From 830b09c7566f32cbbbf25d557912e5013357a43e Mon Sep 17 00:00:00 2001 From: abhishek kumar tiwari Date: Wed, 14 Aug 2024 17:04:28 +0000 Subject: [PATCH] feat: Change serverless-connector input type and update metadata (#568) Co-authored-by: Bharath KKB --- Makefile | 1 + metadata.yaml | 483 +++++++++++------- modules/fabric-net-firewall/metadata.yaml | 368 ++++++------- modules/fabric-net-svpc-access/metadata.yaml | 226 ++++---- modules/firewall-rules/metadata.yaml | 294 +++++++---- .../metadata.yaml | 167 ++++++ modules/network-firewall-policy/metadata.yaml | 168 ++++++ modules/network-peering/metadata.yaml | 247 ++++----- modules/private-service-connect/metadata.yaml | 258 +++++----- modules/routes-beta/metadata.yaml | 208 ++++---- modules/routes/metadata.yaml | 199 ++++---- modules/subnets-beta/metadata.yaml | 225 ++++---- modules/subnets/metadata.yaml | 216 ++++---- .../vpc-serverless-connector-beta/README.md | 2 +- modules/vpc-serverless-connector-beta/main.tf | 14 +- .../metadata.yaml | 194 ++++--- .../variables.tf | 13 +- modules/vpc/metadata.yaml | 261 +++++----- 18 files changed, 2165 insertions(+), 1379 deletions(-) create mode 100644 modules/hierarchical-firewall-policy/metadata.yaml create mode 100644 modules/network-firewall-policy/metadata.yaml diff --git a/Makefile b/Makefile index 27924640..c49665d6 100644 --- a/Makefile +++ b/Makefile @@ -89,6 +89,7 @@ docker_restore_examples: .PHONY: docker_generate_docs docker_generate_docs: docker run --rm -it \ + -e ENABLE_BPMETADATA \ -v $(CURDIR):/workspace \ $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \ /bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs' diff --git a/metadata.yaml b/metadata.yaml index 8f8ffaa1..c2d77f44 100644 --- a/metadata.yaml +++ b/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,183 +19,306 @@ metadata: annotations: config.kubernetes.io/local-config: "true" spec: - title: Terraform Network Module - source: - repo: https://github.com/terraform-google-modules/terraform-google-network - sourceType: git - version: 9.1.0 - actuationTool: - type: Terraform - version: '>= 0.13.0' - subBlueprints: - - name: fabric-net-firewall - location: modules/fabric-net-firewall - - name: fabric-net-svpc-access - location: modules/fabric-net-svpc-access - - name: firewall-rules - location: modules/firewall-rules - - name: network-peering - location: modules/network-peering - - name: private-service-connect - location: modules/private-service-connect - - name: routes - location: modules/routes - - name: routes-beta - location: modules/routes-beta - - name: subnets - location: modules/subnets - - name: subnets-beta - location: modules/subnets-beta - - name: vpc - location: modules/vpc - - name: vpc-serverless-connector-beta - location: modules/vpc-serverless-connector-beta - examples: - - name: basic_auto_mode - location: examples/basic_auto_mode - - name: basic_custom_mode - location: examples/basic_custom_mode - - name: basic_firewall_rule - location: examples/basic_firewall_rule - - name: basic_secondary_ranges - location: examples/basic_secondary_ranges - - name: basic_shared_vpc - location: examples/basic_shared_vpc - - name: basic_vpc_peering - location: examples/basic_vpc_peering - - name: delete_default_gateway_routes - location: examples/delete_default_gateway_routes - - name: firewall_logging - location: examples/firewall_logging - - name: ilb_routing - location: examples/ilb_routing - - name: multi_vpc - location: examples/multi_vpc - - name: network_service_tiers - location: examples/network_service_tiers - - name: packet_mirroring - location: examples/packet_mirroring - - name: private_service_connect - location: examples/private_service_connect - - name: private_service_connect_google_apis - location: examples/private_service_connect_google_apis - - name: routes - location: examples/routes - - name: secondary_ranges - location: examples/secondary_ranges - - name: simple_project - location: examples/simple_project - - name: simple_project_with_regional_network - location: examples/simple_project_with_regional_network - - name: submodule_firewall - location: examples/submodule_firewall - - name: submodule_network_peering - location: examples/submodule_network_peering - - name: submodule_svpc_access - location: examples/submodule_svpc_access - - name: submodule_vpc_serverless_connector - location: examples/submodule_vpc_serverless_connector - variables: - - name: auto_create_subnetworks - description: When set to true, the network is created in 'auto subnet mode' and it will create a subnet for each region automatically across the 10.128.0.0/9 address range. When set to false, the network is created in 'custom subnet mode' so the user can explicitly connect subnetwork resources. - type: bool - default: false - required: false - - name: delete_default_internet_gateway_routes - description: If set, ensure that all routes within the network specified whose names begin with 'default-route' and with a next hop of 'default-internet-gateway' are deleted - type: bool - default: false - required: false - - name: description - description: An optional description of this resource. The resource must be recreated to modify this field. - type: string - default: "" - required: false - - name: firewall_rules - description: List of firewall rules - type: any - default: [] - required: false - - name: mtu - description: 'The network MTU (If set to 0, meaning MTU is unset - defaults to ''1460''). Recommended values: 1460 (default for historic reasons), 1500 (Internet default), or 8896 (for Jumbo packets). Allowed are all values in the range 1300 to 8896, inclusively.' - type: number - default: 0 - required: false - - name: network_name - description: The name of the network being created - type: string - required: true - - name: project_id - description: The ID of the project where this VPC will be created - type: string - required: true - - name: routes - description: List of routes being created in this VPC - type: list(map(string)) - default: [] - required: false - - name: routing_mode - description: The network routing mode (default 'GLOBAL') - type: string - default: GLOBAL - required: false - - name: secondary_ranges - description: Secondary ranges that will be used in some of the subnets - type: map(list(object({ range_name = string, ip_cidr_range = string }))) - default: {} - required: false - - name: shared_vpc_host - description: Makes this project a Shared VPC host if 'true' (default 'false') - type: bool - default: false - required: false - - name: subnets - description: The list of subnets being created - type: list(object({subnet_name = string, subnet_ip = string, subnet_region = string, subnet_private_access = optional(string), subnet_private_ipv6_access = optional(string), subnet_flow_logs = optional(string), subnet_flow_logs_interval = optional(string), subnet_flow_logs_sampling = optional(string), subnet_flow_logs_metadata = optional(string), subnet_flow_logs_filter = optional(string), subnet_flow_logs_metadata_fields = optional(list(string)), description = optional(string)})) - required: true - outputs: - - name: network - description: The created network - - name: network_id - description: The ID of the VPC being created - - name: network_name - description: The name of the VPC being created - - name: network_self_link - description: The URI of the VPC being created - - name: project_id - description: VPC project id - - name: route_names - description: The route names associated with this VPC - - name: subnets - description: A map with keys of form subnet_region/subnet_name and values being the outputs of the google_compute_subnetwork resources used to create corresponding subnets. - - name: subnets_flow_logs - description: Whether the subnets will have VPC flow logs enabled - - name: subnets_ids - description: The IDs of the subnets being created - - name: subnets_ips - description: The IPs and CIDRs of the subnets being created - - name: subnets_names - description: The names of the subnets being created - - name: subnets_private_access - description: Whether the subnets will have access to Google API's without a public IP - - name: subnets_regions - description: The region where the subnets will be created - - name: subnets_secondary_ranges - description: The secondary ranges associated with these subnets - - name: subnets_self_links - description: The self-links of subnets being created - roles: - - level: Project + info: + title: Terraform Network Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-network.git + sourceType: git + version: 9.1.0 + actuationTool: + flavor: Terraform + version: ">= 1.3" + description: {} + content: + subBlueprints: + - name: fabric-net-firewall + location: modules/fabric-net-firewall + - name: fabric-net-svpc-access + location: modules/fabric-net-svpc-access + - name: firewall-rules + location: modules/firewall-rules + - name: hierarchical-firewall-policy + location: modules/hierarchical-firewall-policy + - name: network-firewall-policy + location: modules/network-firewall-policy + - name: network-peering + location: modules/network-peering + - name: private-service-connect + location: modules/private-service-connect + - name: routes + location: modules/routes + - name: routes-beta + location: modules/routes-beta + - name: subnets + location: modules/subnets + - name: subnets-beta + location: modules/subnets-beta + - name: vpc + location: modules/vpc + - name: vpc-serverless-connector-beta + location: modules/vpc-serverless-connector-beta + examples: + - name: basic_auto_mode + location: examples/basic_auto_mode + - name: basic_custom_mode + location: examples/basic_custom_mode + - name: basic_firewall_rule + location: examples/basic_firewall_rule + - name: basic_secondary_ranges + location: examples/basic_secondary_ranges + - name: basic_shared_vpc + location: examples/basic_shared_vpc + - name: basic_vpc_peering + location: examples/basic_vpc_peering + - name: bidirectional-firewall-rules + location: examples/bidirectional-firewall-rules + - name: delete_default_gateway_routes + location: examples/delete_default_gateway_routes + - name: firewall_logging + location: examples/firewall_logging + - name: global-network-firewall-policy + location: examples/global-network-firewall-policy + - name: hierarchical-firewall-policy + location: examples/hierarchical-firewall-policy + - name: ilb_routing + location: examples/ilb_routing + - name: multi_vpc + location: examples/multi_vpc + - name: network_service_tiers + location: examples/network_service_tiers + - name: packet_mirroring + location: examples/packet_mirroring + - name: private_service_connect + location: examples/private_service_connect + - name: private_service_connect_google_apis + location: examples/private_service_connect_google_apis + - name: regional-network-firewall-policy + location: examples/regional-network-firewall-policy + - name: routes + location: examples/routes + - name: secondary_ranges + location: examples/secondary_ranges + - name: simple_ipv6_project + location: examples/simple_ipv6_project + - name: simple_project + location: examples/simple_project + - name: simple_project_with_regional_network + location: examples/simple_project_with_regional_network + - name: submodule_firewall + location: examples/submodule_firewall + - name: submodule_network_peering + location: examples/submodule_network_peering + - name: submodule_svpc_access + location: examples/submodule_svpc_access + - name: submodule_vpc_serverless_connector + location: examples/submodule_vpc_serverless_connector + interfaces: + variables: + - name: auto_create_subnetworks + description: When set to true, the network is created in 'auto subnet mode' and it will create a subnet for each region automatically across the 10.128.0.0/9 address range. When set to false, the network is created in 'custom subnet mode' so the user can explicitly connect subnetwork resources. + varType: bool + defaultValue: false + - name: delete_default_internet_gateway_routes + description: If set, ensure that all routes within the network specified whose names begin with 'default-route' and with a next hop of 'default-internet-gateway' are deleted + varType: bool + defaultValue: false + - name: description + description: An optional description of this resource. The resource must be recreated to modify this field. + varType: string + defaultValue: "" + - name: egress_rules + description: List of egress rules. This will be ignored if variable 'rules' is non-empty + varType: |- + list(object({ + name = string + description = optional(string, null) + disabled = optional(bool, null) + priority = optional(number, null) + destination_ranges = optional(list(string), []) + source_ranges = optional(list(string), []) + source_tags = optional(list(string)) + source_service_accounts = optional(list(string)) + target_tags = optional(list(string)) + target_service_accounts = optional(list(string)) + + allow = optional(list(object({ + protocol = string + ports = optional(list(string)) + })), []) + deny = optional(list(object({ + protocol = string + ports = optional(list(string)) + })), []) + log_config = optional(object({ + metadata = string + })) + })) + defaultValue: [] + - name: enable_ipv6_ula + description: Enabled IPv6 ULA, this is a permenant change and cannot be undone! (default 'false') + varType: bool + defaultValue: false + - name: firewall_rules + description: This is DEPRICATED and available for backward compatiblity. Use ingress_rules and egress_rules variables. List of firewall rules + varType: |- + list(object({ + name = string + description = optional(string, null) + direction = optional(string, "INGRESS") + disabled = optional(bool, null) + priority = optional(number, null) + ranges = optional(list(string), []) + source_tags = optional(list(string)) + source_service_accounts = optional(list(string)) + target_tags = optional(list(string)) + target_service_accounts = optional(list(string)) + + allow = optional(list(object({ + protocol = string + ports = optional(list(string)) + })), []) + deny = optional(list(object({ + protocol = string + ports = optional(list(string)) + })), []) + log_config = optional(object({ + metadata = string + })) + })) + defaultValue: [] + - name: ingress_rules + description: List of ingress rules. This will be ignored if variable 'rules' is non-empty + varType: |- + list(object({ + name = string + description = optional(string, null) + disabled = optional(bool, null) + priority = optional(number, null) + destination_ranges = optional(list(string), []) + source_ranges = optional(list(string), []) + source_tags = optional(list(string)) + source_service_accounts = optional(list(string)) + target_tags = optional(list(string)) + target_service_accounts = optional(list(string)) + + allow = optional(list(object({ + protocol = string + ports = optional(list(string)) + })), []) + deny = optional(list(object({ + protocol = string + ports = optional(list(string)) + })), []) + log_config = optional(object({ + metadata = string + })) + })) + defaultValue: [] + - name: internal_ipv6_range + description: When enabling IPv6 ULA, optionally, specify a /48 from fd20::/20 (default null) + varType: string + - name: mtu + description: "The network MTU (If set to 0, meaning MTU is unset - defaults to '1460'). Recommended values: 1460 (default for historic reasons), 1500 (Internet default), or 8896 (for Jumbo packets). Allowed are all values in the range 1300 to 8896, inclusively." + varType: number + defaultValue: 0 + - name: network_firewall_policy_enforcement_order + description: Set the order that Firewall Rules and Firewall Policies are evaluated. Valid values are `BEFORE_CLASSIC_FIREWALL` and `AFTER_CLASSIC_FIREWALL`. (default null or equivalent to `AFTER_CLASSIC_FIREWALL`) + varType: string + - name: network_name + description: The name of the network