Feature/103 submodules

CHANGELOG.md

@@ -8,6 +8,10 @@ and this project adheres to [Semantic Versioning][semver-site].
 ## [Unreleased]
 v2.0.0 is a backwards-incompatible release. Please see the [upgrading guide](./docs/upgrading_to_v2.0.md).
 
+### Added
+
+- Split main module up into vpc, subnets, and routes submodules. Changed `routes` input to be comptiable with `for_each` `maps` [#103]
+
 ### Fixed
 
 - Fixes subnet recreation when a subnet is updated. [#73]

Makefile

@@ -15,7 +15,7 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
 
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0.1.0
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0.6.0
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
 
@@ -42,7 +42,7 @@ docker_test_prepare:
 
 # Clean up test environment within the docker container
 .PHONY: docker_test_cleanup
-docker_test_prepare:
+docker_test_cleanup:
 	docker run --rm -it \
 		-e SERVICE_ACCOUNT_JSON \
 		-e TF_VAR_org_id \

README.md

@@ -8,6 +8,8 @@ It supports creating:
 - Subnets within the VPC
 - Secondary ranges for the subnets (if applicable)
 
+Sub modules are provided for creating individual vpc, subnets, and routes. See the modules directory for the various sub modules usage.
+
 ## Compatibility
 
 This module is meant for use with Terraform 0.12. If you haven't [upgraded](https://www.terraform.io/upgrade-guides/0-12.html) and need a Terraform 0.11.x-compatible version of this module, the last released version intended for Terraform 0.11.x is [0.8.0](https://registry.terraform.io/modules/terraform-google-modules/network/google/0.8.0).
@@ -60,23 +62,21 @@ module "vpc" {
         subnet-02 = []
     }
 
