Skip to content

Added support for NAT64 when configuring Router NAT #13522

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
rileykarson merged 8 commits into from
May 29, 2025
Merged

Added support for NAT64 when configuring Router NAT #13522

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
fc7d484
- Added sourceSubnetworkIpRangesToNat64 and nat64Subnetwork fields to…
matheusaleixo-cit Apr 2, 2025
f91cd7c
- Added default_from_api property to dns64Config field;
matheusaleixo-cit Apr 4, 2025
0a28bc0
Merge branch 'main' into add-new-nat64-support-for-compute-router-nat
matheusaleixo-cit Apr 24, 2025
7e68c99
- Configured dns64Config.scope field as required;
matheusaleixo-cit Apr 25, 2025
c95f143
Merge branch 'main' into add-new-nat64-support-for-compute-router-nat
matheusaleixo-cit May 14, 2025
7d58c0f
Merge branch 'main' into add-new-nat64-support-for-compute-router-nat
matheusaleixo-cit May 15, 2025
0fd4a64
- Promoted new NAT64 fields to GA;
matheusaleixo-cit May 15, 2025
3daaad4
- lint fix
matheusaleixo-cit May 15, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 30 additions & 0 deletions mmv1/products/compute/RouterNat.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -257,6 +257,36 @@ properties:
is_set: true
item_type:
type: String
- name: 'sourceSubnetworkIpRangesToNat64'
type: Enum
description: |
Specify the Nat option for NAT64, which can take one of the following values:
ALL_IPV6_SUBNETWORKS: All of the IP ranges in every Subnetwork are allowed to Nat.
LIST_OF_IPV6_SUBNETWORKS: A list of Subnetworks are allowed to Nat (specified in the field nat64Subnetwork below).
Note that if this field contains NAT64_ALL_V6_SUBNETWORKS no other Router.Nat section in this region can also enable NAT64 for any Subnetworks in this network.
Other Router.Nat sections can still be present to enable NAT44 only.
enum_values:
- 'ALL_IPV6_SUBNETWORKS'
- 'LIST_OF_IPV6_SUBNETWORKS'
- name: 'nat64Subnetwork'
type: Array
description: |
One or more subnetwork NAT configurations whose traffic should be translated by NAT64 Gateway.
Only used if `source_subnetwork_ip_ranges_to_nat64` is set to `LIST_OF_IPV6_SUBNETWORKS`
api_name: nat64Subnetworks
is_set: true
send_empty_value: true
set_hash_func: computeRouterNatSubnetworkHash
item_type:
type: NestedObject
properties:
- name: 'name'
type: ResourceRef
description: 'Self-link of the subnetwork resource that will use NAT64'
required: true
custom_expand: 'templates/terraform/custom_expand/resourceref_with_validation.go.tmpl'
resource: 'Subnetwork'
imports: 'selfLink'
- name: 'minPortsPerVm'
type: Integer
description: |
Expand Down
14 changes: 14 additions & 0 deletions mmv1/products/dns/Policy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -103,6 +103,20 @@ properties:
update_url: 'projects/{{project}}/policies/{{name}}'
update_verb: 'PATCH'
default_value: "Managed by Terraform"
- name: 'dns64Config'
type: NestedObject
default_from_api: true
description: Configurations related to DNS64 for this Policy.
properties:
Copy link
Member

@rileykarson rileykarson Apr 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should these subfields be required or would it be valid to write dns64_config {}? The configurations below seem like we could start w/ required.

Copy link
Contributor Author

@matheusaleixo-cit matheusaleixo-cit Apr 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did some testing and using dns64_config {} causes a permadiff, so I guess we should set it as required.
Setting dns64_config { scope {} } seems to be functional when creating a new resource and when updating existing dns64_config values, so maybe we can keep allQueries as optional?