being created + varType: string + required: true + - name: project_id + description: The ID of the project where this VPC will be created + varType: string + required: true + - name: routes + description: List of routes being created in this VPC + varType: list(map(string)) + defaultValue: [] + - name: routing_mode + description: The network routing mode (default 'GLOBAL') + varType: string + defaultValue: GLOBAL + - name: secondary_ranges + description: Secondary ranges that will be used in some of the subnets + varType: map(list(object({ range_name = string, ip_cidr_range = string }))) + defaultValue: {} + - name: shared_vpc_host + description: Makes this project a Shared VPC host if 'true' (default 'false') + varType: bool + defaultValue: false + - name: subnets + description: The list of subnets being created + varType: |- + list(object({ + subnet_name = string + subnet_ip = string + subnet_region = string + subnet_private_access = optional(string) + subnet_private_ipv6_access = optional(string) + subnet_flow_logs = optional(string) + subnet_flow_logs_interval = optional(string) + subnet_flow_logs_sampling = optional(string) + subnet_flow_logs_metadata = optional(string) + subnet_flow_logs_filter = optional(string) + subnet_flow_logs_metadata_fields = optional(list(string)) + description = optional(string) + purpose = optional(string) + role = optional(string) + stack_type = optional(string) + ipv6_access_type = optional(string) + })) + required: true + outputs: + - name: network + description: The created network + - name: network_id + description: The ID of the VPC being created + - name: network_name + description: The name of the VPC being created + - name: network_self_link + description: The URI of the VPC being created + - name: project_id + description: VPC project id + - name: route_names + description: The route names associated with this VPC + - name: subnets + description: A map with keys of form subnet_region/subnet_name and values being the outputs of the google_compute_subnetwork resources used to create corresponding subnets. + - name: subnets_flow_logs + description: Whether the subnets will have VPC flow logs enabled + - name: subnets_ids + description: The IDs of the subnets being created + - name: subnets_ips + description: The IPs and CIDRs of the subnets being created + - name: subnets_names + description: The names of the subnets being created + - name: subnets_private_access + description: Whether the subnets will have access to Google API's without a public IP + - name: subnets_regions + description: The region where the subnets will be created + - name: subnets_secondary_ranges + description: The secondary ranges associated with these subnets + - name: subnets_self_links + description: The self-links of subnets being created + requirements: roles: - - roles/compute.networkAdmin - - roles/compute.securityAdmin - - roles/iam.serviceAccountUser - - roles/vpcaccess.admin - - roles/serviceusage.serviceUsageAdmin - - roles/dns.admin - services: - - cloudresourcemanager.googleapis.com - - compute.googleapis.com - - serviceusage.googleapis.com - - vpcaccess.googleapis.com - - dns.googleapis.com + - level: Project + roles: + - roles/compute.networkAdmin + - roles/compute.securityAdmin + - roles/iam.serviceAccountUser + - roles/vpcaccess.admin + - roles/serviceusage.serviceUsageAdmin + - roles/dns.admin + - roles/resourcemanager.tagAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.orgFirewallPolicyAdmin + services: + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - serviceusage.googleapis.com + - vpcaccess.googleapis.com + - dns.googleapis.com + - networksecurity.googleapis.com + - iam.googleapis.com diff --git a/modules/fabric-net-firewall/metadata.yaml b/modules/fabric-net-firewall/metadata.yaml index c309b37c..ac7ee87f 100644 --- a/modules/fabric-net-firewall/metadata.yaml +++ b/modules/fabric-net-firewall/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,183 +19,191 @@ metadata: annotations: config.kubernetes.io/local-config: "true" spec: - title: Google Cloud VPC Firewall - source: - repo: https://github.com/terraform-google-modules/terraform-google-network - sourceType: git - version: 9.1.0 - actuationTool: - type: Terraform - version: '>= 0.13.0' - examples: - - name: basic_auto_mode - location: examples/basic_auto_mode - - name: basic_custom_mode - location: examples/basic_custom_mode - - name: basic_firewall_rule - location: examples/basic_firewall_rule - - name: basic_secondary_ranges - location: examples/basic_secondary_ranges - - name: basic_shared_vpc - location: examples/basic_shared_vpc - - name: basic_vpc_peering - location: examples/basic_vpc_peering - - name: delete_default_gateway_routes - location: examples/delete_default_gateway_routes - - name: firewall_logging - location: examples/firewall_logging - - name: ilb_routing - location: examples/ilb_routing - - name: multi_vpc - location: examples/multi_vpc - - name: network_service_tiers - location: examples/network_service_tiers - - name: packet_mirroring - location: examples/packet_mirroring - - name: private_service_connect - location: examples/private_service_connect - - name: private_service_connect_google_apis - location: examples/private_service_connect_google_apis - - name: routes - location: examples/routes - - name: secondary_ranges - location: examples/secondary_ranges - - name: simple_project - location: examples/simple_project - - name: simple_project_with_regional_network - location: examples/simple_project_with_regional_network - - name: submodule_firewall - location: examples/submodule_firewall - - name: submodule_network_peering - location: examples/submodule_network_peering - - name: submodule_svpc_access - location: examples/submodule_svpc_access - - name: submodule_vpc_serverless_connector - location: examples/submodule_vpc_serverless_connector - variables: - - name: admin_ranges - description: IP CIDR ranges that have complete access to all subnets. - type: list(string) - default: [] - required: false - - name: admin_ranges_enabled - description: Enable admin ranges-based rules. - type: bool - default: false - required: false - - name: custom_rules - description: List of custom rule definitions (refer to variables file for syntax). - type: |- - map(object({ - description = string - direction = string - action = string # (allow|deny) - ranges = list(string) - sources = list(string) - targets = list(string) - use_service_accounts = bool - rules = list(object({ - protocol = string - ports = list(string) - })) - extra_attributes = map(string) - })) - default: {} - required: false - - name: http_source_ranges - description: List of IP CIDR ranges for tag-based HTTP rule, defaults to 0.0.0.0/0. - type: list(string) - default: - - 0.0.0.0/0 - required: false - - name: http_target_tags - description: List of target tags for tag-based HTTP rule, defaults to http-server. - type: list(string) - default: - - http-server - required: false - - name: https_source_ranges - description: List of IP CIDR ranges for tag-based HTTPS rule, defaults to 0.0.0.0/0. - type: list(string) - default: - - 0.0.0.0/0 - required: false - - name: https_target_tags - description: List of target tags for tag-based HTTPS rule, defaults to https-server. - type: list(string) - default: - - https-server - required: false - - name: internal_allow - description: Allow rules for internal ranges. - type: |- - list(object({ - protocol = string - ports = optional(list(string)) - })) - default: - - protocol: icmp - required: false - - name: internal_ranges - description: IP CIDR ranges for intra-VPC rules. - type: list(string) - default: [] - required: false - - name: internal_ranges_enabled - description: Create rules for intra-VPC ranges. - type: bool - default: false - required: false - - name: internal_target_tags - description: List of target tags for intra-VPC rules. - type: list(string) - default: [] - required: false - - name: network - description: Name of the network this set of firewall rules applies to. - type: string - required: true - - name: project_id - description: Project id of the project that holds the network. - type: string - required: true - - name: ssh_source_ranges - description: List of IP CIDR ranges for tag-based SSH rule, defaults to 0.0.0.0/0. - type: list(string) - default: - - 0.0.0.0/0 - required: false - - name: ssh_target_tags - description: List of target tags for tag-based SSH rule, defaults to ssh. - type: list(string) - default: - - ssh - required: false - outputs: - - name: admin_ranges - description: Admin ranges data. - - name: custom_egress_allow_rules - description: Custom egress rules with allow blocks. - - name: custom_egress_deny_rules - description: Custom egress rules with allow blocks. - - name: custom_ingress_allow_rules - description: Custom ingress rules with allow blocks. - - name: custom_ingress_deny_rules - description: Custom ingress rules with deny blocks. - - name: internal_ranges - description: Internal ranges. - roles: - - level: Project + info: + title: Google Cloud VPC Firewall + source: + repo: https://github.com/terraform-google-modules/terraform-google-network.git + sourceType: git + dir: /modules/fabric-net-firewall + version: 9.1.0 + actuationTool: + flavor: Terraform + version: ">= 1.3" + description: {} + content: + examples: + - name: basic_auto_mode + location: examples/basic_auto_mode + - name: basic_custom_mode + location: examples/basic_custom_mode + - name: basic_firewall_rule + location: examples/basic_firewall_rule + - name: basic_secondary_ranges + location: examples/basic_secondary_ranges + - name: basic_shared_vpc + location: examples/basic_shared_vpc + - name: basic_vpc_peering + location: examples/basic_vpc_peering + - name: bidirectional-firewall-rules + location: examples/bidirectional-firewall-rules + - name: delete_default_gateway_routes + location: examples/delete_default_gateway_routes + - name: firewall_logging + location: examples/firewall_logging + - name: global-network-firewall-policy + location: examples/global-network-firewall-policy + - name: hierarchical-firewall-policy + location: examples/hierarchical-firewall-policy + - name: ilb_routing + location: examples/ilb_routing + - name: multi_vpc + location: examples/multi_vpc + - name: network_service_tiers + location: examples/network_service_tiers + - name: packet_mirroring + location: examples/packet_mirroring + - name: private_service_connect + location: examples/private_service_connect + - name: private_service_connect_google_apis + location: examples/private_service_connect_google_apis + - name: regional-network-firewall-policy + location: examples/regional-network-firewall-policy + - name: routes + location: examples/routes + - name: secondary_ranges + location: examples/secondary_ranges + - name: simple_ipv6_project + location: examples/simple_ipv6_project + - name: simple_project + location: examples/simple_project + - name: simple_project_with_regional_network + location: examples/simple_project_with_regional_network + - name: submodule_firewall + location: examples/submodule_firewall + - name: submodule_network_peering + location: examples/submodule_network_peering + - name: submodule_svpc_access + location: examples/submodule_svpc_access + - name: submodule_vpc_serverless_connector + location: examples/submodule_vpc_serverless_connector + interfaces: + variables: + - name: admin_ranges + description: IP CIDR ranges that have complete access to all subnets. + varType: list(string) + defaultValue: [] + - name: admin_ranges_enabled + description: Enable admin ranges-based rules. + varType: bool + defaultValue: false + - name: custom_rules + description: List of custom rule definitions (refer to variables file for syntax). + varType: |- + map(object({ + description = string + direction = string + action = string # (allow|deny) + ranges = list(string) + sources = list(string) + targets = list(string) + use_service_accounts = bool + rules = list(object({ + protocol = string + ports = list(string) + })) + extra_attributes = map(string) + })) + defaultValue: {} + - name: http_source_ranges + description: List of IP CIDR ranges for tag-based HTTP rule, defaults to 0.0.0.0/0. + varType: list(string) + defaultValue: + - 0.0.0.0/0 + - name: http_target_tags + description: List of target tags for tag-based HTTP rule, defaults to http-server. + varType: list(string) + defaultValue: + - http-server + - name: https_source_ranges + description: List of IP CIDR ranges for tag-based HTTPS rule, defaults to 0.0.0.0/0. + varType: list(string) + defaultValue: + - 0.0.0.0/0 + - name: https_target_tags + description: List of target tags for tag-based HTTPS rule, defaults to https-server. + varType: list(string) + defaultValue: + - https-server + - name: internal_allow + description: Allow rules for internal ranges. + varType: |- + list(object({ + protocol = string + ports = optional(list(string)) + })) + defaultValue: + - protocol: icmp + - name: internal_ranges + description: IP CIDR ranges for intra-VPC rules. + varType: list(string) + defaultValue: [] + - name: internal_ranges_enabled + description: Create rules for intra-VPC ranges. + varType: bool + defaultValue: false + - name: internal_target_tags + description: List of target tags for intra-VPC rules. + varType: list(string) + defaultValue: [] + - name: network + description: Name of the network this set of firewall rules applies to. + varType: string + required: true + - name: project_id + description: Project id of the project that holds the network. + varType: string + required: true + - name: ssh_source_ranges + description: List of IP CIDR ranges for tag-based SSH rule, defaults to 0.0.0.0/0. + varType: list(string) + defaultValue: + - 0.0.0.0/0 + - name: ssh_target_tags + description: List of target tags for tag-based SSH rule, defaults to ssh. + varType: list(string) + defaultValue: + - ssh + outputs: + - name: admin_ranges + description: Admin ranges data. + - name: custom_egress_allow_rules + description: Custom egress rules with allow blocks. + - name: custom_egress_deny_rules + description: Custom egress rules with allow blocks. + - name: custom_ingress_allow_rules + description: Custom ingress rules with allow blocks. + - name: custom_ingress_deny_rules + description: Custom ingress rules with deny blocks. + - name: internal_ranges + description: Internal ranges. + requirements: roles: - - roles/compute.networkAdmin - - roles/compute.securityAdmin - - roles/iam.serviceAccountUser - - roles/vpcaccess.admin - - roles/serviceusage.serviceUsageAdmin - - roles/dns.admin - services: - - cloudresourcemanager.googleapis.com - - compute.googleapis.com - - serviceusage.googleapis.com - - vpcaccess.googleapis.com - - dns.googleapis.com + - level: Project + roles: + - roles/compute.networkAdmin + - roles/compute.securityAdmin + - roles/iam.serviceAccountUser + - roles/vpcaccess.admin + - roles/serviceusage.serviceUsageAdmin + - roles/dns.admin + - roles/resourcemanager.tagAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.orgFirewallPolicyAdmin + services: + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - serviceusage.googleapis.com + - vpcaccess.googleapis.com + - dns.googleapis.com + - networksecurity.googleapis.com + - iam.googleapis.com diff --git a/modules/fabric-net-svpc-access/metadata.yaml b/modules/fabric-net-svpc-access/metadata.yaml index bd6a5c0d..41d95bf5 100644 --- a/modules/fabric-net-svpc-access/metadata.yaml +++ b/modules/fabric-net-svpc-access/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,108 +19,124 @@ metadata: annotations: config.kubernetes.io/local-config: "true" spec: - title: Google Cloud Shared VPC Access Configuration - source: - repo: https://github.com/terraform-google-modules/terraform-google-network - sourceType: git - version: 9.1.0 - actuationTool: - type: Terraform - version: '>= 