terraform-google-modules · aaron-lane · Jun 18, 2019 · Jun 13, 2019 · Jun 14, 2019 · Jun 14, 2019
diff --git a/Gemfile b/Gemfile
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-ruby '2.5.3'
+ruby '2.6.3'
 
 source 'https://rubygems.org/' do
   gem 'kitchen-terraform', '~> 4.3'

diff --git a/Makefile b/Makefile
@@ -18,7 +18,7 @@ SHELL := /usr/bin/env bash
 # Docker build config variables
 CREDENTIALS_PATH 			?= /cft/workdir/credentials.json
 DOCKER_ORG 				:= gcr.io/cloud-foundation-cicd
-DOCKER_TAG_BASE_KITCHEN_TERRAFORM 	?= 0.11.10_216.0.0_1.19.1_0.1.10
+DOCKER_TAG_BASE_KITCHEN_TERRAFORM 	?= 2.0.0
 DOCKER_REPO_BASE_KITCHEN_TERRAFORM 	:= ${DOCKER_ORG}/cft/kitchen-terraform:${DOCKER_TAG_BASE_KITCHEN_TERRAFORM}
 
 # All is the first target in the file so it will get picked up when you just run 'make' on its own

diff --git a/examples/submodule_firewall/main.tf b/examples/submodule_firewall/main.tf
@@ -49,11 +49,11 @@ module "test-firewall-submodule" {
   project_id              = "${var.project_id}"
   network                 = "${module.test-vpc-module.network_name}"
   internal_ranges_enabled = true
-  internal_ranges         = ["${module.test-vpc-module.subnets_ips}"]
+  internal_ranges         = "${module.test-vpc-module.subnets_ips}"
 
   internal_allow = [{
-    protocol = "icmp"
-  },
+      protocol = "icmp"
+    },
     {
       protocol = "tcp"
     },

diff --git a/main.tf b/main.tf
@@ -18,86 +18,83 @@
 	VPC configuration
  *****************************************/
 resource "google_compute_network" "network" {
-  name                    = "${var.network_name}"
+  name                    = var.network_name
   auto_create_subnetworks = "false"
-  routing_mode            = "${var.routing_mode}"
-  project                 = "${var.project_id}"
+  routing_mode            = var.routing_mode
+  project                 = var.project_id
 }
 
 /******************************************
 	Shared VPC
  *****************************************/
 resource "google_compute_shared_vpc_host_project" "shared_vpc_host" {
-  count   = "${var.shared_vpc_host == "true" ? 1 : 0}"
-  project = "${var.project_id}"
-  depends_on = ["google_compute_network.network"]
-
+  count      = var.shared_vpc_host == "true" ? 1 : 0
+  project    = var.project_id
+  depends_on = [google_compute_network.network]
 }
 
 /******************************************
 	Subnet configuration
  *****************************************/
 resource "google_compute_subnetwork" "subnetwork" {
-  count = "${length(var.subnets)}"
-
-  name                     = "${lookup(var.subnets[count.index], "subnet_name")}"
-  ip_cidr_range            = "${lookup(var.subnets[count.index], "subnet_ip")}"
-  region                   = "${lookup(var.subnets[count.index], "subnet_region")}"
-  private_ip_google_access = "${lookup(var.subnets[count.index], "subnet_private_access", "false")}"
-  enable_flow_logs         = "${lookup(var.subnets[count.index], "subnet_flow_logs", "false")}"
-  network                  = "${google_compute_network.network.name}"
-  project                  = "${var.project_id}"
+  count = length(var.subnets)
 
-  secondary_ip_range = "${var.secondary_ranges[lookup(var.subnets[count.index], "subnet_name")]}"
+  name                     = var.subnets[count.index]["subnet_name"]
+  ip_cidr_range            = var.subnets[count.index]["subnet_ip"]
+  region                   = var.subnets[count.index]["subnet_region"]
+  private_ip_google_access = lookup(var.subnets[count.index], "subnet_private_access", "false")
+  enable_flow_logs         = lookup(var.subnets[count.index], "subnet_flow_logs", "false")
+  network                  = google_compute_network.network.name
+  project                  = var.project_id
+  secondary_ip_range       = var.secondary_ranges[lookup(var.subnets[count.index], "subnet_name", null)]
 }
 
 data "google_compute_subnetwork" "created_subnets" {
-  count = "${length(var.subnets)}"
-
-  name    = "${element(google_compute_subnetwork.subnetwork.*.name, count.index)}"
-  region  = "${element(google_compute_subnetwork.subnetwork.*.region, count.index)}"
-  project = "${var.project_id}"
+  count   = length(var.subnets)
+  name    = element(google_compute_subnetwork.subnetwork.*.name, count.index)
+  region  = element(google_compute_subnetwork.subnetwork.*.region, count.index)
+  project = var.project_id
 }
 
