({…})) | | {…} | |
-| [psa_ranges](variables.tf#L121) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | {…} | |
-| [router_onprem_configs](variables.tf#L163) | Configurations for routers used for onprem connectivity. | map(object({…})) | | {…} | |
-| [service_accounts](variables.tf#L181) | Automation service accounts in name => email format. | object({…}) | | null | 01-resman |
-| [vpn_onprem_configs](variables.tf#L193) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
+| [psa_ranges](variables.tf#L121) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | {…} | |
+| [router_onprem_configs](variables.tf#L157) | Configurations for routers used for onprem connectivity. | map(object({…})) | | {…} | |
+| [service_accounts](variables.tf#L175) | Automation service accounts in name => email format. | object({…}) | | null | 01-resman |
+| [vpn_onprem_configs](variables.tf#L187) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
## Outputs
diff --git a/fast/stages/02-networking-peering/variables.tf b/fast/stages/02-networking-peering/variables.tf
index 4093739e0..3701303f0 100644
--- a/fast/stages/02-networking-peering/variables.tf
+++ b/fast/stages/02-networking-peering/variables.tf
@@ -121,41 +121,35 @@ variable "prefix" {
variable "psa_ranges" {
description = "IP ranges used for Private Service Access (e.g. CloudSQL)."
type = object({
- dev = map(object({
- ranges = list(string)
+ dev = object({
+ ranges = map(string)
routes = object({
export = bool
import = bool
})
- }))
- prod = map(object({
- ranges = list(string)
+ })
+ prod = object({
+ ranges = map(string)
routes = object({
export = bool
import = bool
})
- }))
+ })
})
default = {
dev = {
- cloudsql-mysql = {
- ranges = ["10.128.62.0/24"]
- routes = null
- }
- cloudsql-sqlserver = {
- ranges = ["10.128.63.0/24"]
- routes = null
+ ranges = {
+ cloudsql-mysql = "10.128.62.0/24"
+ cloudsql-sqlserver = "10.128.63.0/24"
}
+ routes = null
}
prod = {
- cloudsql-mysql = {
- ranges = ["10.128.94.0/24"]
- routes = null
- }
- cloudsql-sqlserver = {
- ranges = ["10.128.95.0/24"]
- routes = null
+ ranges = {
+ cloudsql-mysql = "10.128.94.0/24"
+ cloudsql-sqlserver = "10.128.95.0/24"
}
+ routes = null
}
}
}
diff --git a/fast/stages/02-networking-vpn/README.md b/fast/stages/02-networking-vpn/README.md
index b856aec0b..6d950cda4 100644
--- a/fast/stages/02-networking-vpn/README.md
+++ b/fast/stages/02-networking-vpn/README.md
@@ -321,11 +321,11 @@ DNS configurations are centralised in the `dns.tf` file. Spokes delegate DNS res
| [dns](variables.tf#L58) | Onprem DNS resolvers. | map(list(string)) | | {…} | |
| [l7ilb_subnets](variables.tf#L76) | Subnets used for L7 ILBs. | map(list(object({…}))) | | {…} | |
| [outputs_location](variables.tf#L104) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
-| [psa_ranges](variables.tf#L121) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | {…} | |
-| [router_onprem_configs](variables.tf#L163) | Configurations for routers used for onprem connectivity. | map(object({…})) | | {…} | |
+| [psa_ranges](variables.tf#L121) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | {…} | |
+| [router_onprem_configs](variables.tf#L157) | Configurations for routers used for onprem connectivity. | map(object({…})) | | {…} | |
| [router_spoke_configs](variables-vpn.tf#L18) | Configurations for routers used for internal connectivity. | map(object({…})) | | {…} | |
-| [service_accounts](variables.tf#L181) | Automation service accounts in name => email format. | object({…}) | | null | 01-resman |
-| [vpn_onprem_configs](variables.tf#L193) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
+| [service_accounts](variables.tf#L175) | Automation service accounts in name => email format. | object({…}) | | null | 01-resman |
+| [vpn_onprem_configs](variables.tf#L187) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
| [vpn_spoke_configs](variables-vpn.tf#L37) | VPN gateway configuration for spokes. | map(object({…})) | | {…} | |
## Outputs
diff --git a/fast/stages/02-networking-vpn/variables.tf b/fast/stages/02-networking-vpn/variables.tf
index 4093739e0..3701303f0 100644
--- a/fast/stages/02-networking-vpn/variables.tf
+++ b/fast/stages/02-networking-vpn/variables.tf
@@ -121,41 +121,35 @@ variable "prefix" {
variable "psa_ranges" {
description = "IP ranges used for Private Service Access (e.g. CloudSQL)."
