Merge branch 'master' into ooshrioo/compute-vm-gpu

GoogleCloudPlatform · Nov 18, 2024 · 28ffdd3 · 28ffdd3
2 parents 3694e13 + 2676010
commit 28ffdd3
Show file tree

Hide file tree

Showing 16 changed files with 144 additions and 83 deletions.
diff --git a/blueprints/apigee/apigee-x-foundations/README.md b/blueprints/apigee/apigee-x-foundations/README.md
@@ -491,10 +491,14 @@ module "apigee-x-foundations" {
 | [apigee_vpc_id](outputs.tf#L22) | Apigee VPC. |  |  |
 | [apigee_vpc_self_link](outputs.tf#L27) | Apigee VPC. |  |  |
 | [endpoint_attachment_hosts](outputs.tf#L31) | Endpoint attachment hosts. |  |  |
-| [ext_lb_ip_address](outputs.tf#L36) | External IP address. |  |  |
-| [instance_service_attachments](outputs.tf#L41) | Instance service attachments. |  |  |
-| [int_cross_region_lb_ip_addresses](outputs.tf#L46) | Internal IP addresses. |  |  |
-| [int_lb_ip_addresses](outputs.tf#L51) | Internal IP addresses. |  |  |
-| [project](outputs.tf#L56) | Project. |  |  |
-| [project_id](outputs.tf#L61) | Project id. |  |  |
+| [ext_lb](outputs.tf#L36) | External LB. |  |  |
+| [ext_lb_ip_address](outputs.tf#L41) | External IP address. |  |  |
+| [instance_service_attachments](outputs.tf#L46) | Instance service attachments. |  |  |
+| [instances](outputs.tf#L51) | Instances. |  |  |
+| [int_cross_region_lb](outputs.tf#L56) | Internal cross-region LBs. |  |  |
+| [int_cross_region_lb_ip_addresses](outputs.tf#L61) | Internal IP addresses. |  |  |
+| [int_lb_ip_addresses](outputs.tf#L66) | Internal IP addresses. |  |  |
+| [int_lbs](outputs.tf#L71) | Internal LBs. |  |  |
+| [project](outputs.tf#L76) | Project. |  |  |
+| [project_id](outputs.tf#L81) | Project id. |  |  |
 <!-- END TFDOC -->
diff --git a/blueprints/apigee/apigee-x-foundations/outputs.tf b/blueprints/apigee/apigee-x-foundations/outputs.tf
@@ -33,6 +33,11 @@ output "endpoint_attachment_hosts" {
   value       = module.apigee.endpoint_attachment_hosts
 }
 
+output "ext_lb" {
+  description = "External LB."
+  value       = var.ext_lb_config != null && length(local.ext_instances) > 0 ? module.ext_lb[0] : null
+}
+
 output "ext_lb_ip_address" {
   description = "External IP address."
   value       = var.ext_lb_config != null && length(local.ext_instances) > 0 ? module.ext_lb[0].address : null
@@ -43,6 +48,16 @@ output "instance_service_attachments" {
   value       = { for k, v in module.apigee.instances : k => v.service_attachment }
 }
 
+output "instances" {
+  description = "Instances."
+  value       = module.apigee.instances
+}
+
+output "int_cross_region_lb" {
+  description = "Internal cross-region LBs."
+  value       = var.int_cross_region_lb_config != null && length(local.int_cross_region_instances) > 0 ? module.int_cross_region_lb[0] : null
+}
+
 output "int_cross_region_lb_ip_addresses" {
   description = "Internal IP addresses."
   value       = var.int_cross_region_lb_config != null && length(local.int_cross_region_instances) > 0 ? module.int_cross_region_lb[0].addresses : null
@@ -53,6 +68,11 @@ output "int_lb_ip_addresses" {
   value       = var.int_lb_config != null && length(local.int_instances) > 0 ? { for k, v in module.int_lb : k => v.address } : null
 }
 