 /******************************************
 	Routes
  *****************************************/
 resource "google_compute_route" "route" {
-  count   = "${length(var.routes)}"
-  project = "${var.project_id}"
-  network = "${var.network_name}"
-
-  name                   = "${lookup(var.routes[count.index], "name", format("%s-%s-%d", lower(var.network_name), "route",count.index))}"
-  description            = "${lookup(var.routes[count.index], "description","")}"
-  tags                   = "${compact(split(",",lookup(var.routes[count.index], "tags","")))}"
-  dest_range             = "${lookup(var.routes[count.index], "destination_range","")}"
-  next_hop_gateway       = "${lookup(var.routes[count.index], "next_hop_internet","") == "true" ? "default-internet-gateway":""}"
-  next_hop_ip            = "${lookup(var.routes[count.index], "next_hop_ip","")}"
-  next_hop_instance      = "${lookup(var.routes[count.index], "next_hop_instance","")}"
-  next_hop_instance_zone = "${lookup(var.routes[count.index], "next_hop_instance_zone","")}"
-  next_hop_vpn_tunnel    = "${lookup(var.routes[count.index], "next_hop_vpn_tunnel","")}"
-  priority               = "${lookup(var.routes[count.index], "priority", "1000")}"
+  count                  = length(var.routes)
+  project                = var.project_id
+  network                = var.network_name
+  name                   = "${lookup(var.routes[count.index], "name", format("%s-%s-%d", lower(var.network_name), "route", count.index))}"
+  description            = lookup(var.routes[count.index], "description", "")
+  tags                   = compact(split(",", lookup(var.routes[count.index], "tags", "")))
+  dest_range             = lookup(var.routes[count.index], "destination_range", "")
+  next_hop_gateway       = lookup(var.routes[count.index], "next_hop_internet", "") == "true" ? "default-internet-gateway" : ""
+  next_hop_ip            = lookup(var.routes[count.index], "next_hop_ip", "")
+  next_hop_instance      = lookup(var.routes[count.index], "next_hop_instance", "")
+  next_hop_instance_zone = lookup(var.routes[count.index], "next_hop_instance_zone", "")
+  next_hop_vpn_tunnel    = lookup(var.routes[count.index], "next_hop_vpn_tunnel", "")
+  priority               = lookup(var.routes[count.index], "priority", "1000")
 
   depends_on = [
-    "google_compute_network.network",
-    "google_compute_subnetwork.subnetwork",
+    google_compute_network.network,
+    google_compute_subnetwork.subnetwork,
   ]
 }
 
 resource "null_resource" "delete_default_internet_gateway_routes" {
-  count = "${var.delete_default_internet_gateway_routes ? 1 : 0}"
+  count = var.delete_default_internet_gateway_routes ? 1 : 0
 
   provisioner "local-exec" {
     command = "${path.module}/scripts/delete-default-gateway-routes.sh ${var.project_id} ${var.network_name}"
   }
 
-  triggers {
-    number_of_routes = "${length(var.routes)}"
+  triggers = {
+    number_of_routes = length(var.routes)
   }
 
   depends_on = [
-    "google_compute_network.network",
-    "google_compute_subnetwork.subnetwork",
-    "google_compute_route.route",
+    google_compute_network.network,
+    google_compute_subnetwork.subnetwork,
+    google_compute_route.route,
   ]
 }
+
diff --git a/modules/fabric-net-firewall/main.tf b/modules/fabric-net-firewall/main.tf
@@ -19,22 +19,29 @@
 ###############################################################################
 
