From 8ca3bc390f4d5226a34341554e74881e5950035c Mon Sep 17 00:00:00 2001 From: jamesdalf <97752590+jamesdalf@users.noreply.github.com> Date: Fri, 30 Aug 2024 07:10:28 +0200 Subject: [PATCH] Module net-vpc fix for reserved ranges (#2538) * fix the reserved ranges * updated readme * formatting * fix example test --------- Co-authored-by: Ludovico Magnocavallo --- modules/net-vpc/README.md | 36 ++++ modules/net-vpc/psa.tf | 13 +- .../net_vpc/examples/psa-prefix-services.yaml | 160 ++++++++++++++++++ 3 files changed, 201 insertions(+), 8 deletions(-) create mode 100644 tests/modules/net_vpc/examples/psa-prefix-services.yaml diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md index c89670a66c..2214d9f7f1 100644 --- a/modules/net-vpc/README.md +++ b/modules/net-vpc/README.md @@ -277,6 +277,42 @@ module "vpc" { # tftest modules=1 resources=7 inventory=psa-prefix.yaml e2e ``` +Each PSA service can set a different prefix. Ranges will be allocated to the service they are defined in, as in the following example: + +```hcl +module "vpc" { + source = "./fabric/modules/net-vpc" + project_id = var.project_id + name = "my-network" + subnets = [ + { + ip_cidr_range = "10.0.0.0/24" + name = "production" + region = "europe-west1" + } + ] + psa_configs = [ + { + ranges = { myrange = "10.0.1.0/24" } + range_prefix = "" + }, + { + ranges = { netapp = "10.0.2.0/24" } + service_producer = "netapp.servicenetworking.goog" + range_prefix = "" + }, + { + ranges = { + example = "10.0.3.0/24", + example2 = "10.0.4.0/24" + } + service_producer = "example.servicenetworking.goog" + } + ] +} +# tftest modules=1 resources=14 inventory=psa-prefix-services.yaml e2e +``` + ### Private Service Networking with peering routes and peered Cloud DNS domains Custom routes can be optionally exported/imported through the peering formed with the Google managed PSA VPC. diff --git a/modules/net-vpc/psa.tf b/modules/net-vpc/psa.tf index 86f836f98f..e32b0b56a9 100644 --- a/modules/net-vpc/psa.tf +++ b/modules/net-vpc/psa.tf @@ -63,14 +63,11 @@ resource "google_compute_global_address" "psa_ranges" { } resource "google_service_networking_connection" "psa_connection" { - for_each = local.psa_configs - network = local.network.id - service = each.key - reserved_peering_ranges = [ - for k, v in google_compute_global_address.psa_ranges : - v.name if startswith(k, each.value.key) - ] - deletion_policy = each.value.deletion_policy + for_each = local.psa_configs + network = local.network.id + service = each.key + reserved_peering_ranges = formatlist("${each.value.key}%s", keys(each.value.ranges)) + deletion_policy = each.value.deletion_policy } resource "google_compute_network_peering_routes_config" "psa_routes" { diff --git a/tests/modules/net_vpc/examples/psa-prefix-services.yaml b/tests/modules/net_vpc/examples/psa-prefix-services.yaml new file mode 100644 index 0000000000..6da9cdffc1 --- /dev/null +++ b/tests/modules/net_vpc/examples/psa-prefix-services.yaml @@ -0,0 +1,160 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + module.vpc.google_compute_global_address.psa_ranges["example-servicenetworking-goog-example"]: + address: 10.0.3.0 + address_type: INTERNAL + description: null + ip_version: null + labels: null + name: example-servicenetworking-goog-example + prefix_length: 24 + project: project-id + purpose: VPC_PEERING + timeouts: null + module.vpc.google_compute_global_address.psa_ranges["example-servicenetworking-goog-example2"]: + address: 10.0.4.0 + address_type: INTERNAL + description: null + ip_version: null + labels: null + name: example-servicenetworking-goog-example2 + prefix_length: 24 + project: project-id + purpose: VPC_PEERING + timeouts: null + module.vpc.google_compute_global_address.psa_ranges["myrange"]: + address: 10.0.1.0 + address_type: INTERNAL + description: null + ip_version: null + labels: null + name: myrange + prefix_length: 24 + project: project-id + purpose: VPC_PEERING + timeouts: null + module.vpc.google_compute_global_address.psa_ranges["netapp"]: + address: 10.0.2.0 + address_type: INTERNAL + description: null + ip_version: null + labels: null + name: netapp + prefix_length: 24 + project: project-id + purpose: VPC_PEERING + timeouts: null + module.vpc.google_compute_network.network[0]: + auto_create_subnetworks: false + delete_default_routes_on_create: false + description: Terraform-managed. + enable_ula_internal_ipv6: null + name: my-network + network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL + project: project-id + routing_mode: GLOBAL + timeouts: null + module.vpc.google_compute_network_peering_routes_config.psa_routes["example.servicenetworking.goog"]: + export_custom_routes: false + import_custom_routes: false + network: my-network + project: project-id + timeouts: null + module.vpc.google_compute_network_peering_routes_config.psa_routes["netapp.servicenetworking.goog"]: + export_custom_routes: false + import_custom_routes: false + network: my-network + project: project-id + timeouts: null + module.vpc.google_compute_network_peering_routes_config.psa_routes["servicenetworking.googleapis.com"]: + export_custom_routes: false + import_custom_routes: false + network: my-network + project: project-id + timeouts: null + module.vpc.google_compute_route.gateway["private-googleapis"]: + description: Terraform-managed. + dest_range: 199.36.153.8/30 + name: my-network-private-googleapis + network: my-network + next_hop_gateway: default-internet-gateway + next_hop_ilb: null + next_hop_instance: null + next_hop_vpn_tunnel: null + priority: 1000 + project: project-id + tags: null + timeouts: null + module.vpc.google_compute_route.gateway["restricted-googleapis"]: + description: Terraform-managed. + dest_range: 199.36.153.4/30 + name: my-network-restricted-googleapis + network: my-network + next_hop_gateway: default-internet-gateway + next_hop_ilb: null + next_hop_instance: null + next_hop_vpn_tunnel: null + priority: 1000 + project: project-id + tags: null + timeouts: null + module.vpc.google_compute_subnetwork.subnetwork["europe-west1/production"]: + description: Terraform-managed. + ip_cidr_range: 10.0.0.0/24 + ipv6_access_type: null + log_config: [] + name: production + network: my-network + private_ip_google_access: true + project: project-id + region: europe-west1 + role: null + send_secondary_ip_range_if_empty: true + timeouts: null + module.vpc.google_service_networking_connection.psa_connection["example.servicenetworking.goog"]: + deletion_policy: null + reserved_peering_ranges: + - example-servicenetworking-goog-example + - example-servicenetworking-goog-example2 + service: example.servicenetworking.goog + timeouts: null + update_on_creation_fail: null + module.vpc.google_service_networking_connection.psa_connection["netapp.servicenetworking.goog"]: + deletion_policy: null + reserved_peering_ranges: + - netapp + service: netapp.servicenetworking.goog + timeouts: null + update_on_creation_fail: null + module.vpc.google_service_networking_connection.psa_connection["servicenetworking.googleapis.com"]: + deletion_policy: null + reserved_peering_ranges: + - myrange + service: servicenetworking.googleapis.com + timeouts: null + update_on_creation_fail: null + +counts: + google_compute_global_address: 4 + google_compute_network: 1 + google_compute_network_peering_routes_config: 3 + google_compute_route: 2 + google_compute_subnetwork: 1 + google_service_networking_connection: 3 + modules: 1 + resources: 14 + +outputs: {}