type = object({
- dev = map(object({
- ranges = list(string)
+ dev = object({
+ ranges = map(string)
routes = object({
export = bool
import = bool
})
- }))
- prod = map(object({
- ranges = list(string)
+ })
+ prod = object({
+ ranges = map(string)
routes = object({
export = bool
import = bool
})
- }))
+ })
})
default = {
dev = {
- cloudsql-mysql = {
- ranges = ["10.128.62.0/24"]
- routes = null
- }
- cloudsql-sqlserver = {
- ranges = ["10.128.63.0/24"]
- routes = null
+ ranges = {
+ cloudsql-mysql = "10.128.62.0/24"
+ cloudsql-sqlserver = "10.128.63.0/24"
}
+ routes = null
}
prod = {
- cloudsql-mysql = {
- ranges = ["10.128.94.0/24"]
- routes = null
- }
- cloudsql-sqlserver = {
- ranges = ["10.128.95.0/24"]
- routes = null
+ ranges = {
+ cloudsql-mysql = "10.128.94.0/24"
+ cloudsql-sqlserver = "10.128.95.0/24"
}
+ routes = null
}
}
}
diff --git a/modules/cloudsql-instance/README.md b/modules/cloudsql-instance/README.md
index fc8d334b4..31fe49162 100644
--- a/modules/cloudsql-instance/README.md
+++ b/modules/cloudsql-instance/README.md
@@ -25,7 +25,10 @@ module "vpc" {
source = "./modules/net-vpc"
project_id = module.project.project_id
name = "my-network"
- psa_config = {cloudsql-ew1-0 = {ranges = ["10.60.0.0/16"], routes = null}}
+ psa_config = {
+ ranges = { cloud-sql = "10.60.0.0/16" }
+ routes = null
+ }
}
module "db" {
@@ -37,7 +40,7 @@ module "db" {
database_version = "POSTGRES_13"
tier = "db-g1-small"
}
-# tftest modules=3 resources=6
+# tftest modules=3 resources=9
```
## Cross-regional read replica
diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md
index 909f08d26..4102d92ed 100644
--- a/modules/net-vpc/README.md
+++ b/modules/net-vpc/README.md
@@ -139,17 +139,15 @@ module "vpc" {
}
]
psa_config = {
- my_service = {
- ranges = [
- "10.0.1.0/24"
- ],
- routes = null
- }
+ ranges = { myrange = "10.0.1.0/24" }
+ routes = null
}
}
-# tftest modules=1 resources=4
+# tftest modules=1 resources=5
```
+### Private Service Networking with peering routes
+
Custom routes can be optionally exported/imported through the peering formed with the Google managed PSA VPC.
```hcl
@@ -166,15 +164,8 @@ module "vpc" {
}
]
psa_config = {
- my_service = {
- ranges = [
- "10.0.1.0/24"
- ],
- routes = {
- export=true,
- import=true
- }
- }
+ ranges = { myrange = "10.0.1.0/24" }
+ routes = { export=true, import=true }
}
}
# tftest modules=1 resources=5
@@ -257,7 +248,7 @@ flow_logs: # enable, set to empty map to use defaults
| [mtu](variables.tf#L80) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 and the maximum value is 1500 bytes. | null |
| [peering_config](variables.tf#L90) | VPC peering configuration. | object({…}) | | null |
| [peering_create_remote_end](variables.tf#L100) | Skip creation of peering on the remote end when using peering_config. | bool | | true |
-| [psa_config](variables.tf#L111) | The Private Service Access configuration. | map(object({…})) | | null |
+| [psa_config](variables.tf#L111) | The Private Service Access configuration for Service Networking. | object({…}) | | null |
| [routes](variables.tf#L123) | Network routes, keyed by name. | map(object({…})) | | {} |
| [routing_mode](variables.tf#L135) | The network routing mode (default 'GLOBAL'). | string | | "GLOBAL" |
| [shared_vpc_host](variables.tf#L145) | Enable shared VPC for this project. | bool | | false |
diff --git a/modules/net-vpc/main.tf b/modules/net-vpc/main.tf
index 7e750c45e..b5aa7b6a0 100644
--- a/modules/net-vpc/main.tf
+++ b/modules/net-vpc/main.tf
@@ -52,17 +52,7 @@ locals {
secondary_ip_range = try(v.secondary_ip_range, {})
}
}
- _iam = var.iam == null ? {} : var.iam
- _psa_ranges = flatten([
- for k, v in coalesce(var.psa_config, {}) : [
- for r in v.ranges : {
- key = "${k}:${index(v.ranges, r)}"
- name = "${k}-${index(v.ranges, r)}"
- address = try(split("/", r)[0], null)
- prefix_length = try(split("/", r)[1], null)
- }
- ]
- ])
+ _iam = var.iam == null ? {} : var.iam
_routes = var.routes == null ? {} : var.routes
_subnet_flow_logs = {
for k, v in var.subnet_flow_logs : k => merge(
@@ -88,7 +78,11 @@ locals {
? null
: element(reverse(split("/", var.peering_config.peer_vpc_self_link)), 0)
)
- psa_ranges = { for e in local._psa_ranges : e.key => e }
+ psa_config = (
+ var.psa_config == null