+output "int_lbs" {
+  description = "Internal LBs."
+  value       = module.int_lb
+}
+
 output "project" {
   description = "Project."
   value       = module.project

diff --git a/fast/stages/2-project-factory/README.md b/fast/stages/2-project-factory/README.md
@@ -353,5 +353,5 @@ The approach is not shown here but reasonably easy to implement. The main projec
 | name | description | sensitive | consumers |
 |---|---|:---:|---|
 | [projects](outputs.tf#L17) | Created projects. |  |  |
-| [service_accounts](outputs.tf#L27) | Created service accounts. |  |  |
+| [service_accounts](outputs.tf#L22) | Created service accounts. |  |  |
 <!-- END TFDOC -->
diff --git a/fast/stages/2-project-factory/outputs.tf b/fast/stages/2-project-factory/outputs.tf
@@ -16,12 +16,7 @@
 
 output "projects" {
   description = "Created projects."
-  value = {
-    for k, v in module.projects.projects : k => {
-      number     = v.number
-      project_id = v.id
-    }
-  }
+  value       = module.projects.projects
 }
 
 output "service_accounts" {

diff --git a/modules/alloydb/main.tf b/modules/alloydb/main.tf
@@ -302,14 +302,6 @@ resource "google_alloydb_cluster" "secondary" {
     }
   }
 
-  dynamic "initial_user" {
-    for_each = var.initial_user != null ? [""] : []
-    content {
-      user     = var.initial_user.user
-      password = var.initial_user.password
-    }
-  }
-
   dynamic "maintenance_update_policy" {
     for_each = var.maintenance_config.enabled ? [""] : []
     content {

diff --git a/modules/cloud-run-v2/README.md b/modules/cloud-run-v2/README.md
@@ -7,7 +7,7 @@ Cloud Run Services and Jobs, with support for IAM roles and Eventarc trigger cre
 - [Mounting secrets as volumes](#mounting-secrets-as-volumes)
 - [Mounting GCS buckets](#mounting-gcs-buckets)
 - [Connecting to Cloud SQL database](#connecting-to-cloud-sql-database)
-- [Beta features](#beta-features)
+- [Direct VPC Egress](#direct-vpc-egress)
 - [VPC Access Connector](#vpc-access-connector)
 - [Using Customer-Managed Encryption Key](#using-customer-managed-encryption-key)
 - [Eventarc triggers](#eventarc-triggers)
@@ -101,14 +101,22 @@ module "cloud_run" {
       }
     }
   }
+  revision = {
+    gen2_execution_environment = true
+  }
   volumes = {
     bucket = {
       gcs = {
         bucket       = var.bucket
         is_read_only = false
+        mount_options = [ # Beta feature
+          "metadata-cache-ttl-secs=120s",
+          "type-cache-max-size-mb=4",
+        ]
       }
     }
   }
+  deletion_protection = false
 }
 # tftest inventory=gcs-mount.yaml e2e
 ```
@@ -139,18 +147,13 @@ module "cloud_run" {
 # tftest fixtures=fixtures/cloudsql-instance.tf inventory=cloudsql.yaml e2e
 ```
 
-
-## Beta features
-
-To use beta features like Direct VPC Egress, set the launch stage to a preview stage.
-
+## Direct VPC Egress
 ```hcl
 module "cloud_run" {
-  source       = "./fabric/modules/cloud-run-v2"
-  project_id   = var.project_id
-  name         = "hello"
-  region       = var.region
-  launch_stage = "BETA"
+  source     = "./fabric/modules/cloud-run-v2"
+  project_id = var.project_id
+  name       = "hello"
+  region     = var.region
   containers = {
     hello = {
       image = "us-docker.pkg.dev/cloudrun/container/hello"
@@ -161,12 +164,13 @@ module "cloud_run" {
     max_instance_count         = 20
     vpc_access = {
       egress = "ALL_TRAFFIC"
-      subnet = "default"
+      subnet = var.subnet.name
       tags   = ["tag1", "tag2", "tag3"]
     }
   }
+  deletion_protection = false
 }
-# tftest modules=1 resources=1 inventory=service-beta-features.yaml
+# tftest modules=1 resources=1 inventory=service-direct-vpc.yaml e2e
 ```
 
