net-vpc
Minimalistic VPC module

This module allows creation and management of VPC networks including subnetworks and subnetwork IAM bindings, Shared VPC activation and service project registration, and one-to-one peering.

Examples

The module allows for several different VPC configurations; some of the most common are shown below.

Simple VPC

module "vpc" {
  source     = "./modules/net-vpc"
  project_id = "my-project"
  name       = "my-network"
  subnets = [
    {
      ip_cidr_range = "10.0.0.0/24"
      name          = "production"
      region        = "europe-west1"
      secondary_ip_range = {
        pods     = "172.16.0.0/20"
        services = "192.168.0.0/24"
      }
    },
    {
      ip_cidr_range = "10.0.16.0/24"
      name          = "production"
      region        = "europe-west2"
      secondary_ip_range = {}
    }
  ]
}
# tftest:modules=1:resources=3

Peering

A single peering can be configured for the VPC. This covers simple scenarios and also more complex configurations such as hub and spoke, where the peering configuration is defined on each spoke VPC. Care must be taken so that only a single peering is created, changed or destroyed at a time, due to the specific behaviour of the peering API calls.

If you only want to create the "local" side of the peering, set peering_create_remote_end to false. This is useful if you don't have permissions on the remote project/VPC to create peerings.

module "vpc-hub" {
  source     = "./modules/net-vpc"
  project_id = "hub"
  name       = "vpc-hub"
  subnets = [{
    ip_cidr_range      = "10.0.0.0/24"
    name               = "subnet-1"
    region             = "europe-west1"
    secondary_ip_range = null
  }]
}

module "vpc-spoke-1" {
  source     = "./modules/net-vpc"
  project_id = "spoke1"
  name       = "vpc-spoke1"
  subnets = [{
    ip_cidr_range      = "10.0.1.0/24"
    name               = "subnet-2"
    region             = "europe-west1"
    secondary_ip_range = null
  }]
  peering_config = {
    peer_vpc_self_link = module.vpc-hub.self_link
    export_routes      = false
    import_routes      = true
  }
}
# tftest:modules=2:resources=6
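Hub and spoke with two spokes, as an added example that is not part of the module's README: each spoke carries its own peering_config, and the second spoke is made to wait for the first so that only one peering is created or destroyed at a time, as the section above requires. It assumes Terraform 0.13 or later (module-level depends_on); project ids and subnet ranges are constructed.

```hcl
# Hub VPC: carries no peering_config itself; each spoke creates both ends.
module "vpc-hub" {
  source     = "./modules/net-vpc"
  project_id = "hub"
  name       = "vpc-hub"
  subnets = [{
    ip_cidr_range      = "10.0.0.0/24"
    name               = "subnet-1"
    region             = "europe-west1"
    secondary_ip_range = null
  }]
}

# First spoke: imports hub routes, exports nothing back.
module "vpc-spoke-1" {
  source     = "./modules/net-vpc"
  project_id = "spoke1"
  name       = "vpc-spoke1"
  subnets = [{
    ip_cidr_range      = "10.0.1.0/24"
    name               = "subnet-2"
    region             = "europe-west1"
    secondary_ip_range = null
  }]
  peering_config = {
    peer_vpc_self_link = module.vpc-hub.self_link
    export_routes      = false
    import_routes      = true
  }
}

# Second spoke: identical peering shape, but serialized after spoke-1 so the
# hub never has two peering operations in flight at once (assumed Terraform >= 0.13).
module "vpc-spoke-2" {
  source     = "./modules/net-vpc"
  project_id = "spoke2"
  name       = "vpc-spoke2"
  subnets = [{
    ip_cidr_range      = "10.0.2.0/24"
    name               = "subnet-3"
    region             = "europe-west1"
    secondary_ip_range = null
  }]
  peering_config = {
    peer_vpc_self_link = module.vpc-hub.self_link
    export_routes      = false
    import_routes      = true
  }
  depends_on = [module.vpc-spoke-1]
}
```

Adding or removing a third spoke should likewise be applied as its own change, chained with depends_on on the previous spoke, rather than in the same apply as other peering changes on the hub.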

Shared VPC

Shared VPC is a project-level functionality which enables a project to share its VPCs with other projects. The shared_vpc_host variable is here to help with rapid prototyping; we recommend leveraging the project module for production usage.

locals {
  service_project_1 = {
    project_id = "project1"
    gke_service_account = "gke"
    cloud_services_service_account = "cloudsvc"
  }
  service_project_2 = {
    project_id = "project2"
  }
}

module "vpc-host" {
  source     = "./modules/net-vpc"
  project_id = "my-project"
  name       = "my-host-network"
  subnets = [
    {
      ip_cidr_range = "10.0.0.0/24"
      name          = "subnet-1"
      region        = "europe-west1"
      secondary_ip_range = {
        pods     = "172.16.0.0/20"
        services = "192.168.0.0/24"
      }
    }
  ]
  shared_vpc_host = true
  shared_vpc_service_projects = [
    local.service_project_1.project_id,
    local.service_project_2.project_id
  ]
  iam = {
    "europe-west1/subnet-1" = {
      "roles/compute.networkUser" = [
        local.service_project_1.cloud_services_service_account,
        local.service_project_1.gke_service_account
      ]
      "roles/compute.securityAdmin" = [
        local.service_project_1.gke_service_account
      ]
    }
  }
}
# tftest:modules=1:resources=7

Private Service Networking

module "vpc" {
  source     = "./modules/net-vpc"
  project_id = "my-project"
  name       = "my-network"
  subnets = [
    {
      ip_cidr_range      = "10.0.0.0/24"
      name               = "production"
      region             = "europe-west1"
      secondary_ip_range = null
    }
  ]
  private_service_networking_range = "10.10.0.0/16"
}
# tftest:modules=1:resources=4

DNS Policies

module "vpc" {
  source     = "./modules/net-vpc"
  project_id = "my-project"
  name       = "my-network"
  dns_policy = {
    inbound  = true
    logging  = false
    outbound = {
      private_ns = ["10.0.0.1"]
      public_ns  = ["8.8.8.8"]
    }
  }
  subnets = [
    {
      ip_cidr_range      = "10.0.0.0/24"
      name               = "production"
      region             = "europe-west1"
      secondary_ip_range = {}
    }
  ]
}
# tftest:modules=1:resources=3

Variables

| name | description | type | required | default |
|---|---|---|---|---|
| name | The name of the network being created | string | ✓ | |
| project_id | The ID of the project where this VPC will be created | string | ✓ | |
| auto_create_subnetworks | Set to true to create an auto mode subnet, defaults to custom mode. | bool | | false |
| delete_default_routes_on_create | Set to true to delete the default routes at creation time. | bool | | false |
| description | An optional description of this resource (triggers recreation on change). | string | | Terraform-managed. |
| dns_policy | None | object({...}) | | null |
| iam | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | map(map(list(string))) | | {} |
| log_config_defaults | Default configuration for flow logs when enabled. | object({...}) | | ... |
| log_configs | Map keyed by subnet 'region/name' of optional configurations for flow logs when enabled. | map(map(string)) | | {} |
| mtu | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 and the maximum value is 1500 bytes. | | | null |
| peering_config | VPC peering configuration. | object({...}) | | null |
| peering_create_remote_end | Skip creation of peering on the remote end when using peering_config | bool | | true |
| private_service_networking_range | RFC1918 CIDR range used for Google services that support private service networking. | string | | ... |
| routes | Network routes, keyed by name. | map(object({...})) | | {} |
| routing_mode | The network routing mode (default 'GLOBAL') | string | | ... |
| shared_vpc_host | Enable shared VPC for this project. | bool | | false |
| shared_vpc_service_projects | Shared VPC service projects to register with this host | list(string) | | [] |
| subnet_descriptions | Optional map of subnet descriptions, keyed by subnet 'region/name'. | map(string) | | {} |
| subnet_flow_logs | Optional map of boolean to control flow logs (default is disabled), keyed by subnet 'region/name'. | map(bool) | | {} |
| subnet_private_access | Optional map of boolean to control private Google access (default is enabled), keyed by subnet 'region/name'. | map(bool) | | {} |
| subnets | The list of subnets being created | list(object({...})) | | [] |
| vpc_create | Create VPC. When set to false, uses a data source to reference existing VPC. | bool | | true |
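Per-subnet flow logs, private Google access and subnet IAM keyed by 'region/name', as an added example that is not part of the module's README. It shows how the map-typed variables in the table above line up against the subnets list; the inner log_configs keys (flow_sampling, metadata) are assumed to follow the google_compute_subnetwork log_config arguments, and the service account member is constructed.

```hcl
module "vpc" {
  source     = "./modules/net-vpc"
  project_id = "my-project"
  name       = "my-network"
  subnets = [
    {
      ip_cidr_range      = "10.0.0.0/24"
      name               = "production"
      region             = "europe-west1"
      secondary_ip_range = null
    },
    {
      ip_cidr_range      = "10.0.1.0/24"
      name               = "sandbox"
      region             = "europe-west1"
      secondary_ip_range = null
    }
  ]
  # Every per-subnet map below is keyed by "<region>/<subnet name>".
  subnet_descriptions = {
    "europe-west1/production" = "Production workloads; flow logs enabled"
    "europe-west1/sandbox"    = "Isolated sandbox; no private Google access"
  }
  # Flow logs default to disabled; turn them on only where they feed detection.
  subnet_flow_logs = {
    "europe-west1/production" = true
    "europe-west1/sandbox"    = false
  }
  # Per-subnet overrides of log_config_defaults (map(map(string)), so values are strings).
  # Key names are assumed to match google_compute_subnetwork log_config arguments.
  log_configs = {
    "europe-west1/production" = {
      flow_sampling = "1"
      metadata      = "INCLUDE_ALL_METADATA"
    }
  }
  # Private Google access defaults to enabled; explicitly switch it off for the sandbox.
  subnet_private_access = {
    "europe-west1/sandbox" = false
  }
  # Least privilege: only the (constructed) application service account may use production.
  iam = {
    "europe-west1/production" = {
      "roles/compute.networkUser" = [
        "serviceAccount:app@my-project.iam.gserviceaccount.com"
      ]
    }
  }
}
```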

Outputs

| name | description | sensitive |
|---|---|---|
| bindings | Subnet IAM bindings. | |
| name | The name of the VPC being created. | |
| network | Network resource. | |
| project_id | Shared VPC host project id. | |
| self_link | The URI of the VPC being created. | |
| subnet_ips | Map of subnet address ranges keyed by name. | |
| subnet_regions | Map of subnet regions keyed by name. | |
| subnet_secondary_ranges | Map of subnet secondary ranges keyed by name. | |
| subnet_self_links | Map of subnet self links keyed by name. | |
| subnets | Subnet resources. | |

For the subnet-keyed outputs above, the key format is subnet_region/subnet_name, for example europe-west1/my_subnet.