Add support for PSC network attachments and interfaces in modules #2125
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR implements support for PSC network attachments and interfaces. The design moves from Fabric principles, and
net-vpcmodule, to allow network owners to directly define themnet-addressmodule, to allow the use case of creating attachments from Shared VPC service projectscompute-vmmoduleAt a lower level, the design choice on where and how to implement support (apart from the obvious choice of the vm module), moves from a few simple considerations.
The
net-vpcvariable design uses a separate variable, as network attachments have a 1:1 relationship with subnets (single subnet per attachment), and subnets have a 1:n relationship with attachments (multiple attachments possible per subnet).Implementing support directly in the subnets variable would have made it overly verbose; using a separate variable for attachments keeps the variable types simpler, and follows the same design principle used for proxy only and psc subnets, which allows to clearly identify a family of resources in variables at a glance (as opposed to IAM which we consider a resource configuration).
The choice of implementing support for attachment creation in service projects in the
net-addressmodule moves from the fact that at a high level, a network attachment is not entirely dissimilar from reserving subnet addresses ("If a network attachment accepts a connection from a Private Service Connect interface, Google Cloud allocates to the interface an internal IP address from a consumer subnet that's specified by the network attachment" from the GCP docs). Implementing the same in thenet-vpcmodule would have resulted in weird configurations, where the project passed to the module did not match the one where the resource needs to be created (host vs service), and subnets would still have to be specified by full URL without being internally referenced by the module who would not be managing them.The
compute-vmmodule support for attached interfaces has been implemented via a dedicated variable, as the type is radically different from regular network interfaces, and would have resulted in a very intricate variable with lots of corner cases to be addressed in validation. This choice also makes it obvious that at least one regular network interface is still required even when attached interfaces are used.The module changes have been tested with actual apply commands in my own setup.