From c16d1ea4dc6e15e46ae3ff230ad6f614064ca0f6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Wiktor=20Niesiob=C4=99dzki?= Date: Thu, 23 May 2024 09:09:36 +0000 Subject: [PATCH 1/2] Internet NEG for net-lb-proxy-int --- modules/net-lb-proxy-int/README.md | 79 +++++++++++++++---- modules/net-lb-proxy-int/backend-service.tf | 4 + modules/net-lb-proxy-int/main.tf | 78 ++++++++++++++++++ modules/net-lb-proxy-int/outputs.tf | 12 +++ modules/net-lb-proxy-int/variables.tf | 26 ++++++ .../examples/internet-neg.yaml | 69 ++++++++++++++++ 6 files changed, 251 insertions(+), 17 deletions(-) create mode 100644 tests/modules/net_lb_proxy_int/examples/internet-neg.yaml diff --git a/modules/net-lb-proxy-int/README.md b/modules/net-lb-proxy-int/README.md index 0e03635371..b11e6cbf87 100644 --- a/modules/net-lb-proxy-int/README.md +++ b/modules/net-lb-proxy-int/README.md @@ -15,6 +15,7 @@ Due to the complexity of the underlying resources, changes to the configuration - [Zonal NEG creation](#zonal-neg-creation) - [Hybrid NEG creation](#hybrid-neg-creation) - [Private Service Connect NEG creation](#private-service-connect-neg-creation) + - [Internet NEG creation](#internet-neg-creation) - [Files](#files) - [Variables](#variables) - [Outputs](#outputs) 
@@ -271,6 +272,47 @@ module "int-tcp-proxy" { # tftest modules=1 resources=5 ``` +#### Internet NEG creation + +This example shows how to create and manage internet NEGs: + +```hcl +module "ilb-l7" { + source = "./fabric/modules/net-lb-proxy-int" + project_id = var.project_id + name = "ilb-test" + region = var.region + backend_service_config = { + backends = [ + { group = "neg-0" } + ] + # with a single internet NEG the implied default health check is optional + health_checks = [] + } + port = 80 + neg_configs = { + neg-0 = { + internet = { + region = var.region + use_fqdn = true + endpoints = { + e-0 = { + destination = "www.example.org" + port = 80 + } + } + } + } + } + vpc_config = { + network = var.vpc.self_link + subnetwork = var.subnet.self_link + } +} +# tftest modules=1 resources=6 inventory=internet-neg.yaml e2e +``` + + ## Files @@ -280,7 +322,7 @@ module "int-tcp-proxy" { | [backend-service.tf](./backend-service.tf) | Backend service resources. | google_compute_region_backend_service | | [groups.tf](./groups.tf) | None | google_compute_instance_group | | [health-check.tf](./health-check.tf) | Health check resource. | google_compute_region_health_check | -| [main.tf](./main.tf) | Module-level locals and resources. | google_compute_forwarding_rule · google_compute_network_endpoint · google_compute_network_endpoint_group · google_compute_region_network_endpoint_group · google_compute_region_target_tcp_proxy | +| [main.tf](./main.tf) | Module-level locals and resources. | google_compute_forwarding_rule · google_compute_network_endpoint · google_compute_network_endpoint_group · google_compute_region_network_endpoint · google_compute_region_network_endpoint_group · google_compute_region_target_tcp_proxy · google_compute_service_attachment | | [outputs.tf](./outputs.tf) | Module outputs. | | | [variables.tf](./variables.tf) | Module variables. | | | [versions.tf](./versions.tf) | Version pins. | | 
@@ -290,9 +332,9 @@ module "int-tcp-proxy" { | name | description | type | required | default | |---|---|:---:|:---:|:---:| | [name](variables.tf#L198) | Load balancer name. | string | ✓ | | -| [project_id](variables.tf#L256) | Project id. | string | ✓ | | -| [region](variables.tf#L261) | The region where to allocate the ILB resources. | string | ✓ | | -| [vpc_config](variables.tf#L266) | VPC-level configuration. | object({…}) | ✓ | | +| [project_id](variables.tf#L267) | Project id. | string | ✓ | | +| [region](variables.tf#L272) | The region where to allocate the ILB resources. | string | ✓ | | +| [vpc_config](variables.tf#L292) | VPC-level configuration. | object({…}) | ✓ | | | [address](variables.tf#L17) | Optional IP address used for the forwarding rule. | string | | null | | [backend_service_config](variables.tf#L23) | Backend service level configuration. | object({…}) | | {} | | [description](variables.tf#L75) | Optional description used for resources. | string | | "Terraform managed." | 
@@ -301,22 +343,25 @@ module "int-tcp-proxy" { | [health_check](variables.tf#L100) | Name of existing health check to use, disables auto-created health check. | string | | null | | [health_check_config](variables.tf#L106) | Optional auto-created health check configurations, use the output self-link to set it in the auto healing policy. Refer to examples for usage. | object({…}) | | {…} | | [labels](variables.tf#L192) | Labels set on resources. | map(string) | | {} | -| [neg_configs](variables.tf#L203) | Optional network endpoint groups to create. Can be referenced in backends via key or outputs. | map(object({…})) | | {} | -| [port](variables.tf#L250) | Port. | number | | 80 | +| [neg_configs](variables.tf#L203) | Optional network endpoint groups to create. Can be referenced in backends via key or outputs. | map(object({…})) | | {} | +| [port](variables.tf#L261) | Port. | number | | 80 | +| [service_attachment](variables.tf#L277) | PSC service attachment. | object({…}) | | null | ## Outputs | name | description | sensitive | |---|---|:---:| -| [backend_service](outputs.tf#L17) | Backend resource. | | -| [backend_service_id](outputs.tf#L22) | Backend id. | | -| [backend_service_self_link](outputs.tf#L27) | Backend self link. | | -| [forwarding_rule](outputs.tf#L32) | Forwarding rule resource. | | -| [group_self_links](outputs.tf#L37) | Optional unmanaged instance group self links. | | -| [groups](outputs.tf#L44) | Optional unmanaged instance group resources. | | -| [health_check](outputs.tf#L49) | Auto-created health-check resource. | | -| [health_check_id](outputs.tf#L54) | Auto-created health-check id. | | -| [health_check_self_link](outputs.tf#L59) | Auto-created health-check self link. | | -| [id](outputs.tf#L64) | Fully qualified forwarding rule id. | | -| [neg_ids](outputs.tf#L69) | Autogenerated network endpoint group ids. | | +| [address](outputs.tf#L17) | Forwarding rule address. | | +| [backend_service](outputs.tf#L22) | Backend resource. 
| | +| [backend_service_id](outputs.tf#L27) | Backend id. | | +| [backend_service_self_link](outputs.tf#L32) | Backend self link. | | +| [forwarding_rule](outputs.tf#L37) | Forwarding rule resource. | | +| [group_self_links](outputs.tf#L42) | Optional unmanaged instance group self links. | | +| [groups](outputs.tf#L49) | Optional unmanaged instance group resources. | | +| [health_check](outputs.tf#L54) | Auto-created health-check resource. | | +| [health_check_id](outputs.tf#L59) | Auto-created health-check id. | | +| [health_check_self_link](outputs.tf#L64) | Auto-created health-check self link. | | +| [id](outputs.tf#L69) | Fully qualified forwarding rule id. | | +| [neg_ids](outputs.tf#L74) | Autogenerated network endpoint group ids. | | +| [service_attachment_id](outputs.tf#L81) | Id of the service attachment. | | diff --git a/modules/net-lb-proxy-int/backend-service.tf b/modules/net-lb-proxy-int/backend-service.tf index 7e7af78e17..e6aa07a28d 100644 --- a/modules/net-lb-proxy-int/backend-service.tf +++ b/modules/net-lb-proxy-int/backend-service.tf @@ -26,7 +26,11 @@ locals { }, { for k, v in google_compute_region_network_endpoint_group.psc : k => v.id + }, + { + for k, v in google_compute_region_network_endpoint_group.internet : k => v.id } + ) } diff --git a/modules/net-lb-proxy-int/main.tf b/modules/net-lb-proxy-int/main.tf index 6f123f8443..404b4f4bc2 100644 --- a/modules/net-lb-proxy-int/main.tf +++ b/modules/net-lb-proxy-int/main.tf 
@@ -122,3 +122,81 @@ resource "google_compute_region_network_endpoint_group" "psc" {
 network = each.value.psc.network
 subnetwork = each.value.psc.subnetwork
 }
+
+# Internet NEG
+locals {
+ _neg_endpoints_internet = flatten([
+ for k, v in local.neg_internet : [
+ for kk, vv in v.internet.endpoints : merge(vv, {
+ key = "${k}-${kk}", neg = k, region = v.internet.region, use_fqdn = v.internet.use_fqdn
+ })
+ ]
+ ])
+ neg_endpoints_internet = {
+ for v in local._neg_endpoints_internet : (v.key) => v
+ }
+ neg_internet = {
+ for k, v in var.neg_configs :
+ k => v if v.internet != null
+ }
+}
+
+resource "google_compute_region_network_endpoint_group" "internet" {
+ for_each = local.neg_internet
+ project = var.project_id
+ name = "${var.name}-${each.key}"
+ region = each.value.internet.region
+ # re-enable once provider properly supports this
+ # default_port = each.value.default_port
+ # description = coalesce(each.value.description, var.description)
+ network_endpoint_type = (
+ each.value.internet.use_fqdn ? "INTERNET_FQDN_PORT" : "INTERNET_IP_PORT"
+ )
+ network = var.vpc_config.network
+}
+
+resource "google_compute_region_network_endpoint" "internet" {
+ for_each = local.neg_endpoints_internet
+ project = (
+ google_compute_region_network_endpoint_group.internet[each.value.neg].project
+ )
+ region = each.value.region
+ region_network_endpoint_group = (
+ google_compute_region_network_endpoint_group.internet[each.value.neg].name
+ )
+ fqdn = each.value.use_fqdn ? each.value.destination : null
+ ip_address = each.value.use_fqdn ? null : each.value.destination
+ port = each.value.port
+}
+
+# PSC Procuder Service attachments
+resource "google_compute_service_attachment" "default" {
+ count = var.service_attachment == null ? 0 : 1
+ project = var.project_id
+ region = var.region
+ name = var.name
+ description = var.description
+ target_service = google_compute_forwarding_rule.default.id
+ nat_subnets = var.service_attachment.nat_subnets
+ connection_preference = (
+ var.service_attachment.automatic_connection
+ ? "ACCEPT_AUTOMATIC"
+ : "ACCEPT_MANUAL"
+ )
+ consumer_reject_lists = var.service_attachment.consumer_reject_lists
+ domain_names = (
+ var.service_attachment.domain_name == null
+ ? null
+ : [var.service_attachment.domain_name]
+ )
+ enable_proxy_protocol = var.service_attachment.enable_proxy_protocol
+ reconcile_connections = var.service_attachment.reconcile_connections
+ dynamic "consumer_accept_lists" {
+ for_each = var.service_attachment.consumer_accept_lists
+ iterator = accept
+ content {
+ project_id_or_num = accept.key
+ connection_limit = accept.value
+ }
+ }
+}
diff --git a/modules/net-lb-proxy-int/outputs.tf b/modules/net-lb-proxy-int/outputs.tf
index 101c6af141..7f37aa7e66 100644
--- a/modules/net-lb-proxy-int/outputs.tf
+++ b/modules/net-lb-proxy-int/outputs.tf
@@ -14,6 +14,11 @@
 * limitations under the License.
 */
 
+output "address" {
+ description = "Forwarding rule address."
+ value = google_compute_forwarding_rule.default.ip_address
+}
+
 output "backend_service" {
 description = "Backend resource."
 value = google_compute_region_backend_service.default
@@ -72,3 +77,10 @@ output "neg_ids" {
 for k, v in google_compute_network_endpoint_group.default : k => v.id
 }
 }
+
+output "service_attachment_id" {
+ description = "Id of the service attachment."
+ value = try(
+ google_compute_service_attachment.default[0].id, null
+ )
+}
diff --git a/modules/net-lb-proxy-int/variables.tf b/modules/net-lb-proxy-int/variables.tf
index cd1a6e81db..119265d241 100644
--- a/modules/net-lb-proxy-int/variables.tf
+++ b/modules/net-lb-proxy-int/variables.tf
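Review bot: `google_compute_service_attachment.default` sets `description = var.description` and never reads the `description` field that the new `service_attachment` variable declares, so a per-attachment description is silently dropped; `description = coalesce(var.service_attachment.description, var.description)` honours it with the same fallback. The `connection_preference` expression is the access-control boundary of the published service: `automatic_connection = false` (the default) yields `ACCEPT_MANUAL`, where only projects listed in `consumer_accept_lists` may connect, while `true` yields `ACCEPT_AUTOMATIC`, which as far as I can tell admits any PSC consumer project able to reach the attachment and leaves `consumer_reject_lists` as the only filter — a comment above the expression such as `# ACCEPT_AUTOMATIC admits any consumer project; accept lists apply only under ACCEPT_MANUAL` would make that explicit. In the internet NEG locals, `for kk, vv in v.internet.endpoints` iterates a value that is `null` whenever a caller omits `endpoints` (the variable gives it no default), and HCL rejects a null collection in a `for` expression, so an endpoint-less internet NEG fails at plan time; `for kk, vv in (v.internet.endpoints == null ? {} : v.internet.endpoints) : merge(vv, {` keeps it usable. The header comment `# PSC Procuder Service attachments` also misspells `Producer`.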
@@ -226,6 +226,16 @@ variable "neg_configs" {
 port = number
 })))
 }))
+ internet = optional(object({
+ region = string
+ use_fqdn = optional(bool, true)
+ # re-enable once provider properly support this
+ # default_port = optional(number)
+ endpoints = optional(map(object({
+ destination = string
+ port = number
+ })))
+ }))
 psc = optional(object({
 region = string
 target_service = string
@@ -240,6 +250,7 @@ variable "neg_configs" {
 for k, v in var.neg_configs : (
 (try(v.gce, null) == null ? 0 : 1) +
 (try(v.hybrid, null) == null ? 0 : 1) +
+ (try(v.internet, null) == null ? 0 : 1) +
 (try(v.psc, null) == null ? 0 : 1) == 1
 )
 ])
@@ -263,6 +274,21 @@ variable "region" {
 type = string
 }
 
+variable "service_attachment" {
+ description = "PSC service attachment."
+ type = object({
+ nat_subnets = list(string)
+ automatic_connection = optional(bool, false)
+ consumer_accept_lists = optional(map(string), {}) # map of `project_id` => `connection_limit`
+ consumer_reject_lists = optional(list(string))
+ description = optional(string)
+ domain_name = optional(string)
+ enable_proxy_protocol = optional(bool, false)
+ reconcile_connections = optional(bool)
+ })
+ default = null
+}
+
 variable "vpc_config" {
 description = "VPC-level configuration."
 type = object({
diff --git a/tests/modules/net_lb_proxy_int/examples/internet-neg.yaml b/tests/modules/net_lb_proxy_int/examples/internet-neg.yaml
new file mode 100644
index 0000000000..ed08342630
--- /dev/null
+++ b/tests/modules/net_lb_proxy_int/examples/internet-neg.yaml
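Review bot: `endpoints = optional(map(object({...})))` in the new `internet` block carries no default, so a caller who omits it gets `null` rather than an empty map, and the `for` expression in `main.tf` that iterates `v.internet.endpoints` fails on a null collection; `endpoints = optional(map(object({ destination = string, port = number })), {})` gives an endpoint-less NEG a well-defined empty set instead of a plan-time error. `region` is accepted without constraint, but I believe a regional internet NEG can only back a regional backend service in the same region, so the variable description (or a comment on the field) should say that `internet.region` is expected to equal `var.region`, since a `validation` block here cannot reference another variable.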
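Review bot: The new `service_attachment` variable exposes the producer's acceptance policy, but `description = "PSC service attachment."` documents none of it: a caller cannot tell that `automatic_connection = true` switches the attachment to `ACCEPT_AUTOMATIC`, which admits any PSC consumer project, nor that `consumer_accept_lists` is, as far as I can tell, honoured only under the default manual mode. A description such as `"PSC service attachment. Connections are accepted manually from consumer_accept_lists unless automatic_connection is set, which accepts any consumer project."` states the trust boundary where users read it. A `validation` block with `condition = var.service_attachment == null ? true : !(var.service_attachment.automatic_connection && length(var.service_attachment.consumer_accept_lists) > 0)` would reject the contradictory combination at plan time. `consumer_accept_lists` is typed `map(string)` although its values feed `connection_limit`, so `optional(map(number), {})` lets the type system enforce what the trailing comment only describes.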
@@ -0,0 +1,69 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +values: + module.ilb-l7.google_compute_forwarding_rule.default: + description: Terraform managed. + ip_protocol: TCP + load_balancing_scheme: INTERNAL_MANAGED + name: ilb-test + network: projects/xxx/global/networks/aaa + port_range: '80' + project: project-id + region: europe-west8 + subnetwork: subnet_self_link + module.ilb-l7.google_compute_region_backend_service.default: + backend: + - balancing_mode: UTILIZATION + capacity_scaler: 1 + description: Terraform managed. + description: Terraform managed. + load_balancing_scheme: INTERNAL_MANAGED + name: ilb-test + project: project-id + protocol: TCP + region: europe-west8 + session_affinity: NONE + module.ilb-l7.google_compute_region_network_endpoint.internet["neg-0-e-0"]: + fqdn: www.example.org + ip_address: null + port: 80 + project: project-id + region: europe-west8 + region_network_endpoint_group: ilb-test-neg-0 + module.ilb-l7.google_compute_region_network_endpoint_group.internet["neg-0"]: + name: ilb-test-neg-0 + network: projects/xxx/global/networks/aaa + network_endpoint_type: INTERNET_FQDN_PORT + project: project-id + region: europe-west8 + subnetwork: null + module.ilb-l7.google_compute_region_target_tcp_proxy.default: + description: Terraform managed. 
+ name: ilb-test + project: project-id + proxy_header: NONE + region: europe-west8 + timeouts: null + +counts: + google_compute_forwarding_rule: 1 + google_compute_region_backend_service: 1 + google_compute_region_health_check: 1 + google_compute_region_network_endpoint: 1 + google_compute_region_network_endpoint_group: 1 + google_compute_region_target_tcp_proxy: 1 + modules: 1 + resources: 6 From c5ee37470a7f33c776208820e9e93b0e013ac7ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Wiktor=20Niesiob=C4=99dzki?= Date: Fri, 24 May 2024 09:26:17 +0000 Subject: [PATCH 2/2] Add regional PSC addresses to output --- modules/net-address/outputs.tf | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/modules/net-address/outputs.tf b/modules/net-address/outputs.tf index cf6641bdaf..95ab38b114 100644 --- a/modules/net-address/outputs.tf +++ b/modules/net-address/outputs.tf @@ -64,8 +64,14 @@ output "psa_addresses" { output "psc_addresses" { description = "Allocated internal addresses for PSC endpoints." - value = { - for address in google_compute_global_address.psc : - address.name => address - } + value = merge( + { + for address in google_compute_global_address.psc : + address.name => address + }, + { + for address in google_compute_address.psc : + address.name => address + } + ) }
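Review bot: The two maps merged into `psc_addresses` are both keyed by `address.name`, so a regional `google_compute_address.psc` that shares a name with a global `google_compute_global_address.psc` silently replaces it in the output (the later `merge` argument wins), and a consumer reading `psc_addresses[name].address` would be handed a different endpoint than it expects. Whether the module's inputs allow the two sets to share names is not visible in this hunk, so at minimum state it in the description, e.g. `description = "Allocated internal addresses for PSC endpoints, keyed by name; a regional address shadows a global one with the same name."`, or expose the regional set under its own output if collisions are possible.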