-    routes = [
-        {
-            name                   = "egress-internet"
+    routes = {
+        "egress-internet" = {
             description            = "route through IGW to access internet"
             destination_range      = "0.0.0.0/0"
             tags                   = "egress-inet"
             next_hop_internet      = "true"
-        },
-        {
-            name                   = "app-proxy"
+        }
+        "app-proxy" = {
             description            = "route through proxy to reach app"
             destination_range      = "10.50.10.0/24"
             tags                   = "app-proxy"
             next_hop_instance      = "app-proxy-instance"
             next_hop_instance_zone = "us-west1-a"
-        },
-    ]
+        }
+    }
 }
 ```
 
@@ -97,7 +97,7 @@ Then perform the following commands on the root folder:
 | description | An optional description of this resource. The resource must be recreated to modify this field. | string | `""` | no |
 | network\_name | The name of the network being created | string | n/a | yes |
 | project\_id | The ID of the project where this VPC will be created | string | n/a | yes |
-| routes | List of routes being created in this VPC | list(map(string)) | `<list>` | no |
+| routes | Map of routes being created in this VPC | map(any) | `<map>` | no |
 | routing\_mode | The network routing mode (default 'GLOBAL') | string | `"GLOBAL"` | no |
 | secondary\_ranges | Secondary ranges that will be used in some of the subnets | object | `<map>` | no |
 | shared\_vpc\_host | Makes this project a Shared VPC host if 'true' (default 'false') | string | `"false"` | no |
@@ -122,6 +122,7 @@ Then perform the following commands on the root folder:
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 ### Subnet Inputs
+
 The subnets list contains maps, where each object represents a subnet. Each map has the following inputs (please see examples folder for additional references):
 
 | Name | Description | Type | Default | Required |
@@ -133,11 +134,12 @@ The subnets list contains maps, where each object represents a subnet. Each map
 | subnet\_flow\_logs  | Whether the subnet will record and send flow log data to logging | string | `"false"` | no |
 
 ### Route Inputs
-The routes list contains maps, where each object represents a route. For the next\_hop\_* inputs, only one is possible to be used in each route. Having two next_hop_* inputs will produce an error. Each map has the following inputs (please see examples folder for additional references):
+
+The `routes` map `key` is the unique route `name` and the `value` object represents the route input options. For the next\_hop\_* inputs, only one is possible to be used in each route. Having two next_hop_* inputs will produce an error. Each route has the following inputs (please see examples folder for additional references):
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| name | The name of the route being created  | string | - | no |
+| key | The name of the route being created  | string | - | yes |
 | description | The description of the route being created | string | - | no |
 | tags | The network tags assigned to this route. This is a list in string format. Eg. "tag-01,tag-02"| string | - | yes |
 | destination\_range | The destination range of outgoing packets that this route applies to. Only IPv4 is supported | string | - | yes

build/int.cloudbuild.yaml

@@ -38,4 +38,4 @@ tags:
 - 'integration'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.1.0'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.6.0'

build/lint.cloudbuild.yaml

@@ -21,4 +21,4 @@ tags:
 - 'lint'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.1.0'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.6.0'

examples/multi_vpc/main.tf

@@ -29,32 +29,29 @@ locals {
   network_02_subnet_01 = "${var.network_02_name}-subnet-01"
   network_02_subnet_02 = "${var.network_02_name}-subnet-02"
 
-  network_01_routes = [
-    {
-      name              = "${var.network_01_name}-egress-inet"
+  network_01_routes = {
+    "${var.network_01_name}-egress-inet" = {
       description       = "route through IGW to access internet"
       destination_range = "0.0.0.0/0"
       tags              = "egress-inet"
       next_hop_internet = "true"
-    },
-  ]
+    }
+  }
 
-  network_02_routes = [
-    {
-      name              = "${var.network_02_name}-egress-inet"
+  network_02_routes = {
+    "${var.network_02_name}-egress-inet" = {
       description       = "route through IGW to access internet"
       destination_range = "0.0.0.0/0"
       tags              = "egress-inet"
       next_hop_internet = "true"
-    },
-    {
-      name              = "${var.network_02_name}-testapp-proxy"
+    }
+    "${var.network_02_name}-testapp-proxy" = {
       description       = "route through proxy to reach app"
       destination_range = "10.50.10.0/24"
       tags              = "app-proxy"
       next_hop_ip       = "10.10.40.10"
-    },
-  ]
+    }
+  }
 }
 
 module "test-vpc-module-01" {

main.tf

@@ -14,107 +14,40 @@
  * limitations under the License.
  */
 
-locals {
-  subnets = {
-    for x in var.subnets :
-    "${x.subnet_region}/${x.subnet_name}" => x
-  }
-}
-
 /******************************************
 	VPC configuration
  *****************************************/
-resource "google_compute_network" "network" {
-  name                    = var.network_name
+module "vpc" {
+  source                  = "./modules/vpc"
+  network_name            = var.network_name
   auto_create_subnetworks = var.auto_create_subnetworks
   routing_mode            = var.routing_mode
-  project                 = var.project_id
+  project_id              = var.project_id
   description             = var.description
-}
-
-/******************************************
-	Shared VPC
- *****************************************/
-resource "google_compute_shared_vpc_host_project" "shared_vpc_host" {
