Module net-vpc fix for reserved ranges (#2538)
* fix the reserved ranges

* updated readme

* formatting

* fix example test

---------

Co-authored-by: Ludovico Magnocavallo <[email protected]>
jamesdalf and ludoo authored Aug 30, 2024
1 parent dc0a27b commit 8ca3bc3
Showing 3 changed files with 201 additions and 8 deletions.
36 changes: 36 additions & 0 deletions modules/net-vpc/README.md
Expand Up @@ -277,6 +277,42 @@ module "vpc" {
# tftest modules=1 resources=7 inventory=psa-prefix.yaml e2e
```

Each PSA service can set a different prefix. Ranges will be allocated to the service they are defined in, as in the following example:

```hcl
module "vpc" {
source = "./fabric/modules/net-vpc"
project_id = var.project_id
name = "my-network"
subnets = [
{
ip_cidr_range = "10.0.0.0/24"
name = "production"
region = "europe-west1"
}
]
psa_configs = [
{
ranges = { myrange = "10.0.1.0/24" }
range_prefix = ""
},
{
ranges = { netapp = "10.0.2.0/24" }
service_producer = "netapp.servicenetworking.goog"
range_prefix = ""
},
{
ranges = {
example = "10.0.3.0/24",
example2 = "10.0.4.0/24"
}
service_producer = "example.servicenetworking.goog"
}
]
}
# tftest modules=1 resources=14 inventory=psa-prefix-services.yaml e2e
```

### Private Service Networking with peering routes and peered Cloud DNS domains

Custom routes can be optionally exported/imported through the peering formed with the Google managed PSA VPC.
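--- a/modules/net-vpc/psa.tf
+++ b/modules/net-vpc/psa.tf
@@ -63,14 +63,11 @@ resource "google_compute_global_address" "psa_ranges" {
 }
 
 resource "google_service_networking_connection" "psa_connection" {
-for_each = local.psa_configs
-network = local.network.id
-service = each.key
-reserved_peering_ranges = [
-for k, v in google_compute_global_address.psa_ranges :
-v.name if startswith(k, each.value.key)
-]
-deletion_policy = each.value.deletion_policy
+for_each = local.psa_configs
+network = local.network.id
+service = each.key
+reserved_peering_ranges = formatlist("${each.value.key}%s", keys(each.value.ranges))
+deletion_policy = each.value.deletion_policy
 }
 
 resource "google_compute_network_peering_routes_config" "psa_routes" {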
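Review bot: The new `reserved_peering_ranges` line builds the range names as plain strings instead of referencing `google_compute_global_address.psa_ranges`, so the connection loses its implicit dependency on the reserved addresses and the naming rule is now duplicated between the two resources (the `psa_ranges` definition starts above this hunk). The inventory added in this commit shows each `psa_ranges` instance key equal to its `name` (prefix followed by the range key), so the same list can be produced while keeping the dependency and getting a plan-time error if the two naming rules ever drift: `reserved_peering_ranges = [for r in keys(each.value.ranges) : google_compute_global_address.psa_ranges["${each.value.key}${r}"].name]`. Whether `local.psa_configs` already depends on the address resources is not visible here; if it does not, the ordering between address creation and the peering connection is no longer guaranteed.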
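--- /dev/null
+++ b/tests/modules/net_vpc/examples/psa-prefix-services.yaml
@@ -0,0 +1,160 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+module.vpc.google_compute_global_address.psa_ranges["example-servicenetworking-goog-example"]:
+address: 10.0.3.0
+address_type: INTERNAL
+description: null
+ip_version: null
+labels: null
+name: example-servicenetworking-goog-example
+prefix_length: 24
+project: project-id
+purpose: VPC_PEERING
+timeouts: null
+module.vpc.google_compute_global_address.psa_ranges["example-servicenetworking-goog-example2"]:
+address: 10.0.4.0
+address_type: INTERNAL
+description: null
+ip_version: null
+labels: null
+name: example-servicenetworking-goog-example2
+prefix_length: 24
+project: project-id
+purpose: VPC_PEERING
+timeouts: null
+module.vpc.google_compute_global_address.psa_ranges["myrange"]:
+address: 10.0.1.0
+address_type: INTERNAL
+description: null
+ip_version: null
+labels: null
+name: myrange
+prefix_length: 24
+project: project-id
+purpose: VPC_PEERING
+timeouts: null
+module.vpc.google_compute_global_address.psa_ranges["netapp"]:
+address: 10.0.2.0
+address_type: INTERNAL
+description: null
+ip_version: null
+labels: null
+name: netapp
+prefix_length: 24
+project: project-id
+purpose: VPC_PEERING
+timeouts: null
+module.vpc.google_compute_network.network[0]:
+auto_create_subnetworks: false
+delete_default_routes_on_create: false
+description: Terraform-managed.
+enable_ula_internal_ipv6: null
+name: my-network
+network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
+project: project-id
+routing_mode: GLOBAL
+timeouts: null
+module.vpc.google_compute_network_peering_routes_config.psa_routes["example.servicenetworking.goog"]:
+export_custom_routes: false
+import_custom_routes: false
+network: my-network
+project: project-id
+timeouts: null
+module.vpc.google_compute_network_peering_routes_config.psa_routes["netapp.servicenetworking.goog"]:
+export_custom_routes: false
+import_custom_routes: false
+network: my-network
+project: project-id
+timeouts: null
+module.vpc.google_compute_network_peering_routes_config.psa_routes["servicenetworking.googleapis.com"]:
+export_custom_routes: false
+import_custom_routes: false
+network: my-network
+project: project-id
+timeouts: null
+module.vpc.google_compute_route.gateway["private-googleapis"]:
+description: Terraform-managed.
+dest_range: 199.36.153.8/30
+name: my-network-private-googleapis
+network: my-network
+next_hop_gateway: default-internet-gateway
+next_hop_ilb: null
+next_hop_instance: null
+next_hop_vpn_tunnel: null
+priority: 1000
+project: project-id
+tags: null
+timeouts: null
+module.vpc.google_compute_route.gateway["restricted-googleapis"]:
+description: Terraform-managed.
+dest_range: 199.36.153.4/30
+name: my-network-restricted-googleapis
+network: my-network
+next_hop_gateway: default-internet-gateway
+next_hop_ilb: null
+next_hop_instance: null
+next_hop_vpn_tunnel: null
+priority: 1000
+project: project-id
+tags: null
+timeouts: null
+module.vpc.google_compute_subnetwork.subnetwork["europe-west1/production"]:
+description: Terraform-managed.
+ip_cidr_range: 10.0.0.0/24
+ipv6_access_type: null
+log_config: []
+name: production
+network: my-network
+private_ip_google_access: true
+project: project-id
+region: europe-west1
+role: null
+send_secondary_ip_range_if_empty: true
+timeouts: null
+module.vpc.google_service_networking_connection.psa_connection["example.servicenetworking.goog"]:
+deletion_policy: null
+reserved_peering_ranges:
+- example-servicenetworking-goog-example
+- example-servicenetworking-goog-example2
+service: example.servicenetworking.goog
+timeouts: null
+update_on_creation_fail: null
+module.vpc.google_service_networking_connection.psa_connection["netapp.servicenetworking.goog"]:
+deletion_policy: null
+reserved_peering_ranges:
+- netapp
+service: netapp.servicenetworking.goog
+timeouts: null
+update_on_creation_fail: null
+module.vpc.google_service_networking_connection.psa_connection["servicenetworking.googleapis.com"]:
+deletion_policy: null
+reserved_peering_ranges:
+- myrange
+service: servicenetworking.googleapis.com
+timeouts: null
+update_on_creation_fail: null
+
+counts:
+google_compute_global_address: 4
+google_compute_network: 1
+google_compute_network_peering_routes_config: 3
+google_compute_route: 2
+google_compute_subnetwork: 1
+google_service_networking_connection: 3
+modules: 1
+resources: 14
+
+outputs: {}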