0.13.0' - examples: - - name: basic_auto_mode - location: examples/basic_auto_mode - - name: basic_custom_mode - location: examples/basic_custom_mode - - name: basic_firewall_rule - location: examples/basic_firewall_rule - - name: basic_secondary_ranges - location: examples/basic_secondary_ranges - - name: basic_shared_vpc - location: examples/basic_shared_vpc - - name: basic_vpc_peering - location: examples/basic_vpc_peering - - name: delete_default_gateway_routes - location: examples/delete_default_gateway_routes - - name: firewall_logging - location: examples/firewall_logging - - name: ilb_routing - location: examples/ilb_routing - - name: multi_vpc - location: examples/multi_vpc - - name: network_service_tiers - location: examples/network_service_tiers - - name: packet_mirroring - location: examples/packet_mirroring - - name: private_service_connect - location: examples/private_service_connect - - name: private_service_connect_google_apis - location: examples/private_service_connect_google_apis - - name: routes - location: examples/routes - - name: secondary_ranges - location: examples/secondary_ranges - - name: simple_project - location: examples/simple_project - - name: simple_project_with_regional_network - location: examples/simple_project_with_regional_network - - name: submodule_firewall - location: examples/submodule_firewall - - name: submodule_network_peering - location: examples/submodule_network_peering - - name: submodule_svpc_access - location: examples/submodule_svpc_access - - name: submodule_vpc_serverless_connector - location: examples/submodule_vpc_serverless_connector - variables: - - name: host_project_id - description: Project id of the shared VPC host project. - type: string - required: true - - name: host_service_agent_role - description: Assign host service agent role to users in host_service_agent_users variable. - type: bool - default: false - required: false - - name: host_service_agent_users - description: List of IAM-style users that will be granted the host service agent role on the host project. - type: list(string) - default: [] - required: false - - name: host_subnet_regions - description: List of subnet regions, one per subnet. - type: list(string) - default: [] - required: false - - name: host_subnet_users - description: Map of comma-delimited IAM-style members to which network user roles for subnets will be assigned. - type: map(any) - default: {} - required: false - - name: host_subnets - description: List of subnet names on which to grant network user role. - type: list(string) - default: [] - required: false - - name: service_project_ids - description: Ids of the service projects that will be attached to the Shared VPC. - type: list(string) - required: true - outputs: - - name: service_projects - description: Project ids of the services with access to all subnets. - roles: - - level: Project + info: + title: Google Cloud Shared VPC Access Configuration + source: + repo: https://github.com/terraform-google-modules/terraform-google-network.git + sourceType: git + dir: /modules/fabric-net-svpc-access + version: 9.1.0 + actuationTool: + flavor: Terraform + version: ">= 0.13.0" + description: {} + content: + examples: + - name: basic_auto_mode + location: examples/basic_auto_mode + - name: basic_custom_mode + location: examples/basic_custom_mode + - name: basic_firewall_rule + location: examples/basic_firewall_rule + - name: basic_secondary_ranges + location: examples/basic_secondary_ranges + - name: basic_shared_vpc + location: examples/basic_shared_vpc + - name: basic_vpc_peering + location: examples/basic_vpc_peering + - name: bidirectional-firewall-rules + location: examples/bidirectional-firewall-rules + - name: delete_default_gateway_routes + location: examples/delete_default_gateway_routes + - name: firewall_logging + location: examples/firewall_logging + - name: global-network-firewall-policy + location: examples/global-network-firewall-policy + - name: hierarchical-firewall-policy + location: examples/hierarchical-firewall-policy + - name: ilb_routing + location: examples/ilb_routing + - name: multi_vpc + location: examples/multi_vpc + - name: network_service_tiers + location: examples/network_service_tiers + - name: packet_mirroring + location: examples/packet_mirroring + - name: private_service_connect + location: examples/private_service_connect + - name: private_service_connect_google_apis + location: examples/private_service_connect_google_apis + - name: regional-network-firewall-policy + location: examples/regional-network-firewall-policy + - name: routes + location: examples/routes + - name: secondary_ranges + location: examples/secondary_ranges + - name: simple_ipv6_project + location: examples/simple_ipv6_project + - name: simple_project + location: examples/simple_project + - name: simple_project_with_regional_network + location: examples/simple_project_with_regional_network + - name: submodule_firewall + location: examples/submodule_firewall + - name: submodule_network_peering + location: examples/submodule_network_peering + - name: submodule_svpc_access + location: examples/submodule_svpc_access + - name: submodule_vpc_serverless_connector + location: examples/submodule_vpc_serverless_connector + interfaces: + variables: + - name: host_project_id + description: Project id of the shared VPC host project. + varType: string + required: true + - name: host_service_agent_role + description: Assign host service agent role to users in host_service_agent_users variable. + varType: bool + defaultValue: false + - name: host_service_agent_users + description: List of IAM-style users that will be granted the host service agent role on the host project. + varType: list(string) + defaultValue: [] + - name: host_subnet_regions + description: List of subnet regions, one per subnet. + varType: list(string) + defaultValue: [] + - name: host_subnet_users + description: Map of comma-delimited IAM-style members to which network user roles for subnets will be assigned. + varType: map(any) + defaultValue: {} + - name: host_subnets + description: List of subnet names on which to grant network user role. + varType: list(string) + defaultValue: [] + - name: service_project_ids + description: Ids of the service projects that will be attached to the Shared VPC. + varType: list(string) + required: true + outputs: + - name: service_projects + description: Project ids of the services with access to all subnets. + requirements: roles: - - roles/compute.networkAdmin - - roles/compute.securityAdmin - - roles/iam.serviceAccountUser - - roles/vpcaccess.admin - - roles/serviceusage.serviceUsageAdmin - - roles/dns.admin - services: - - cloudresourcemanager.googleapis.com - - compute.googleapis.com - - serviceusage.googleapis.com - - vpcaccess.googleapis.com - - dns.googleapis.com + - level: Project + roles: + - roles/compute.networkAdmin + - roles/compute.securityAdmin + - roles/iam.serviceAccountUser + - roles/vpcaccess.admin + - roles/serviceusage.serviceUsageAdmin + - roles/dns.admin + - roles/resourcemanager.tagAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.orgFirewallPolicyAdmin + services: + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - serviceusage.googleapis.com + - vpcaccess.googleapis.com + - dns.googleapis.com + - networksecurity.googleapis.com + - iam.googleapis.com diff --git a/modules/firewall-rules/metadata.yaml b/modules/firewall-rules/metadata.yaml index b16097b7..a17efa29 100644 --- a/modules/firewall-rules/metadata.yaml +++ b/modules/firewall-rules/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,110 +19,190 @@ metadata: annotations: config.kubernetes.io/local-config: "true" spec: - title: Google Cloud VPC Firewall Rules - source: - repo: https://github.com/terraform-google-modules/terraform-google-network - sourceType: git - version: 9.1.0 - actuationTool: - type: Terraform - version: '>= 0.13.0' - examples: - - name: basic_auto_mode - location: examples/basic_auto_mode - - name: basic_custom_mode - location: examples/basic_custom_mode - - name: basic_firewall_rule - location: examples/basic_firewall_rule - - name: basic_secondary_ranges - location: examples/basic_secondary_ranges - - name: basic_shared_vpc - location: examples/basic_shared_vpc - - name: basic_vpc_peering - location: examples/basic_vpc_peering - - name: delete_default_gateway_routes - location: examples/delete_default_gateway_routes - - name: firewall_logging - location: examples/firewall_logging - - name: ilb_routing - location: examples/ilb_routing - - name: multi_vpc - location: examples/multi_vpc - - name: network_service_tiers - location: examples/network_service_tiers - - name: packet_mirroring - location: examples/packet_mirroring - - name: private_service_connect - location: examples/private_service_connect - - name: private_service_connect_google_apis - location: examples/private_service_connect_google_apis - - name: routes - location: examples/routes - - name: secondary_ranges - location: examples/secondary_ranges - - name: simple_project - location: examples/simple_project - - name: simple_project_with_regional_network - location: examples/simple_project_with_regional_network - - name: submodule_firewall - location: examples/submodule_firewall - - name: submodule_network_peering - location: examples/submodule_network_peering - - name: submodule_svpc_access - location: examples/submodule_svpc_access - - name: submodule_vpc_serverless_connector - location: examples/submodule_vpc_serverless_connector - variables: - - name: network_name - description: Name of the network this set of firewall rules applies to. - type: string - required: true - - name: project_id - description: Project id of the project that holds the network. - type: string - required: true - - name: rules - description: List of custom rule definitions (refer to variables file for syntax). - type: |- - list(object({ - name = string - description = string - direction = string - priority = number - ranges = list(string) - source_tags = list(string) - source_service_accounts = list(string) - target_tags = list(string) - target_service_accounts = list(string) - allow = list(object({ - protocol = string - ports = list(string) - })) - deny = list(object({ - protocol = string - ports = list(string) - })) - log_config = object({ - metadata = string - }) - })) - default: [] - required: false - outputs: - - name: firewall_rules - description: The created firewall rule resources - roles: - - level: Project + info: + title: Google Cloud VPC Firewall Rules + source: + repo: https://github.com/terraform-google-modules/terraform-google-network.git + sourceType: git + dir: /modules/firewall-rules + version: 9.1.0 + actuationTool: + flavor: Terraform + version: ">= 1.3.0" + description: {} + content: + examples: + - name: basic_auto_mode + location: examples/basic_auto_mode + - name: basic_custom_mode + location: examples/basic_custom_mode + - name: basic_firewall_rule + location: examples/basic_firewall_rule + - name: basic_secondary_ranges + location: examples/basic_secondary_ranges + - name: basic_shared_vpc + location: examples/basic_shared_vpc + - name: basic_vpc_peering + location: examples/basic_vpc_peering + - name: bidirectional-firewall-rules + location: examples/bidirectional-firewall-rules + - name: delete_default_gateway_routes + location: examples/delete_default_gateway_routes + - name: firewall_logging + location: examples/firewall_logging + - name: global-network-firewall-policy + location: examples/global-network-firewall-policy + - name: hierarchical-firewall-policy + location: examples/hierarchical-firewall-policy + - name: ilb_routing + location: examples/ilb_routing + - name: multi_vpc + location: examples/multi_vpc + - name: network_service_tiers + location: examples/network_service_tiers + - name: packet_mirroring + location: examples/packet_mirroring + - name: private_service_connect + location: examples/private_service_connect + - name: private_service_connect_google_apis + location: examples/private_service_connect_google_apis + - name: regional-network-firewall-policy + location: examples/regional-network-firewall-policy + - name: routes + location: examples/routes + - name: secondary_ranges + location: examples/secondary_ranges + - name: simple_ipv6_project + location: examples/simple_ipv6_project + - name: simple_project + location: examples/simple_project + - name: simple_project_with_regional_network + location: examples/simple_project_with_regional_network + - name: submodule_firewall + location: examples/submodule_firewall + - name: submodule_network_peering + location: examples/submodule_network_peering + - name: submodule_svpc_access + location: examples/submodule_svpc_access + - name: submodule_vpc_serverless_connector + location: examples/submodule_vpc_serverless_connector + interfaces: + variables: + - name: egress_rules + description: List of egress rules. This will be ignored if variable 'rules' is non-empty + varType: |- + list(object({ + name = string + description = optional(string, null) + disabled = optional(bool, null) + priority = optional(number, null) + destination_ranges = optional(list(string), []) + source_ranges = optional(list(string), []) + source_tags = optional(list(string)) + source_service_accounts = optional(list(string)) + target_tags = optional(list(string)) + target_service_accounts = optional(list(string)) + + allow = optional(list(object({ + protocol = string + ports = optional(list(string)) + })), []) + deny = optional(list(object({ + protocol = string + ports = optional(list(string)) + })), []) + log_config = optional(object({ + metadata = string + })) + })) + defaultValue: [] + - name: ingress_rules + description: List of ingress rules. This will be ignored if variable 'rules' is non-empty + varType: |- + list(object({ + name = string + description = optional(string, null) + disabled = optional(bool, null) + priority = optional(number, null) + destination_ranges = optional(list(string), []) + source_ranges = optional(list(string), []) + source_tags = optional(list(string)) + source_service_accounts = optional(list(string)) + target_tags = optional(list(string)) + target_service_accounts = optional(list(string)) + + allow = optional(list(object({ + protocol = string + ports = optional(list(string)) + })), []) + deny = optional(list(object({ + protocol = string + ports = optional(list(string)) + })), []) + log_config = optional(object({ + metadata = string + })) + })) + defaultValue: [] + - name: network_name + description: Name of the network this set of firewall rules applies to. + varType: string + required: true + - name: project_id + description: Project id of the project that holds the network. + varType: string + required: true + - name: rules + description: This is DEPRICATED and available for backward compatiblity. Use ingress_rules and egress_rules variables. List of custom rule definitions + varType: |- + list(object({ + name = string + description = optional(string, null) + direction = optional(string, "INGRESS") + disabled = optional(bool, null) + priority = optional(number, null) + ranges = optional(list(string), []) + source_tags = optional(list(string)) + source_service_accounts = optional(list(string)) + target_tags = optional(list(string)) + target_service_accounts = optional(list(string)) + + allow = optional(list(object({ + protocol = string + ports = optional(list(string)) + })), []) + deny = optional(list(object({ + protocol = string + ports = optional(list(string)) + })), []) + log_config = optional(object({ + metadata = string + })) + })) + defaultValue: [] + outputs: + - name: firewall_rules + description: The created firewall rule resources + - name: firewall_rules_ingress_egress + description: The created firewall ingress/egress rule resources + requirements: roles: - - roles/compute.networkAdmin - - roles/compute.securityAdmin - - roles/iam.serviceAccountUser - - roles/vpcaccess.admin - - roles/serviceusage.serviceUsageAdmin - - roles/dns.admin - services: - - cloudresourcemanager.googleapis.com - - compute.googleapis.com - - serviceusage.googleapis.com - - vpcaccess.googleapis.com - - dns.googleapis.com + - level: Project + roles: + - roles/compute.networkAdmin + - roles/compute.securityAdmin + - roles/iam.serviceAccountUser + - roles/vpcaccess.admin + - roles/serviceusage.serviceUsageAdmin + - roles/dns.admin + - roles/resourcemanager.tagAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.orgFirewallPolicyAdmin + services: + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - serviceusage.googleapis.com + - vpcaccess.googleapis.com + - dns.googleapis.com + - networksecurity.googleapis.com + - iam.googleapis.com diff --git a/modules/hierarchical-firewall-policy/metadata.yaml b/modules/hierarchical-firewall-policy/metadata.yaml new file mode 100644 index 00000000..b5f71f87 --- /dev/null +++ b/modules/hierarchical-firewall-policy/metadata.yaml @@ -0,0 +1,167 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-network + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Google Cloud Hierarchical Firewall Policy + source: + repo: https://github.com/terraform-google-modules/terraform-google-network.git + sourceType: git + dir: /modules/hierarchical-firewall-policy + version: 9.1.0 + actuationTool: + flavor: Terraform + version: ">= 1.3.0" + description: {} + content: + examples: + - name: basic_auto_mode + location: examples/basic_auto_mode + - name: basic_custom_mode + location: examples/basic_custom_mode + - name: basic_firewall_rule + location: examples/basic_firewall_rule + - name: basic_secondary_ranges + location: examples/basic_secondary_ranges + - name: basic_shared_vpc + location: examples/basic_shared_vpc + - name: basic_vpc_peering + location: examples/basic_vpc_peering + - name: bidirectional-firewall-rules + location: examples/bidirectional-firewall-rules + - name: delete_default_gateway_routes + location: examples/delete_default_gateway_routes + - name: firewall_logging + location: examples/firewall_logging + - name: global-network-firewall-policy + location: examples/global-network-firewall-policy + - name: hierarchical-firewall-policy + location: examples/hierarchical-firewall-policy + - name: ilb_routing + location: examples/ilb_routing + - name: multi_vpc + location: examples/multi_vpc + - name: network_service_tiers + location: examples/network_service_tiers + - name: packet_mirroring + location: examples/packet_mirroring + - name: private_service_connect + location: examples/private_service_connect + - name: private_service_connect_google_apis + location: examples/private_service_connect_google_apis + - name: regional-network-firewall-policy + location: examples/regional-network-firewall-policy + - name: routes + location: examples/routes + - name: secondary_ranges + location: examples/secondary_ranges + - name: simple_ipv6_project + location: examples/simple_ipv6_project + - name: simple_project + location: examples/simple_project + - name: simple_project_with_regional_network + location: examples/simple_project_with_regional_network + - name: submodule_firewall + location: examples/submodule_firewall + - name: submodule_network_peering + location: examples/submodule_network_peering + - name: submodule_svpc_access + location: examples/submodule_svpc_access + - name: submodule_vpc_serverless_connector + location: examples/submodule_vpc_serverless_connector + interfaces: + variables: + - name: description + description: An optional description of this resource. Provide this property when you create the resource + varType: string + - name: parent_node + description: The parent of the firewall policy. Parent should be in format organizations/ or folders/ + varType: string + required: true + - name: policy_name + description: User-provided name of the hierarchical firewall policy + varType: string + required: true + - name: rules + description: List of Ingress/Egress rules + varType: |- + list(object({ + priority = number + direction = string + action = string + rule_name = optional(string) + disabled = optional(bool) + description = optional(string) + enable_logging = optional(bool) + target_service_accounts = optional(list(string), []) + target_resources = optional(list(string), []) + match = object({ + src_ip_ranges = optional(list(string), []) + src_fqdns = optional(list(string), []) + src_region_codes = optional(list(string), []) + src_threat_intelligences = optional(list(string), []) + src_address_groups = optional(list(string), []) + dest_ip_ranges = optional(list(string), []) + dest_fqdns = optional(list(string), []) + dest_region_codes = optional(list(string), []) + dest_threat_intelligences = optional(list(string), []) + dest_address_groups = optional(list(string), []) + layer4_configs = optional(list(object({ + ip_protocol = optional(string, "all") + ports = optional(list(string), []) + })), [{}]) + }) + })) + defaultValue: [] + - name: target_folders + description: List of target folders IDs that the firewall policy will be attached to + varType: list(string) + defaultValue: [] + - name: target_org + description: Target org id that the firewall policy will be attached to + varType: string + outputs: + - name: fw_policy + description: Firewall policy created + - name: rules + description: Firewall policy rules created + - name: target_associations + description: folders/orgs associations created + requirements: + roles: + - level: Project + roles: + - roles/compute.networkAdmin + - roles/compute.securityAdmin + - roles/iam.serviceAccountUser + - roles/vpcaccess.admin + - roles/serviceusage.serviceUsageAdmin + - roles/dns.admin + - roles/resourcemanager.tagAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.orgFirewallPolicyAdmin + services: + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - serviceusage.googleapis.com + - vpcaccess.googleapis.com + - dns.googleapis.com + - networksecurity.googleapis.com + - iam.googleapis.com diff --git a/modules/network-firewall-policy/metadata.yaml b/modules/network-firewall-policy/metadata.yaml new file mode 100644 index 00000000..8c80c89f --- /dev/null +++ b/modules/network-firewall-policy/metadata.yaml @@ -0,0 +1,168 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-network-network-firewall-policy + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Google Cloud Network Firewall Policy + source: + repo: https://github.com/terraform-google-modules/terraform-google-network.git + sourceType: git + dir: /modules/network-firewall-policy + version: 9.1.0 + actuationTool: + flavor: Terraform + version: ">= 1.3.0" + description: {} + content: + examples: + - name: basic_auto_mode + location: examples/basic_auto_mode + - name: basic_custom_mode + location: examples/basic_custom_mode + - name: basic_firewall_rule + location: examples/basic_firewall_rule + - name: basic_secondary_ranges + location: examples/basic_secondary_ranges + - name: basic_shared_vpc + location: examples/basic_shared_vpc + - name: basic_vpc_peering + location: examples/basic_vpc_peering + - name: bidirectional-firewall-rules + location: examples/bidirectional-firewall-rules + - name: delete_default_gateway_routes + location: examples/delete_default_gateway_routes + - name: firewall_logging + location: examples/firewall_logging + - name: global-network-firewall-policy + location: examples/global-network-firewall-policy + - name: hierarchical-firewall-policy + location: examples/hierarchical-firewall-policy + - name: ilb_routing + location: examples/ilb_routing + - name: multi_vpc + location: examples/multi_vpc + - name: network_service_tiers + location: examples/network_service_tiers + - name: packet_mirroring + location: examples/packet_mirroring + - name: private_service_connect + location: examples/private_service_connect + - name: private_service_connect_google_apis + location: examples/private_service_connect_google_apis + - name: regional-network-firewall-policy + location: examples/regional-network-firewall-policy + - name: routes + location: examples/routes + - name: secondary_ranges + location: examples/secondary_ranges + - name: simple_ipv6_project + location: examples/simple_ipv6_project + - name: simple_project + location: examples/simple_project + - name: simple_project_with_regional_network + location: examples/simple_project_with_regional_network + - name: submodule_firewall + location: examples/submodule_firewall + - name: submodule_network_peering + location: examples/submodule_network_peering + - name: submodule_svpc_access + location: examples/submodule_svpc_access + - name: submodule_vpc_serverless_connector + location: examples/submodule_vpc_serverless_connector + interfaces: + variables: + - name: description + description: An optional description of this resource. Provide this property when you create the resource + varType: string + - name: policy_name + description: User-provided name of the Network firewall policy + varType: string + required: true + - name: policy_region + description: Location of the firewall policy. Needed for regional firewall policies. Default is null (Global firewall policy) + varType: string + - name: project_id + description: Project ID of the Network firewall policy + varType: string + required: true + - name: rules + description: List of Ingress/Egress rules + varType: |- + list(object({ + priority = number + direction = string + action = string + rule_name = optional(string) + disabled = optional(bool) + description = optional(string) + enable_logging = optional(bool) + target_secure_tags = optional(list(string)) + target_service_accounts = optional(list(string)) + match = object({ + src_ip_ranges = optional(list(string), []) + src_fqdns = optional(list(string), []) + src_region_codes = optional(list(string), []) + src_secure_tags = optional(list(string), []) + src_threat_intelligences = optional(list(string), []) + src_address_groups = optional(list(string), []) + dest_ip_ranges = optional(list(string), []) + dest_fqdns = optional(list(string), []) + dest_region_codes = optional(list(string), []) + dest_threat_intelligences = optional(list(string), []) + dest_address_groups = optional(list(string), []) + layer4_configs = optional(list(object({ + ip_protocol = optional(string, "all") + ports = optional(list(string), []) + })), [{}]) + }) + })) + defaultValue: [] + - name: target_vpcs + description: List of target VPC IDs that the firewall policy will be attached to + varType: list(string) + defaultValue: [] + outputs: + - name: fw_policy + description: Firewall policy created + - name: rules + description: Firewall policy rules created + - name: vpc_associations + description: VPC associations created + requirements: + roles: + - level: Project + roles: + - roles/compute.networkAdmin + - roles/compute.securityAdmin + - roles/iam.serviceAccountUser + - roles/vpcaccess.admin + - roles/serviceusage.serviceUsageAdmin + - roles/dns.admin + - roles/resourcemanager.tagAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.orgFirewallPolicyAdmin + services: + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - serviceusage.googleapis.com + - vpcaccess.googleapis.com + - dns.googleapis.com + - networksecurity.googleapis.com + - iam.googleapis.com diff --git a/modules/network-peering/metadata.yaml b/modules/network-peering/metadata.yaml index 8ebd14e7..7c85aabd 100644 --- a/modules/network-peering/metadata.yaml +++ b/modules/network-peering/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,117 +19,136 @@ metadata: annotations: config.kubernetes.io/local-config: "true" spec: - title: Google Network Peering - source: - repo: https://github.com/terraform-google-modules/terraform-google-network - sourceType: git - version: 9.1.0 - actuationTool: - type: Terraform - version: '>= 0.13.0' - examples: - - name: basic_auto_mode - location: examples/basic_auto_mode - - name: basic_custom_mode - location: examples/basic_custom_mode - - name: basic_firewall_rule - location: examples/basic_firewall_rule - - name: basic_secondary_ranges - location: examples/basic_secondary_ranges - - name: basic_shared_vpc - location: examples/basic_shared_vpc - - name: basic_vpc_peering - location: examples/basic_vpc_peering - - name: delete_default_gateway_routes - location: examples/delete_default_gateway_routes - - name: firewall_logging - location: examples/firewall_logging - - name: ilb_routing - location: examples/ilb_routing - - name: multi_vpc - location: examples/multi_vpc - - name: network_service_tiers - location: examples/network_service_tiers - - name: packet_mirroring - location: examples/packet_mirroring - - name: private_service_connect - location: examples/private_service_connect - - name: private_service_connect_google_apis - location: examples/private_service_connect_google_apis - - name: routes - location: examples/routes - - name: secondary_ranges - location: examples/secondary_ranges - - name: simple_project - location: examples/simple_project - - name: simple_project_with_regional_network - location: examples/simple_project_with_regional_network - - name: submodule_firewall - location: examples/submodule_firewall - - name: submodule_network_peering - location: examples/submodule_network_peering - - name: submodule_svpc_access - location: examples/submodule_svpc_access - - name: submodule_vpc_serverless_connector - location: examples/submodule_vpc_serverless_connector - variables: - - name: export_local_custom_routes - description: Export custom routes to peer network from local network. - type: bool - default: false - required: false - - name: export_local_subnet_routes_with_public_ip - description: Export custom routes to peer network from local network (defaults to true; causes the Local Peering Connection to align with the [provider default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_network_peering#export_subnet_routes_with_public_ip), and the Remote Peering Connection to be opposite the provider default). - type: bool - default: true - required: false - - name: export_peer_custom_routes - description: Export custom routes to local network from peer network. - type: bool - default: false - required: false - - name: export_peer_subnet_routes_with_public_ip - description: Export custom routes to local network from peer network (defaults to false; causes the Local Peering Connection to align with the [provider default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_network_peering#import_subnet_routes_with_public_ip), and the Remote Peering Connection to be opposite the provider default). - type: bool - default: false - required: false - - name: local_network - description: Resource link of the network to add a peering to. - type: string - required: true - - name: module_depends_on - description: List of modules or resources this module depends on. - type: list(any) - default: [] - required: false - - name: peer_network - description: Resource link of the peer network. - type: string - required: true - - name: prefix - description: Name prefix for the network peerings - type: string - default: network-peering - required: false - outputs: - - name: complete - description: Output to be used as a module dependency. - - name: local_network_peering - description: Network peering resource. - - name: peer_network_peering - description: Peer network peering resource. - roles: - - level: Project + info: + title: Google Network Peering + source: + repo: https://github.com/terraform-google-modules/terraform-google-network.git + sourceType: git + dir: /modules/network-peering + version: 9.1.0 + actuationTool: + flavor: Terraform + version: ">= 0.13.0" + description: {} + content: + examples: + - name: basic_auto_mode + location: examples/basic_auto_mode + - name: basic_custom_mode + location: examples/basic_custom_mode + - name: basic_firewall_rule + location: examples/basic_firewall_rule + - name: basic_secondary_ranges + location: examples/basic_secondary_ranges + - name: basic_shared_vpc + location: examples/basic_shared_vpc + - name: basic_vpc_peering + location: examples/basic_vpc_peering + - name: bidirectional-firewall-rules + location: examples/bidirectional-firewall-rules + - name: delete_default_gateway_routes + location: examples/delete_default_gateway_routes + - name: firewall_logging + location: examples/firewall_logging + - name: global-network-firewall-policy + location: examples/global-network-firewall-policy + - name: hierarchical-firewall-policy + location: examples/hierarchical-firewall-policy + - name: ilb_routing + location: examples/ilb_routing + - name: multi_vpc + location: examples/multi_vpc + - name: network_service_tiers + location: examples/network_service_tiers + - name: packet_mirroring + location: examples/packet_mirroring + - name: private_service_connect + location: examples/private_service_connect + - name: private_service_connect_google_apis + location: examples/private_service_connect_google_apis + - name: regional-network-firewall-policy + location: examples/regional-network-firewall-policy + - name: routes + location: examples/routes + - name: secondary_ranges + location: examples/secondary_ranges + - name: simple_ipv6_project + location: examples/simple_ipv6_project + - name: simple_project + location: examples/simple_project + - name: simple_project_with_regional_network + location: examples/simple_project_with_regional_network + - name: submodule_firewall + location: examples/submodule_firewall + - name: submodule_network_peering + location: examples/submodule_network_peering + - name: submodule_svpc_access + location: examples/submodule_svpc_access + - name: submodule_vpc_serverless_connector + location: examples/submodule_vpc_serverless_connector + interfaces: + variables: + - name: export_local_custom_routes + description: Export custom routes to peer network from local network. + varType: bool + defaultValue: false + - name: export_local_subnet_routes_with_public_ip + description: Export custom routes to peer network from local network (defaults to true; causes the Local Peering Connection to align with the [provider default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_network_peering#export_subnet_routes_with_public_ip), and the Remote Peering Connection to be opposite the provider default). + varType: bool + defaultValue: true + - name: export_peer_custom_routes + description: Export custom routes to local network from peer network. + varType: bool + defaultValue: false + - name: export_peer_subnet_routes_with_public_ip + description: Export custom routes to local network from peer network (defaults to false; causes the Local Peering Connection to align with the [provider default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_network_peering#import_subnet_routes_with_public_ip), and the Remote Peering Connection to be opposite the provider default). + varType: bool + defaultValue: false + - name: local_network + description: Resource link of the network to add a peering to. + varType: string + required: true + - name: module_depends_on + description: List of modules or resources this module depends on. + varType: list(any) + defaultValue: [] + - name: peer_network + description: Resource link of the peer network. + varType: string + required: true + - name: prefix + description: Name prefix for the network peerings + varType: string + defaultValue: network-peering + - name: stack_type + description: "Which IP version(s) of traffic and routes are allowed to be imported or exported between peer networks. Possible values: [\"IPV4_ONLY\", \"IPV4_IPV6\"]." + varType: string + defaultValue: IPV4_ONLY + outputs: + - name: complete + description: Output to be used as a module dependency. + - name: local_network_peering + description: Network peering resource. + - name: peer_network_peering + description: Peer network peering resource. + requirements: roles: - - roles/compute.networkAdmin - - roles/compute.securityAdmin - - roles/iam.serviceAccountUser - - roles/vpcaccess.admin - - roles/serviceusage.serviceUsageAdmin - - roles/dns.admin - services: - - cloudresourcemanager.googleapis.com - - compute.googleapis.com - - serviceusage.googleapis.com - - vpcaccess.googleapis.com - - dns.googleapis.com + - level: Project + roles: + - roles/compute.networkAdmin + - roles/compute.securityAdmin + - roles/iam.serviceAccountUser + - roles/vpcaccess.admin + - roles/serviceusage.serviceUsageAdmin + - roles/dns.admin + - roles/resourcemanager.tagAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.orgFirewallPolicyAdmin + services: + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - serviceusage.googleapis.com + - vpcaccess.googleapis.com + - dns.googleapis.com + - networksecurity.googleapis.com + - iam.googleapis.com diff --git a/modules/private-service-connect/metadata.yaml b/modules/private-service-connect/metadata.yaml index 6e4fdcd9..ba4bbac1 100644 --- a/modules/private-service-connect/metadata.yaml +++ b/modules/private-service-connect/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,120 +19,144 @@ metadata: annotations: config.kubernetes.io/local-config: "true" spec: - title: Private Service Connect - source: - repo: https://github.com/terraform-google-modules/terraform-google-network - sourceType: git - version: 9.1.0 - actuationTool: - type: Terraform - version: '>= 0.13' - examples: - - name: basic_auto_mode - location: examples/basic_auto_mode - - name: basic_custom_mode - location: examples/basic_custom_mode - - name: basic_firewall_rule - location: examples/basic_firewall_rule - - name: basic_secondary_ranges - location: examples/basic_secondary_ranges - - name: basic_shared_vpc - location: examples/basic_shared_vpc - - name: basic_vpc_peering - location: examples/basic_vpc_peering - - name: delete_default_gateway_routes - location: examples/delete_default_gateway_routes - - name: firewall_logging - location: examples/firewall_logging - - name: ilb_routing - location: examples/ilb_routing - - name: multi_vpc - location: examples/multi_vpc - - name: network_service_tiers - location: examples/network_service_tiers - - name: packet_mirroring - location: examples/packet_mirroring - - name: private_service_connect - location: examples/private_service_connect - - name: private_service_connect_google_apis - location: examples/private_service_connect_google_apis - - name: routes - location: examples/routes - - name: secondary_ranges - location: examples/secondary_ranges - - name: simple_project - location: examples/simple_project - - name: simple_project_with_regional_network - location: examples/simple_project_with_regional_network - - name: submodule_firewall - location: examples/submodule_firewall - - name: submodule_network_peering - location: examples/submodule_network_peering - - name: submodule_svpc_access - location: examples/submodule_svpc_access - - name: submodule_vpc_serverless_connector - location: examples/submodule_vpc_serverless_connector - variables: - - name: dns_code - description: Code to identify DNS resources in the form of `{dns_code}-{dns_type}` - type: string - default: dz - required: false - - name: forwarding_rule_name - description: Forwarding rule resource name. The forwarding rule name for PSC Google APIs must be an 1-20 characters string with lowercase letters and numbers and must start with a letter. Defaults to `globalrule` - type: string - default: globalrule - required: false - - name: forwarding_rule_target - description: Target resource to receive the matched traffic. Only `all-apis` and `vpc-sc` are valid. - type: string - required: true - - name: network_self_link - description: Network self link for Private Service Connect. - type: string - required: true - - name: private_service_connect_ip - description: The internal IP to be used for the private service connect. - type: string - required: true - - name: private_service_connect_name - description: Private Service Connect endpoint name. Defaults to `global-psconnect-ip` - type: string - default: global-psconnect-ip - required: false - - name: project_id - description: Project ID for Private Service Connect. - type: string - required: true - outputs: - - name: dns_zone_gcr_name - description: Name for Managed DNS zone for GCR - - name: dns_zone_googleapis_name - description: Name for Managed DNS zone for GoogleAPIs - - name: dns_zone_pkg_dev_name - description: Name for Managed DNS zone for PKG_DEV - - name: forwarding_rule_name - description: Forwarding rule resource name. - - name: forwarding_rule_target - description: Target resource to receive the matched traffic. Only `all-apis` and `vpc-sc` are valid. - - name: global_address_id - description: An identifier for the global address created for the private service connect with format `projects/{{project}}/global/addresses/{{name}}` - - name: private_service_connect_ip - description: Private service connect ip - - name: private_service_connect_name - description: Private service connect name - roles: - - level: Project + info: + title: Private Service Connect + source: + repo: https://github.com/terraform-google-modules/terraform-google-network.git + sourceType: git + dir: /modules/private-service-connect + version: 9.1.0 + actuationTool: + flavor: Terraform + version: ">= 0.13" + description: {} + content: + examples: + - name: basic_auto_mode + location: examples/basic_auto_mode + - name: basic_custom_mode + location: examples/basic_custom_mode + - name: basic_firewall_rule + location: examples/basic_firewall_rule + - name: basic_secondary_ranges + location: examples/basic_secondary_ranges + - name: basic_shared_vpc + location: examples/basic_shared_vpc + - name: basic_vpc_peering + location: examples/basic_vpc_peering + - name: bidirectional-firewall-rules + location: examples/bidirectional-firewall-rules + - name: delete_default_gateway_routes + location: examples/delete_default_gateway_routes + - name: firewall_logging + location: examples/firewall_logging + - name: global-network-firewall-policy + location: examples/global-network-firewall-policy + - name: hierarchical-firewall-policy + location: examples/hierarchical-firewall-policy + - name: ilb_routing + location: examples/ilb_routing + - name: multi_vpc + location: examples/multi_vpc + - name: network_service_tiers + location: examples/network_service_tiers + - name: packet_mirroring + location: examples/packet_mirroring + - name: private_service_connect + location: examples/private_service_connect + - name: private_service_connect_google_apis + location: examples/private_service_connect_google_apis + - name: regional-network-firewall-policy + location: examples/regional-network-firewall-policy + - name: routes + location: examples/routes + - name: secondary_ranges + location: examples/secondary_ranges + - name: simple_ipv6_project + location: examples/simple_ipv6_project + - name: simple_project + location: examples/simple_project + - name: simple_project_with_regional_network + location: examples/simple_project_with_regional_network + - name: submodule_firewall + location: examples/submodule_firewall + - name: submodule_network_peering + location: examples/submodule_network_peering + - name: submodule_svpc_access + location: examples/submodule_svpc_access + - name: submodule_vpc_serverless_connector + location: examples/submodule_vpc_serverless_connector + interfaces: + variables: + - name: dns_code + description: Code to identify DNS resources in the form of `{dns_code}-{dns_type}` + varType: string + defaultValue: dz + - name: forwarding_rule_name + description: Forwarding rule resource name. The forwarding rule name for PSC Google APIs must be an 1-20 characters string with lowercase letters and numbers and must start with a letter. Defaults to `globalrule` + varType: string + defaultValue: globalrule + - name: forwarding_rule_target + description: Target resource to receive the matched traffic. Only `all-apis` and `vpc-sc` are valid. + varType: string + required: true + - name: network_self_link + description: Network self link for Private Service Connect. + varType: string + required: true + - name: private_service_connect_ip + description: The internal IP to be used for the private service connect. + varType: string + required: true + - name: private_service_connect_name + description: Private Service Connect endpoint name. Defaults to `global-psconnect-ip` + varType: string + defaultValue: global-psconnect-ip + - name: project_id + description: Project ID for Private Service Connect. + varType: string + required: true + - name: service_directory_namespace + description: Service Directory namespace to register the forwarding rule under. + varType: string + - name: service_directory_region + description: Service Directory region to register this global forwarding rule under. Defaults to `us-central1` if not defined. + varType: string + outputs: + - name: dns_zone_gcr_name + description: Name for Managed DNS zone for GCR + - name: dns_zone_googleapis_name + description: Name for Managed DNS zone for GoogleAPIs + - name: dns_zone_pkg_dev_name + description: Name for Managed DNS zone for PKG_DEV + - name: forwarding_rule_name + description: Forwarding rule resource name. + - name: forwarding_rule_target + description: Target resource to receive the matched traffic. Only `all-apis` and `vpc-sc` are valid. + - name: global_address_id + description: An identifier for the global address created for the private service connect with format `projects/{{project}}/global/addresses/{{name}}` + - name: private_service_connect_ip + description: Private service connect ip + - name: private_service_connect_name + description: Private service connect name + requirements: roles: - - roles/compute.networkAdmin - - roles/compute.securityAdmin - - roles/iam.serviceAccountUser - - roles/vpcaccess.admin - - roles/serviceusage.serviceUsageAdmin - - roles/dns.admin - services: - - cloudresourcemanager.googleapis.com - - compute.googleapis.com - - serviceusage.googleapis.com - - vpcaccess.googleapis.com - - dns.googleapis.com + - level: Project + roles: + - roles/compute.networkAdmin + - roles/compute.securityAdmin + - roles/iam.serviceAccountUser + - roles/vpcaccess.admin + - roles/serviceusage.serviceUsageAdmin + - roles/dns.admin + - roles/resourcemanager.tagAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.orgFirewallPolicyAdmin + services: + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - serviceusage.googleapis.com + - vpcaccess.googleapis.com + - dns.googleapis.com + - networksecurity.googleapis.com + - iam.googleapis.com diff --git a/modules/routes-beta/metadata.yaml b/modules/routes-beta/metadata.yaml index 2222a124..5bd4cca2 100644 --- a/modules/routes-beta/metadata.yaml +++ b/modules/routes-beta/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,98 +19,116 @@ metadata: annotations: config.kubernetes.io/local-config: "true" spec: - title: Terraform Routes Beta Module - source: - repo: https://github.com/terraform-google-modules/terraform-google-network - sourceType: git - version: 9.1.0 - actuationTool: - type: Terraform - version: '>= 0.13.0' - examples: - - name: basic_auto_mode - location: examples/basic_auto_mode - - name: basic_custom_mode - location: examples/basic_custom_mode - - name: basic_firewall_rule - location: examples/basic_firewall_rule - - name: basic_secondary_ranges - location: examples/basic_secondary_ranges - - name: basic_shared_vpc - location: examples/basic_shared_vpc - - name: basic_vpc_peering - location: examples/basic_vpc_peering - - name: delete_default_gateway_routes - location: examples/delete_default_gateway_routes - - name: firewall_logging - location: examples/firewall_logging - - name: ilb_routing - location: examples/ilb_routing - - name: multi_vpc - location: examples/multi_vpc - - name: network_service_tiers - location: examples/network_service_tiers - - name: packet_mirroring - location: examples/packet_mirroring - - name: private_service_connect - location: examples/private_service_connect - - name: private_service_connect_google_apis - location: examples/private_service_connect_google_apis - - name: routes - location: examples/routes - - name: secondary_ranges - location: examples/secondary_ranges - - name: simple_project - location: examples/simple_project - - name: simple_project_with_regional_network - location: examples/simple_project_with_regional_network - - name: submodule_firewall - location: examples/submodule_firewall - - name: submodule_network_peering - location: examples/submodule_network_peering - - name: submodule_svpc_access - location: examples/submodule_svpc_access - - name: submodule_vpc_serverless_connector - location: examples/submodule_vpc_serverless_connector - variables: - - name: module_depends_on - description: List of modules or resources this module depends on. - type: list(any) - default: [] - required: false - - name: network_name - description: The name of the network where routes will be created - type: string - required: true - - name: project_id - description: The ID of the project where the routes will be created - type: string - required: true - - name: routes - description: List of routes being created in this VPC - type: list(map(string)) - default: [] - required: false - - name: routes_count - description: Amount of routes being created in this VPC - type: number - default: 0 - required: false - outputs: - - name: routes - description: The created routes resources - roles: - - level: Project + info: + title: Terraform Routes Beta Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-network.git + sourceType: git + dir: /modules/routes-beta + version: 9.1.0 + actuationTool: + flavor: Terraform + version: ">= 0.13.0" + description: {} + content: + examples: + - name: basic_auto_mode + location: examples/basic_auto_mode + - name: basic_custom_mode + location: examples/basic_custom_mode + - name: basic_firewall_rule + location: examples/basic_firewall_rule + - name: basic_secondary_ranges + location: examples/basic_secondary_ranges + - name: basic_shared_vpc + location: examples/basic_shared_vpc + - name: basic_vpc_peering + location: examples/basic_vpc_peering + - name: bidirectional-firewall-rules + location: examples/bidirectional-firewall-rules + - name: delete_default_gateway_routes + location: examples/delete_default_gateway_routes + - name: firewall_logging + location: examples/firewall_logging + - name: global-network-firewall-policy + location: examples/global-network-firewall-policy + - name: hierarchical-firewall-policy + location: examples/hierarchical-firewall-policy + - name: ilb_routing + location: examples/ilb_routing + - name: multi_vpc + location: examples/multi_vpc + - name: network_service_tiers + location: examples/network_service_tiers + - name: packet_mirroring + location: examples/packet_mirroring + - name: private_service_connect + location: examples/private_service_connect + - name: private_service_connect_google_apis + location: examples/private_service_connect_google_apis + - name: regional-network-firewall-policy + location: examples/regional-network-firewall-policy + - name: routes + location: examples/routes + - name: secondary_ranges + location: examples/secondary_ranges + - name: simple_ipv6_project + location: examples/simple_ipv6_project + - name: simple_project + location: examples/simple_project + - name: simple_project_with_regional_network + location: examples/simple_project_with_regional_network + - name: submodule_firewall + location: examples/submodule_firewall + - name: submodule_network_peering + location: examples/submodule_network_peering + - name: submodule_svpc_access + location: examples/submodule_svpc_access + - name: submodule_vpc_serverless_connector + location: examples/submodule_vpc_serverless_connector + interfaces: + variables: + - name: module_depends_on + description: List of modules or resources this module depends on. + varType: list(any) + defaultValue: [] + - name: network_name + description: The name of the network where routes will be created + varType: string + required: true + - name: project_id + description: The ID of the project where the routes will be created + varType: string + required: true + - name: routes + description: List of routes being created in this VPC + varType: list(map(string)) + defaultValue: [] + - name: routes_count + description: Amount of routes being created in this VPC + varType: number + defaultValue: 0 + outputs: + - name: routes + description: The created routes resources + requirements: roles: - - roles/compute.networkAdmin - - roles/compute.securityAdmin - - roles/iam.serviceAccountUser - - roles/vpcaccess.admin - - roles/serviceusage.serviceUsageAdmin - - roles/dns.admin - services: - - cloudresourcemanager.googleapis.com - - compute.googleapis.com - - serviceusage.googleapis.com - - vpcaccess.googleapis.com - - dns.googleapis.com + - level: Project + roles: + - roles/compute.networkAdmin + - roles/compute.securityAdmin + - roles/iam.serviceAccountUser + - roles/vpcaccess.admin + - roles/serviceusage.serviceUsageAdmin + - roles/dns.admin + - roles/resourcemanager.tagAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.orgFirewallPolicyAdmin + services: + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - serviceusage.googleapis.com + - vpcaccess.googleapis.com + - dns.googleapis.com + - networksecurity.googleapis.com + - iam.googleapis.com diff --git a/modules/routes/metadata.yaml b/modules/routes/metadata.yaml index 6ce05e04..7b446979 100644 --- a/modules/routes/metadata.yaml +++ b/modules/routes/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,93 +19,112 @@ metadata: annotations: config.kubernetes.io/local-config: "true" spec: - title: Terraform Routes Module - source: - repo: https://github.com/terraform-google-modules/terraform-google-network - sourceType: git - version: 9.1.0 - actuationTool: - type: Terraform - version: '>= 0.13.0' - examples: - - name: basic_auto_mode - location: examples/basic_auto_mode - - name: basic_custom_mode - location: examples/basic_custom_mode - - name: basic_firewall_rule - location: examples/basic_firewall_rule - - name: basic_secondary_ranges - location: examples/basic_secondary_ranges - - name: basic_shared_vpc - location: examples/basic_shared_vpc - - name: basic_vpc_peering - location: examples/basic_vpc_peering - - name: delete_default_gateway_routes - location: examples/delete_default_gateway_routes - - name: firewall_logging - location: examples/firewall_logging - - name: ilb_routing - location: examples/ilb_routing - - name: multi_vpc - location: examples/multi_vpc - - name: network_service_tiers - location: examples/network_service_tiers - - name: packet_mirroring - location: examples/packet_mirroring - - name: private_service_connect - location: examples/private_service_connect - - name: private_service_connect_google_apis - location: examples/private_service_connect_google_apis - - name: routes - location: examples/routes - - name: secondary_ranges - location: examples/secondary_ranges - - name: simple_project - location: examples/simple_project - - name: simple_project_with_regional_network - location: examples/simple_project_with_regional_network - - name: submodule_firewall - location: examples/submodule_firewall - - name: submodule_network_peering - location: examples/submodule_network_peering - - name: submodule_svpc_access - location: examples/submodule_svpc_access - - name: submodule_vpc_serverless_connector - location: examples/submodule_vpc_serverless_connector - variables: - - name: module_depends_on - description: List of modules or resources this module depends on. - type: list(any) - default: [] - required: false - - name: network_name - description: The name of the network where routes will be created - type: string - required: true - - name: project_id - description: The ID of the project where the routes will be created - type: string - required: true - - name: routes - description: List of routes being created in this VPC - type: list(map(string)) - default: [] - required: false - outputs: - - name: routes - description: The created routes resources - roles: - - level: Project + info: + title: Terraform Routes Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-network.git + sourceType: git + dir: /modules/routes + version: 9.1.0 + actuationTool: + flavor: Terraform + version: ">= 0.13.0" + description: {} + content: + examples: + - name: basic_auto_mode + location: examples/basic_auto_mode + - name: basic_custom_mode + location: examples/basic_custom_mode + - name: basic_firewall_rule + location: examples/basic_firewall_rule + - name: basic_secondary_ranges + location: examples/basic_secondary_ranges + - name: basic_shared_vpc + location: examples/basic_shared_vpc + - name: basic_vpc_peering + location: examples/basic_vpc_peering + - name: bidirectional-firewall-rules + location: examples/bidirectional-firewall-rules + - name: delete_default_gateway_routes + location: examples/delete_default_gateway_routes + - name: firewall_logging + location: examples/firewall_logging + - name: global-network-firewall-policy + location: examples/global-network-firewall-policy + - name: hierarchical-firewall-policy + location: examples/hierarchical-firewall-policy + - name: ilb_routing + location: examples/ilb_routing + - name: multi_vpc + location: examples/multi_vpc + - name: network_service_tiers + location: examples/network_service_tiers + - name: packet_mirroring + location: examples/packet_mirroring + - name: private_service_connect + location: examples/private_service_connect + - name: private_service_connect_google_apis + location: examples/private_service_connect_google_apis + - name: regional-network-firewall-policy + location: examples/regional-network-firewall-policy + - name: routes + location: examples/routes + - name: secondary_ranges + location: examples/secondary_ranges + - name: simple_ipv6_project + location: examples/simple_ipv6_project + - name: simple_project + location: examples/simple_project + - name: simple_project_with_regional_network + location: examples/simple_project_with_regional_network + - name: submodule_firewall + location: examples/submodule_firewall + - name: submodule_network_peering + location: examples/submodule_network_peering + - name: submodule_svpc_access + location: examples/submodule_svpc_access + - name: submodule_vpc_serverless_connector + location: examples/submodule_vpc_serverless_connector + interfaces: + variables: + - name: module_depends_on + description: List of modules or resources this module depends on. + varType: list(any) + defaultValue: [] + - name: network_name + description: The name of the network where routes will be created + varType: string + required: true + - name: project_id + description: The ID of the project where the routes will be created + varType: string + required: true + - name: routes + description: List of routes being created in this VPC + varType: list(map(string)) + defaultValue: [] + outputs: + - name: routes + description: The created routes resources + requirements: roles: - - roles/compute.networkAdmin - - roles/compute.securityAdmin - - roles/iam.serviceAccountUser - - roles/vpcaccess.admin - - roles/serviceusage.serviceUsageAdmin - - roles/dns.admin - services: - - cloudresourcemanager.googleapis.com - - compute.googleapis.com - - serviceusage.googleapis.com - - vpcaccess.googleapis.com - - dns.googleapis.com + - level: Project + roles: + - roles/compute.networkAdmin + - roles/compute.securityAdmin + - roles/iam.serviceAccountUser + - roles/vpcaccess.admin + - roles/serviceusage.serviceUsageAdmin + - roles/dns.admin + - roles/resourcemanager.tagAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.orgFirewallPolicyAdmin + services: + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - serviceusage.googleapis.com + - vpcaccess.googleapis.com + - dns.googleapis.com + - networksecurity.googleapis.com + - iam.googleapis.com diff --git a/modules/subnets-beta/metadata.yaml b/modules/subnets-beta/metadata.yaml index a6544872..f45e17f0 100644 --- a/modules/subnets-beta/metadata.yaml +++ b/modules/subnets-beta/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,97 +19,134 @@ metadata: annotations: config.kubernetes.io/local-config: "true" spec: - title: Terraform Subnets Beta Module - source: - repo: https://github.com/terraform-google-modules/terraform-google-network - sourceType: git - version: 9.1.0 - actuationTool: - type: Terraform - version: '>= 0.13.0' - examples: - - name: basic_auto_mode - location: examples/basic_auto_mode - - name: basic_custom_mode - location: examples/basic_custom_mode - - name: basic_firewall_rule - location: examples/basic_firewall_rule - - name: basic_secondary_ranges - location: examples/basic_secondary_ranges - - name: basic_shared_vpc - location: examples/basic_shared_vpc - - name: basic_vpc_peering - location: examples/basic_vpc_peering - - name: delete_default_gateway_routes - location: examples/delete_default_gateway_routes - - name: firewall_logging - location: examples/firewall_logging - - name: ilb_routing - location: examples/ilb_routing - - name: multi_vpc - location: examples/multi_vpc - - name: network_service_tiers - location: examples/network_service_tiers - - name: packet_mirroring - location: examples/packet_mirroring - - name: private_service_connect - location: examples/private_service_connect - - name: private_service_connect_google_apis - location: examples/private_service_connect_google_apis - - name: routes - location: examples/routes - - name: secondary_ranges - location: examples/secondary_ranges - - name: simple_project - location: examples/simple_project - - name: simple_project_with_regional_network - location: examples/simple_project_with_regional_network - - name: submodule_firewall - location: examples/submodule_firewall - - name: submodule_network_peering - location: examples/submodule_network_peering - - name: submodule_svpc_access - location: examples/submodule_svpc_access - - name: submodule_vpc_serverless_connector - location: examples/submodule_vpc_serverless_connector - variables: - - name: module_depends_on - description: List of modules or resources this module depends on. - type: list(any) - default: [] - required: false - - name: network_name - description: The name of the network where subnets will be created - type: string - required: true - - name: project_id - description: The ID of the project where subnets will be created - type: string - required: true - - name: secondary_ranges - description: Secondary ranges that will be used in some of the subnets - type: map(list(object({ range_name = string, ip_cidr_range = string }))) - default: {} - required: false - - name: subnets - description: The list of subnets being created - type: list(object({subnet_name = string, subnet_ip = string, subnet_region = string, subnet_private_access = optional(string), subnet_private_ipv6_access = optional(string), subnet_flow_logs = optional(string), subnet_flow_logs_interval = optional(string), subnet_flow_logs_sampling = optional(string), subnet_flow_logs_metadata = optional(string), subnet_flow_logs_filter = optional(string), subnet_flow_logs_metadata_fields = optional(list(string)), description = optional(string)})) - required: true - outputs: - - name: subnets - description: The created subnet resources - roles: - - level: Project + info: + title: Terraform Subnets Beta Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-network.git + sourceType: git + dir: /modules/subnets-beta + version: 9.1.0 + actuationTool: + flavor: Terraform + version: ">= 0.13.0" + description: {} + content: + examples: + - name: basic_auto_mode + location: examples/basic_auto_mode + - name: basic_custom_mode + location: examples/basic_custom_mode + - name: basic_firewall_rule + location: examples/basic_firewall_rule + - name: basic_secondary_ranges + location: examples/basic_secondary_ranges + - name: basic_shared_vpc + location: examples/basic_shared_vpc + - name: basic_vpc_peering + location: examples/basic_vpc_peering + - name: bidirectional-firewall-rules + location: examples/bidirectional-firewall-rules + - name: delete_default_gateway_routes + location: examples/delete_default_gateway_routes + - name: firewall_logging + location: examples/firewall_logging + - name: global-network-firewall-policy + location: examples/global-network-firewall-policy + - name: hierarchical-firewall-policy + location: examples/hierarchical-firewall-policy + - name: ilb_routing + location: examples/ilb_routing + - name: multi_vpc + location: examples/multi_vpc + - name: network_service_tiers + location: examples/network_service_tiers + - name: packet_mirroring + location: examples/packet_mirroring + - name: private_service_connect + location: examples/private_service_connect + - name: private_service_connect_google_apis + location: examples/private_service_connect_google_apis + - name: regional-network-firewall-policy + location: examples/regional-network-firewall-policy + - name: routes + location: examples/routes + - name: secondary_ranges + location: examples/secondary_ranges + - name: simple_ipv6_project + location: examples/simple_ipv6_project + - name: simple_project + location: examples/simple_project + - name: simple_project_with_regional_network + location: examples/simple_project_with_regional_network + - name: submodule_firewall + location: examples/submodule_firewall + - name: submodule_network_peering + location: examples/submodule_network_peering + - name: submodule_svpc_access + location: examples/submodule_svpc_access + - name: submodule_vpc_serverless_connector + location: examples/submodule_vpc_serverless_connector + interfaces: + variables: + - name: module_depends_on + description: List of modules or resources this module depends on. + varType: list(any) + defaultValue: [] + - name: network_name + description: The name of the network where subnets will be created + varType: string + required: true + - name: project_id + description: The ID of the project where subnets will be created + varType: string + required: true + - name: secondary_ranges + description: Secondary ranges that will be used in some of the subnets + varType: map(list(object({ range_name = string, ip_cidr_range = string }))) + defaultValue: {} + - name: subnets + description: The list of subnets being created + varType: |- + list(object({ + subnet_name = string + subnet_ip = string + subnet_region = string + subnet_private_access = optional(string, "false") + subnet_private_ipv6_access = optional(string) + subnet_flow_logs = optional(bool, false) + subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC") + subnet_flow_logs_sampling = optional(string, "0.5") + subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA") + subnet_flow_logs_filter = optional(string, "true") + subnet_flow_logs_metadata_fields = optional(list(string), []) + description = optional(string) + purpose = optional(string) + role = optional(string) + stack_type = optional(string) + ipv6_access_type = optional(string) + })) + required: true + outputs: + - name: subnets + description: The created subnet resources + requirements: roles: - - roles/compute.networkAdmin - - roles/compute.securityAdmin - - roles/iam.serviceAccountUser - - roles/vpcaccess.admin - - roles/serviceusage.serviceUsageAdmin - - roles/dns.admin - services: - - cloudresourcemanager.googleapis.com - - compute.googleapis.com - - serviceusage.googleapis.com - - vpcaccess.googleapis.com - - dns.googleapis.com + - level: Project + roles: + - roles/compute.networkAdmin + - roles/compute.securityAdmin + - roles/iam.serviceAccountUser + - roles/vpcaccess.admin + - roles/serviceusage.serviceUsageAdmin + - roles/dns.admin + - roles/resourcemanager.tagAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.orgFirewallPolicyAdmin + services: + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - serviceusage.googleapis.com + - vpcaccess.googleapis.com + - dns.googleapis.com + - networksecurity.googleapis.com + - iam.googleapis.com diff --git a/modules/subnets/metadata.yaml b/modules/subnets/metadata.yaml index 2d6dc944..8e0c8916 100644 --- a/modules/subnets/metadata.yaml +++ b/modules/subnets/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,92 +19,130 @@ metadata: annotations: config.kubernetes.io/local-config: "true" spec: - title: Terraform Subnets Module - source: - repo: https://github.com/terraform-google-modules/terraform-google-network - sourceType: git - version: 9.1.0 - actuationTool: - type: Terraform - version: '>= 0.13.0' - examples: - - name: basic_auto_mode - location: examples/basic_auto_mode - - name: basic_custom_mode - location: examples/basic_custom_mode - - name: basic_firewall_rule - location: examples/basic_firewall_rule - - name: basic_secondary_ranges - location: examples/basic_secondary_ranges - - name: basic_shared_vpc - location: examples/basic_shared_vpc - - name: basic_vpc_peering - location: examples/basic_vpc_peering - - name: delete_default_gateway_routes - location: examples/delete_default_gateway_routes - - name: firewall_logging - location: examples/firewall_logging - - name: ilb_routing - location: examples/ilb_routing - - name: multi_vpc - location: examples/multi_vpc - - name: network_service_tiers - location: examples/network_service_tiers - - name: packet_mirroring - location: examples/packet_mirroring - - name: private_service_connect - location: examples/private_service_connect - - name: private_service_connect_google_apis - location: examples/private_service_connect_google_apis - - name: routes - location: examples/routes - - name: secondary_ranges - location: examples/secondary_ranges - - name: simple_project - location: examples/simple_project - - name: simple_project_with_regional_network - location: examples/simple_project_with_regional_network - - name: submodule_firewall - location: examples/submodule_firewall - - name: submodule_network_peering - location: examples/submodule_network_peering - - name: submodule_svpc_access - location: examples/submodule_svpc_access - - name: submodule_vpc_serverless_connector - location: examples/submodule_vpc_serverless_connector - variables: - - name: network_name - description: The name of the network where subnets will be created - type: string - required: true - - name: project_id - description: The ID of the project where subnets will be created - type: string - required: true - - name: secondary_ranges - description: Secondary ranges that will be used in some of the subnets - type: map(list(object({ range_name = string, ip_cidr_range = string }))) - default: {} - required: false - - name: subnets - description: The list of subnets being created - type: list(object({subnet_name = string, subnet_ip = string, subnet_region = string, subnet_private_access = optional(string), subnet_private_ipv6_access = optional(string), subnet_flow_logs = optional(string), subnet_flow_logs_interval = optional(string), subnet_flow_logs_sampling = optional(string), subnet_flow_logs_metadata = optional(string), subnet_flow_logs_filter = optional(string), subnet_flow_logs_metadata_fields = optional(list(string)), description = optional(string)})) - required: true - outputs: - - name: subnets - description: The created subnet resources - roles: - - level: Project + info: + title: Terraform Subnets Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-network.git + sourceType: git + dir: /modules/subnets + version: 9.1.0 + actuationTool: + flavor: Terraform + version: ">= 0.13.0" + description: {} + content: + examples: + - name: basic_auto_mode + location: examples/basic_auto_mode + - name: basic_custom_mode + location: examples/basic_custom_mode + - name: basic_firewall_rule + location: examples/basic_firewall_rule + - name: basic_secondary_ranges + location: examples/basic_secondary_ranges + - name: basic_shared_vpc + location: examples/basic_shared_vpc + - name: basic_vpc_peering + location: examples/basic_vpc_peering + - name: bidirectional-firewall-rules + location: examples/bidirectional-firewall-rules + - name: delete_default_gateway_routes + location: examples/delete_default_gateway_routes + - name: firewall_logging + location: examples/firewall_logging + - name: global-network-firewall-policy + location: examples/global-network-firewall-policy + - name: hierarchical-firewall-policy + location: examples/hierarchical-firewall-policy + - name: ilb_routing + location: examples/ilb_routing + - name: multi_vpc + location: examples/multi_vpc + - name: network_service_tiers + location: examples/network_service_tiers + - name: packet_mirroring + location: examples/packet_mirroring + - name: private_service_connect + location: examples/private_service_connect + - name: private_service_connect_google_apis + location: examples/private_service_connect_google_apis + - name: regional-network-firewall-policy + location: examples/regional-network-firewall-policy + - name: routes + location: examples/routes + - name: secondary_ranges + location: examples/secondary_ranges + - name: simple_ipv6_project + location: examples/simple_ipv6_project + - name: simple_project + location: examples/simple_project + - name: simple_project_with_regional_network + location: examples/simple_project_with_regional_network + - name: submodule_firewall + location: examples/submodule_firewall + - name: submodule_network_peering + location: examples/submodule_network_peering + - name: submodule_svpc_access + location: examples/submodule_svpc_access + - name: submodule_vpc_serverless_connector + location: examples/submodule_vpc_serverless_connector + interfaces: + variables: + - name: network_name + description: The name of the network where subnets will be created + varType: string + required: true + - name: project_id + description: The ID of the project where subnets will be created + varType: string + required: true + - name: secondary_ranges + description: Secondary ranges that will be used in some of the subnets + varType: map(list(object({ range_name = string, ip_cidr_range = string }))) + defaultValue: {} + - name: subnets + description: The list of subnets being created + varType: |- + list(object({ + subnet_name = string + subnet_ip = string + subnet_region = string + subnet_private_access = optional(string, "false") + subnet_private_ipv6_access = optional(string) + subnet_flow_logs = optional(string, "false") + subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC") + subnet_flow_logs_sampling = optional(string, "0.5") + subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA") + subnet_flow_logs_filter = optional(string, "true") + subnet_flow_logs_metadata_fields = optional(list(string), []) + description = optional(string) + purpose = optional(string) + role = optional(string) + stack_type = optional(string) + ipv6_access_type = optional(string) + })) + required: true + outputs: + - name: subnets + description: The created subnet resources + requirements: roles: - - roles/compute.networkAdmin - - roles/compute.securityAdmin - - roles/iam.serviceAccountUser - - roles/vpcaccess.admin - - roles/serviceusage.serviceUsageAdmin - - roles/dns.admin - services: - - cloudresourcemanager.googleapis.com - - compute.googleapis.com - - serviceusage.googleapis.com - - vpcaccess.googleapis.com - - dns.googleapis.com + - level: Project + roles: + - roles/compute.networkAdmin + - roles/compute.securityAdmin + - roles/iam.serviceAccountUser + - roles/vpcaccess.admin + - roles/serviceusage.serviceUsageAdmin + - roles/dns.admin + - roles/resourcemanager.tagAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.orgFirewallPolicyAdmin + services: + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - serviceusage.googleapis.com + - vpcaccess.googleapis.com + - dns.googleapis.com + - networksecurity.googleapis.com + - iam.googleapis.com diff --git a/modules/vpc-serverless-connector-beta/README.md b/modules/vpc-serverless-connector-beta/README.md index eb5ec048..7b42540d 100644 --- a/modules/vpc-serverless-connector-beta/README.md +++ b/modules/vpc-serverless-connector-beta/README.md @@ -34,7 +34,7 @@ module "serverless-connector" { | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | project\_id | Project in which the vpc connector will be deployed. | `string` | n/a | yes | -| vpc\_connectors | List of VPC serverless connectors. | `list(map(string))` | `[]` | no | +| vpc\_connectors | List of VPC serverless connectors. | 
list(object({
    name            = string,
    region          = string,
    network         = optional(string, null),
    subnet_name     = optional(string, null),
    ip_cidr_range   = optional(string, null),
    host_project_id = optional(string, null),
    machine_type    = optional(string, null),
    min_instances   = optional(number, null),
    max_instances   = optional(number, null),
    max_throughput  = optional(number, null)
  }))
| `[]` | no | ## Outputs diff --git a/modules/vpc-serverless-connector-beta/main.tf b/modules/vpc-serverless-connector-beta/main.tf index 9e6f2d47..002ef868 100644 --- a/modules/vpc-serverless-connector-beta/main.tf +++ b/modules/vpc-serverless-connector-beta/main.tf @@ -22,17 +22,17 @@ resource "google_vpc_access_connector" "connector_beta" { name = each.value.name project = var.project_id region = each.value.region - ip_cidr_range = lookup(each.value, "ip_cidr_range", null) - network = lookup(each.value, "network", null) + ip_cidr_range = each.value.ip_cidr_range + network = each.value.network dynamic "subnet" { for_each = each.value.subnet_name == null ? [] : [each.value] content { name = each.value.subnet_name - project_id = lookup(each.value, "host_project_id", null) + project_id = each.value.host_project_id } } - machine_type = lookup(each.value, "machine_type", null) - min_instances = lookup(each.value, "min_instances", null) - max_instances = lookup(each.value, "max_instances", null) - max_throughput = lookup(each.value, "max_throughput", null) + machine_type = each.value.machine_type + min_instances = each.value.min_instances + max_instances = each.value.max_instances + max_throughput = each.value.max_throughput } diff --git a/modules/vpc-serverless-connector-beta/metadata.yaml b/modules/vpc-serverless-connector-beta/metadata.yaml index adf7356a..e40fb486 100644 --- a/modules/vpc-serverless-connector-beta/metadata.yaml +++ b/modules/vpc-serverless-connector-beta/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,84 +19,116 @@ metadata: annotations: config.kubernetes.io/local-config: "true" spec: - title: Terraform VPC Serverless Connector Beta - source: - repo: https://github.com/terraform-google-modules/terraform-google-network - sourceType: git - version: 9.1.0 - actuationTool: - type: Terraform - version: '>= 0.13.0' - examples: - - name: basic_auto_mode - location: examples/basic_auto_mode - - name: basic_custom_mode - location: examples/basic_custom_mode - - name: basic_firewall_rule - location: examples/basic_firewall_rule - - name: basic_secondary_ranges - location: examples/basic_secondary_ranges - - name: basic_shared_vpc - location: examples/basic_shared_vpc - - name: basic_vpc_peering - location: examples/basic_vpc_peering - - name: delete_default_gateway_routes - location: examples/delete_default_gateway_routes - - name: firewall_logging - location: examples/firewall_logging - - name: ilb_routing - location: examples/ilb_routing - - name: multi_vpc - location: examples/multi_vpc - - name: network_service_tiers - location: examples/network_service_tiers - - name: packet_mirroring - location: examples/packet_mirroring - - name: private_service_connect - location: examples/private_service_connect - - name: private_service_connect_google_apis - location: examples/private_service_connect_google_apis - - name: routes - location: examples/routes - - name: secondary_ranges - location: examples/secondary_ranges - - name: simple_project - location: examples/simple_project - - name: simple_project_with_regional_network - location: examples/simple_project_with_regional_network - - name: submodule_firewall - location: examples/submodule_firewall - - name: submodule_network_peering - location: examples/submodule_network_peering - - name: submodule_svpc_access - location: examples/submodule_svpc_access - - name: submodule_vpc_serverless_connector - location: examples/submodule_vpc_serverless_connector - variables: - - name: project_id - description: Project in which the vpc connector will be deployed. - type: string - required: true - - name: vpc_connectors - description: List of VPC serverless connectors. - type: list(map(string)) - default: [] - required: false - outputs: - - name: connector_ids - description: VPC serverless connector ID. - roles: - - level: Project + info: + title: Terraform VPC Serverless Connector Beta + source: + repo: https://github.com/terraform-google-modules/terraform-google-network.git + sourceType: git + dir: /modules/vpc-serverless-connector-beta + version: 9.1.0 + actuationTool: + flavor: Terraform + version: ">= 0.13.0" + description: {} + content: + examples: + - name: basic_auto_mode + location: examples/basic_auto_mode + - name: basic_custom_mode + location: examples/basic_custom_mode + - name: basic_firewall_rule + location: examples/basic_firewall_rule + - name: basic_secondary_ranges + location: examples/basic_secondary_ranges + - name: basic_shared_vpc + location: examples/basic_shared_vpc + - name: basic_vpc_peering + location: examples/basic_vpc_peering + - name: bidirectional-firewall-rules + location: examples/bidirectional-firewall-rules + - name: delete_default_gateway_routes + location: examples/delete_default_gateway_routes + - name: firewall_logging + location: examples/firewall_logging + - name: global-network-firewall-policy + location: examples/global-network-firewall-policy + - name: hierarchical-firewall-policy + location: examples/hierarchical-firewall-policy + - name: ilb_routing + location: examples/ilb_routing + - name: multi_vpc + location: examples/multi_vpc + - name: network_service_tiers + location: examples/network_service_tiers + - name: packet_mirroring + location: examples/packet_mirroring + - name: private_service_connect + location: examples/private_service_connect + - name: private_service_connect_google_apis + location: examples/private_service_connect_google_apis + - name: regional-network-firewall-policy + location: examples/regional-network-firewall-policy + - name: routes + location: examples/routes + - name: secondary_ranges + location: examples/secondary_ranges + - name: simple_ipv6_project + location: examples/simple_ipv6_project + - name: simple_project + location: examples/simple_project + - name: simple_project_with_regional_network + location: examples/simple_project_with_regional_network + - name: submodule_firewall + location: examples/submodule_firewall + - name: submodule_network_peering + location: examples/submodule_network_peering + - name: submodule_svpc_access + location: examples/submodule_svpc_access + - name: submodule_vpc_serverless_connector + location: examples/submodule_vpc_serverless_connector + interfaces: + variables: + - name: project_id + description: Project in which the vpc connector will be deployed. + varType: string + required: true + - name: vpc_connectors + description: List of VPC serverless connectors. + varType: |- + list(object({ + name = string, + region = string, + network = optional(string, null), + subnet_name = optional(string, null), + ip_cidr_range = optional(string, null), + host_project_id = optional(string, null), + machine_type = optional(string, null), + min_instances = optional(number, null), + max_instances = optional(number, null), + max_throughput = optional(number, null) + })) + defaultValue: [] + outputs: + - name: connector_ids + description: VPC serverless connector ID. + requirements: roles: - - roles/compute.networkAdmin - - roles/compute.securityAdmin - - roles/iam.serviceAccountUser - - roles/vpcaccess.admin - - roles/serviceusage.serviceUsageAdmin - - roles/dns.admin - services: - - cloudresourcemanager.googleapis.com - - compute.googleapis.com - - serviceusage.googleapis.com - - vpcaccess.googleapis.com - - dns.googleapis.com + - level: Project + roles: + - roles/compute.networkAdmin + - roles/compute.securityAdmin + - roles/iam.serviceAccountUser + - roles/vpcaccess.admin + - roles/serviceusage.serviceUsageAdmin + - roles/dns.admin + - roles/resourcemanager.tagAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.orgFirewallPolicyAdmin + services: + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - serviceusage.googleapis.com + - vpcaccess.googleapis.com + - dns.googleapis.com + - networksecurity.googleapis.com + - iam.googleapis.com diff --git a/modules/vpc-serverless-connector-beta/variables.tf b/modules/vpc-serverless-connector-beta/variables.tf index a4b3956a..e36c23cf 100644 --- a/modules/vpc-serverless-connector-beta/variables.tf +++ b/modules/vpc-serverless-connector-beta/variables.tf @@ -20,7 +20,18 @@ variable "project_id" { } variable "vpc_connectors" { - type = list(map(string)) + type = list(object({ + name = string, + region = string, + network = optional(string, null), + subnet_name = optional(string, null), + ip_cidr_range = optional(string, null), + host_project_id = optional(string, null), + machine_type = optional(string, null), + min_instances = optional(number, null), + max_instances = optional(number, null), + max_throughput = optional(number, null) + })) default = [] description = "List of VPC serverless connectors." } diff --git a/modules/vpc/metadata.yaml b/modules/vpc/metadata.yaml index 4fd47ce7..fdb7c783 100644 --- a/modules/vpc/metadata.yaml +++ b/modules/vpc/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,121 +19,146 @@ metadata: annotations: config.kubernetes.io/local-config: "true" spec: - title: Terraform VPC Module - source: - repo: https://github.com/terraform-google-modules/terraform-google-network - sourceType: git - version: 9.1.0 - actuationTool: - type: Terraform - version: '>= 0.13.0' - examples: - - name: basic_auto_mode - location: examples/basic_auto_mode - - name: basic_custom_mode - location: examples/basic_custom_mode - - name: basic_firewall_rule - location: examples/basic_firewall_rule - - name: basic_secondary_ranges - location: examples/basic_secondary_ranges - - name: basic_shared_vpc - location: examples/basic_shared_vpc - - name: basic_vpc_peering - location: examples/basic_vpc_peering - - name: delete_default_gateway_routes - location: examples/delete_default_gateway_routes - - name: firewall_logging - location: examples/firewall_logging - - name: ilb_routing - location: examples/ilb_routing - - name: multi_vpc - location: examples/multi_vpc - - name: network_service_tiers - location: examples/network_service_tiers - - name: packet_mirroring - location: examples/packet_mirroring - - name: private_service_connect - location: examples/private_service_connect - - name: private_service_connect_google_apis - location: examples/private_service_connect_google_apis - - name: routes - location: examples/routes - - name: secondary_ranges - location: examples/secondary_ranges - - name: simple_project - location: examples/simple_project - - name: simple_project_with_regional_network - location: examples/simple_project_with_regional_network - - name: submodule_firewall - location: examples/submodule_firewall - - name: submodule_network_peering - location: examples/submodule_network_peering - - name: submodule_svpc_access - location: examples/submodule_svpc_access - - name: submodule_vpc_serverless_connector - location: examples/submodule_vpc_serverless_connector - variables: - - name: auto_create_subnetworks - description: When set to true, the network is created in 'auto subnet mode' and it will create a subnet for each region automatically across the 10.128.0.0/9 address range. When set to false, the network is created in 'custom subnet mode' so the user can explicitly connect subnetwork resources. - type: bool - default: false - required: false - - name: delete_default_internet_gateway_routes - description: If set, ensure that all routes within the network specified whose names begin with 'default-route' and with a next hop of 'default-internet-gateway' are deleted - type: bool - default: false - required: false - - name: description - description: An optional description of this resource. The resource must be recreated to modify this field. - type: string - default: "" - required: false - - name: mtu - description: 'The network MTU (If set to 0, meaning MTU is unset - defaults to ''1460''). Recommended values: 1460 (default for historic reasons), 1500 (Internet default), or 8896 (for Jumbo packets). Allowed are all values in the range 1300 to 8896, inclusively.' - type: number - default: 0 - required: false - - name: network_name - description: The name of the network being created - type: string - required: true - - name: project_id - description: The ID of the project where this VPC will be created - type: string - required: true - - name: routing_mode - description: The network routing mode (default 'GLOBAL') - type: string - default: GLOBAL - required: false - - name: shared_vpc_host - description: Makes this project a Shared VPC host if 'true' (default 'false') - type: bool - default: false - required: false - outputs: - - name: network - description: The VPC resource being created - - name: network_id - description: The ID of the VPC being created - - name: network_name - description: The name of the VPC being created - - name: network_self_link - description: The URI of the VPC being created - - name: project_id - description: VPC project id - roles: - - level: Project + info: + title: Terraform VPC Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-network.git + sourceType: git + dir: /modules/vpc + version: 9.1.0 + actuationTool: + flavor: Terraform + version: ">= 0.13.0" + description: {} + content: + examples: + - name: basic_auto_mode + location: examples/basic_auto_mode + - name: basic_custom_mode + location: examples/basic_custom_mode + - name: basic_firewall_rule + location: examples/basic_firewall_rule + - name: basic_secondary_ranges + location: examples/basic_secondary_ranges + - name: basic_shared_vpc + location: examples/basic_shared_vpc + - name: basic_vpc_peering + location: examples/basic_vpc_peering + - name: bidirectional-firewall-rules + location: examples/bidirectional-firewall-rules + - name: delete_default_gateway_routes + location: examples/delete_default_gateway_routes + - name: firewall_logging + location: examples/firewall_logging + - name: global-network-firewall-policy + location: examples/global-network-firewall-policy + - name: hierarchical-firewall-policy + location: examples/hierarchical-firewall-policy + - name: ilb_routing + location: examples/ilb_routing + - name: multi_vpc + location: examples/multi_vpc + - name: network_service_tiers + location: examples/network_service_tiers + - name: packet_mirroring + location: examples/packet_mirroring + - name: private_service_connect + location: examples/private_service_connect + - name: private_service_connect_google_apis + location: examples/private_service_connect_google_apis + - name: regional-network-firewall-policy + location: examples/regional-network-firewall-policy + - name: routes + location: examples/routes + - name: secondary_ranges + location: examples/secondary_ranges + - name: simple_ipv6_project + location: examples/simple_ipv6_project + - name: simple_project + location: examples/simple_project + - name: simple_project_with_regional_network + location: examples/simple_project_with_regional_network + - name: submodule_firewall + location: examples/submodule_firewall + - name: submodule_network_peering + location: examples/submodule_network_peering + - name: submodule_svpc_access + location: examples/submodule_svpc_access + - name: submodule_vpc_serverless_connector + location: examples/submodule_vpc_serverless_connector + interfaces: + variables: + - name: auto_create_subnetworks + description: When set to true, the network is created in 'auto subnet mode' and it will create a subnet for each region automatically across the 10.128.0.0/9 address range. When set to false, the network is created in 'custom subnet mode' so the user can explicitly connect subnetwork resources. + varType: bool + defaultValue: false + - name: delete_default_internet_gateway_routes + description: If set, ensure that all routes within the network specified whose names begin with 'default-route' and with a next hop of 'default-internet-gateway' are deleted + varType: bool + defaultValue: false + - name: description + description: An optional description of this resource. The resource must be recreated to modify this field. + varType: string + defaultValue: "" + - name: enable_ipv6_ula + description: Enabled IPv6 ULA, this is a permenant change and cannot be undone! (default 'false') + varType: bool + defaultValue: false + - name: internal_ipv6_range + description: When enabling IPv6 ULA, optionally, specify a /48 from fd20::/20 (default null) + varType: string + - name: mtu + description: "The network MTU (If set to 0, meaning MTU is unset - defaults to '1460'). Recommended values: 1460 (default for historic reasons), 1500 (Internet default), or 8896 (for Jumbo packets). Allowed are all values in the range 1300 to 8896, inclusively." + varType: number + defaultValue: 0 + - name: network_firewall_policy_enforcement_order + description: Set the order that Firewall Rules and Firewall Policies are evaluated. Valid values are `BEFORE_CLASSIC_FIREWALL` and `AFTER_CLASSIC_FIREWALL`. (default null or equivalent to `AFTER_CLASSIC_FIREWALL`) + varType: string + - name: network_name + description: The name of the network being created + varType: string + required: true + - name: project_id + description: The ID of the project where this VPC will be created + varType: string + required: true + - name: routing_mode + description: The network routing mode (default 'GLOBAL') + varType: string + defaultValue: GLOBAL + - name: shared_vpc_host + description: Makes this project a Shared VPC host if 'true' (default 'false') + varType: bool + defaultValue: false + outputs: + - name: network + description: The VPC resource being created + - name: network_id + description: The ID of the VPC being created + - name: network_name + description: The name of the VPC being created + - name: network_self_link + description: The URI of the VPC being created + - name: project_id + description: VPC project id + requirements: roles: - - roles/compute.networkAdmin - - roles/compute.securityAdmin - - roles/iam.serviceAccountUser - - roles/vpcaccess.admin - - roles/serviceusage.serviceUsageAdmin - - roles/dns.admin - services: - - cloudresourcemanager.googleapis.com - - compute.googleapis.com - - serviceusage.googleapis.com - - vpcaccess.googleapis.com - - dns.googleapis.com + - level: Project + roles: + - roles/compute.networkAdmin + - roles/compute.securityAdmin + - roles/iam.serviceAccountUser + - roles/vpcaccess.admin + - roles/serviceusage.serviceUsageAdmin + - roles/dns.admin + - roles/resourcemanager.tagAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.orgFirewallPolicyAdmin + services: + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - serviceusage.googleapis.com + - vpcaccess.googleapis.com + - dns.googleapis.com + - networksecurity.googleapis.com + - iam.googleapis.com