Added a PSC GCLB example

blueprints/networking/psc-glb-and-armor/README.md

@@ -99,16 +99,11 @@ The above command will delete the associated resources so there will be no billa
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [prefix](variables.tf#L23) | Prefix used for resource names. | <code>string</code> | ✓ |  |
-| [project_id](variables.tf#L41) | Identifier of the project. | <code>string</code> | ✓ |  |
-| [enforce_security_policy](variables.tf#L17) | Enforce security policy. | <code>bool</code> |  | <code>true</code> |
-| [project_create](variables.tf#L32) | Parameters for the creation of the new project. | <code title="object&#40;&#123;&#10;  billing_account_id &#61; string&#10;  parent             &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-
-## Outputs
-
-| name | description | sensitive |
-|---|---|:---:|
-| [glb_ip_address](outputs.tf#L18) | Load balancer IP address. |  |
-| [vm_siege_external_ip](outputs.tf#L23) | Siege VM external IP address. |  |
+| [consumer_project_id](variables.tf#L32) | The consumer project, in which the GCLB and Cloud Armor should be created. | <code></code> | ✓ |  |
+| [prefix](variables.tf#L17) | Prefix used for resource names. | <code>string</code> | ✓ |  |
+| [producer_project_id](variables.tf#L36) | The producer project, in which the ILB, PSC Service Attachment and Cloud Run service should be created | <code></code> | ✓ |  |
+| [project_create](variables.tf#L26) | Create project instead of using an existing one. | <code>bool</code> |  | <code>false</code> |
+| [region](variables.tf#L40) | The GCP region in which the resources should be deployed. | <code></code> |  | <code>europe-west1</code> |
+| [zone](variables.tf#L45) | The GCP zone for the VM. | <code></code> |  | <code>europe-west1-b</code> |
 
 <!-- END TFDOC -->

blueprints/networking/psc-glb-and-armor/consumer.tf

@@ -14,26 +14,20 @@
  * limitations under the License.
  */
 
-locals {
-  consumer_apis = ["iam.googleapis.com", "compute.googleapis.com"]
-}
-
-data "google_project" "consumer" {
-  project_id = var.consumer_project_id
-}
-
-resource "google_project_service" "consumer" {
-  for_each = toset(local.consumer_apis)
-  project  = data.google_project.consumer.project_id
-  service  = each.key
-
-  disable_on_destroy = false
+module "consumer_project" {
+  source         = "../../../modules/project"
+  name           = var.consumer_project_id
+  project_create = var.project_create
+  services = [
+    "iam.googleapis.com",
+    "compute.googleapis.com",
+  ]
 }
 
 resource "google_compute_region_network_endpoint_group" "psc_neg" {
   name                  = "psc-neg"
   region                = var.region
-  project               = var.consumer_project_id
+  project               = module.consumer_project.project_id
   network_endpoint_type = "PRIVATE_SERVICE_CONNECT"
   psc_target_service    = google_compute_service_attachment.psc_ilb_service_attachment.self_link
 
@@ -42,7 +36,7 @@ resource "google_compute_region_network_endpoint_group" "psc_neg" {
 }
 
 resource "google_compute_global_forwarding_rule" "default" {
-  project               = var.consumer_project_id
+  project               = module.consumer_project.project_id
   name                  = "global-rule"
   load_balancing_scheme = "EXTERNAL_MANAGED"
   target                = google_compute_target_http_proxy.default.id
@@ -54,14 +48,14 @@ output "lb_ip" {
 }
 
 resource "google_compute_target_http_proxy" "default" {
-  project     = var.consumer_project_id
+  project     = module.consumer_project.project_id
   name        = "target-proxy"
   description = "a description"
   url_map     = google_compute_url_map.default.id
 }
 
 resource "google_compute_url_map" "default" {
-  project         = var.consumer_project_id
+  project         = module.consumer_project.project_id
   name            = "url-map-target-proxy"
   description     = "A simple URL Map, routing all traffic to the PSC NEG"
   default_service = google_compute_backend_service.default.id
@@ -84,21 +78,18 @@ resource "google_compute_url_map" "default" {
 
