From ab159d8cce0bce87a71f1e2a9a77aa5f300b0e68 Mon Sep 17 00:00:00 2001
From: simonebruzzechesse
<60114646+simonebruzzechesse@users.noreply.github.com>
Date: Fri, 19 Apr 2024 12:41:02 +0200
Subject: [PATCH] fix cloud sql PSA after module upgrade (#2226)
* fix cloud sql PSA after module upgrade
add proxy subnet for ILB
* fix Cloud Run service being accessible from its public URL when the service is privately deployed
* add deletion_policy variable in psa_configs for net-vpc module
fix destroy issue with phpIPAM blueprint
---
.../third-party-solutions/phpipam/README.md | 22 +++++++++----------
.../third-party-solutions/phpipam/cloudsql.tf | 4 ++--
.../third-party-solutions/phpipam/main.tf | 11 +++++++++-
.../phpipam/variables.tf | 2 ++
modules/net-vpc/README.md | 18 +++++++--------
modules/net-vpc/psa.tf | 1 +
modules/net-vpc/variables.tf | 9 ++++++++
7 files changed, 44 insertions(+), 23 deletions(-)
diff --git a/blueprints/third-party-solutions/phpipam/README.md b/blueprints/third-party-solutions/phpipam/README.md
index 7c7f2bd5a0..d98d5ae697 100644
--- a/blueprints/third-party-solutions/phpipam/README.md
+++ b/blueprints/third-party-solutions/phpipam/README.md
@@ -193,8 +193,8 @@ billable charges made afterwards.
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [prefix](variables.tf#L116) | Prefix used for resource names. | string
| ✓ | |
-| [project_id](variables.tf#L135) | Project id, references existing project if `project_create` is null. | string
| ✓ | |
+| [prefix](variables.tf#L118) | Prefix used for resource names. | string
| ✓ | |
+| [project_id](variables.tf#L137) | Project id, references existing project if `project_create` is null. | string
| ✓ | |
| [admin_principals](variables.tf#L19) | Users, groups and/or service accounts that are assigned roles, in IAM format (`group:foo@example.com`). | list(string)
| | []
|
| [cloud_run_invoker](variables.tf#L25) | IAM member authorized to access the end-point (for example, 'user:YOUR_IAM_USER' for only you or 'allUsers' for everyone). | string
| | "allUsers"
|
| [cloudsql_password](variables.tf#L31) | CloudSQL password (will be randomly generated by default). | string
| | null
|
@@ -203,14 +203,14 @@ billable charges made afterwards.
| [custom_domain](variables.tf#L49) | Cloud Run service custom domain for GLB. | string
| | null
|
| [deletion_protection](variables.tf#L55) | Prevent Terraform from destroying data storage resources (storage buckets, GKE clusters, CloudSQL instances) in this blueprint. When this field is set in Terraform state, a terraform destroy or terraform apply that would delete data storage resources will fail. | bool
| | false
|
| [iap](variables.tf#L62) | Identity-Aware Proxy for Cloud Run in the LB. | object({…})
| | {}
|
-| [ip_ranges](variables.tf#L74) | CIDR blocks: VPC serverless connector, Private Service Access(PSA) for CloudSQL, CloudSQL VPC. | object({…})
| | {…}
|
-| [phpipam_config](variables.tf#L88) | PHPIpam configuration. | object({…})
| | {…}
|
-| [phpipam_exposure](variables.tf#L100) | Whether to expose the application publicly via GLB or internally via ILB, default GLB. | string
| | "EXTERNAL"
|
-| [phpipam_password](variables.tf#L110) | Password for the phpipam user (will be randomly generated by default). | string
| | null
|
-| [project_create](variables.tf#L126) | Provide values if project creation is needed, uses existing project if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | object({…})
| | null
|
-| [region](variables.tf#L140) | Region for the created resources. | string
| | "europe-west4"
|
-| [security_policy](variables.tf#L146) | Security policy (Cloud Armor) to enforce in the LB. | object({…})
| | {}
|
-| [vpc_config](variables.tf#L156) | VPC Network and subnetwork self links for internal LB setup. | object({…})
| | null
|
+| [ip_ranges](variables.tf#L74) | CIDR blocks: VPC serverless connector, Private Service Access(PSA) for CloudSQL, CloudSQL VPC. | object({…})
| | {…}
|
+| [phpipam_config](variables.tf#L90) | PHPIpam configuration. | object({…})
| | {…}
|
+| [phpipam_exposure](variables.tf#L102) | Whether to expose the application publicly via GLB or internally via ILB, default GLB. | string
| | "EXTERNAL"
|
+| [phpipam_password](variables.tf#L112) | Password for the phpipam user (will be randomly generated by default). | string
| | null
|
+| [project_create](variables.tf#L128) | Provide values if project creation is needed, uses existing project if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | object({…})
| | null
|
+| [region](variables.tf#L142) | Region for the created resources. | string
| | "europe-west4"
|
+| [security_policy](variables.tf#L148) | Security policy (Cloud Armor) to enforce in the LB. | object({…})
| | {}
|
+| [vpc_config](variables.tf#L158) | VPC Network and subnetwork self links for internal LB setup. | object({…})
| | null
|
## Outputs
@@ -236,5 +236,5 @@ module "test" {
}
project_id = "test-prj"
}
-# tftest modules=8 resources=46
+# tftest modules=8 resources=47
```
diff --git a/blueprints/third-party-solutions/phpipam/cloudsql.tf b/blueprints/third-party-solutions/phpipam/cloudsql.tf
index 6c6cfaf6c7..3ff9797f1a 100644
--- a/blueprints/third-party-solutions/phpipam/cloudsql.tf
+++ b/blueprints/third-party-solutions/phpipam/cloudsql.tf
@@ -25,9 +25,9 @@ module "cloudsql" {
databases = [local.cloudsql_conf.db]
network_config = {
connectivity = {
- psa_configs = [{
+ psa_config = {
private_network = local.network
- }]
+ }
}
}
prefix = var.prefix
diff --git a/blueprints/third-party-solutions/phpipam/main.tf b/blueprints/third-party-solutions/phpipam/main.tf
index 4d505aa986..36ee52e3c5 100644
--- a/blueprints/third-party-solutions/phpipam/main.tf
+++ b/blueprints/third-party-solutions/phpipam/main.tf
@@ -76,6 +76,7 @@ module "vpc" {
project_id = module.project.project_id
name = "${var.prefix}-sql-vpc"
psa_configs = [{
+ deletion_policy = "ABANDON"
ranges = {
cloud-sql = var.ip_ranges.psa
}
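Review bot: The new `deletion_policy = "ABANDON"` line is undocumented here, and it changes what `terraform destroy` leaves behind: as far as the provider's ABANDON policy goes, the service networking connection is left in place rather than removed, which is presumably the "destroy issue" the commit description mentions. That is a deliberate trade-off a blueprint user should see, so add a comment above the line, e.g. `# ABANDON: the PSA connection is left in place on destroy (see net-vpc psa_configs)`, and consider mentioning the leftover peering in the blueprint README, which this patch only touches for line references. The `module "vpc"` block begins before this hunk and continues after it.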
@@ -87,6 +88,14 @@ module "vpc" {
region = var.region
}
]
+ subnets_proxy_only = [
+ {
+ ip_cidr_range = var.ip_ranges.proxy
+ name = "regional-proxy"
+ region = var.region
+ active = true
+ }
+ ]
}
resource "random_password" "phpipam_password" {
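Review bot: The `subnets_proxy_only` entry is created unconditionally, although the commit description ties it to the ILB and the blueprint already exposes `phpipam_exposure` to choose between GLB and ILB (its default is `"EXTERNAL"` per the README table in this patch). If the proxy-only subnet is only needed for the internal exposure, guard it with that variable, e.g. `subnets_proxy_only = var.phpipam_exposure == "EXTERNAL" ? [] : [ { … } ]`, or add a one-line comment stating why it is always provisioned; I cannot tell from the hunk whether the ILB lives in this `${var.prefix}-sql-vpc` network or in the one passed via `vpc_config`. The `module "vpc"` block starts before this hunk.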
@@ -99,7 +108,7 @@ module "cloud_run" {
project_id = module.project.project_id
name = "${var.prefix}-cr-phpipam"
prefix = var.prefix
- ingress_settings = "all"
+ ingress_settings = "internal-and-cloud-load-balancing"
region = var.region
containers = {
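Review bot: With `ingress_settings = "internal-and-cloud-load-balancing"` the ingress setting becomes the only thing keeping the service off the public `run.app` URL, because `cloud_run_invoker` still defaults to `"allUsers"` (README table in this patch) and therefore grants invoke to anyone who can reach the endpoint. That deserves a comment on the line, e.g. `# default run.app URL is not reachable; traffic must come through the LB in front or from the VPC`, and the `cloud_run_invoker` description ("IAM member authorized to access the end-point") should say that access is via the load balancer, not the service URL. The `module "cloud_run"` block continues outside the hunk.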
diff --git a/blueprints/third-party-solutions/phpipam/variables.tf b/blueprints/third-party-solutions/phpipam/variables.tf
index 0e68ca184e..0d78632ba3 100644
--- a/blueprints/third-party-solutions/phpipam/variables.tf
+++ b/blueprints/third-party-solutions/phpipam/variables.tf
@@ -75,11 +75,13 @@ variable "ip_ranges" {
description = "CIDR blocks: VPC serverless connector, Private Service Access(PSA) for CloudSQL, CloudSQL VPC."
type = object({
connector = string
+ proxy = string
psa = string
ilb = string
})
default = {
connector = "10.8.0.0/28"
+ proxy = "10.10.0.0/26"
psa = "10.60.0.0/24"
ilb = "10.128.0.0/28"
}
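Review bot: The `ip_ranges` description still lists only the connector, PSA and CloudSQL VPC blocks although the type now has a fourth attribute, `proxy`, so the generated README row (updated in this patch only for line references) will keep describing three ranges. Update it to something like `description = "CIDR blocks: VPC serverless connector, proxy-only subnet for the ILB, Private Service Access(PSA) for CloudSQL, CloudSQL VPC."`. The `variable "ip_ranges"` block starts on the hunk header line, so its opening is just outside the shown context.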
diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md
index fecfc0b4ee..feee775cc6 100644
--- a/modules/net-vpc/README.md
+++ b/modules/net-vpc/README.md
@@ -656,15 +656,15 @@ module "vpc" {
| [network_attachments](variables.tf#L100) | PSC network attachments, names as keys. | map(object({…}))
| | {}
|
| [peering_config](variables.tf#L113) | VPC peering configuration. | object({…})
| | null
|
| [policy_based_routes](variables.tf#L124) | Policy based routes, keyed by name. | map(object({…}))
| | {}
|
-| [psa_configs](variables.tf#L177) | The Private Service Access configuration. | list(object({…}))
| | []
|
-| [routes](variables.tf#L198) | Network routes, keyed by name. | map(object({…}))
| | {}
|
-| [routing_mode](variables.tf#L219) | The network routing mode (default 'GLOBAL'). | string
| | "GLOBAL"
|
-| [shared_vpc_host](variables.tf#L229) | Enable shared VPC for this project. | bool
| | false
|
-| [shared_vpc_service_projects](variables.tf#L235) | Shared VPC service projects to register with this host. | list(string)
| | []
|
-| [subnets](variables.tf#L241) | Subnet configuration. | list(object({…}))
| | []
|
-| [subnets_proxy_only](variables.tf#L288) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…}))
| | []
|
-| [subnets_psc](variables.tf#L322) | List of subnets for Private Service Connect service producers. | list(object({…}))
| | []
|
-| [vpc_create](variables.tf#L354) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool
| | true
|
+| [psa_configs](variables.tf#L177) | The Private Service Access configuration. | list(object({…}))
| | []
|
+| [routes](variables.tf#L207) | Network routes, keyed by name. | map(object({…}))
| | {}
|
+| [routing_mode](variables.tf#L228) | The network routing mode (default 'GLOBAL'). | string
| | "GLOBAL"
|
+| [shared_vpc_host](variables.tf#L238) | Enable shared VPC for this project. | bool
| | false
|
+| [shared_vpc_service_projects](variables.tf#L244) | Shared VPC service projects to register with this host. | list(string)
| | []
|
+| [subnets](variables.tf#L250) | Subnet configuration. | list(object({…}))
| | []
|
+| [subnets_proxy_only](variables.tf#L297) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…}))
| | []
|
+| [subnets_psc](variables.tf#L331) | List of subnets for Private Service Connect service producers. | list(object({…}))
| | []
|
+| [vpc_create](variables.tf#L363) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool
| | true
|
## Outputs
diff --git a/modules/net-vpc/psa.tf b/modules/net-vpc/psa.tf
index 401b7aa271..1e44a9accb 100644
--- a/modules/net-vpc/psa.tf
+++ b/modules/net-vpc/psa.tf
@@ -66,6 +66,7 @@ resource "google_service_networking_connection" "psa_connection" {
for k, v in google_compute_global_address.psa_ranges :
v.name if startswith(k, each.value.key)
]
+ deletion_policy = each.value.deletion_policy
}
resource "google_compute_network_peering_routes_config" "psa_routes" {
diff --git a/modules/net-vpc/variables.tf b/modules/net-vpc/variables.tf
index 21fae5a76a..d8948a2640 100644
--- a/modules/net-vpc/variables.tf
+++ b/modules/net-vpc/variables.tf
@@ -177,6 +177,7 @@ variable "project_id" {
variable "psa_configs" {
description = "The Private Service Access configuration."
type = list(object({
+ deletion_policy = optional(string, null)
ranges = map(string)
export_routes = optional(bool, false)
import_routes = optional(bool, false)
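Review bot: `deletion_policy` is added to the `psa_configs` object type without any indication of what it controls, and the variable description ("The Private Service Access configuration.") does not help; the same attribute is consumed in `modules/net-vpc/psa.tf` in this patch. Add an inline comment such as `deletion_policy = optional(string, null) # ABANDON leaves the service networking connection in place on destroy; null keeps the provider default` so the README generated from this file explains the option. The `variable "psa_configs"` block continues past the hunk.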
@@ -193,6 +194,14 @@ variable "psa_configs" {
)
error_message = "At most one configuration is possible for each service producer."
}
+ validation {
+ condition = alltrue([
+ for v in var.psa_configs : (
+ v.deletion_policy == null || v.deletion_policy == "ABANDON"
+ )
+ ])
+ error_message = "Deletion policy supports only ABANDON."
+ }
}
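Review bot: The new validation accepts both `null` and `"ABANDON"` but its error message names only `ABANDON`, so a user who sets another value is not told that leaving the attribute unset is also valid. A message such as `error_message = "psa_configs deletion_policy must be null or ABANDON."` matches the condition and names the attribute, consistent with the existing message that names the service producer rule.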
variable "routes" {