kovagoadi/hunfabric
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
hunfabric/modules/net-vpc-factory
History

README.md

Net VPC Factory

This module implements the creation of VPCs, subnets, and firewall rules via YAML configurations. It is designed to be embedded in other factories such as the FAST networking stage.

It supports:

  • VPCs and Subnets leveraging the net-vpc module.
  • Firewall rules leveraging the net-vpc-firewall module.
  • Context-based interpolation for referring to resources dynamically (e.g., project IDs, IAM principals, Locations).

The factory is implemented as a thin data translation layer over the underlying modules, ensuring transparency and ease of debugging.

The factory is implemented as a thin data translation layer over the underlying modules, so that no "magic" or hidden side effects are implemented in code, and debugging or integration of new features are simple.

The code is meant to be executed by a principal with permissions over the network infrastructure across the projects where VPCs are defined:

  • Network Admin (roles/compute.networkAdmin): to manage VPCs, subnets, routes, and firewall rules.
  • DNS Admin (roles/dns.admin): to manage DNS policies.
  • Security Admin (roles/compute.securityAdmin): to manage firewall policies.

Contents

VPC Factory

The VPC factory is configured via the factories_config.vpcs variable, which sets the path containing the YAML definitions for VPCs, where each VPC and their dependent resources are defined in a dedicated directory.

Each VPC directory contains a .config.yaml file. The structure of the YAML file mirrors the variables of the net-vpc module.

project_id: $project_ids:my-project # Or use the project id directly
description: "My VPC"
routing_mode: GLOBAL

Defaults

In addition to the YAML-based VPC configurations, the factory accepts three additional sets of inputs via Terraform variables to control defaults:

  • data_defaults: defaults for specific VPC attributes, used if not present in YAML.
  • data_overrides: overrides that take precedence over YAML values.
  • factories_config.paths.defaults: path to a YAML file containing global context and VPC defaults (defaults to defaults.yaml in the path set by factories_config.basepath)
module "net-vpc-factory" {
  source = "./modules/net-vpc-factory"
  data_defaults = {
    routing_mode = "REGIONAL"
  }
  factories_config = {
    basepath = "data"
  }
}

Subnets

Subnets can be defined in separate files within a subnets subdirectory in the VPC's folder.

data/vpcs/
└── my-vpc/
    ├── .config.yaml
    └── subnets/
        ├── subnet-a.yaml
        └── subnet-b.yaml

This allows splitting complex subnet configurations (like those with massive secondary ranges or specialized IAM bindings) into manageable files.

Firewall rules

Firewall rules are managed via a firewall-rules subdirectory in the VPC's folder. The factory uses the net-vpc-firewall module to provision these rules - the YAML format for firewall rules follows the structure expected by the module itself.

data/vpcs/
└── my-vpc/
    ├── .config.yaml
    └── firewall-rules/
        ├── allow-ssh.yaml
        └── allow-internal.yaml

Context-based interpolation

Interpolation allows referring to resources which are external or created at runtime via short aliases. This is particularly useful for Project IDs, which might be generated by the Project Factory.

Contexts are passed via the context variable or the factories_config.defaults file.

Project context ids

Project IDs use the $project_ids: namespace. This allows decoupling the VPC definition from the actual Project ID string.

# data/vpcs/vpc-0/.config.yaml
project_id: $project_ids:data-project
name: vpc-0

module "net-vpc-factory" {
  # ...
  context = {
    project_ids = {
      data-project = "prefix-prod-data-app-0"
    }
  }
}

Other context ids

Other contexts can be defined freely. Common uses include:

  • $locations: for GCP regions.
  • $iam_principals: for IAM principals.

Example

module "net-vpc-factory" {
  source = "./fabric/modules/net-vpc-factory"
  context = {
    project_ids = {
      net-project = "my-host-project-id"
    }
    locations = {
      primary = "europe-west1"
    }
  }
  factories_config = {
    basepath = "data"
  }
}
# tftest files=vpc,fw,subnet modules=3 inventory=example.yaml

# data/vpcs/shared-vpc/.config.yaml
project_id: $project_ids:net-project
name: data-vpc-0
# tftest-file id=vpc path=data/vpcs/data-vpc-0/.config.yaml schema=vpc-factory.schema.json

# data/vpcs/data-vpc-0/subnets/primary-subnet.yaml
name: primary-subnet
region: $locations:primary
ip_cidr_range: 10.10.0.0/24
description: Primary subnet for data-vpc-0
# tftest-file id=subnet path=data/vpcs/data-vpc-0/subnets/primary-subnet.yaml schema=subnet.schema.json

# data/vpcs/data-vpc-0/firewall-rules/allow-iap.yaml
ingress:
  allow-iap:
    description: Allow IAP for SSH
    source_ranges:
      - 35.235.240.0/20
    rules:
      - protocol: tcp
        ports: [22]
    targets: ["ssh"]
# tftest-file id=fw path=data/vpcs/data-vpc-0/firewall-rules/allow-iap.yaml schema=firewall-rules.schema.json

Variables

name description type required default
factories_config Path to folder with YAML resource description data files. object({…})
context Context-specific interpolations. object({…}) {}
data_defaults Optional default values used when corresponding vpc data from files are missing. object({…}) {}
data_overrides Optional values that override corresponding data from files. Takes precedence over file data and data_defaults. object({…}) {}

Outputs

name description sensitive
firewall_rules Firewall rules.
vpcs VPCs.
vpcs_config Processed VPC configuration data.