create new gcp network module

GoogleCloudPlatform · Mar 28, 2024 · 92245b6 · 92245b6
1 parent f514921
commit 92245b6
Show file tree

Hide file tree

Showing 9 changed files with 241 additions and 74 deletions.
diff --git a/applications/rag/workloads.tfvars b/applications/rag/workloads.tfvars
@@ -20,7 +20,7 @@ subnetwork_cidr = "10.100.0.0/16"
 create_cluster    = true # Creates a GKE cluster in the specified network.
 cluster_name      = "<cluster-name>"
 cluster_location  = "us-central1"
-autopilot_cluster = true
+autopilot_cluster = false
 private_cluster   = false
 
 ## GKE environment variables

diff --git a/infrastructure/main.tf b/infrastructure/main.tf
@@ -50,11 +50,11 @@ data "google_compute_subnetwork" "subnetwork" {
 }
 
 module "custom-network" {
-  source       = "terraform-google-modules/network/google"
-  version      = "8.0.0"
+  source       = "../modules/gcp-network"
   count        = var.create_network ? 1 : 0
   project_id   = var.project_id
   network_name = var.network_name
+  create_psa   = true
 
   subnets = [
     {
@@ -67,33 +67,6 @@ module "custom-network" {
   ]
 }
 
-// TODO: Migrate to terraform-google-modules/sql-db/google//modules/private_service_access 
-// once https://github.com/terraform-google-modules/terraform-google-sql-db/issues/585 is resolved.
-// We define a VPC peering subnet that will be peered with the
-// Cloud SQL instance network. The Cloud SQL instance will
-// have a private IP within the provided range.
-// https://cloud.google.com/vpc/docs/configure-private-services-access
-
-resource "google_compute_global_address" "google-managed-services-range" {
-  count         = var.create_network ? 1 : 0
-  project       = var.project_id
-  name          = "google-managed-services-${var.network_name}"
-  purpose       = "VPC_PEERING"
-  address_type  = "INTERNAL"
-  prefix_length = 16
-  network       = module.custom-network[0].network_self_link
-}
-
-# Creates the peering with the producer network.
-resource "google_service_networking_connection" "private_service_access" {
-  count                   = var.create_network ? 1 : 0
-  network                 = module.custom-network[0].network_self_link
-  service                 = "servicenetworking.googleapis.com"
-  reserved_peering_ranges = [google_compute_global_address.google-managed-services-range[0].name]
-  # This will enable a successful terraform destroy when destroying CloudSQL instances
-  deletion_policy = "ABANDON"
-}
-
 locals {
   network_name    = var.create_network ? module.custom-network[0].network_name : var.network_name
   subnetwork_name = var.create_network ? module.custom-network[0].subnets_names[0] : var.subnetwork_name
@@ -143,7 +116,7 @@ module "public-gke-standard-cluster" {
   all_node_pools_labels       = var.all_node_pools_labels
   all_node_pools_metadata     = var.all_node_pools_metadata
   all_node_pools_tags         = var.all_node_pools_tags
-  depends_on                  = [module.custom-network, google_service_networking_connection.private_service_access]
+  depends_on                  = [module.custom-network]
 }
 
 ## create public GKE autopilot
@@ -168,7 +141,7 @@ module "public-gke-autopilot-cluster" {
   ip_range_services          = var.ip_range_services
   master_authorized_networks = var.master_authorized_networks
   deletion_protection        = var.deletion_protection
-  depends_on                 = [module.custom-network, google_service_networking_connection.private_service_access]
+  depends_on                 = [module.custom-network]
 
 }
 
@@ -208,7 +181,7 @@ module "private-gke-standard-cluster" {
   all_node_pools_labels       = var.all_node_pools_labels
   all_node_pools_metadata     = var.all_node_pools_metadata
   all_node_pools_tags         = var.all_node_pools_tags
-  depends_on                  = [module.custom-network, google_service_networking_connection.private_service_access]
+  depends_on                  = [module.custom-network]
 }
 
 ## create private GKE autopilot
@@ -234,7 +207,7 @@ module "private-gke-autopilot-cluster" {
   master_authorized_networks = length(var.master_authorized_networks) == 0 ? [{ cidr_block = "${local.subnetwork_cidr}", display_name = "${local.subnetwork_name}" }] : var.master_authorized_networks
   master_ipv4_cidr_block     = var.master_ipv4_cidr_block
   deletion_protection        = var.deletion_protection
-  depends_on                 = [module.custom-network, google_service_networking_connection.private_service_access]
+  depends_on                 = [module.custom-network]
 }
 
 

diff --git a/infrastructure/platform.tfvars b/infrastructure/platform.tfvars
@@ -42,19 +42,7 @@ cpu_pools = [{
 