 resource "google_compute_firewall" "allow-internal" {
-  count         = "${var.internal_ranges_enabled && length(var.internal_allow) > 0 ? 1 : 0}"
+  count         = var.internal_ranges_enabled == true && length(var.internal_allow) > 0 ? 1 : 0
   name          = "${var.network}-ingress-internal"
   description   = "Allow ingress traffic from internal IP ranges"
-  network       = "${var.network}"
-  project       = "${var.project_id}"
-  source_ranges = ["${var.internal_ranges}"]
-  allow         = ["${var.internal_allow}"]
+  network       = var.network
+  project       = var.project_id
+  source_ranges = var.internal_ranges
+
+  dynamic "allow" {
+    for_each = [var.internal_allow]
+    content {
+      protocol = lookup(allow.value[count.index], "protocol", null)
+      ports    = lookup(allow.value[count.index], "ports", null)
+    }
+  }
 }
 
 resource "google_compute_firewall" "allow-admins" {
-  count         = "${var.admin_ranges_enabled > 0 ? 1 : 0}"
+  count         = var.admin_ranges_enabled == true ? 1 : 0
   name          = "${var.network}-ingress-admins"
   description   = "Access from the admin subnet to all subnets"
-  network       = "${var.network}"
-  project       = "${var.project_id}"
-  source_ranges = ["${var.admin_ranges}"]
+  network       = var.network
+  project       = var.project_id
+  source_ranges = var.admin_ranges
 
   allow {
     protocol = "icmp"
@@ -54,12 +61,12 @@ resource "google_compute_firewall" "allow-admins" {
 ###############################################################################
 
 resource "google_compute_firewall" "allow-tag-ssh" {
-  count         = "${length(var.ssh_source_ranges) > 0 ? 1 : 0}"
+  count         = length(var.ssh_source_ranges) > 0 ? 1 : 0
   name          = "${var.network}-ingress-tag-ssh"
   description   = "Allow SSH to machines with the 'ssh' tag"
-  network       = "${var.network}"
-  project       = "${var.project_id}"
-  source_ranges = ["${var.ssh_source_ranges}"]
+  network       = var.network
+  project       = var.project_id
+  source_ranges = var.ssh_source_ranges
   target_tags   = ["ssh"]
 
   allow {
@@ -69,12 +76,12 @@ resource "google_compute_firewall" "allow-tag-ssh" {
 }
 
 resource "google_compute_firewall" "allow-tag-http" {
-  count         = "${length(var.http_source_ranges) > 0 ? 1 : 0}"
+  count         = length(var.http_source_ranges) > 0 ? 1 : 0
   name          = "${var.network}-ingress-tag-http"
   description   = "Allow HTTP to machines with the 'http-server' tag"
-  network       = "${var.network}"
-  project       = "${var.project_id}"
-  source_ranges = ["${var.http_source_ranges}"]
+  network       = var.network
+  project       = var.project_id
+  source_ranges = var.http_source_ranges
   target_tags   = ["http-server"]
 
   allow {
@@ -84,12 +91,12 @@ resource "google_compute_firewall" "allow-tag-http" {
 }
 
 resource "google_compute_firewall" "allow-tag-https" {
-  count         = "${length(var.https_source_ranges) > 0 ? 1 : 0}"
+  count         = length(var.https_source_ranges) > 0 ? 1 : 0
   name          = "${var.network}-ingress-tag-https"
   description   = "Allow HTTPS to machines with the 'https' tag"
-  network       = "${var.network}"
-  project       = "${var.project_id}"
-  source_ranges = ["${var.https_source_ranges}"]
+  network       = var.network
+  project       = var.project_id
+  source_ranges = var.https_source_ranges
   target_tags   = ["https-server"]
 
   allow {

diff --git a/modules/fabric-net-firewall/outputs.tf b/modules/fabric-net-firewall/outputs.tf
@@ -18,16 +18,17 @@ output "internal_ranges" {
   description = "Internal ranges."
 
   value = {
-    enabled = "${var.internal_ranges_enabled}"
-    ranges  = "${var.internal_ranges_enabled ? join(",", var.internal_ranges) : ""}"
+    enabled = var.internal_ranges_enabled
+    ranges  = var.internal_ranges_enabled ? join(",", var.internal_ranges) : ""
   }
 }
 
 output "admin_ranges" {
   description = "Admin ranges data."
 
