E2E and examples tests for net-vpc module

modules/net-vpc/README.md

@@ -29,7 +29,7 @@ This module allows creation and management of VPC networks including subnetworks
 ```hcl
 module "vpc" {
   source     = "./fabric/modules/net-vpc"
-  project_id = "my-project"
+  project_id = var.project_id
   name       = "my-network"
   subnets = [
     {
@@ -48,15 +48,15 @@ module "vpc" {
     }
   ]
 }
-# tftest modules=1 resources=5 inventory=simple.yaml
+# tftest modules=1 resources=5 inventory=simple.yaml e2e
 ```
 
 ### Subnet Options
 
 ```hcl
 module "vpc" {
   source     = "./fabric/modules/net-vpc"
-  project_id = "my-project"
+  project_id = var.project_id
   name       = "my-network"
   subnets = [
     # simple subnet
@@ -95,7 +95,7 @@ module "vpc" {
     }
   ]
 }
-# tftest modules=1 resources=7 inventory=subnet-options.yaml
+# tftest modules=1 resources=7 inventory=subnet-options.yaml e2e
 ```
 
 ### Subnet IAM
@@ -105,7 +105,7 @@ Subnet IAM variables follow our general interface, with extra keys/members for t
 ```hcl
 module "vpc" {
   source     = "./fabric/modules/net-vpc"
-  project_id = "my-project"
+  project_id = var.project_id
   name       = "my-network"
   subnets = [
     {
@@ -114,12 +114,12 @@ module "vpc" {
       ip_cidr_range = "10.0.1.0/24"
       iam = {
         "roles/compute.networkUser" = [
-          "user:[email protected]", "group:[email protected]"
+          "group:${var.group_email}"
         ]
       }
       iam_bindings = {
         subnet-1-iam = {
-          members = ["group:[email protected]"]
+          members = ["group:${var.group_email}"]
           role    = "roles/compute.networkUser"
           condition = {
             expression = "resource.matchTag('123456789012/env', 'prod')"
@@ -131,18 +131,18 @@ module "vpc" {
     {
       name          = "subnet-2"
       region        = "europe-west1"
-      ip_cidr_range = "10.0.1.0/24"
+      ip_cidr_range = "10.0.2.0/24"
       iam_bindings_additive = {
         subnet-2-iam = {
-          member = "user:[email protected]"
+          member = "group:${var.group_email}"
           role   = "roles/compute.networkUser"
           subnet = "europe-west1/subnet-2"
         }
       }
     }
   ]
 }
-# tftest modules=1 resources=8 inventory=subnet-iam.yaml
+# tftest modules=1 resources=8 inventory=subnet-iam.yaml e2e
 ```
 
 ### Peering
@@ -154,7 +154,7 @@ If you only want to create the "local" side of the peering, use `peering_create_
 ```hcl
 module "vpc-hub" {
   source     = "./fabric/modules/net-vpc"
-  project_id = "hub"
+  project_id = var.project_id
   name       = "vpc-hub"
   subnets = [{
     ip_cidr_range = "10.0.0.0/24"
@@ -165,7 +165,7 @@ module "vpc-hub" {
 
 module "vpc-spoke-1" {
   source     = "./fabric/modules/net-vpc"
-  project_id = "spoke1"
+  project_id = var.project_id
   name       = "vpc-spoke1"
   subnets = [{
     ip_cidr_range = "10.0.1.0/24"
@@ -185,20 +185,24 @@ module "vpc-spoke-1" {
 [Shared VPC](https://cloud.google.com/vpc/docs/shared-vpc) is a project-level functionality which enables a project to share its VPCs with other projects. The `shared_vpc_host` variable is here to help with rapid prototyping, we recommend leveraging the project module for production usage.
 
