From 2c10853744bc77c3c8e3969fdde702015d70b908 Mon Sep 17 00:00:00 2001 From: Ludovico Magnocavallo Date: Sun, 5 Mar 2023 17:08:43 +0100 Subject: [PATCH] add support for proxy and psc subnets to module factory (#1211) --- fast/stages/2-networking-a-peering/README.md | 17 ++++++----- .../2-networking-a-peering/spoke-dev.tf | 26 ++++------------- .../2-networking-a-peering/spoke-prod.tf | 26 ++++------------- .../2-networking-a-peering/variables.tf | 24 ---------------- fast/stages/2-networking-b-vpn/README.md | 17 ++++++----- fast/stages/2-networking-b-vpn/spoke-dev.tf | 26 ++++------------- fast/stages/2-networking-b-vpn/spoke-prod.tf | 26 ++++------------- fast/stages/2-networking-b-vpn/variables.tf | 24 ---------------- fast/stages/2-networking-c-nva/README.md | 19 ++++++------- fast/stages/2-networking-c-nva/main.tf | 6 ---- fast/stages/2-networking-c-nva/spoke-dev.tf | 14 ---------- fast/stages/2-networking-c-nva/spoke-prod.tf | 14 ---------- fast/stages/2-networking-c-nva/variables.tf | 18 ------------ .../2-networking-d-separate-envs/README.md | 17 ++++++----- .../2-networking-d-separate-envs/main.tf | 13 --------- .../2-networking-d-separate-envs/spoke-dev.tf | 13 ++++----- .../spoke-prod.tf | 13 ++++----- .../2-networking-d-separate-envs/variables.tf | 16 ----------- modules/net-vpc/README.md | 20 +++++++++++-- modules/net-vpc/subnets.tf | 28 +++++++++---------- tests/modules/net_vpc/examples/factory.yaml | 10 ++++++- tools/plan_summary.py | 1 - 22 files changed, 109 insertions(+), 279 deletions(-) diff --git a/fast/stages/2-networking-a-peering/README.md b/fast/stages/2-networking-a-peering/README.md index ac282c8d32..293a768ecc 100644 --- a/fast/stages/2-networking-a-peering/README.md +++ b/fast/stages/2-networking-a-peering/README.md 
@@ -347,20 +347,19 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | | [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | | [folder_ids](variables.tf#L92) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | -| [organization](variables.tf#L126) | Organization details. | object({…}) | ✓ | | 0-bootstrap | -| [prefix](variables.tf#L142) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap | +| [organization](variables.tf#L102) | Organization details. | object({…}) | ✓ | | 0-bootstrap | +| [prefix](variables.tf#L118) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap | | [custom_adv](variables.tf#L38) | Custom advertisement definitions in name => range format. | map(string) | | {…} | | | [custom_roles](variables.tf#L55) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap | | [dns](variables.tf#L64) | Onprem DNS resolvers. | map(list(string)) | | {…} | | | [factories_config](variables.tf#L72) | Configuration for network resource factories. | object({…}) | | {…} | | -| [l7ilb_subnets](variables.tf#L102) | Subnets used for L7 ILBs. | object({…}) | | {…} | | -| [outputs_location](variables.tf#L136) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | +| [outputs_location](variables.tf#L112) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | | [peering_configs](variables-peerings.tf#L19) | Peering configurations. 
| map(object({…})) | | {…} | | -| [psa_ranges](variables.tf#L153) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | null | | -| [regions](variables.tf#L190) | Region definitions. | object({…}) | | {…} | | -| [router_onprem_configs](variables.tf#L202) | Configurations for routers used for onprem connectivity. | map(object({…})) | | {…} | | -| [service_accounts](variables.tf#L220) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | -| [vpn_onprem_configs](variables.tf#L234) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | | +| [psa_ranges](variables.tf#L129) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | null | | +| [regions](variables.tf#L166) | Region definitions. | object({…}) | | {…} | | +| [router_onprem_configs](variables.tf#L178) | Configurations for routers used for onprem connectivity. | map(object({…})) | | {…} | | +| [service_accounts](variables.tf#L196) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | +| [vpn_onprem_configs](variables.tf#L210) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | | ## Outputs diff --git a/fast/stages/2-networking-a-peering/spoke-dev.tf b/fast/stages/2-networking-a-peering/spoke-dev.tf index ed7d13cb0b..17b4a87a08 100644 --- a/fast/stages/2-networking-a-peering/spoke-dev.tf +++ b/fast/stages/2-networking-a-peering/spoke-dev.tf @@ -16,19 +16,6 @@ # tfdoc:file:description Dev spoke VPC and related resources. -locals { - _l7ilb_subnets_dev = [ - for v in var.l7ilb_subnets.dev : merge(v, { - active = true - region = lookup(var.regions, v.region, v.region) - })] - l7ilb_subnets_dev = [ - for v in local._l7ilb_subnets_dev : merge(v, { - name = "dev-l7ilb-${local.region_shortnames[v.region]}" - }) - ] -} - module "dev-spoke-project" { source = "../../../modules/project" billing_account = var.billing_account.id 
@@ -57,13 +44,12 @@ module "dev-spoke-project" { } module "dev-spoke-vpc" { - source = "../../../modules/net-vpc" - project_id = module.dev-spoke-project.project_id - name = "dev-spoke-0" - mtu = 1500 - data_folder = "${var.factories_config.data_dir}/subnets/dev" - psa_config = try(var.psa_ranges.dev, null) - subnets_proxy_only = local.l7ilb_subnets_dev + source = "../../../modules/net-vpc" + project_id = module.dev-spoke-project.project_id + name = "dev-spoke-0" + mtu = 1500 + data_folder = "${var.factories_config.data_dir}/subnets/dev" + psa_config = try(var.psa_ranges.dev, null) # set explicit routes for googleapis in case the default route is deleted routes = { private-googleapis = { diff --git a/fast/stages/2-networking-a-peering/spoke-prod.tf b/fast/stages/2-networking-a-peering/spoke-prod.tf index f584b32da8..927c74afe2 100644 --- a/fast/stages/2-networking-a-peering/spoke-prod.tf +++ b/fast/stages/2-networking-a-peering/spoke-prod.tf @@ -16,19 +16,6 @@ # tfdoc:file:description Production spoke VPC and related resources. -locals { - _l7ilb_subnets_prod = [ - for v in var.l7ilb_subnets.prod : merge(v, { - active = true - region = lookup(var.regions, v.region, v.region) - })] - l7ilb_subnets_prod = [ - for v in local._l7ilb_subnets_prod : merge(v, { - name = "prod-l7ilb-${local.region_shortnames[v.region]}" - }) - ] -} - module "prod-spoke-project" { source = "../../../modules/project" billing_account = var.billing_account.id 
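Review bot: Dropping `subnets_proxy_only = local.l7ilb_subnets_dev` here, together with the deleted `l7ilb_subnets` default in this stage's variables.tf, means the dev spoke no longer creates any proxy-only subnet out of the box, and no replacement `purpose: REGIONAL_MANAGED_PROXY` factory file under the stage's data folder appears anywhere in the diffstat. For an existing deployment this presumably plans the destruction of the `dev-l7ilb-*` subnets, which would break a regional internal HTTP(S) load balancer that depends on them, so the stage README should state that these subnets must now be defined as factory YAML files carrying the `purpose` attribute. The same point applies to the prod spoke hunk below and to the matching spoke hunks in the b-vpn, c-nva and d-separate-envs stages. The `dev-spoke-vpc` module block continues past the end of the hunk.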
@@ -57,13 +44,12 @@ module "prod-spoke-project" { } module "prod-spoke-vpc" { - source = "../../../modules/net-vpc" - project_id = module.prod-spoke-project.project_id - name = "prod-spoke-0" - mtu = 1500 - data_folder = "${var.factories_config.data_dir}/subnets/prod" - psa_config = try(var.psa_ranges.prod, null) - subnets_proxy_only = local.l7ilb_subnets_prod + source = "../../../modules/net-vpc" + project_id = module.prod-spoke-project.project_id + name = "prod-spoke-0" + mtu = 1500 + data_folder = "${var.factories_config.data_dir}/subnets/prod" + psa_config = try(var.psa_ranges.prod, null) # set explicit routes for googleapis in case the default route is deleted routes = { private-googleapis = { diff --git a/fast/stages/2-networking-a-peering/variables.tf b/fast/stages/2-networking-a-peering/variables.tf index f0443dc0b2..93ba2bea31 100644 --- a/fast/stages/2-networking-a-peering/variables.tf +++ b/fast/stages/2-networking-a-peering/variables.tf @@ -99,30 +99,6 @@ variable "folder_ids" { }) } -variable "l7ilb_subnets" { - description = "Subnets used for L7 ILBs." - type = object({ - dev = optional(list(object({ - ip_cidr_range = string - region = string - })), []) - prod = optional(list(object({ - ip_cidr_range = string - region = string - })), []) - }) - default = { - dev = [ - { ip_cidr_range = "10.128.60.0/24", region = "primary" }, - { ip_cidr_range = "10.128.61.0/24", region = "secondary" } - ] - prod = [ - { ip_cidr_range = "10.128.92.0/24", region = "primary" }, - { ip_cidr_range = "10.128.93.0/24", region = "secondary" } - ] - } -} - variable "organization" { # tfdoc:variable:source 0-bootstrap description = "Organization details." diff --git a/fast/stages/2-networking-b-vpn/README.md b/fast/stages/2-networking-b-vpn/README.md index a34b41355d..b2f345679c 100644 --- a/fast/stages/2-networking-b-vpn/README.md +++ b/fast/stages/2-networking-b-vpn/README.md 
@@ -372,20 +372,19 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | | [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | | [folder_ids](variables.tf#L92) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | -| [organization](variables.tf#L126) | Organization details. | object({…}) | ✓ | | 0-bootstrap | -| [prefix](variables.tf#L142) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap | +| [organization](variables.tf#L102) | Organization details. | object({…}) | ✓ | | 0-bootstrap | +| [prefix](variables.tf#L118) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap | | [custom_adv](variables.tf#L38) | Custom advertisement definitions in name => range format. | map(string) | | {…} | | | [custom_roles](variables.tf#L55) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap | | [dns](variables.tf#L64) | Onprem DNS resolvers. | map(list(string)) | | {…} | | | [factories_config](variables.tf#L72) | Configuration for network resource factories. | object({…}) | | {…} | | -| [l7ilb_subnets](variables.tf#L102) | Subnets used for L7 ILBs. | object({…}) | | {…} | | -| [outputs_location](variables.tf#L136) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | -| [psa_ranges](variables.tf#L153) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | null | | -| [regions](variables.tf#L190) | Region definitions. 
| object({…}) | | {…} | | -| [router_onprem_configs](variables.tf#L202) | Configurations for routers used for onprem connectivity. | map(object({…})) | | {…} | | +| [outputs_location](variables.tf#L112) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | +| [psa_ranges](variables.tf#L129) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | null | | +| [regions](variables.tf#L166) | Region definitions. | object({…}) | | {…} | | +| [router_onprem_configs](variables.tf#L178) | Configurations for routers used for onprem connectivity. | map(object({…})) | | {…} | | | [router_spoke_configs](variables-vpn.tf#L18) | Configurations for routers used for internal connectivity. | map(object({…})) | | {…} | | -| [service_accounts](variables.tf#L220) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | -| [vpn_onprem_configs](variables.tf#L234) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | | +| [service_accounts](variables.tf#L196) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | +| [vpn_onprem_configs](variables.tf#L210) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | | | [vpn_spoke_configs](variables-vpn.tf#L37) | VPN gateway configuration for spokes. | map(object({…})) | | {…} | | ## Outputs diff --git a/fast/stages/2-networking-b-vpn/spoke-dev.tf b/fast/stages/2-networking-b-vpn/spoke-dev.tf index ed7d13cb0b..17b4a87a08 100644 --- a/fast/stages/2-networking-b-vpn/spoke-dev.tf +++ b/fast/stages/2-networking-b-vpn/spoke-dev.tf 
@@ -16,19 +16,6 @@ # tfdoc:file:description Dev spoke VPC and related resources. -locals { - _l7ilb_subnets_dev = [ - for v in var.l7ilb_subnets.dev : merge(v, { - active = true - region = lookup(var.regions, v.region, v.region) - })] - l7ilb_subnets_dev = [ - for v in local._l7ilb_subnets_dev : merge(v, { - name = "dev-l7ilb-${local.region_shortnames[v.region]}" - }) - ] -} - module "dev-spoke-project" { source = "../../../modules/project" billing_account = var.billing_account.id @@ -57,13 +44,12 @@ module "dev-spoke-project" { } module "dev-spoke-vpc" { - source = "../../../modules/net-vpc" - project_id = module.dev-spoke-project.project_id - name = "dev-spoke-0" - mtu = 1500 - data_folder = "${var.factories_config.data_dir}/subnets/dev" - psa_config = try(var.psa_ranges.dev, null) - subnets_proxy_only = local.l7ilb_subnets_dev + source = "../../../modules/net-vpc" + project_id = module.dev-spoke-project.project_id + name = "dev-spoke-0" + mtu = 1500 + data_folder = "${var.factories_config.data_dir}/subnets/dev" + psa_config = try(var.psa_ranges.dev, null) # set explicit routes for googleapis in case the default route is deleted routes = { private-googleapis = { diff --git a/fast/stages/2-networking-b-vpn/spoke-prod.tf b/fast/stages/2-networking-b-vpn/spoke-prod.tf index f584b32da8..927c74afe2 100644 --- a/fast/stages/2-networking-b-vpn/spoke-prod.tf +++ b/fast/stages/2-networking-b-vpn/spoke-prod.tf @@ -16,19 +16,6 @@ # tfdoc:file:description Production spoke VPC and related resources. -locals { - _l7ilb_subnets_prod = [ - for v in var.l7ilb_subnets.prod : merge(v, { - active = true - region = lookup(var.regions, v.region, v.region) - })] - l7ilb_subnets_prod = [ - for v in local._l7ilb_subnets_prod : merge(v, { - name = "prod-l7ilb-${local.region_shortnames[v.region]}" - }) - ] -} - module "prod-spoke-project" { source = "../../../modules/project" billing_account = var.billing_account.id 
@@ -57,13 +44,12 @@ module "prod-spoke-project" { } module "prod-spoke-vpc" { - source = "../../../modules/net-vpc" - project_id = module.prod-spoke-project.project_id - name = "prod-spoke-0" - mtu = 1500 - data_folder = "${var.factories_config.data_dir}/subnets/prod" - psa_config = try(var.psa_ranges.prod, null) - subnets_proxy_only = local.l7ilb_subnets_prod + source = "../../../modules/net-vpc" + project_id = module.prod-spoke-project.project_id + name = "prod-spoke-0" + mtu = 1500 + data_folder = "${var.factories_config.data_dir}/subnets/prod" + psa_config = try(var.psa_ranges.prod, null) # set explicit routes for googleapis in case the default route is deleted routes = { private-googleapis = { diff --git a/fast/stages/2-networking-b-vpn/variables.tf b/fast/stages/2-networking-b-vpn/variables.tf index f0443dc0b2..93ba2bea31 100644 --- a/fast/stages/2-networking-b-vpn/variables.tf +++ b/fast/stages/2-networking-b-vpn/variables.tf @@ -99,30 +99,6 @@ variable "folder_ids" { }) } -variable "l7ilb_subnets" { - description = "Subnets used for L7 ILBs." - type = object({ - dev = optional(list(object({ - ip_cidr_range = string - region = string - })), []) - prod = optional(list(object({ - ip_cidr_range = string - region = string - })), []) - }) - default = { - dev = [ - { ip_cidr_range = "10.128.60.0/24", region = "primary" }, - { ip_cidr_range = "10.128.61.0/24", region = "secondary" } - ] - prod = [ - { ip_cidr_range = "10.128.92.0/24", region = "primary" }, - { ip_cidr_range = "10.128.93.0/24", region = "secondary" } - ] - } -} - variable "organization" { # tfdoc:variable:source 0-bootstrap description = "Organization details." diff --git a/fast/stages/2-networking-c-nva/README.md b/fast/stages/2-networking-c-nva/README.md index 33501984d9..02cee13297 100644 --- a/fast/stages/2-networking-c-nva/README.md +++ b/fast/stages/2-networking-c-nva/README.md 
@@ -421,20 +421,19 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | | [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | | [folder_ids](variables.tf#L97) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | -| [organization](variables.tf#L133) | Organization details. | object({…}) | ✓ | | 0-bootstrap | -| [prefix](variables.tf#L149) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap | +| [organization](variables.tf#L115) | Organization details. | object({…}) | ✓ | | 0-bootstrap | +| [prefix](variables.tf#L131) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap | | [custom_adv](variables.tf#L38) | Custom advertisement definitions in name => range format. | map(string) | | {…} | | | [custom_roles](variables.tf#L60) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap | | [dns](variables.tf#L69) | Onprem DNS resolvers. | map(list(string)) | | {…} | | | [factories_config](variables.tf#L77) | Configuration for network resource factories. | object({…}) | | {…} | | -| [l7ilb_subnets](variables.tf#L107) | Subnets used for L7 ILBs. | map(list(object({…}))) | | {…} | | -| [onprem_cidr](variables.tf#L125) | Onprem addresses in name => range format. | map(string) | | {…} | | -| [outputs_location](variables.tf#L143) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | -| [psa_ranges](variables.tf#L160) | IP ranges used for Private Service Access (e.g. CloudSQL). 
Ranges is in name => range format. | object({…}) | | null | | -| [regions](variables.tf#L181) | Region definitions. | object({…}) | | {…} | | -| [router_configs](variables.tf#L193) | Configurations for CRs and onprem routers. | map(object({…})) | | {…} | | -| [service_accounts](variables.tf#L216) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | -| [vpn_onprem_configs](variables.tf#L230) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | | +| [onprem_cidr](variables.tf#L107) | Onprem addresses in name => range format. | map(string) | | {…} | | +| [outputs_location](variables.tf#L125) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | +| [psa_ranges](variables.tf#L142) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | null | | +| [regions](variables.tf#L163) | Region definitions. | object({…}) | | {…} | | +| [router_configs](variables.tf#L175) | Configurations for CRs and onprem routers. | map(object({…})) | | {…} | | +| [service_accounts](variables.tf#L198) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | +| [vpn_onprem_configs](variables.tf#L212) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | | ## Outputs diff --git a/fast/stages/2-networking-c-nva/main.tf b/fast/stages/2-networking-c-nva/main.tf index e4066ba351..0a56396ecd 100644 --- a/fast/stages/2-networking-c-nva/main.tf +++ b/fast/stages/2-networking-c-nva/main.tf @@ -18,12 +18,6 @@ locals { custom_roles = coalesce(var.custom_roles, {}) - l7ilb_subnets = { for env, v in var.l7ilb_subnets : env => [ - for s in v : merge(s, { - active = true - name = "${env}-l7ilb-${s.region}" - })] - } # combine all regions from variables and subnets regions = distinct(concat( values(var.regions), 
diff --git a/fast/stages/2-networking-c-nva/spoke-dev.tf b/fast/stages/2-networking-c-nva/spoke-dev.tf index b229381314..f7866783cb 100644 --- a/fast/stages/2-networking-c-nva/spoke-dev.tf +++ b/fast/stages/2-networking-c-nva/spoke-dev.tf @@ -16,19 +16,6 @@ # tfdoc:file:description Dev spoke VPC and related resources. -locals { - _l7ilb_subnets_dev = [ - for v in var.l7ilb_subnets.dev : merge(v, { - active = true - region = lookup(var.regions, v.region, v.region) - })] - l7ilb_subnets_dev = [ - for v in local._l7ilb_subnets_dev : merge(v, { - name = "dev-l7ilb-${local.region_shortnames[v.region]}" - }) - ] -} - module "dev-spoke-project" { source = "../../../modules/project" billing_account = var.billing_account.id @@ -63,7 +50,6 @@ module "dev-spoke-vpc" { data_folder = "${var.factories_config.data_dir}/subnets/dev" delete_default_routes_on_create = true psa_config = try(var.psa_ranges.dev, null) - subnets_proxy_only = local.l7ilb_subnets_dev # Set explicit routes for googleapis; send everything else to NVAs routes = { private-googleapis = { diff --git a/fast/stages/2-networking-c-nva/spoke-prod.tf b/fast/stages/2-networking-c-nva/spoke-prod.tf index 51ad297455..f1b79a12c5 100644 --- a/fast/stages/2-networking-c-nva/spoke-prod.tf +++ b/fast/stages/2-networking-c-nva/spoke-prod.tf @@ -16,19 +16,6 @@ # tfdoc:file:description Production spoke VPC and related resources. -locals { - _l7ilb_subnets_prod = [ - for v in var.l7ilb_subnets.prod : merge(v, { - active = true - region = lookup(var.regions, v.region, v.region) - })] - l7ilb_subnets_prod = [ - for v in local._l7ilb_subnets_prod : merge(v, { - name = "prod-l7ilb-${local.region_shortnames[v.region]}" - }) - ] -} - module "prod-spoke-project" { source = "../../../modules/project" billing_account = var.billing_account.id 
@@ -63,7 +50,6 @@ module "prod-spoke-vpc" { data_folder = "${var.factories_config.data_dir}/subnets/prod" delete_default_routes_on_create = true psa_config = try(var.psa_ranges.prod, null) - subnets_proxy_only = local.l7ilb_subnets_prod # Set explicit routes for googleapis; send everything else to NVAs routes = { private-googleapis = { diff --git a/fast/stages/2-networking-c-nva/variables.tf b/fast/stages/2-networking-c-nva/variables.tf index 5049300765..5104afcecf 100644 --- a/fast/stages/2-networking-c-nva/variables.tf +++ b/fast/stages/2-networking-c-nva/variables.tf @@ -104,24 +104,6 @@ variable "folder_ids" { }) } -variable "l7ilb_subnets" { - description = "Subnets used for L7 ILBs." - type = map(list(object({ - ip_cidr_range = string - region = string - }))) - default = { - dev = [ - { ip_cidr_range = "10.128.159.0/24", region = "primary" }, - { ip_cidr_range = "10.128.191.0/24", region = "secondary" } - ] - prod = [ - { ip_cidr_range = "10.128.223.0/24", region = "primary" }, - { ip_cidr_range = "10.128.255.0/24", region = "secondary" } - ] - } -} - variable "onprem_cidr" { description = "Onprem addresses in name => range format." type = map(string) diff --git a/fast/stages/2-networking-d-separate-envs/README.md b/fast/stages/2-networking-d-separate-envs/README.md index 3a3b70e7ec..4c0aa1e8b5 100644 --- a/fast/stages/2-networking-d-separate-envs/README.md +++ b/fast/stages/2-networking-d-separate-envs/README.md 
@@ -291,19 +291,18 @@ Regions are defined via the `regions` variable which sets up a mapping between t | [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | | [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | | [folder_ids](variables.tf#L92) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | -| [organization](variables.tf#L118) | Organization details. | object({…}) | ✓ | | 0-bootstrap | -| [prefix](variables.tf#L134) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap | +| [organization](variables.tf#L102) | Organization details. | object({…}) | ✓ | | 0-bootstrap | +| [prefix](variables.tf#L118) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap | | [custom_adv](variables.tf#L38) | Custom advertisement definitions in name => range format. | map(string) | | {…} | | | [custom_roles](variables.tf#L54) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap | | [dns](variables.tf#L63) | Onprem DNS resolvers. | map(list(string)) | | {…} | | | [factories_config](variables.tf#L72) | Configuration for network resource factories. | object({…}) | | {…} | | -| [l7ilb_subnets](variables.tf#L102) | Subnets used for L7 ILBs. | map(list(object({…}))) | | {…} | | -| [outputs_location](variables.tf#L128) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | -| [psa_ranges](variables.tf#L145) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | null | | -| [regions](variables.tf#L182) | Region definitions. 
| object({…}) | | {…} | | -| [router_onprem_configs](variables.tf#L192) | Configurations for routers used for onprem connectivity. | map(object({…})) | | {…} | | -| [service_accounts](variables.tf#L215) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | -| [vpn_onprem_configs](variables.tf#L227) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | | +| [outputs_location](variables.tf#L112) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | +| [psa_ranges](variables.tf#L129) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | null | | +| [regions](variables.tf#L166) | Region definitions. | object({…}) | | {…} | | +| [router_onprem_configs](variables.tf#L176) | Configurations for routers used for onprem connectivity. | map(object({…})) | | {…} | | +| [service_accounts](variables.tf#L199) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | +| [vpn_onprem_configs](variables.tf#L211) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | | ## Outputs diff --git a/fast/stages/2-networking-d-separate-envs/main.tf b/fast/stages/2-networking-d-separate-envs/main.tf index dda1c252e5..7e9ddc2614 100644 --- a/fast/stages/2-networking-d-separate-envs/main.tf +++ b/fast/stages/2-networking-d-separate-envs/main.tf @@ -18,19 +18,6 @@ locals { custom_roles = coalesce(var.custom_roles, {}) - _l7ilb_subnets = { - for k, v in var.l7ilb_subnets : k => [ - for s in v : merge(s, { - active = true - region = lookup(var.regions, s.region, s.region) - })] - } - l7ilb_subnets = { - for k, v in local._l7ilb_subnets : k => [ - for s in v : merge(s, { - name = "${k}-l7ilb-${local.region_shortnames[s.region]}" - })] - } # combine all regions from variables and subnets regions = distinct(concat( values(var.regions), 
diff --git a/fast/stages/2-networking-d-separate-envs/spoke-dev.tf b/fast/stages/2-networking-d-separate-envs/spoke-dev.tf index ecd0b07368..de52b42834 100644 --- a/fast/stages/2-networking-d-separate-envs/spoke-dev.tf +++ b/fast/stages/2-networking-d-separate-envs/spoke-dev.tf @@ -43,13 +43,12 @@ module "dev-spoke-project" { } module "dev-spoke-vpc" { - source = "../../../modules/net-vpc" - project_id = module.dev-spoke-project.project_id - name = "dev-spoke-0" - mtu = 1500 - data_folder = "${var.factories_config.data_dir}/subnets/dev" - psa_config = try(var.psa_ranges.dev, null) - subnets_proxy_only = local.l7ilb_subnets.dev + source = "../../../modules/net-vpc" + project_id = module.dev-spoke-project.project_id + name = "dev-spoke-0" + mtu = 1500 + data_folder = "${var.factories_config.data_dir}/subnets/dev" + psa_config = try(var.psa_ranges.dev, null) # set explicit routes for googleapis in case the default route is deleted routes = { private-googleapis = { diff --git a/fast/stages/2-networking-d-separate-envs/spoke-prod.tf b/fast/stages/2-networking-d-separate-envs/spoke-prod.tf index 2e95a09e1b..1321b2c141 100644 --- a/fast/stages/2-networking-d-separate-envs/spoke-prod.tf +++ b/fast/stages/2-networking-d-separate-envs/spoke-prod.tf @@ -43,13 +43,12 @@ module "prod-spoke-project" { } module "prod-spoke-vpc" { - source = "../../../modules/net-vpc" - project_id = module.prod-spoke-project.project_id - name = "prod-spoke-0" - mtu = 1500 - data_folder = "${var.factories_config.data_dir}/subnets/prod" - psa_config = try(var.psa_ranges.prod, null) - subnets_proxy_only = local.l7ilb_subnets.prod + source = "../../../modules/net-vpc" + project_id = module.prod-spoke-project.project_id + name = "prod-spoke-0" + mtu = 1500 + data_folder = "${var.factories_config.data_dir}/subnets/prod" + psa_config = try(var.psa_ranges.prod, null) # set explicit routes for googleapis in case the default route is deleted routes = { private-googleapis = { 
diff --git a/fast/stages/2-networking-d-separate-envs/variables.tf b/fast/stages/2-networking-d-separate-envs/variables.tf index 03d5651396..fde3691b09 100644 --- a/fast/stages/2-networking-d-separate-envs/variables.tf +++ b/fast/stages/2-networking-d-separate-envs/variables.tf @@ -99,22 +99,6 @@ variable "folder_ids" { }) } -variable "l7ilb_subnets" { - description = "Subnets used for L7 ILBs." - type = map(list(object({ - ip_cidr_range = string - region = string - }))) - default = { - prod = [ - { ip_cidr_range = "10.128.92.0/24", region = "europe-west1" }, - ] - dev = [ - { ip_cidr_range = "10.128.60.0/24", region = "europe-west1" }, - ] - } -} - variable "organization" { # tfdoc:variable:source 0-bootstrap description = "Organization details." diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md index 25dfaa58fd..2ef8b1b5ea 100644 --- a/modules/net-vpc/README.md +++ b/modules/net-vpc/README.md @@ -34,6 +34,7 @@ module "vpc" { ``` ### Subnet Options + ```hcl module "vpc" { source = "./fabric/modules/net-vpc" @@ -305,7 +306,7 @@ module "vpc" { ### Subnet Factory -The `net-vpc` module includes a subnet factory (see [Resource Factories](../../blueprints/factories/)) for the massive creation of subnets leveraging one configuration file per subnet. +The `net-vpc` module includes a subnet factory (see [Resource Factories](../../blueprints/factories/)) for the massive creation of subnets leveraging one configuration file per subnet. The factory also supports proxy-only and PSC subnets via the `purpose` attribute. ```hcl module "vpc" { @@ -314,7 +315,7 @@ module "vpc" { name = "my-network" data_folder = "config/subnets" } -# tftest modules=1 resources=4 files=subnet-simple,subnet-detailed inventory=factory.yaml +# tftest modules=1 resources=6 files=subnet-simple,subnet-detailed,subnet-proxy,subnet-psc inventory=factory.yaml ``` ```yaml 
@@ -342,6 +343,20 @@ flow_logs: # enable, set to empty map to use defaults filter_expression: null ``` +```yaml +# tftest-file id=subnet-proxy path=config/subnets/subnet-proxy.yaml +region: europe-west4 +ip_cidr_range: 10.1.0.0/24 +purpose: REGIONAL_MANAGED_PROXY +``` + +```yaml +# tftest-file id=subnet-psc path=config/subnets/subnet-psc.yaml +region: europe-west4 +ip_cidr_range: 10.2.0.0/24 +purpose: PRIVATE_SERVICE_CONNECT +``` + ### Custom Routes VPC routes can be configured through the `routes` variable. @@ -380,7 +395,6 @@ module "vpc" { # tftest modules=5 resources=15 inventory=routes.yaml ``` - ## Variables | name | description | type | required | default |
diff --git a/modules/net-vpc/subnets.tf b/modules/net-vpc/subnets.tf
index 7c03bfca3b..5a6eeb545c 100644
--- a/modules/net-vpc/subnets.tf
+++ b/modules/net-vpc/subnets.tf
@@ -34,6 +34,8 @@ locals {
 iam_groups = try(v.iam_groups, [])
 iam_users = try(v.iam_users, [])
 iam_service_accounts = try(v.iam_service_accounts, [])
+ purpose = try(v.purpose, null)
+ active = try(v.active, null)
 }
 }
 _factory_subnets_iam = [
@@ -45,7 +47,7 @@ locals {
 formatlist("user:%s", lookup(v, "iam_users", [])),
 formatlist("serviceAccount:%s", lookup(v, "iam_service_accounts", []))
 )
- }
+ } if v.purpose == null
 ]
 _subnet_iam_members = flatten([
 for subnet, roles in(var.subnet_iam == null ? {} : var.subnet_iam) : [
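Review bot: The `if v.purpose == null` filter on `_factory_subnets_iam` makes a factory file that combines `purpose` with `iam_groups`, `iam_users` or `iam_service_accounts` pass silently while none of those bindings are created, so the declared access and the effective access diverge without any signal at plan time. If proxy-only and PSC subnets are intentionally excluded from IAM, that should be stated in the module README and on the filter itself, e.g. `# IAM bindings are only created for regular subnets; purpose subnets ignore iam_* attributes`. The enclosing `locals` block starts before this hunk, and the `_factory_subnets` entries it filters are built in the preceding hunk.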
@@ -61,17 +63,17 @@ locals {
 local._subnet_iam_members
 )
 subnets = merge(
- { for subnet in var.subnets : "${subnet.region}/${subnet.name}" => subnet },
- local._factory_subnets
+ { for s in var.subnets : "${s.region}/${s.name}" => s },
+ { for k, v in local._factory_subnets : k => v if v.purpose == null }
+ )
+ subnets_proxy_only = merge(
+ { for s in var.subnets_proxy_only : "${s.region}/${s.name}" => s },
+ { for k, v in local._factory_subnets : k => v if v.purpose == "REGIONAL_MANAGED_PROXY" }
+ )
+ subnets_psc = merge(
+ { for s in var.subnets_psc : "${s.region}/${s.name}" => s },
+ { for k, v in local._factory_subnets : k => v if v.purpose == "PRIVATE_SERVICE_CONNECT" }
 )
- subnets_proxy_only = {
- for subnet in var.subnets_proxy_only :
- "${subnet.region}/${subnet.name}" => subnet
- }
- subnets_psc = {
- for subnet in var.subnets_psc :
- "${subnet.region}/${subnet.name}" => subnet
- }
 }
 
 resource "google_compute_subnetwork" "subnetwork" {
@@ -120,9 +122,7 @@ resource "google_compute_subnetwork" "proxy_only" {
 : each.value.description
 )
 purpose = "REGIONAL_MANAGED_PROXY"
- role = (
- each.value.active || each.value.active == null ? "ACTIVE" : "BACKUP"
- )
+ role = each.value.active != false ? "ACTIVE" : "BACKUP"
 }
 
 resource "google_compute_subnetwork" "psc" {
diff --git a/tests/modules/net_vpc/examples/factory.yaml b/tests/modules/net_vpc/examples/factory.yaml
index 0724b5970e..5cd7481258 100644
--- a/tests/modules/net_vpc/examples/factory.yaml
+++ b/tests/modules/net_vpc/examples/factory.yaml
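Review bot: The three `merge` calls keep factory entries only when `purpose` is `null`, `"REGIONAL_MANAGED_PROXY"` or `"PRIVATE_SERVICE_CONNECT"`, so a factory file with any other value (a typo, or a purpose the module does not model) is dropped from all three maps and the subnet simply never exists, with no error from plan. I would add a fourth comprehension that collects the leftovers, `_factory_subnets_invalid = { for k, v in local._factory_subnets : k => v if v.purpose != null && v.purpose != "REGIONAL_MANAGED_PROXY" && v.purpose != "PRIVATE_SERVICE_CONNECT" }`, and assert it is empty through a `precondition` on one of the subnetwork resources, which sit outside this hunk. It is also worth a one-line comment that on a key collision the factory entry wins over `var.subnets_proxy_only` and `var.subnets_psc`, since it is the second argument to `merge`; that mirrors the pre-existing `subnets` behaviour. The `role = each.value.active != false ? ...` rewrite in the next hunk is the null-safe form that the factory's `active = try(v.active, null)` default needs, so that part looks correct.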
@@ -54,8 +54,16 @@ values:
 region: europe-west1
 role: roles/compute.networkUser
 subnetwork: subnet-detailed
+ module.vpc.google_compute_subnetwork.proxy_only["europe-west4/subnet-proxy"]:
+ region: europe-west4
+ ip_cidr_range: 10.1.0.0/24
+ purpose: REGIONAL_MANAGED_PROXY
+ module.vpc.google_compute_subnetwork.psc["europe-west4/subnet-psc"]:
+ region: europe-west4
+ ip_cidr_range: 10.2.0.0/24
+ purpose: PRIVATE_SERVICE_CONNECT
 
 counts:
 google_compute_network: 1
- google_compute_subnetwork: 2
+ google_compute_subnetwork: 4
 google_compute_subnetwork_iam_binding: 1
diff --git a/tools/plan_summary.py b/tools/plan_summary.py
index ae52c86cf2..441c638c6e 100755
--- a/tools/plan_summary.py
+++ b/tools/plan_summary.py
@@ -15,7 +15,6 @@
 # limitations under the License.
 
 import click
-import os
 import sys
 import tempfile
 import yaml
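Review bot: The expected values for `proxy_only["europe-west4/subnet-proxy"]` omit `role`, so the rewritten `role = each.value.active != false ? "ACTIVE" : "BACKUP"` in subnets.tf is not pinned for the factory path where `active` is absent and defaults to `null`; adding `role: ACTIVE` under that entry would cover it. A further factory file that sets `purpose` together with an `iam_groups` entry would also document, through `google_compute_subnetwork_iam_binding` staying at 1, that IAM attributes are ignored for purpose subnets. The `values:` map this hunk extends starts above the hunk.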