
Minimalistic VPC module

This module allows creation and management of VPC networks including subnetworks and subnetwork IAM bindings, Shared VPC activation and service project registration, and one-to-one peering.

Examples

The module supports several different VPC configurations; some of the most common are shown below.

Simple VPC

module "vpc" {
  source     = "./fabric/modules/net-vpc"
  project_id = "my-project"
  name       = "my-network"
  subnets = [
    {
      ip_cidr_range = "10.0.0.0/24"
      name          = "production"
      region        = "europe-west1"
      secondary_ip_range = {
        pods     = "172.16.0.0/20"
        services = "192.168.0.0/24"
      }
    },
    {
      ip_cidr_range = "10.0.16.0/24"
      name          = "production"
      region        = "europe-west2"
      secondary_ip_range = {}
    }
  ]
}
# tftest modules=1 resources=3

Peering

A single peering can be configured for the VPC. This covers simple scenarios, and also more complex topologies such as hub and spoke, where the peering configuration is defined on each spoke VPC. Because the peering API rejects concurrent operations on the same network, make sure only one peering is created, changed or destroyed at a time (for example by ordering the spoke modules with depends_on).

If you only want to create the "local" side of the peering, set peering_create_remote_end to false. This is useful when you do not have permissions on the remote project or VPC to create peerings; note that traffic only flows once the remote side has also been configured.

module "vpc-hub" {
  source     = "./fabric/modules/net-vpc"
  project_id = "hub"
  name       = "vpc-hub"
  subnets = [{
    ip_cidr_range      = "10.0.0.0/24"
    name               = "subnet-1"
    region             = "europe-west1"
    secondary_ip_range = null
  }]
}

module "vpc-spoke-1" {
  source     = "./fabric/modules/net-vpc"
  project_id = "spoke1"
  name       = "vpc-spoke1"
  subnets = [{
    ip_cidr_range      = "10.0.1.0/24"
    name               = "subnet-2"
    region             = "europe-west1"
    secondary_ip_range = null
  }]
  peering_config = {
    peer_vpc_self_link = module.vpc-hub.self_link
    export_routes      = false
    import_routes      = true
  }
}
# tftest modules=2 resources=6
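Hub and spoke with two spokes, as an added example that is not part of the module README: each spoke defines its own peering to the hub, and depends_on on the second spoke serialises the peering operations (both the local and the remote end created by each spoke module) so that only one peering is created or destroyed at a time, as the note above requires. The module path, project IDs, names and address ranges are assumed. Keep in mind that VPC peering is not transitive: spoke-1 and spoke-2 cannot reach each other through the hub's peerings.

```hcl
module "vpc-hub" {
  source     = "./fabric/modules/net-vpc"
  project_id = "hub"
  name       = "vpc-hub"
  subnets = [{
    ip_cidr_range      = "10.0.0.0/24"
    name               = "subnet-1"
    region             = "europe-west1"
    secondary_ip_range = null
  }]
}

module "vpc-spoke-1" {
  source     = "./fabric/modules/net-vpc"
  project_id = "spoke1"
  name       = "vpc-spoke1"
  subnets = [{
    ip_cidr_range      = "10.0.1.0/24"
    name               = "subnet-1"
    region             = "europe-west1"
    secondary_ip_range = null
  }]
  # Spokes import the hub's routes but do not export their own, so the hub
  # never relays one spoke's ranges to another spoke.
  peering_config = {
    peer_vpc_self_link = module.vpc-hub.self_link
    export_routes      = false
    import_routes      = true
  }
}

module "vpc-spoke-2" {
  source     = "./fabric/modules/net-vpc"
  project_id = "spoke2"
  name       = "vpc-spoke2"
  subnets = [{
    ip_cidr_range      = "10.0.2.0/24" # must not overlap any peered range
    name               = "subnet-1"
    region             = "europe-west1"
    secondary_ip_range = null
  }]
  peering_config = {
    peer_vpc_self_link = module.vpc-hub.self_link
    export_routes      = false
    import_routes      = true
  }
  # Serialise peering operations on the hub: spoke-2's peerings are created
  # only after spoke-1's exist, and destroyed before them on teardown.
  depends_on = [module.vpc-spoke-1]
}
```

Adding a third spoke follows the same pattern, with depends_on pointing at the previous spoke module. If a spoke team lacks permissions on the hub project, the spoke sets peering_create_remote_end = false and the hub owner creates the hub side of that peering separately.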

Shared VPC

Shared VPC is a project-level functionality which enables a project to share its VPCs with other projects. The shared_vpc_host variable is here to help with rapid prototyping; we recommend leveraging the project module for production usage. Subnet-level IAM bindings should stay minimal: roles/compute.networkUser is what service project principals need in order to use a subnet, while broader roles such as roles/compute.securityAdmin should only be granted where a workload actually requires them.

locals {
  service_project_1 = {
    project_id = "project1"
    gke_service_account = "gke"
    cloud_services_service_account = "cloudsvc"
  }
  service_project_2 = {
    project_id = "project2"
  }
}

module "vpc-host" {
  source     = "./fabric/modules/net-vpc"
  project_id = "my-project"
  name       = "my-host-network"
  subnets = [
    {
      ip_cidr_range = "10.0.0.0/24"
      name          = "subnet-1"
      region        = "europe-west1"
      secondary_ip_range = {
        pods     = "172.16.0.0/20"
        services = "192.168.0.0/24"
      }
    }
  ]
  shared_vpc_host = true
  shared_vpc_service_projects = [
    local.service_project_1.project_id,
    local.service_project_2.project_id
  ]
  iam = {
    "europe-west1/subnet-1" = {
      "roles/compute.networkUser" = [
        local.service_project_1.cloud_services_service_account,
        local.service_project_1.gke_service_account
      ]
      "roles/compute.securityAdmin" = [
        local.service_project_1.gke_service_account
      ]
    }
  }
}
# tftest modules=1 resources=7

Private Service Networking

Private Service Access reserves the address ranges listed in psa_config and creates the Service Networking connection (a peering) to the Google-managed producer VPC, so that managed services such as Cloud SQL can be reached on private addresses.

module "vpc" {
  source     = "./fabric/modules/net-vpc"
  project_id = "my-project"
  name       = "my-network"
  subnets = [
    {
      ip_cidr_range      = "10.0.0.0/24"
      name               = "production"
      region             = "europe-west1"
      secondary_ip_range = null
    }
  ]
  psa_config = {
    ranges = { myrange = "10.0.1.0/24" }
    routes = null
  }
}
# tftest modules=1 resources=5

Private Service Networking with peering routes

Custom routes can optionally be exported to and imported from the peering formed with the Google-managed PSA VPC.

module "vpc" {
  source     = "./fabric/modules/net-vpc"
  project_id = "my-project"
  name       = "my-network"
  subnets = [
    {
      ip_cidr_range      = "10.0.0.0/24"
      name               = "production"
      region             = "europe-west1"
      secondary_ip_range = null
    }
  ]
  psa_config = {
    ranges = { myrange = "10.0.1.0/24" }
    routes = { export=true, import=true }
  }
}
# tftest modules=1 resources=5

Subnets for Private Service Connect, Proxy-only subnets

Along with regular private subnets, the module supports creating service-specific subnets: proxy-only subnets for regional external or internal HTTPS load balancers (only one proxy-only subnet per region can be active in a VPC), and subnets for Private Service Connect service producers.

module "vpc" {
  source     = "./fabric/modules/net-vpc"
  project_id = "my-project"
  name       = "my-network"

  subnets_proxy_only = [
    {
      ip_cidr_range = "10.0.1.0/24"
      name          = "regional-proxy"
      region        = "europe-west1"
      active        = true
    }
  ]
  subnets_psc = [
    {
      ip_cidr_range = "10.0.3.0/24"
      name          = "psc"
      region        = "europe-west1"
    }
  ]
}
# tftest modules=1 resources=3

DNS Policies

module "vpc" {
  source     = "./fabric/modules/net-vpc"
  project_id = "my-project"
  name       = "my-network"
  dns_policy = {
    inbound  = true
    logging  = false
    outbound = {
      private_ns = ["10.0.0.1"]
      public_ns  = ["8.8.8.8"]
    }
  }
  subnets = [
    {
      ip_cidr_range      = "10.0.0.0/24"
      name               = "production"
      region             = "europe-west1"
      secondary_ip_range = {}
    }
  ]
}
# tftest modules=1 resources=3
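A more defensive variant of the configuration above, as an added example that is not taken from the module README: DNS policy logging and per-subnet flow logs are switched on, and the default internet route is not created. It only uses variables listed in the Variables section; the project ID, names and ranges are assumed, and it is also assumed that outbound may be set to null to keep Google's default DNS resolution path. Values in log_configs are strings because the variable is typed map(map(string)).

```hcl
module "vpc" {
  source     = "./fabric/modules/net-vpc"
  project_id = "my-project"
  name       = "my-network"
  # Do not create the default 0.0.0.0/0 route to the internet gateway;
  # egress then has to be added explicitly (routes variable or Cloud NAT).
  delete_default_routes_on_create = true
  dns_policy = {
    inbound  = true
    logging  = true # log every DNS query made from this VPC
    outbound = null # assumption: null keeps Google's default resolution
  }
  subnets = [
    {
      ip_cidr_range      = "10.0.0.0/24"
      name               = "production"
      region             = "europe-west1"
      secondary_ip_range = {}
    }
  ]
  # Flow logs are disabled by default; enable them per subnet, keyed by
  # region/name.
  subnet_flow_logs = {
    "europe-west1/production" = true
  }
  # Flow log settings for the subnets enabled above; sample every flow and
  # keep all metadata so logs are usable for incident analysis.
  log_configs = {
    "europe-west1/production" = {
      aggregation_interval = "INTERVAL_5_SEC"
      flow_sampling        = "1"
      metadata             = "INCLUDE_ALL_METADATA"
    }
  }
  # Private Google Access is enabled by default; keep it on so instances
  # without external IPs can still reach Google APIs.
  subnet_private_access = {
    "europe-west1/production" = true
  }
}
```

With flow_sampling set to 1 and full metadata, log volume (and cost) grows with traffic; lower the sampling rate on high-throughput subnets once you know what your detection pipeline actually consumes.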

Subnet Factory

The net-vpc module includes a subnet factory (see Resource Factories) for creating subnets at scale, with one YAML configuration file per subnet.

module "vpc" {
  source      = "./fabric/modules/net-vpc"
  project_id  = "my-project"
  name        = "my-network"
  data_folder = "config/subnets"
}
# tftest skip

# ./config/subnets/subnet-name.yaml
region: europe-west1
description: Sample description
ip_cidr_range: 10.0.0.0/24
# optional attributes
private_ip_google_access: false   # defaults to true
iam_users: ["[email protected]"] # grant compute/networkUser to users
iam_groups: ["[email protected]"] # grant compute/networkUser to groups
iam_service_accounts: ["[email protected]"]
secondary_ip_range:              # map of secondary ip ranges
  secondary-range-a: 192.168.0.0/24
flow_logs:                        # enable; set to an empty map to use defaults
  aggregation_interval: "INTERVAL_5_SEC"
  flow_sampling: 0.5
  metadata: "INCLUDE_ALL_METADATA"

Variables

| name | description | type | required | default |
|---|---|---|---|---|
| name | The name of the network being created. | string | ✓ | |
| project_id | The ID of the project where this VPC will be created. | string | ✓ | |
| auto_create_subnetworks | Set to true to create an auto mode subnet, defaults to custom mode. | bool | | false |
| data_folder | An optional folder containing the subnet configurations in YAML format. | string | | null |
| delete_default_routes_on_create | Set to true to delete the default routes at creation time. | bool | | false |
| description | An optional description of this resource (triggers recreation on change). | string | | "Terraform-managed." |
| dns_policy | DNS policy setup for the VPC. | object({…}) | | null |
| iam | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {} |
| log_config_defaults | Default configuration for flow logs when enabled. | object({…}) | | {…} |
| log_configs | Map keyed by subnet 'region/name' of optional configurations for flow logs when enabled. | map(map(string)) | | {} |
| mtu | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 and the maximum value is 1500 bytes. | | | null |
| peering_config | VPC peering configuration. | object({…}) | | null |
| peering_create_remote_end | Also create the peering on the remote end when using peering_config; set to false to only create the local end. | bool | | true |
| psa_config | The Private Service Access configuration for Service Networking. | object({…}) | | null |
| routes | Network routes, keyed by name. | map(object({…})) | | {} |
| routing_mode | The network routing mode (default 'GLOBAL'). | string | | "GLOBAL" |
| shared_vpc_host | Enable shared VPC for this project. | bool | | false |
| shared_vpc_service_projects | Shared VPC service projects to register with this host. | list(string) | | [] |
| subnet_descriptions | Optional map of subnet descriptions, keyed by subnet 'region/name'. | map(string) | | {} |
| subnet_flow_logs | Optional map of boolean to control flow logs (default is disabled), keyed by subnet 'region/name'. | map(bool) | | {} |
| subnet_private_access | Optional map of boolean to control private Google access (default is enabled), keyed by subnet 'region/name'. | map(bool) | | {} |
| subnets | List of subnets being created. | list(object({…})) | | [] |
| subnets_proxy_only | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: only one proxy-only subnet for each VPC network in each region can be active. | list(object({…})) | | [] |
| subnets_psc | List of subnets for Private Service Connect service producers. | list(object({…})) | | [] |
| vpc_create | Create VPC. When set to false, uses a data source to reference an existing VPC. | bool | | true |

Outputs

| name | description | sensitive |
|---|---|---|
| bindings | Subnet IAM bindings. | |
| name | The name of the VPC being created. | |
| network | Network resource. | |
| project_id | Project ID containing the network. Use this when you need to create resources after the VPC is fully set up (e.g. subnets created, shared VPC service projects attached, Private Service Networking configured). | |
| self_link | The URI of the VPC being created. | |
| subnet_ips | Map of subnet address ranges keyed by name. | |
| subnet_regions | Map of subnet regions keyed by name. | |
| subnet_secondary_ranges | Map of subnet secondary ranges keyed by name. | |
| subnet_self_links | Map of subnet self links keyed by name. | |
| subnets | Subnet resources. | |
| subnets_proxy_only | L7 ILB or L7 Regional LB subnet resources. | |
| subnets_psc | Private Service Connect subnet resources. | |

The subnet maps above are keyed in subnet_region/subnet_name format, for example europe-west1/my_subnet; the same key format is used by the iam, log_configs, subnet_flow_logs, subnet_private_access and subnet_descriptions variables.