- name: 'scope'
type: NestedObject
description: The scope to which DNS64 config will be applied to.
required: true
properties:
- name: 'allQueries'
type: Boolean
description: Controls whether DNS64 is enabled globally at the network level.
send_empty_value: true
- name: 'enableInboundForwarding'
type: Boolean
description: |
Expand Down
165 changes: 165 additions & 0 deletions mmv1/third_party/terraform/services/compute/resource_compute_router_nat_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -797,6 +797,38 @@ func testAccCheckComputeRouterNatDelete(t *testing.T, n string) resource.TestChe
}
}

func TestAccComputeRouterNat_withNat64Configuration(t *testing.T) {
t.Parallel()

context := map[string]interface{}{
"random_suffix": acctest.RandString(t, 10),
}

acctest.VcrTest(t, resource.TestCase{
PreCheck: func() { acctest.AccTestPreCheck(t) },
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
CheckDestroy: testAccCheckComputeRouterNatDestroyProducer(t),
Steps: []resource.TestStep{
{
Config: testAccComputeRouterNatWithNat64Configuration(context),
},
{
ResourceName: "google_compute_router_nat.foobar",
ImportState: true,
ImportStateVerify: true,
},
{
Config: testAccComputeRouterNatWithNat64ConfigurationUpdate(context),
},
{
ResourceName: "google_compute_router_nat.foobar",
ImportState: true,
ImportStateVerify: true,
},
},
})
}

func testAccComputeRouterNatBasic(routerName string) string {
return fmt.Sprintf(`
resource "google_compute_network" "foobar" {
Expand Down Expand Up @@ -2047,3 +2079,136 @@ resource "google_compute_router_nat" "foobar" {
}
`, testAccComputeRouterNatBaseResourcesWithPrivateNatSubnetworks(routerName, hubName), routerName)
}

func testAccComputeRouterNatWithNat64Configuration(context map[string]interface{}) string {
return acctest.Nprintf(`
resource "google_dns_policy" "foobar" {
name = "tf-test-example-policy%{random_suffix}"
enable_inbound_forwarding = false
enable_logging = false

dns64_config {
scope {
all_queries = true
}
}
networks {
network_url = google_compute_network.foobar.id
}
}

resource "google_compute_network" "foobar" {
name = "tf-test-network%{random_suffix}"
enable_ula_internal_ipv6 = true
auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "foobar" {
name = "tf-test-subnetwork-%{random_suffix}"
network = google_compute_network.foobar.self_link
ip_cidr_range = "10.0.0.0/16"
region = "us-central1"
}

resource "google_compute_subnetwork" "foobar2" {
name = "tf-test-subnetwork-2-%{random_suffix}"
network = google_compute_network.foobar.self_link
ip_cidr_range = "10.182.0.0/20"
ipv6_access_type = "EXTERNAL"
stack_type = "IPV4_IPV6"
region = "us-central1"
}

resource "google_compute_router" "foobar" {
name = "tf-test-router%{random_suffix}"
region = google_compute_subnetwork.foobar.region
network = google_compute_network.foobar.self_link
bgp {
asn = 64514
}
}

resource "google_compute_router_nat" "foobar" {
name = "tf-test-router-nat%{random_suffix}"
router = google_compute_router.foobar.name
region = google_compute_router.foobar.region
nat_ip_allocate_option = "AUTO_ONLY"

source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
subnetwork {
name = google_compute_subnetwork.foobar.name
source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
}

source_subnetwork_ip_ranges_to_nat64 = "ALL_IPV6_SUBNETWORKS"
}
`, context)
}

func testAccComputeRouterNatWithNat64ConfigurationUpdate(context map[string]interface{}) string {
return acctest.Nprintf(`
resource "google_dns_policy" "foobar" {
name = "tf-test-example-policy%{random_suffix}"
enable_inbound_forwarding = false
enable_logging = false

dns64_config {
scope {
all_queries = true
}
}
networks {
network_url = google_compute_network.foobar.id
}
}

resource "google_compute_network" "foobar" {
name = "tf-test-network%{random_suffix}"
enable_ula_internal_ipv6 = true
auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "foobar" {
name = "tf-test-subnetwork-%{random_suffix}"
network = google_compute_network.foobar.self_link
ip_cidr_range = "10.0.0.0/16"
region = "us-central1"
}

