From ab159d8cce0bce87a71f1e2a9a77aa5f300b0e68 Mon Sep 17 00:00:00 2001
From: simonebruzzechesse <60114646+simonebruzzechesse@users.noreply.github.com>
Date: Fri, 19 Apr 2024 12:41:02 +0200
Subject: [PATCH] fix cloud sql PSA after module upgrade (#2226)

* fix cloud sql PSA after module upgrade add proxy subnet for ILB
* fix cloud run service accessible from public url in case the service is privately deployed
* add deletion_policy variable in psa_configs for net-vpc module fix destroy issue with phpIPAM blueprint
---
 .../third-party-solutions/phpipam/README.md | 22 +++++++++----------
 .../third-party-solutions/phpipam/cloudsql.tf | 4 ++--
 .../third-party-solutions/phpipam/main.tf | 11 +++++++++-
 .../phpipam/variables.tf | 2 ++
 modules/net-vpc/README.md | 18 +++++++--------
 modules/net-vpc/psa.tf | 1 +
 modules/net-vpc/variables.tf | 9 ++++++++
 7 files changed, 44 insertions(+), 23 deletions(-)

diff --git a/blueprints/third-party-solutions/phpipam/README.md b/blueprints/third-party-solutions/phpipam/README.md
index 7c7f2bd5a0..d98d5ae697 100644
--- a/blueprints/third-party-solutions/phpipam/README.md
+++ b/blueprints/third-party-solutions/phpipam/README.md
@@ -193,8 +193,8 @@ billable charges made afterwards.
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [prefix](variables.tf#L116) | Prefix used for resource names. | string | ✓ | |
-| [project_id](variables.tf#L135) | Project id, references existing project if `project_create` is null. | string | ✓ | |
+| [prefix](variables.tf#L118) | Prefix used for resource names. | string | ✓ | |
+| [project_id](variables.tf#L137) | Project id, references existing project if `project_create` is null. | string | ✓ | |
 | [admin_principals](variables.tf#L19) | Users, groups and/or service accounts that are assigned roles, in IAM format (`group:foo@example.com`). | list(string) | | [] |
 | [cloud_run_invoker](variables.tf#L25) | IAM member authorized to access the end-point (for example, 'user:YOUR_IAM_USER' for only you or 'allUsers' for everyone). | string | | "allUsers" |
 | [cloudsql_password](variables.tf#L31) | CloudSQL password (will be randomly generated by default). | string | | null |
@@ -203,14 +203,14 @@ billable charges made afterwards.
 | [custom_domain](variables.tf#L49) | Cloud Run service custom domain for GLB. | string | | null |
 | [deletion_protection](variables.tf#L55) | Prevent Terraform from destroying data storage resources (storage buckets, GKE clusters, CloudSQL instances) in this blueprint. When this field is set in Terraform state, a terraform destroy or terraform apply that would delete data storage resources will fail. | bool | | false |
 | [iap](variables.tf#L62) | Identity-Aware Proxy for Cloud Run in the LB. | object({…}) | | {} |
-| [ip_ranges](variables.tf#L74) | CIDR blocks: VPC serverless connector, Private Service Access(PSA) for CloudSQL, CloudSQL VPC. | object({…}) | | {…} |
-| [phpipam_config](variables.tf#L88) | PHPIpam configuration. | object({…}) | | {…} |
-| [phpipam_exposure](variables.tf#L100) | Whether to expose the application publicly via GLB or internally via ILB, default GLB. | string | | "EXTERNAL" |
-| [phpipam_password](variables.tf#L110) | Password for the phpipam user (will be randomly generated by default). | string | | null |
-| [project_create](variables.tf#L126) | Provide values if project creation is needed, uses existing project if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | object({…}) | | null |
-| [region](variables.tf#L140) | Region for the created resources. | string | | "europe-west4" |
-| [security_policy](variables.tf#L146) | Security policy (Cloud Armor) to enforce in the LB. | object({…}) | | {} |
-| [vpc_config](variables.tf#L156) | VPC Network and subnetwork self links for internal LB setup. | object({…}) | | null |
+| [ip_ranges](variables.tf#L74) | CIDR blocks: VPC serverless connector, Private Service Access(PSA) for CloudSQL, CloudSQL VPC. | object({…}) | | {…} |
+| [phpipam_config](variables.tf#L90) | PHPIpam configuration. | object({…}) | | {…} |
+| [phpipam_exposure](variables.tf#L102) | Whether to expose the application publicly via GLB or internally via ILB, default GLB. | string | | "EXTERNAL" |
+| [phpipam_password](variables.tf#L112) | Password for the phpipam user (will be randomly generated by default). | string | | null |
+| [project_create](variables.tf#L128) | Provide values if project creation is needed, uses existing project if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | object({…}) | | null |
+| [region](variables.tf#L142) | Region for the created resources. | string | | "europe-west4" |
+| [security_policy](variables.tf#L148) | Security policy (Cloud Armor) to enforce in the LB. | object({…}) | | {} |
+| [vpc_config](variables.tf#L158) | VPC Network and subnetwork self links for internal LB setup. | object({…}) | | null |
 
 ## Outputs
 
@@ -236,5 +236,5 @@ module "test" {
 }
 project_id = "test-prj"
 }
-# tftest modules=8 resources=46
+# tftest modules=8 resources=47
 ```
diff --git a/blueprints/third-party-solutions/phpipam/cloudsql.tf b/blueprints/third-party-solutions/phpipam/cloudsql.tf
index 6c6cfaf6c7..3ff9797f1a 100644
--- a/blueprints/third-party-solutions/phpipam/cloudsql.tf
+++ b/blueprints/third-party-solutions/phpipam/cloudsql.tf
@@ -25,9 +25,9 @@ module "cloudsql" {
 databases = [local.cloudsql_conf.db]
 network_config = {
 connectivity = {
- psa_configs = [{
+ psa_config = {
 private_network = local.network
- }]
+ }
 }
 }
 prefix = var.prefix
diff --git a/blueprints/third-party-solutions/phpipam/main.tf b/blueprints/third-party-solutions/phpipam/main.tf
index 4d505aa986..36ee52e3c5 100644
--- a/blueprints/third-party-solutions/phpipam/main.tf
+++ b/blueprints/third-party-solutions/phpipam/main.tf
@@ -76,6 +76,7 @@ module "vpc" {
 project_id = module.project.project_id
 name = "${var.prefix}-sql-vpc"
 psa_configs = [{
+ deletion_policy = "ABANDON"
 ranges = {
 cloud-sql = var.ip_ranges.psa
 }
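Review bot: `deletion_policy = "ABANDON"` silently changes what a destroy leaves behind, and the psa_configs entry carries no comment explaining it: with that policy the service networking connection is not deleted when the blueprint is torn down, which is presumably the destroy failure the commit message refers to, since the connection cannot be removed while the Cloud SQL instance still uses the PSA range. A why-comment on the added line, for example `deletion_policy = "ABANDON" # left in place on destroy: the connection cannot be removed while the Cloud SQL instance uses the range`, keeps a later maintainer from dropping it and reintroducing the failure. If the VPC is ever kept across a destroy, the abandoned connection and its peering stay configured on it and have to be cleaned up by hand, which is worth a sentence in the blueprint README. The psa_configs list and the enclosing vpc module block continue outside the hunk.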
@@ -87,6 +88,14 @@ module "vpc" {
 region = var.region
 }
 ]
+ subnets_proxy_only = [
+ {
+ ip_cidr_range = var.ip_ranges.proxy
+ name = "regional-proxy"
+ region = var.region
+ active = true
+ }
+ ]
 }
 
 resource "random_password" "phpipam_password" {
@@ -99,7 +108,7 @@ module "cloud_run" {
 project_id = module.project.project_id
 name = "${var.prefix}-cr-phpipam"
 prefix = var.prefix
- ingress_settings = "all"
+ ingress_settings = "internal-and-cloud-load-balancing"
 region = var.region
 
 containers = {
diff --git a/blueprints/third-party-solutions/phpipam/variables.tf b/blueprints/third-party-solutions/phpipam/variables.tf
index 0e68ca184e..0d78632ba3 100644
--- a/blueprints/third-party-solutions/phpipam/variables.tf
+++ b/blueprints/third-party-solutions/phpipam/variables.tf
@@ -75,11 +75,13 @@ variable "ip_ranges" {
 description = "CIDR blocks: VPC serverless connector, Private Service Access(PSA) for CloudSQL, CloudSQL VPC."
 type = object({
 connector = string
+ proxy = string
 psa = string
 ilb = string
 })
 default = {
 connector = "10.8.0.0/28"
+ proxy = "10.10.0.0/26"
 psa = "10.60.0.0/24"
 ilb = "10.128.0.0/28"
 }
diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md
index fecfc0b4ee..feee775cc6 100644
--- a/modules/net-vpc/README.md
+++ b/modules/net-vpc/README.md
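Review bot: The `subnets_proxy_only` entry is created unconditionally, although the commit message adds it for the ILB and the blueprint's default exposure (`phpipam_exposure` defaults to "EXTERNAL" per the README in this patch) fronts the service with a global LB, so `var.ip_ranges.proxy` is reserved in the VPC even when nothing consumes it; if that reading is right, gate the list on the exposure variable, `subnets_proxy_only = <ILB exposure selected> ? [{ … }] : []`. Either way the block should name its consumer, e.g. `# proxy-only subnet required by the regional internal LB in front of Cloud Run`, since net-vpc's README in this same patch warns that only one proxy-only subnet per VPC and region can be active. The vpc module block starts outside the hunk.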
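Review bot: `ingress_settings = "internal-and-cloud-load-balancing"` is the line that closes the default run.app URL, but it carries no comment, so the next person chasing an error on the direct URL may relax it back to `"all"`; suggest `# direct *.run.app access is blocked on purpose: requests must come through the GLB/ILB or from inside the VPC`. This restriction is network-layer only: the IAM gate is still `cloud_run_invoker`, whose default in this patch's README is "allUsers", so a deployer who wants a private service must also narrow that variable or enable `iap`, and the README would benefit from one sentence stating that both controls apply. The cloud_run module block continues outside the hunk.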
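Review bot: The new `proxy` range joins three other CIDRs in `ip_ranges` with no shape check, so a malformed value only fails at apply time inside the net-vpc subnet resource, after the project and other resources already exist; unless a `validation` block already follows in the part of the variable outside the hunk, one on the object catches it at plan time. The description line in the hunk still lists only the connector, PSA and CloudSQL VPC ranges and should mention the proxy-only subnet as well, ideally noting that the `10.10.0.0/26` default matches the minimum size Google recommends for proxy-only subnets. The closing brace of `variable "ip_ranges"` is outside the hunk.
```hcl
  # … unchanged: description, type, default …
  validation {
    condition     = alltrue([for v in values(var.ip_ranges) : can(cidrhost(v, 0))])
    error_message = "Every ip_ranges value must be a valid CIDR block."
  }
```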
@@ -656,15 +656,15 @@ module "vpc" {
 | [network_attachments](variables.tf#L100) | PSC network attachments, names as keys. | map(object({…})) | | {} |
 | [peering_config](variables.tf#L113) | VPC peering configuration. | object({…}) | | null |
 | [policy_based_routes](variables.tf#L124) | Policy based routes, keyed by name. | map(object({…})) | | {} |
-| [psa_configs](variables.tf#L177) | The Private Service Access configuration. | list(object({…})) | | [] |
-| [routes](variables.tf#L198) | Network routes, keyed by name. | map(object({…})) | | {} |
-| [routing_mode](variables.tf#L219) | The network routing mode (default 'GLOBAL'). | string | | "GLOBAL" |
-| [shared_vpc_host](variables.tf#L229) | Enable shared VPC for this project. | bool | | false |
-| [shared_vpc_service_projects](variables.tf#L235) | Shared VPC service projects to register with this host. | list(string) | | [] |
-| [subnets](variables.tf#L241) | Subnet configuration. | list(object({…})) | | [] |
-| [subnets_proxy_only](variables.tf#L288) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] |
-| [subnets_psc](variables.tf#L322) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] |
-| [vpc_create](variables.tf#L354) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool | | true |
+| [psa_configs](variables.tf#L177) | The Private Service Access configuration. | list(object({…})) | | [] |
+| [routes](variables.tf#L207) | Network routes, keyed by name. | map(object({…})) | | {} |
+| [routing_mode](variables.tf#L228) | The network routing mode (default 'GLOBAL'). | string | | "GLOBAL" |
+| [shared_vpc_host](variables.tf#L238) | Enable shared VPC for this project. | bool | | false |
+| [shared_vpc_service_projects](variables.tf#L244) | Shared VPC service projects to register with this host. | list(string) | | [] |
+| [subnets](variables.tf#L250) | Subnet configuration. | list(object({…})) | | [] |
+| [subnets_proxy_only](variables.tf#L297) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] |
+| [subnets_psc](variables.tf#L331) | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] |
+| [vpc_create](variables.tf#L363) | Create VPC. When set to false, uses a data source to reference existing VPC. | bool | | true |
 
 ## Outputs
 
diff --git a/modules/net-vpc/psa.tf b/modules/net-vpc/psa.tf
index 401b7aa271..1e44a9accb 100644
--- a/modules/net-vpc/psa.tf
+++ b/modules/net-vpc/psa.tf
@@ -66,6 +66,7 @@ resource "google_service_networking_connection" "psa_connection" {
 for k, v in google_compute_global_address.psa_ranges : v.name
 if startswith(k, each.value.key)
 ]
+ deletion_policy = each.value.deletion_policy
 }
 
 resource "google_compute_network_peering_routes_config" "psa_routes" {
diff --git a/modules/net-vpc/variables.tf b/modules/net-vpc/variables.tf
index 21fae5a76a..d8948a2640 100644
--- a/modules/net-vpc/variables.tf
+++ b/modules/net-vpc/variables.tf
@@ -177,6 +177,7 @@ variable "project_id" {
 variable "psa_configs" {
 description = "The Private Service Access configuration."
 type = list(object({
+ deletion_policy = optional(string, null)
 ranges = map(string)
 export_routes = optional(bool, false)
 import_routes = optional(bool, false)
@@ -193,6 +194,14 @@ variable "psa_configs" {
 )
 error_message = "At most one configuration is possible for each service producer."
 }
+ validation {
+ condition = alltrue([
+ for v in var.psa_configs : (
+ v.deletion_policy == null || v.deletion_policy == "ABANDON"
+ )
+ ])
+ error_message = "Deletion policy supports only ABANDON."
+ }
 }
 
 variable "routes" {
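Review bot: The new `deletion_policy` attribute of `psa_configs` is not documented for module users: the variable description is still `The Private Service Access configuration.` and the README row for psa_configs in this patch is re-emitted unchanged, so nothing tells a caller what the attribute does or that the validation added in the following hunk accepts only `"ABANDON"` besides null. Extend the description, or add a comment next to the attribute such as `# deletion_policy: "ABANDON" leaves the service networking connection in place on destroy (only accepted value, see validation below)`, and carry the same sentence into the README variables table. The `psa_configs` object type continues outside the hunk.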