feat: support IP Masquerade agent (#54)
* feature: support IP Masquerade agent

* feature: support IP Masquerade agent

* feature: support IP Masquerade agent

* feature: support IP Masquerade agent

* feature: private_ip_google_access

Co-authored-by: Bharath KKB <[email protected]>
diegolnasc and bharathkkb authored Jul 28, 2022
1 parent a482a8a commit 5d8ea7f
Showing 19 changed files with 1,595 additions and 226 deletions.
48 changes: 29 additions & 19 deletions build/int.cloudbuild.yaml
Expand Up @@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.

timeout: 3600s
timeout: 7200s
steps:
- id: prepare
name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
Expand All @@ -30,39 +30,49 @@ steps:

# ----- SUITE simple-composer-env-v1-local

- id: converge simple-composer-env-v1-local
- id: init-simple-composer-env-v1
waitFor:
- create all
- prepare
name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
args: ['/bin/bash', '-c', 'cft test run TestSimpleComposerEnvV1Module --stage init --verbose']
- id: apply-simple-composer-env-v1
waitFor:
- init-simple-composer-env-v1
name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge simple-composer-env-v1-local']
- id: verify simple-composer-env-v1-local
args: ['/bin/bash', '-c', 'cft test run TestSimpleComposerEnvV1Module --stage apply --verbose']
- id: verify-simple-composer-env-v1
waitFor:
- converge simple-composer-env-v1-local
- apply-simple-composer-env-v1
name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify simple-composer-env-v1-local']
- id: destroy simple-composer-env-v1-local
args: ['/bin/bash', '-c', 'cft test run TestSimpleComposerEnvV1Module --stage verify --verbose']
- id: destroy-simple-composer-env-v1
waitFor:
- verify simple-composer-env-v1-local
- verify-simple-composer-env-v1
name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy simple-composer-env-v1-local']
args: ['/bin/bash', '-c', 'cft test run TestSimpleComposerEnvV1Module --stage destroy --verbose']

# ----- SUITE simple-composer-env-v2-local

- id: converge simple-composer-env-v2-local
- id: init-simple-composer-env-v2
waitFor:
- create all
- prepare
name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
args: ['/bin/bash', '-c', 'cft test run TestSimpleComposerEnvV2Module --stage init --verbose']
- id: apply-simple-composer-env-v2
waitFor:
- init-simple-composer-env-v2
name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge simple-composer-env-v2-local']
- id: verify simple-composer-env-v2-local
args: ['/bin/bash', '-c', 'cft test run TestSimpleComposerEnvV2Module --stage apply --verbose']
- id: verify-simple-composer-env-v2
waitFor:
- converge simple-composer-env-v2-local
- apply-simple-composer-env-v2
name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify simple-composer-env-v2-local']
- id: destroy simple-composer-env-v2-local
args: ['/bin/bash', '-c', 'cft test run TestSimpleComposerEnvV2Module --stage verify --verbose']
- id: destroy-simple-composer-env-v2
waitFor:
- verify simple-composer-env-v2-local
- verify-simple-composer-env-v2
name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy simple-composer-env-v2-local']
args: ['/bin/bash', '-c', 'cft test run TestSimpleComposerEnvV2Module --stage destroy --verbose']

# ----- SUITE airflow-connection-local

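Review bot: The suite banners at the unchanged comment lines `# ----- SUITE simple-composer-env-v1-local` and `# ----- SUITE simple-composer-env-v2-local` still describe Kitchen suites, but every step under them now runs `cft test run TestSimpleComposerEnvV1Module` / `TestSimpleComposerEnvV2Module` and the `-local` suffix is gone from each step id, so the comments no longer match the steps they head. Rename them to `# ----- TestSimpleComposerEnvV1Module (cft test)` and `# ----- TestSimpleComposerEnvV2Module (cft test)` so a reader grepping a step id lands on the right banner. The two init steps also changed `waitFor` from `create all` to `prepare`; if the Kitchen `create all` step still exists outside this hunk for the remaining airflow-connection suite, both frameworks now provision concurrently in the same test project, which is presumably intended but deserves a one-line comment. The `timeout: 7200s` bump at the top of the file is likewise left unexplained.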
24 changes: 0 additions & 24 deletions kitchen.yml
Expand Up @@ -24,30 +24,6 @@ platforms:
- name: local

suites:
- name: simple-composer-env-v1
driver:
name: terraform
command_timeout: 3600
root_module_directory: test/fixtures/simple-composer-env-v1
verifier:
name: terraform
systems:
- name: simple-composer-env-v1
backend: local
provisioner:
name: terraform
- name: simple-composer-env-v2
driver:
name: terraform
command_timeout: 3600
root_module_directory: test/fixtures/simple-composer-env-v2
verifier:
name: terraform
systems:
- name: simple-composer-env-v2
backend: local
provisioner:
name: terraform
- name: airflow-connection
driver:
name: terraform
1 change: 1 addition & 0 deletions modules/create_environment_v1/README.md
Expand Up @@ -32,6 +32,7 @@ module "composer" {
| composer\_env\_name | Name of Cloud Composer Environment | `string` | n/a | yes |
| composer\_service\_account | Service Account for running Cloud Composer. | `string` | `null` | no |
| disk\_size | The disk size for nodes. | `string` | `"100"` | no |
| enable\_ip\_masq\_agent | Deploys 'ip-masq-agent' daemon set in the GKE cluster and defines nonMasqueradeCIDRs equals to pod IP range so IP masquerading is used for all destination addresses, except between pods traffic. | `bool` | `false` | no |
| enable\_private\_endpoint | Configure public access to the cluster endpoint. | `bool` | `false` | no |
| env\_variables | Variables of the airflow environment. | `map(string)` | `{}` | no |
| image\_version | The version of the aiflow running in the cloud composer environment. | `string` | `null` | no |
17 changes: 9 additions & 8 deletions modules/create_environment_v1/main.tf
Expand Up @@ -31,14 +31,15 @@ resource "google_composer_environment" "composer_env" {
node_count = var.node_count

node_config {
zone = var.zone
machine_type = var.machine_type
network = "projects/${local.network_project_id}/global/networks/${var.network}"
subnetwork = "projects/${local.network_project_id}/regions/${local.subnetwork_region}/subnetworks/${var.subnetwork}"
service_account = var.composer_service_account
disk_size_gb = var.disk_size
oauth_scopes = var.oauth_scopes
tags = var.tags
zone = var.zone
machine_type = var.machine_type
network = "projects/${local.network_project_id}/global/networks/${var.network}"
subnetwork = "projects/${local.network_project_id}/regions/${local.subnetwork_region}/subnetworks/${var.subnetwork}"
service_account = var.composer_service_account
disk_size_gb = var.disk_size
oauth_scopes = var.oauth_scopes
tags = var.tags
enable_ip_masq_agent = var.enable_ip_masq_agent

dynamic "ip_allocation_policy" {
for_each = var.use_ip_aliases ? [1] : []
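Review bot: The new `enable_ip_masq_agent = var.enable_ip_masq_agent` line in `node_config` carries no comment on what it changes for traffic, and the same applies to the matching line added in modules/create_environment_v2/main.tf. Per the variable description, enabling it masquerades pod egress behind node addresses for every destination except pod-to-pod, so VPC firewall rules or peer allow-lists keyed on the pod secondary range will stop matching Composer worker traffic once a caller sets it to true; a comment such as `# Masquerades pod egress behind node IPs (except pod-to-pod); firewall rules keyed on the pod range must allow the node range instead` would spare the next operator that surprise. This commit also adds a `provider_meta "google-beta"` block in versions.tf, which suggests the attribute needs the beta provider; the `resource "google_composer_environment"` header is above this hunk, so confirm the resource is pinned to `google-beta` (or that the pinned `google` provider version exposes the attribute).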
6 changes: 6 additions & 0 deletions modules/create_environment_v1/variables.tf
Expand Up @@ -100,6 +100,12 @@ variable "tags" {
default = []
}

variable "enable_ip_masq_agent" {
description = "Deploys 'ip-masq-agent' daemon set in the GKE cluster and defines nonMasqueradeCIDRs equals to pod IP range so IP masquerading is used for all destination addresses, except between pods traffic."
type = bool
default = false
}

variable "use_ip_aliases" {
description = "Enable Alias IPs in the GKE cluster. If true, a VPC-native cluster is created."
type = bool
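Review bot: The description of the new `enable_ip_masq_agent` variable reads `defines nonMasqueradeCIDRs equals to pod IP range`, which is ungrammatical, and the same text appears verbatim in modules/create_environment_v2/variables.tf and in both module READMEs (presumably generated from it). Change it to `Deploys the 'ip-masq-agent' DaemonSet in the GKE cluster and sets nonMasqueradeCIDRs to the pod IP range, so IP masquerading is applied to all destinations except pod-to-pod traffic.` and regenerate the READMEs so the input tables stay in sync.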
4 changes: 4 additions & 0 deletions modules/create_environment_v1/versions.tf
Expand Up @@ -33,4 +33,8 @@ terraform {
module_name = "blueprints/terraform/terraform-google-composer:create_environment_v1/v3.2.0"
}

provider_meta "google-beta" {
module_name = "blueprints/terraform/terraform-google-composer:create_environment_v1/v3.2.0"
}

}
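Review bot: The new `provider_meta "google-beta"` block has no matching `required_providers` entry visible in this hunk; the `terraform {` header and any `required_providers` block sit above it, so confirm `google-beta` is declared there with a version constraint, since the `google` constraint alone does not pin the beta provider the composer resource now appears to rely on. The `module_name` string is also duplicated verbatim between the two `provider_meta` blocks, so the `v3.2.0` suffix must now be bumped in two places on every release; check that the project's release tooling rewrites both, or note the duplication in a comment.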
1 change: 1 addition & 0 deletions modules/create_environment_v2/README.md
Expand Up @@ -22,6 +22,7 @@ module "composer" {
| cloud\_sql\_ipv4\_cidr | The CIDR block from which IP range in tenant project will be reserved for Cloud SQL. | `string` | `null` | no |
| composer\_env\_name | Name of Cloud Composer Environment | `string` | n/a | yes |
| composer\_service\_account | Service Account for running Cloud Composer. | `string` | `null` | no |
| enable\_ip\_masq\_agent | Deploys 'ip-masq-agent' daemon set in the GKE cluster and defines nonMasqueradeCIDRs equals to pod IP range so IP masquerading is used for all destination addresses, except between pods traffic. | `bool` | `false` | no |
| enable\_private\_endpoint | Configure public access to the cluster endpoint. | `bool` | `false` | no |
| env\_variables | Variables of the airflow environment. | `map(string)` | `{}` | no |
| environment\_size | The environment size controls the performance parameters of the managed Cloud Composer infrastructure that includes the Airflow database. Values for environment size are: ENVIRONMENT\_SIZE\_SMALL, ENVIRONMENT\_SIZE\_MEDIUM, and ENVIRONMENT\_SIZE\_LARGE. | `string` | `"ENVIRONMENT_SIZE_MEDIUM"` | no |
9 changes: 5 additions & 4 deletions modules/create_environment_v2/main.tf
Expand Up @@ -37,10 +37,11 @@ resource "google_composer_environment" "composer_env" {
environment_size = var.environment_size

node_config {
network = "projects/${local.network_project_id}/global/networks/${var.network}"
subnetwork = "projects/${local.network_project_id}/regions/${local.subnetwork_region}/subnetworks/${var.subnetwork}"
service_account = var.composer_service_account
tags = var.tags
network = "projects/${local.network_project_id}/global/networks/${var.network}"
subnetwork = "projects/${local.network_project_id}/regions/${local.subnetwork_region}/subnetworks/${var.subnetwork}"
service_account = var.composer_service_account
tags = var.tags
enable_ip_masq_agent = var.enable_ip_masq_agent

dynamic "ip_allocation_policy" {
for_each = (var.pod_ip_allocation_range_name != null || var.service_ip_allocation_range_name != null) ? [1] : []
6 changes: 6 additions & 0 deletions modules/create_environment_v2/variables.tf
Expand Up @@ -42,6 +42,12 @@ variable "tags" {
default = []
}

variable "enable_ip_masq_agent" {
description = "Deploys 'ip-masq-agent' daemon set in the GKE cluster and defines nonMasqueradeCIDRs equals to pod IP range so IP masquerading is used for all destination addresses, except between pods traffic."
type = bool
default = false
}

variable "network" {
type = string
description = "The VPC network to host the composer cluster."
11 changes: 6 additions & 5 deletions test/fixtures/simple-composer-env-v1/network.tf
Expand Up @@ -21,11 +21,12 @@ resource "google_compute_network" "main" {
}

resource "google_compute_subnetwork" "main" {
project = var.project_id
name = "ci-composer-test-${random_string.suffix.result}"
ip_cidr_range = "10.0.0.0/17"
region = var.region
network = google_compute_network.main.self_link
project = var.project_id
name = "ci-composer-test-${random_string.suffix.result}"
ip_cidr_range = "10.0.0.0/17"
region = var.region
network = google_compute_network.main.self_link
private_ip_google_access = true

secondary_ip_range {
range_name = "ci-composer-test-pods-${random_string.suffix.result}"
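Review bot: `private_ip_google_access = true` is added to the fixture subnetwork without a comment saying why the test needs it, even though the commit message lists it as a separate feature bullet. If the intent is to let nodes without external addresses reach Google APIs (for example to pull the ip-masq-agent image or talk to the Composer control plane), say so on the line: `# Private Google Access: nodes without external IPs must still reach Google APIs`. If the fixture nodes do have external IPs, the setting is harmless, but the comment should then state that it mirrors the recommended production subnet configuration.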
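--- /dev/null
+++ b/test/integration/discover_test.go
@@ -0,0 +1,29 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package test
+
+import (
+// should be imported to enable testing for GO modules
+"testing"
+
+// should be imported to use terraform helpers in blueprints test framework
+"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
+)
+
+// entry function for the test; can be named as Test*
+func TestAll(t *testing.T) {
+// the helper to autodiscover and test blueprint examples
+tft.AutoDiscoverAndTest(t)
+}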
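Review bot: `TestAll` relies on `tft.AutoDiscoverAndTest` to find examples, while build/int.cloudbuild.yaml invokes `cft test run TestSimpleComposerEnvV1Module` and `TestSimpleComposerEnvV2Module`; neither name is defined in this file, so they presumably live in test files among the changed files not shown on this page — confirm they exist, otherwise the new CI steps have no test to run. The import comments `// should be imported to enable testing for GO modules` and `// should be imported to use terraform helpers in blueprints test framework` restate what an import is and can be dropped; a short doc comment on `TestAll` naming the directories the discovery walks would be more useful to the next maintainer.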
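--- /dev/null
+++ b/test/integration/go.mod
@@ -0,0 +1,73 @@
+module github.com/terraform-google-modules/terraform-google-composer/test/integration
+
+go 1.17
+
+require (
+github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.1.0
+github.com/stretchr/testify v1.8.0
+)
+
+require (
+cloud.google.com/go v0.83.0 // indirect
+cloud.google.com/go/storage v1.10.0 // indirect
+github.com/PuerkitoBio/purell v1.1.1 // indirect
+github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
+github.com/agext/levenshtein v1.2.3 // indirect
+github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
+github.com/aws/aws-sdk-go v1.40.56 // indirect
+github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
+github.com/davecgh/go-spew v1.1.1 // indirect
+github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0 // indirect
+github.com/go-openapi/jsonpointer v0.19.3 // indirect
+github.com/go-openapi/jsonreference v0.19.3 // indirect
+github.com/go-openapi/swag v0.19.5 // indirect
+github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect
+github.com/golang/protobuf v1.5.2 // indirect
+github.com/golang/snappy v0.0.3 // indirect
+github.com/googleapis/gax-go/v2 v2.0.5 // indirect
+github.com/gruntwork-io/terratest v0.40.18 // indirect
+github.com/hashicorp/errwrap v1.0.0 // indirect
+github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+github.com/hashicorp/go-getter v1.6.1 // indirect
+github.com/hashicorp/go-multierror v1.1.0 // indirect
+github.com/hashicorp/go-safetemp v1.0.0 // indirect
+github.com/hashicorp/go-version v1.3.0 // indirect
+github.com/hashicorp/hcl/v2 v2.9.1 // indirect
+github.com/hashicorp/terraform-json v0.13.0 // indirect
+github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a // indirect
+github.com/jmespath/go-jmespath v0.4.0 // indirect
+github.com/jstemmer/go-junit-report v0.9.1 // indirect
+github.com/klauspost/compress v1.13.0 // indirect
+github.com/mailru/easyjson v0.7.0 // indirect
+github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326 // indirect
+github.com/mitchellh/go-homedir v1.1.0 // indirect
+github.com/mitchellh/go-testing-interface v1.14.2-0.20210217184823-a52172cd2f64 // indirect
+github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+github.com/pmezard/go-difflib v1.0.0 // indirect
+github.com/tidwall/gjson v1.12.1 // indirect
+github.com/tidwall/match v1.1.1 // indirect
+github.com/tidwall/pretty v1.2.0 // indirect
+github.com/tidwall/sjson v1.2.4 // indirect
+github.com/tmccombs/hcl2json v0.3.3 // indirect
+github.com/ulikunitz/xz v0.5.8 // indirect
+github.com/zclconf/go-cty v1.9.1 // indirect
+go.opencensus.io v0.23.0 // indirect
+golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a // indirect
+golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect
+golang.org/x/mod v0.4.2 // indirect
+golang.org/x/net v0.0.0-20210614182718-04defd469f4e // indirect
+golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c // indirect
+golang.org/x/sys v0.0.0-20220517195934-5e4e11fc645e // indirect
+golang.org/x/text v0.3.6 // indirect
+golang.org/x/tools v0.1.2 // indirect
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+google.golang.org/api v0.47.0 // indirect
+google.golang.org/appengine v1.6.7 // indirect
+google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c // indirect
+google.golang.org/grpc v1.38.0 // indirect
+google.golang.org/protobuf v1.26.0 // indirect
+gopkg.in/yaml.v2 v2.4.0 // indirect
+gopkg.in/yaml.v3 v3.0.1 // indirect
+k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e // indirect
+sigs.k8s.io/kustomize/kyaml v0.11.0 // indirect
+)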
