refactor(modules/vpc)!: VPC module refactor

examples/panorama_standalone/README.md

@@ -110,7 +110,7 @@ No resources.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | A string to prefix resource namings | `string` | `""` | no |
-| <a name="input_networks"></a> [networks](#input\_networks) | A map containing each network setting.<br><br>Example of variable deployment :<pre>vpcs = {<br>  "panorama-vpc" = {<br>    vpc_name          = "panorama-vpc"<br>    subnet_name       = "panorama-subnet"<br>    cidr              = "172.21.21.0/24"<br>    allowed_sources   = ["1.1.1.1/32" , "2.2.2.2/32"]<br>    create_network    = true<br>    create_subnetwork = true<br>  }<br>}</pre>For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc#input_networks)<br><br>Multiple keys can be added and will be deployed by the code | `any` | n/a | yes |
+| <a name="input_networks"></a> [networks](#input\_networks) | A map containing each network setting.<br><br>Example of variable deployment :<pre>networks = {<br>  "panorama-vpc" = {<br>    vpc_name                        = "firewall-vpc"<br>    create_network                  = true<br>    delete_default_routes_on_create = "false"<br>    mtu                             = "1460"<br>    routing_mode                    = "REGIONAL"<br>    subnetworks = {<br>      "panorama-sub" = {<br>        subnetwork_name   = "panorama-subnet"<br>        create_subnetwork = true<br>        ip_cidr_range     = "172.21.21.0/24"<br>        region            = "us-central1"<br>      }<br>    }<br>    firewall_rules = {<br>      "allow-panorama-ingress" = {<br>        name             = "panorama-mgmt"<br>        source_ranges    = ["1.1.1.1/32", "2.2.2.2/32"]<br>        priority         = "1000"<br>        allowed_protocol = "all"<br>        allowed_ports    = []<br>      }<br>    }<br>  }</pre>For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc#input_networks)<br><br>Multiple keys can be added and will be deployed by the code | `any` | n/a | yes |
 | <a name="input_panoramas"></a> [panoramas](#input\_panoramas) | A map containing each panorama setting.<br><br>Example of variable deployment :<pre>panoramas = {<br>  "panorama-01" = {<br>    panorama_name     = "panorama-01"<br>    panorama_vpc      = "panorama-vpc"<br>    panorama_subnet   = "panorama-subnet"<br>    panorama_version  = "panorama-byol-1000"<br>    ssh_keys          = "admin:PUBLIC-KEY"<br>    attach_public_ip  = true<br>    private_static_ip = "172.21.21.2"<br>  }<br>}</pre>For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/panorama#inputs)<br><br>Multiple keys can be added and will be deployed by the code | `any` | n/a | yes |
 | <a name="input_project"></a> [project](#input\_project) | The project name to deploy the infrastructure in to. | `string` | `null` | no |
 | <a name="input_region"></a> [region](#input\_region) | The region into which to deploy the infrastructure in to | `string` | `"us-central1"` | no |

examples/panorama_standalone/example.tfvars

@@ -7,12 +7,28 @@ name_prefix = ""
 
 networks = {
   "panorama-vpc" = {
-    create_network    = true
-    create_subnetwork = true
-    name              = "panorama-vpc"
-    subnetwork_name   = "panorama-subnet"
-    ip_cidr_range     = "172.21.21.0/24"
-    allowed_sources   = ["1.1.1.1/32", "2.2.2.2/32"]
+    vpc_name                        = "firewall-vpc"
+    create_network                  = true
+    delete_default_routes_on_create = "false"
+    mtu                             = "1460"
+    routing_mode                    = "REGIONAL"
+    subnetworks = {
+      "panorama-sub" = {
+        subnetwork_name   = "panorama-subnet"
+        create_subnetwork = true
+        ip_cidr_range     = "172.21.21.0/24"
+        region            = "us-central1"
+      }
+    }
+    firewall_rules = {
+      "allow-panorama-ingress" = {
+        name             = "panorama-mgmt"
+        source_ranges    = ["1.1.1.1/32", "2.2.2.2/32"]
+        priority         = "1000"
+        allowed_protocol = "all"
+        allowed_ports    = []
+      }
+    }
   }
 }
 