 ```hcl
-locals {
-  service_project_1 = {
-    project_id                     = "project1"
-    gke_service_account            = "serviceAccount:gke"
-    cloud_services_service_account = "serviceAccount:cloudsvc"
-  }
-  service_project_2 = {
-    project_id = "project2"
-  }
+
+module "service-project" {
+  source          = "./fabric/modules/project"
+  billing_account = var.billing_account_id
+  name            = "prj1"
+  prefix          = var.prefix
+  parent          = var.folder_id
+  services = [
+    "cloudresourcemanager.googleapis.com",
+    "compute.googleapis.com",
+    "iam.googleapis.com",
+    "serviceusage.googleapis.com"
+  ]
 }
 
 module "vpc-host" {
   source     = "./fabric/modules/net-vpc"
-  project_id = "my-project"
+  project_id = var.project_id
   name       = "my-host-network"
   subnets = [
     {
@@ -211,30 +215,28 @@ module "vpc-host" {
       }
       iam = {
         "roles/compute.networkUser" = [
-          local.service_project_1.cloud_services_service_account,
-          local.service_project_1.gke_service_account
+          "serviceAccount:${var.service_account.email}"
         ]
         "roles/compute.securityAdmin" = [
-          local.service_project_1.gke_service_account
+          "serviceAccount:${var.service_account.email}"
         ]
       }
     }
   ]
   shared_vpc_host = true
   shared_vpc_service_projects = [
-    local.service_project_1.project_id,
-    local.service_project_2.project_id
+    module.service-project.project_id
   ]
 }
-# tftest modules=1 resources=9 inventory=shared-vpc.yaml
+# tftest modules=2 resources=13 inventory=shared-vpc.yaml e2e
 ```
 
 ### Private Service Networking
 
 ```hcl
 module "vpc" {
   source     = "./fabric/modules/net-vpc"
-  project_id = "my-project"
+  project_id = var.project_id
   name       = "my-network"
   subnets = [
     {
@@ -247,7 +249,7 @@ module "vpc" {
     ranges = { myrange = "10.0.1.0/24" }
   }
 }
-# tftest modules=1 resources=7 inventory=psa.yaml
+# tftest modules=1 resources=7 inventory=psa.yaml e2e
 ```
 
 ### Private Service Networking with peering routes and peered Cloud DNS domains
@@ -257,7 +259,7 @@ Custom routes can be optionally exported/imported through the peering formed wit
 ```hcl
 module "vpc" {
   source     = "./fabric/modules/net-vpc"
-  project_id = "my-project"
+  project_id = var.project_id
   name       = "my-network"
   subnets = [
     {
@@ -273,7 +275,7 @@ module "vpc" {
     peered_domains = ["gcp.example.com."]
   }
 }
-# tftest modules=1 resources=8 inventory=psa-routes.yaml
+# tftest modules=1 resources=8 inventory=psa-routes.yaml e2e
 ```
 
 ### Subnets for Private Service Connect, Proxy-only subnets
@@ -286,7 +288,7 @@ Along with common private subnets module supports creation more service specific
 ```hcl
 module "vpc" {
   source     = "./fabric/modules/net-vpc"
-  project_id = "my-project"
+  project_id = var.project_id
   name       = "my-network"
 
   subnets_proxy_only = [
@@ -312,15 +314,15 @@ module "vpc" {
     }
   ]
 }
-# tftest modules=1 resources=6 inventory=proxy-only-subnets.yaml
+# tftest modules=1 resources=6 inventory=proxy-only-subnets.yaml e2e
 ```
 
 ### DNS Policies
 
 ```hcl
 module "vpc" {
   source     = "./fabric/modules/net-vpc"
-  project_id = "my-project"
+  project_id = var.project_id
   name       = "my-network"
   dns_policy = {
     inbound = true
@@ -337,7 +339,7 @@ module "vpc" {
     }
   ]
 }
-# tftest modules=1 resources=5 inventory=dns-policies.yaml
+# tftest modules=1 resources=5 inventory=dns-policies.yaml e2e
 ```
 
 ### Subnet Factory
@@ -347,7 +349,7 @@ The `net-vpc` module includes a subnet factory (see [Resource Factories](../../b
 ```hcl
 module "vpc" {
   source     = "./fabric/modules/net-vpc"
-  project_id = "my-project"
+  project_id = var.project_id
   name       = "my-network"
   factories_config = {
     subnets_folder = "config/subnets"
@@ -430,7 +432,7 @@ locals {
 module "vpc" {
   source     = "./fabric/modules/net-vpc"
   for_each   = local.route_types
-  project_id = "my-project"
+  project_id = var.project_id
   name       = "my-network-with-route-${replace(each.key, "_", "-")}"
   routes = {
     next-hop = {
@@ -460,7 +462,7 @@ By default the VPC module creates IPv4 routes for the [Private Google Access ran
 ```hcl
 module "vpc" {
   source     = "./fabric/modules/net-vpc"
-  project_id = "my-project"
+  project_id = var.project_id
   name       = "my-vpc"
   create_googleapis_routes = {
     restricted   = false
@@ -469,15 +471,15 @@ module "vpc" {
     private-6    = true
   }
 }
-# tftest modules=1 resources=3 inventory=googleapis.yaml
+# tftest modules=1 resources=3 inventory=googleapis.yaml e2e
 ```
 