 ## make sure required gpu quotas are available in that region
 enable_gpu = true
-gpu_pools = [{
-  name               = "gpu-pool"
-  machine_type       = "n1-standard-16"
-  node_locations     = "us-central1-a" ## comment to autofill node_location based on cluster_location
-  autoscaling        = true
-  min_count          = 1
-  max_count          = 3
-  disk_size_gb       = 100
-  disk_type          = "pd-standard"
-  accelerator_count  = 2
-  accelerator_type   = "nvidia-tesla-t4"
-  gpu_driver_version = "DEFAULT"
-  },
+gpu_pools = [
   {
     name               = "gpu-pool-l4"
     machine_type       = "g2-standard-24"

diff --git a/infrastructure/tfvars_tests/standard-gke-public.platform.tfvars b/infrastructure/tfvars_tests/standard-gke-public.platform.tfvars
@@ -25,9 +25,9 @@ project_id = "<project-id>"
 # subnetwork_cidr   = "10.100.0.0/16"
 # subnetwork_region = "us-central1"
 
-create_network    = false
-network_name      = "default"
-subnetwork_name   = "default"
+create_network    = true
+network_name      = "default-test"
+subnetwork_name   = "default-test"
 subnetwork_region = "us-central1"
 
 ## gke variables
@@ -50,25 +50,11 @@ cpu_pools = [{
 ## make sure required gpu quotas are available in the corresponding region
 enable_gpu = true
 gpu_pools = [{
-  name               = "gpu-pool-t4"
-  machine_type       = "n1-standard-16"
-  node_locations     = "us-central1-b,us-central1-c"
-  autoscaling        = true
-  min_count          = 1
-  max_count          = 3
-  disk_size_gb       = 100
-  enable_gcfs        = true
-  logging_variant    = "DEFAULT"
-  disk_type          = "pd-balanced"
-  accelerator_count  = 2
-  accelerator_type   = "nvidia-tesla-t4"
-  gpu_driver_version = "LATEST"
-  },
-  {
     name               = "gpu-pool-l4"
     machine_type       = "g2-standard-24"
     node_locations     = "us-central1-a"
     autoscaling        = true
+
     min_count          = 2
     max_count          = 3
     accelerator_count  = 2

diff --git a/modules/cloudsql/main.tf b/modules/cloudsql/main.tf
@@ -12,15 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Enabled the SQLAdmin service 
-resource "google_project_service" "project_service" {
-  project = var.project_id
-  service = "sqladmin.googleapis.com"
-
-  disable_dependent_services = false
-  disable_on_destroy         = false
-}
-
 resource "random_password" "pwd" {
   length  = 16
   special = false