resource "google_compute_subnetwork" "foobar2" {
name = "tf-test-subnetwork-2-%{random_suffix}"
network = google_compute_network.foobar.self_link
ip_cidr_range = "10.182.0.0/20"
ipv6_access_type = "EXTERNAL"
stack_type = "IPV4_IPV6"
region = "us-central1"
}

resource "google_compute_router" "foobar" {
name = "tf-test-router%{random_suffix}"
region = google_compute_subnetwork.foobar.region
network = google_compute_network.foobar.self_link
bgp {
asn = 64514
}
}

resource "google_compute_router_nat" "foobar" {
name = "tf-test-router-nat%{random_suffix}"
router = google_compute_router.foobar.name
region = google_compute_router.foobar.region
nat_ip_allocate_option = "AUTO_ONLY"

source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
subnetwork {
name = google_compute_subnetwork.foobar.name
source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
}

source_subnetwork_ip_ranges_to_nat64 = "LIST_OF_IPV6_SUBNETWORKS"
nat64_subnetwork {
name = google_compute_subnetwork.foobar2.name
}
}
`, context)
}
101 changes: 100 additions & 1 deletion mmv1/third_party/terraform/services/dns/resource_dns_policy_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,10 @@ package dns_test

import (
"fmt"
"github.com/hashicorp/terraform-provider-google/google/acctest"
"testing"

"github.com/hashicorp/terraform-provider-google/google/acctest"

"github.com/hashicorp/terraform-plugin-testing/helper/resource"
)

Expand Down Expand Up @@ -70,3 +71,101 @@ resource "google_compute_network" "network-2" {
}
`, suffix, forwarding, first_nameserver, second_nameserver, network, suffix, suffix)
}

func TestAccDNSPolicy_dnsPolicyDns64(t *testing.T) {
t.Parallel()

context := map[string]interface{}{
"random_suffix": acctest.RandString(t, 10),
}

acctest.VcrTest(t, resource.TestCase{
PreCheck: func() { acctest.AccTestPreCheck(t) },
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
CheckDestroy: testAccCheckDNSPolicyDestroyProducer(t),
Steps: []resource.TestStep{
{
Config: testAccDNSPolicy_dnsPolicyDns64(context),
},
{
ResourceName: "google_dns_policy.example-policy",
ImportState: true,
ImportStateVerify: true,
},
{
Config: testAccDNSPolicy_dnsPolicyDns64Update(context),
},
{
ResourceName: "google_dns_policy.example-policy",
ImportState: true,
ImportStateVerify: true,
},
},
})
}

func testAccDNSPolicy_dnsPolicyDns64(context map[string]interface{}) string {
return acctest.Nprintf(`
resource "google_dns_policy" "example-policy" {
name = "tf-test-example-policy%{random_suffix}"
enable_inbound_forwarding = false

enable_logging = true

dns64_config {
scope {
all_queries = true
}
}

networks {
network_url = google_compute_network.network-1.id
}
networks {
network_url = google_compute_network.network-2.id
}
}

resource "google_compute_network" "network-1" {
name = "tf-test-network-1%{random_suffix}"
auto_create_subnetworks = false
}

resource "google_compute_network" "network-2" {
name = "tf-test-network-2%{random_suffix}"
auto_create_subnetworks = false
}
`, context)
}

func testAccDNSPolicy_dnsPolicyDns64Update(context map[string]interface{}) string {
return acctest.Nprintf(`
resource "google_dns_policy" "example-policy" {
name = "tf-test-example-policy%{random_suffix}"
enable_inbound_forwarding = false

enable_logging = true

dns64_config {
scope {}
}

networks {
network_url = google_compute_network.network-1.id
}
networks {
network_url = google_compute_network.network-2.id
}
}

resource "google_compute_network" "network-1" {
name = "tf-test-network-1%{random_suffix}"
auto_create_subnetworks = false
}

resource "google_compute_network" "network-2" {
name = "tf-test-network-2%{random_suffix}"
auto_create_subnetworks = false
}
`, context)
}
Loading