Add service attachment roncile connections (GoogleCloudPlatform#8164)

bschaatsbergen · Aug 2, 2023 · c355525 · c355525
1 parent da577c0
commit c355525
Show file tree

Hide file tree

Showing 2 changed files with 95 additions and 0 deletions.
diff --git a/mmv1/products/compute/ServiceAttachment.yaml b/mmv1/products/compute/ServiceAttachment.yaml
@@ -68,6 +68,19 @@ examples:
       producer_forwarding_rule_name: 'producer-forwarding-rule'
       consumer_address_name: 'psc-ilb-consumer-address'
       consumer_forwarding_rule_name: 'psc-ilb-consumer-forwarding-rule'
+  - !ruby/object:Provider::Terraform::Examples
+    name: 'service_attachment_reconcile_connections'
+    primary_resource_id: 'psc_ilb_service_attachment'
+    vars:
+      service_attachment_name: 'my-psc-ilb'
+      network_name: 'psc-ilb-network'
+      nat_subnetwork_name: 'psc-ilb-nat'
+      producer_subnetwork_name: 'psc-ilb-producer-subnetwork'
+      producer_health_check_name: 'producer-service-health-check'
+      producer_service_name: 'producer-service'
+      producer_forwarding_rule_name: 'producer-forwarding-rule'
+      consumer_address_name: 'psc-ilb-consumer-address'
+      consumer_forwarding_rule_name: 'psc-ilb-consumer-forwarding-rule'
 custom_code: !ruby/object:Provider::Terraform::CustomCode
   update_encoder: 'templates/terraform/update_encoder/compute_service_attachment.go.erb'
 parameters:
@@ -193,3 +206,15 @@ properties:
           description: |
             The number of consumer forwarding rules the consumer project can
             create.
+  - !ruby/object:Api::Type::Boolean
+    name: reconcileConnections
+    default_value: true
+    immutable: true
+    send_empty_value: true
+    description: |
+      This flag determines whether a consumer accept/reject list change can reconcile the statuses of existing ACCEPTED or REJECTED PSC endpoints.
+
+      If false, connection policy update will only affect existing PENDING PSC endpoints. Existing ACCEPTED/REJECTED endpoints will remain untouched regardless how the connection policy is modified .
+      If true, update will affect both PENDING and ACCEPTED/REJECTED PSC endpoints. For example, an ACCEPTED PSC endpoint will be moved to REJECTED if its project is added to the reject list.
+
+      For newly created service attachment, this boolean defaults to true.
diff --git a/mmv1/templates/terraform/examples/service_attachment_reconcile_connections.tf.erb b/mmv1/templates/terraform/examples/service_attachment_reconcile_connections.tf.erb
@@ -0,0 +1,70 @@
+resource "google_compute_service_attachment" "<%= ctx[:primary_resource_id] %>" {
+  name        = "<%= ctx[:vars]['service_attachment_name'] %>"
+  region      = "us-west2"
+  description = "A service attachment configured with Terraform"
+
+  domain_names             = ["gcp.tfacc.hashicorptest.com."]
+  enable_proxy_protocol    = true
+  connection_preference    = "ACCEPT_MANUAL"
+  nat_subnets              = [google_compute_subnetwork.psc_ilb_nat.id]
+  target_service           = google_compute_forwarding_rule.psc_ilb_target_service.id
+
+  consumer_reject_lists = ["673497134629", "482878270665"]
+
+  consumer_accept_lists {
+    project_id_or_num = "658859330310"
+    connection_limit  = 4
+  }
+
+  reconcile_connections    = false
+}
+
+resource "google_compute_forwarding_rule" "psc_ilb_target_service" {
+  name   = "<%= ctx[:vars]['producer_forwarding_rule_name'] %>"
+  region = "us-west2"
+
+  load_balancing_scheme = "INTERNAL"
+  backend_service       = google_compute_region_backend_service.producer_service_backend.id
+  all_ports             = true
+  network               = google_compute_network.psc_ilb_network.name
+  subnetwork            = google_compute_subnetwork.psc_ilb_producer_subnetwork.name
+}
+
+resource "google_compute_region_backend_service" "producer_service_backend" {
+  name   = "<%= ctx[:vars]['producer_service_name'] %>"
+  region = "us-west2"
+
+  health_checks = [google_compute_health_check.producer_service_health_check.id]
+}
+
+resource "google_compute_health_check" "producer_service_health_check" {
+  name = "<%= ctx[:vars]['producer_health_check_name'] %>"
+
+  check_interval_sec = 1
+  timeout_sec        = 1
+  tcp_health_check {
+    port = "80"
+  }
+}
+
+resource "google_compute_network" "psc_ilb_network" {
+  name = "<%= ctx[:vars]['network_name'] %>"
+  auto_create_subnetworks = false
+}
+
+resource "google_compute_subnetwork" "psc_ilb_producer_subnetwork" {
+  name   = "<%= ctx[:vars]['producer_subnetwork_name'] %>"
+  region = "us-west2"
+
+  network       = google_compute_network.psc_ilb_network.id
+  ip_cidr_range = "10.0.0.0/16"
+}
+
+resource "google_compute_subnetwork" "psc_ilb_nat" {
+  name   = "<%= ctx[:vars]['nat_subnetwork_name'] %>"
+  region = "us-west2"
+
+  network       = google_compute_network.psc_ilb_network.id
+  purpose       =  "PRIVATE_SERVICE_CONNECT"
+  ip_cidr_range = "10.1.0.0/16"
+}