-
Notifications
You must be signed in to change notification settings - Fork 910
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add support for
iam_additive and simplify factory interface in net …
…VPC module (#1259) * initial implementation, no tests * change interface, align tests * add examples ToC * fix variable type, test module-level variable
- Loading branch information
Showing
4 changed files
with
93 additions
and
34 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,10 +1,20 @@ | ||
| # Minimalistic VPC module | ||
| # VPC module | ||
|
|
||
| This module allows creation and management of VPC networks including subnetworks and subnetwork IAM bindings, Shared VPC activation and service project registration, and one-to-one peering. | ||
| This module allows creation and management of VPC networks including subnetworks and subnetwork IAM bindings, and most features and options related to VPCs and subnets. | ||
|
|
||
| ## Examples | ||
|
|
||
| The module allows for several different VPC configurations, some of the most common are shown below. | ||
| - [Simple VPC](#simple-vpc) | ||
| - [Subnet Options](#subnet-options) | ||
| - [Subnet IAM](#subnet-iam) | ||
| - [Peering](#peering) | ||
| - [Shared VPC](#shared-vpc) | ||
| - [Private Service Networking](#private-service-networking) | ||
| - [Private Service Networking with Peering Routes](#private-service-networking-with-peering-routes) | ||
| - [Subnets for Private Service Connect, Proxy-only subnets](#subnets-for-private-service-connect-proxy-only-subnets) | ||
| - [DNS Policies](#dns-policies) | ||
| - [Subnet Factory](#subnet-factory) | ||
| - [Custom Routes](#custom-routes) | ||
|
|
||
| ### Simple VPC | ||
|
|
||
|
|
@@ -105,14 +115,16 @@ module "vpc" { | |
| "user:[email protected]", "group:[email protected]" | ||
| ] | ||
| } | ||
| } | ||
| subnet_iam_additive = { | ||
| "europe-west1/subnet-2" = { | ||
| "roles/compute.networkUser" = [ | ||
| "user:[email protected]", "group:[email protected]" | ||
| ] | ||
| } | ||
| } | ||
| } | ||
| # tftest modules=1 resources=5 inventory=subnet-iam.yaml | ||
| # tftest modules=1 resources=6 inventory=subnet-iam.yaml | ||
| ``` | ||
|
|
||
| ### Peering | ||
|
|
@@ -315,7 +327,7 @@ module "vpc" { | |
| name = "my-network" | ||
| data_folder = "config/subnets" | ||
| } | ||
| # tftest modules=1 resources=7 files=subnet-simple,subnet-simple-2,subnet-detailed,subnet-proxy,subnet-psc inventory=factory.yaml | ||
| # tftest modules=1 resources=9 files=subnet-simple,subnet-simple-2,subnet-detailed,subnet-proxy,subnet-psc inventory=factory.yaml | ||
| ``` | ||
|
|
||
| ```yaml | ||
|
|
@@ -338,13 +350,17 @@ region: europe-west1 | |
| description: Sample description | ||
| ip_cidr_range: 10.0.0.0/24 | ||
| # optional attributes | ||
| enable_private_access: false # defaults to true | ||
| iam_users: ["[email protected]"] # grant compute/networkUser to users | ||
| iam_groups: ["[email protected]"] # grant compute/networkUser to groups | ||
| iam_service_accounts: ["[email protected]"] | ||
| secondary_ip_ranges: # map of secondary ip ranges | ||
| enable_private_access: false # defaults to true | ||
| iam: # grant roles/compute.networkUser | ||
| - group:[email protected] | ||
| - serviceAccount:[email protected] | ||
| - user:[email protected] | ||
| iam_additive: # grant roles/compute.networkUser | ||
| - user:[email protected] | ||
| - serviceAccount:[email protected] | ||
| secondary_ip_ranges: # map of secondary ip ranges | ||
| secondary-range-a: 192.168.0.0/24 | ||
| flow_logs: # enable, set to empty map to use defaults | ||
| flow_logs: # enable, set to empty map to use defaults | ||
| aggregation_interval: "INTERVAL_5_SEC" | ||
| flow_sampling: 0.5 | ||
| metadata: "INCLUDE_ALL_METADATA" | ||
|
|
@@ -402,6 +418,7 @@ module "vpc" { | |
| } | ||
| # tftest modules=5 resources=15 inventory=routes.yaml | ||
| ``` | ||
| <!-- BEGIN TFDOC --> | ||
|
|
||
| ## Variables | ||
|
|
||
|
|
@@ -422,10 +439,11 @@ module "vpc" { | |
| | [shared_vpc_host](variables.tf#L121) | Enable shared VPC for this project. | <code>bool</code> | | <code>false</code> | | ||
| | [shared_vpc_service_projects](variables.tf#L127) | Shared VPC service projects to register with this host. | <code>list(string)</code> | | <code>[]</code> | | ||
