Merge pull request #3499 from abbas1902/vpc_glowup

Enable optional creation of cloud router/nat for vpcs
GoogleCloudPlatform · Jan 9, 2025 · 110d820 · 110d820
2 parents 23bfeb3 + 7983eb5
commit 110d820
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 5 deletions.
diff --git a/modules/compute/vm-instance/README.md b/modules/compute/vm-instance/README.md
@@ -225,7 +225,7 @@ limitations under the License.
 | <a name="input_metadata"></a> [metadata](#input\_metadata) | Metadata, provided as a map | `map(string)` | `{}` | no |
 | <a name="input_min_cpu_platform"></a> [min\_cpu\_platform](#input\_min\_cpu\_platform) | The name of the minimum CPU platform that you want the instance to use. | `string` | `null` | no |
 | <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | An optional name for all VM and disk resources.<br/>If not supplied, `deployment_name` will be used.<br/>When `name_prefix` is supplied, and `add_deployment_name_before_prefix` is set,<br/>then resources are named by "<`deployment_name`>-<`name_prefix`>-<#>". | `string` | `null` | no |
-| <a name="input_network_interfaces"></a> [network\_interfaces](#input\_network\_interfaces) | A list of network interfaces. The options match that of the terraform<br/>network\_interface block of google\_compute\_instance. For descriptions of the<br/>subfields or more information see the documentation:<br/>https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#nested_network_interface<br/><br/>**\_NOTE:\_** If `network_interfaces` are set, `network_self_link` and<br/>`subnetwork_self_link` will be ignored, even if they are provided through<br/>the `use` field. `bandwidth_tier` and `disable_public_ips` also do not apply<br/>to network interfaces defined in this variable.<br/><br/>Subfields:<br/>network            (string, required if subnetwork is not supplied)<br/>subnetwork         (string, required if network is not supplied)<br/>subnetwork\_project (string, optional)<br/>network\_ip         (string, optional)<br/>nic\_type           (string, optional, choose from ["GVNIC", "VIRTIO\_NET"])<br/>stack\_type         (string, optional, choose from ["IPV4\_ONLY", "IPV4\_IPV6"])<br/>queue\_count        (number, optional)<br/>access\_config      (object, optional)<br/>ipv6\_access\_config (object, optional)<br/>alias\_ip\_range     (list(object), optional) | <pre>list(object({<br/>    network            = string,<br/>    subnetwork         = string,<br/>    subnetwork_project = string,<br/>    network_ip         = string,<br/>    nic_type           = string,<br/>    stack_type         = string,<br/>    queue_count        = number,<br/>    access_config = list(object({<br/>      nat_ip                 = string,<br/>      public_ptr_domain_name = string,<br/>      network_tier           = string<br/>    })),<br/>    ipv6_access_config = list(object({<br/>      public_ptr_domain_name = string,<br/>      network_tier           = string<br/>    })),<br/>    alias_ip_range = list(object({<br/>      ip_cidr_range         = string,<br/>      subnetwork_range_name = string<br/>    }))<br/>  }))</pre> | `[]` | no |
+| <a name="input_network_interfaces"></a> [network\_interfaces](#input\_network\_interfaces) | A list of network interfaces. The options match that of the terraform<br/>network\_interface block of google\_compute\_instance. For descriptions of the<br/>subfields or more information see the documentation:<br/>https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#nested_network_interface<br/><br/>**\_NOTE:\_** If `network_interfaces` are set, `network_self_link` and<br/>`subnetwork_self_link` will be ignored, even if they are provided through<br/>the `use` field. `bandwidth_tier` and `disable_public_ips` also do not apply<br/>to network interfaces defined in this variable.<br/><br/>Subfields:<br/>network            (string, required if subnetwork is not supplied)<br/>subnetwork         (string, required if network is not supplied)<br/>subnetwork\_project (string, optional)<br/>network\_ip         (string, optional)<br/>nic\_type           (string, optional, choose from ["GVNIC", "VIRTIO\_NET", "MRDMA", "IRDMA"])<br/>stack\_type         (string, optional, choose from ["IPV4\_ONLY", "IPV4\_IPV6"])<br/>queue\_count        (number, optional)<br/>access\_config      (object, optional)<br/>ipv6\_access\_config (object, optional)<br/>alias\_ip\_range     (list(object), optional) | <pre>list(object({<br/>    network            = string,<br/>    subnetwork         = string,<br/>    subnetwork_project = string,<br/>    network_ip         = string,<br/>    nic_type           = string,<br/>    stack_type         = string,<br/>    queue_count        = number,<br/>    access_config = list(object({<br/>      nat_ip                 = string,<br/>      public_ptr_domain_name = string,<br/>      network_tier           = string<br/>    })),<br/>    ipv6_access_config = list(object({<br/>      public_ptr_domain_name = string,<br/>      network_tier           = string<br/>    })),<br/>    alias_ip_range = list(object({<br/>      ip_cidr_range         = string,<br/>      subnetwork_range_name = string<br/>    }))<br/>  }))</pre> | `[]` | no |
 | <a name="input_network_self_link"></a> [network\_self\_link](#input\_network\_self\_link) | The self link of the network to attach the VM. Can use "default" for the default network. | `string` | `null` | no |
 | <a name="input_network_storage"></a> [network\_storage](#input\_network\_storage) | An array of network attached storage mounts to be configured. | <pre>list(object({<br/>    server_ip             = string,<br/>    remote_mount          = string,<br/>    local_mount           = string,<br/>    fs_type               = string,<br/>    mount_options         = string,<br/>    client_install_runner = map(string)<br/>    mount_runner          = map(string)<br/>  }))</pre> | `[]` | no |
 | <a name="input_on_host_maintenance"></a> [on\_host\_maintenance](#input\_on\_host\_maintenance) | Describes maintenance behavior for the instance. If left blank this will default to `MIGRATE` except for when `placement_policy`, spot provisioning, or GPUs require it to be `TERMINATE` | `string` | `null` | no |