+ ? { ranges = {}, routes = null }
+ : var.psa_config
+ )
routes = {
gateway = { for k, v in local._routes : k => v if v.next_hop_type == "gateway" }
ilb = { for k, v in local._routes : k => v if v.next_hop_type == "ilb" }
@@ -333,31 +327,30 @@ resource "google_dns_policy" "default" {
}
resource "google_compute_global_address" "psa_ranges" {
- for_each = local.psa_ranges
+ for_each = local.psa_config.ranges
project = var.project_id
- name = each.value.name
+ name = each.key
purpose = "VPC_PEERING"
address_type = "INTERNAL"
- address = each.value.address
- prefix_length = each.value.prefix_length
+ address = split("/", each.value)[0]
+ prefix_length = split("/", each.value)[1]
network = local.network.id
}
resource "google_service_networking_connection" "psa_connection" {
- for_each = coalesce(var.psa_config, {})
+ for_each = var.psa_config == null ? {} : { 1 = 1 }
network = local.network.id
service = "servicenetworking.googleapis.com"
reserved_peering_ranges = [
- for k, v in google_compute_global_address.psa_ranges :
- v.name if try(split(":", k)[0], null) == each.key
+ for k, v in google_compute_global_address.psa_ranges : v.name
]
}
resource "google_compute_network_peering_routes_config" "psa_routes" {
- for_each = { for k, v in coalesce(var.psa_config, {}) : k => v if try(v.routes) != null }
+ for_each = var.psa_config == null ? {} : { 1 = 1 }
project = var.project_id
- peering = google_service_networking_connection.psa_connection[each.key].peering
+ peering = google_service_networking_connection.psa_connection["1"].peering
network = local.network.id
- export_custom_routes = coalesce(each.value.routes.export, false)
- import_custom_routes = coalesce(each.value.routes.import, false)
+ export_custom_routes = try(var.psa_config.routes.export, false)
+ import_custom_routes = try(var.psa_config.routes.import, false)
}
diff --git a/modules/net-vpc/variables.tf b/modules/net-vpc/variables.tf
index 32f7e77a7..464ccfa03 100644
--- a/modules/net-vpc/variables.tf
+++ b/modules/net-vpc/variables.tf
@@ -109,14 +109,14 @@ variable "project_id" {
}
variable "psa_config" {
- description = "The Private Service Access configuration."
- type = map(object({
- ranges = list(string) # CIDRs in the format x.x.x.x/yy
+ description = "The Private Service Access configuration for Service Networking."
+ type = object({
+ ranges = map(string)
routes = object({
export = bool
import = bool
})
- }))
+ })
default = null
}
diff --git a/modules/project/README.md b/modules/project/README.md
index e4f213912..42d435d9e 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -250,7 +250,7 @@ module "project" {
| [main.tf](./main.tf) | Module-level locals and resources. | google_compute_project_metadata_item · google_essential_contacts_contact · google_monitoring_monitored_project · google_project · google_project_service · google_resource_manager_lien |
| [organization-policies.tf](./organization-policies.tf) | Project-level organization policies. | google_project_organization_policy |
| [outputs.tf](./outputs.tf) | Module outputs. | |
-| [service-accounts.tf](./service-accounts.tf) | Service identities and supporting resources. | google_kms_crypto_key_iam_member · google_project_service_identity |
+| [service-accounts.tf](./service-accounts.tf) | Service identities and supporting resources. | google_kms_crypto_key_iam_member · google_project_iam_member · google_project_service_identity |
| [shared-vpc.tf](./shared-vpc.tf) | Shared VPC project-level configuration. | google_compute_shared_vpc_host_project · google_compute_shared_vpc_service_project · google_project_iam_member |
| [tags.tf](./tags.tf) | None | google_tags_tag_binding |
| [variables.tf](./variables.tf) | Module variables. | |
@@ -302,7 +302,7 @@ module "project" {
| [name](outputs.tf#L25) | Project name. | |
| [number](outputs.tf#L38) | Project number. | |
| [project_id](outputs.tf#L51) | Project id. | |
-| [service_accounts](outputs.tf#L66) | Product robot service accounts in project. | |
-| [sink_writer_identities](outputs.tf#L82) | Writer identities created for each sink. | |
+| [service_accounts](outputs.tf#L68) | Product robot service accounts in project. | |
+| [sink_writer_identities](outputs.tf#L84) | Writer identities created for each sink. | |