| | [subnet_iam](variables.tf#L133) | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | <code>map(map(list(string)))</code> | | <code>{}</code> | | ||
| | [subnets](variables.tf#L139) | Subnet configuration. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) enable_private_access = optional(bool, true) flow_logs_config = optional(object({ aggregation_interval = optional(string) filter_expression = optional(string) flow_sampling = optional(number) metadata = optional(string) metadata_fields = optional(list(string)) })) ipv6 = optional(object({ access_type = optional(string) enable_private_access = optional(bool, true) })) secondary_ip_ranges = optional(map(string)) }))">list(object({…}))</code> | | <code>[]</code> | | ||
| | [subnets_proxy_only](variables.tf#L164) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) active = bool }))">list(object({…}))</code> | | <code>[]</code> | | ||
| | [subnets_psc](variables.tf#L176) | List of subnets for Private Service Connect service producers. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) }))">list(object({…}))</code> | | <code>[]</code> | | ||
| | [vpc_create](variables.tf#L187) | Create VPC. When set to false, uses a data source to reference existing VPC. | <code>bool</code> | | <code>true</code> | | ||
| | [subnet_iam_additive](variables.tf#L139) | Subnet IAM additive bindings in {REGION/NAME => {ROLE => [MEMBERS]}} format. | <code>map(map(list(string)))</code> | | <code>{}</code> | | ||
| | [subnets](variables.tf#L146) | Subnet configuration. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) enable_private_access = optional(bool, true) flow_logs_config = optional(object({ aggregation_interval = optional(string) filter_expression = optional(string) flow_sampling = optional(number) metadata = optional(string) metadata_fields = optional(list(string)) })) ipv6 = optional(object({ access_type = optional(string) enable_private_access = optional(bool, true) })) secondary_ip_ranges = optional(map(string)) }))">list(object({…}))</code> | | <code>[]</code> | | ||
| | [subnets_proxy_only](variables.tf#L171) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) active = bool }))">list(object({…}))</code> | | <code>[]</code> | | ||
| | [subnets_psc](variables.tf#L183) | List of subnets for Private Service Connect service producers. | <code title="list(object({ name = string ip_cidr_range = string region = string description = optional(string) }))">list(object({…}))</code> | | <code>[]</code> | | ||
| | [vpc_create](variables.tf#L194) | Create VPC. When set to false, uses a data source to reference existing VPC. | <code>bool</code> | | <code>true</code> | | ||
|
|
||
| ## Outputs | ||
|
|
||
|
|
@@ -445,4 +463,3 @@ module "vpc" { | |
| | [subnets_psc](outputs.tf#L112) | Private Service Connect subnet resources. | | | ||
|
|
||
| <!-- END TFDOC --> | ||
| The key format is `subnet_region/subnet_name`. For example `europe-west1/my_subnet`. | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -34,11 +34,16 @@ values: | |
| region: europe-west1 | ||
| role: roles/compute.networkUser | ||
| subnetwork: subnet-1 | ||
| module.vpc.google_compute_subnetwork_iam_binding.binding["europe-west1/subnet-2.roles/compute.networkUser"]: | ||
| module.vpc.google_compute_subnetwork_iam_member.binding["europe-west1/subnet-2.roles/compute.networkUser.user:[email protected]"]: | ||
| condition: [] | ||
| members: | ||
| - group:[email protected] | ||
| - user:[email protected] | ||
| member: user:[email protected] | ||
| project: my-project | ||
| region: europe-west1 | ||
| role: roles/compute.networkUser | ||
| subnetwork: subnet-2 | ||
| module.vpc.google_compute_subnetwork_iam_member.binding["europe-west1/subnet-2.roles/compute.networkUser.group:[email protected]"]: | ||
| condition: [] | ||
| member: group:[email protected] | ||
| project: my-project | ||
| region: europe-west1 | ||
| role: roles/compute.networkUser | ||
|
|
@@ -47,8 +52,7 @@ values: | |
| counts: | ||
| google_compute_network: 1 | ||
| google_compute_subnetwork: 2 | ||
| google_compute_subnetwork_iam_binding: 2 | ||
| modules: 1 | ||
| resources: 5 | ||
| google_compute_subnetwork_iam_binding: 1 | ||
| google_compute_subnetwork_iam_member: 2 | ||
|
|
||
| outputs: {} | ||