From 4825e106bed6da17bead81c587f916e23967292e Mon Sep 17 00:00:00 2001 
From: Brett Curtis Date: Sat, 20 Jul 2024 10:38:53 -0400 Subject: [PATCH 1/4] Initial development --- .github/dependabot.yml | 12 ++ .github/workflows/add-to-projects.yml | 21 ++++ .github/workflows/dependabot.yml | 13 +++ .github/workflows/test.yml | 23 ++++ .gitignore | 43 ++++++++ .pre-commit-config.yaml | 37 +++++++ .terraform-docs.yml | 14 +++ LICENSE | 0 README.md | 103 ++++++++++++++++++ SECURITY.md | 2 +- dns/README.md | 0 dns/main.tf | 34 ++++++ dns/outputs.tf | 14 +++ dns/variables.tf | 37 +++++++ locals.tf | 60 ++++++++++ main.tf | 69 ++++++++++++ outputs.tf | 17 +++ regional/README.md | 46 ++++++++ regional/main.tf | 35 ++++++ regional/nat/README.md | 44 ++++++++ regional/nat/locals.tf | 7 ++ regional/nat/main.tf | 36 ++++++ regional/nat/outputs.tf | 12 ++ regional/nat/variables.tf | 35 ++++++ regional/outputs.tf | 12 ++ regional/variables.tf | 54 +++++++++ tests/default.tftest.hcl | 26 +++++ tests/fixtures/default/dns/main.tf | 42 +++++++ tests/fixtures/default/dns/variables.tf | 4 + tests/fixtures/default/main.tf | 66 +++++++++++ tests/fixtures/default/regional/main.tf | 30 +++++ tests/fixtures/default/regional/outputs.tf | 3 + tests/fixtures/default/regional/variables.tf | 4 + tests/fixtures/default/regional_nat/main.tf | 24 ++++ .../fixtures/default/regional_nat/outputs.tf | 10 ++ .../default/regional_nat/variables.tf | 7 ++ tests/fixtures/default/variables.tf | 3 + variables.tf | 47 ++++++++ 38 files changed, 1045 insertions(+), 1 deletion(-) create mode 100755 .github/dependabot.yml create mode 100644 .github/workflows/add-to-projects.yml create mode 100644 .github/workflows/dependabot.yml create mode 100644 .github/workflows/test.yml create mode 100644 .gitignore create mode 100644 .pre-commit-config.yaml create mode 100644 .terraform-docs.yml mode change 100644 => 100755 LICENSE create mode 100644 README.md create mode 100644 dns/README.md create mode 100644 dns/main.tf create mode 100644 dns/outputs.tf create mode 100644 dns/variables.tf create 
mode 100644 locals.tf create mode 100644 main.tf create mode 100644 outputs.tf create mode 100644 regional/README.md create mode 100644 regional/main.tf create mode 100644 regional/nat/README.md create mode 100644 regional/nat/locals.tf create mode 100644 regional/nat/main.tf create mode 100644 regional/nat/outputs.tf create mode 100644 regional/nat/variables.tf create mode 100644 regional/outputs.tf create mode 100644 regional/variables.tf create mode 100644 tests/default.tftest.hcl create mode 100644 tests/fixtures/default/dns/main.tf create mode 100644 tests/fixtures/default/dns/variables.tf create mode 100644 tests/fixtures/default/main.tf create mode 100644 tests/fixtures/default/regional/main.tf create mode 100644 tests/fixtures/default/regional/outputs.tf create mode 100644 tests/fixtures/default/regional/variables.tf create mode 100644 tests/fixtures/default/regional_nat/main.tf create mode 100644 tests/fixtures/default/regional_nat/outputs.tf create mode 100644 tests/fixtures/default/regional_nat/variables.tf create mode 100644 tests/fixtures/default/variables.tf create mode 100644 variables.tf diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100755 index 0000000..ddd9e01 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,12 @@ +# Dependabot +# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates + +version: 2 +updates: + - package-ecosystem: github-actions + + # NOTE: The "/" here is for checking for workflow files in .github/workflows + + directory: / + schedule: + interval: daily diff --git a/.github/workflows/add-to-projects.yml b/.github/workflows/add-to-projects.yml new file mode 100644 index 0000000..d95b0af --- /dev/null +++ b/.github/workflows/add-to-projects.yml 
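Review bot: The Dependabot configuration covers only the `github-actions` ecosystem, so the `google` provider that `terraform test` pulls in CI is never proposed for an update. Whether that matters depends on a version constraint this patch does not show: the regional READMEs report `No requirements` and the root README hides its requirements section, which suggests no `required_providers` constraint exists and each run floats to the latest provider release. Once a constraint is declared, add a second entry, `- package-ecosystem: terraform` with `directory: /` and the same daily `schedule`, so provider bumps arrive as reviewable pull requests rather than implicitly.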
@@ -0,0 +1,21 @@ +name: Add To GitHub Projects + +on: + issues: + types: + - opened + pull_request: + types: + - opened + +permissions: + issues: write + +jobs: + add-to-osinfra-project: + name: Open Source Infrastructure (as Code) + uses: osinfra-io/github-misc-called-workflows/.github/workflows/add-to-project.yml@v0.1.5 + with: + project_id: 1 + secrets: + add_to_project_pat: ${{ secrets.ADD_TO_PROJECT_PAT }} diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml new file mode 100644 index 0000000..e8e020c --- /dev/null +++ b/.github/workflows/dependabot.yml @@ -0,0 +1,13 @@ +name: Dependabot Approve and Merge + +on: pull_request_target + +permissions: + contents: read + +jobs: + dependabot: + name: Dependabot + uses: osinfra-io/github-misc-called-workflows/.github/workflows/dependabot.yml@v0.1.5 + secrets: + pr_approve_and_merge_pat: ${{ secrets.PR_APPROVE_AND_MERGE_PAT }} diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml new file mode 100644 index 0000000..9397b90 --- /dev/null +++ b/.github/workflows/test.yml @@ -0,0 +1,23 @@ +name: Terraform Tests + +on: + workflow_dispatch: + pull_request: + types: + - opened + - synchronize + paths-ignore: + - "**.md" + +permissions: + id-token: write + +jobs: + tests: + name: Tests + uses: osinfra-io/github-terraform-gcp-called-workflows/.github/workflows/test.yml@v0.2.4 + if: github.actor != 'dependabot[bot]' + with: + service_account: plt-lz-testing-github@ptl-lz-terraform-tf91-sb.iam.gserviceaccount.com + terraform_version: ${{ vars.TERRAFORM_VERSION }} + workload_identity_provider: projects/746490462722/locations/global/workloadIdentityPools/github-actions/providers/github-actions-oidc diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..a543f04 --- /dev/null +++ b/.gitignore 
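Review bot: The `Dependabot Approve and Merge` workflow runs on `pull_request_target` and hands `PR_APPROVE_AND_MERGE_PAT` to a reusable workflow referenced by the mutable tag `@v0.1.5`, so any pull request, including one from a fork, starts a privileged run whose behaviour is controlled by code outside this repository. The `permissions: contents: read` line limits only the `GITHUB_TOKEN`; the PAT is not covered by it. Gate the job on the actor before the secret is exposed, `if: github.actor == 'dependabot[bot]'` on the `dependabot:` job (the inverse of the guard `test.yml` already uses), and pin all three `osinfra-io/...@vX.Y.Z` references to a full commit SHA with the tag in a trailing comment so the `github-actions` Dependabot updates keep tracking them. Whether the called workflow itself checks the actor or checks out pull-request head code is not visible here, so treat this as defence in depth.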
@@ -0,0 +1,43 @@ +# .gitignore +# https://docs.github.com/en/get-started/getting-started-with-git/ignoring-files + +# Local .terraform directories +**/.terraform/* + +# .tfstate files +*.tfstate +*.tfstate.* + +# Crash log files +crash.log + +# Ignore provider lock file +.terraform.lock.hcl + +# Ignore any local.tfvars. Most .tfvars files are managed as part of configuration and so should +# be included in version control. +local.tfvars + +# Provider.tf is used for local development of modules and shouldn't be added to repos. +provider.tf + +# Ignore override files as they are usually used to override ressources locally +override.tf +override.tf.json +*_override.tf +*_override.tf.json + +# Ignore plan output files +plan.out + +# Ignore Infracost directories and files +.infracost + +# Other Files +*.log +*.bak +*.swp +*.tmp +*.gz +*.tgz +*.tar diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..9bff724 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,37 @@ +# Pre-commit +# https://github.com/pre-commit/pre-commit + +repos: + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.6.0 + hooks: + - id: check-yaml + - id: end-of-file-fixer + - id: trailing-whitespace + - id: check-symlinks + + - repo: https://github.com/antonbabenko/pre-commit-terraform + rev: v1.92.0 + hooks: + - id: terraform_fmt + + # To speed up local validation add the following to your ~/.zshrc: + # export TF_PLUGIN_CACHE_DIR=$HOME/.terraform.d/plugin-cache + + - id: terraform_validate + args: + - --hook-config=--retry-once-with-cleanup=true + - --tf-init-args=-upgrade + exclude: tests/fixtures/shared + + # Always run after terraform_validate + + - id: terraform_docs + + - repo: https://github.com/bridgecrewio/checkov.git + rev: 3.2.186 + hooks: + - id: checkov + verbose: true + args: + - --quiet diff --git a/.terraform-docs.yml b/.terraform-docs.yml new file mode 100644 index 0000000..9b7b9d3 --- /dev/null +++ b/.terraform-docs.yml 
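Review bot: `.terraform.lock.hcl` is ignored in `.gitignore`, so nothing in this repository records provider checksums and the `terraform test` run in CI resolves the `google` provider afresh on every execution; the pre-commit `terraform_validate` hook additionally passes `--tf-init-args=-upgrade`, which would bypass a lock file even if one existed. For a reusable module that is conventional, but it means a compromised or yanked provider release is picked up silently at test time. Consider committing the lock file generated by `terraform init` at the repository root, or failing that declaring an explicit `required_providers` version constraint so the floating upgrade surface is bounded; whether such a constraint exists in a `versions.tf` is not visible in this patch. If the lock file stays ignored, a comment above `.terraform.lock.hcl` stating that this is deliberate for a module repository would save the next reader the question.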
@@ -0,0 +1,14 @@ +# Terraform Docs +# https://github.com/terraform-docs/terraform-docs + +formatter: markdown + +sections: + hide: + - requirements + +settings: + anchor: false + hide-empty: true + html: false + indent: 3 diff --git a/LICENSE b/LICENSE old mode 100644 new mode 100755 diff --git a/README.md b/README.md new file mode 100644 index 0000000..4fa2987 --- /dev/null +++ b/README.md 
@@ -0,0 +1,103 @@ +# Google Cloud Platform - Network Module + +**[GitHub Actions](https://github.com/osinfra-io/terraform-google-vpc/actions):** + +[![Terraform Tests](https://github.com/osinfra-io/terraform-google-vpc/actions/workflows/test.yml/badge.svg)](https://github.com/osinfra-io/terraform-google-vpc/actions/workflows/test.yml) [![Dependabot](https://github.com/osinfra-io/terraform-google-vpc/actions/workflows/dependabot.yml/badge.svg)](https://github.com/osinfra-io/terraform-google-vpc/actions/workflows/dependabot.yml) + +**[Infracost](https://www.infracost.io):** + +[![infracost](https://img.shields.io/endpoint?url=https://dashboard.api.infracost.io/shields/json/cbeecfe3-576f-4553-984c-e451a575ee47/repos/19c599ec-c2ad-4031-8480-2110b02be0eb/branch/d36a38e2-44a6-4e64-a082-5f81bd3f9f61)](https://dashboard.infracost.io/org/osinfra-io/repos/19c599ec-c2ad-4031-8480-2110b02be0eb?tab=settings) + +💵 Monthly estimates based on Infracost baseline costs. + +## Repository Description + +Terraform **example** module for a Google Cloud Platform network. + +> [!NOTE] +> We do not recommend consuming this module like you might a [public module](https://registry.terraform.io/browse/modules). It is a baseline, something you can fork, potentially maintain, and modify to fit your organization's needs. Using public modules vs. writing your own has various [drivers and trade-offs](https://docs.osinfra.io/fundamentals/architecture-decision-records/adr-0003) that your organization should evaluate. + +## 🔩 Usage + +> [!TIP] +> You can check the [tests/fixtures](tests/fixtures) directory for example configurations. These fixtures set up the system for testing by providing all the necessary initial code, thus creating good examples on which to base your configurations. + +## Development + +Our focus is on the core fundamental practice of platform engineering, Infrastructure as Code. 
+ +>Open Source Infrastructure (as Code) is a development model for infrastructure that focuses on open collaboration and applying relative lessons learned from software development practices that organizations can use internally at scale. - [Open Source Infrastructure (as Code)](https://www.osinfra.io) + +To avoid slowing down stream-aligned teams, we want to open up the possibility for contributions. The Open Source Infrastructure (as Code) model allows team members external to the platform team to contribute with only a slight increase in cognitive load. This section is for developers who want to contribute to this repository, describing the tools used, the skills, and the knowledge required, along with Terraform documentation. + +See the documentation for setting up a local development environment [here](https://docs.osinfra.io/fundamentals/development-setup). + +### 🛠️ Tools + +- [checkov](https://github.com/bridgecrewio/checkov) +- [infracost](https://github.com/infracost/infracost) +- [pre-commit](https://github.com/pre-commit/pre-commit) +- [pre-commit-terraform](https://github.com/antonbabenko/pre-commit-terraform) +- [terraform-docs](https://github.com/terraform-docs/terraform-docs) + +### 📋 Skills and Knowledge + +Links to documentation and other resources required to develop and iterate in this repository successfully. + +- [cloud dns](https://cloud.google.com/dns/docs) +- [cloud nat](https://cloud.google.com/nat/docs/overview) +- [firewall](https://cloud.google.com/vpc/docs/firewalls) +- [shared vpc](https://cloud.google.com/vpc/docs/shared-vpc) +- [subnets](https://cloud.google.com/vpc/docs/subnets) +- [vpc](https://cloud.google.com/vpc/docs/vpc) + +### 🔍 Tests + +You'll need to be a member of the [platform-contributors](https://groups.google.com/a/osinfra.io/g/platform-contributors) Google Group to run the tests. This group manages access to the resource hierarchy's `Testing/Sandbox` folder. 
You can request access to this group by opening an issue [here](https://github.com/osinfra-io/google-cloud-hierarchy/issues/new?assignees=&labels=enhancement&projects=&template=add-update-identity-group.yml&title=Add+or+update+identity+group). + +```none +terraform init +``` + +```none +terraform test +``` + +## 📓 Terraform Documentation + +> A child module automatically inherits default (un-aliased) provider configurations from its parent. The provider versions below are informational only and do **not** need to align with the provider configurations from its parent. + + +### Providers + +| Name | Version | +|------|---------| +| google | 5.38.0 | + +### Resources + +| Name | Type | +|------|------| +| [google_compute_firewall.rules](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource | +| [google_compute_network.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_network) | resource | +| [google_compute_shared_vpc_host_project.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_shared_vpc_host_project) | resource | +| [google_compute_shared_vpc_service_project.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_shared_vpc_service_project) | resource | + +### Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| name | Name of the network to create | `string` | `"osinfra-vpc"` | no | +| project | The ID of the project in which the resource belongs | `any` | n/a | yes | +| rules | List of firewall rule definitions | ```list(object({ allow = optional(list(object({ ports = list(string) protocol = string })), []) deny = optional(list(object({ ports = list(string) protocol = string })), []) description = optional(string) direction = string log_config_enabled = optional(bool, true) log_config_metadata = optional(string, 
"INCLUDE_ALL_METADATA") name = string priority = optional(number) ranges = optional(list(string)) source_tags = optional(list(string)) target_tags = optional(list(string)) }))``` | `[]` | no | +| shared\_vpc | Enable VPC sharing | `bool` | `false` | no | +| shared\_vpc\_service\_projects | The set of service projects to attach to the shared VPC | `set(string)` | `[]` | no | + +### Outputs + +| Name | Description | +|------|-------------| +| name | The network name | +| project | The ID of the project in which the resource belongs | +| self\_link | The URI of the created resource | + diff --git a/SECURITY.md b/SECURITY.md index 81c7194..42ca6c1 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -7,4 +7,4 @@ the community, but it does come with some risks. ## Reporting a Vulnerability Privately discuss, fix, and publish information about security vulnerabilities in this repository by drafting a new -[security advisory](https://github.com/osinfra-io/terraform-google-network/security/advisories/new). +[security advisory](https://github.com/osinfra-io/terraform-google-vpc/security/advisories/new). diff --git a/dns/README.md b/dns/README.md new file mode 100644 index 0000000..e69de29 diff --git a/dns/main.tf b/dns/main.tf new file mode 100644 index 0000000..192da9f --- /dev/null +++ b/dns/main.tf 
@@ -0,0 +1,34 @@ +# DNS Zone Managed Resource +# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_managed_zone + +resource "google_dns_managed_zone" "this" { + + # Ensure that DNSSEC is enabled for Cloud DNS + # checkov:skip=CKV_GCP_16: False positive + + description = var.description + dns_name = var.dns_name + labels = var.labels + name = var.name + project = var.project + visibility = var.visibility + + dynamic "dnssec_config" { + for_each = var.visibility != "public" ? [] : [1] + content { + state = "on" + } + } + + dynamic "private_visibility_config" { + for_each = var.visibility != "private" ? [] : length(var.private_visibility_config_networks) == 0 ? [] : [1] + content { + dynamic "networks" { + for_each = var.private_visibility_config_networks + content { + network_url = networks.value + } + } + } + } +} diff --git a/dns/outputs.tf b/dns/outputs.tf new file mode 100644 index 0000000..490f77e --- /dev/null +++ b/dns/outputs.tf @@ -0,0 +1,14 @@ +output "name" { + description = "The DNS zone name" + value = google_dns_managed_zone.this.name +} + +output "dns_name" { + description = "The DNS zone domain name" + value = google_dns_managed_zone.this.dns_name +} + +output "name_servers" { + description = "The DNS zone name servers" + value = google_dns_managed_zone.this.name_servers +} diff --git a/dns/variables.tf b/dns/variables.tf new file mode 100644 index 0000000..967bc46 --- /dev/null +++ b/dns/variables.tf 
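Review bot: For public zones `dns/main.tf` turns DNSSEC on with `state = "on"` but leaves key specs and the denial-of-existence mode to the API defaults, which as far as I recall are RSASHA256 with a 2048-bit KSK and a 1024-bit ZSK and plain NSEC. A 1024-bit ZSK is below current guidance and NSEC permits zone enumeration, so a baseline module should set these explicitly; the rewrite below pins ECDSA P-256 for both keys and NSEC3. The `checkov:skip=CKV_GCP_16` is justified because DNSSEC cannot be configured on private zones, but the skip comment should say that rather than `False positive`. The `private_visibility_config` guard also means a private zone with an empty `private_visibility_config_networks` is created attached to no network, which is almost certainly an input error worth rejecting with a precondition.
```hcl
  dynamic "dnssec_config" {
    for_each = var.visibility != "public" ? [] : [1]
    content {
      state         = "on"
      non_existence = "nsec3" # NSEC (the default) allows zone walking

      # Explicit key specs: the API defaults include a 1024-bit RSA zone-signing key.
      default_key_specs {
        algorithm  = "ecdsap256sha256"
        key_length = 256
        key_type   = "keySigning"
      }

      default_key_specs {
        algorithm  = "ecdsap256sha256"
        key_length = 256
        key_type   = "zoneSigning"
      }
    }
  }

  # … unchanged: private_visibility_config dynamic block …
```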
@@ -0,0 +1,37 @@ +variable "description" { + description = "A textual description field. Defaults to 'Managed by Terraform'" + type = string + default = null +} + +variable "dns_name" { + description = "The DNS name of this managed zone, for instance 'example.com.' (must end with a period)" + type = string +} + +variable "labels" { + description = "A map of key/value pairs to assign to the resources being created" + type = map(string) + default = {} +} + +variable "name" { + description = "User assigned name for this resource. Must be unique within the project" + type = string +} + +variable "private_visibility_config_networks" { + description = "For privately visible zones, the set of Virtual Private Cloud network resources that the zone is visible from" + type = list(string) + default = [] +} + +variable "project" { + description = "The ID of the project in which the resource belongs" + type = string +} + +variable "visibility" { + description = "The zone's visibility: public zones are exposed to the Internet, while private zones are visible only to Virtual Private Cloud resources" + type = string +} diff --git a/locals.tf b/locals.tf new file mode 100644 index 0000000..d501ce8 --- /dev/null +++ b/locals.tf 
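Review bot: `visibility` and `dns_name` in `dns/variables.tf` have no `validation` blocks even though `dns/main.tf` switches DNSSEC and private-network attachment on exact string comparison with `"public"` and `"private"`, and the `dns_name` description itself says the value must end with a period. Adding `validation { condition = contains(["public", "private"], var.visibility) error_message = "visibility must be \"public\" or \"private\"." }` and `validation { condition = endswith(var.dns_name, ".") error_message = "dns_name must end with a period." }` turns both mistakes into plan-time errors. `endswith` needs Terraform 1.5 or later, which the `terraform test` usage in this repository already implies.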
@@ -0,0 +1,60 @@ +# Local Values +# https://www.terraform.io/docs/configuration/locals.html + +locals { + rules = [ + { + + # This rule is to support the Google Cloud Load Balancer health check probes. + # https://cloud.google.com/load-balancing/docs/health-checks#firewall_rules + + allow = [ + { + ports = [] + protocol = "tcp" + } + ] + + deny = [] + description = "Allow Google cloud probers" + direction = "INGRESS" + log_config_enabled = true + log_config_metadata = "INCLUDE_ALL_METADATA" + name = "allow-google-cloud-probers" + priority = null + + ranges = [ + "130.211.0.0/22", + "35.191.0.0/16", + "209.85.152.0/22", + "209.85.204.0/22" + ] + + source_tags = null + target_tags = null + }, + + { + # This rule is to support remote SSH access via Google Cloud IAP. + # https://cloud.google.com/iap/docs/using-tcp-forwarding + + allow = [ + { + ports = ["22"] + protocol = "tcp" + } + ] + + deny = [] + description = "Allow SSH ingress from IAP" + direction = "INGRESS" + name = "allow-ssh-ingress-from-iap" + log_config_enabled = true + log_config_metadata = "INCLUDE_ALL_METADATA" + priority = null + ranges = ["35.235.240.0/20"] + source_tags = null + target_tags = null + } + ] +} diff --git a/main.tf b/main.tf new file mode 100644 index 0000000..9a06a5e --- /dev/null +++ b/main.tf 
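Review bot: Both baseline rules in `local.rules` set `target_tags = null`, so they apply to every instance in the network, and the prober rule's `ports = []` with `protocol = "tcp"` admits every TCP port from the four health-check ranges rather than the ports actually probed. Because these rules are unconditionally merged into every network this module creates (see `main.tf`), a consumer cannot narrow them or opt out. Consider scoping them with tags, for example `target_tags = ["iap-ssh"]` on the IAP rule and `target_tags = ["lb-backend"]` on the prober rule, or at minimum extend the comment block to state that both rules are network-wide by design. I read the linked health-check document as listing `209.85.152.0/22` and `209.85.204.0/22` only for legacy network load balancer health checks; if no legacy load balancers are expected they can be dropped from `ranges`, and the comment should say which product each range belongs to.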
@@ -0,0 +1,69 @@ +# Firewall Resource +# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall + +resource "google_compute_firewall" "rules" { + for_each = merge({ for rule in var.rules : rule.name => rule }, { for rule in local.rules : rule.name => rule }) + + description = each.value.description + destination_ranges = each.value.direction == "EGRESS" ? each.value.ranges : null + direction = each.value.direction + name = "${var.name}-${each.value.name}" + network = google_compute_network.this.name + priority = each.value.priority + project = var.project + source_ranges = each.value.direction == "INGRESS" ? each.value.ranges : null + source_tags = each.value.source_tags + target_tags = each.value.target_tags + + dynamic "allow" { + for_each = each.value.allow + content { + protocol = allow.value["protocol"] + ports = allow.value["ports"] + } + } + + dynamic "deny" { + for_each = each.value.deny + content { + protocol = deny.value["protocol"] + ports = deny.value["ports"] + } + } + + dynamic "log_config" { + for_each = each.value.log_config_enabled ? [each.value.log_config_metadata] : [] + content { + metadata = log_config.value + } + } +} + +# Compute Network Resource +# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_network + +resource "google_compute_network" "this" { + auto_create_subnetworks = "false" + name = var.name + project = var.project + routing_mode = "GLOBAL" +} + +# Compute Shared VPC Host Project Resource +# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_shared_vpc_host_project + +resource "google_compute_shared_vpc_host_project" "this" { + count = var.shared_vpc ? 
1 : 0 + + project = var.project +} + +# Compute Shared VPC Service Project Resource +# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_shared_vpc_service_project + +resource "google_compute_shared_vpc_service_project" "this" { + for_each = var.shared_vpc ? { for i in var.shared_vpc_service_projects : i => true } : {} + + host_project = google_compute_shared_vpc_host_project.this[0].id + service_project = each.key +} diff --git a/outputs.tf b/outputs.tf new file mode 100644 index 0000000..8f7d355 --- /dev/null +++ b/outputs.tf @@ -0,0 +1,17 @@ +# Output Values +# https://www.terraform.io/docs/language/values/outputs.html + +output "name" { + description = "The network name" + value = google_compute_network.this.name +} + +output "project" { + description = "The ID of the project in which the resource belongs" + value = var.project +} + +output "self_link" { + description = "The URI of the created resource" + value = google_compute_network.this.self_link +} diff --git a/regional/README.md b/regional/README.md new file mode 100644 index 0000000..5d1fff9 --- /dev/null +++ b/regional/README.md 
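Review bot: In `google_compute_firewall.rules`, an INGRESS entry from `var.rules` that sets neither `ranges` nor `source_tags` (both are optional in the input type) is sent to the API with no source at all, and Compute Engine then defaults the source range to `0.0.0.0/0`, so a rule intended to be internal silently becomes reachable from anywhere. A `lifecycle.precondition` on the resource catches this at plan time (a `validation` block on `var.rules` would do the same but lives outside this hunk). Separately, `merge()` gives the later map priority, so a caller entry whose `name` collides with `allow-ssh-ingress-from-iap` or `allow-google-cloud-probers` is silently replaced by the baseline rather than rejected; a comment on the `for_each` line documenting that precedence would help. Minor: `auto_create_subnetworks = "false"` is a string for a bool argument; `false` is the idiomatic form.
```hcl
resource "google_compute_firewall" "rules" {
  # Baseline rules in local.rules win over same-named entries in var.rules (later map wins in merge()).
  for_each = merge({ for rule in var.rules : rule.name => rule }, { for rule in local.rules : rule.name => rule })

  # … unchanged: description, destination_ranges, direction, name, network, priority, project, source_ranges, tags, allow/deny/log_config blocks …

  lifecycle {
    precondition {
      # An INGRESS rule with neither source_ranges nor source_tags is defaulted to 0.0.0.0/0 by the API.
      condition     = each.value.direction == "EGRESS" || each.value.ranges != null || each.value.source_tags != null
      error_message = "INGRESS rule '${each.value.name}' must set ranges or source_tags; omitting both defaults the source to 0.0.0.0/0."
    }
  }
}
```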
@@ -0,0 +1,46 @@ +# Terraform Documentation + +A child module automatically inherits its parent's default (un-aliased) provider configurations. The provider versions below are informational only and do **not** need to align with the provider configurations from its parent. + + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [google](#provider\_google) | 5.38.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [google_compute_subnetwork.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [ip\_cidr\_range](#input\_ip\_cidr\_range) | The range of internal addresses that are owned by this subnetwork | `string` | n/a | yes | +| [name](#input\_name) | The name of the resource, provided by the client when initially creating the resource. The resource name must be 1-63 characters long, and comply with RFC1035 | `string` | n/a | yes | +| [network](#input\_network) | The network this subnet belongs to. Only networks that are in the distributed mode can have subnetworks | `string` | n/a | yes | +| [private\_ip\_google\_access](#input\_private\_ip\_google\_access) | When enabled, VMs in this subnetwork without external IP addresses can access Google APIs and services by using Private Google Access | `bool` | `null` | no | +| [project](#input\_project) | The ID of the project in which the resource belongs | `string` | n/a | yes | +| [purpose](#input\_purpose) | The purpose of the resource. This field can be either `PRIVATE_RFC_1918`, `INTERNAL_HTTPS_LOAD_BALANCER` or `REGIONAL_MANAGED_PROXY` | `string` | `null` | no | +| [region](#input\_region) | The region for this subnetwork | `string` | n/a | yes | +| [role](#input\_role) | The role of subnetwork. 
The value can be set to `ACTIVE` or `BACKUP` | `string` | `null` | no | +| [secondary\_ip\_ranges](#input\_secondary\_ip\_ranges) | An array of configurations for secondary IP ranges for VM instances contained in this subnetwork |
list(object({
ip_cidr_range = string
range_name = string
}))
| `[]` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [name](#output\_name) | The name of the subnetwork | +| [project](#output\_project) | The project ID | + diff --git a/regional/main.tf b/regional/main.tf new file mode 100644 index 0000000..f3af9a7 --- /dev/null +++ b/regional/main.tf @@ -0,0 +1,35 @@ +# Compute Subnetwork Resource +# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork + +resource "google_compute_subnetwork" "this" { + + # Ensure that Private google access is enabled for IPV6 + # checkov:skip=CKV_GCP_76: We are not using IPV6 + + ip_cidr_range = var.ip_cidr_range + name = var.name + network = var.network + private_ip_google_access = var.private_ip_google_access + project = var.project + purpose = var.purpose + region = var.region + role = var.role + + dynamic "secondary_ip_range" { + for_each = var.secondary_ip_ranges + + content { + range_name = secondary_ip_range.value.range_name + ip_cidr_range = secondary_ip_range.value.ip_cidr_range + } + } + + dynamic "log_config" { + for_each = var.purpose != "INTERNAL_HTTPS_LOAD_BALANCER" ? [0] : [] + content { + flow_sampling = 1 + metadata = "INCLUDE_ALL_METADATA" + aggregation_interval = "INTERVAL_5_SEC" + } + } +} diff --git a/regional/nat/README.md b/regional/nat/README.md new file mode 100644 index 0000000..85f7cba --- /dev/null +++ b/regional/nat/README.md 
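Review bot: The `log_config` block in `regional/main.tf` is skipped only when `purpose` is `INTERNAL_HTTPS_LOAD_BALANCER`, yet the `purpose` variable also documents `REGIONAL_MANAGED_PROXY`, which is likewise a proxy-only subnet and, as far as I know, rejects flow-log configuration at apply time. Change the guard to `for_each = var.purpose == "INTERNAL_HTTPS_LOAD_BALANCER" || var.purpose == "REGIONAL_MANAGED_PROXY" ? [] : [0]` so both proxy-only purposes skip it. The `checkov:skip=CKV_GCP_76` reason is reasonable while no IPv6 stack is configured, but the resource does not pin `stack_type`, so the comment should note the skip must be revisited if that changes. Flow logs at `flow_sampling = 1`, `INCLUDE_ALL_METADATA` and a 5-second interval are the most complete and most expensive setting; a one-line comment saying that is deliberate would stop a later cost-driven change from quietly reducing forensic coverage.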
@@ -0,0 +1,44 @@ +# Terraform Documentation + +A child module automatically inherits its parent's default (un-aliased) provider configurations. The provider versions below are informational only and do **not** need to align with the provider configurations from its parent. + + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [google](#provider\_google) | 5.38.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [google_compute_router.cloud_nat](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_router) | resource | +| [google_compute_router_nat.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_router_nat) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [network](#input\_network) | The network to enable Cloud NAT on | `string` | n/a | yes | +| [prefix](#input\_prefix) | The prefix for the resource name. Defaults to var.network | `string` | `""` | no | +| [project](#input\_project) | The ID of the project in which the resource belongs | `string` | n/a | yes | +| [region](#input\_region) | The region in which the resource belongs | `string` | n/a | yes | +| [source\_subnetwork\_ip\_ranges\_to\_nat](#input\_source\_subnetwork\_ip\_ranges\_to\_nat) | How NAT should be configured per Subnetwork. Possible values are ALL\_SUBNETWORKS\_ALL\_IP\_RANGES, ALL\_SUBNETWORKS\_ALL\_PRIMARY\_IP\_RANGES, and LIST\_OF\_SUBNETWORKS | `string` | `"ALL_SUBNETWORKS_ALL_IP_RANGES"` | no | +| [subnetwork\_names](#input\_subnetwork\_names) | Subnet names for NAT configuration. 
Only used if source\_subnetwork\_ip\_ranges\_to\_nat is set to LIST\_OF\_SUBNETWORKS | `list(string)` | `[]` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [name](#output\_name) | The name of the cloud nat resources | +| [project](#output\_project) | The project ID | + diff --git a/regional/nat/locals.tf b/regional/nat/locals.tf new file mode 100644 index 0000000..e135d4e --- /dev/null +++ b/regional/nat/locals.tf @@ -0,0 +1,7 @@ +# Local Values +# https://www.terraform.io/docs/language/values/locals.html + +locals { + name = "${local.prefix}-${var.region}" + prefix = var.prefix == "" ? var.network : var.prefix +} diff --git a/regional/nat/main.tf b/regional/nat/main.tf new file mode 100644 index 0000000..c1fbe3a --- /dev/null +++ b/regional/nat/main.tf @@ -0,0 +1,36 @@ +# Compute Router Resource +# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_router + +resource "google_compute_router" "cloud_nat" { + name = local.name + network = var.network + project = var.project + region = var.region +} + +# Compute Router NAT Resource +# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_router_nat + +resource "google_compute_router_nat" "this" { + + log_config { + enable = true + filter = "ERRORS_ONLY" + } + + name = local.name + nat_ip_allocate_option = "AUTO_ONLY" + project = var.project + region = var.region + router = google_compute_router.cloud_nat.name + source_subnetwork_ip_ranges_to_nat = var.source_subnetwork_ip_ranges_to_nat + + dynamic "subnetwork" { + for_each = var.source_subnetwork_ip_ranges_to_nat == "LIST_OF_SUBNETWORKS" ? toset(var.subnetwork_names) : [] + + content { + name = subnetwork.value + source_ip_ranges_to_nat = ["ALL_IP_RANGES"] + } + } +} diff --git a/regional/nat/outputs.tf b/regional/nat/outputs.tf new file mode 100644 index 0000000..681e01a --- /dev/null +++ b/regional/nat/outputs.tf 
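Review bot: `google_compute_router_nat.this` in `regional/nat/main.tf` logs with `filter = "ERRORS_ONLY"`, which records only allocation failures and dropped packets; successful translations are not logged, so after an incident there is no record of which internal address egressed to which external endpoint through this NAT. For a baseline that NATs `ALL_SUBNETWORKS_ALL_IP_RANGES` by default, `filter = "ALL"` (or `"TRANSLATIONS_ONLY"` if error volume is a concern) is the safer default, with a comment noting the log-volume cost. `nat_ip_allocate_option = "AUTO_ONLY"` means egress addresses are ephemeral and may change; that is fine for a sandbox but worth a comment because downstream allowlists cannot depend on them.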
@@ -0,0 +1,12 @@ +# Terraform Output Values +# https://www.terraform.io/language/values/outputs + +output "name" { + description = "The name of the cloud nat resources" + value = local.name +} + +output "project" { + description = "The project ID" + value = var.project +} diff --git a/regional/nat/variables.tf b/regional/nat/variables.tf new file mode 100644 index 0000000..35042a3 --- /dev/null +++ b/regional/nat/variables.tf @@ -0,0 +1,35 @@ +# Terraform Input Variables +# https://www.terraform.io/language/values/variables + +variable "network" { + description = "The network to enable Cloud NAT on" + type = string +} + +variable "prefix" { + description = "The prefix for the resource name. Defaults to var.network" + type = string + default = "" +} + +variable "project" { + description = "The ID of the project in which the resource belongs" + type = string +} + +variable "region" { + description = "The region in which the resource belongs" + type = string +} + +variable "source_subnetwork_ip_ranges_to_nat" { + description = "How NAT should be configured per Subnetwork. Possible values are ALL_SUBNETWORKS_ALL_IP_RANGES, ALL_SUBNETWORKS_ALL_PRIMARY_IP_RANGES, and LIST_OF_SUBNETWORKS" + type = string + default = "ALL_SUBNETWORKS_ALL_IP_RANGES" +} + +variable "subnetwork_names" { + description = "Subnet names for NAT configuration. Only used if source_subnetwork_ip_ranges_to_nat is set to LIST_OF_SUBNETWORKS" + type = list(string) + default = [] +} diff --git a/regional/outputs.tf b/regional/outputs.tf new file mode 100644 index 0000000..255c803 --- /dev/null +++ b/regional/outputs.tf @@ -0,0 +1,12 @@ +# Output Values +# https://www.terraform.io/language/values/outputs + +output "project" { + description = "The project ID" + value = var.project +} + +output "name" { + description = "The name of the subnetwork" + value = google_compute_subnetwork.this.name +} diff --git a/regional/variables.tf b/regional/variables.tf new file mode 100644 index 0000000..f7241d0 
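Review bot: `source_subnetwork_ip_ranges_to_nat` in `regional/nat/variables.tf` lists its three permitted values in the description but has no `validation` block, and `subnetwork_names` is silently ignored unless the mode is `LIST_OF_SUBNETWORKS` (see the `dynamic "subnetwork"` guard in `regional/nat/main.tf`). Add `validation { condition = contains(["ALL_SUBNETWORKS_ALL_IP_RANGES", "ALL_SUBNETWORKS_ALL_PRIMARY_IP_RANGES", "LIST_OF_SUBNETWORKS"], var.source_subnetwork_ip_ranges_to_nat) error_message = "Unsupported NAT source mode." }` and a matching check that `subnetwork_names` is non-empty when the list mode is selected, so a misconfiguration that would likely leave no subnet NATed fails at plan time rather than at apply.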
--- /dev/null +++ b/regional/variables.tf @@ -0,0 +1,54 @@ +# Input Variables +# https://www.terraform.io/language/values/variables + +variable "ip_cidr_range" { + description = "The range of internal addresses that are owned by this subnetwork" + type = string +} + +variable "name" { + description = "The name of the resource, provided by the client when initially creating the resource. The resource name must be 1-63 characters long, and comply with RFC1035" + type = string +} + +variable "network" { + description = "The network this subnet belongs to. Only networks that are in the distributed mode can have subnetworks" + type = string +} + +variable "private_ip_google_access" { + description = "When enabled, VMs in this subnetwork without external IP addresses can access Google APIs and services by using Private Google Access" + type = bool + default = null +} + +variable "project" { + description = "The ID of the project in which the resource belongs" + type = string +} + +variable "purpose" { + description = "The purpose of the resource. This field can be either `PRIVATE_RFC_1918`, `INTERNAL_HTTPS_LOAD_BALANCER` or `REGIONAL_MANAGED_PROXY`" + type = string + default = null +} + +variable "region" { + description = "The region for this subnetwork" + type = string +} + +variable "role" { + description = "The role of subnetwork. The value can be set to `ACTIVE` or `BACKUP`" + type = string + default = null +} + +variable "secondary_ip_ranges" { + description = "An array of configurations for secondary IP ranges for VM instances contained in this subnetwork" + type = list(object({ + ip_cidr_range = string + range_name = string + })) + default = [] +} diff --git a/tests/default.tftest.hcl b/tests/default.tftest.hcl new file mode 100644 index 0000000..6312099 --- /dev/null +++ b/tests/default.tftest.hcl 
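Review bot: `private_ip_google_access` defaults to `null` in `regional/variables.tf`, which the provider treats as unset and therefore disabled, so a subnet created with defaults cannot reach Google APIs without an external IP or the Cloud NAT submodule; for a baseline aimed at private workloads `default = true` is the safer starting point and does not affect callers that set the value explicitly. `purpose` and `role` enumerate their permitted values in the description only; `validation { condition = var.purpose == null || contains(["PRIVATE_RFC_1918", "INTERNAL_HTTPS_LOAD_BALANCER", "REGIONAL_MANAGED_PROXY"], var.purpose) error_message = "Unsupported purpose." }` (and the equivalent for `role`) turns a typo into a plan-time error. `ip_cidr_range` could likewise be checked with `can(cidrnetmask(var.ip_cidr_range))`.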
@@ -0,0 +1,26 @@
+run "default" {
+ command = apply
+
+ module {
+ source = "./tests/fixtures/default"
+ }
+
+ assert {
+ condition = module.test.name == "test-vpc"
+ error_message = "The VPC name does not match the expected value 'test-vpc'."
+ }
+
+ assert {
+ condition = module.test.project == "test-default-tf75-sb"
+ error_message = "The project ID does not match the expected value 'test-default-tf75-sb'."
+ }
+
+ assert {
+ condition = module.test.self_link == "https://www.googleapis.com/compute/v1/projects/test-default-tf75-sb/global/networks/test-vpc"
+ error_message = "The self link does not match the expected URL."
+ }
+
+ variables {
+ project = "test-default-tf75-sb"
+ }
+}
diff --git a/tests/fixtures/default/dns/main.tf b/tests/fixtures/default/dns/main.tf
new file mode 100644
index 0000000..f086360
--- /dev/null
+++ b/tests/fixtures/default/dns/main.tf
@@ -0,0 +1,42 @@
+module "private_test" {
+
+ # This module will be consumed using the source address of the github repo and not the "../../../global" used in this test.
+ # source = "github.com/osinfra-io/terraform-google-cloud-dns//global?ref=v0.0.0"
+
+ source = "../../../../dns"
+
+ dns_name = "gcp-priv.osinfra.io."
+
+ labels = {
+ cost-center = "x000"
+ env = "sb"
+ repository = "terraform-google-cloud-dns"
+ team = "testing"
+ }
+
+ name = "gcp-priv-osinfra-io"
+ private_visibility_config_networks = ["https://www.googleapis.com/compute/v1/projects/${var.project}/global/networks/terraform-test-vpc"]
+ project = var.project
+ visibility = "private"
+}
+
+module "public_test" {
+
+ # This module will be consumed using the source address of the github repo and not the "../../../global" used in this test.
+ # source = "github.com/osinfra-io/terraform-google-cloud-dns//global?ref=v0.0.0"
+
+ source = "../../../../dns"
+
+ dns_name = "gcp.osinfra.io."
+
+ labels = {
+ cost-center = "x000"
+ env = "sb"
+ repository = "terraform-google-cloud-dns"
+ team = "testing"
+ }
+
+ name = "gcp-osinfra-io"
+ project = var.project
+ visibility = "public"
+}
diff --git a/tests/fixtures/default/dns/variables.tf b/tests/fixtures/default/dns/variables.tf
new file mode 100644
index 0000000..e47327f
--- /dev/null
+++ b/tests/fixtures/default/dns/variables.tf
@@ -0,0 +1,4 @@
+variable "project" {
+ type = string
+ default = "test-default-tf75-sb"
+}
diff --git a/tests/fixtures/default/main.tf b/tests/fixtures/default/main.tf
new file mode 100644
index 0000000..f02e267
--- /dev/null
+++ b/tests/fixtures/default/main.tf
@@ -0,0 +1,66 @@
+module "test" {
+ source = "../../.."
+
+ name = "test-vpc"
+ project = var.project
+
+ # The following rules test each of the dynamic blocks in various combinations. This should
+ # provide decent examples of how create different types of firewall rules.
+
+ rules = [
+ {
+ allow = [
+ {
+ ports = ["22", "443"]
+ protocol = "tcp"
+ },
+ {
+ ports = ["53"]
+ protocol = "udp"
+ }
+ ]
+
+ direction = "INGRESS"
+
+ name = "test-01"
+
+ ranges = [
+ "130.211.0.0/22",
+ "35.191.0.0/16"
+ ]
+ },
+
+ {
+ deny = [
+ {
+ ports = ["80"]
+ protocol = "tcp"
+ }
+ ]
+
+ direction = "EGRESS"
+ log_config_enabled = false
+ name = "test-02"
+ ranges = ["35.235.240.0/20"]
+ },
+
+ {
+ allow = [
+ {
+ ports = ["5432"]
+ protocol = "tcp"
+ }
+ ]
+
+ direction = "INGRESS"
+ log_config_metadata = "EXCLUDE_ALL_METADATA"
+ name = "test-03"
+ ranges = ["10.0.0.8/32"]
+ }
+ ]
+
+ # In order to test this we would need a new project created in the google-cloud-terraform-testing
+ # repository. The existing projects are already a shared VPC host or service projects.
+
+ shared_vpc = false
+}
diff --git a/tests/fixtures/default/regional/main.tf b/tests/fixtures/default/regional/main.tf
new file mode 100644
index 0000000..8c8d822
--- /dev/null
+++ b/tests/fixtures/default/regional/main.tf
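Review bot: The comment above the `rules` list reads `provide decent examples of how create different types of firewall rules`; it should read `how to create`. Since this fixture is also the only worked example of the `rules` object shape in the patch, that comment would be more useful if it named what each entry exercises, e.g. `# test-01: allow with explicit ranges; test-02: EGRESS deny with logging disabled; test-03: allow with log_config_metadata overridden`, so a reader can map the three entries to the dynamic blocks the comment refers to.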
@@ -0,0 +1,30 @@
+module "test" {
+ source = "../../../../regional"
+
+ ip_cidr_range = "10.60.32.0/20"
+ name = "terraform-test-subnet-us-east1"
+ network = "terraform-test-vpc"
+
+ # When enabled, VMs in this subnetwork without external IP addresses can access Google APIs and
+ # services by using Private Google Access. This is required for private Kubernetes clusters.
+
+ private_ip_google_access = true
+ project = var.project
+ region = "us-east1"
+
+ # Secondary ranges are used to allocate IP addresses to resources in a subnetwork. In this example we create Pod IP address ranges
+ # and Service (ClusterIP) address ranges for a VPC-native cluster.
+
+ # https://cloud.google.com/kubernetes-engine/docs/concepts/alias-ips
+
+ secondary_ip_ranges = [
+ {
+ range_name = "k8s-services-us-east1"
+ ip_cidr_range = "10.61.16.0/20"
+ },
+ {
+ range_name = "k8s-pods-us-east1"
+ ip_cidr_range = "10.8.0.0/14"
+ }
+ ]
+}
diff --git a/tests/fixtures/default/regional/outputs.tf b/tests/fixtures/default/regional/outputs.tf
new file mode 100644
index 0000000..f15193c
--- /dev/null
+++ b/tests/fixtures/default/regional/outputs.tf
@@ -0,0 +1,3 @@
+output "project" {
+ value = var.project
+}
diff --git a/tests/fixtures/default/regional/variables.tf b/tests/fixtures/default/regional/variables.tf
new file mode 100644
index 0000000..e47327f
--- /dev/null
+++ b/tests/fixtures/default/regional/variables.tf
@@ -0,0 +1,4 @@
+variable "project" {
+ type = string
+ default = "test-default-tf75-sb"
+}
diff --git a/tests/fixtures/default/regional_nat/main.tf b/tests/fixtures/default/regional_nat/main.tf
new file mode 100644
index 0000000..4199e70
--- /dev/null
+++ b/tests/fixtures/default/regional_nat/main.tf
@@ -0,0 +1,24 @@
+module "test" {
+ source = "../../../../regional/nat"
+
+ # Cloud NAT (network address translation) lets certain resources without external IP addresses create outbound connections to the internet.
+ # https://cloud.google.com/nat/docs/overview
+
+ network = "terraform-test-vpc"
+ project = var.project
+ region = "us-east1"
+}
+
+module "test1" {
+ source = "../../../../regional/nat"
+
+ # Cloud NAT (network address translation) lets certain resources without external IP addresses create outbound connections to the internet.
+ # https://cloud.google.com/nat/docs/overview
+
+ network = "terraform-test-vpc"
+ prefix = "terraform-test-vpc-subnetworks"
+ project = var.project
+ region = "us-east1"
+ source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
+ subnetwork_names = ["fleet-member-us-east1"]
+}
diff --git a/tests/fixtures/default/regional_nat/outputs.tf b/tests/fixtures/default/regional_nat/outputs.tf
new file mode 100644
index 0000000..29acc73
--- /dev/null
+++ b/tests/fixtures/default/regional_nat/outputs.tf
@@ -0,0 +1,10 @@
+# Terraform Output Values
+# https://www.terraform.io/language/values/outputs
+
+output "name" {
+ value = module.test.name
+}
+
+output "project" {
+ value = module.test.project
+}
diff --git a/tests/fixtures/default/regional_nat/variables.tf b/tests/fixtures/default/regional_nat/variables.tf
new file mode 100644
index 0000000..78a3c04
--- /dev/null
+++ b/tests/fixtures/default/regional_nat/variables.tf
@@ -0,0 +1,7 @@
+# Terraform Input Variables
+# https://www.terraform.io/language/values/variables
+
+variable "project" {
+ type = string
+ default = "test-default-tf75-sb"
+}
diff --git a/tests/fixtures/default/variables.tf b/tests/fixtures/default/variables.tf
new file mode 100644
index 0000000..5d7b3ff
--- /dev/null
+++ b/tests/fixtures/default/variables.tf
@@ -0,0 +1,3 @@
+variable "project" {
+ description = "The ID of the project in which the resource belongs"
+}
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..c3d287d
--- /dev/null
+++ b/variables.tf
@@ -0,0 +1,47 @@
+variable "name" {
+ description = "Name of the network to create"
+ type = string
+ default = "osinfra-vpc"
+}
+
+variable "project" {
+ description = "The ID of the project in which the resource belongs"
+}
+
+variable "rules" {
+ description = "List of firewall rule definitions"
+ type = list(object({
+ allow = optional(list(object({
+ ports = list(string)
+ protocol = string
+ })), [])
+
+ deny = optional(list(object({
+ ports = list(string)
+ protocol = string
+ })), [])
+
+ description = optional(string)
+ direction = string
+ log_config_enabled = optional(bool, true)
+ log_config_metadata = optional(string, "INCLUDE_ALL_METADATA")
+ name = string
+ priority = optional(number)
+ ranges = optional(list(string))
+ source_tags = optional(list(string))
+ target_tags = optional(list(string))
+ }))
+ default = []
+}
+
+variable "shared_vpc" {
+ description = "Enable VPC sharing"
+ type = bool
+ default = false
+}
+
+variable "shared_vpc_service_projects" {
+ description = "The set of service projects to attach to the shared VPC"
+ type = set(string)
+ default = []
+}
From 6395f3423de8eff0e6bd7490f2010f831daf6325 Mon Sep 17 00:00:00 2001 From: Brett Curtis Date: Sun, 21 Jul 2024 08:31:55 -0400 Subject: [PATCH 2/4] Use Terraform test mock providers --- .pre-commit-config.yaml | 2 +- tests/default.tftest.hcl | 39 +++++++++++++++++-- tests/fixtures/default/dns/main.tf | 39 ++++++++++--------- tests/fixtures/default/main.tf | 11 ++++++ tests/fixtures/default/regional/main.tf | 11 ++++++ tests/fixtures/default/regional_nat/main.tf | 21 ++++++---- .../fixtures/default/regional_nat/outputs.tf | 4 +- 7 files changed, 95 insertions(+), 32 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 9bff724..550152e 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
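Review bot: In the `rules` object type, `ranges`, `source_tags` and `target_tags` are all `optional` with no default, so a rule entry can be declared with none of them set and nothing in this variable rejects it. If the root module forwards an unset `ranges` through as the firewall's source ranges (main.tf is not in this excerpt, so this is inferred), the GCP API treats an INGRESS rule with no source ranges and no source tags as matching all sources, which is rarely the intent behind an `allow` entry. A `validation` block on `rules` with condition `alltrue([for r in var.rules : r.direction != "INGRESS" || r.ranges != null || r.source_tags != null])` would reject such entries at plan time; the same block could confine `direction` to `INGRESS`/`EGRESS` and `priority` to the 0–65535 range the API accepts.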
@@ -29,7 +29,7 @@ repos: - id: terraform_docs - repo: https://github.com/bridgecrewio/checkov.git - rev: 3.2.186 + rev: 3.2.195 hooks: - id: checkov verbose: true diff --git a/tests/default.tftest.hcl b/tests/default.tftest.hcl index 6312099..b3537cc 100644 --- a/tests/default.tftest.hcl +++ b/tests/default.tftest.hcl @@ -1,3 +1,5 @@ +mock_provider "google" {} + run "default" { command = apply @@ -15,9 +17,40 @@ run "default" { error_message = "The project ID does not match the expected value 'test-default-tf75-sb'." } - assert { - condition = module.test.self_link == "https://www.googleapis.com/compute/v1/projects/test-default-tf75-sb/global/networks/test-vpc" - error_message = "The self link does not match the expected URL." + variables { + project = "test-default-tf75-sb" + } +} + +run "dns" { + command = apply + + module { + source = "./tests/fixtures/default/dns" + } + + variables { + project = "test-default-tf75-sb" + } +} + +run "regional" { + command = apply + + module { + source = "./tests/fixtures/default/regional" + } + + variables { + project = "test-default-tf75-sb" + } +} + +run "regional_nat" { + command = apply + + module { + source = "./tests/fixtures/default/regional_nat" } variables { diff --git a/tests/fixtures/default/dns/main.tf b/tests/fixtures/default/dns/main.tf index f086360..5513957 100644 --- a/tests/fixtures/default/dns/main.tf +++ b/tests/fixtures/default/dns/main.tf 
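Review bot: With `mock_provider "google" {}` in place, the two `assert` blocks left in `run "default"` compare `module.test.name` and `module.test.project` against the very values passed in through `variables`, so they cannot fail unless the module drops an input, and the new `run "dns"`, `run "regional"` and `run "regional_nat"` blocks contain no `assert` at all and only confirm that apply does not error. Computed attributes can still be asserted under mocks by giving the mock a fixed value: a `mock_resource "google_compute_network"` block inside `mock_provider "google"` with `defaults = { self_link = "<expected self link>" }` would let the dropped `self_link` assertion return. At minimum each added run block should assert one output of the fixture it exercises. The `@@ -15,9 +17,40 @@` hunk appears to be cut short after the final `variables {` line, so the closing lines of `run "regional_nat"` are not visible here.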
@@ -1,11 +1,18 @@ -module "private_test" { - - # This module will be consumed using the source address of the github repo and not the "../../../global" used in this test. - # source = "github.com/osinfra-io/terraform-google-cloud-dns//global?ref=v0.0.0" +# Required Providers +# https://developer.hashicorp.com/terraform/language/providers/requirements + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} +module "public_test" { source = "../../../../dns" - dns_name = "gcp-priv.osinfra.io." + dns_name = "gcp.osinfra.io." labels = { cost-center = "x000" @@ -14,20 +21,15 @@ module "private_test" { team = "testing" } - name = "gcp-priv-osinfra-io" - private_visibility_config_networks = ["https://www.googleapis.com/compute/v1/projects/${var.project}/global/networks/terraform-test-vpc"] - project = var.project - visibility = "private" + name = "gcp-osinfra-io" + project = var.project + visibility = "public" } -module "public_test" { - - # This module will be consumed using the source address of the github repo and not the "../../../global" used in this test. - # source = "github.com/osinfra-io/terraform-google-cloud-dns//global?ref=v0.0.0" - +module "private_test" { source = "../../../../dns" - dns_name = "gcp.osinfra.io." + dns_name = "gcp-priv.osinfra.io." labels = { cost-center = "x000" @@ -36,7 +38,8 @@ module "public_test" { team = "testing" } - name = "gcp-osinfra-io" - project = var.project - visibility = "public" + name = "gcp-priv-osinfra-io" + private_visibility_config_networks = ["https://www.googleapis.com/compute/v1/projects/${var.project}/global/networks/terraform-test-vpc"] + project = var.project + visibility = "private" } diff --git a/tests/fixtures/default/main.tf b/tests/fixtures/default/main.tf index f02e267..9b5d6c7 100644 --- a/tests/fixtures/default/main.tf +++ b/tests/fixtures/default/main.tf 
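Review bot: The new `required_providers` block declares `source = "hashicorp/google"` with no `version` constraint, so `terraform init` for the tests resolves whatever the newest provider release is at run time; the identical block is added to tests/fixtures/default/main.tf, tests/fixtures/default/regional/main.tf and tests/fixtures/default/regional_nat/main.tf in the following hunks. A mocked provider still needs the real provider installed for its schema, so an unpinned version lets an upstream release change or break the test with no change in this repository. Add `version = "<constraint matching the root module>"` next to `source` in each fixture, aligned with whatever the root module requires (its own constraint is not in this excerpt).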
@@ -1,3 +1,14 @@ +# Required Providers +# https://developer.hashicorp.com/terraform/language/providers/requirements + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + module "test" { source = "../../.." diff --git a/tests/fixtures/default/regional/main.tf b/tests/fixtures/default/regional/main.tf index 8c8d822..f23018d 100644 --- a/tests/fixtures/default/regional/main.tf +++ b/tests/fixtures/default/regional/main.tf @@ -1,3 +1,14 @@ +# Required Providers +# https://developer.hashicorp.com/terraform/language/providers/requirements + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + module "test" { source = "../../../../regional" diff --git a/tests/fixtures/default/regional_nat/main.tf b/tests/fixtures/default/regional_nat/main.tf index 4199e70..9349834 100644 --- a/tests/fixtures/default/regional_nat/main.tf +++ b/tests/fixtures/default/regional_nat/main.tf @@ -1,20 +1,25 @@ -module "test" { - source = "../../../../regional/nat" +# Required Providers +# https://developer.hashicorp.com/terraform/language/providers/requirements - # Cloud NAT (network address translation) lets certain resources without external IP addresses create outbound connections to the internet. - # https://cloud.google.com/nat/docs/overview +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +module "all_subnets_test" { + source = "../../../../regional/nat" network = "terraform-test-vpc" project = var.project region = "us-east1" } -module "test1" { +module "list_of_subnets_test" { source = "../../../../regional/nat" - # Cloud NAT (network address translation) lets certain resources without external IP addresses create outbound connections to the internet. - # https://cloud.google.com/nat/docs/overview - network = "terraform-test-vpc" prefix = "terraform-test-vpc-subnetworks" project = var.project 
diff --git a/tests/fixtures/default/regional_nat/outputs.tf b/tests/fixtures/default/regional_nat/outputs.tf index 29acc73..4f38451 100644 --- a/tests/fixtures/default/regional_nat/outputs.tf +++ b/tests/fixtures/default/regional_nat/outputs.tf @@ -2,9 +2,9 @@ # https://www.terraform.io/language/values/outputs output "name" { - value = module.test.name + value = module.all_subnets_test.name } output "project" { - value = module.test.project + value = module.all_subnets_test.project } From 9e447dbc98fa71236fb9be3351c43ec98c7a2a79 Mon Sep 17 00:00:00 2001 From: Brett Curtis Date: Sun, 21 Jul 2024 08:51:35 -0400 Subject: [PATCH 3/4] Update variables.tf Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> --- variables.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/variables.tf b/variables.tf index c3d287d..e1dff70 100644 --- a/variables.tf +++ b/variables.tf @@ -6,6 +6,7 @@ variable "name" { variable "project" { description = "The ID of the project in which the resource belongs" + type = string } variable "rules" { @@ -44,4 +45,4 @@ variable "shared_vpc_service_projects" { description = "The set of service projects to attach to the shared VPC" type = set(string) default = [] -} +} From c7a7de033e022d1c5264667022f2943720b3cd76 Mon Sep 17 00:00:00 2001 From: Brett Curtis Date: Sun, 21 Jul 2024 08:55:01 -0400 Subject: [PATCH 4/4] Fix formatting --- README.md | 2 +- variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 4fa2987..608889d 100644 --- a/README.md +++ b/README.md 
@@ -88,7 +88,7 @@ terraform test | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | name | Name of the network to create | `string` | `"osinfra-vpc"` | no | -| project | The ID of the project in which the resource belongs | `any` | n/a | yes | +| project | The ID of the project in which the resource belongs | `string` | n/a | yes | | rules | List of firewall rule definitions | ```list(object({ allow = optional(list(object({ ports = list(string) protocol = string })), []) deny = optional(list(object({ ports = list(string) protocol = string })), []) description = optional(string) direction = string log_config_enabled = optional(bool, true) log_config_metadata = optional(string, "INCLUDE_ALL_METADATA") name = string priority = optional(number) ranges = optional(list(string)) source_tags = optional(list(string)) target_tags = optional(list(string)) }))``` | `[]` | no | | shared\_vpc | Enable VPC sharing | `bool` | `false` | no | | shared\_vpc\_service\_projects | The set of service projects to attach to the shared VPC | `set(string)` | `[]` | no | diff --git a/variables.tf b/variables.tf index e1dff70..3586461 100644 --- a/variables.tf +++ b/variables.tf @@ -6,7 +6,7 @@ variable "name" { variable "project" { description = "The ID of the project in which the resource belongs" - type = string + type = string } variable "rules" {