From 679a0254b4e29d3379c6b64e4c4288814fe373dd Mon Sep 17 00:00:00 2001 From: Riley Karson Date: Tue, 8 Jun 2021 15:45:32 -0700 Subject: [PATCH 1/4] Add support for the google_compute_service_attachment resource --- mmv1/products/compute/api.yaml | 129 ++++++++++++++++++ mmv1/products/compute/terraform.yaml | 32 +++++ .../examples/service_attachment_basic.tf.erb | 97 +++++++++++++ ...ervice_attachment_explicit_projects.tf.erb | 104 ++++++++++++++ 4 files changed, 362 insertions(+) create mode 100644 mmv1/templates/terraform/examples/service_attachment_basic.tf.erb create mode 100644 mmv1/templates/terraform/examples/service_attachment_explicit_projects.tf.erb diff --git a/mmv1/products/compute/api.yaml b/mmv1/products/compute/api.yaml index b4e940283c78..3d45d9e57cb7 100644 --- a/mmv1/products/compute/api.yaml +++ b/mmv1/products/compute/api.yaml 
@@ -14119,6 +14119,135 @@ objects: required: true description: | The size of the disk in base-2 GB. + - !ruby/object:Api::Resource + name: 'ServiceAttachment' + kind: 'compute#ServiceAttachment' + base_url: projects/{{project}}/regions/{{region}}/serviceAttachments + has_self_link: true + input: true + min_version: beta + description: | + Represents a ServiceAttachment resource. + references: !ruby/object:Api::Resource::ReferenceLinks + guides: + 'TODO': 'https://cloud.google.com/' + api: 'https://cloud.google.com/compute/docs/reference/beta/serviceAttachments' + async: !ruby/object:Api::OpAsync + operation: !ruby/object:Api::OpAsync::Operation + kind: 'compute#operation' + path: 'name' + base_url: 'projects/{{project}}/regions/{{region}}/operations/{{op_id}}' + wait_ms: 1000 + result: !ruby/object:Api::OpAsync::Result + path: 'targetLink' + status: !ruby/object:Api::OpAsync::Status + path: 'status' + complete: 'DONE' + allowed: + - 'PENDING' + - 'RUNNING' + - 'DONE' + error: !ruby/object:Api::OpAsync::Error + path: 'error/errors' + message: 'message' + parameters: + - !ruby/object:Api::Type::ResourceRef + name: 'region' + resource: 'Region' + imports: 'name' + description: | + URL of the region where the resource resides. + required: true + properties: + - !ruby/object:Api::Type::String + name: 'name' + required: true + description: | + Name of the resource. The name must be 1-63 characters long, and + comply with RFC1035. Specifically, the name must be 1-63 characters + long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` + which means the first character must be a lowercase letter, and all + following characters must be a dash, lowercase letter, or digit, + except the last character, which cannot be a dash. + - !ruby/object:Api::Type::String + name: 'description' + description: | + An optional description of this resource. 
+ - !ruby/object:Api::Type::String + name: 'connectionPreference' + required: true + description: | + The connection preference to use for this service attachment. Valid + values include "ACCEPT_AUTOMATIC", "ACCEPT_MANUAL". + - !ruby/object:Api::Type::Array + name: 'connectedEndpoints' + output: true + description: | + An array of the consumer forwarding rules connected to this service + attachment. + item_type: !ruby/object:Api::Type::NestedObject + properties: + - !ruby/object:Api::Type::String + name: 'endpoint' + output: true + description: | + The URL of the consumer forwarding rule. + - !ruby/object:Api::Type::String + name: 'status' + output: true + description: | + The status of the connection from the consumer forwarding rule to + this service attachment. + - !ruby/object:Api::Type::ResourceRef + name: targetService + required: true + resource: 'ForwardingRule' + imports: 'selfLink' + description: | + The URL of a forwarding rule that represents the service identified by + this service attachment. + - !ruby/object:Api::Type::Array + name: 'natSubnets' + required: true + description: | + An array of subnets that is provided for NAT in this service attachment. + item_type: !ruby/object:Api::Type::ResourceRef + name: 'subnet' + resource: 'Subnetwork' + imports: 'selfLink' + description: | + A subnet that is provided for NAT in this service attachment. + - !ruby/object:Api::Type::Boolean + name: 'enableProxyProtocol' + required: true + description: | + If true, enable the proxy protocol which is for supplying client TCP/IP + address data in TCP connections that traverse proxies on their way to + destination servers. + - !ruby/object:Api::Type::Array + name: 'consumerRejectList' + item_type: Api::Type::String + description: | + An array of projects that are not allowed to connect to this service + attachment. 
+ - !ruby/object:Api::Type::Array + name: 'consumerAcceptList' + description: | + An array of projects that are allowed to connect to this service + attachment. + item_type: !ruby/object:Api::Type::NestedObject + properties: + - !ruby/object:Api::Type::String + name: 'projectIdOrNum' + required: true + description: | + A project that is allowed to connect to this service attachment. + - !ruby/object:Api::Type::Integer + name: 'connectionLimit' + required: true + description: | + The number of consumer forwarding rules the consumer project can + create. - !ruby/object:Api::Resource name: 'SslPolicy' kind: 'compute#sslPolicy' diff --git a/mmv1/products/compute/terraform.yaml b/mmv1/products/compute/terraform.yaml index 3afce6c35a77..7dbe1ce0a941 100644 --- a/mmv1/products/compute/terraform.yaml +++ b/mmv1/products/compute/terraform.yaml 
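Review bot: `connectionPreference` is declared as `!ruby/object:Api::Type::String` although its own description fixes the value set to `ACCEPT_AUTOMATIC`/`ACCEPT_MANUAL`; declaring it as `- !ruby/object:Api::Type::Enum` with `values: [:ACCEPT_AUTOMATIC, :ACCEPT_MANUAL]` would reject a typo at plan time rather than at the API call. The description should also say what the choice means for who may connect — presumably `consumerAcceptList`/`consumerRejectList` are only consulted under `ACCEPT_MANUAL` and `ACCEPT_AUTOMATIC` admits any consumer project — since that is the sentence a reader choosing between them needs; please confirm against the API before wording it. Minor: `name: targetService` is the only unquoted `name:` value in this block; `name: 'targetService'` matches the rest. The resource is marked `input: true`, which if I read that flag correctly makes every field including the accept/reject lists immutable, so editing a list recreates the attachment (and drops its connected endpoints) — worth one sentence in the resource description.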
@@ -2198,6 +2198,38 @@ overrides: !ruby/object:Overrides::ResourceOverrides If it is not provided, the provider region is used. SecurityPolicy: !ruby/object:Overrides::Terraform::ResourceOverride exclude: true + ServiceAttachment: !ruby/object:Overrides::Terraform::ResourceOverride + examples: + - !ruby/object:Provider::Terraform::Examples + name: "service_attachment_basic" + primary_resource_id: "psc_ilb_service_attachment" + vars: + service_attachment_name: "my-psc-ilb" + network_name: "psc-ilb-network" + nat_subnetwork_name: "psc-ilb-nat" + producer_subnetwork_name: "psc-ilb-producer-subnetwork" + producer_health_check_name: "producer-service-health-check" + producer_service_name: "producer-service" + producer_forwarding_rule_name: "producer-forwarding-rule" + consumer_address_name: "psc-ilb-consumer-address" + consumer_forwarding_rule_name: "psc-ilb-consumer-forwarding-rule" + - !ruby/object:Provider::Terraform::Examples + name: "service_attachment_explicit_projects" + primary_resource_id: "psc_ilb_service_attachment" + vars: + service_attachment_name: "my-psc-ilb" + network_name: "psc-ilb-network" + nat_subnetwork_name: "psc-ilb-nat" + producer_subnetwork_name: "psc-ilb-producer-subnetwork" + producer_health_check_name: "producer-service-health-check" + producer_service_name: "producer-service" + producer_forwarding_rule_name: "producer-forwarding-rule" + consumer_address_name: "psc-ilb-consumer-address" + consumer_forwarding_rule_name: "psc-ilb-consumer-forwarding-rule" + properties: + region: !ruby/object:Overrides::Terraform::PropertyOverride + required: false + default_from_api: true Snapshot: !ruby/object:Overrides::Terraform::ResourceOverride timeouts: !ruby/object:Api::Timeouts insert_minutes: 5 diff --git a/mmv1/templates/terraform/examples/service_attachment_basic.tf.erb b/mmv1/templates/terraform/examples/service_attachment_basic.tf.erb new file mode 100644 index 000000000000..d282227e7457 --- /dev/null 
+++ b/mmv1/templates/terraform/examples/service_attachment_basic.tf.erb 
@@ -0,0 +1,97 @@ +resource "google_compute_service_attachment" "<%= ctx[:primary_resource_id] %>" { + provider = "google-beta" + + name = "<%= ctx[:vars]['service_attachment_name'] %>" + region = "us-west2" + description = "A service attachment configured with Terraform" + + enable_proxy_protocol = true + connection_preference = "ACCEPT_AUTOMATIC" + nat_subnets = [google_compute_subnetwork.psc_ilb_nat.id] + target_service = google_compute_forwarding_rule.psc_ilb_target_service.id +} + +resource "google_compute_address" "psc_ilb_consumer_address" { + provider = "google-beta" + + name = "<%= ctx[:vars]['consumer_address_name'] %>" + region = "us-west2" + + subnetwork = "default" + address_type = "INTERNAL" + address = "10.168.0.17" +} + +resource "google_compute_forwarding_rule" "psc_ilb_consumer" { + provider = "google-beta" + + name = "<%= ctx[:vars]['consumer_forwarding_rule_name'] %>" + region = "us-west2" + + target = google_compute_service_attachment.psc_ilb_service_attachment.id + load_balancing_scheme = "" # need to override EXTERNAL default when target is a service attachment + network = "default" + ip_address = google_compute_address.psc_ilb_consumer_address.id +} + +resource "google_compute_forwarding_rule" "psc_ilb_target_service" { + provider = "google-beta" + + name = "<%= ctx[:vars]['producer_forwarding_rule_name'] %>" + region = "us-west2" + + load_balancing_scheme = "INTERNAL" + backend_service = google_compute_region_backend_service.producer_service_backend.id + all_ports = true + network = google_compute_network.psc_ilb_network.name + subnetwork = google_compute_subnetwork.psc_ilb_producer_subnetwork.name +} + +resource "google_compute_region_backend_service" "producer_service_backend" { + provider = "google-beta" + + name = "<%= ctx[:vars]['producer_service_name'] %>" + region = "us-west2" + + health_checks = [google_compute_health_check.producer_service_health_check.id] +} + +resource "google_compute_health_check" "producer_service_health_check" 
{ + provider = "google-beta" + + name = "<%= ctx[:vars]['producer_health_check_name'] %>" + + check_interval_sec = 1 + timeout_sec = 1 + tcp_health_check { + port = "80" + } +} + +resource "google_compute_network" "psc_ilb_network" { + provider = "google-beta" + + name = "<%= ctx[:vars]['network_name'] %>" + auto_create_subnetworks = false +} + +resource "google_compute_subnetwork" "psc_ilb_producer_subnetwork" { + provider = "google-beta" + + name = "<%= ctx[:vars]['producer_subnetwork_name'] %>" + region = "us-west2" + + network = google_compute_network.psc_ilb_network.id + ip_cidr_range = "10.0.0.0/16" +} + +resource "google_compute_subnetwork" "psc_ilb_nat" { + provider = "google-beta" + + name = "<%= ctx[:vars]['nat_subnetwork_name'] %>" + region = "us-west2" + + network = google_compute_network.psc_ilb_network.id + purpose = "PRIVATE_SERVICE_CONNECT" + ip_cidr_range = "10.1.0.0/16" +} diff --git a/mmv1/templates/terraform/examples/service_attachment_explicit_projects.tf.erb b/mmv1/templates/terraform/examples/service_attachment_explicit_projects.tf.erb new file mode 100644 index 000000000000..2bbf78d8e49e --- /dev/null +++ b/mmv1/templates/terraform/examples/service_attachment_explicit_projects.tf.erb 
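Review bot: The consumer side of the example (`google_compute_address.psc_ilb_consumer_address` and `google_compute_forwarding_rule.psc_ilb_consumer`) hard-codes `network = "default"`, `subnetwork = "default"` and a fixed `address = "10.168.0.17"`, while the producer side builds its own network; the example therefore only applies in a project that still has the auto-created default network and where that address is free, and that assumption is silent. Either create the consumer network and subnet in the example as well, or add a comment such as `# consumer endpoint uses the project's pre-existing "default" network; substitute your own VPC/subnet and drop the fixed address in real use`. The same hard-coding appears in service_attachment_explicit_projects.tf.erb (`10.168.1.17`). Since this is the "basic" example readers will copy, a one-line comment on `connection_preference = "ACCEPT_AUTOMATIC"` noting that it admits consumer connections without an allow list, and pointing to the explicit_projects example for restricting consumers, would help.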
@@ -0,0 +1,104 @@ +resource "google_compute_service_attachment" "<%= ctx[:primary_resource_id] %>" { + provider = "google-beta" + + name = "<%= ctx[:vars]['service_attachment_name'] %>" + region = "us-west2" + description = "A service attachment configured with Terraform" + + enable_proxy_protocol = true + connection_preference = "ACCEPT_MANUAL" + nat_subnets = [google_compute_subnetwork.psc_ilb_nat.id] + target_service = google_compute_forwarding_rule.psc_ilb_target_service.id + + consumer_reject_list = ["673497134629", "482878270665"] + + consumer_accept_list { + project_id_or_num = "658859330310" + connection_limit = 4 + } +} + +resource "google_compute_address" "psc_ilb_consumer_address" { + provider = "google-beta" + + name = "<%= ctx[:vars]['consumer_address_name'] %>" + region = "us-west2" + + subnetwork = "default" + address_type = "INTERNAL" + address = "10.168.1.17" +} + +resource "google_compute_forwarding_rule" "psc_ilb_consumer" { + provider = "google-beta" + + name = "<%= ctx[:vars]['consumer_forwarding_rule_name'] %>" + region = "us-west2" + + target = google_compute_service_attachment.psc_ilb_service_attachment.id + load_balancing_scheme = "" # need to override EXTERNAL default when target is a service attachment + network = "default" + ip_address = google_compute_address.psc_ilb_consumer_address.id +} + +resource "google_compute_forwarding_rule" "psc_ilb_target_service" { + provider = "google-beta" + + name = "<%= ctx[:vars]['producer_forwarding_rule_name'] %>" + region = "us-west2" + + load_balancing_scheme = "INTERNAL" + backend_service = google_compute_region_backend_service.producer_service_backend.id + all_ports = true + network = google_compute_network.psc_ilb_network.name + subnetwork = google_compute_subnetwork.psc_ilb_producer_subnetwork.name +} + +resource "google_compute_region_backend_service" "producer_service_backend" { + provider = "google-beta" + + name = "<%= ctx[:vars]['producer_service_name'] %>" + region = "us-west2" + + 
health_checks = [google_compute_health_check.producer_service_health_check.id] +} + +resource "google_compute_health_check" "producer_service_health_check" { + provider = "google-beta" + + name = "<%= ctx[:vars]['producer_health_check_name'] %>" + + check_interval_sec = 1 + timeout_sec = 1 + tcp_health_check { + port = "80" + } +} + +resource "google_compute_network" "psc_ilb_network" { + provider = "google-beta" + + name = "<%= ctx[:vars]['network_name'] %>" + auto_create_subnetworks = false +} + +resource "google_compute_subnetwork" "psc_ilb_producer_subnetwork" { + provider = "google-beta" + + name = "<%= ctx[:vars]['producer_subnetwork_name'] %>" + region = "us-west2" + + network = google_compute_network.psc_ilb_network.id + ip_cidr_range = "10.0.0.0/16" +} + +resource "google_compute_subnetwork" "psc_ilb_nat" { + provider = "google-beta" + + name = "<%= ctx[:vars]['nat_subnetwork_name'] %>" + region = "us-west2" + + network = google_compute_network.psc_ilb_network.id + purpose = "PRIVATE_SERVICE_CONNECT" + ip_cidr_range = "10.1.0.0/16" +} From e26cd24d6ceff444d3e76feca7ed37d907b8faae Mon Sep 17 00:00:00 2001 From: Riley Karson Date: Tue, 8 Jun 2021 15:59:16 -0700 Subject: [PATCH 2/4] Exclude from Ansible, Inspec --- mmv1/products/compute/ansible.yaml | 4 ++++ mmv1/products/compute/inspec.yaml | 2 ++ 2 files changed, 6 insertions(+) diff --git a/mmv1/products/compute/ansible.yaml b/mmv1/products/compute/ansible.yaml index 89e11055469a..9750d749aea7 100644 --- a/mmv1/products/compute/ansible.yaml +++ b/mmv1/products/compute/ansible.yaml @@ -53,6 +53,8 @@ datasources: !ruby/object:Overrides::ResourceOverrides exclude: true RouterNat: !ruby/object:Overrides::Ansible::ResourceOverride exclude: true + ServiceAttachment: !ruby/object:Overrides::Ansible::ResourceOverride + exclude: true SecurityPolicy: !ruby/object:Overrides::Ansible::ResourceOverride exclude: true Zone: !ruby/object:Overrides::Ansible::ResourceOverride 
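Review bot: With `connection_preference = "ACCEPT_MANUAL"` the attachment only admits the single project in `consumer_accept_list` (`658859330310`), yet the consumer endpoint the same example creates (`google_compute_forwarding_rule.psc_ilb_consumer`) lives in whatever project the config is applied to, so unless that project happens to be 658859330310 the endpoint will presumably sit unaccepted — the example does not demonstrate a working manual-accept flow. Consider adding `data "google_project" "project" {}` and using `project_id_or_num = data.google_project.project.number` so the example's own consumer is on the allow list, or state in a comment that the endpoint is expected to remain pending. The literal project numbers in `consumer_reject_list` and `consumer_accept_list` are opaque to a reader and will be copied verbatim; a comment such as `# placeholder consumer project numbers - replace with the projects you want to deny/admit` makes the intent explicit. `connection_limit = 4` also deserves a word, since per the api.yaml description it caps the number of consumer forwarding rules that project may create.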
@@ -400,6 +402,8 @@ overrides: !ruby/object:Overrides::ResourceOverrides exclude: true RouterNat: !ruby/object:Overrides::Ansible::ResourceOverride exclude: true + ServiceAttachment: !ruby/object:Overrides::Ansible::ResourceOverride + exclude: true SecurityPolicy: !ruby/object:Overrides::Ansible::ResourceOverride exclude: true UrlMap: !ruby/object:Overrides::Ansible::ResourceOverride diff --git a/mmv1/products/compute/inspec.yaml b/mmv1/products/compute/inspec.yaml index 5c3418615289..5e9c181ade4f 100644 --- a/mmv1/products/compute/inspec.yaml +++ b/mmv1/products/compute/inspec.yaml @@ -174,6 +174,8 @@ overrides: !ruby/object:Overrides::ResourceOverrides exclude: true RouterBgpPeer: !ruby/object:Overrides::Inspec::ResourceOverride exclude: true + ServiceAttachment: !ruby/object:Overrides::Inspec::ResourceOverride + exclude: true Subnetwork: !ruby/object:Overrides::Inspec::ResourceOverride additional_functions: third_party/inspec/custom_functions/google_compute_subnetwork.erb singular_extra_examples: third_party/inspec/documentation/google_compute_subnetwork.md From 1f28c23db569fe5c3de339c007aed4c1f148bd3f Mon Sep 17 00:00:00 2001 From: Riley Karson Date: Wed, 9 Jun 2021 10:42:07 -0700 Subject: [PATCH 3/4] Fix field names that changed between private and public preview --- mmv1/products/compute/api.yaml | 4 ++-- .../examples/service_attachment_explicit_projects.tf.erb | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/mmv1/products/compute/api.yaml b/mmv1/products/compute/api.yaml index 3d45d9e57cb7..ddea358e90d5 100644 --- a/mmv1/products/compute/api.yaml +++ b/mmv1/products/compute/api.yaml 
@@ -14225,13 +14225,13 @@ objects: address data in TCP connections that traverse proxies on their way to destination servers. - !ruby/object:Api::Type::Array - name: 'consumerRejectList' + name: 'consumerRejectLists' item_type: Api::Type::String description: | An array of projects that are not allowed to connect to this service attachment. - !ruby/object:Api::Type::Array - name: 'consumerAcceptList' + name: 'consumerAcceptLists' description: | An array of projects that are allowed to connect to this service attachment. diff --git a/mmv1/templates/terraform/examples/service_attachment_explicit_projects.tf.erb b/mmv1/templates/terraform/examples/service_attachment_explicit_projects.tf.erb index 2bbf78d8e49e..bc1a4ade7c42 100644 --- a/mmv1/templates/terraform/examples/service_attachment_explicit_projects.tf.erb +++ b/mmv1/templates/terraform/examples/service_attachment_explicit_projects.tf.erb @@ -10,9 +10,9 @@ resource "google_compute_service_attachment" "<%= ctx[:primary_resource_id] %>" nat_subnets = [google_compute_subnetwork.psc_ilb_nat.id] target_service = google_compute_forwarding_rule.psc_ilb_target_service.id - consumer_reject_list = ["673497134629", "482878270665"] + consumer_reject_lists = ["673497134629", "482878270665"] - consumer_accept_list { + consumer_accept_lists { project_id_or_num = "658859330310" connection_limit = 4 } From d0422a3fd9d8aed86f8009da959af11f28c63eff Mon Sep 17 00:00:00 2001 From: Riley Karson Date: Wed, 9 Jun 2021 11:27:25 -0700 Subject: [PATCH 4/4] Add guide --- mmv1/products/compute/api.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mmv1/products/compute/api.yaml b/mmv1/products/compute/api.yaml index ddea358e90d5..7a2a1588b937 100644 --- a/mmv1/products/compute/api.yaml +++ b/mmv1/products/compute/api.yaml 
@@ -14130,7 +14130,7 @@ objects: Represents a ServiceAttachment resource. references: !ruby/object:Api::Resource::ReferenceLinks guides: - 'TODO': 'https://cloud.google.com/' + 'Configuring Private Service Connect to access services': 'https://cloud.google.com/vpc/docs/configure-private-service-connect-services' api: 'https://cloud.google.com/compute/docs/reference/beta/serviceAttachments' async: !ruby/object:Api::OpAsync operation: !ruby/object:Api::OpAsync::Operation