diff --git a/modules/compute/vm-instance/variables.tf b/modules/compute/vm-instance/variables.tf
@@ -185,7 +185,7 @@ variable "network_interfaces" {
     subnetwork         (string, required if network is not supplied)
     subnetwork_project (string, optional)
     network_ip         (string, optional)
-    nic_type           (string, optional, choose from ["GVNIC", "VIRTIO_NET"])
+    nic_type           (string, optional, choose from ["GVNIC", "VIRTIO_NET", "MRDMA", "IRDMA"])
     stack_type         (string, optional, choose from ["IPV4_ONLY", "IPV4_IPV6"])
     queue_count        (number, optional)
     access_config      (object, optional)

diff --git a/modules/network/vpc/README.md b/modules/network/vpc/README.md
@@ -181,6 +181,7 @@ limitations under the License.
 
 | Name | Type |
 |------|------|
+| [terraform_data.cloud_nat_validation](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
 | [terraform_data.secondary_ranges_validation](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
 
 ## Inputs
@@ -192,6 +193,8 @@ limitations under the License.
 | <a name="input_default_primary_subnetwork_size"></a> [default\_primary\_subnetwork\_size](#input\_default\_primary\_subnetwork\_size) | The size, in CIDR bits, of the default primary subnetwork unless explicitly defined in var.subnetworks | `number` | `15` | no |
 | <a name="input_delete_default_internet_gateway_routes"></a> [delete\_default\_internet\_gateway\_routes](#input\_delete\_default\_internet\_gateway\_routes) | If set, ensure that all routes within the network specified whose names begin with 'default-route' and with a next hop of 'default-internet-gateway' are deleted | `bool` | `false` | no |
 | <a name="input_deployment_name"></a> [deployment\_name](#input\_deployment\_name) | The name of the current deployment | `string` | n/a | yes |
+| <a name="input_enable_cloud_nat"></a> [enable\_cloud\_nat](#input\_enable\_cloud\_nat) | Enable the creation of Cloud NATs. | `bool` | `true` | no |
+| <a name="input_enable_cloud_router"></a> [enable\_cloud\_router](#input\_enable\_cloud\_router) | Enable the creation of a Cloud Router for your VPC. For more information on Cloud Routers see https://cloud.google.com/network-connectivity/docs/router/concepts/overview | `bool` | `true` | no |
 | <a name="input_enable_iap_rdp_ingress"></a> [enable\_iap\_rdp\_ingress](#input\_enable\_iap\_rdp\_ingress) | Enable a firewall rule to allow Windows Remote Desktop Protocol access using IAP tunnels | `bool` | `false` | no |
 | <a name="input_enable_iap_ssh_ingress"></a> [enable\_iap\_ssh\_ingress](#input\_enable\_iap\_ssh\_ingress) | Enable a firewall rule to allow SSH access using IAP tunnels | `bool` | `true` | no |
 | <a name="input_enable_iap_winrm_ingress"></a> [enable\_iap\_winrm\_ingress](#input\_enable\_iap\_winrm\_ingress) | Enable a firewall rule to allow Windows Remote Management (WinRM) access using IAP tunnels | `bool` | `false` | no |

