diff --git a/blueprints/data-solutions/sqlserver-alwayson/instances.tf b/blueprints/data-solutions/sqlserver-alwayson/instances.tf
index 89f39a6118..ab9f121718 100644
--- a/blueprints/data-solutions/sqlserver-alwayson/instances.tf
+++ b/blueprints/data-solutions/sqlserver-alwayson/instances.tf
@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -68,7 +68,6 @@ module "nodes" {
nat = false
addresses = {
internal = module.ip-addresses.internal_addresses[each.value].address
- external = null
}
}]
@@ -122,7 +121,6 @@ module "witness" {
nat = false
addresses = {
internal = module.ip-addresses.internal_addresses[each.value].address
- external = null
}
}]
diff --git a/fast/stages/2-networking-a-peering/data/subnets/dev/dev-dataplatform-ew1.yaml b/fast/stages/2-networking-a-peering/data/subnets/dev/dev-dataplatform-ew1.yaml
index 2c682405c5..4e5690c0f2 100644
--- a/fast/stages/2-networking-a-peering/data/subnets/dev/dev-dataplatform-ew1.yaml
+++ b/fast/stages/2-networking-a-peering/data/subnets/dev/dev-dataplatform-ew1.yaml
@@ -4,5 +4,5 @@ region: europe-west1
description: Default subnet for dev Data Platform
ip_cidr_range: 10.128.48.0/24
secondary_ip_ranges:
- pods: 100.128.48.0/20
- services: 100.255.48.0/24
+ pods: 100.64.48.0/20
+ services: 100.64.64.0/24
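Review bot: The old secondary ranges 100.128.48.0/20 and 100.255.48.0/24 fall outside the 100.64.0.0/10 shared address space (RFC 6598; it ends at 100.127.255.255), so moving them to 100.64.48.0/20 and 100.64.64.0/24 is the right correction, and the same edit is repeated identically in the sibling hunks ending at L48, L60, L72 and L84. The new ranges are adjacent (100.64.48.0/20 ends at 100.64.63.255) and do not overlap, but nothing in the file records the constraint, so a one-line comment above the key, `# pods/services must stay inside 100.64.0.0/10 (shared address space)`, would keep the next edit from drifting back out. Changing a secondary range that a GKE cluster already consumes is, as far as I recall, rejected by the API until the range is unused, so an existing dev deployment may need a documented migration step rather than a plain apply. If a prod counterpart of this subnet file exists it is worth checking for the same out-of-range values.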
diff --git a/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-dataplatform-ew1.yaml b/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-dataplatform-ew1.yaml
index 2c682405c5..4e5690c0f2 100644
--- a/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-dataplatform-ew1.yaml
+++ b/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-dataplatform-ew1.yaml
@@ -4,5 +4,5 @@ region: europe-west1
description: Default subnet for dev Data Platform
ip_cidr_range: 10.128.48.0/24
secondary_ip_ranges:
- pods: 100.128.48.0/20
- services: 100.255.48.0/24
+ pods: 100.64.48.0/20
+ services: 100.64.64.0/24
diff --git a/fast/stages/2-networking-c-nva/data/subnets/dev/dev-dataplatform-ew1.yaml b/fast/stages/2-networking-c-nva/data/subnets/dev/dev-dataplatform-ew1.yaml
index 2c682405c5..4e5690c0f2 100644
--- a/fast/stages/2-networking-c-nva/data/subnets/dev/dev-dataplatform-ew1.yaml
+++ b/fast/stages/2-networking-c-nva/data/subnets/dev/dev-dataplatform-ew1.yaml
@@ -4,5 +4,5 @@ region: europe-west1
description: Default subnet for dev Data Platform
ip_cidr_range: 10.128.48.0/24
secondary_ip_ranges:
- pods: 100.128.48.0/20
- services: 100.255.48.0/24
+ pods: 100.64.48.0/20
+ services: 100.64.64.0/24
diff --git a/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-dataplatform-ew1.yaml b/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-dataplatform-ew1.yaml
index 2c682405c5..4e5690c0f2 100644
--- a/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-dataplatform-ew1.yaml
+++ b/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-dataplatform-ew1.yaml
@@ -4,5 +4,5 @@ region: europe-west1
description: Default subnet for dev Data Platform
ip_cidr_range: 10.128.48.0/24
secondary_ip_ranges:
- pods: 100.128.48.0/20
- services: 100.255.48.0/24
+ pods: 100.64.48.0/20
+ services: 100.64.64.0/24
diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-dataplatform-ew1.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-dataplatform-ew1.yaml
index 2c682405c5..4e5690c0f2 100644
--- a/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-dataplatform-ew1.yaml
+++ b/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-dataplatform-ew1.yaml
@@ -4,5 +4,5 @@ region: europe-west1
description: Default subnet for dev Data Platform
ip_cidr_range: 10.128.48.0/24
secondary_ip_ranges:
- pods: 100.128.48.0/20
- services: 100.255.48.0/24
+ pods: 100.64.48.0/20
+ services: 100.64.64.0/24
diff --git a/fast/stages/2-networking-e-nva-bgp/nva.tf b/fast/stages/2-networking-e-nva-bgp/nva.tf
index baf6018a53..66ede6fd99 100644
--- a/fast/stages/2-networking-e-nva-bgp/nva.tf
+++ b/fast/stages/2-networking-e-nva-bgp/nva.tf
@@ -152,7 +152,6 @@ module "nva" {
subnetwork = module.landing-untrusted-vpc.subnet_self_links["${each.value.region}/landing-untrusted-default-${each.value.shortname}"]
nat = false
addresses = {
- external = null
internal = google_compute_address.nva_static_ip_untrusted[each.key].address
}
},
@@ -161,7 +160,6 @@ module "nva" {
subnetwork = module.landing-trusted-vpc.subnet_self_links["${each.value.region}/landing-trusted-default-${each.value.shortname}"]
nat = false
addresses = {
- external = null
internal = google_compute_address.nva_static_ip_trusted[each.key].address
}
}
diff --git a/modules/compute-vm/README.md b/modules/compute-vm/README.md
index c4badae306..1e22e8ddd7 100644
--- a/modules/compute-vm/README.md
+++ b/modules/compute-vm/README.md
@@ -215,7 +215,7 @@ module "vm-internal-ip" {
network_interfaces = [{
network = var.vpc.self_link
subnetwork = var.subnet.self_link
- addresses = { external = null, internal = "10.0.0.2" }
+ addresses = { internal = "10.0.0.2" }
}]
}
@@ -228,7 +228,7 @@ module "vm-external-ip" {
network = var.vpc.self_link
subnetwork = var.subnet.self_link
nat = true
- addresses = { external = "8.8.8.8", internal = null }
+ addresses = { external = "8.8.8.8" }
}]
}
# tftest modules=2 resources=2 inventory=ips.yaml
@@ -507,7 +507,7 @@ module "instance-group" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [name](variables.tf#L182) | Instance name. | string
| ✓ | |
-| [network_interfaces](variables.tf#L187) | Network interfaces configuration. Use self links for Shared VPC, set addresses to null if not needed. | list(object({…}))
| ✓ | |
+| [network_interfaces](variables.tf#L187) | Network interfaces configuration. Use self links for Shared VPC, set addresses to null if not needed. | list(object({…}))
| ✓ | |
| [project_id](variables.tf#L224) | Project id. | string
| ✓ | |
| [zone](variables.tf#L283) | Compute zone. | string
| ✓ | |
| [attached_disk_defaults](variables.tf#L17) | Defaults for attached disks options. | object({…})
| | {…}
|
diff --git a/modules/compute-vm/variables.tf b/modules/compute-vm/variables.tf
index bda754388d..8ec1e7163d 100644
--- a/modules/compute-vm/variables.tf
+++ b/modules/compute-vm/variables.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -191,8 +191,8 @@ variable "network_interfaces" {
network = string
subnetwork = string
addresses = optional(object({
- internal = string
- external = string
+ internal = optional(string)
+ external = optional(string)
}), null)
alias_ips = optional(map(string), {})
nic_type = optional(string)
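Review bot: With `internal` and `external` now `optional(string)`, the variable description rendered into the README (`set addresses to null if not needed`, left unchanged in the table row of this same commit) no longer matches the intended usage, where a caller simply omits the key it does not need. The `description` line of `variable "network_interfaces"` sits above this hunk; I would reword it to `Network interfaces configuration. Use self links for Shared VPC, omit addresses or either of its keys if not needed.` so the generated docs stay accurate. If the module only consumes `external` when `nat` is true (the README examples pair them that way), a validation rejecting `external` with `nat = false` would surface a silently ignored address; confirm against main.tf before adding it.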
diff --git a/modules/net-ilb-l7/README.md b/modules/net-ilb-l7/README.md
index 64d476237a..597d580c96 100644
--- a/modules/net-ilb-l7/README.md
+++ b/modules/net-ilb-l7/README.md
@@ -225,7 +225,9 @@ module "ilb-l7" {
# tftest modules=1 resources=5
```
-Similarly to instance groups, NEGs can also be managed by this module which supports GCE, hybrid, and serverless NEGs:
+Similarly to instance groups, NEGs can also be managed by this module which supports GCE, hybrid, serverless and Private Service Connect NEGs:
+
+#### Zonal NEG creation
```hcl
resource "google_compute_address" "test" {
@@ -273,7 +275,7 @@ module "ilb-l7" {
# tftest modules=1 resources=8
```
-Hybrid NEGs are also supported:
+#### Hybrid NEG creation
```hcl
module "ilb-l7" {
@@ -283,11 +285,7 @@ module "ilb-l7" {
region = "europe-west1"
backend_service_configs = {
default = {
- backends = [{
- balancing_mode = "RATE"
- group = "my-neg"
- max_rate = { per_endpoint = 1 }
- }]
+ backends = [{ group = "my-neg" }]
}
}
neg_configs = {
@@ -311,7 +309,7 @@ module "ilb-l7" {
# tftest modules=1 resources=7
```
-As are serverless NEGs for Cloud Run:
+#### Serverless NEG creation
```hcl
module "ilb-l7" {
@@ -348,6 +346,39 @@ module "ilb-l7" {
# tftest modules=1 resources=5
```
+#### Private Service Connect NEG creation
+
+```hcl
+module "ilb-l7" {
+ source = "./fabric/modules/net-ilb-l7"
+ name = "ilb-test"
+ project_id = var.project_id
+ region = "europe-west1"
+ backend_service_configs = {
+ default = {
+ backends = [{
+ group = "my-neg"
+ }]
+ health_checks = []
+ }
+ }
+ health_check_configs = {}
+ neg_configs = {
+ my-neg = {
+ psc = {
+ region = "europe-west1"
+ target_service = "europe-west1-cloudkms.googleapis.com"
+ }
+ }
+ }
+ vpc_config = {
+ network = var.vpc.self_link
+ subnetwork = var.subnet.self_link
+ }
+}
+# tftest modules=1 resources=5
+```
+
### URL Map
The module exposes the full URL map resource configuration, with some minor changes to the interface to decrease verbosity, and support for aliasing backend services via keys.
@@ -606,9 +637,9 @@ module "ilb-l7" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [name](variables.tf#L54) | Load balancer name. | string
| ✓ | |
-| [project_id](variables.tf#L132) | Project id. | string
| ✓ | |
-| [region](variables.tf#L150) | The region where to allocate the ILB resources. | string
| ✓ | |
-| [vpc_config](variables.tf#L177) | VPC-level configuration. | object({…})
| ✓ | |
+| [project_id](variables.tf#L138) | Project id. | string
| ✓ | |
+| [region](variables.tf#L156) | The region where to allocate the ILB resources. | string
| ✓ | |
+| [vpc_config](variables.tf#L183) | VPC-level configuration. | object({…})
| ✓ | |
| [address](variables.tf#L17) | Optional IP address used for the forwarding rule. | string
| | null
|
| [backend_service_configs](variables-backend-service.tf#L19) | Backend service level configuration. | map(object({…}))
| | {}
|
| [description](variables.tf#L23) | Optional description used for resources. | string
| | "Terraform managed."
|
@@ -616,12 +647,12 @@ module "ilb-l7" {
| [group_configs](variables.tf#L36) | Optional unmanaged groups to create. Can be referenced in backends via key or outputs. | map(object({…}))
| | {}
|
| [health_check_configs](variables-health-check.tf#L19) | Optional auto-created health check configurations, use the output self-link to set it in the auto healing policy. Refer to examples for usage. | map(object({…}))
| | {…}
|
| [labels](variables.tf#L48) | Labels set on resources. | map(string)
| | {}
|
-| [neg_configs](variables.tf#L59) | Optional network endpoint groups to create. Can be referenced in backends via key or outputs. | map(object({…}))
| | {}
|
-| [network_tier_premium](variables.tf#L119) | Use premium network tier. Defaults to true. | bool
| | true
|
-| [ports](variables.tf#L126) | Optional ports for HTTP load balancer, valid ports are 80 and 8080. | list(string)
| | null
|
-| [protocol](variables.tf#L137) | Protocol supported by this load balancer. | string
| | "HTTP"
|
-| [service_directory_registration](variables.tf#L155) | Service directory namespace and service used to register this load balancer. | object({…})
| | null
|
-| [ssl_certificates](variables.tf#L164) | SSL target proxy certificates (only if protocol is HTTPS). | object({…})
| | {}
|
+| [neg_configs](variables.tf#L59) | Optional network endpoint groups to create. Can be referenced in backends via key or outputs. | map(object({…}))
| | {}
|
+| [network_tier_premium](variables.tf#L125) | Use premium network tier. Defaults to true. | bool
| | true
|
+| [ports](variables.tf#L132) | Optional ports for HTTP load balancer, valid ports are 80 and 8080. | list(string)
| | null
|
+| [protocol](variables.tf#L143) | Protocol supported by this load balancer. | string
| | "HTTP"
|
+| [service_directory_registration](variables.tf#L161) | Service directory namespace and service used to register this load balancer. | object({…})
| | null
|
+| [ssl_certificates](variables.tf#L170) | SSL target proxy certificates (only if protocol is HTTPS). | object({…})
| | {}
|
| [urlmap_config](variables-urlmap.tf#L19) | The URL map configuration. | object({…})
| | {…}
|
## Outputs
diff --git a/modules/net-ilb-l7/backend-service.tf b/modules/net-ilb-l7/backend-service.tf
index ea758835bd..669a291aff 100644
--- a/modules/net-ilb-l7/backend-service.tf
+++ b/modules/net-ilb-l7/backend-service.tf
@@ -26,6 +26,9 @@ locals {
},
{
for k, v in google_compute_region_network_endpoint_group.default : k => v.id
+ },
+ {
+ for k, v in google_compute_region_network_endpoint_group.psc : k => v.id
}
)
hc_ids = {
diff --git a/modules/net-ilb-l7/main.tf b/modules/net-ilb-l7/main.tf
index 2ca114aed8..9d5f71548b 100644
--- a/modules/net-ilb-l7/main.tf
+++ b/modules/net-ilb-l7/main.tf
@@ -49,6 +49,10 @@ locals {
zone = v.gce != null ? v.gce.zone : v.hybrid.zone
} if v.gce != null || v.hybrid != null
}
+ neg_regional_psc = {
+ for k, v in var.neg_configs :
+ k => v if v.psc != null
+ }
proxy_ssl_certificates = concat(
coalesce(var.ssl_certificates.certificate_ids, []),
[for k, v in google_compute_region_ssl_certificate.default : v.id]
@@ -187,3 +191,15 @@ resource "google_compute_region_network_endpoint_group" "default" {
url_mask = each.value.target_urlmask
}
}
+
+resource "google_compute_region_network_endpoint_group" "psc" {
+ for_each = local.neg_regional_psc
+ project = var.project_id
+ region = each.value.psc.region
+ name = "${var.name}-${each.key}"
+ //description = coalesce(each.value.description, var.description)
+ network_endpoint_type = "PRIVATE_SERVICE_CONNECT"
+ psc_target_service = each.value.psc.target_service
+ network = each.value.psc.network
+ subnetwork = each.value.psc.subnetwork
+}
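Review bot: The commented-out `//description = coalesce(each.value.description, var.description)` line is dead code in a brand-new resource: either `neg_configs` carries a `description` attribute (none is visible in the variables hunk of this commit) and the line should be enabled, or it does not and the line should be replaced by `description = var.description` so the PSC NEG is labelled like the rest of the module. This repository's HCL uses `#` comments (see the removed `# psc = optional(object({}))` placeholder), not `//`. `network` and `subnetwork` are passed straight through as optionals; if I recall correctly the API requires a subnetwork when `psc_target_service` is a service attachment rather than a Google API endpoint, so a short comment on the resource, or a validation on the variable, would turn an apply-time failure into a plan-time one.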
diff --git a/modules/net-ilb-l7/variables.tf b/modules/net-ilb-l7/variables.tf
index 09b3f7ac74..40158aca0f 100644
--- a/modules/net-ilb-l7/variables.tf
+++ b/modules/net-ilb-l7/variables.tf
@@ -90,7 +90,12 @@ variable "neg_configs" {
port = number
})))
}))
- # psc = optional(object({}))
+ psc = optional(object({
+ region = string
+ target_service = string
+ network = optional(string)
+ subnetwork = optional(string)
+ }))
}))
default = {}
nullable = false
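Review bot: `psc.region` is a required string even though the module already takes `var.region`, and the new resource in main.tf creates the NEG in `each.value.psc.region`; a regional backend service can, as far as I recall, only attach NEGs from its own region, so a mismatch here only surfaces at apply time. Making it `region = optional(string)` and using `coalesce(each.value.psc.region, var.region)` in the resource, or adding a validation that the two agree, would remove the duplication visible in the README example where `europe-west1` is repeated for both. The enclosing `variable "neg_configs"` block starts above this hunk and its validation continues in the next one.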
@@ -99,7 +104,8 @@ variable "neg_configs" {
for k, v in var.neg_configs : (
(try(v.cloudrun, null) == null ? 0 : 1) +
(try(v.gce, null) == null ? 0 : 1) +
- (try(v.hybrid, null) == null ? 0 : 1) == 1
+ (try(v.hybrid, null) == null ? 0 : 1) +
+ (try(v.psc, null) == null ? 0 : 1) == 1
)
])
error_message = "Only one type of neg can be configured at a time."