@@ -22,8 +38,8 @@ panoramas = {
   "panorama-01" = {
     zone              = "us-central1-a"
     panorama_name     = "panorama-01"
-    panorama_vpc      = "panorama-vpc"
-    panorama_subnet   = "panorama-subnet"
+    vpc_network_key   = "panorama-vpc"
+    subnetwork_key    = "panorama-sub"
     panorama_version  = "panorama-byol-1000"
     ssh_keys          = "admin:<ssh-rsa AAAA...>"
     attach_public_ip  = true

examples/panorama_standalone/main.tf

@@ -1,11 +1,22 @@
 module "vpc" {
   source = "../../modules/vpc"
 
-  networks = { for k, v in var.networks : k => merge(v, {
-    name            = "${var.name_prefix}${v.name}"
+  for_each = var.networks
+
+  project_id                      = var.project
+  name                            = "${var.name_prefix}${each.value.vpc_name}"
+  create_network                  = each.value.create_network
+  delete_default_routes_on_create = each.value.delete_default_routes_on_create
+  mtu                             = each.value.mtu
+  routing_mode                    = each.value.routing_mode
+  subnetworks = { for k, v in each.value.subnetworks : k => merge(v, {
     subnetwork_name = "${var.name_prefix}${v.subnetwork_name}"
     })
   }
+  firewall_rules = try({ for k, v in each.value.firewall_rules : k => merge(v, {
+    name = "${var.name_prefix}${v.name}"
+    })
+  }, {})
 }
 
 module "panorama" {
@@ -19,7 +30,7 @@ module "panorama" {
   zone              = each.value.zone
   panorama_version  = each.value.panorama_version
   ssh_keys          = each.value.ssh_keys
-  subnet            = module.vpc.subnetworks["${var.name_prefix}${each.value.panorama_subnet}"].self_link
+  subnet            = module.vpc[each.value.vpc_network_key].subnetworks[each.value.subnetwork_key].self_link
   private_static_ip = each.value.private_static_ip
   attach_public_ip  = each.value.attach_public_ip
   log_disks         = try(each.value.log_disks, [])

examples/panorama_standalone/variables.tf

@@ -23,16 +23,31 @@ variable "networks" {
     Example of variable deployment :
 
     ```
-    vpcs = {
+    networks = {
       "panorama-vpc" = {
-        vpc_name          = "panorama-vpc"
-        subnet_name       = "panorama-subnet"
-        cidr              = "172.21.21.0/24"
-        allowed_sources   = ["1.1.1.1/32" , "2.2.2.2/32"]
-        create_network    = true
-        create_subnetwork = true
+        vpc_name                        = "firewall-vpc"
+        create_network                  = true
+        delete_default_routes_on_create = "false"
+        mtu                             = "1460"
+        routing_mode                    = "REGIONAL"
+        subnetworks = {
+          "panorama-sub" = {
+            subnetwork_name   = "panorama-subnet"
+            create_subnetwork = true
+            ip_cidr_range     = "172.21.21.0/24"
+            region            = "us-central1"
+          }
+        }
+        firewall_rules = {
+          "allow-panorama-ingress" = {
+            name             = "panorama-mgmt"
+            source_ranges    = ["1.1.1.1/32", "2.2.2.2/32"]
+            priority         = "1000"
+            allowed_protocol = "all"
+            allowed_ports    = []
+          }
+        }
       }
-    }
     ```
 
     For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc#input_networks)

examples/standalone_vmseries_with_metadata_bootstrap/README.md

@@ -23,8 +23,8 @@ No providers.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_management_vpc"></a> [management\_vpc](#module\_management\_vpc) | ../../modules/vpc | n/a |
 | <a name="module_vmseries"></a> [vmseries](#module\_vmseries) | ../../modules/vmseries | n/a |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | ../../modules/vpc | n/a |
 