 ### Allow Firewall Policy to be evaluated before Firewall Rules
 
 ```hcl
 module "vpc" {
   source                            = "./fabric/modules/net-vpc"
-  project_id                        = "my-project"
+  project_id                        = var.project_id
   name                              = "my-network"
   firewall_policy_enforcement_order = "BEFORE_CLASSIC_FIREWALL"
   subnets = [
@@ -497,7 +499,7 @@ module "vpc" {
     }
   ]
 }
-# tftest modules=1 resources=5 inventory=firewall_policy_enforcement_order.yaml
+# tftest modules=1 resources=5 inventory=firewall_policy_enforcement_order.yaml e2e
 ```
 
 ### IPv6
@@ -507,12 +509,12 @@ A non-overlapping private IPv6 address space can be configured for the VPC via t
 ```hcl
 module "vpc" {
   source     = "./fabric/modules/net-vpc"
-  project_id = "my-project"
+  project_id = var.project_id
   name       = "my-network"
   ipv6_config = {
     # internal_range is optional
     enable_ula_internal = true
-    internal_range      = "fd20:6b2:27e5:0:0:0:0:0/48"
+    # internal_range      = "fd20:6b2:27e5::/48"
   }
   subnets = [
     {
@@ -531,7 +533,7 @@ module "vpc" {
     }
   ]
 }
-# tftest modules=1 resources=5 inventory=ipv6.yaml
+# tftest modules=1 resources=5 inventory=ipv6.yaml e2e
 ```
 <!-- BEGIN TFDOC -->
 ## Variables

modules/net-vpc/routes.tf

@@ -19,9 +19,9 @@
 locals {
   _googleapis_ranges = {
     private      = "199.36.153.8/30"
-    private-6    = "2600:2d00:0002:2000::/64"
+    private-6    = "2600:2d00:2:2000::/64"
     restricted   = "199.36.153.4/30"
-    restricted-6 = "2600:2d00:0002:1000::/64"
+    restricted-6 = "2600:2d00:2:1000::/64"
   }
   _googleapis_routes = {
     for k, v in local._googleapis_ranges : "${k}-googleapis" => {

tests/examples_e2e/setup_module/main.tf

@@ -26,10 +26,12 @@ locals {
     "cloudkms.googleapis.com",
     "cloudresourcemanager.googleapis.com",
     "compute.googleapis.com",
+    "dns.googleapis.com",
     "eventarc.googleapis.com",
     "iam.googleapis.com",
     "run.googleapis.com",
     "secretmanager.googleapis.com",
+    "servicenetworking.googleapis.com",
     "serviceusage.googleapis.com",
     "stackdriver.googleapis.com",
     "storage-component.googleapis.com",

tests/modules/net_vpc/examples/dns-policies.yaml

@@ -15,7 +15,7 @@
 values:
   module.vpc.google_compute_network.network[0]:
     name: my-network
-    project: my-project
+    project: project-id
   module.vpc.google_compute_subnetwork.subnetwork["europe-west1/production"]: {}
   module.vpc.google_dns_policy.default[0]:
     alternative_name_server_config:
@@ -30,9 +30,9 @@ values:
     name: my-network
     networks:
     - {}
-    project: my-project
+    project: project-id
 
 counts:
   google_compute_network: 1
   google_compute_subnetwork: 1
-  google_dns_policy: 1
+  google_dns_policy: 1