diff --git a/modules/compute/vm-instance/README.md b/modules/compute/vm-instance/README.md
index e75b70865d..8cb04bbf6d 100644
--- a/modules/compute/vm-instance/README.md
+++ b/modules/compute/vm-instance/README.md
@@ -225,7 +225,7 @@ limitations under the License.
| [metadata](#input\_metadata) | Metadata, provided as a map | `map(string)` | `{}` | no |
| [min\_cpu\_platform](#input\_min\_cpu\_platform) | The name of the minimum CPU platform that you want the instance to use. | `string` | `null` | no |
| [name\_prefix](#input\_name\_prefix) | An optional name for all VM and disk resources.
If not supplied, `deployment_name` will be used.
When `name_prefix` is supplied, and `add_deployment_name_before_prefix` is set,
then resources are named by "<`deployment_name`>-<`name_prefix`>-<#>". | `string` | `null` | no |
-| [network\_interfaces](#input\_network\_interfaces) | A list of network interfaces. The options match that of the terraform
network\_interface block of google\_compute\_instance. For descriptions of the
subfields or more information see the documentation:
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#nested_network_interface
**\_NOTE:\_** If `network_interfaces` are set, `network_self_link` and
`subnetwork_self_link` will be ignored, even if they are provided through
the `use` field. `bandwidth_tier` and `disable_public_ips` also do not apply
to network interfaces defined in this variable.
Subfields:
network (string, required if subnetwork is not supplied)
subnetwork (string, required if network is not supplied)
subnetwork\_project (string, optional)
network\_ip (string, optional)
nic\_type (string, optional, choose from ["GVNIC", "VIRTIO\_NET"])
stack\_type (string, optional, choose from ["IPV4\_ONLY", "IPV4\_IPV6"])
queue\_count (number, optional)
access\_config (object, optional)
ipv6\_access\_config (object, optional)
alias\_ip\_range (list(object), optional) |
list(object({| `[]` | no | +| [network\_interfaces](#input\_network\_interfaces) | A list of network interfaces. The options match that of the terraform
network = string,
subnetwork = string,
subnetwork_project = string,
network_ip = string,
nic_type = string,
stack_type = string,
queue_count = number,
access_config = list(object({
nat_ip = string,
public_ptr_domain_name = string,
network_tier = string
})),
ipv6_access_config = list(object({
public_ptr_domain_name = string,
network_tier = string
})),
alias_ip_range = list(object({
ip_cidr_range = string,
subnetwork_range_name = string
}))
}))
list(object({| `[]` | no | | [network\_self\_link](#input\_network\_self\_link) | The self link of the network to attach the VM. Can use "default" for the default network. | `string` | `null` | no | | [network\_storage](#input\_network\_storage) | An array of network attached storage mounts to be configured. |
network = string,
subnetwork = string,
subnetwork_project = string,
network_ip = string,
nic_type = string,
stack_type = string,
queue_count = number,
access_config = list(object({
nat_ip = string,
public_ptr_domain_name = string,
network_tier = string
})),
ipv6_access_config = list(object({
public_ptr_domain_name = string,
network_tier = string
})),
alias_ip_range = list(object({
ip_cidr_range = string,
subnetwork_range_name = string
}))
}))
list(object({| `[]` | no | | [on\_host\_maintenance](#input\_on\_host\_maintenance) | Describes maintenance behavior for the instance. If left blank this will default to `MIGRATE` except for when `placement_policy`, spot provisioning, or GPUs require it to be `TERMINATE` | `string` | `null` | no |
diff --git a/modules/compute/vm-instance/variables.tf b/modules/compute/vm-instance/variables.tf
index 1c32348587..7eae8fcf85 100644
--- a/modules/compute/vm-instance/variables.tf
+++ b/modules/compute/vm-instance/variables.tf
@@ -185,7 +185,7 @@ variable "network_interfaces" {
 subnetwork (string, required if network is not supplied)
 subnetwork_project (string, optional)
 network_ip (string, optional)
- nic_type (string, optional, choose from ["GVNIC", "VIRTIO_NET"])
+ nic_type (string, optional, choose from ["GVNIC", "VIRTIO_NET", "MRDMA", "IRDMA"])
 stack_type (string, optional, choose from ["IPV4_ONLY", "IPV4_IPV6"])
 queue_count (number, optional)
 access_config (object, optional)
diff --git a/modules/network/vpc/README.md b/modules/network/vpc/README.md
index ff0fd46c95..e63805b6b1 100644
--- a/modules/network/vpc/README.md
+++ b/modules/network/vpc/README.md
@@ -181,6 +181,7 @@ limitations under the License.
 | Name | Type |
 |------|------|
+| [terraform_data.cloud_nat_validation](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
 | [terraform_data.secondary_ranges_validation](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
 ## Inputs
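Review bot: The two new `nic_type` values are advertised only in the description string of `variable "network_interfaces"`; if the variable has no `validation` block (the rest of the variable is outside the hunk), a misspelt `nic_type` is rejected by the provider at apply time instead of at plan. A validation that reuses the same list keeps the documentation and the accepted set in step, e.g. `condition = alltrue([for ni in var.network_interfaces : ni.nic_type == null || contains(["GVNIC", "VIRTIO_NET", "MRDMA", "IRDMA"], ni.nic_type)])` with `error_message = "nic_type must be one of GVNIC, VIRTIO_NET, MRDMA or IRDMA."`. If such a block already exists it needs the same two values added, otherwise the description now promises options the module will not accept.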
@@ -192,6 +193,8 @@ limitations under the License.
 | [default\_primary\_subnetwork\_size](#input\_default\_primary\_subnetwork\_size) | The size, in CIDR bits, of the default primary subnetwork unless explicitly defined in var.subnetworks | `number` | `15` | no |
 | [delete\_default\_internet\_gateway\_routes](#input\_delete\_default\_internet\_gateway\_routes) | If set, ensure that all routes within the network specified whose names begin with 'default-route' and with a next hop of 'default-internet-gateway' are deleted | `bool` | `false` | no |
 | [deployment\_name](#input\_deployment\_name) | The name of the current deployment | `string` | n/a | yes |
+| [enable\_cloud\_nat](#input\_enable\_cloud\_nat) | Enable the creation of Cloud NATs. | `bool` | `true` | no |
+| [enable\_cloud\_router](#input\_enable\_cloud\_router) | Enable the creation of a Cloud Router for your VPC. For more information on Cloud Routers see https://cloud.google.com/network-connectivity/docs/router/concepts/overview | `bool` | `true` | no |
 | [enable\_iap\_rdp\_ingress](#input\_enable\_iap\_rdp\_ingress) | Enable a firewall rule to allow Windows Remote Desktop Protocol access using IAP tunnels | `bool` | `false` | no |
 | [enable\_iap\_ssh\_ingress](#input\_enable\_iap\_ssh\_ingress) | Enable a firewall rule to allow SSH access using IAP tunnels | `bool` | `true` | no |
 | [enable\_iap\_winrm\_ingress](#input\_enable\_iap\_winrm\_ingress) | Enable a firewall rule to allow Windows Remote Management (WinRM) access using IAP tunnels | `bool` | `false` | no |
diff --git a/modules/network/vpc/main.tf b/modules/network/vpc/main.tf
index 3ad533a957..500ff6e62d 100644
--- a/modules/network/vpc/main.tf
+++ b/modules/network/vpc/main.tf
@@ -64,7 +64,8 @@ locals {
 ]
 # gather the unique regions for purposes of creating Router/NAT
- regions = distinct([for subnet in local.subnetworks : subnet.subnet_region])
+ cloud_router_regions = var.enable_cloud_router ? distinct([for subnet in local.subnetworks : subnet.subnet_region]) : []
+ cloud_nat_regions = var.enable_cloud_nat ? local.cloud_router_regions : []
 # this comprehension should have 1 and only 1 match
 output_primary_subnetwork = one([for k, v in module.vpc.subnets : v if k == "${local.subnetworks[0].subnet_region}/${local.subnetworks[0].subnet_name}"])
@@ -177,6 +178,17 @@ module "vpc" {
 network_profile = var.network_profile
 }
+resource "terraform_data" "cloud_nat_validation" {
+ lifecycle {
+ precondition {
+ condition = var.enable_cloud_router == true || var.enable_cloud_nat == false
+ error_message = <<-EOD
+ "Cannot have Cloud NAT without a Cloud Router. If you desire Cloud NAT functionality please set `enable_cloud_router` to true."
+ EOD
+ }
+ }
+}
+
 # This use of the module may appear odd when var.ips_per_nat = 0. The module
 # will be called for all regions with subnetworks but names will be set to the
 # empty list. This is a perfectly valid value (the default!). In this scenario,
@@ -188,7 +200,9 @@ module "nat_ip_addresses" {
 source = "terraform-google-modules/address/google"
 version = "~> 4.1"
- for_each = toset(local.regions)
+ depends_on = [terraform_data.cloud_nat_validation]
+
+ for_each = toset(local.cloud_nat_regions)
 project_id = var.project_id
 region = each.value
@@ -203,7 +217,7 @@ module "cloud_router" {
 source = "terraform-google-modules/cloud-router/google"
 version = "~> 6.0"
- for_each = toset(local.regions)
+ for_each = toset(local.cloud_router_regions)
 project = var.project_id
 name = "${local.network_name}-router"
diff --git a/modules/network/vpc/variables.tf b/modules/network/vpc/variables.tf
index f4e7321784..a74a78e577 100644
--- a/modules/network/vpc/variables.tf
+++ b/modules/network/vpc/variables.tf
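Review bot: The heredoc `error_message` in `terraform_data.cloud_nat_validation` wraps the sentence in literal double quotes, so the rendered plan error will print `"Cannot have Cloud NAT without a Cloud Router. ..."` quotes included; a plain `error_message = "Cannot have Cloud NAT without a Cloud Router. If you desire Cloud NAT functionality please set `enable_cloud_router` to true."` reads cleaner and avoids the heredoc's trailing newline. The resource also deserves a one-line comment explaining why it exists, because `local.cloud_nat_regions` already collapses to `[]` when `enable_cloud_router` is false and NAT would otherwise just be skipped silently: `# Fail at plan time rather than silently creating no NAT when the router is disabled but NAT is still requested.` The `depends_on` added to `nat_ip_addresses` ties the check to that module only; if a separate NAT module elsewhere in the file iterates `local.cloud_nat_regions`, it does not need the same `depends_on`, since a failed precondition aborts the whole plan regardless of ordering.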
@@ -228,6 +228,18 @@ variable "enable_internal_traffic" {
 default = true
 }
+variable "enable_cloud_router" {
+ type = bool
+ description = "Enable the creation of a Cloud Router for your VPC. For more information on Cloud Routers see https://cloud.google.com/network-connectivity/docs/router/concepts/overview"
+ default = true
+}
+
+variable "enable_cloud_nat" {
+ type = bool
+ description = "Enable the creation of Cloud NATs."
+ default = true
+}
+
 variable "extra_iap_ports" {
 type = list(string)
 description = "A list of TCP ports for which to create firewall rules that enable IAP for TCP forwarding (use dedicated enable_iap variables for standard ports)"
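Review bot: The description of `enable_cloud_nat` does not tell the user what turning it off costs or that it depends on `enable_cloud_router`, even though main.tf in this same commit rejects `enable_cloud_nat = true` together with `enable_cloud_router = false`. Suggest `description = "Enable the creation of Cloud NATs. Requires enable_cloud_router to be true. When false, instances without external IP addresses have no outbound internet access unless another egress path is provided."` so the hardening trade-off is visible at the input rather than discovered from a plan error. A matching sentence in the `enable_cloud_router` description, noting that disabling it also requires `enable_cloud_nat = false`, would make the pair self-explanatory.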
server_ip = string,
remote_mount = string,
local_mount = string,
fs_type = string,
mount_options = string,
client_install_runner = map(string)
mount_runner = map(string)
}))