diff --git a/modules/project/outputs.tf b/modules/project/outputs.tf
index 10d0e5585..4644e1b72 100644
--- a/modules/project/outputs.tf
+++ b/modules/project/outputs.tf
@@ -59,7 +59,9 @@ output "project_id" {
google_project_service.project_services,
google_compute_shared_vpc_service_project.service_projects,
google_project_iam_member.shared_vpc_host_robots,
- google_kms_crypto_key_iam_member.service_identity_cmek
+ google_kms_crypto_key_iam_member.service_identity_cmek,
+ google_project_service_identity.servicenetworking,
+ google_project_iam_member.servicenetworking
]
}
diff --git a/modules/project/service-accounts.tf b/modules/project/service-accounts.tf
index 34235245b..eae98e237 100644
--- a/modules/project/service-accounts.tf
+++ b/modules/project/service-accounts.tf
@@ -84,6 +84,21 @@ data "google_bigquery_default_service_account" "bq_sa" {
depends_on = [google_project_service.project_services]
}
+resource "google_project_service_identity" "servicenetworking" {
+ provider = google-beta
+ count = contains(var.services, "servicenetworking.googleapis.com") ? 1 : 0
+ project = local.project.project_id
+ service = "servicenetworking.googleapis.com"
+ depends_on = [google_project_service.project_services]
+}
+
+resource "google_project_iam_member" "servicenetworking" {
+ count = contains(var.services, "servicenetworking.googleapis.com") ? 1 : 0
+ project = local.project.project_id
+ role = "roles/servicenetworking.serviceAgent"
+ member = "serviceAccount:${google_project_service_identity.servicenetworking.0.email}"
+}
+
# Secret Manager SA created just in time, we need to trigger the creation.
resource "google_project_service_identity" "jit_si" {
for_each = setintersection(var.services, local.service_accounts_jit_services)
diff --git a/tests/examples/data_solutions/cmek_via_centralized_kms/test_plan.py b/tests/examples/data_solutions/cmek_via_centralized_kms/test_plan.py
index 5d3093c0e..22d474b43 100644
--- a/tests/examples/data_solutions/cmek_via_centralized_kms/test_plan.py
+++ b/tests/examples/data_solutions/cmek_via_centralized_kms/test_plan.py
@@ -16,4 +16,4 @@ def test_resources(e2e_plan_runner):
"Test that plan works and the numbers of resources is as expected."
modules, resources = e2e_plan_runner()
assert len(modules) == 7
- assert len(resources) == 23
+ assert len(resources) == 27
diff --git a/tests/examples/data_solutions/data_platform_foundations/test_plan.py b/tests/examples/data_solutions/data_platform_foundations/test_plan.py
index b000b126f..4857bf9f1 100644
--- a/tests/examples/data_solutions/data_platform_foundations/test_plan.py
+++ b/tests/examples/data_solutions/data_platform_foundations/test_plan.py
@@ -24,4 +24,4 @@ def test_resources(e2e_plan_runner):
"Test that plan works and the numbers of resources is as expected."
modules, resources = e2e_plan_runner(FIXTURES_DIR)
assert len(modules) == 40
- assert len(resources) == 282
+ assert len(resources) == 296
diff --git a/tests/examples/data_solutions/gcs_to_bq_with_least_privileges/test_plan.py b/tests/examples/data_solutions/gcs_to_bq_with_least_privileges/test_plan.py
index 37ea4e8a9..9a5bbe168 100644
--- a/tests/examples/data_solutions/gcs_to_bq_with_least_privileges/test_plan.py
+++ b/tests/examples/data_solutions/gcs_to_bq_with_least_privileges/test_plan.py
@@ -24,4 +24,4 @@ def test_resources(e2e_plan_runner):
"Test that plan works and the numbers of resources is as expected."
modules, resources = e2e_plan_runner(FIXTURES_DIR)
assert len(modules) == 11
- assert len(resources) == 44
+ assert len(resources) == 46
diff --git a/tests/modules/net_vpc/fixture/variables.tf b/tests/modules/net_vpc/fixture/variables.tf
index 459e3770d..8cf433760 100644
--- a/tests/modules/net_vpc/fixture/variables.tf
+++ b/tests/modules/net_vpc/fixture/variables.tf
@@ -35,16 +35,12 @@ variable "iam" {
}
variable "log_configs" {
- type = map(map(string))
+ type = any
default = null
}
variable "log_config_defaults" {
- type = object({
- aggregation_interval = string
- flow_sampling = number
- metadata = string
- })
+ type = any
default = {
aggregation_interval = "INTERVAL_5_SEC"
flow_sampling = 0.5
@@ -63,24 +59,12 @@ variable "peering_config" {
variable "psa_config" {
description = "The Private Service Access configuration."
