Fix missing service networking identity in project, PSA (#585)
* test * test * test * fix * tfdoc * fix tests * fix tests
This commit is contained in:
Ludovico Magnocavallo
committed by
GitHub
GitHub
parent
976eb9fe48
commit
fef3ed8c93
@@ -139,17 +139,15 @@ module "vpc" {
|
||||
}
|
||||
]
|
||||
psa_config = {
|
||||
my_service = {
|
||||
ranges = [
|
||||
"10.0.1.0/24"
|
||||
],
|
||||
routes = null
|
||||
}
|
||||
ranges = { myrange = "10.0.1.0/24" }
|
||||
routes = null
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=4
|
||||
# tftest modules=1 resources=5
|
||||
```
|
||||
|
||||
### Private Service Networking with peering routes
|
||||
|
||||
Custom routes can be optionally exported/imported through the peering formed with the Google managed PSA VPC.
|
||||
|
||||
```hcl
|
||||
@@ -166,15 +164,8 @@ module "vpc" {
|
||||
}
|
||||
]
|
||||
psa_config = {
|
||||
my_service = {
|
||||
ranges = [
|
||||
"10.0.1.0/24"
|
||||
],
|
||||
routes = {
|
||||
export=true,
|
||||
import=true
|
||||
}
|
||||
}
|
||||
ranges = { myrange = "10.0.1.0/24" }
|
||||
routes = { export=true, import=true }
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=5
|
||||
@@ -257,7 +248,7 @@ flow_logs: # enable, set to empty map to use defaults
|
||||
| [mtu](variables.tf#L80) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 and the maximum value is 1500 bytes. | <code></code> | | <code>null</code> |
|
||||
| [peering_config](variables.tf#L90) | VPC peering configuration. | <code title="object({ peer_vpc_self_link = string export_routes = bool import_routes = bool })">object({…})</code> | | <code>null</code> |
|
||||
| [peering_create_remote_end](variables.tf#L100) | Skip creation of peering on the remote end when using peering_config. | <code>bool</code> | | <code>true</code> |
|
||||
| [psa_config](variables.tf#L111) | The Private Service Access configuration. | <code title="map(object({ ranges = list(string) # CIDRs in the format x.x.x.x/yy routes = object({ export = bool import = bool }) }))">map(object({…}))</code> | | <code>null</code> |
|
||||
| [psa_config](variables.tf#L111) | The Private Service Access configuration for Service Networking. | <code title="object({ ranges = map(string) routes = object({ export = bool import = bool }) })">object({…})</code> | | <code>null</code> |
|
||||
| [routes](variables.tf#L123) | Network routes, keyed by name. | <code title="map(object({ dest_range = string priority = number tags = list(string) next_hop_type = string # gateway, instance, ip, vpn_tunnel, ilb next_hop = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [routing_mode](variables.tf#L135) | The network routing mode (default 'GLOBAL'). | <code>string</code> | | <code>"GLOBAL"</code> |
|
||||
| [shared_vpc_host](variables.tf#L145) | Enable shared VPC for this project. | <code>bool</code> | | <code>false</code> |
|
||||
|
||||
@@ -52,17 +52,7 @@ locals {
|
||||
secondary_ip_range = try(v.secondary_ip_range, {})
|
||||
}
|
||||
}
|
||||
_iam = var.iam == null ? {} : var.iam
|
||||
_psa_ranges = flatten([
|
||||
for k, v in coalesce(var.psa_config, {}) : [
|
||||
for r in v.ranges : {
|
||||
key = "${k}:${index(v.ranges, r)}"
|
||||
name = "${k}-${index(v.ranges, r)}"
|
||||
address = try(split("/", r)[0], null)
|
||||
prefix_length = try(split("/", r)[1], null)
|
||||
}
|
||||
]
|
||||
])
|
||||
_iam = var.iam == null ? {} : var.iam
|
||||
_routes = var.routes == null ? {} : var.routes
|
||||
_subnet_flow_logs = {
|
||||
for k, v in var.subnet_flow_logs : k => merge(
|
||||
@@ -88,7 +78,11 @@ locals {
|
||||
? null
|
||||
: element(reverse(split("/", var.peering_config.peer_vpc_self_link)), 0)
|
||||
)
|
||||
psa_ranges = { for e in local._psa_ranges : e.key => e }
|
||||
psa_config = (
|
||||
var.psa_config == null
|
||||
? { ranges = {}, routes = null }
|
||||
: var.psa_config
|
||||
)
|
||||
routes = {
|
||||
gateway = { for k, v in local._routes : k => v if v.next_hop_type == "gateway" }
|
||||
ilb = { for k, v in local._routes : k => v if v.next_hop_type == "ilb" }
|
||||
@@ -333,31 +327,30 @@ resource "google_dns_policy" "default" {
|
||||
}
|
||||
|
||||
resource "google_compute_global_address" "psa_ranges" {
|
||||
for_each = local.psa_ranges
|
||||
for_each = local.psa_config.ranges
|
||||
project = var.project_id
|
||||
name = each.value.name
|
||||
name = each.key
|
||||
purpose = "VPC_PEERING"
|
||||
address_type = "INTERNAL"
|
||||
address = each.value.address
|
||||
prefix_length = each.value.prefix_length
|
||||
address = split("/", each.value)[0]
|
||||
prefix_length = split("/", each.value)[1]
|
||||
network = local.network.id
|
||||
}
|
||||
|
||||
resource "google_service_networking_connection" "psa_connection" {
|
||||
for_each = coalesce(var.psa_config, {})
|
||||
for_each = var.psa_config == null ? {} : { 1 = 1 }
|
||||
network = local.network.id
|
||||
service = "servicenetworking.googleapis.com"
|
||||
reserved_peering_ranges = [
|
||||
for k, v in google_compute_global_address.psa_ranges :
|
||||
v.name if try(split(":", k)[0], null) == each.key
|
||||
for k, v in google_compute_global_address.psa_ranges : v.name
|
||||
]
|
||||
}
|
||||
|
||||
resource "google_compute_network_peering_routes_config" "psa_routes" {
|
||||
for_each = { for k, v in coalesce(var.psa_config, {}) : k => v if try(v.routes) != null }
|
||||
for_each = var.psa_config == null ? {} : { 1 = 1 }
|
||||
project = var.project_id
|
||||
peering = google_service_networking_connection.psa_connection[each.key].peering
|
||||
peering = google_service_networking_connection.psa_connection["1"].peering
|
||||
network = local.network.id
|
||||
export_custom_routes = coalesce(each.value.routes.export, false)
|
||||
import_custom_routes = coalesce(each.value.routes.import, false)
|
||||
export_custom_routes = try(var.psa_config.routes.export, false)
|
||||
import_custom_routes = try(var.psa_config.routes.import, false)
|
||||
}
|
||||
|
||||
@@ -109,14 +109,14 @@ variable "project_id" {
|
||||
}
|
||||
|
||||
variable "psa_config" {
|
||||
description = "The Private Service Access configuration."
|
||||
type = map(object({
|
||||
ranges = list(string) # CIDRs in the format x.x.x.x/yy
|
||||
description = "The Private Service Access configuration for Service Networking."
|
||||
type = object({
|
||||
ranges = map(string)
|
||||
routes = object({
|
||||
export = bool
|
||||
import = bool
|
||||
})
|
||||
}))
|
||||
})
|
||||
default = null
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user