diff --git a/modules/network/vpc/main.tf b/modules/network/vpc/main.tf
@@ -64,7 +64,8 @@ locals {
   ]
 
   # gather the unique regions for purposes of creating Router/NAT
-  regions = distinct([for subnet in local.subnetworks : subnet.subnet_region])
+  cloud_router_regions = var.enable_cloud_router ? distinct([for subnet in local.subnetworks : subnet.subnet_region]) : []
+  cloud_nat_regions    = var.enable_cloud_nat ? local.cloud_router_regions : []
 
   # this comprehension should have 1 and only 1 match
   output_primary_subnetwork               = one([for k, v in module.vpc.subnets : v if k == "${local.subnetworks[0].subnet_region}/${local.subnetworks[0].subnet_name}"])
@@ -177,6 +178,17 @@ module "vpc" {
   network_profile                        = var.network_profile
 }
 
+resource "terraform_data" "cloud_nat_validation" {
+  lifecycle {
+    precondition {
+      condition     = var.enable_cloud_router == true || var.enable_cloud_nat == false
+      error_message = <<-EOD
+        "Cannot have Cloud NAT without a Cloud Router. If you desire Cloud NAT functionality please set `enable_cloud_router` to true."
+      EOD
+    }
+  }
+}
+
 # This use of the module may appear odd when var.ips_per_nat = 0. The module
 # will be called for all regions with subnetworks but names will be set to the
 # empty list. This is a perfectly valid value (the default!). In this scenario,
@@ -188,7 +200,9 @@ module "nat_ip_addresses" {
   source  = "terraform-google-modules/address/google"
   version = "~> 4.1"
 
-  for_each = toset(local.regions)
+  depends_on = [terraform_data.cloud_nat_validation]
+
+  for_each = toset(local.cloud_nat_regions)
 
   project_id = var.project_id
   region     = each.value
@@ -203,7 +217,9 @@ module "cloud_router" {
   source  = "terraform-google-modules/cloud-router/google"
   version = "~> 6.0"
 
-  for_each = toset(local.regions)
+  depends_on = [terraform_data.cloud_nat_validation]
+
+  for_each = toset(local.cloud_router_regions)
 
   project = var.project_id
   name    = "${local.network_name}-router"

diff --git a/modules/network/vpc/variables.tf b/modules/network/vpc/variables.tf
@@ -228,6 +228,18 @@ variable "enable_internal_traffic" {
   default     = true
 }
 
+variable "enable_cloud_router" {
+  type        = bool
+  description = "Enable the creation of a Cloud Router for your VPC. For more information on Cloud Routers see https://cloud.google.com/network-connectivity/docs/router/concepts/overview"
+  default     = true
+}
+
+variable "enable_cloud_nat" {
+  type        = bool
+  description = "Enable the creation of Cloud NATs."
+  default     = true
+}
+
 variable "extra_iap_ports" {
   type        = list(string)
   description = "A list of TCP ports for which to create firewall rules that enable IAP for TCP forwarding (use dedicated enable_iap variables for standard ports)"