 ## VPC Access Connector

diff --git a/modules/cloud-run-v2/job.tf b/modules/cloud-run-v2/job.tf
@@ -87,7 +87,15 @@ resource "google_cloud_run_v2_job" "job" {
             }
           }
           dynamic "volume_mounts" {
-            for_each = coalesce(containers.value.volume_mounts, tomap({}))
+            for_each = { for k, v in coalesce(containers.value.volume_mounts, tomap({})) : k => v if k != "cloudsql" }
+            content {
+              name       = volume_mounts.key
+              mount_path = volume_mounts.value
+            }
+          }
+          # CloudSQL is the last mount in the list returned by API
+          dynamic "volume_mounts" {
+            for_each = { for k, v in coalesce(containers.value.volume_mounts, tomap({})) : k => v if k == "cloudsql" }
             content {
               name       = volume_mounts.key
               mount_path = volume_mounts.value
@@ -96,7 +104,7 @@ resource "google_cloud_run_v2_job" "job" {
         }
       }
       dynamic "volumes" {
-        for_each = var.volumes
+        for_each = { for k, v in var.volumes : k => v if v.cloud_sql_instances == null }
         content {
           name = volumes.key
           dynamic "secret" {
@@ -114,12 +122,7 @@ resource "google_cloud_run_v2_job" "job" {
               }
             }
           }
-          dynamic "cloud_sql_instance" {
-            for_each = length(coalesce(volumes.value.cloud_sql_instances, [])) == 0 ? [] : [""]
-            content {
-              instances = volumes.value.cloud_sql_instances
-            }
-          }
+
           dynamic "empty_dir" {
             for_each = volumes.value.empty_dir_size == null ? [] : [""]
             content {
@@ -144,6 +147,19 @@ resource "google_cloud_run_v2_job" "job" {
           }
         }
       }
+      # CloudSQL is the last volume in the list returned by API
+      dynamic "volumes" {
+        for_each = { for k, v in var.volumes : k => v if v.cloud_sql_instances != null }
+        content {
+          name = volumes.key
+          dynamic "cloud_sql_instance" {
+            for_each = length(coalesce(volumes.value.cloud_sql_instances, [])) == 0 ? [] : [""]
+            content {
+              instances = volumes.value.cloud_sql_instances
+            }
+          }
+        }
+      }
     }
   }
 
@@ -162,4 +178,3 @@ resource "google_cloud_run_v2_job_iam_binding" "binding" {
   role     = each.key
   members  = each.value
 }
-
diff --git a/modules/cloud-run-v2/service.tf b/modules/cloud-run-v2/service.tf
@@ -101,7 +101,15 @@ resource "google_cloud_run_v2_service" "service" {
           }
         }
         dynamic "volume_mounts" {
-          for_each = coalesce(containers.value.volume_mounts, tomap({}))
+          for_each = { for k, v in coalesce(containers.value.volume_mounts, tomap({})) : k => v if k != "cloudsql" }
+          content {
+            name       = volume_mounts.key
+            mount_path = volume_mounts.value
+          }
+        }
+        # CloudSQL is the last mount in the list returned by API
+        dynamic "volume_mounts" {
+          for_each = { for k, v in coalesce(containers.value.volume_mounts, tomap({})) : k => v if k == "cloudsql" }
           content {
             name       = volume_mounts.key
             mount_path = volume_mounts.value
@@ -174,7 +182,7 @@ resource "google_cloud_run_v2_service" "service" {
       }
     }
     dynamic "volumes" {
-      for_each = var.volumes
+      for_each = { for k, v in var.volumes : k => v if v.cloud_sql_instances == null }
       content {
         name = volumes.key
         dynamic "secret" {
@@ -192,12 +200,7 @@ resource "google_cloud_run_v2_service" "service" {
             }
           }
         }
-        dynamic "cloud_sql_instance" {
-          for_each = length(coalesce(volumes.value.cloud_sql_instances, [])) == 0 ? [] : [""]
-          content {
-            instances = volumes.value.cloud_sql_instances
-          }
-        }
+
         dynamic "empty_dir" {
           for_each = volumes.value.empty_dir_size == null ? [] : [""]
           content {
@@ -222,6 +225,19 @@ resource "google_cloud_run_v2_service" "service" {
         }
       }
     }
+    # CloudSQL is the last volume in the list returned by API
+    dynamic "volumes" {
+      for_each = { for k, v in var.volumes : k => v if v.cloud_sql_instances != null }
+      content {
+        name = volumes.key
+        dynamic "cloud_sql_instance" {
+          for_each = length(coalesce(volumes.value.cloud_sql_instances, [])) == 0 ? [] : [""]
+          content {
+            instances = volumes.value.cloud_sql_instances
+          }
+        }
+      }
+    }
   }
 