   value = {
-    enabled = "${var.admin_ranges_enabled}"
-    ranges  = "${var.admin_ranges_enabled ? join(",", var.admin_ranges) : ""}"
+    enabled = var.admin_ranges_enabled
+    ranges  = var.admin_ranges_enabled ? join(",", var.admin_ranges) : ""
   }
 }
+
diff --git a/modules/fabric-net-firewall/variables.tf b/modules/fabric-net-firewall/variables.tf
@@ -34,7 +34,6 @@ variable "internal_ranges" {
 
 variable "internal_allow" {
   description = "Allow rules for internal ranges."
-
   default = [
     {
       protocol = "icmp"

diff --git a/outputs.tf b/outputs.tf
@@ -15,12 +15,12 @@
  */
 
 output "network_name" {
-  value       = "${google_compute_network.network.name}"
+  value       = google_compute_network.network.name
   description = "The name of the VPC being created"
 }
 
 output "network_self_link" {
-  value       = "${google_compute_network.network.self_link}"
+  value       = google_compute_network.network.self_link
   description = "The URI of the VPC being created"
 }
 
@@ -30,41 +30,42 @@ output "svpc_host_project_id" {
 }
 
 output "subnets_names" {
-  value       = "${google_compute_subnetwork.subnetwork.*.name}"
+  value       = google_compute_subnetwork.subnetwork.*.name
   description = "The names of the subnets being created"
 }
 
 output "subnets_ips" {
-  value       = "${google_compute_subnetwork.subnetwork.*.ip_cidr_range}"
+  value       = google_compute_subnetwork.subnetwork.*.ip_cidr_range
   description = "The IPs and CIDRs of the subnets being created"
 }
 
 output "subnets_self_links" {
-  value       = "${google_compute_subnetwork.subnetwork.*.self_link}"
+  value       = google_compute_subnetwork.subnetwork.*.self_link
   description = "The self-links of subnets being created"
 }
 
 output "subnets_regions" {
-  value       = "${google_compute_subnetwork.subnetwork.*.region}"
+  value       = google_compute_subnetwork.subnetwork.*.region
   description = "The region where the subnets will be created"
 }
 
 output "subnets_private_access" {
-  value       = "${google_compute_subnetwork.subnetwork.*.private_ip_google_access}"
+  value       = google_compute_subnetwork.subnetwork.*.private_ip_google_access
   description = "Whether the subnets will have access to Google API's without a public IP"
 }
 
 output "subnets_flow_logs" {
-  value       = "${google_compute_subnetwork.subnetwork.*.enable_flow_logs}"
+  value       = google_compute_subnetwork.subnetwork.*.enable_flow_logs
   description = "Whether the subnets will have VPC flow logs enabled"
 }
 
 output "subnets_secondary_ranges" {
-  value       = "${data.google_compute_subnetwork.created_subnets.*.secondary_ip_range}"
+  value       = data.google_compute_subnetwork.created_subnets.*.secondary_ip_range
   description = "The secondary ranges associated with these subnets"
 }
 
 output "routes" {
-  value       = "${google_compute_route.route.*.name}"
+  value       = google_compute_route.route.*.name
   description = "The routes associated with this VPC"
 }
+
diff --git a/test/make.sh b/test/make.sh
@@ -74,11 +74,16 @@ function docker() {
 # directory paths which contain *.tf files.
 function check_terraform() {
   echo "Running terraform validate"
-  find_files . -name "*.tf" -print0 \
-    | compat_xargs -0 -n1 dirname \
-    | sort -u \
-    | grep -xv './test/fixtures/shared' \
-    | compat_xargs -t -n1 terraform validate --check-variables=false
+  find . -name "*.tf" \
+    -not -path "./.terraform/*" \
+    -not -path "./test/fixtures/*/.terraform/*" \
+    -not -path "./test/fixtures/all_examples/*" \
+    -not -path "./test/fixtures/shared/*" \
+    -print0 \
+    | xargs -0 dirname | sort | uniq \
+    | xargs -L 1 -i{} bash -c 'terraform init "{}" > /dev/null && terraform validate "{}"'
+  echo "Running terraform fmt"
+  terraform fmt -check=true -write=false
 }
 
 # This function runs 'go fmt' and 'go vet' on every file