 resource "google_compute_security_policy" "policy" {
   provider = google-beta
-  project  = var.consumer_project_id
+  project  = module.consumer_project.project_id
   name     = "ddos-protection"
   adaptive_protection_config {
     layer_7_ddos_defense_config {
       enable = true
     }
   }
-  depends_on = [
-    google_project_service.consumer
-  ]
 }
 
 resource "google_compute_backend_service" "default" {
   provider              = google-beta
-  project               = var.consumer_project_id
+  project               = module.consumer_project.project_id
   name                  = "backend"
   load_balancing_scheme = "EXTERNAL_MANAGED"
   protocol              = "HTTPS"

blueprints/networking/psc-glb-and-armor/producer.tf

@@ -14,36 +14,27 @@
  * limitations under the License.
  */
 
-locals {
-  producer_apis = ["iam.googleapis.com", "run.googleapis.com", "compute.googleapis.com"]
-}
-
-data "google_project" "producer" {
-  project_id = var.producer_project_id
-}
-
-resource "google_project_service" "producer" {
-  for_each = toset(local.producer_apis)
-  project  = data.google_project.producer.project_id
-  service  = each.key
-
-  disable_on_destroy = false
+module "producer_project" {
+  source         = "../../../modules/project"
+  name           = var.producer_project_id
+  project_create = var.project_create
+  services = [
+    "iam.googleapis.com",
+    "run.googleapis.com",
+    "compute.googleapis.com",
+  ]
 }
 
 resource "google_service_account" "app" {
-  project      = var.producer_project_id
+  project      = module.producer_project.project_id
   account_id   = "example-app"
   display_name = "Example App Service Account"
-
-  depends_on = [
-    google_project_service.producer
-  ]
 }
 
 resource "google_cloud_run_service" "app" {
   name     = "example-app"
   location = var.region
-  project  = var.producer_project_id
+  project  = module.producer_project.project_id
 
   template {
     spec {
@@ -67,17 +58,13 @@ resource "google_cloud_run_service" "app" {
       "run.googleapis.com/ingress" = "internal-and-cloud-load-balancing"
     }
   }
-
-  depends_on = [
-    google_project_service.producer
-  ]
 }
 
 resource "google_compute_region_network_endpoint_group" "neg" {
   name                  = "example-app-neg"
   network_endpoint_type = "SERVERLESS"
   region                = var.region
-  project               = var.producer_project_id
+  project               = module.producer_project.project_id
   cloud_run {
     service = google_cloud_run_service.app.name
   }
@@ -86,7 +73,7 @@ resource "google_compute_region_network_endpoint_group" "neg" {
 resource "google_compute_forwarding_rule" "psc_ilb_target_service" {
   name    = "producer-forwarding-rule"
   region  = var.region
-  project = var.producer_project_id
+  project = module.producer_project.project_id
 
   load_balancing_scheme = "INTERNAL_MANAGED"
   port_range            = "443"
@@ -101,14 +88,14 @@ resource "google_compute_region_target_https_proxy" "default" {
   name             = "l7-ilb-target-http-proxy"
   provider         = google-beta
   region           = var.region
-  project          = var.producer_project_id
+  project          = module.producer_project.project_id
   url_map          = google_compute_region_url_map.default.id
   ssl_certificates = [google_compute_region_ssl_certificate.default.id]
 }
 
 resource "google_compute_region_ssl_certificate" "default" {
   region      = var.region
-  project     = var.producer_project_id
+  project     = module.producer_project.project_id
   name        = "my-certificate"
   private_key = tls_private_key.example.private_key_pem
   certificate = tls_self_signed_cert.example.cert_pem
@@ -118,7 +105,7 @@ resource "google_compute_region_url_map" "default" {
   name            = "l7-ilb-regional-url-map"
   provider        = google-beta
   region          = var.region
-  project         = var.producer_project_id
+  project         = module.producer_project.project_id
   default_service = google_compute_region_backend_service.producer_service_backend.id
 }
 
@@ -146,7 +133,7 @@ resource "tls_self_signed_cert" "example" {
 resource "google_compute_region_backend_service" "producer_service_backend" {
   name                  = "producer-service"
   region                = var.region
-  project               = var.producer_project_id
+  project               = module.producer_project.project_id
   load_balancing_scheme = "INTERNAL_MANAGED"
   protocol              = "HTTPS"
 