-  count      = var.shared_vpc_host == "true" ? 1 : 0
-  project    = var.project_id
-  depends_on = [google_compute_network.network]
+  shared_vpc_host         = var.shared_vpc_host
 }
 
 /******************************************
 	Subnet configuration
  *****************************************/
-resource "google_compute_subnetwork" "subnetwork" {
-  for_each                 = local.subnets
-  name                     = each.value.subnet_name
-  ip_cidr_range            = each.value.subnet_ip
-  region                   = each.value.subnet_region
-  private_ip_google_access = lookup(each.value, "subnet_private_access", "false")
-  dynamic "log_config" {
-    for_each = lookup(each.value, "subnet_flow_logs", false) ? [{
-      aggregation_interval = lookup(each.value, "subnet_flow_logs_interval", null)
-      flow_sampling        = lookup(each.value, "subnet_flow_logs_sampling", null)
-      metadata             = lookup(each.value, "subnet_flow_logs_metadata", null)
-    }] : []
-    content {
-      aggregation_interval = log_config.value.aggregation_interval
-      flow_sampling        = log_config.value.flow_sampling
-      metadata             = log_config.value.metadata
-    }
-  }
-  network     = google_compute_network.network.name
-  project     = var.project_id
-  description = lookup(each.value, "description", null)
-  secondary_ip_range = [
-    for i in range(
-      length(
-        contains(
-        keys(var.secondary_ranges), each.value.subnet_name) == true
-        ? var.secondary_ranges[each.value.subnet_name]
-        : []
-    )) :
-    var.secondary_ranges[each.value.subnet_name][i]
-  ]
+module "subnets" {
+  source           = "./modules/subnets"
+  project_id       = var.project_id
+  network_name     = module.vpc.network_name
+  description      = var.description
+  subnets          = var.subnets
+  secondary_ranges = var.secondary_ranges
 }
 
 /******************************************
 	Routes
  *****************************************/
-resource "google_compute_route" "route" {
-  count                  = length(var.routes)
-  project                = var.project_id
-  network                = var.network_name
-  name                   = lookup(var.routes[count.index], "name", format("%s-%s-%d", lower(var.network_name), "route", count.index))
-  description            = lookup(var.routes[count.index], "description", "")
-  tags                   = compact(split(",", lookup(var.routes[count.index], "tags", "")))
-  dest_range             = lookup(var.routes[count.index], "destination_range", "")
-  next_hop_gateway       = lookup(var.routes[count.index], "next_hop_internet", "false") == "true" ? "default-internet-gateway" : ""
-  next_hop_ip            = lookup(var.routes[count.index], "next_hop_ip", "")
-  next_hop_instance      = lookup(var.routes[count.index], "next_hop_instance", "")
-  next_hop_instance_zone = lookup(var.routes[count.index], "next_hop_instance_zone", "")
-  next_hop_vpn_tunnel    = lookup(var.routes[count.index], "next_hop_vpn_tunnel", "")
-  priority               = lookup(var.routes[count.index], "priority", "1000")
-
-  depends_on = [
-    google_compute_network.network,
-    google_compute_subnetwork.subnetwork,
-  ]
-}
-
-resource "null_resource" "delete_default_internet_gateway_routes" {
-  count = var.delete_default_internet_gateway_routes ? 1 : 0
-
-  provisioner "local-exec" {
-    command = "${path.module}/scripts/delete-default-gateway-routes.sh ${var.project_id} ${var.network_name}"
-  }
-
-  triggers = {
-    number_of_routes = length(var.routes)
-  }
-
-  depends_on = [
-    google_compute_network.network,
-    google_compute_subnetwork.subnetwork,
-    google_compute_route.route,
-  ]
+module "routes" {
+  source                                 = "./modules/routes"
+  project_id                             = var.project_id
+  network_name                           = module.vpc.network_name
+  routes                                 = var.routes
+  delete_default_internet_gateway_routes = var.delete_default_internet_gateway_routes
+  network                                = module.vpc.network
+  subnets                                = module.subnets.subnets
 }

modules/fabric-net-firewall/README.md

@@ -74,7 +74,7 @@ module "net-firewall" {
 |------|-------------|:----:|:-----:|:-----:|
 | admin\_ranges | IP CIDR ranges that have complete access to all subnets. | list | `<list>` | no |
 | admin\_ranges\_enabled | Enable admin ranges-based rules. | string | `"false"` | no |
-| custom\_rules | List of custom rule definitions (refer to variables file for syntax). | map | `<map>` | no |
+| custom\_rules | List of custom rule definitions (refer to variables file for syntax). | object | `<map>` | no |
 | http\_source\_ranges | List of IP CIDR ranges for tag-based HTTP rule, defaults to 0.0.0.0/0. | list | `<list>` | no |
 | https\_source\_ranges | List of IP CIDR ranges for tag-based HTTPS rule, defaults to 0.0.0.0/0. | list | `<list>` | no |
 | internal\_allow | Allow rules for internal ranges. | list | `<list>` | no |
@@ -89,6 +89,10 @@ module "net-firewall" {
 | Name | Description |
 |------|-------------|
 | admin\_ranges | Admin ranges data. |
+| custom\_egress\_allow\_rules | Custom egress rules with allow blocks. |
+| custom\_egress\_deny\_rules | Custom egress rules with allow blocks. |
+| custom\_ingress\_allow\_rules | Custom ingress rules with allow blocks. |
+| custom\_ingress\_deny\_rules | Custom ingress rules with deny blocks. |
 | internal\_ranges | Internal ranges. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/fabric-net-firewall/versions.tf

@@ -17,3 +17,7 @@
 terraform {
   required_version = "~> 0.12.0"
 }
+
+provider "google" {
+  version = "~> 2.18.0"
+}

modules/fabric-net-svpc-access/versions.tf

@@ -17,3 +17,7 @@
 terraform {
   required_version = "~> 0.12.0"
 }
+
+provider "google" {
+  version = "~> 2.18.0"
+}