From 92245b6f05bf74557c5280e445aa54c845c2b4a8 Mon Sep 17 00:00:00 2001 From: umeshkumhar Date: Thu, 28 Mar 2024 15:56:22 +0530 Subject: [PATCH] create new gcp network module --- applications/rag/workloads.tfvars | 2 +- infrastructure/main.tf | 39 +------ infrastructure/platform.tfvars | 14 +-- .../standard-gke-public.platform.tfvars | 22 +--- modules/cloudsql/main.tf | 9 -- modules/gcp-network/main.tf | 103 ++++++++++++++++++ modules/gcp-network/outputs.tf | 25 +++++ modules/gcp-network/variables.tf | 80 ++++++++++++++ modules/gcp-network/versions.tf | 21 ++++ 9 files changed, 241 insertions(+), 74 deletions(-) create mode 100644 modules/gcp-network/main.tf create mode 100644 modules/gcp-network/outputs.tf create mode 100644 modules/gcp-network/variables.tf create mode 100644 modules/gcp-network/versions.tf diff --git a/applications/rag/workloads.tfvars b/applications/rag/workloads.tfvars index 7fb5cfcf5..9bdb80f61 100644 --- a/applications/rag/workloads.tfvars +++ b/applications/rag/workloads.tfvars @@ -20,7 +20,7 @@ subnetwork_cidr = "10.100.0.0/16" create_cluster = true # Creates a GKE cluster in the specified network. cluster_name = "" cluster_location = "us-central1" -autopilot_cluster = true +autopilot_cluster = false private_cluster = false ## GKE environment variables diff --git a/infrastructure/main.tf b/infrastructure/main.tf index 8eabb0ed2..64000e87b 100644 --- a/infrastructure/main.tf +++ b/infrastructure/main.tf @@ -50,11 +50,11 @@ data "google_compute_subnetwork" "subnetwork" { } module "custom-network" { - source = "terraform-google-modules/network/google" - version = "8.0.0" + source = "../modules/gcp-network" count = var.create_network ? 1 : 0 project_id = var.project_id network_name = var.network_name + create_psa = true subnets = [ { 
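Review bot: `create_psa = true` is hard-coded in the `custom-network` module call, so every network this root module creates now gets a /16 Private Services Access reservation and a servicenetworking peering whether or not a Cloud SQL instance is ever deployed; now that the module exposes a switch it would be cheap to surface it, e.g. `create_psa = var.create_psa` backed by a `create_psa` variable defaulting to `true`. Note also that the version-pinned registry module (`terraform-google-modules/network/google` 8.0.0) is replaced by an unpinned local copy, so the reproducibility guarantee now rests on this repository's own review of `modules/gcp-network`. The `module "custom-network"` block continues past the end of the hunk.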
@@ -67,33 +67,6 @@ module "custom-network" { ] } -// TODO: Migrate to terraform-google-modules/sql-db/google//modules/private_service_access -// once https://github.com/terraform-google-modules/terraform-google-sql-db/issues/585 is resolved. -// We define a VPC peering subnet that will be peered with the -// Cloud SQL instance network. The Cloud SQL instance will -// have a private IP within the provided range. -// https://cloud.google.com/vpc/docs/configure-private-services-access - -resource "google_compute_global_address" "google-managed-services-range" { - count = var.create_network ? 1 : 0 - project = var.project_id - name = "google-managed-services-${var.network_name}" - purpose = "VPC_PEERING" - address_type = "INTERNAL" - prefix_length = 16 - network = module.custom-network[0].network_self_link -} - -# Creates the peering with the producer network. -resource "google_service_networking_connection" "private_service_access" { - count = var.create_network ? 1 : 0 - network = module.custom-network[0].network_self_link - service = "servicenetworking.googleapis.com" - reserved_peering_ranges = [google_compute_global_address.google-managed-services-range[0].name] - # This will enable a successful terraform destroy when destroying CloudSQL instances - deletion_policy = "ABANDON" -} - locals { network_name = var.create_network ? module.custom-network[0].network_name : var.network_name subnetwork_name = var.create_network ? module.custom-network[0].subnets_names[0] : var.subnetwork_name @@ -143,7 +116,7 @@ module "public-gke-standard-cluster" { all_node_pools_labels = var.all_node_pools_labels all_node_pools_metadata = var.all_node_pools_metadata all_node_pools_tags = var.all_node_pools_tags - depends_on = [module.custom-network, google_service_networking_connection.private_service_access] + depends_on = [module.custom-network] } ## create public GKE autopilot 
@@ -168,7 +141,7 @@ module "public-gke-autopilot-cluster" { ip_range_services = var.ip_range_services master_authorized_networks = var.master_authorized_networks deletion_protection = var.deletion_protection - depends_on = [module.custom-network, google_service_networking_connection.private_service_access] + depends_on = [module.custom-network] } @@ -208,7 +181,7 @@ module "private-gke-standard-cluster" { all_node_pools_labels = var.all_node_pools_labels all_node_pools_metadata = var.all_node_pools_metadata all_node_pools_tags = var.all_node_pools_tags - depends_on = [module.custom-network, google_service_networking_connection.private_service_access] + depends_on = [module.custom-network] } ## create private GKE autopilot @@ -234,7 +207,7 @@ module "private-gke-autopilot-cluster" { master_authorized_networks = length(var.master_authorized_networks) == 0 ? [{ cidr_block = "${local.subnetwork_cidr}", display_name = "${local.subnetwork_name}" }] : var.master_authorized_networks master_ipv4_cidr_block = var.master_ipv4_cidr_block deletion_protection = var.deletion_protection - depends_on = [module.custom-network, google_service_networking_connection.private_service_access] + depends_on = [module.custom-network] } diff --git a/infrastructure/platform.tfvars b/infrastructure/platform.tfvars index 48003cc03..1299427f1 100644 --- a/infrastructure/platform.tfvars +++ b/infrastructure/platform.tfvars @@ -42,19 +42,7 @@ cpu_pools = [{ ## make sure required gpu quotas are available in that region enable_gpu = true -gpu_pools = [{ - name = "gpu-pool" - machine_type = "n1-standard-16" - node_locations = "us-central1-a" ## comment to autofill node_location based on cluster_location - autoscaling = true - min_count = 1 - max_count = 3 - disk_size_gb = 100 - disk_type = "pd-standard" - accelerator_count = 2 - accelerator_type = "nvidia-tesla-t4" - gpu_driver_version = "DEFAULT" - }, +gpu_pools = [ { name = "gpu-pool-l4" machine_type = "g2-standard-24" 
diff --git a/infrastructure/tfvars_tests/standard-gke-public.platform.tfvars b/infrastructure/tfvars_tests/standard-gke-public.platform.tfvars index 21c8c2bcc..0204fd50e 100644 --- a/infrastructure/tfvars_tests/standard-gke-public.platform.tfvars +++ b/infrastructure/tfvars_tests/standard-gke-public.platform.tfvars @@ -25,9 +25,9 @@ project_id = "" # subnetwork_cidr = "10.100.0.0/16" # subnetwork_region = "us-central1" -create_network = false -network_name = "default" -subnetwork_name = "default" +create_network = true +network_name = "default-test" +subnetwork_name = "default-test" subnetwork_region = "us-central1" ## gke variables @@ -50,25 +50,11 @@ cpu_pools = [{ ## make sure required gpu quotas are available in the corresponding region enable_gpu = true gpu_pools = [{ - name = "gpu-pool-t4" - machine_type = "n1-standard-16" - node_locations = "us-central1-b,us-central1-c" - autoscaling = true - min_count = 1 - max_count = 3 - disk_size_gb = 100 - enable_gcfs = true - logging_variant = "DEFAULT" - disk_type = "pd-balanced" - accelerator_count = 2 - accelerator_type = "nvidia-tesla-t4" - gpu_driver_version = "LATEST" - }, - { name = "gpu-pool-l4" machine_type = "g2-standard-24" node_locations = "us-central1-a" autoscaling = true + min_count = 2 max_count = 3 accelerator_count = 2 diff --git a/modules/cloudsql/main.tf b/modules/cloudsql/main.tf index b0b24f52a..2ce93450e 100644 --- a/modules/cloudsql/main.tf +++ b/modules/cloudsql/main.tf @@ -12,15 +12,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -# Enabled the SQLAdmin service -resource "google_project_service" "project_service" { - project = var.project_id - service = "sqladmin.googleapis.com" - - disable_dependent_services = false - disable_on_destroy = false -} - resource "random_password" "pwd" { length = 16 special = false diff --git a/modules/gcp-network/main.tf b/modules/gcp-network/main.tf new file mode 100644 index 000000000..0afdba460 
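Review bot: Removing the `google_project_service` for `sqladmin.googleapis.com` means the cloudsql module no longer enables the API it depends on, and nothing else in this patch enables it; on a fresh project, creating the Cloud SQL instance will fail until the API is enabled out of band. If the intent is that the caller owns API enablement, that precondition should be stated in the module, e.g. `# Precondition: sqladmin.googleapis.com must already be enabled in var.project_id` above `resource "random_password" "pwd"`. The removed resource used `disable_on_destroy = false`, so it was harmless on destroy; if it was dropped only to avoid duplicate enablement, consider re-adding it in the root module instead.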
--- /dev/null
+++ b/modules/gcp-network/main.tf
@@ -0,0 +1,103 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+## Create network
+resource "google_compute_network" "network" {
+ project = var.project_id
+ name = var.network_name
+ auto_create_subnetworks = var.auto_create_subnetworks
+ routing_mode = var.routing_mode
+ description = var.description
+}
+
+locals {
+ subnets = {
+ for x in var.subnets :
+ "${x.subnet_region}/${x.subnet_name}" => x
+ }
+}
+
+## Create subnetwork
+resource "google_compute_subnetwork" "subnetwork" {
+ for_each = local.subnets
+ name = each.value.subnet_name
+ ip_cidr_range = each.value.subnet_ip
+ region = each.value.subnet_region
+ private_ip_google_access = lookup(each.value, "subnet_private_access", "false")
+ private_ipv6_google_access = lookup(each.value, "subnet_private_ipv6_access", null)
+ dynamic "log_config" {
+ for_each = coalesce(lookup(each.value, "subnet_flow_logs", null), false) ?
[{
+ aggregation_interval = each.value.subnet_flow_logs_interval
+ flow_sampling = each.value.subnet_flow_logs_sampling
+ metadata = each.value.subnet_flow_logs_metadata
+ filter_expr = each.value.subnet_flow_logs_filter
+ metadata_fields = each.value.subnet_flow_logs_metadata_fields
+ }] : []
+ content {
+ aggregation_interval = log_config.value.aggregation_interval
+ flow_sampling = log_config.value.flow_sampling
+ metadata = log_config.value.metadata
+ filter_expr = log_config.value.filter_expr
+ metadata_fields = log_config.value.metadata == "CUSTOM_METADATA" ? log_config.value.metadata_fields : null
+ }
+ }
+ network = google_compute_network.network.name
+ project = var.project_id
+ description = lookup(each.value, "description", null)
+ dynamic "secondary_ip_range" {
+ for_each = contains(keys(var.secondary_ranges), each.value.subnet_name) == true ? var.secondary_ranges[each.value.subnet_name] : []
+
+ content {
+ range_name = secondary_ip_range.value.range_name
+ ip_cidr_range = secondary_ip_range.value.ip_cidr_range
+ }
+ }
+
+ purpose = lookup(each.value, "purpose", null)
+ role = lookup(each.value, "role", null)
+ stack_type = lookup(each.value, "stack_type", null)
+ ipv6_access_type = lookup(each.value, "ipv6_access_type", null)
+
+ lifecycle {
+ ignore_changes = [ secondary_ip_range ]
+ }
+}
+
+// TODO: Migrate to terraform-google-modules/sql-db/google//modules/private_service_access
+// once https://github.com/terraform-google-modules/terraform-google-sql-db/issues/585 is resolved.
+// We define a VPC peering subnet that will be peered with the
+// Cloud SQL instance network. The Cloud SQL instance will
+// have a private IP within the provided range.
+// https://cloud.google.com/vpc/docs/configure-private-services-access
+
+resource "google_compute_global_address" "google-managed-services-range" {
+ count = var.create_psa ?
1 : 0
+ project = var.project_id
+ name = "google-managed-services-${var.network_name}"
+ purpose = "VPC_PEERING"
+ address_type = "INTERNAL"
+ prefix_length = 16
+ network = google_compute_network.network.self_link
+}
+
+# Creates the peering with the producer network.
+resource "google_service_networking_connection" "private_service_access" {
+ count = var.create_psa ? 1 : 0
+ network = google_compute_network.network.self_link
+ service = "servicenetworking.googleapis.com"
+ reserved_peering_ranges = [google_compute_global_address.google-managed-services-range[0].name]
+ # This will enable a successful terraform destroy when destroying CloudSQL instances
+ deletion_policy = "ABANDON"
+}
diff --git a/modules/gcp-network/outputs.tf b/modules/gcp-network/outputs.tf
new file mode 100644
index 000000000..b22a7a531
--- /dev/null
+++ b/modules/gcp-network/outputs.tf
@@ -0,0 +1,25 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+output "network_name" {
+ value = google_compute_network.network.name
+}
+
+output "subnets_names" {
+ value = [ for sb in google_compute_subnetwork.subnetwork : sb.name ]
+}
+
+output "subnets_ips" {
+ value = [ for sb in google_compute_subnetwork.subnetwork : sb.ip_cidr_range ]
+}
\ No newline at end of file
diff --git a/modules/gcp-network/variables.tf b/modules/gcp-network/variables.tf
new file mode 100644
index 000000000..cec6a4488
--- /dev/null
+++ b/modules/gcp-network/variables.tf
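Review bot: `lifecycle { ignore_changes = [ secondary_ip_range ] }` on `google_compute_subnetwork.subnetwork` means Terraform never reconciles secondary ranges after creation: a range added or removed out of band persists silently, and a later change to `var.secondary_ranges` is not applied even though the `dynamic "secondary_ip_range"` block suggests it is managed here. If that is deliberate (e.g. ranges are expected to be managed by GKE after the fact), say so in a comment such as `# Secondary ranges are intentionally not reconciled after creation; drift is expected` — otherwise drop the lifecycle block. Separately, the PSA reservation hard-codes `prefix_length = 16` and leaves `address` unset, so the peering CIDR is auto-selected and a caller cannot pin it to an approved range, which is usually required once the VPC peers with on-prem or other networks; exposing both as module variables would fit the rest of this module's parameterized style.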
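Review bot: `subnets_names` and `subnets_ips` iterate a `for_each` map keyed `"${region}/${name}"`, so the lists come out in lexical key order rather than in the order of `var.subnets`; the root module's `module.custom-network[0].subnets_names[0]` (visible in the main.tf context lines) therefore selects the alphabetically-first subnet, not necessarily the first one declared, as soon as more than one subnet is passed. Preserving declaration order is a one-line change, e.g. `value = [ for s in var.subnets : google_compute_subnetwork.subnetwork["${s.subnet_region}/${s.subnet_name}"].name ]`, and the same for the CIDR list. The upstream module this replaces also exposed `network_self_link` and `network_id`; if any caller outside this diff still reads those from `module.custom-network`, it will now fail, so consider adding them. The file also lacks a trailing newline.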
@@ -0,0 +1,80 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+variable "project_id" {
+ description = "The ID of the project where this VPC will be created"
+ type = string
+}
+
+variable "network_name" {
+ description = "The name of the network being created"
+ type = string
+}
+
+variable "routing_mode" {
+ type = string
+ default = "GLOBAL"
+ description = "The network routing mode (default 'GLOBAL')"
+}
+
+variable "shared_vpc_host" {
+ type = bool
+ description = "Makes this project a Shared VPC host if 'true' (default 'false')"
+ default = false
+}
+
+variable "description" {
+ type = string
+ description = "An optional description of this resource. The resource must be recreated to modify this field."
+ default = ""
+}
+
+variable "auto_create_subnetworks" {
+ type = bool
+ description = "When set to true, the network is created in 'auto subnet mode' and it will create a subnet for each region automatically across the 10.128.0.0/9 address range. When set to false, the network is created in 'custom subnet mode' so the user can explicitly connect subnetwork resources."
+ default = false
+}
+
+variable "subnets" {
+ type = list(object({
+ subnet_name = string
+ subnet_ip = string
+ subnet_region = string
+ subnet_private_access = optional(string, "false")
+ subnet_private_ipv6_access = optional(string)
+ subnet_flow_logs = optional(string, "false")
+ subnet_flow_logs_interval = optional(string, "INTERVAL_5_SEC")
+ subnet_flow_logs_sampling = optional(string, "0.5")
+ subnet_flow_logs_metadata = optional(string, "INCLUDE_ALL_METADATA")
+ subnet_flow_logs_filter = optional(string, "true")
+ subnet_flow_logs_metadata_fields = optional(list(string), [])
+ description = optional(string)
+ purpose = optional(string)
+ role = optional(string)
+ stack_type = optional(string)
+ ipv6_access_type = optional(string)
+ }))
+ description = "The list of subnets being created"
+}
+
+variable "secondary_ranges" {
+ type = map(list(object({ range_name = string, ip_cidr_range = string })))
+ description = "Secondary ranges that will be used in some of the subnets"
+ default = {}
+}
+
+variable "create_psa" {
+ type = bool
+ description = "Enable PSA for the network"
+}
diff --git a/modules/gcp-network/versions.tf b/modules/gcp-network/versions.tf
new file mode 100644
index 000000000..68a420513
--- /dev/null
+++ b/modules/gcp-network/versions.tf
@@ -0,0 +1,21 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
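Review bot: `shared_vpc_host` is declared here but never referenced in `modules/gcp-network/main.tf`, so setting it to `true` silently does nothing — there is no `google_compute_shared_vpc_host_project` resource behind it. Either drop the variable or wire it up with a `google_compute_shared_vpc_host_project` resource using `count = var.shared_vpc_host ? 1 : 0` and `project = var.project_id`. Also worth calling out in the descriptions: `subnet_private_access` and `subnet_flow_logs` default to the string `"false"`, so a subnet given only name/ip/region is created without Private Google Access and without VPC flow logs; both are questions a security review will ask, so the `subnets` description should state the defaults explicitly, e.g. `# Defaults: Private Google Access off, flow logs off — set subnet_private_access/subnet_flow_logs = "true" to enable`.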
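Review bot: `required_providers` pins only the `source` of the google provider and there is no `required_version`; because `variables.tf` in this module uses `optional()` object attributes with defaults, the module needs Terraform 1.3 or newer and will fail to parse on older CLIs with an unhelpful error. Suggest adding `required_version = ">= 1.3"` to the `terraform` block and a `version` constraint on the google provider; the registry module this replaces was pinned to a fixed version, so leaving both unconstrained is a step back in reproducibility.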