diff --git a/modules/gcp-network/main.tf b/modules/gcp-network/main.tf
@@ -0,0 +1,103 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+## Create network
+resource "google_compute_network" "network" {
+  project                                   = var.project_id
+  name                                      = var.network_name
+  auto_create_subnetworks                   = var.auto_create_subnetworks
+  routing_mode                              = var.routing_mode
+  description                               = var.description
+}
+
+locals {
+  subnets = {
+    for x in var.subnets :
+    "${x.subnet_region}/${x.subnet_name}" => x
+  }
+}
+
+## Create subnetwork
+resource "google_compute_subnetwork" "subnetwork" {
+  for_each                   = local.subnets
+  name                       = each.value.subnet_name
+  ip_cidr_range              = each.value.subnet_ip
+  region                     = each.value.subnet_region
+  private_ip_google_access   = lookup(each.value, "subnet_private_access", "false")
+  private_ipv6_google_access = lookup(each.value, "subnet_private_ipv6_access", null)
+  dynamic "log_config" {
+    for_each = coalesce(lookup(each.value, "subnet_flow_logs", null), false) ? [{
+      aggregation_interval = each.value.subnet_flow_logs_interval
+      flow_sampling        = each.value.subnet_flow_logs_sampling
+      metadata             = each.value.subnet_flow_logs_metadata
+      filter_expr          = each.value.subnet_flow_logs_filter
+      metadata_fields      = each.value.subnet_flow_logs_metadata_fields
+    }] : []
+    content {
+      aggregation_interval = log_config.value.aggregation_interval
+      flow_sampling        = log_config.value.flow_sampling
+      metadata             = log_config.value.metadata
+      filter_expr          = log_config.value.filter_expr
+      metadata_fields      = log_config.value.metadata == "CUSTOM_METADATA" ? log_config.value.metadata_fields : null
+    }
+  }
+  network     = google_compute_network.network.name
+  project     = var.project_id
+  description = lookup(each.value, "description", null)
+  dynamic "secondary_ip_range" {
+    for_each = contains(keys(var.secondary_ranges), each.value.subnet_name) == true ? var.secondary_ranges[each.value.subnet_name] : []
+
+    content {
+      range_name    = secondary_ip_range.value.range_name
+      ip_cidr_range = secondary_ip_range.value.ip_cidr_range
+    }
+  }
+
+  purpose          = lookup(each.value, "purpose", null)
+  role             = lookup(each.value, "role", null)
+  stack_type       = lookup(each.value, "stack_type", null)
+  ipv6_access_type = lookup(each.value, "ipv6_access_type", null)
+
+  lifecycle {
+    ignore_changes = [ secondary_ip_range ]
+  }
+}
+
+// TODO: Migrate to terraform-google-modules/sql-db/google//modules/private_service_access 
+// once https://github.com/terraform-google-modules/terraform-google-sql-db/issues/585 is resolved.
+// We define a VPC peering subnet that will be peered with the
+// Cloud SQL instance network. The Cloud SQL instance will
+// have a private IP within the provided range.
+// https://cloud.google.com/vpc/docs/configure-private-services-access
+
+resource "google_compute_global_address" "google-managed-services-range" {
+  count         = var.create_psa ? 1 : 0
+  project       = var.project_id
+  name          = "google-managed-services-${var.network_name}"
+  purpose       = "VPC_PEERING"
+  address_type  = "INTERNAL"
+  prefix_length = 16
+  network       = google_compute_network.network.self_link
+}
+
+# Creates the peering with the producer network.
+resource "google_service_networking_connection" "private_service_access" {
+  count                   = var.create_psa ? 1 : 0
+  network                 = google_compute_network.network.self_link
+  service                 = "servicenetworking.googleapis.com"
+  reserved_peering_ranges = [google_compute_global_address.google-managed-services-range[0].name]
+  # This will enable a successful terraform destroy when destroying CloudSQL instances
+  deletion_policy = "ABANDON"
+}
diff --git a/modules/gcp-network/outputs.tf b/modules/gcp-network/outputs.tf
@@ -0,0 +1,25 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+output "network_name" {
+  value = google_compute_network.network.name
+}
+
+output "subnets_names" {
+  value = [ for sb in google_compute_subnetwork.subnetwork : sb.name ]
+}
+
+output "subnets_ips" {
+  value = [ for sb in google_compute_subnetwork.subnetwork : sb.ip_cidr_range ] 
+}
diff --git a/modules/gcp-network/variables.tf b/modules/gcp-network/variables.tf
@@ -0,0 +1,80 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+variable "project_id" {
+  description = "The ID of the project where this VPC will be created"
+  type        = string
+}
+
+variable "network_name" {
+  description = "The name of the network being created"
+  type        = string
+}
+
+variable "routing_mode" {
+  type        = string
+  default     = "GLOBAL"
+  description = "The network routing mode (default 'GLOBAL')"
+}
+
+variable "shared_vpc_host" {
+  type        = bool
+  description = "Makes this project a Shared VPC host if 'true' (default 'false')"
+  default     = false
+}
+
+variable "description" {
+  type        = string
+  description = "An optional description of this resource. The resource must be recreated to modify this field."
+  default     = ""
+}
+
+variable "auto_create_subnetworks" {
+  type        = bool
+  description = "When set to true, the network is created in 'auto subnet mode' and it will create a subnet for each region automatically across the 10.128.0.0/9 address range. When set to false, the network is created in 'custom subnet mode' so the user can explicitly connect subnetwork resources."
+  default     = false
+}
+
+variable "subnets" {
+  type = list(object({
+    subnet_name                      = string
+    subnet_ip                        = string
+    subnet_region                    = string
+    subnet_private_access            = optional(string, "false")
+    subnet_private_ipv6_access       = optional(string)
+    subnet_flow_logs                 = optional(string, "false")
+    subnet_flow_logs_interval        = optional(string, "INTERVAL_5_SEC")
+    subnet_flow_logs_sampling        = optional(string, "0.5")
+    subnet_flow_logs_metadata        = optional(string, "INCLUDE_ALL_METADATA")
+    subnet_flow_logs_filter          = optional(string, "true")
+    subnet_flow_logs_metadata_fields = optional(list(string), [])
+    description                      = optional(string)
+    purpose                          = optional(string)
+    role                             = optional(string)
+    stack_type                       = optional(string)
+    ipv6_access_type                 = optional(string)
+  }))
+  description = "The list of subnets being created"
+}
+
+variable "secondary_ranges" {
+  type        = map(list(object({ range_name = string, ip_cidr_range = string })))
+  description = "Secondary ranges that will be used in some of the subnets"
+  default     = {}
+}
+
+variable "create_psa" {
+    type = bool
+    description = "Enable PSA for the network"
+}