Add support for routes and tests to net-vpc module

modules/net-vpc/README.md

@@ -113,8 +113,9 @@ module "vpc-host" {
 | *log_config_defaults* | Default configuration for flow logs when enabled. | <code title="object&#40;&#123;&#10;aggregation_interval &#61; string&#10;flow_sampling        &#61; number&#10;metadata             &#61; string&#10;&#125;&#41;">object({...})</code> |  | <code title="&#123;&#10;aggregation_interval &#61; &#34;INTERVAL_5_SEC&#34;&#10;flow_sampling        &#61; 0.5&#10;metadata             &#61; &#34;INCLUDE_ALL_METADATA&#34;&#10;&#125;">...</code> |
 | *log_configs* | Map of per-subnet optional configurations for flow logs when enabled. | <code title="map&#40;map&#40;string&#41;&#41;">map(map(string))</code> |  | <code title="">{}</code> |
 | *peering_config* | VPC peering configuration. | <code title="object&#40;&#123;&#10;peer_vpc_self_link &#61; string&#10;export_routes      &#61; bool&#10;import_routes      &#61; bool&#10;&#125;&#41;">object({...})</code> |  | <code title="">null</code> |
+| *routes* | Network routes, keyed by name. | <code title="map&#40;object&#40;&#123;&#10;dest_range    &#61; string&#10;priority      &#61; number&#10;tags          &#61; list&#40;string&#41;&#10;next_hop_type &#61; string &#35; gateway, instance, ip, vpn_tunnel, ilb&#10;next_hop      &#61; string&#10;&#125;&#41;&#41;">map(object({...}))</code> |  | <code title="">{}</code> |
 | *routing_mode* | The network routing mode (default 'GLOBAL') | <code title="">string</code> |  | <code title="">GLOBAL</code> |
-| *shared_vpc_host* | Makes this project a Shared VPC host if 'true' (default 'false') | <code title="">bool</code> |  | <code title="">false</code> |
+| *shared_vpc_host* | Enable shared VPC for this project. | <code title="">bool</code> |  | <code title="">false</code> |
 | *shared_vpc_service_projects* | Shared VPC service projects to register with this host | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
 | *subnet_descriptions* | Optional map of subnet descriptions, keyed by subnet name. | <code title="map&#40;string&#41;">map(string)</code> |  | <code title="">{}</code> |
 | *subnet_flow_logs* | Optional map of boolean to control flow logs (default is disabled), keyed by subnet name. | <code title="map&#40;bool&#41;">map(bool)</code> |  | <code title="">{}</code> |

modules/net-vpc/main.tf

@@ -15,26 +15,54 @@
  */
 
 locals {
-  log_configs = {
-    for name, attrs in var.subnets : name => (
+  iam_members = var.iam_members == null ? {} : var.iam_members
+  iam_pairs = var.iam_roles == null ? [] : flatten([
+    for subnet, roles in var.iam_roles :
+    [for role in roles : { subnet = subnet, role = role }]
+  ])
+  iam_keypairs = {
+    for pair in local.iam_pairs :
+    "${pair.subnet}-${pair.role}" => pair
+  }
+  log_configs = var.log_configs == null ? {} : var.log_configs
+  peer_network = (
+    var.peering_config == null
+    ? null
+    : element(reverse(split("/", var.peering_config.peer_vpc_self_link)), 0)
+  )
+  routes = var.routes == null ? {} : var.routes
+  routes_gateway = {
+    for name, data in local.routes :
+    name => data if data.next_hop_type == "gateway"
+  }
+  routes_ilb = {
+    for name, data in local.routes :
+    name => data if data.next_hop_type == "ilb"
+  }
+  routes_instance = {
+    for name, data in local.routes :
+    name => data if data.next_hop_type == "instance"
+  }
+  routes_ip = {
+    for name, data in local.routes :
+    name => data if data.next_hop_type == "ip"
+  }
+  routes_vpn_tunnel = {
+    for name, data in local.routes :
+    name => data if data.next_hop_type == "vpn_tunnel"
+  }
+  subnet_log_configs = {
+    for name, attrs in local.subnets : name => (
       lookup(var.subnet_flow_logs, name, false)
       ? [{
         for key, value in var.log_config_defaults : key => lookup(
-          lookup(var.log_configs, name, {}), key, value
+          lookup(local.log_configs, name, {}), key, value
         )
       }]
       : []
     )
   }
-  iam_pairs = flatten([
-    for subnet, roles in var.iam_roles :
-    [for role in roles : { subnet = subnet, role = role }]
-  ])
-  iam_keypairs = {
-    for pair in local.iam_pairs :
-    "${pair.subnet}-${pair.role}" => pair
-  }
-  peer_network = var.peering_config == null ? null : element(reverse(split("/", var.peering_config.peer_vpc_self_link)), 0)
+  subnets = var.subnets == null ? {} : var.subnets
 }
 
 resource "google_compute_network" "network" {
@@ -73,31 +101,36 @@ resource "google_compute_shared_vpc_host_project" "shared_vpc_host" {
 }
 
 resource "google_compute_shared_vpc_service_project" "service_projects" {
-  for_each        = var.shared_vpc_host ? toset(var.shared_vpc_service_projects) : toset([])
+  for_each = (
+    var.shared_vpc_host && var.shared_vpc_service_projects != null
+    ? toset(var.shared_vpc_service_projects)
+    : toset([])
+  )
   host_project    = var.project_id
   service_project = each.value
   depends_on      = [google_compute_shared_vpc_host_project.shared_vpc_host]
 }
 
