From 95029cc5ac1122f31944bd120dc623424fdf1a09 Mon Sep 17 00:00:00 2001 From: Imran Nayer Date: Tue, 2 Sep 2025 19:31:36 +0000 Subject: [PATCH 1/3] added producer vpc network spoke --- Makefile | 2 +- docs/upgrading_to_v12.0.0.md | 6 + examples/network_connectivity_center/main.tf | 4 +- metadata.yaml | 157 ++++++++++-------- modules/fabric-net-firewall/metadata.yaml | 120 +++++++------ modules/fabric-net-svpc-access/metadata.yaml | 32 ++-- modules/firewall-rules/metadata.yaml | 40 +++-- .../metadata.yaml | 31 ++-- modules/network-connectivity-center/README.md | 4 +- modules/network-connectivity-center/main.tf | 21 +++ .../network-connectivity-center/metadata.yaml | 74 +++++---- .../network-connectivity-center/outputs.tf | 4 + .../network-connectivity-center/variables.tf | 11 ++ modules/network-firewall-policy/metadata.yaml | 33 ++-- modules/network-peering/metadata.yaml | 54 +++--- modules/private-service-connect/metadata.yaml | 46 ++--- modules/routes-beta/metadata.yaml | 24 ++- modules/routes/metadata.yaml | 24 ++- modules/subnets-beta/metadata.yaml | 32 ++-- modules/subnets/metadata.yaml | 22 ++- .../metadata.yaml | 6 +- modules/vpc/metadata.yaml | 61 ++++--- 22 files changed, 442 insertions(+), 366 deletions(-) create mode 100644 docs/upgrading_to_v12.0.0.md diff --git a/Makefile b/Makefile index ba57f3c73..d3603e875 100644 --- a/Makefile +++ b/Makefile @@ -89,7 +89,7 @@ docker_restore_examples: .PHONY: docker_generate_docs docker_generate_docs: docker run --rm -it \ - -e ENABLE_BPMETADATA \ + -e ENABLE_BPMETADATA=1 \ -v $(CURDIR):/workspace \ $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \ /bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs' diff --git a/docs/upgrading_to_v12.0.0.md b/docs/upgrading_to_v12.0.0.md new file mode 100644 index 000000000..e36ee13ff --- /dev/null +++ b/docs/upgrading_to_v12.0.0.md 
@@ -0,0 +1,6 @@ +# Upgrading to v12.0.0 + +The v12.0 release contains backwards-incompatible changes. + +This update requires upgrading: +- minimum provider version of `hashicorp/google` to `6.49` for network-connectivity-center sub-module. diff --git a/examples/network_connectivity_center/main.tf b/examples/network_connectivity_center/main.tf index f625ce251..bd6ab21d9 100644 --- a/examples/network_connectivity_center/main.tf +++ b/examples/network_connectivity_center/main.tf @@ -15,7 +15,9 @@ */ module "network_connectivity_center" { - source = "terraform-google-modules/network/google//modules/network-connectivity-center" + source = "terraform-google-modules/network/google//modules/network-connectivity-center" + version = "~> 12.0" + project_id = var.project_id ncc_hub_name = var.ncc_hub_name ncc_hub_labels = { diff --git a/metadata.yaml b/metadata.yaml index a40479eb7..e1e2e07f5 100644 --- a/metadata.yaml +++ b/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -118,28 +118,62 @@ spec: location: examples/submodule_vpc_serverless_connector interfaces: variables: - - name: auto_create_subnetworks - description: When set to true, the network is created in 'auto subnet mode' and it will create a subnet for each region automatically across the 10.128.0.0/9 address range. When set to false, the network is created in 'custom subnet mode' so the user can explicitly connect subnetwork resources. - varType: bool - defaultValue: false - - name: delete_default_internet_gateway_routes - description: If set, ensure that all routes within the network specified whose names begin with 'default-route' and with a next hop of 'default-internet-gateway' are deleted + - name: project_id + description: The ID of the project where this VPC will be created + varType: string + required: true + - name: network_name + description: The name of the network being created + varType: string + required: true + - name: routing_mode + description: The network routing mode (default 'GLOBAL') + varType: string + defaultValue: GLOBAL + - name: shared_vpc_host + description: Makes this project a Shared VPC host if 'true' (default 'false') varType: bool defaultValue: false - - name: description - description: An optional description of this resource. The resource must be recreated to modify this field. - varType: string - defaultValue: "" - - name: egress_rules - description: List of egress rules. 
This will be ignored if variable 'rules' is non-empty + - name: subnets + description: The list of subnets being created + varType: |- + list(object({ + subnet_name = string + subnet_ip = string + subnet_region = string + subnet_private_access = optional(string) + subnet_private_ipv6_access = optional(string) + subnet_flow_logs = optional(string) + subnet_flow_logs_interval = optional(string) + subnet_flow_logs_sampling = optional(string) + subnet_flow_logs_metadata = optional(string) + subnet_flow_logs_filter = optional(string) + subnet_flow_logs_metadata_fields = optional(list(string)) + description = optional(string) + purpose = optional(string) + role = optional(string) + stack_type = optional(string) + ipv6_access_type = optional(string) + })) + required: true + - name: secondary_ranges + description: Secondary ranges that will be used in some of the subnets + varType: map(list(object({ range_name = string, ip_cidr_range = string }))) + defaultValue: {} + - name: routes + description: List of routes being created in this VPC + varType: list(map(string)) + defaultValue: [] + - name: firewall_rules + description: This is DEPRECATED and available for backward compatibility. Use ingress_rules and egress_rules variables. List of firewall rules varType: |- list(object({ name = string description = optional(string, null) + direction = optional(string, "INGRESS") disabled = optional(bool, null) priority = optional(number, null) - destination_ranges = optional(list(string), []) - source_ranges = optional(list(string), []) + ranges = optional(list(string), []) source_tags = optional(list(string)) source_service_accounts = optional(list(string)) target_tags = optional(list(string)) 
@@ -158,20 +192,32 @@ spec: })) })) defaultValue: [] - - name: enable_ipv6_ula - description: Enabled IPv6 ULA, this is a permanent change and cannot be undone! (default 'false') + - name: delete_default_internet_gateway_routes + description: If set, ensure that all routes within the network specified whose names begin with 'default-route' and with a next hop of 'default-internet-gateway' are deleted varType: bool defaultValue: false - - name: firewall_rules - description: This is DEPRECATED and available for backward compatibility. Use ingress_rules and egress_rules variables. List of firewall rules + - name: description + description: An optional description of this resource. The resource must be recreated to modify this field. + varType: string + defaultValue: "" + - name: auto_create_subnetworks + description: When set to true, the network is created in 'auto subnet mode' and it will create a subnet for each region automatically across the 10.128.0.0/9 address range. When set to false, the network is created in 'custom subnet mode' so the user can explicitly connect subnetwork resources. + varType: bool + defaultValue: false + - name: mtu + description: "The network MTU (If set to 0, meaning MTU is unset - defaults to '1460'). Recommended values: 1460 (default for historic reasons), 1500 (Internet default), or 8896 (for Jumbo packets). Allowed are all values in the range 1300 to 8896, inclusively." + varType: number + defaultValue: 0 + - name: ingress_rules + description: List of ingress rules. 
This will be ignored if variable 'rules' is non-empty varType: |- list(object({ name = string description = optional(string, null) - direction = optional(string, "INGRESS") disabled = optional(bool, null) priority = optional(number, null) - ranges = optional(list(string), []) + destination_ranges = optional(list(string), []) + source_ranges = optional(list(string), []) source_tags = optional(list(string)) source_service_accounts = optional(list(string)) target_tags = optional(list(string)) @@ -190,8 +236,8 @@ spec: })) })) defaultValue: [] - - name: ingress_rules - description: List of ingress rules. This will be ignored if variable 'rules' is non-empty + - name: egress_rules + description: List of egress rules. This will be ignored if variable 'rules' is non-empty varType: |- list(object({ name = string @@ -218,20 +264,16 @@ spec: })) })) defaultValue: [] + - name: enable_ipv6_ula + description: Enabled IPv6 ULA, this is a permanent change and cannot be undone! (default 'false') + varType: bool + defaultValue: false - name: internal_ipv6_range description: When enabling IPv6 ULA, optionally, specify a /48 from fd20::/20 (default null) varType: string - - name: mtu - description: "The network MTU (If set to 0, meaning MTU is unset - defaults to '1460'). Recommended values: 1460 (default for historic reasons), 1500 (Internet default), or 8896 (for Jumbo packets). Allowed are all values in the range 1300 to 8896, inclusively." - varType: number - defaultValue: 0 - name: network_firewall_policy_enforcement_order description: Set the order that Firewall Rules and Firewall Policies are evaluated. Valid values are `BEFORE_CLASSIC_FIREWALL` and `AFTER_CLASSIC_FIREWALL`. (default null or equivalent to `AFTER_CLASSIC_FIREWALL`) varType: string - - name: network_name - description: The name of the network being created - varType: string - required: true - name: network_profile description: | "A full or partial URL of the network profile to apply to this network. 
@@ -240,48 +282,17 @@ spec: * https://www.googleapis.com/compute/beta/projects/{projectId}/global/networkProfiles/{network_profile_name} * projects/{projectId}/global/networkProfiles/{network_profile_name} varType: string - - name: project_id - description: The ID of the project where this VPC will be created - varType: string - required: true - - name: routes - description: List of routes being created in this VPC - varType: list(map(string)) - defaultValue: [] - - name: routing_mode - description: The network routing mode (default 'GLOBAL') - varType: string - defaultValue: GLOBAL - - name: secondary_ranges - description: Secondary ranges that will be used in some of the subnets - varType: map(list(object({ range_name = string, ip_cidr_range = string }))) - defaultValue: {} - - name: shared_vpc_host - description: Makes this project a Shared VPC host if 'true' (default 'false') + - name: bgp_always_compare_med + description: If set to true, the Cloud Router will use MED values from the peer even if the AS paths differ. Default is false. varType: bool defaultValue: false - - name: subnets - description: The list of subnets being created - varType: |- - list(object({ - subnet_name = string - subnet_ip = string - subnet_region = string - subnet_private_access = optional(string) - subnet_private_ipv6_access = optional(string) - subnet_flow_logs = optional(string) - subnet_flow_logs_interval = optional(string) - subnet_flow_logs_sampling = optional(string) - subnet_flow_logs_metadata = optional(string) - subnet_flow_logs_filter = optional(string) - subnet_flow_logs_metadata_fields = optional(list(string)) - description = optional(string) - purpose = optional(string) - role = optional(string) - stack_type = optional(string) - ipv6_access_type = optional(string) - })) - required: true + - name: bgp_best_path_selection_mode + description: Specifies the BGP best path selection mode. Valid values are `STANDARD` or `LEGACY`. Default is `LEGACY`. 
+ varType: string + defaultValue: LEGACY + - name: bgp_inter_region_cost + description: Specifies the BGP inter-region cost mode. Valid values are `DEFAULT` or `ADD_COST_TO_MED`. + varType: string outputs: - name: network description: The created network @@ -342,6 +353,6 @@ spec: - iam.googleapis.com providerVersions: - source: hashicorp/google - version: ">= 4.64, < 7" + version: ">= 4.64, < 8" - source: hashicorp/google-beta - version: ">= 4.64, < 7" + version: ">= 4.64, < 8" diff --git a/modules/fabric-net-firewall/metadata.yaml b/modules/fabric-net-firewall/metadata.yaml index d24295df8..019418469 100644 --- a/modules/fabric-net-firewall/metadata.yaml +++ b/modules/fabric-net-firewall/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -90,32 +90,53 @@ spec: location: examples/submodule_vpc_serverless_connector interfaces: variables: - - name: admin_ranges - description: IP CIDR ranges that have complete access to all subnets. + - name: network + description: Name of the network this set of firewall rules applies to. + varType: string + required: true + - name: project_id + description: Project id of the project that holds the network. + varType: string + required: true + - name: internal_ranges_enabled + description: Create rules for intra-VPC ranges. + varType: bool + defaultValue: false + - name: internal_ranges + description: IP CIDR ranges for intra-VPC rules. varType: list(string) defaultValue: [] + - name: internal_target_tags + description: List of target tags for intra-VPC rules. + varType: list(string) + defaultValue: [] + - name: internal_allow + description: Allow rules for internal ranges. + varType: |- + list(object({ + protocol = string + ports = optional(list(string)) + })) + defaultValue: + - protocol: icmp - name: admin_ranges_enabled description: Enable admin ranges-based rules. varType: bool defaultValue: false - - name: custom_rules - description: List of custom rule definitions (refer to variables file for syntax). - varType: |- - map(object({ - description = string - direction = string - action = string # (allow|deny) - ranges = list(string) - sources = list(string) - targets = list(string) - use_service_accounts = bool - rules = list(object({ - protocol = string - ports = list(string) - })) - extra_attributes = map(string) - })) - defaultValue: {} + - name: admin_ranges + description: IP CIDR ranges that have complete access to all subnets. + varType: list(string) + defaultValue: [] + - name: ssh_source_ranges + description: List of IP CIDR ranges for tag-based SSH rule, defaults to 0.0.0.0/0. + varType: list(string) + defaultValue: + - 0.0.0.0/0 + - name: ssh_target_tags + description: List of target tags for tag-based SSH rule, defaults to ssh. 
+ varType: list(string) + defaultValue: + - ssh - name: http_source_ranges description: List of IP CIDR ranges for tag-based HTTP rule, defaults to 0.0.0.0/0. varType: list(string) @@ -136,45 +157,24 @@ spec: varType: list(string) defaultValue: - https-server - - name: internal_allow - description: Allow rules for internal ranges. + - name: custom_rules + description: List of custom rule definitions (refer to variables file for syntax). varType: |- - list(object({ - protocol = string - ports = optional(list(string)) + map(object({ + description = string + direction = string + action = string # (allow|deny) + ranges = list(string) + sources = list(string) + targets = list(string) + use_service_accounts = bool + rules = list(object({ + protocol = string + ports = list(string) + })) + extra_attributes = map(string) })) - defaultValue: - - protocol: icmp - - name: internal_ranges - description: IP CIDR ranges for intra-VPC rules. - varType: list(string) - defaultValue: [] - - name: internal_ranges_enabled - description: Create rules for intra-VPC ranges. - varType: bool - defaultValue: false - - name: internal_target_tags - description: List of target tags for intra-VPC rules. - varType: list(string) - defaultValue: [] - - name: network - description: Name of the network this set of firewall rules applies to. - varType: string - required: true - - name: project_id - description: Project id of the project that holds the network. - varType: string - required: true - - name: ssh_source_ranges - description: List of IP CIDR ranges for tag-based SSH rule, defaults to 0.0.0.0/0. - varType: list(string) - defaultValue: - - 0.0.0.0/0 - - name: ssh_target_tags - description: List of target tags for tag-based SSH rule, defaults to ssh. - varType: list(string) - defaultValue: - - ssh + defaultValue: {} outputs: - name: admin_ranges description: Admin ranges data. 
@@ -217,6 +217,4 @@ spec: - iam.googleapis.com providerVersions: - source: hashicorp/google - version: ">= 4.64, < 7" - - source: hashicorp/google-beta - version: ">= 4.64, < 7" + version: ">= 2.12, < 8" diff --git a/modules/fabric-net-svpc-access/metadata.yaml b/modules/fabric-net-svpc-access/metadata.yaml index 343506c8b..f30727ee6 100644 --- a/modules/fabric-net-svpc-access/metadata.yaml +++ b/modules/fabric-net-svpc-access/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -28,7 +28,7 @@ spec: version: 11.1.1 actuationTool: flavor: Terraform - version: ">= 0.13.0" + version: ">= 1.3" description: {} content: examples: @@ -94,12 +94,12 @@ spec: description: Project id of the shared VPC host project. varType: string required: true - - name: host_service_agent_role - description: Assign host service agent role to users in host_service_agent_users variable. - varType: bool - defaultValue: false - - name: host_service_agent_users - description: List of IAM-style users that will be granted the host service agent role on the host project. + - name: service_project_ids + description: Ids of the service projects that will be attached to the Shared VPC. + varType: list(string) + required: true + - name: host_subnets + description: List of subnet names on which to grant network user role. varType: list(string) defaultValue: [] - name: host_subnet_regions 
@@ -110,14 +110,14 @@ spec: description: Map of comma-delimited IAM-style members to which network user roles for subnets will be assigned. varType: map(any) defaultValue: {} - - name: host_subnets - description: List of subnet names on which to grant network user role. + - name: host_service_agent_role + description: Assign host service agent role to users in host_service_agent_users variable. + varType: bool + defaultValue: false + - name: host_service_agent_users + description: List of IAM-style users that will be granted the host service agent role on the host project. varType: list(string) defaultValue: [] - - name: service_project_ids - description: Ids of the service projects that will be attached to the Shared VPC. - varType: list(string) - required: true outputs: - name: service_projects description: Project ids of the services with access to all subnets. @@ -150,6 +150,6 @@ spec: - iam.googleapis.com providerVersions: - source: hashicorp/google - version: ">= 4.64, < 7" + version: ">= 2.12, < 8" - source: hashicorp/google-beta - version: ">= 4.64, < 7" + version: ">= 2.12, < 8" diff --git a/modules/firewall-rules/metadata.yaml b/modules/firewall-rules/metadata.yaml index 768e80ec9..4ebc92bad 100644 --- a/modules/firewall-rules/metadata.yaml +++ b/modules/firewall-rules/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -28,7 +28,7 @@ spec: version: 11.1.1 actuationTool: flavor: Terraform - version: ">= 1.3.0" + version: ">= 1.3" description: {} content: examples: 
@@ -90,16 +90,24 @@ spec: location: examples/submodule_vpc_serverless_connector interfaces: variables: - - name: egress_rules - description: List of egress rules. This will be ignored if variable 'rules' is non-empty + - name: project_id + description: Project id of the project that holds the network. + varType: string + required: true + - name: network_name + description: Name of the network this set of firewall rules applies to. + varType: string + required: true + - name: rules + description: This is DEPRECATED and available for backward compatibility. Use ingress_rules and egress_rules variables. List of custom rule definitions varType: |- list(object({ name = string description = optional(string, null) + direction = optional(string, "INGRESS") disabled = optional(bool, null) priority = optional(number, null) - destination_ranges = optional(list(string), []) - source_ranges = optional(list(string), []) + ranges = optional(list(string), []) source_tags = optional(list(string)) source_service_accounts = optional(list(string)) target_tags = optional(list(string)) 
@@ -146,24 +154,16 @@ spec: })) })) defaultValue: [] - - name: network_name - description: Name of the network this set of firewall rules applies to. - varType: string - required: true - - name: project_id - description: Project id of the project that holds the network. - varType: string - required: true - - name: rules - description: This is DEPRECATED and available for backward compatibility. Use ingress_rules and egress_rules variables. List of custom rule definitions + - name: egress_rules + description: List of egress rules. This will be ignored if variable 'rules' is non-empty varType: |- list(object({ name = string description = optional(string, null) - direction = optional(string, "INGRESS") disabled = optional(bool, null) priority = optional(number, null) - ranges = optional(list(string), []) + destination_ranges = optional(list(string), []) + source_ranges = optional(list(string), []) source_tags = optional(list(string)) source_service_accounts = optional(list(string)) target_tags = optional(list(string)) @@ -215,7 +215,5 @@ spec: - networkconnectivity.googleapis.com - iam.googleapis.com providerVersions: - - source: hashicorp/google-beta - version: ">= 4.64, < 7" - source: hashicorp/google - version: ">= 4.64, < 7" + version: ">= 3.33, < 8" diff --git a/modules/hierarchical-firewall-policy/metadata.yaml b/modules/hierarchical-firewall-policy/metadata.yaml index d012023df..8b0a54f75 100644 --- a/modules/hierarchical-firewall-policy/metadata.yaml +++ b/modules/hierarchical-firewall-policy/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -28,7 +28,7 @@ spec: version: 11.1.1 actuationTool: flavor: Terraform - version: ">= 1.3.0" + version: ">= 1.3" description: {} content: examples: 
@@ -90,9 +90,6 @@ spec: location: examples/submodule_vpc_serverless_connector interfaces: variables: - - name: description - description: An optional description of this resource. Provide this property when you create the resource - varType: string - name: parent_node description: The parent of the firewall policy. Parent should be in format organizations/ or folders/ varType: string @@ -101,6 +98,16 @@ spec: description: User-provided name of the hierarchical firewall policy varType: string required: true + - name: description + description: An optional description of this resource. Provide this property when you create the resource + varType: string + - name: target_folders + description: List of target folders IDs that the firewall policy will be attached to + varType: list(string) + defaultValue: [] + - name: target_org + description: Target org id that the firewall policy will be attached to + varType: string - name: rules description: List of Ingress/Egress rules varType: |- @@ -129,16 +136,12 @@ spec: ip_protocol = optional(string, "all") ports = optional(list(string), []) })), [{}]) + src_networks = optional(list(string), []) + src_network_scope = optional(string) + dest_network_scope = optional(string) }) })) defaultValue: [] - - name: target_folders - description: List of target folders IDs that the firewall policy will be attached to - varType: list(string) - defaultValue: [] - - name: target_org - description: Target org id that the firewall policy will be attached to - varType: string outputs: - name: fw_policy description: Firewall policy created @@ -175,6 +178,6 @@ spec: - iam.googleapis.com providerVersions: - source: hashicorp/google - version: ">= 6.18, < 7" + version: ">= 6.18, < 8" - source: hashicorp/google-beta - version: ">= 6.18, < 7" + version: ">= 6.18, < 8" diff --git a/modules/network-connectivity-center/README.md b/modules/network-connectivity-center/README.md index 83c19f412..d10be24ee 100644 
--- a/modules/network-connectivity-center/README.md +++ b/modules/network-connectivity-center/README.md @@ -9,7 +9,7 @@ Basic usage of this submodule is as follows: ```hcl module "ncc" { source = "terraform-google-modules/network/google//modules/network-connectivity-center" - version = "~> 11.1" + version = "~> 12.0" project_id = "" } @@ -27,6 +27,7 @@ An extensive example that also contains the creation and attachment of multiple | ncc\_hub\_description | The description of the NCC Hub | `string` | `null` | no | | ncc\_hub\_labels | These labels will be added the NCC hub | `map(string)` | `{}` | no | | ncc\_hub\_name | The Name of the NCC Hub | `string` | n/a | yes | +| producer\_vpc\_network\_spokes | Producer VPC network that is associated with the spoke. |
map(object({
network_name = string
peering = string
include_export_ranges = optional(list(string))
exclude_export_ranges = optional(list(string))
}))
| `{}` | no | | project\_id | Project ID of the project that holds the network. | `string` | n/a | yes | | router\_appliance\_spokes | Router appliance instances that are associated with the spoke. |
map(object({
instances = set(object({
virtual_machine = string
ip_address = string
}))
location = string
site_to_site_data_transfer = optional(bool, false)
description = optional(string)
labels = optional(map(string))
include_import_ranges = optional(list(string), [])
}))
| `{}` | no | | spoke\_labels | These labels will be added to all NCC spokes | `map(string)` | `{}` | no | @@ -38,6 +39,7 @@ An extensive example that also contains the creation and attachment of multiple |------|-------------| | hybrid\_spokes | All hybrid spoke objects | | ncc\_hub | The NCC Hub object | +| producer\_vpc\_network\_spoke | All producer network vpc spoke objects | | router\_appliance\_spokes | All router appliance spoke objects | | spokes | All spoke objects prefixed with the type of spoke (vpc, hybrid, appliance) | | vpc\_spokes | All vpc spoke objects | diff --git a/modules/network-connectivity-center/main.tf b/modules/network-connectivity-center/main.tf index a5bf784b6..8c67c750b 100644 --- a/modules/network-connectivity-center/main.tf +++ b/modules/network-connectivity-center/main.tf @@ -27,6 +27,10 @@ locals { for k, v in google_network_connectivity_spoke.router_appliance_spoke : k => v } + producer_vpc_network_spoke = { + for k, v in google_network_connectivity_spoke.producer_vpc_network_spoke : + k => v + } } resource "google_network_connectivity_hub" "hub" { @@ -54,6 +58,23 @@ resource "google_network_connectivity_spoke" "vpc_spoke" { } } +resource "google_network_connectivity_spoke" "producer_vpc_network_spoke" { + for_each = var.producer_vpc_network_spokes + project = var.project_id + name = each.key + location = "global" + description = each.value.description + hub = google_network_connectivity_hub.hub.id + labels = merge(var.spoke_labels, each.value.labels) + + linked_producer_vpc_network { + network = each.value.network_name + peering = each.value.peering + exclude_export_ranges = each.value.exclude_export_ranges + include_export_ranges = each.value.include_export_ranges + } +} + resource "google_network_connectivity_spoke" "hybrid_spoke" { for_each = var.hybrid_spokes project = var.project_id 
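Review bot: The new `producer_vpc_network_spoke` resource reads `each.value.description` and `each.value.labels`, but the `producer_vpc_network_spokes` object type declared in this patch's variables.tf hunk only has `network_name`, `peering`, `include_export_ranges` and `exclude_export_ranges`, so `terraform plan` should reject those two lines with an unsupported-attribute error as soon as the map has an entry. The fix belongs in the variables.tf hunk: add `description = optional(string)` and `labels = optional(map(string))` to the object type, mirroring `vpc_spokes`, or else drop the two attributes from the resource. The generated metadata.yaml and README entries for this variable would then need regenerating. Same finding applies to the variables.tf hunk; it is not repeated there.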
diff --git a/modules/network-connectivity-center/metadata.yaml b/modules/network-connectivity-center/metadata.yaml index ecab932f1..95aa50238 100644 --- a/modules/network-connectivity-center/metadata.yaml +++ b/modules/network-connectivity-center/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -28,7 +28,7 @@ spec: version: 11.1.1 actuationTool: flavor: Terraform - version: ">= 1.3.0" + version: ">= 1.3" description: {} content: examples: 
@@ -90,10 +90,46 @@ spec: location: examples/submodule_vpc_serverless_connector interfaces: variables: + - name: project_id + description: Project ID of the project that holds the network. + varType: string + required: true + - name: ncc_hub_name + description: The Name of the NCC Hub + varType: string + required: true + - name: ncc_hub_description + description: The description of the NCC Hub + varType: string + - name: ncc_hub_labels + description: These labels will be added the NCC hub + varType: map(string) + defaultValue: {} - name: export_psc description: Whether Private Service Connect transitivity is enabled for the hub varType: bool defaultValue: false + - name: vpc_spokes + description: VPC network that is associated with the spoke + varType: |- + map(object({ + uri = string + exclude_export_ranges = optional(set(string), []) + include_export_ranges = optional(set(string), []) + description = optional(string) + labels = optional(map(string)) + })) + defaultValue: {} + - name: producer_vpc_network_spokes + description: Producer VPC network that is associated with the spoke. + varType: |- + map(object({ + network_name = string + peering = string + include_export_ranges = optional(list(string)) + exclude_export_ranges = optional(list(string)) + })) + defaultValue: {} - name: hybrid_spokes description: VLAN attachments and VPN Tunnels that are associated with the spoke. Type must be one of `interconnect` and `vpn`. varType: |- 
@@ -104,23 +140,9 @@ spec: type = string description = optional(string) labels = optional(map(string)) + include_import_ranges = optional(list(string), []) })) defaultValue: {} - - name: ncc_hub_description - description: The description of the NCC Hub - varType: string - - name: ncc_hub_labels - description: These labels will be added the NCC hub - varType: map(string) - defaultValue: {} - - name: ncc_hub_name - description: The Name of the NCC Hub - varType: string - required: true - - name: project_id - description: Project ID of the project that holds the network. - varType: string - required: true - name: router_appliance_spokes description: Router appliance instances that are associated with the spoke. varType: |- @@ -133,28 +155,20 @@ spec: site_to_site_data_transfer = optional(bool, false) description = optional(string) labels = optional(map(string)) + include_import_ranges = optional(list(string), []) })) defaultValue: {} - name: spoke_labels description: These labels will be added to all NCC spokes varType: map(string) defaultValue: {} - - name: vpc_spokes - description: VPC network that is associated with the spoke - varType: |- - map(object({ - uri = string - exclude_export_ranges = optional(set(string), []) - include_export_ranges = optional(set(string), []) - description = optional(string) - labels = optional(map(string)) - })) - defaultValue: {} outputs: - name: hybrid_spokes description: All hybrid spoke objects - name: ncc_hub description: The NCC Hub object + - name: producer_vpc_network_spoke + description: All producer network vpc spoke objects - name: router_appliance_spokes description: All router appliance spoke objects - name: spokes @@ -189,7 +203,5 @@ spec: - networkconnectivity.googleapis.com - iam.googleapis.com providerVersions: - - source: hashicorp/google-beta - version: ">= 6.2, < 7" - source: hashicorp/google - version: ">= 6.2, < 7" + version: ">= 6.49, < 8" 
diff --git a/modules/network-connectivity-center/outputs.tf b/modules/network-connectivity-center/outputs.tf index 3b306adf9..a503ce074 100644 --- a/modules/network-connectivity-center/outputs.tf +++ b/modules/network-connectivity-center/outputs.tf @@ -24,6 +24,10 @@ output "vpc_spokes" { value = local.vpc_spokes } +output "producer_vpc_network_spoke" { + description = "All producer network vpc spoke objects" + value = local.producer_vpc_network_spoke +} output "hybrid_spokes" { description = "All hybrid spoke objects" diff --git a/modules/network-connectivity-center/variables.tf b/modules/network-connectivity-center/variables.tf index fc1a0e3ad..7f5433418 100644 --- a/modules/network-connectivity-center/variables.tf +++ b/modules/network-connectivity-center/variables.tf @@ -53,6 +53,17 @@ variable "vpc_spokes" { default = {} } +variable "producer_vpc_network_spokes" { + type = map(object({ + network_name = string + peering = string + include_export_ranges = optional(list(string)) + exclude_export_ranges = optional(list(string)) + })) + description = "Producer VPC network that is associated with the spoke." + default = {} +} + variable "hybrid_spokes" { description = "VLAN attachments and VPN Tunnels that are associated with the spoke. Type must be one of `interconnect` and `vpn`." type = map(object({ diff --git a/modules/network-firewall-policy/metadata.yaml b/modules/network-firewall-policy/metadata.yaml index 470237ee9..55e54fd59 100644 --- a/modules/network-firewall-policy/metadata.yaml +++ b/modules/network-firewall-policy/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -28,7 +28,7 @@ spec: version: 11.1.1 actuationTool: flavor: Terraform - version: ">= 1.3.0" + version: ">= 1.3" description: {} content: examples: 
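Review bot: The added output is named `producer_vpc_network_spoke` (singular) while every sibling output in this file is plural (`vpc_spokes`, `hybrid_spokes`, `router_appliance_spokes`) and the input it mirrors is `producer_vpc_network_spokes`; a rename now, in a major release where the output is new, costs nothing, whereas renaming later breaks consumers. Suggested: `output "producer_vpc_network_spokes" {`, keeping `value = local.producer_vpc_network_spoke` unless the local in main.tf is renamed alongside. The README and metadata.yaml rows for this output are generated and would follow from a regeneration.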
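Review bot: The `producer_vpc_network_spokes` variable description documents only the map's purpose; the `peering` attribute gets no explanation of what value it expects, and `network_name` feeds the provider's `linked_producer_vpc_network.network` field, which the provider documents as the URI of the consumer VPC rather than a bare name, so the attribute name may mislead callers (if a bare name is accepted through provider normalisation, the description should say so). Suggested: `description = "Producer VPC network spokes keyed by spoke name. network_name is the consumer VPC the producer is peered with, peering is the name of the VPC peering to the producer network, and the *_export_ranges lists are CIDRs included in or excluded from export to the hub."`. Separately, `include_export_ranges`/`exclude_export_ranges` are `optional(list(string))` with a null default whereas `vpc_spokes` uses `optional(set(string), [])`; aligning the two types keeps an omitted attribute behaving the same for both spoke kinds, presumably without changing the plan for callers that set them.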
@@ -90,20 +90,24 @@ spec: location: examples/submodule_vpc_serverless_connector interfaces: variables: - - name: description - description: An optional description of this resource. Provide this property when you create the resource + - name: project_id + description: Project ID of the Network firewall policy varType: string + required: true - name: policy_name description: User-provided name of the Network firewall policy varType: string required: true + - name: description + description: An optional description of this resource. Provide this property when you create the resource + varType: string + - name: target_vpcs + description: List of target VPC IDs that the firewall policy will be attached to + varType: list(string) + defaultValue: [] - name: policy_region description: Location of the firewall policy. Needed for regional firewall policies. Default is null (Global firewall policy) varType: string - - name: project_id - description: Project ID of the Network firewall policy - varType: string - required: true - name: rules description: List of Ingress/Egress rules varType: |- @@ -137,12 +141,11 @@ spec: is_mirroring = optional(bool, false) tls_inspect = optional(bool, false) security_profile_group_id = optional(string) + src_networks = optional(list(string), []) + src_network_scope = optional(string) + dest_network_scope = optional(string) })) defaultValue: [] - - name: target_vpcs - description: List of target VPC IDs that the firewall policy will be attached to - varType: list(string) - defaultValue: [] outputs: - name: fw_policy description: Firewall policy created @@ -178,7 +181,7 @@ spec: - networkconnectivity.googleapis.com - iam.googleapis.com providerVersions: - - source: hashicorp/google-beta - version: ">= 6.28, < 7" - source: hashicorp/google - version: ">= 6.28, < 7" + version: ">= 6.28, < 8" + - source: hashicorp/google-beta + version: ">= 6.28, < 8" 
diff --git a/modules/network-peering/metadata.yaml b/modules/network-peering/metadata.yaml index 182f7a642..d14902ed7 100644 --- a/modules/network-peering/metadata.yaml +++ b/modules/network-peering/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -28,7 +28,7 @@ spec: version: 11.1.1 actuationTool: flavor: Terraform - version: ">= 0.13.0" + version: ">= 1.3" description: {} content: examples: 
@@ -90,38 +90,38 @@ spec: location: examples/submodule_vpc_serverless_connector interfaces: variables: - - name: export_local_custom_routes - description: Export custom routes to peer network from local network. - varType: bool - defaultValue: false - - name: export_local_subnet_routes_with_public_ip - description: Export custom routes to peer network from local network (defaults to true; causes the Local Peering Connection to align with the [provider default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_network_peering#export_subnet_routes_with_public_ip), and the Remote Peering Connection to be opposite the provider default). - varType: bool - defaultValue: true + - name: prefix + description: Name prefix for the network peerings + varType: string + defaultValue: network-peering + - name: local_network + description: Resource link of the network to add a peering to. + varType: string + required: true + - name: peer_network + description: Resource link of the peer network. + varType: string + required: true - name: export_peer_custom_routes description: Export custom routes to local network from peer network. varType: bool defaultValue: false + - name: export_local_custom_routes + description: Export custom routes to peer network from local network. + varType: bool + defaultValue: false - name: export_peer_subnet_routes_with_public_ip description: Export custom routes to local network from peer network (defaults to false; causes the Local Peering Connection to align with the [provider default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_network_peering#import_subnet_routes_with_public_ip), and the Remote Peering Connection to be opposite the provider default). varType: bool defaultValue: false - - name: local_network - description: Resource link of the network to add a peering to. 
- varType: string - required: true + - name: export_local_subnet_routes_with_public_ip + description: Export custom routes to peer network from local network (defaults to true; causes the Local Peering Connection to align with the [provider default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_network_peering#export_subnet_routes_with_public_ip), and the Remote Peering Connection to be opposite the provider default). + varType: bool + defaultValue: true - name: module_depends_on description: List of modules or resources this module depends on. varType: list(any) defaultValue: [] - - name: peer_network - description: Resource link of the peer network. - varType: string - required: true - - name: prefix - description: Name prefix for the network peerings - varType: string - defaultValue: network-peering - name: stack_type description: "Which IP version(s) of traffic and routes are allowed to be imported or exported between peer networks. Possible values: [\"IPV4_ONLY\", \"IPV4_IPV6\"]." varType: string @@ -161,7 +161,11 @@ spec: - networkconnectivity.googleapis.com - iam.googleapis.com providerVersions: - - source: hashicorp/google-beta - version: ">= 4.64, < 7" - source: hashicorp/google - version: ">= 4.64, < 7" + version: ">= 4.65, < 8" + - source: hashicorp/google-beta + version: ">= 4.65, < 8" + - source: hashicorp/null + version: ">= 3.2" + - source: hashicorp/random + version: ">= 3.4" diff --git a/modules/private-service-connect/metadata.yaml b/modules/private-service-connect/metadata.yaml index 3496eaff7..cc7befbf3 100644 --- a/modules/private-service-connect/metadata.yaml +++ b/modules/private-service-connect/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -28,7 +28,7 @@ spec: version: 11.1.1 actuationTool: flavor: Terraform - version: ">= 0.13" + version: ">= 1.3" description: {} content: examples: 
@@ -90,44 +90,44 @@ spec: location: examples/submodule_vpc_serverless_connector interfaces: variables: - - name: dns_code - description: Code to identify DNS resources in the form of `{dns_code}-{dns_type}` - varType: string - defaultValue: dz - - name: forwarding_rule_name - description: Forwarding rule resource name. The forwarding rule name for PSC Google APIs must be an 1-20 characters string with lowercase letters and numbers and must start with a letter. Defaults to `globalrule` - varType: string - defaultValue: globalrule - - name: forwarding_rule_target - description: Target resource to receive the matched traffic. Only `all-apis` and `vpc-sc` are valid. + - name: project_id + description: Project ID for Private Service Connect. varType: string required: true - name: network_self_link description: Network self link for Private Service Connect. varType: string required: true - - name: private_service_connect_ip - description: The internal IP to be used for the private service connect. + - name: dns_code + description: Code to identify DNS resources in the form of `{dns_code}-{dns_type}` varType: string - required: true + defaultValue: dz - name: private_service_connect_name description: Private Service Connect endpoint name. Defaults to `global-psconnect-ip` varType: string defaultValue: global-psconnect-ip - - name: project_id - description: Project ID for Private Service Connect. + - name: private_service_connect_ip + description: The internal IP to be used for the private service connect. + varType: string + required: true + - name: forwarding_rule_name + description: Forwarding rule resource name. The forwarding rule name for PSC Google APIs must be an 1-20 characters string with lowercase letters and numbers and must start with a letter. Defaults to `globalrule` + varType: string + defaultValue: globalrule + - name: forwarding_rule_target + description: Target resource to receive the matched traffic. Only `all-apis` and `vpc-sc` are valid. 
varType: string required: true - - name: psc_global_access - description: This is used in PSC consumer ForwardingRule to control whether the PSC endpoint can be accessed from another region. Defaults to `false` - varType: bool - defaultValue: false - name: service_directory_namespace description: Service Directory namespace to register the forwarding rule under. varType: string - name: service_directory_region description: Service Directory region to register this global forwarding rule under. Defaults to `us-central1` if not defined. varType: string + - name: psc_global_access + description: This is used in PSC consumer ForwardingRule to control whether the PSC endpoint can be accessed from another region. Defaults to `false` + varType: bool + defaultValue: false outputs: - name: dns_zone_gcr_name description: Name for Managed DNS zone for GCR @@ -174,6 +174,6 @@ spec: - iam.googleapis.com providerVersions: - source: hashicorp/google - version: ">= 4.64, < 7" + version: ">= 5.8, < 8" - source: hashicorp/google-beta - version: ">= 4.64, < 7" + version: ">= 5.8, < 8" diff --git a/modules/routes-beta/metadata.yaml b/modules/routes-beta/metadata.yaml index a8b34835c..b338cfc1f 100644 --- a/modules/routes-beta/metadata.yaml +++ b/modules/routes-beta/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -28,7 +28,7 @@ spec: version: 11.1.1 actuationTool: flavor: Terraform - version: ">= 0.13.0" + version: ">= 1.3" description: {} content: examples: 
@@ -90,18 +90,14 @@ spec: location: examples/submodule_vpc_serverless_connector interfaces: variables: - - name: module_depends_on - description: List of modules or resources this module depends on. - varType: list(any) - defaultValue: [] - - name: network_name - description: The name of the network where routes will be created - varType: string - required: true - name: project_id description: The ID of the project where the routes will be created varType: string required: true + - name: network_name + description: The name of the network where routes will be created + varType: string + required: true - name: routes description: List of routes being created in this VPC varType: list(map(string)) @@ -110,6 +106,10 @@ spec: description: Amount of routes being created in this VPC varType: number defaultValue: 0 + - name: module_depends_on + description: List of modules or resources this module depends on. + varType: list(any) + defaultValue: [] outputs: - name: routes description: The created routes resources @@ -141,7 +141,5 @@ spec: - networkconnectivity.googleapis.com - iam.googleapis.com providerVersions: - - source: hashicorp/google - version: ">= 4.64, < 7" - source: hashicorp/google-beta - version: ">= 4.64, < 7" + version: ">= 3.0, < 8" diff --git a/modules/routes/metadata.yaml b/modules/routes/metadata.yaml index b2fc90373..54c0403b6 100644 --- a/modules/routes/metadata.yaml +++ b/modules/routes/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -28,7 +28,7 @@ spec: version: 11.1.1 actuationTool: flavor: Terraform - version: ">= 0.13.0" + version: ">= 1.3" description: {} content: examples: 
@@ -90,22 +90,22 @@ spec: location: examples/submodule_vpc_serverless_connector interfaces: variables: - - name: module_depends_on - description: List of modules or resources this module depends on. - varType: list(any) - defaultValue: [] - - name: network_name - description: The name of the network where routes will be created - varType: string - required: true - name: project_id description: The ID of the project where the routes will be created varType: string required: true + - name: network_name + description: The name of the network where routes will be created + varType: string + required: true - name: routes description: List of routes being created in this VPC varType: list(map(string)) defaultValue: [] + - name: module_depends_on + description: List of modules or resources this module depends on. + varType: list(any) + defaultValue: [] outputs: - name: routes description: The created routes resources @@ -138,6 +138,4 @@ spec: - iam.googleapis.com providerVersions: - source: hashicorp/google - version: ">= 4.64, < 7" - - source: hashicorp/google-beta - version: ">= 4.64, < 7" + version: ">= 3.83, < 8" diff --git a/modules/subnets-beta/metadata.yaml b/modules/subnets-beta/metadata.yaml index 3d6bbeeba..b0a0e7fb5 100644 --- a/modules/subnets-beta/metadata.yaml +++ b/modules/subnets-beta/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -28,7 +28,7 @@ spec: version: 11.1.1 actuationTool: flavor: Terraform - version: ">= 0.13.0" + version: ">= 1.3" description: {} content: examples: 
@@ -90,22 +90,14 @@ spec: location: examples/submodule_vpc_serverless_connector interfaces: variables: - - name: module_depends_on - description: List of modules or resources this module depends on. - varType: list(any) - defaultValue: [] - - name: network_name - description: The name of the network where subnets will be created - varType: string - required: true - name: project_id description: The ID of the project where subnets will be created varType: string required: true - - name: secondary_ranges - description: Secondary ranges that will be used in some of the subnets - varType: map(list(object({ range_name = string, ip_cidr_range = string }))) - defaultValue: {} + - name: network_name + description: The name of the network where subnets will be created + varType: string + required: true - name: subnets description: The list of subnets being created varType: |- @@ -128,6 +120,14 @@ spec: ipv6_access_type = optional(string) })) required: true + - name: secondary_ranges + description: Secondary ranges that will be used in some of the subnets + varType: map(list(object({ range_name = string, ip_cidr_range = string }))) + defaultValue: {} + - name: module_depends_on + description: List of modules or resources this module depends on. + varType: list(any) + defaultValue: [] outputs: - name: subnets description: The created subnet resources @@ -160,6 +160,4 @@ spec: - iam.googleapis.com providerVersions: - source: hashicorp/google-beta - version: ">= 4.64, < 7" - - source: hashicorp/google - version: ">= 4.64, < 7" + version: ">= 2.19, < 8" diff --git a/modules/subnets/metadata.yaml b/modules/subnets/metadata.yaml index 2489730c0..f30bda711 100644 --- a/modules/subnets/metadata.yaml +++ b/modules/subnets/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -90,18 +90,14 @@ spec: location: examples/submodule_vpc_serverless_connector interfaces: variables: - - name: network_name - description: The name of the network where subnets will be created - varType: string - required: true - name: project_id description: The ID of the project where subnets will be created varType: string required: true - - name: secondary_ranges - description: Secondary ranges that will be used in some of the subnets - varType: map(list(object({ range_name = string, ip_cidr_range = string }))) - defaultValue: {} + - name: network_name + description: The name of the network where subnets will be created + varType: string + required: true - name: subnets description: The list of subnets being created varType: |- @@ -124,6 +120,10 @@ spec: ipv6_access_type = optional(string) })) required: true + - name: secondary_ranges + description: Secondary ranges that will be used in some of the subnets + varType: map(list(object({ range_name = string, ip_cidr_range = string }))) + defaultValue: {} outputs: - name: subnets description: The created subnet resources @@ -156,6 +156,4 @@ spec: - iam.googleapis.com providerVersions: - source: hashicorp/google - version: ">= 4.64, < 7" - - source: hashicorp/google-beta - version: ">= 4.64, < 7" + version: ">= 4.25.0, < 8" diff --git a/modules/vpc-serverless-connector-beta/metadata.yaml b/modules/vpc-serverless-connector-beta/metadata.yaml index 3a563ae6c..2903d7467 100644 --- a/modules/vpc-serverless-connector-beta/metadata.yaml +++ b/modules/vpc-serverless-connector-beta/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -141,7 +141,5 @@ spec: - networkconnectivity.googleapis.com - iam.googleapis.com providerVersions: - - source: hashicorp/google - version: ">= 4.64, < 7" - source: hashicorp/google-beta - version: ">= 4.64, < 7" + version: ">= 3.62, < 8" diff --git a/modules/vpc/metadata.yaml b/modules/vpc/metadata.yaml index 81dbe3698..38016829a 100644 --- a/modules/vpc/metadata.yaml +++ b/modules/vpc/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -90,6 +90,26 @@ spec: location: examples/submodule_vpc_serverless_connector interfaces: variables: + - name: project_id + description: The ID of the project where this VPC will be created + varType: string + required: true + - name: network_name + description: The name of the network being created + varType: string + required: true + - name: routing_mode + description: The network routing mode (default 'GLOBAL') + varType: string + defaultValue: GLOBAL + - name: shared_vpc_host + description: Makes this project a Shared VPC host if 'true' (default 'false') + varType: bool + defaultValue: false + - name: description + description: An optional description of this resource. The resource must be recreated to modify this field. + varType: string + defaultValue: "" - name: auto_create_subnetworks description: When set to true, the network is created in 'auto subnet mode' and it will create a subnet for each region automatically across the 10.128.0.0/9 address range. When set to false, the network is created in 'custom subnet mode' so the user can explicitly connect subnetwork resources. varType: bool 
@@ -98,10 +118,10 @@ spec: description: If set, ensure that all routes within the network specified whose names begin with 'default-route' and with a next hop of 'default-internet-gateway' are deleted varType: bool defaultValue: false - - name: description - description: An optional description of this resource. The resource must be recreated to modify this field. - varType: string - defaultValue: "" + - name: mtu + description: "The network MTU (If set to 0, meaning MTU is unset - defaults to '1460'). Recommended values: 1460 (default for historic reasons), 1500 (Internet default), or 8896 (for Jumbo packets). Allowed are all values in the range 1300 to 8896, inclusively." + varType: number + defaultValue: 0 - name: enable_ipv6_ula description: Enabled IPv6 ULA, this is a permanent change and cannot be undone! (default 'false') varType: bool @@ -109,17 +129,9 @@ spec: - name: internal_ipv6_range description: When enabling IPv6 ULA, optionally, specify a /48 from fd20::/20 (default null) varType: string - - name: mtu - description: "The network MTU (If set to 0, meaning MTU is unset - defaults to '1460'). Recommended values: 1460 (default for historic reasons), 1500 (Internet default), or 8896 (for Jumbo packets). Allowed are all values in the range 1300 to 8896, inclusively." - varType: number - defaultValue: 0 - name: network_firewall_policy_enforcement_order description: Set the order that Firewall Rules and Firewall Policies are evaluated. Valid values are `BEFORE_CLASSIC_FIREWALL` and `AFTER_CLASSIC_FIREWALL`. (default null or equivalent to `AFTER_CLASSIC_FIREWALL`) varType: string - - name: network_name - description: The name of the network being created - varType: string - required: true - name: network_profile description: | "A full or partial URL of the network profile to apply to this network. 
@@ -128,18 +140,17 @@ spec: * https://www.googleapis.com/compute/beta/projects/{projectId}/global/networkProfiles/{network_profile_name} * projects/{projectId}/global/networkProfiles/{network_profile_name} varType: string - - name: project_id - description: The ID of the project where this VPC will be created - varType: string - required: true - - name: routing_mode - description: The network routing mode (default 'GLOBAL') - varType: string - defaultValue: GLOBAL - - name: shared_vpc_host - description: Makes this project a Shared VPC host if 'true' (default 'false') + - name: bgp_always_compare_med + description: If set to true, the Cloud Router will use MED values from the peer even if the AS paths differ. Default is false. varType: bool defaultValue: false + - name: bgp_best_path_selection_mode + description: Specifies the BGP best path selection mode. Valid values are `STANDARD` or `LEGACY`. Default is `LEGACY`. + varType: string + defaultValue: LEGACY + - name: bgp_inter_region_cost + description: Specifies the BGP inter-region cost mode. Valid values are `DEFAULT` or `ADD_COST_TO_MED`. + varType: string outputs: - name: network description: The VPC resource being created @@ -180,6 +191,6 @@ spec: - iam.googleapis.com providerVersions: - source: hashicorp/google - version: ">= 6.19, < 7" + version: ">= 6.19, < 8" - source: hashicorp/google-beta - version: ">= 6.19, < 7" + version: ">= 6.19, < 8" From 0748f88b40ffab399e065184c3c422284a930e5b Mon Sep 17 00:00:00 2001 
From: Imran Nayer Date: Tue, 2 Sep 2025 23:28:48 +0000 Subject: [PATCH 2/3] updated --- examples/network_connectivity_center/main.tf | 49 ++++++++++++++++++- .../network_connectivity_center/versions.tf | 4 +- metadata.yaml | 1 + modules/fabric-net-firewall/metadata.yaml | 1 + modules/fabric-net-svpc-access/metadata.yaml | 1 + modules/firewall-rules/metadata.yaml | 1 + .../metadata.yaml | 1 + modules/network-connectivity-center/README.md | 3 +- modules/network-connectivity-center/main.tf | 5 +- .../network-connectivity-center/metadata.yaml | 22 ++++----- .../network-connectivity-center/outputs.tf | 4 ++ .../network-connectivity-center/variables.tf | 31 +++++++----- modules/network-firewall-policy/metadata.yaml | 1 + modules/network-peering/metadata.yaml | 1 + modules/private-service-connect/metadata.yaml | 1 + modules/routes-beta/metadata.yaml | 1 + modules/routes/metadata.yaml | 1 + modules/subnets-beta/metadata.yaml | 1 + modules/subnets/metadata.yaml | 1 + .../metadata.yaml | 1 + modules/vpc/metadata.yaml | 1 + test/setup/main.tf | 1 + 22 files changed, 103 insertions(+), 30 deletions(-) diff --git a/examples/network_connectivity_center/main.tf b/examples/network_connectivity_center/main.tf index bd6ab21d9..fe9fe051d 100644 --- a/examples/network_connectivity_center/main.tf +++ b/examples/network_connectivity_center/main.tf @@ -15,8 +15,9 @@ */ module "network_connectivity_center" { - source = "terraform-google-modules/network/google//modules/network-connectivity-center" - version = "~> 12.0" + # source = "terraform-google-modules/network/google//modules/network-connectivity-center" + # version = "~> 12.0" + source = "../../modules/network-connectivity-center" project_id = var.project_id ncc_hub_name = var.ncc_hub_name @@ -26,6 +27,7 @@ module "network_connectivity_center" { spoke_labels = { "created-by" = "terraform-google-ncc-example" } + vpc_spokes = { "vpc-1" = { uri = module.vpc_spoke_vpc.network_id 
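Review bot: The registry `source`/`version` lines are left in as comments and replaced by a relative `source = "../../modules/network-connectivity-center"`, so anyone copying the example gets a path that only resolves inside this repository, and the commented lines will drift from the real version. If the relative source is only needed until v12.0 is published, a single comment such as `# TODO: restore the registry source once v12.0 is released` on the relative line says that without keeping dead settings; otherwise the registry form should stay. The module block continues past the end of the hunk.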
@@ -33,7 +35,25 @@ module "network_connectivity_center" {
 "spoke-type" = "vpc"
 }
 }
+ "producer-conn" = {
+ uri = google_compute_network.producer_connected_network.id
+ labels = {
+ "spoke-type" = "producer-connected"
+ }
+ link_producer_vpc_network = {
+ network_name = google_compute_network.producer_connected_network.name
+ peering = google_service_networking_connection.producer_connected_network_peering.peering
+ labels = {
+ "spoke-type" = "linked-producer"
+ }
+ exclude_export_ranges = [
+ "198.51.100.0/24",
+ "10.10.0.0/16"
+ ]
+ }
+ }
 }
+
 hybrid_spokes = {
 "vpn-1" = {
 type = "vpn"
@@ -247,3 +267,28 @@ resource "google_compute_instance" "router_appliance_1" {
 }
 }
 }
+
+################################
+# Producer VPC Spoke #
+################################
+resource "google_compute_network" "producer_connected_network" {
+ name = "producer-connected-network"
+ project = var.project_id
+ auto_create_subnetworks = false
+}
+
+resource "google_compute_global_address" "producer_connected_network_psa_ip" {
+ name = "producer-connected-network-psa"
+ project = var.project_id
+ purpose = "VPC_PEERING"
+ address_type = "INTERNAL"
+ prefix_length = 16
+ network = google_compute_network.producer_connected_network.id
+}
+
+resource "google_service_networking_connection" "producer_connected_network_peering" {
+ network = google_compute_network.producer_connected_network.id
+ service = "servicenetworking.googleapis.com"
+ deletion_policy = "ABANDON"
+ reserved_peering_ranges = [google_compute_global_address.producer_connected_network_psa_ip.name]
+}
diff --git a/examples/network_connectivity_center/versions.tf b/examples/network_connectivity_center/versions.tf
index 5ebf93932..8aedf1350 100644
--- a/examples/network_connectivity_center/versions.tf
+++ b/examples/network_connectivity_center/versions.tf
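Review bot: `exclude_export_ranges` on the linked producer network lists `198.51.100.0/24` and `10.10.0.0/16`, neither of which is referenced anywhere else in the example, so a reader cannot tell whether they are placeholders or ranges that genuinely must not reach the hub; a comment such as `# documentation ranges standing in for producer prefixes that must not be advertised to other spokes` would make the intent clear. As far as the variable types show, nothing else limits what the producer network advertises once linked, so the example is also the natural place to show `include_export_ranges` narrowed to the reserved PSA range. The `module` block continues beyond the hunk on both sides.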
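Review bot: `deletion_policy = "ABANDON"` on `google_service_networking_connection.producer_connected_network_peering` means `terraform destroy` drops the resource from state but leaves the service networking peering in place, so an example that CI applies and tears down will accumulate orphaned peerings and their reserved ranges in the test project unless deleting the VPC removes them. If the setting is there because the connection cannot be deleted while the linked producer spoke still exists, a comment next to it saying so (and an ordering that removes the spoke first) lets the next maintainer keep or drop it deliberately; if it was only a development workaround, the provider default is the safer choice for an example.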
@@ -15,12 +15,12 @@ */ terraform { - required_version = ">=0.13.0" + required_version = ">=1.3.0" required_providers { google = { source = "hashicorp/google" - version = ">= 5.40.0" + version = ">= 6.49" } } diff --git a/metadata.yaml b/metadata.yaml index e1e2e07f5..7cc6d2007 100644 --- a/metadata.yaml +++ b/metadata.yaml @@ -351,6 +351,7 @@ spec: - networksecurity.googleapis.com - networkconnectivity.googleapis.com - iam.googleapis.com + - servicenetworking.googleapis.com providerVersions: - source: hashicorp/google version: ">= 4.64, < 8" diff --git a/modules/fabric-net-firewall/metadata.yaml b/modules/fabric-net-firewall/metadata.yaml index 019418469..9f2701417 100644 --- a/modules/fabric-net-firewall/metadata.yaml +++ b/modules/fabric-net-firewall/metadata.yaml @@ -215,6 +215,7 @@ spec: - networksecurity.googleapis.com - networkconnectivity.googleapis.com - iam.googleapis.com + - servicenetworking.googleapis.com providerVersions: - source: hashicorp/google version: ">= 2.12, < 8" diff --git a/modules/fabric-net-svpc-access/metadata.yaml b/modules/fabric-net-svpc-access/metadata.yaml index f30727ee6..d4e1057a2 100644 --- a/modules/fabric-net-svpc-access/metadata.yaml +++ b/modules/fabric-net-svpc-access/metadata.yaml @@ -148,6 +148,7 @@ spec: - networksecurity.googleapis.com - networkconnectivity.googleapis.com - iam.googleapis.com + - servicenetworking.googleapis.com providerVersions: - source: hashicorp/google version: ">= 2.12, < 8" diff --git a/modules/firewall-rules/metadata.yaml b/modules/firewall-rules/metadata.yaml index 4ebc92bad..52f0a84fa 100644 --- a/modules/firewall-rules/metadata.yaml +++ b/modules/firewall-rules/metadata.yaml @@ -214,6 +214,7 @@ spec: - networksecurity.googleapis.com - networkconnectivity.googleapis.com - iam.googleapis.com + - servicenetworking.googleapis.com providerVersions: - source: hashicorp/google version: ">= 3.33, < 8" 
diff --git a/modules/hierarchical-firewall-policy/metadata.yaml b/modules/hierarchical-firewall-policy/metadata.yaml index 8b0a54f75..9a27b33f0 100644 --- a/modules/hierarchical-firewall-policy/metadata.yaml +++ b/modules/hierarchical-firewall-policy/metadata.yaml @@ -176,6 +176,7 @@ spec: - networksecurity.googleapis.com - networkconnectivity.googleapis.com - iam.googleapis.com + - servicenetworking.googleapis.com providerVersions: - source: hashicorp/google version: ">= 6.18, < 8" diff --git a/modules/network-connectivity-center/README.md b/modules/network-connectivity-center/README.md index d10be24ee..423372080 100644 --- a/modules/network-connectivity-center/README.md +++ b/modules/network-connectivity-center/README.md @@ -27,11 +27,10 @@ An extensive example that also contains the creation and attachment of multiple | ncc\_hub\_description | The description of the NCC Hub | `string` | `null` | no | | ncc\_hub\_labels | These labels will be added the NCC hub | `map(string)` | `{}` | no | | ncc\_hub\_name | The Name of the NCC Hub | `string` | n/a | yes | -| producer\_vpc\_network\_spokes | Producer VPC network that is associated with the spoke. |
map(object({
network_name = string
peering = string
include_export_ranges = optional(list(string))
exclude_export_ranges = optional(list(string))
}))
| `{}` | no | | project\_id | Project ID of the project that holds the network. | `string` | n/a | yes | | router\_appliance\_spokes | Router appliance instances that are associated with the spoke. |
map(object({
instances = set(object({
virtual_machine = string
ip_address = string
}))
location = string
site_to_site_data_transfer = optional(bool, false)
description = optional(string)
labels = optional(map(string))
include_import_ranges = optional(list(string), [])
}))
| `{}` | no | | spoke\_labels | These labels will be added to all NCC spokes | `map(string)` | `{}` | no | -| vpc\_spokes | VPC network that is associated with the spoke |
map(object({
uri = string
exclude_export_ranges = optional(set(string), [])
include_export_ranges = optional(set(string), [])
description = optional(string)
labels = optional(map(string))
}))
| `{}` | no | +| vpc\_spokes | VPC network that is associated with the spoke. link\_producer\_vpc\_network: Producer VPC network that is peered with vpc network |
map(object({
uri = string
exclude_export_ranges = optional(set(string), [])
include_export_ranges = optional(set(string), [])
description = optional(string)
labels = optional(map(string))

link_producer_vpc_network = optional(object({
network_name = string
peering = string
include_export_ranges = optional(list(string))
exclude_export_ranges = optional(list(string))
description = optional(string)
labels = optional(map(string))
}))
}))
| `{}` | no | ## Outputs diff --git a/modules/network-connectivity-center/main.tf b/modules/network-connectivity-center/main.tf index 8c67c750b..e7c0d835c 100644 --- a/modules/network-connectivity-center/main.tf +++ b/modules/network-connectivity-center/main.tf @@ -59,9 +59,9 @@ resource "google_network_connectivity_spoke" "vpc_spoke" { } resource "google_network_connectivity_spoke" "producer_vpc_network_spoke" { - for_each = var.producer_vpc_network_spokes + for_each = { for x, y in var.vpc_spokes : x => y.link_producer_vpc_network if y.link_producer_vpc_network != null } project = var.project_id - name = each.key + name = "${each.key}-linked-spoke" location = "global" description = each.value.description hub = google_network_connectivity_hub.hub.id @@ -73,6 +73,7 @@ resource "google_network_connectivity_spoke" "producer_vpc_network_spoke" { exclude_export_ranges = each.value.exclude_export_ranges include_export_ranges = each.value.include_export_ranges } + depends_on = [google_network_connectivity_spoke.vpc_spoke] } resource "google_network_connectivity_spoke" "hybrid_spoke" { diff --git a/modules/network-connectivity-center/metadata.yaml b/modules/network-connectivity-center/metadata.yaml index 95aa50238..52955359b 100644 --- a/modules/network-connectivity-center/metadata.yaml +++ b/modules/network-connectivity-center/metadata.yaml @@ -110,7 +110,7 @@ spec: varType: bool defaultValue: false - name: vpc_spokes - description: VPC network that is associated with the spoke + description: "VPC network that is associated with the spoke. link_producer_vpc_network: Producer VPC network that is peered with vpc network" varType: |- map(object({ uri = string 
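Review bot: `depends_on = [google_network_connectivity_spoke.vpc_spoke]` makes every linked producer spoke wait for all consumer VPC spokes with no comment on why, and it serialises creation even for spokes that carry no producer link; presumably the hub must already hold the consumer VPC spoke before its producer network can be linked, in which case `hub = google_network_connectivity_spoke.vpc_spoke[each.key].hub` expresses that per instance and the blanket `depends_on` can go, with a comment such as `# the consumer VPC spoke must exist before its producer network is linked — confirm against the API` either way. `name = "${each.key}-linked-spoke"` also appends 13 characters to a caller-chosen key, so a key that is valid for the VPC spoke can exceed the spoke name length limit here; the variable description should mention the derived name. The body of `producer_vpc_network_spoke` between the two hunks is not shown.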
@@ -118,16 +118,15 @@ spec: include_export_ranges = optional(set(string), []) description = optional(string) labels = optional(map(string)) - })) - defaultValue: {} - - name: producer_vpc_network_spokes - description: Producer VPC network that is associated with the spoke. - varType: |- - map(object({ - network_name = string - peering = string - include_export_ranges = optional(list(string)) - exclude_export_ranges = optional(list(string)) + + link_producer_vpc_network = optional(object({ + network_name = string + peering = string + include_export_ranges = optional(list(string)) + exclude_export_ranges = optional(list(string)) + description = optional(string) + labels = optional(map(string)) + })) })) defaultValue: {} - name: hybrid_spokes @@ -202,6 +201,7 @@ spec: - networksecurity.googleapis.com - networkconnectivity.googleapis.com - iam.googleapis.com + - servicenetworking.googleapis.com providerVersions: - source: hashicorp/google version: ">= 6.49, < 8" diff --git a/modules/network-connectivity-center/outputs.tf b/modules/network-connectivity-center/outputs.tf index a503ce074..d90245b9d 100644 --- a/modules/network-connectivity-center/outputs.tf +++ b/modules/network-connectivity-center/outputs.tf @@ -54,5 +54,9 @@ output "spokes" { for k, v in local.router_appliance_spokes : "appliance/${k}" => v }, + { + for k, v in local.producer_vpc_network_spoke : + "producer-vpc/${k}" => v + }, ]) } diff --git a/modules/network-connectivity-center/variables.tf b/modules/network-connectivity-center/variables.tf index 7f5433418..cf860950f 100644 --- a/modules/network-connectivity-center/variables.tf +++ b/modules/network-connectivity-center/variables.tf 
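Review bot: The new merge entry in `output "spokes"` reads `local.producer_vpc_network_spoke`, which no main.tf hunk in this patch defines, so it presumably pre-exists; its singular name diverges from the neighbouring `local.router_appliance_spokes` and would be clearer as `local.producer_vpc_network_spokes` if that local is touched. Because the resource's `for_each` now iterates the `vpc_spokes` map, the output key `"producer-vpc/${k}"` is the parent VPC spoke key rather than the old producer-spoke key, so callers indexing `spokes["producer-vpc/<name>"]` see a different key after upgrade; a short comment on the entry, e.g. `# keyed by the parent vpc_spokes key, not a separate producer spoke name`, and a line in the upgrade notes would avoid surprises. The `output "spokes"` block starts before this hunk.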
@@ -42,27 +42,36 @@ variable "export_psc" { } variable "vpc_spokes" { - description = "VPC network that is associated with the spoke" + description = "VPC network that is associated with the spoke. link_producer_vpc_network: Producer VPC network that is peered with vpc network" type = map(object({ uri = string exclude_export_ranges = optional(set(string), []) include_export_ranges = optional(set(string), []) description = optional(string) labels = optional(map(string)) + + link_producer_vpc_network = optional(object({ + network_name = string + peering = string + include_export_ranges = optional(list(string)) + exclude_export_ranges = optional(list(string)) + description = optional(string) + labels = optional(map(string)) + })) })) default = {} } -variable "producer_vpc_network_spokes" { - type = map(object({ - network_name = string - peering = string - include_export_ranges = optional(list(string)) - exclude_export_ranges = optional(list(string)) - })) - description = "Producer VPC network that is associated with the spoke." - default = {} -} +# variable "producer_vpc_network_spokes" { +# type = map(object({ +# network_name = string +# peering = string +# include_export_ranges = optional(list(string)) +# exclude_export_ranges = optional(list(string)) +# })) +# description = "Producer VPC network that is associated with the spoke." +# default = {} +# } variable "hybrid_spokes" { description = "VLAN attachments and VPN Tunnels that are associated with the spoke. Type must be one of `interconnect` and `vpn`." diff --git a/modules/network-firewall-policy/metadata.yaml b/modules/network-firewall-policy/metadata.yaml index 55e54fd59..0863226f6 100644 --- a/modules/network-firewall-policy/metadata.yaml +++ b/modules/network-firewall-policy/metadata.yaml @@ -180,6 +180,7 @@ spec: - networksecurity.googleapis.com - networkconnectivity.googleapis.com - iam.googleapis.com + - servicenetworking.googleapis.com providerVersions: - source: hashicorp/google version: ">= 6.28, < 8" 
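Review bot: The removed `producer_vpc_network_spokes` variable is left behind as a commented-out block instead of being deleted; commented-out schema drifts from the live definition and the rename is already a breaking change, so drop the block and record the replacement path (`vpc_spokes.<key>.link_producer_vpc_network`) in the v12 upgrade notes. Inside the new `link_producer_vpc_network` object, `include_export_ranges`/`exclude_export_ranges` are `optional(list(string))` with no default, while the enclosing object declares the same attributes as `optional(set(string), [])`; unless the producer spoke resource needs ordered lists, aligning them to `optional(set(string), [])` keeps one convention and avoids duplicate entries. The description should also say what `network_name` and `peering` refer to (the producer network and, presumably, the name of the VPC peering towards it — confirm), since this variable is the only user-facing documentation of the nested object.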
diff --git a/modules/network-peering/metadata.yaml b/modules/network-peering/metadata.yaml index d14902ed7..34692194f 100644 --- a/modules/network-peering/metadata.yaml +++ b/modules/network-peering/metadata.yaml @@ -160,6 +160,7 @@ spec: - networksecurity.googleapis.com - networkconnectivity.googleapis.com - iam.googleapis.com + - servicenetworking.googleapis.com providerVersions: - source: hashicorp/google version: ">= 4.65, < 8" diff --git a/modules/private-service-connect/metadata.yaml b/modules/private-service-connect/metadata.yaml index cc7befbf3..ce1ee65bb 100644 --- a/modules/private-service-connect/metadata.yaml +++ b/modules/private-service-connect/metadata.yaml @@ -172,6 +172,7 @@ spec: - networksecurity.googleapis.com - networkconnectivity.googleapis.com - iam.googleapis.com + - servicenetworking.googleapis.com providerVersions: - source: hashicorp/google version: ">= 5.8, < 8" diff --git a/modules/routes-beta/metadata.yaml b/modules/routes-beta/metadata.yaml index b338cfc1f..a2d63af71 100644 --- a/modules/routes-beta/metadata.yaml +++ b/modules/routes-beta/metadata.yaml @@ -140,6 +140,7 @@ spec: - networksecurity.googleapis.com - networkconnectivity.googleapis.com - iam.googleapis.com + - servicenetworking.googleapis.com providerVersions: - source: hashicorp/google-beta version: ">= 3.0, < 8" diff --git a/modules/routes/metadata.yaml b/modules/routes/metadata.yaml index 54c0403b6..1482a2604 100644 --- a/modules/routes/metadata.yaml +++ b/modules/routes/metadata.yaml @@ -136,6 +136,7 @@ spec: - networksecurity.googleapis.com - networkconnectivity.googleapis.com - iam.googleapis.com + - servicenetworking.googleapis.com providerVersions: - source: hashicorp/google version: ">= 3.83, < 8" diff --git a/modules/subnets-beta/metadata.yaml b/modules/subnets-beta/metadata.yaml index b0a0e7fb5..3debf7748 100644 --- a/modules/subnets-beta/metadata.yaml +++ b/modules/subnets-beta/metadata.yaml 
@@ -158,6 +158,7 @@ spec: - networksecurity.googleapis.com - networkconnectivity.googleapis.com - iam.googleapis.com + - servicenetworking.googleapis.com providerVersions: - source: hashicorp/google-beta version: ">= 2.19, < 8" diff --git a/modules/subnets/metadata.yaml b/modules/subnets/metadata.yaml index f30bda711..1e8f585a8 100644 --- a/modules/subnets/metadata.yaml +++ b/modules/subnets/metadata.yaml @@ -154,6 +154,7 @@ spec: - networksecurity.googleapis.com - networkconnectivity.googleapis.com - iam.googleapis.com + - servicenetworking.googleapis.com providerVersions: - source: hashicorp/google version: ">= 4.25.0, < 8" diff --git a/modules/vpc-serverless-connector-beta/metadata.yaml b/modules/vpc-serverless-connector-beta/metadata.yaml index 2903d7467..8bacce022 100644 --- a/modules/vpc-serverless-connector-beta/metadata.yaml +++ b/modules/vpc-serverless-connector-beta/metadata.yaml @@ -140,6 +140,7 @@ spec: - networksecurity.googleapis.com - networkconnectivity.googleapis.com - iam.googleapis.com + - servicenetworking.googleapis.com providerVersions: - source: hashicorp/google-beta version: ">= 3.62, < 8" diff --git a/modules/vpc/metadata.yaml b/modules/vpc/metadata.yaml index 38016829a..7813945d1 100644 --- a/modules/vpc/metadata.yaml +++ b/modules/vpc/metadata.yaml @@ -189,6 +189,7 @@ spec: - networksecurity.googleapis.com - networkconnectivity.googleapis.com - iam.googleapis.com + - servicenetworking.googleapis.com providerVersions: - source: hashicorp/google version: ">= 6.19, < 8" diff --git a/test/setup/main.tf b/test/setup/main.tf index 3b5b07b8c..c501ee884 100644 --- a/test/setup/main.tf +++ b/test/setup/main.tf @@ -59,5 +59,6 @@ module "project" { "networksecurity.googleapis.com", "networkconnectivity.googleapis.com", "iam.googleapis.com", + "servicenetworking.googleapis.com", ] } From 21ad636b2f3ff86f71ae5ea9be764fa392ef862b Mon Sep 17 00:00:00 2001 
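Review bot: `servicenetworking.googleapis.com` is added to the test project's enabled APIs here and, through the identical metadata hunks on L103–L105 (network-firewall-policy, network-peering, private-service-connect, routes-beta, routes, subnets-beta, subnets, vpc-serverless-connector-beta, vpc), to every sub-module's required-API list, although only the network-connectivity-center producer spoke appears to need it. If those metadata lists are generated from this shared setup, which the uniform hunks suggest, the requirement is being overstated for unrelated modules, and consumers following the metadata will enable an API they do not use; keeping required APIs to what each module actually calls is the least-enablement default. Documenting in the NCC module that `link_producer_vpc_network` requires the Service Networking API, e.g. `# requires servicenetworking.googleapis.com when link_producer_vpc_network is set`, would make the real dependency visible.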
From: Imran Nayer Date: Wed, 3 Sep 2025 16:26:54 +0000 Subject: [PATCH 3/3] fixed module source in example --- examples/network_connectivity_center/main.tf | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/examples/network_connectivity_center/main.tf b/examples/network_connectivity_center/main.tf index fe9fe051d..3a14c0674 100644 --- a/examples/network_connectivity_center/main.tf +++ b/examples/network_connectivity_center/main.tf @@ -15,9 +15,8 @@ */ module "network_connectivity_center" { - # source = "terraform-google-modules/network/google//modules/network-connectivity-center" - # version = "~> 12.0" - source = "../../modules/network-connectivity-center" + source = "terraform-google-modules/network/google//modules/network-connectivity-center" + version = "~> 12.0" project_id = var.project_id ncc_hub_name = var.ncc_hub_name