 ### Resources
 
@@ -34,18 +34,16 @@ No resources.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_allowed_sources"></a> [allowed\_sources](#input\_allowed\_sources) | n/a | `any` | n/a | yes |
-| <a name="input_bootstrap_options"></a> [bootstrap\_options](#input\_bootstrap\_options) | n/a | `any` | n/a | yes |
-| <a name="input_name"></a> [name](#input\_name) | n/a | `any` | n/a | yes |
-| <a name="input_project"></a> [project](#input\_project) | n/a | `any` | n/a | yes |
-| <a name="input_region"></a> [region](#input\_region) | n/a | `any` | n/a | yes |
-| <a name="input_ssh_keys"></a> [ssh\_keys](#input\_ssh\_keys) | n/a | `any` | n/a | yes |
-| <a name="input_vmseries_image"></a> [vmseries\_image](#input\_vmseries\_image) | n/a | `any` | n/a | yes |
+| <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | A string to prefix resource namings | `string` | `""` | no |
+| <a name="input_networks"></a> [networks](#input\_networks) | A map containing each network setting.<br><br>Example of variable deployment :<pre>networks = {<br>  "vmseries-vpc" = {<br>    vpc_name                        = "firewall-vpc"<br>    create_network                  = true<br>    delete_default_routes_on_create = "false"<br>    mtu                             = "1460"<br>    routing_mode                    = "REGIONAL"<br>    subnetworks = {<br>      "vmseries-sub" = {<br>        subnetwork_name   = "vmseries-subnet"<br>        create_subnetwork = true<br>        ip_cidr_range     = "172.21.21.0/24"<br>        region            = "us-central1"<br>      }<br>    }<br>    firewall_rules = {<br>      "allow-vmseries-ingress" = {<br>        name             = "vmseries-mgmt"<br>        source_ranges    = ["1.1.1.1/32", "2.2.2.2/32"]<br>        priority         = "1000"<br>        allowed_protocol = "all"<br>        allowed_ports    = []<br>      }<br>    }<br>  }</pre>For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc#input_networks)<br><br>Multiple keys can be added and will be deployed by the code | `any` | n/a | yes |
+| <a name="input_project"></a> [project](#input\_project) | The project name to deploy the infrastructure in to. | `string` | `null` | no |
+| <a name="input_vmseries"></a> [vmseries](#input\_vmseries) | A map containing each individual vmseries setting.<br><br>Example of variable deployment :<pre>vmseries = {<br>    "fw-vmseries-01" = {<br>      name             = "fw-vmseries-01"<br>      zone             = "us-central1-b"<br>      vmseries_image   = "vmseries-flex-byol-1022h2"<br>      ssh_keys         = "admin:<YOUR_SSH_KEY>"<br>      machine_type     = "n2-standard-4"<br>      min_cpu_platform = "Intel Cascade Lake"<br>      tags             = ["vmseries"]<br>      scopes = [<br>        "https://www.googleapis.com/auth/compute.readonly",<br>        "https://www.googleapis.com/auth/cloud.useraccounts.readonly",<br>        "https://www.googleapis.com/auth/devstorage.read_only",<br>        "https://www.googleapis.com/auth/logging.write",<br>        "https://www.googleapis.com/auth/monitoring.write",<br>      ]<br>      bootstrap_options = {<br>        panorama-server = "1.1.1.1" # Modify this value as per deployment requirements<br>        dns-primary     = "8.8.8.8" # Modify this value as per deployment requirements<br>        dns-secondary   = "8.8.4.4" # Modify this value as per deployment requirements<br>      }<br>      named_ports = [<br>        {<br>          name = "http"<br>          port = 80<br>        },<br>        {<br>          name = "https"<br>          port = 443<br>        }<br>      ]<br>      network_interfaces = [<br>        {<br>          vpc_network_key  = "vmseries-vpc"<br>          subnetwork_key   = "fw-mgmt-sub"<br>          private_ip       = "10.10.10.2"<br>          create_public_ip = true<br>        }<br>      ]<br>    }<br>  }</pre>For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vmseries#inputs)<br><br>The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.<br>Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes |
+| <a name="input_vmseries_common"></a> [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.<br><br>Example of variable deployment :<pre>vmseries_common = {<br>  ssh_keys            = "admin:AAAABBBB..."<br>  vmseries_image      = "vmseries-flex-byol-1022h2"<br>  machine_type        = "n2-standard-4"<br>  min_cpu_platform    = "Intel Cascade Lake"<br>  service_account_key = "sa-vmseries-01"<br>  bootstrap_options = {<br>    type                = "dhcp-client"<br>    mgmt-interface-swap = "enable"<br>  }<br>}</pre>Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`). | `map` | `{}` | no |
 
