From 441bbfa68493a6aab1e0ce41bab7a5a13e5d39f9 Mon Sep 17 00:00:00 2001 From: Miren Esnaola Date: Mon, 5 Jun 2023 17:02:38 +0200 Subject: [PATCH] Move net-dedicated-vlan-attachment module to net-vlan-attachment and added support for Partner interconnect --- README.md | 2 +- .../ha-vpn-over-interconnect/underlay.tf | 4 +- modules/net-ipsec-over-interconnect/README.md | 2 +- .../README.md | 249 ++++++++++++++++-- .../main.tf | 8 +- .../output.tf | 5 + .../variables.tf | 16 +- .../versions.tf | 0 8 files changed, 249 insertions(+), 37 deletions(-) rename modules/{net-dedicated-vlan-attachment => net-vlan-attachment}/README.md (51%) rename modules/{net-dedicated-vlan-attachment => net-vlan-attachment}/main.tf (91%) rename modules/{net-dedicated-vlan-attachment => net-vlan-attachment}/output.tf (84%) rename modules/{net-dedicated-vlan-attachment => net-vlan-attachment}/variables.tf (85%) rename modules/{net-dedicated-vlan-attachment => net-vlan-attachment}/versions.tf (100%) diff --git a/README.md b/README.md index 1737fbd4e8..9573257fcf 100644 --- a/README.md +++ b/README.md 
@@ -30,7 +30,7 @@ The current list of modules supports most of the core foundational and networkin Currently available modules: - **foundational** - [billing budget](./modules/billing-budget), [Cloud Identity group](./modules/cloud-identity-group/), [folder](./modules/folder), [service accounts](./modules/iam-service-account), [logging bucket](./modules/logging-bucket), [organization](./modules/organization), [project](./modules/project), [projects-data-source](./modules/projects-data-source) -- **networking** - [DNS](./modules/dns), [DNS Response Policy](./modules/dns-response-policy/), [Cloud Endpoints](./modules/endpoints), [address reservation](./modules/net-address), [NAT](./modules/net-cloudnat), [Dedicated VLAN Attachment](./modules/net-dedicated-vlan-attachment/), [Global Load Balancer (classic)](./modules/net-glb/), [L4 ILB](./modules/net-ilb), [L7 ILB](./modules/net-ilb-l7), [IPSec over Interconnect](./modules/net-ipsec-over-interconnect), [Network LB](./modules/net-nlb), [VPC](./modules/net-vpc), [VPC firewall](./modules/net-vpc-firewall), [VPC firewall policy](./modules/net-vpc-firewall-policy), [VPC peering](./modules/net-vpc-peering), [VPN dynamic](./modules/net-vpn-dynamic), [HA VPN](./modules/net-vpn-ha), [VPN static](./modules/net-vpn-static), [Service Directory](./modules/service-directory) +- **networking** - [DNS](./modules/dns), [DNS Response Policy](./modules/dns-response-policy/), [Cloud Endpoints](./modules/endpoints), [address reservation](./modules/net-address), [NAT](./modules/net-cloudnat), [VLAN Attachment](./modules/net-vlan-attachment/), [Global Load Balancer (classic)](./modules/net-glb/), [L4 ILB](./modules/net-ilb), [L7 ILB](./modules/net-ilb-l7), [IPSec over Interconnect](./modules/net-ipsec-over-interconnect), [Network LB](./modules/net-nlb), [VPC](./modules/net-vpc), [VPC firewall](./modules/net-vpc-firewall), [VPC firewall policy](./modules/net-vpc-firewall-policy), [VPC peering](./modules/net-vpc-peering), [VPN 
dynamic](./modules/net-vpn-dynamic), [HA VPN](./modules/net-vpn-ha), [VPN static](./modules/net-vpn-static), [Service Directory](./modules/service-directory)
 - **compute** - [VM/VM group](./modules/compute-vm), [MIG](./modules/compute-mig), [COS container](./modules/cloud-config-container/cos-generic-metadata/) (coredns, mysql, onprem, squid), [GKE cluster](./modules/gke-cluster-standard), [GKE hub](./modules/gke-hub), [GKE nodepool](./modules/gke-nodepool)
 - **data** - [AlloyDB instance](./modules/alloydb-instance), [BigQuery dataset](./modules/bigquery-dataset), [Bigtable instance](./modules/bigtable-instance), [Cloud Dataplex](./modules/cloud-dataplex), [Cloud SQL instance](./modules/cloudsql-instance), [Data Catalog Policy Tag](./modules/data-catalog-policy-tag), [Datafusion](./modules/datafusion), [Dataproc](./modules/dataproc), [GCS](./modules/gcs), [Pub/Sub](./modules/pubsub)
 - **development** - [API Gateway](./modules/api-gateway), [Apigee](./modules/apigee), [Artifact Registry](./modules/artifact-registry), [Container Registry](./modules/container-registry), [Cloud Source Repository](./modules/source-repository)
diff --git a/blueprints/networking/ha-vpn-over-interconnect/underlay.tf b/blueprints/networking/ha-vpn-over-interconnect/underlay.tf
index 065d9c7c46..b9675e8636 100644
--- a/blueprints/networking/ha-vpn-over-interconnect/underlay.tf
+++ b/blueprints/networking/ha-vpn-over-interconnect/underlay.tf
@@ -27,7 +27,7 @@ resource "google_compute_router" "encrypted-interconnect-underlay-router" {
 }
 
 module "va-a" {
- source = "../../../modules/net-dedicated-vlan-attachment"
+ source = "../../../modules/net-vlan-attachment"
 project_id = var.project_id
 network = var.network
 region = var.region
@@ -46,7 +46,7 @@ module "va-a" {
 }
 
 module "va-b" {
- source = "../../../modules/net-dedicated-vlan-attachment"
+ source = "../../../modules/net-vlan-attachment"
 project_id = var.project_id
 network = var.network
 region = var.region
diff --git a/modules/net-ipsec-over-interconnect/README.md b/modules/net-ipsec-over-interconnect/README.md index cfe1dfd378..507c7e5481 100644 --- a/modules/net-ipsec-over-interconnect/README.md +++ b/modules/net-ipsec-over-interconnect/README.md @@ -2,7 +2,7 @@ This module allows for the provisioning of [HA VPN over Interconnect](https://cloud.google.com/network-connectivity/docs/interconnect/concepts/ha-vpn-interconnect?hl=it). Specifically, this module creates a VPN gateway, a configurable number of tunnels, and all the resources required to established IPSec and BGP with the peer routers. -The required pair of encrypted VLAN Attachments can be created leveraging the [net-dedicated-vlan-attachment](../net-dedicated-vlan-attachment/) module, as shown in the [IoIC Blueprint](../../blueprints/networking/ha-vpn-over-interconnect/). +The required pair of encrypted VLAN Attachments can be created leveraging the [net-vlan-attachment](../net-vlan-attachment/) module, as shown in the [IoIC Blueprint](../../blueprints/networking/ha-vpn-over-interconnect/). ## Examples diff --git a/modules/net-dedicated-vlan-attachment/README.md b/modules/net-vlan-attachment/README.md similarity index 51% rename from modules/net-dedicated-vlan-attachment/README.md rename to modules/net-vlan-attachment/README.md index d3df845779..775aeace4b 100644 --- a/modules/net-dedicated-vlan-attachment/README.md +++ b/modules/net-vlan-attachment/README.md 
@@ -1,10 +1,10 @@ # VLAN Attachment module -This module allows for the provisioning of [VLAN Attachments](https://cloud.google.com/network-connectivity/docs/interconnect/how-to/dedicated/creating-vlan-attachments?hl=it) created from [Dedicated Interconnect](https://cloud.google.com/network-connectivity/docs/interconnect/concepts/dedicated-overview?hl=en) connections. +This module allows for the provisioning of VLAN Attachments for [Dedicated Interconnect](https://cloud.google.com/network-connectivity/docs/interconnect/how-to/dedicated/creating-vlan-attachments) or [Partner Interconnect](https://cloud.google.com/network-connectivity/docs/interconnect/how-to/partner/creating-vlan-attachments). ## Examples -### Single VLAN Attachment (No SLA) +### Dedicated Interconnect - Single VLAN Attachment (No SLA) ```hcl resource "google_compute_router" "interconnect-router" { @@ -26,7 +26,7 @@ resource "google_compute_router" "interconnect-router" { } module "example-va" { - source = "./fabric/modules/net-dedicated-vlan-attachment" + source = "./fabric/modules/net-vlan-attachment" network = "mynet" project_id = "myproject" region = "europe-west8" 
@@ -45,7 +45,45 @@ module "example-va" { # tftest modules=1 resources=4 ``` -### Two VLAN Attachments on a single region (99.9% SLA) +### Partner Interconnect - Single VLAN Attachment (No SLA) + +```hcl +resource "google_compute_router" "interconnect-router" { + name = "interconnect-router" + network = "mynet" + project = "myproject" + region = "europe-west8" + bgp { + advertise_mode = "CUSTOM" + asn = 64514 + advertised_groups = ["ALL_SUBNETS"] + advertised_ip_ranges { + range = "10.255.255.0/24" + } + advertised_ip_ranges { + range = "192.168.255.0/24" + } + } +} + +module "example-va" { + source = "./fabric/modules/net-vlan-attachment" + network = "mynet" + project_id = "myproject" + region = "europe-west8" + name = "vlan-attachment" + bgp_range = "169.254.0.0/30" + description = "Example vlan attachment" + peer_asn = "65000" + router_config = { + create = false + name = google_compute_router.interconnect-router.id + } +} +# tftest modules=1 resources=4 +``` + +### Dedicated Interconnect - Two VLAN Attachments on a single region (99.9% SLA) ```hcl resource "google_compute_router" "interconnect-router" { @@ -67,7 +105,7 @@ resource "google_compute_router" "interconnect-router" { } module "example-va-a" { - source = "./fabric/modules/net-dedicated-vlan-attachment" + source = "./fabric/modules/net-vlan-attachment" network = "mynet" project_id = "myproject" region = "europe-west8" @@ -85,7 +123,7 @@ module "example-va-a" { } module "example-va-b" { - source = "./fabric/modules/net-dedicated-vlan-attachment" + source = "./fabric/modules/net-vlan-attachment" network = "mynet" project_id = "myproject" region = "europe-west8" 
@@ -104,7 +142,62 @@ module "example-va-b" { # tftest modules=2 resources=7 ``` -### Four VLAN Attachments on two regions (99.99% SLA) +### Partner Interconnect - Two VLAN Attachments on a single region (99.9% SLA) + +```hcl +resource "google_compute_router" "interconnect-router" { + name = "interconnect-router" + network = "mynet" + project = "myproject" + region = "europe-west8" + bgp { + asn = 64514 + advertise_mode = "CUSTOM" + advertised_groups = ["ALL_SUBNETS"] + advertised_ip_ranges { + range = "10.255.255.0/24" + } + advertised_ip_ranges { + range = "192.168.255.0/24" + } + } +} + +module "example-va-a" { + source = "./fabric/modules/net-vlan-attachment" + network = "mynet" + project_id = "myproject" + region = "europe-west8" + name = "vlan-attachment-a" + bgp_range = "169.254.0.0/30" + description = "interconnect-a vlan attachment 0" + peer_asn = "65000" + edge_availability_domain = "AVAILABILITY_DOMAIN_1" + router_config = { + create = false + name = google_compute_router.interconnect-router.id + } +} + +module "example-va-b" { + source = "./fabric/modules/net-vlan-attachment" + network = "mynet" + project_id = "myproject" + region = "europe-west8" + name = "vlan-attachment-b" + bgp_range = "169.254.0.4/30" + description = "interconnect-b vlan attachment 0" + peer_asn = "65000" + edge_availability_domain = "AVAILABILITY_DOMAIN_2" + router_config = { + create = false + name = google_compute_router.interconnect-router.id + } +} +# tftest modules=2 resources=7 +``` + +### Dedicated Interconnect - Four VLAN Attachments on two regions (99.99% SLA) ```hcl @@ -145,7 +238,7 @@ resource "google_compute_router" "interconnect-router-ew12" { } module "example-va-a-ew8" { - source = "./fabric/modules/net-dedicated-vlan-attachment" + source = "./fabric/modules/net-vlan-attachment" network = "mynet" project_id = "myproject" region = "europe-west8" 
@@ -163,7 +256,7 @@ module "example-va-a-ew8" { } module "example-va-b-ew8" { - source = "./fabric/modules/net-dedicated-vlan-attachment" + source = "./fabric/modules/net-vlan-attachment" network = "mynet" project_id = "myproject" region = "europe-west8" @@ -181,7 +274,7 @@ module "example-va-b-ew8" { } module "example-va-a-ew12" { - source = "./fabric/modules/net-dedicated-vlan-attachment" + source = "./fabric/modules/net-vlan-attachment" network = "mynet" project_id = "myproject" region = "europe-west12" @@ -199,7 +292,7 @@ module "example-va-a-ew12" { } module "example-va-b-ew12" { - source = "./fabric/modules/net-dedicated-vlan-attachment" + source = "./fabric/modules/net-vlan-attachment" network = "mynet" project_id = "myproject" region = "europe-west12" 
@@ -218,6 +311,111 @@ module "example-va-b-ew12" { # tftest modules=4 resources=14 ``` +### Partner Interconnect - Four VLAN Attachments on two regions (99.99% SLA) + +```hcl +resource "google_compute_router" "interconnect-router-ew8" { + name = "interconnect-router-ew8" + network = "mynet" + project = "myproject" + region = "europe-west8" + bgp { + asn = 64514 + advertise_mode = "CUSTOM" + advertised_groups = ["ALL_SUBNETS"] + advertised_ip_ranges { + range = "10.255.255.0/24" + } + advertised_ip_ranges { + range = "192.168.255.0/24" + } + } +} + +resource "google_compute_router" "interconnect-router-ew12" { + name = "interconnect-router-ew12" + network = "mynet" + project = "myproject" + region = "europe-west12" + bgp { + asn = 64514 + advertise_mode = "CUSTOM" + advertised_groups = ["ALL_SUBNETS"] + advertised_ip_ranges { + range = "10.255.255.0/24" + } + advertised_ip_ranges { + range = "192.168.255.0/24" + } + } +} + +module "example-va-a-ew8" { + source = "./fabric/modules/net-vlan-attachment" + network = "mynet" + project_id = "myproject" + region = "europe-west8" + name = "vlan-attachment-a-ew8" + bgp_range = "169.254.0.0/30" + description = "interconnect-a-ew8 vlan attachment 0" + peer_asn = "65000" + edge_availability_domain = "AVAILABILITY_DOMAIN_1" + router_config = { + create = false + name = google_compute_router.interconnect-router-ew8.id + } +} + +module "example-va-b-ew8" { + source = "./fabric/modules/net-vlan-attachment" + network = "mynet" + project_id = "myproject" + region = "europe-west8" + name = "vlan-attachment-b-ew8" + bgp_range = "169.254.0.4/30" + description = "interconnect-b-ew8 vlan attachment 0" + peer_asn = "65000" + edge_availability_domain = "AVAILABILITY_DOMAIN_2" + router_config = { + create = false + name = google_compute_router.interconnect-router-ew8.id + } +} + +module "example-va-a-ew12" { + source = "./fabric/modules/net-vlan-attachment" + network = "mynet" + project_id = "myproject" + region = "europe-west12" + name = 
"vlan-attachment-a-ew12" + bgp_range = "169.254.1.0/30" + description = "interconnect-a-ew12 vlan attachment 0" + peer_asn = "65000" + edge_availability_domain = "AVAILABILITY_DOMAIN_1" + router_config = { + create = false + name = google_compute_router.interconnect-router-ew12.id + } +} + +module "example-va-b-ew12" { + source = "./fabric/modules/net-vlan-attachment" + network = "mynet" + project_id = "myproject" + region = "europe-west12" + name = "vlan-attachment-b-ew12" + bgp_range = "169.254.1.4/30" + description = "interconnect-b-ew12 vlan attachment 0" + peer_asn = "65000" + edge_availability_domain = "AVAILABILITY_DOMAIN_2" + router_config = { + create = false + name = google_compute_router.interconnect-router-ew12.id + } +} +# tftest modules=4 resources=14 +``` + ### IPSec over Interconnect enabled setup Refer to the [HA VPN over Interconnect Blueprint](../../blueprints/networking/ha-vpn-over-interconnect/) for an all-encompassing example. @@ -236,7 +434,7 @@ resource "google_compute_router" "encrypted-interconnect-underlay-router-ew8" { } module "example-va-a" { - source = "./fabric/modules/net-dedicated-vlan-attachment" + source = "./fabric/modules/net-vlan-attachment" project_id = "myproject" network = "mynet" region = "europe-west8" @@ -255,7 +453,7 @@ module "example-va-a" { } module "example-va-b" { - source = "./fabric/modules/net-dedicated-vlan-attachment" + source = "./fabric/modules/net-vlan-attachment" project_id = "myproject" network = "mynet" region = "europe-west8" 
@@ -281,19 +479,20 @@ module "example-va-b" { | name | description | type | required | default | |---|---|:---:|:---:|:---:| | [description](variables.tf#L36) | VLAN attachment description. | string | ✓ | | -| [interconnect](variables.tf#L41) | The identifier of the interconnect the VLAN attachment binds to. | string | ✓ | | -| [name](variables.tf#L58) | The common resources name, used after resource type prefix and suffix. | string | ✓ | | -| [network](variables.tf#L63) | The VPC name to which resources are associated to. | string | ✓ | | -| [peer_asn](variables.tf#L68) | The on-premises underlay router ASN. | string | ✓ | | -| [project_id](variables.tf#L73) | The project id where resources are created. | string | ✓ | | -| [region](variables.tf#L78) | The region where resources are created. | string | ✓ | | -| [router_config](variables.tf#L83) | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | object({…}) | ✓ | | -| [vlan_tag](variables.tf#L104) | The VLAN id to be used for this VLAN attachment. | number | ✓ | | +| [name](variables.tf#L65) | The common resources name, used after resource type prefix and suffix. | string | ✓ | | +| [network](variables.tf#L70) | The VPC name to which resources are associated to. | string | ✓ | | +| [peer_asn](variables.tf#L75) | The on-premises underlay router ASN. | string | ✓ | | +| [project_id](variables.tf#L80) | The project id where resources are created. | string | ✓ | | +| [region](variables.tf#L85) | The region where resources are created. | string | ✓ | | +| [router_config](variables.tf#L90) | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | object({…}) | ✓ | | | [admin_enabled](variables.tf#L17) | Whether the VLAN attachment is enabled. 
| bool | | true | -| [bandwidth](variables.tf#L23) | The bandwidth assigned to the VLAN attachment (e.g. BPS_10G). | string | | "BPS_10G" | +| [bandwidth](variables.tf#L23) | The bandwidth assigned to the VLAN attachment (e.g. BPS_10G). Only applicable for Dedicated Interconnect. | string | | null | | [bgp_range](variables.tf#L30) | The underlay link-local IP range (in CIDR notation). | string | | "169.254.128.0/29" | -| [ipsec_gateway_ip_ranges](variables.tf#L46) | IPSec Gateway IP Ranges. | map(string) | | {} | -| [mtu](variables.tf#L52) | The MTU associated to the VLAN attachment (1440 / 1500). | number | | 1500 | -| [vpn_gateways_ip_range](variables.tf#L109) | The IP range (cidr notation) to be used for the GCP VPN gateways. If null IPSec over Interconnect is not enabled. | string | | null | +| [edge_availability_domain](variables.tf#L41) | Desired availability domain for the attachment. Only applicable for Partner Interconnect. | string | | null | +| [interconnect](variables.tf#L47) | The identifier of the interconnect the VLAN attachment binds to. Only required for Dedicated Interconnect. | string | | null | +| [ipsec_gateway_ip_ranges](variables.tf#L53) | IPSec Gateway IP Ranges. | map(string) | | {} | +| [mtu](variables.tf#L59) | The MTU associated to the VLAN attachment (1440 / 1500). | number | | 1500 | +| [vlan_tag](variables.tf#L111) | The VLAN id to be used for this VLAN attachment. Only applicable for Dedicated Interconnect. | number | | null | +| [vpn_gateways_ip_range](variables.tf#L117) | The IP range (cidr notation) to be used for the GCP VPN gateways. If null IPSec over Interconnect is not enabled. | string | | null | diff --git a/modules/net-dedicated-vlan-attachment/main.tf b/modules/net-vlan-attachment/main.tf similarity index 91% rename from modules/net-dedicated-vlan-attachment/main.tf rename to modules/net-vlan-attachment/main.tf index 38d4426f1f..4caba5da3f 100644 --- a/modules/net-dedicated-vlan-attachment/main.tf 
+++ b/modules/net-vlan-attachment/main.tf
@@ -48,7 +48,7 @@ resource "google_compute_interconnect_attachment" "default" {
 vlan_tag8021q = var.vlan_tag
 admin_enabled = var.admin_enabled
 encryption = local.ipsec_enabled ? "IPSEC" : null
- type = "DEDICATED"
+ edge_availability_domain = var.edge_availability_domain
 ipsec_internal_addresses = local.ipsec_enabled ? [google_compute_address.default[0].self_link] : null
 }
 
@@ -99,8 +99,8 @@ resource "google_compute_router_interface" "default" {
 region = var.region
 name = "${var.name}-intf"
 router = local.router
- ip_range = "${cidrhost(var.bgp_range, 1)}/${split("/", var.bgp_range)[1]}"
- interconnect_attachment = google_compute_interconnect_attachment.default.name
+ ip_range = google_compute_interconnect_attachment.default.cloud_router_ip_address
+ interconnect_attachment = google_compute_interconnect_attachment.default.self_link
 }
 
 resource "google_compute_router_peer" "default" {
@@ -108,7 +108,7 @@ resource "google_compute_router_peer" "default" {
 project = var.project_id
 router = local.router
 region = var.region
- peer_ip_address = cidrhost(var.bgp_range, 2)
+ peer_ip_address = split("/", google_compute_interconnect_attachment.default.customer_router_ip_address)[0]
 peer_asn = var.peer_asn
 interface = "${var.name}-intf"
 advertised_route_priority = 100
diff --git a/modules/net-dedicated-vlan-attachment/output.tf b/modules/net-vlan-attachment/output.tf
similarity index 84%
rename from modules/net-dedicated-vlan-attachment/output.tf
rename to modules/net-vlan-attachment/output.tf
index 9e55eb09be..8085fe300c 100644
--- a/modules/net-dedicated-vlan-attachment/output.tf
+++ b/modules/net-vlan-attachment/output.tf
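Review bot: With `type = "DEDICATED"` removed and nothing put in its place, the attachment type is no longer stated anywhere in the module; it appears to be left to the provider/API to infer from whether `interconnect` is set, and since `interconnect` now defaults to null in variables.tf, a caller that sets neither `interconnect` nor `edge_availability_domain` only finds out at apply time. Making the mode explicit keeps it visible in the plan and records the intent in one place: `type = var.interconnect != null ? "DEDICATED" : "PARTNER"`. The same implicit coupling applies to `vlan_tag` and `bandwidth`, which are Dedicated-only but now also default to null; a short comment above the resource listing which inputs belong to which mode would help the next maintainer. The enclosing resource block starts outside the hunk.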
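Review bot: The router interface here and the BGP peer in the next hunk now take their addresses from the attachment's computed `cloud_router_ip_address` / `customer_router_ip_address` instead of deriving them from `var.bgp_range`, yet no output for those allocated values is visible in this patch, so a caller configuring the on-premises side (or the IPsec-over-Interconnect module) has nothing to read the actual link-local pair from; outputs for both attributes in output.tf would close that gap. If the attachment still passes `var.bgp_range` as a candidate range (that part of the resource is outside the hunk), the variable description at variables.tf#L30, "The underlay link-local IP range", should say it is a candidate and that the allocated addresses may differ; if the resource no longer references it, the variable is now dead input. For Partner attachments I believe these addresses are only populated once the partner has provisioned the attachment, so a single apply that creates both the attachment and the router interface may fail until then — worth confirming and, if so, stating in the README's Partner examples, which tftest only plans. The enclosing resource block starts outside the hunk.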
@@ -29,6 +29,11 @@ output "name" {
 value = google_compute_interconnect_attachment.default.name
 }
 
+output "pairing_key" {
+ description = "Opaque identifier of an PARTNER attachment used to initiate provisioning with a selected partner."
+ value = google_compute_interconnect_attachment.default.pairing_key
+}
+
 output "router" {
 description = "Router resource (only if auto-created)."
 value = local.ipsec_enabled ? one(google_compute_router.encrypted[*]) : one(google_compute_router.unencrypted[*])
diff --git a/modules/net-dedicated-vlan-attachment/variables.tf b/modules/net-vlan-attachment/variables.tf
similarity index 85%
rename from modules/net-dedicated-vlan-attachment/variables.tf
rename to modules/net-vlan-attachment/variables.tf
index 10e771addf..507a2e49a2 100644
--- a/modules/net-dedicated-vlan-attachment/variables.tf
+++ b/modules/net-vlan-attachment/variables.tf
@@ -22,9 +22,9 @@ variable "admin_enabled" {
 
 variable "bandwidth" {
 # Possible values @ https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_interconnect_attachment#bandwidth
- description = "The bandwidth assigned to the VLAN attachment (e.g. BPS_10G)."
+ description = "The bandwidth assigned to the VLAN attachment (e.g. BPS_10G). Only applicable for Dedicated Interconnect."
 type = string
- default = "BPS_10G"
+ default = null
 }
 
 variable "bgp_range" {
@@ -38,9 +38,16 @@ variable "description" {
 type = string
 }
 
+variable "edge_availability_domain" {
+ description = "Desired availability domain for the attachment. Only applicable for Partner Interconnect."
+ type = string
+ default = null
+}
+
 variable "interconnect" {
- description = "The identifier of the interconnect the VLAN attachment binds to."
+ description = "The identifier of the interconnect the VLAN attachment binds to. Only required for Dedicated Interconnect."
 type = string
+ default = null
 }
 
 variable "ipsec_gateway_ip_ranges" {
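Review bot: `pairing_key` is the token handed to the partner so they can provision the circuit against this attachment, and as a plain output it is printed in `terraform apply` output and in any CI log that captures it; marking the output `sensitive = true` keeps it redacted there while still leaving it readable from state and via `terraform output -raw pairing_key` for whoever has to pass it on. The description also has a typo: `an PARTNER attachment` should read `a PARTNER attachment`. For Dedicated attachments the attribute is presumably empty, which the description could state so callers do not treat a null as a failure.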
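Review bot: Changing the `bandwidth` default from `"BPS_10G"` to null silently changes what existing Dedicated callers of the renamed module get; whether the provider then leaves the value to the API default or plans a change on already-provisioned attachments is provider behaviour I cannot confirm from here. A line in the README stating the new default, and that Dedicated callers should now set `bandwidth` explicitly, would avoid surprises on the next apply.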
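Review bot: `edge_availability_domain` is accepted as a free-form string, but the API only takes a fixed set of domain names, so a typo such as `AVAILABILITY_DOMAIN_01` surfaces as an apply-time error rather than at plan time. A `validation` block on the variable catches this early; the accepted values I know of are `AVAILABILITY_DOMAIN_ANY`, `AVAILABILITY_DOMAIN_1` and `AVAILABILITY_DOMAIN_2`, with the null default passing through. The conditional form below avoids handing the null default to `contains`.
```hcl
variable "edge_availability_domain" {
  # … unchanged: description, type, default …
  validation {
    condition = (
      var.edge_availability_domain == null
      ? true
      : contains(["AVAILABILITY_DOMAIN_ANY", "AVAILABILITY_DOMAIN_1", "AVAILABILITY_DOMAIN_2"], var.edge_availability_domain)
    )
    error_message = "edge_availability_domain must be AVAILABILITY_DOMAIN_ANY, AVAILABILITY_DOMAIN_1 or AVAILABILITY_DOMAIN_2."
  }
}
```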
@@ -102,8 +109,9 @@ variable "router_config" {
 }
 
 variable "vlan_tag" {
- description = "The VLAN id to be used for this VLAN attachment."
+ description = "The VLAN id to be used for this VLAN attachment. Only applicable for Dedicated Interconnect."
 type = number
+ default = null
 }
 
 variable "vpn_gateways_ip_range" {
diff --git a/modules/net-dedicated-vlan-attachment/versions.tf b/modules/net-vlan-attachment/versions.tf
similarity index 100%
rename from modules/net-dedicated-vlan-attachment/versions.tf
rename to modules/net-vlan-attachment/versions.tf