   deletion_protection = var.deletion_protection

diff --git a/modules/iam-service-account/README.md b/modules/iam-service-account/README.md
@@ -70,8 +70,8 @@ module "myproject-default-service-accounts" {
 | [email](outputs.tf#L17) | Service account email. |  |
 | [iam_email](outputs.tf#L25) | IAM-format service account email. |  |
 | [id](outputs.tf#L33) | Fully qualified service account id. |  |
-| [key](outputs.tf#L42) | Service account key. | ✓ |
-| [name](outputs.tf#L48) | Service account name. |  |
-| [service_account](outputs.tf#L57) | Service account resource. |  |
-| [service_account_credentials](outputs.tf#L62) | Service account json credential templates for uploaded public keys data. |  |
+| [key](outputs.tf#L41) | Service account key. | ✓ |
+| [name](outputs.tf#L47) | Service account name. |  |
+| [service_account](outputs.tf#L55) | Service account resource. |  |
+| [service_account_credentials](outputs.tf#L60) | Service account json credential templates for uploaded public keys data. |  |
 <!-- END TFDOC -->
diff --git a/modules/iam-service-account/outputs.tf b/modules/iam-service-account/outputs.tf
@@ -18,24 +18,23 @@ output "email" {
   description = "Service account email."
   value       = local.resource_email_static
   depends_on = [
-    local.service_account
+    local.service_account,
   ]
 }
 
 output "iam_email" {
   description = "IAM-format service account email."
   value       = local.resource_iam_email_static
   depends_on = [
-    local.service_account
+    local.service_account,
   ]
 }
 
 output "id" {
   description = "Fully qualified service account id."
   value       = local.service_account_id_static
   depends_on = [
-    data.google_service_account.service_account,
-    google_service_account.service_account
+    local.service_account,
   ]
 }
 
@@ -49,8 +48,7 @@ output "name" {
   description = "Service account name."
   value       = local.service_account_id_static
   depends_on = [
-    data.google_service_account.service_account,
-    google_service_account.service_account
+    local.service_account,
   ]
 }
 

diff --git a/modules/project-factory/README.md b/modules/project-factory/README.md
@@ -449,8 +449,8 @@ update_rules:
 | name | description | sensitive |
 |---|---|:---:|
 | [folders](outputs.tf#L17) | Folder ids. |  |
-| [projects](outputs.tf#L22) | Project module outputs. |  |
-| [service_accounts](outputs.tf#L27) | Service account emails. |  |
+| [projects](outputs.tf#L22) | Created projects. |  |
+| [service_accounts](outputs.tf#L43) | Service account emails. |  |
 <!-- END TFDOC -->
 ## Tests
 

diff --git a/modules/project-factory/outputs.tf b/modules/project-factory/outputs.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,8 +20,24 @@ output "folders" {
 }
 
 output "projects" {
-  description = "Project module outputs."
-  value       = module.projects
+  description = "Created projects."
+  value = {
+    for k, v in module.projects : k => {
+      number     = v.number
+      project_id = v.id
+      project    = v
+      automation_buckets = {
+        for kk, vv in module.automation-buckets :
+        trimprefix(kk, "${k}/") => vv.name
+        if startswith(kk, "${k}/")
+      }
+      automation_service_accounts = {
+        for kk, vv in module.automation-service-accounts :
+        trimprefix(kk, "${k}/") => vv.email
+        if startswith(kk, "${k}/")
+      }
+    }
+  }
 }
 
 output "service_accounts" {