# Google Simple NVA Module

The module allows you to create Network Virtual Appliances (NVAs) as a stub for future appliance deployments.

These NVAs can be used to interconnect up to 8 VPCs.

The NVAs run Container-Optimized OS (COS). COS is a Linux-based OS designed for running containers. By default, its host firewall only allows SSH ingress connections. To see the exact host firewall configuration, run `sudo iptables -L -v`. More info is available in the official documentation.

To configure the firewall, you can either

- use the `open_ports` variable
- for finer-grained control, pass a custom bash script at startup with `iptables` commands
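The following per-boot script is an added example of the second option and is not part of the module or the page; it is the kind of file the commented `files` entry in the simple example below would ship to `/var/lib/cloud/scripts/per-boot/firewall-rules.sh`. It assumes the health-check probes arrive on TCP port 80 (a placeholder; use whatever port your health check targets) and takes the BGP neighbor address from the example `frr.conf`; the health-check and IAP source ranges are Google Cloud's published ranges. Allow rules are appended before the chain policy is switched to `DROP`, so an existing SSH session is not cut off while the rules are being loaded.

```shell
#!/bin/bash
# Added example: per-boot host firewall for a simple-nva instance (not module code).
# Assumptions: HC_PORT is a placeholder; BGP_NEIGHBOR matches the example frr.conf.
set -eu

BGP_NEIGHBOR="${BGP_NEIGHBOR:-10.128.0.2}"     # the neighbor configured in the example frr.conf
HC_RANGES="35.191.0.0/16 130.211.0.0/22"       # Google Cloud health-check probe source ranges
IAP_RANGE="35.235.240.0/20"                    # IAP TCP forwarding source range
HC_PORT="${HC_PORT:-80}"                       # assumed health-check port (placeholder)

# $1 is the command used to emit rules: "iptables" to apply them, "echo" for a dry run.
apply_firewall_rules() {
  ipt="${1:-iptables}"
  "$ipt" -F INPUT
  "$ipt" -A INPUT -i lo -j ACCEPT
  "$ipt" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # SSH only through IAP, never directly from the internet.
  "$ipt" -A INPUT -p tcp --dport 22 -s "$IAP_RANGE" -j ACCEPT
  # Health-check probes (the module's enable_health_checks routing answers these).
  for r in $HC_RANGES; do
    "$ipt" -A INPUT -p tcp --dport "$HC_PORT" -s "$r" -j ACCEPT
  done
  # BGP only from the configured FRR neighbor.
  "$ipt" -A INPUT -p tcp --dport 179 -s "$BGP_NEIGHBOR" -j ACCEPT
  # Log (rate-limited) and drop everything else, then make DROP the chain policy.
  "$ipt" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "nva-input-drop: "
  "$ipt" -A INPUT -j DROP
  "$ipt" -P INPUT DROP
}

# Apply for real only where iptables is present and usable (root on the NVA);
# anywhere else print the rules so the script can be reviewed without side effects.
if iptables -L INPUT -n >/dev/null 2>&1; then
  apply_firewall_rules iptables
else
  apply_firewall_rules echo
fi
```

Run it once by hand with `HC_PORT=<port> ./firewall-rules.sh` on a workstation to review the emitted rules before shipping it through `files`; the dropped-packet log lines carry the `nva-input-drop:` prefix, which is easy to pick out of Cloud Logging when `google-logging-enabled` is set.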
## Examples

### Simple example

```hcl
locals {
network_interfaces = [
{
addresses = null
name = "dev"
nat = false
network = "dev_vpc_self_link"
routes = ["10.128.0.0/9"]
subnetwork = "dev_vpc_nva_subnet_self_link"
},
{
addresses = null
name = "prod"
nat = false
network = "prod_vpc_self_link"
routes = ["10.0.0.0/9"]
subnetwork = "prod_vpc_nva_subnet_self_link"
}
]
}
module "cos-nva" {
source = "./fabric/modules/cloud-config-container/simple-nva"
enable_health_checks = true
network_interfaces = local.network_interfaces
# files = {
# "/var/lib/cloud/scripts/per-boot/firewall-rules.sh" = {
# content = file("./your_path/to/firewall-rules.sh")
# owner = "root"
# permissions = 0700
# }
# }
}
module "vm" {
source = "./fabric/modules/compute-vm"
project_id = "my-project"
zone = "europe-west8-b"
name = "cos-nva"
network_interfaces = local.network_interfaces
can_ip_forward = true
metadata = {
user-data = module.cos-nva.cloud_config
google-logging-enabled = true
}
boot_disk = {
source = {
image = "projects/cos-cloud/global/images/family/cos-stable"
}
initialize_params = {
type = "pd-ssd"
size = 10
}
}
tags = ["nva", "ssh"]
}
# tftest modules=1 resources=1
```

### Example with advanced routing capabilities (FRR)

The sample code brings up an FRRouting container.

```
# tftest-file id=frr_conf path=./frr.conf
# Example frr.conf file
log syslog informational
no ipv6 forwarding
router bgp 65001
neighbor 10.128.0.2 remote-as 65002
line vty
```

The following code assumes a file named `frr.conf` exists in the same folder.

```hcl
locals {
network_interfaces = [
{
addresses = null
name = "dev"
nat = false
network = "dev_vpc_self_link"
routes = ["10.128.0.0/9"]
subnetwork = "dev_vpc_nva_subnet_self_link"
enable_masquerading = true
non_masq_cidrs = ["10.0.0.0/8"]
},
{
addresses = null
name = "prod"
nat = false
network = "prod_vpc_self_link"
routes = ["10.0.0.0/9"]
subnetwork = "prod_vpc_nva_subnet_self_link"
}
]
}
module "cos-nva" {
source = "./fabric/modules/cloud-config-container/simple-nva"
enable_health_checks = true
network_interfaces = local.network_interfaces
frr_config = { config_file = "./frr.conf", daemons_enabled = ["bgpd"] }
run_cmds = ["ls -l"]
}
module "vm" {
source = "./fabric/modules/compute-vm"
project_id = "my-project"
zone = "europe-west8-b"
name = "cos-nva"
network_interfaces = local.network_interfaces
can_ip_forward = true
metadata = {
user-data = module.cos-nva.cloud_config
google-logging-enabled = true
}
boot_disk = {
source = {
image = "projects/cos-cloud/global/images/family/cos-stable"
}
initialize_params = {
type = "pd-ssd"
size = 10
}
}
tags = ["nva", "ssh"]
}
# tftest modules=1 resources=1 files=frr_conf
```

The FRR container is managed as a systemd service. To interact with the service, use the standard systemd commands: `sudo systemctl {start|stop|restart} frr`.

To interact with the FRR CLI run:

```bash
# get the container ID
CONTAINER_ID=$(sudo docker ps -a -q)
sudo docker exec -it $CONTAINER_ID vtysh
```

Check the FRR running configuration with `show running-config` from vtysh. Always refer to the official documentation for more information on vtysh and useful commands.

The sample `frr.conf` file is based on the documentation available here. It configures a BGP service with ASN 65001 on the FRR container, establishing a BGP session with a remote neighbor with IP address 10.128.0.2 and ASN 65002. Check the BGP status for FRR with `show bgp summary` from vtysh.
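The `show bgp summary` check above is easy to automate. The script below is an added example, not part of the module or the page: it parses the summary table (in FRR's format, where the `State/PfxRcd` column holds a prefix count once the session is Established and a state name such as `Active` or `Idle` otherwise) and reports the state of one neighbor, exiting non-zero when the session is down so it can drive a cron job or a health check. The embedded summary outputs are constructed samples for the neighbor in the example `frr.conf`; the live wrapper assumes the FRR container is the only running container on the NVA, as the `docker ps -q` usage above does.

```shell
#!/bin/bash
# Added example: report the BGP session state of one FRR neighbor (not module code).
set -eu

# Constructed sample of "show bgp summary" with the session up (2 prefixes received).
SAMPLE_UP=$(cat <<'EOF'
IPv4 Unicast Summary (VRF default):
BGP router identifier 10.128.0.10, local AS number 65001 vrf-id 0
BGP table version 3
Peers 1, using 724 KiB of memory

Neighbor        V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt Desc
10.128.0.2      4      65002       120       118        3    0    0 00:58:01            2        1 N/A

Total number of neighbors 1
EOF
)

# Constructed sample with the session still trying to connect.
SAMPLE_DOWN=$(cat <<'EOF'
IPv4 Unicast Summary (VRF default):
BGP router identifier 10.128.0.10, local AS number 65001 vrf-id 0
Peers 1, using 724 KiB of memory

Neighbor        V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt Desc
10.128.0.2      4      65002         0         0        0    0    0    never       Active        0 N/A

Total number of neighbors 1
EOF
)

# Reads "show bgp summary" output on stdin; $1 is the neighbor address.
# Prints "Established prefixes_received=N", the FRR state name, or "NotConfigured".
# Exit status is 0 only when the session is Established.
bgp_neighbor_state() {
  awk -v peer="$1" '
    $1 == peer && $2 == "4" {
      found = 1
      if ($10 ~ /^[0-9]+$/) { print "Established prefixes_received=" $10; ok = 1 }
      else print $10
    }
    END { if (!found) print "NotConfigured"; exit ok ? 0 : 1 }'
}

# Live check on the NVA: run vtysh inside the FRR container (assumes it is the only container).
check_frr_bgp() {
  container_id=$(sudo docker ps -q)
  sudo docker exec "$container_id" vtysh -c "show bgp summary" | bgp_neighbor_state "$1"
}

# Usage on the NVA: ./check_bgp.sh 10.128.0.2
if [ $# -ge 1 ]; then
  check_frr_bgp "$1"
fi
```

Because the exit status mirrors the session state, the script can be scheduled via `run_cmds` or a cron entry and its output shipped to Cloud Logging, giving an alertable signal when the neighbor drops out of `Established`.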
## Variables

| name | description | type | required | default |
|---|---|---|---|---|
| network_interfaces | Network interfaces configuration. | list(object({…})) | ✓ | |
| cloud_config | Cloud config template path. If null default will be used. | string | | null |
| enable_health_checks | Configures routing to enable responses to health check probes. | bool | | false |
| files | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | map(object({…})) | | {} |
| frr_config | FRR configuration for container running on the NVA. | object({…}) | | null |
| open_ports | Optional firewall ports to open. | object({…}) | | {…} |
| run_cmds | Optional cloud init run commands to execute. | list(string) | | [] |

## Outputs

| name | description | sensitive |
|---|---|---|
| cloud_config | Rendered cloud-config file to be passed as user-data instance metadata. | |