 ### Outputs
 
 | Name | Description |
 |------|-------------|
-| <a name="output_vmseries_address"></a> [vmseries\_address](#output\_vmseries\_address) | n/a |
-| <a name="output_vmseries_ssh_command"></a> [vmseries\_ssh\_command](#output\_vmseries\_ssh\_command) | n/a |
+| <a name="output_vmseries_private_ips"></a> [vmseries\_private\_ips](#output\_vmseries\_private\_ips) | Private IP addresses of the vmseries instances. |
+| <a name="output_vmseries_public_ips"></a> [vmseries\_public\_ips](#output\_vmseries\_public\_ips) | Public IP addresses of the vmseries instances. |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/standalone_vmseries_with_metadata_bootstrap/example.tfvars

@@ -1,12 +1,71 @@
-project         = "example"
-region          = "us-central1"
-name            = "example-vmseries"
-allowed_sources = ["1.1.1.1/32", "2.2.2.2/32"] # Replace these values with your own source CIDRs.
-ssh_keys        = "admin:<public key>"
-vmseries_image  = "vmseries-flex-byol-1020"
-bootstrap_options = {
-  hostname           = "vms01"
-  panorama-server    = "10.1.2.3"
-  plugin-op-commands = "numa-perf-optimize:enable,set-dp-cores:2"
-  type               = "dhcp-client"
+project     = "<PROJECT_ID>"
+name_prefix = ""
+
+networks = {
+  "vmseries-vpc" = {
+    vpc_name                        = "firewall-vpc"
+    create_network                  = true
+    delete_default_routes_on_create = false
+    mtu                             = "1460"
+    routing_mode                    = "REGIONAL"
+    subnetworks = {
+      "vmseries-sub" = {
+        subnetwork_name   = "vmseries-subnet"
+        create_subnetwork = true
+        ip_cidr_range     = "10.10.10.0/24"
+        region            = "us-central1"
+      }
+    }
+    firewall_rules = {
+      "allow-vmseries-ingress" = {
+        name             = "vmseries-mgmt"
+        source_ranges    = ["1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes.
+        priority         = "1000"
+        allowed_protocol = "all"
+        allowed_ports    = []
+      }
+    }
+  }
 }
+
+vmseries = {
+  "fw-vmseries-01" = {
+    name             = "fw-vmseries-01"
+    zone             = "us-central1-b"
+    vmseries_image   = "vmseries-flex-byol-1022h2"
+    ssh_keys         = "admin:<YOUR_SSH_KEY>"
+    machine_type     = "n2-standard-4"
+    min_cpu_platform = "Intel Cascade Lake"
+    tags             = ["vmseries"]
+    scopes = [
+      "https://www.googleapis.com/auth/compute.readonly",
+      "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
+      "https://www.googleapis.com/auth/devstorage.read_only",
+      "https://www.googleapis.com/auth/logging.write",
+      "https://www.googleapis.com/auth/monitoring.write",
+    ]
+    bootstrap_options = {
+      panorama-server = "1.1.1.1" # Modify this value as per deployment requirements
+      dns-primary     = "8.8.8.8" # Modify this value as per deployment requirements
+      dns-secondary   = "8.8.4.4" # Modify this value as per deployment requirements
+    }
+    named_ports = [
+      {
+        name = "http"
+        port = 80
+      },
+      {
+        name = "https"
+        port = 443
+      }
+    ]
+    network_interfaces = [
+      {
+        vpc_network_key  = "vmseries-vpc"
+        subnetwork_key   = "vmseries-sub"
+        private_ip       = "10.10.10.2"
+        create_public_ip = true
+      }
+    ]
+  }
+}

examples/standalone_vmseries_with_metadata_bootstrap/main.tf

@@ -1,31 +1,47 @@
-module "management_vpc" {
+module "vpc" {
   source = "../../modules/vpc"
 