@@ -160,16 +147,13 @@ resource "google_compute_region_backend_service" "producer_service_backend" {
 resource "google_compute_network" "psc_ilb_network" {
   name                    = "psc-ilb-network"
   auto_create_subnetworks = false
-  project                 = var.producer_project_id
-  depends_on = [
-    google_project_service.consumer
-  ]
+  project                 = module.producer_project.project_id
 }
 
 resource "google_compute_subnetwork" "ilb_subnetwork" {
   name    = "ilb-subnetwork"
   region  = var.region
-  project = var.producer_project_id
+  project = module.producer_project.project_id
 
   network       = google_compute_network.psc_ilb_network.id
   ip_cidr_range = "10.0.0.0/16"
@@ -180,7 +164,7 @@ resource "google_compute_subnetwork" "ilb_subnetwork" {
 resource "google_compute_subnetwork" "psc_private_subnetwork" {
   name    = "psc-private-subnetwork"
   region  = var.region
-  project = var.producer_project_id
+  project = module.producer_project.project_id
 
   network       = google_compute_network.psc_ilb_network.id
   ip_cidr_range = "10.3.0.0/16"
@@ -191,7 +175,7 @@ resource "google_compute_subnetwork" "psc_private_subnetwork" {
 resource "google_compute_subnetwork" "psc_ilb_nat" {
   name    = "psc-ilb-nat"
   region  = var.region
-  project = var.producer_project_id
+  project = module.producer_project.project_id
 
   network       = google_compute_network.psc_ilb_network.id
   purpose       = "PRIVATE_SERVICE_CONNECT"
@@ -201,44 +185,35 @@ resource "google_compute_subnetwork" "psc_ilb_nat" {
 resource "google_compute_subnetwork" "vms" {
   name    = "vms"
   region  = var.region
-  project = var.producer_project_id
+  project = module.producer_project.project_id
 
   network       = google_compute_network.psc_ilb_network.id
   ip_cidr_range = "10.4.0.0/16"
 }
 
-data "google_compute_zones" "available" {
-  region  = var.region
-  project = var.producer_project_id
-}
-
 resource "google_compute_service_attachment" "psc_ilb_service_attachment" {
   name        = "my-psc-ilb"
   region      = var.region
-  project     = var.producer_project_id
+  project     = module.producer_project.project_id
   description = "A service attachment configured with Terraform"
 
   enable_proxy_protocol = false
   connection_preference = "ACCEPT_AUTOMATIC"
   nat_subnets           = [google_compute_subnetwork.psc_ilb_nat.id]
   target_service        = google_compute_forwarding_rule.psc_ilb_target_service.id
-
-  depends_on = [
-    google_project_service.consumer
-  ]
 }
 
 resource "google_service_account" "noop" {
-  project      = var.producer_project_id
+  project      = module.producer_project.project_id
   account_id   = "noop-sa"
   display_name = "Service Account for NOOP VM"
 }
 
 resource "google_compute_instance" "noop-vm" {
-  project      = var.producer_project_id
+  project      = module.producer_project.project_id
   name         = "noop-ilb-vm"
   machine_type = "e2-medium"
-  zone         = data.google_compute_zones.available.names[0]
+  zone         = var.zone
   boot_disk {
     initialize_params {
       image = "debian-cloud/debian-11"

blueprints/networking/psc-glb-and-armor/variables.tf

@@ -14,11 +14,35 @@
  * limitations under the License.
  */
 
+variable "prefix" {
+  description = "Prefix used for resource names."
+  type        = string
+  validation {
+    condition     = var.prefix != ""
+    error_message = "Prefix cannot be empty."
+  }
+}
+
+variable "project_create" {
+  description = "Create project instead of using an existing one."
+  type        = bool
+  default     = false
+}
+
 variable "consumer_project_id" {
+  description = "The consumer project, in which the GCLB and Cloud Armor should be created."
 }
+
 variable "producer_project_id" {
+  description = "The producer project, in which the ILB, PSC Service Attachment and Cloud Run service should be created"
 }
 
 variable "region" {
   default = "europe-west1"
+  description = "The GCP region in which the resources should be deployed."
+}
+
+variable "zone" {
+  default = "europe-west1-b"
+  description = "The GCP zone for the VM."
 }

tests/blueprints/networking/psc-glb-and-armor/__init__.py

@@ -0,0 +1,13 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.