 resource "google_compute_subnetwork" "subnetwork" {
-  for_each      = var.subnets
+  for_each      = local.subnets
   project       = var.project_id
   network       = google_compute_network.network.name
   region        = each.value.region
   name          = "${var.name}-${each.key}"
   ip_cidr_range = each.value.ip_cidr_range
-  secondary_ip_range = [
+  secondary_ip_range = each.value.secondary_ip_range == null ? [] : [
     for name, range in each.value.secondary_ip_range :
     { range_name = name, ip_cidr_range = range }
   ]
   description              = lookup(var.subnet_descriptions, each.key, "Terraform-managed.")
   private_ip_google_access = lookup(var.subnet_private_access, each.key, true)
   dynamic "log_config" {
-    for_each = local.log_configs[each.key]
+    for_each = local.subnet_log_configs[each.key]
+    iterator = config
     content {
-      aggregation_interval = log_config.value.aggregation_interval
-      flow_sampling        = log_config.value.flow_sampling
-      metadata             = log_config.value.metadata
+      aggregation_interval = config.value.aggregation_interval
+      flow_sampling        = config.value.flow_sampling
+      metadata             = config.value.metadata
     }
   }
 }
@@ -109,6 +142,66 @@ resource "google_compute_subnetwork_iam_binding" "binding" {
   region     = google_compute_subnetwork.subnetwork[each.value.subnet].region
   role       = each.value.role
   members = lookup(
-    lookup(var.iam_members, each.value.subnet, {}), each.value.role, []
+    lookup(local.iam_members, each.value.subnet, {}), each.value.role, []
   )
 }
+
+resource "google_compute_route" "gateway" {
+  for_each         = local.routes_gateway
+  project          = var.project_id
+  network          = google_compute_network.network.name
+  name             = each.key
+  description      = "Terraform-managed."
+  dest_range       = each.value.dest_range
+  priority         = each.value.priority
+  tags             = each.value.tags
+  next_hop_gateway = each.value.next_hop
+}
+
+resource "google_compute_route" "ilb" {
+  for_each     = local.routes_ilb
+  project      = var.project_id
+  network      = google_compute_network.network.name
+  name         = each.key
+  description  = "Terraform-managed."
+  dest_range   = each.value.dest_range
+  priority     = each.value.priority
+  tags         = each.value.tags
+  next_hop_ilb = each.value.next_hop
+}
+
+resource "google_compute_route" "instance" {
+  for_each          = local.routes_instance
+  project           = var.project_id
+  network           = google_compute_network.network.name
+  name              = each.key
+  description       = "Terraform-managed."
+  dest_range        = each.value.dest_range
+  priority          = each.value.priority
+  tags              = each.value.tags
+  next_hop_instance = each.value.next_hop
+}
+
+resource "google_compute_route" "ip" {
+  for_each    = local.routes_ip
+  project     = var.project_id
+  network     = google_compute_network.network.name
+  name        = each.key
+  description = "Terraform-managed."
+  dest_range  = each.value.dest_range
+  priority    = each.value.priority
+  tags        = each.value.tags
+  next_hop_ip = each.value.next_hop
+}
+
+resource "google_compute_route" "vpn_tunnel" {
+  for_each            = local.routes_vpn_tunnel
+  project             = var.project_id
+  network             = google_compute_network.network.name
+  name                = each.key
+  description         = "Terraform-managed."
+  dest_range          = each.value.dest_range
+  priority            = each.value.priority
+  tags                = each.value.tags
+  next_hop_vpn_tunnel = each.value.next_hop
+}

modules/net-vpc/variables.tf

@@ -29,19 +29,19 @@ variable "description" {
 variable "iam_roles" {
   description = "List of IAM roles keyed by subnet."
   type        = map(list(string))
-  default     = {}
+  default     = null
 }
 
 variable "iam_members" {
   description = "List of IAM members keyed by subnet and role."
   type        = map(map(list(string)))
-  default     = {}
+  default     = null
 }
 
 variable "log_configs" {
   description = "Map of per-subnet optional configurations for flow logs when enabled."
   type        = map(map(string))
-  default     = {}
+  default     = null
 }
 
 variable "log_config_defaults" {
@@ -78,6 +78,18 @@ variable "project_id" {
   type        = string
 }
 
+variable "routes" {
+  description = "Network routes, keyed by name."
+  type = map(object({
+    dest_range    = string
+    priority      = number
+    tags          = list(string)
+    next_hop_type = string # gateway, instance, ip, vpn_tunnel, ilb
+    next_hop      = string
+  }))
+  default = null
+}
+
 variable "routing_mode" {
   description = "The network routing mode (default 'GLOBAL')"
   type        = string
@@ -103,7 +115,7 @@ variable "subnets" {
     region             = string
     secondary_ip_range = map(string)
   }))
-  default = {}
+  default = null
 }
 
 variable "subnet_descriptions" {

tests/modules/net-vpc/__init__.py

@@ -0,0 +1,13 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.

tests/modules/net-vpc/fixture/main.tf

@@ -0,0 +1,34 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "test" {
+  source                      = "../../../../modules/net-vpc"
+  project_id                  = var.project_id
+  name                        = var.name
+  iam_members                 = var.iam_members
+  iam_roles                   = var.iam_roles
+  log_configs                 = var.log_configs
+  log_config_defaults         = var.log_config_defaults
+  peering_config              = var.peering_config
+  routes                      = var.routes
+  shared_vpc_host             = var.shared_vpc_host
+  shared_vpc_service_projects = var.shared_vpc_service_projects
+  subnets                     = var.subnets
+  subnet_descriptions         = var.subnet_descriptions
+  subnet_flow_logs            = var.subnet_flow_logs
+  subnet_private_access       = var.subnet_private_access
+  auto_create_subnetworks     = var.auto_create_subnetworks
+}