-  networks = [
-    {
-      name            = "example-mgmt"
-      subnetwork_name = "example-mgmt"
-      ip_cidr_range   = "10.236.64.0/28"
-      allowed_sources = var.allowed_sources
-    }
-  ]
+  for_each = var.networks
+
+  project_id                      = var.project
+  name                            = "${var.name_prefix}${each.value.vpc_name}"
+  create_network                  = each.value.create_network
+  delete_default_routes_on_create = each.value.delete_default_routes_on_create
+  mtu                             = each.value.mtu
+  routing_mode                    = each.value.routing_mode
+  subnetworks = { for k, v in each.value.subnetworks : k => merge(v, {
+    subnetwork_name = "${var.name_prefix}${v.subnetwork_name}"
+    })
+  }
+  firewall_rules = try({ for k, v in each.value.firewall_rules : k => merge(v, {
+    name = "${var.name_prefix}${v.name}"
+    })
+  }, {})
 }
 
 module "vmseries" {
   source = "../../modules/vmseries"
 
-  name = "example-vmseries"
-  zone = "us-central1-a"
+  for_each = var.vmseries
+
+  name                  = "${var.name_prefix}${each.value.name}"
+  zone                  = each.value.zone
+  ssh_keys              = try(each.value.ssh_keys, var.vmseries_common.ssh_keys)
+  vmseries_image        = try(each.value.vmseries_image, var.vmseries_common.vmseries_image)
+  machine_type          = try(each.value.machine_type, var.vmseries_common.machine_type)
+  min_cpu_platform      = try(each.value.min_cpu_platform, var.vmseries_common.min_cpu_platform, "Intel Cascade Lake")
+  tags                  = try(each.value.tags, var.vmseries_common.tags, [])
+  scopes                = try(each.value.scopes, var.vmseries_common.scopes, [])
+  create_instance_group = true
 
-  ssh_keys       = var.ssh_keys
-  vmseries_image = var.vmseries_image
+  bootstrap_options = try(each.value.bootstrap_options, {})
 
-  bootstrap_options = var.bootstrap_options
+  named_ports = try(each.value.named_ports, [])
 
-  network_interfaces = [
+  network_interfaces = [for v in each.value.network_interfaces :
     {
-      subnetwork       = module.management_vpc.subnetworks["example-mgmt"].self_link
-      create_public_ip = true
-    },
-  ]
+      subnetwork       = module.vpc[v.vpc_network_key].subnetworks[v.subnetwork_key].self_link
+      private_ip       = v.private_ip
+      create_public_ip = try(v.create_public_ip, false)
+  }]
 }

examples/standalone_vmseries_with_metadata_bootstrap/main_test.go

@@ -21,7 +21,7 @@ func CreateTerraformOptions(t *testing.T) *terraform.Options {
 		TerraformDir: ".",
 		VarFiles:     []string{"example.tfvars"},
 		Vars: map[string]interface{}{
-			"name":    varsInfo.NamePrefix,
+			"name_prefix":    varsInfo.NamePrefix,
 			"project": varsInfo.GoogleProjectId,
 		},
 		Logger:               logger.Default,

examples/standalone_vmseries_with_metadata_bootstrap/outputs.tf

@@ -1,7 +1,9 @@
-output "vmseries_address" {
-  value = module.vmseries.public_ips[0]
+output "vmseries_private_ips" {
+  description = "Private IP addresses of the vmseries instances."
+  value       = { for k, v in module.vmseries : k => v.private_ips }
 }
 
-output "vmseries_ssh_command" {
-  value = "ssh admin@${module.vmseries.public_ips[0]}"
+output "vmseries_public_ips" {
+  description = "Public IP addresses of the vmseries instances."
+  value       = { for k, v in module.vmseries : k => v.public_ips }
 }