- type = map(object({
- ranges = list(string)
- routes = object({
- export = bool
- import = bool
- })
- }))
- default = null
+ type = any
+ default = null
}
variable "routes" {
- type = map(object({
- dest_range = string
- priority = number
- tags = list(string)
- next_hop_type = string # gateway, instance, ip, vpn_tunnel, ilb
- next_hop = string
- }))
+ type = any
default = null
}
@@ -104,14 +88,8 @@ variable "shared_vpc_service_projects" {
variable "subnets" {
description = "The list of subnets being created."
- type = list(object({
- name = string
- ip_cidr_range = string
- name = string
- region = string
- secondary_ip_range = map(string)
- }))
- default = []
+ type = any
+ default = []
}
variable "subnet_descriptions" {
diff --git a/tests/modules/net_vpc/test_plan_psa.py b/tests/modules/net_vpc/test_plan_psa.py
index ef6dbc661..cec1fc040 100644
--- a/tests/modules/net_vpc/test_plan_psa.py
+++ b/tests/modules/net_vpc/test_plan_psa.py
@@ -12,90 +12,74 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-import tftest
-
def test_single_range(plan_runner):
"Test single PSA range."
psa_config = '''{
- foobar = {
- ranges = [
- "172.16.100.0/24"
- ],
- routes = null
- }
- }'''
- _, resources = plan_runner(psa_config=psa_config)
- assert len(resources) == 3
-
-
-def test_multi_range(plan_runner):
- "Test multiple PSA ranges."
- psa_config = '''{
- foobar = {
- ranges = [
- "172.16.100.0/24",
- "172.16.101.0/24"
- ],
- routes = null
+ ranges = {
+ bar = "172.16.100.0/24"
+ foo = "172.16.101.0/24"
},
- frobniz = {
- ranges = [
- "172.16.102.0/24"
- ],
- routes = null
- }
+ routes = null
}'''
_, resources = plan_runner(psa_config=psa_config)
- assert len(resources) == 6
+ assert len(resources) == 5
+ for r in resources:
+ if r['type'] == 'google_compute_network_peering_routes_config':
+ assert not r['values']['export_custom_routes']
+ assert not r['values']['import_custom_routes']
def test_routes_export(plan_runner):
"Test routes export."
psa_config = '''{
- foobar = {
- ranges = [
- "172.16.100.0/24"
- ],
- routes = {
- export = true
- import = false
- }
+ ranges = {
+ bar = "172.16.100.0/24"
+ },
+ routes = {
+ export = true
+ import = false
}
}'''
_, resources = plan_runner(psa_config=psa_config)
assert len(resources) == 4
+ for r in resources:
+ if r['type'] == 'google_compute_network_peering_routes_config':
+ assert r['values']['export_custom_routes']
+ assert not r['values']['import_custom_routes']
def test_routes_import(plan_runner):
"Test routes import."
psa_config = '''{
- foobar = {
- ranges = [
- "172.16.100.0/24"
- ],
- routes = {
- export = false
- import = true
- }
+ ranges = {
+ bar = "172.16.100.0/24"
+ },
+ routes = {
+ export = false
+ import = true
}
}'''
_, resources = plan_runner(psa_config=psa_config)
- assert len(resources) == 4
+ for r in resources:
+ if r['type'] == 'google_compute_network_peering_routes_config':
+ assert not r['values']['export_custom_routes']
+ assert r['values']['import_custom_routes']
def test_routes_export_import(plan_runner):
"Test routes export and import."
psa_config = '''{
- foobar = {
- ranges = [
- "172.16.100.0/24"
- ],
- routes = {
- export = true
- import = true
- }
+ ranges = {
+ bar = "172.16.100.0/24"
+ },
+ routes = {
+ export = true
+ import = true
}
}'''
_, resources = plan_runner(psa_config=psa_config)
- assert len(resources) == 4
+ for r in resources:
+ if r['type'] == 'google_compute_network_peering_routes_config':
+ assert r['values']['export_custom_routes']
+ assert r['values']['import_custom_routes']