feat: support IP Masquerade agent (#54)

* feature: support IP Masquerade agent

* feature: support IP Masquerade agent

* feature: support IP Masquerade agent

* feature: support IP Masquerade agent

* feature: private_ip_google_access

Co-authored-by: Bharath KKB <[email protected]>

Author: diegolnasc

build/int.cloudbuild.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-timeout: 3600s
+timeout: 7200s
 steps:
 - id: prepare
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
@@ -30,39 +30,49 @@ steps:
 
 # ----- SUITE simple-composer-env-v1-local
 
-- id: converge simple-composer-env-v1-local
+- id: init-simple-composer-env-v1
   waitFor:
-    - create all
+    - prepare
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestSimpleComposerEnvV1Module --stage init --verbose']
+- id: apply-simple-composer-env-v1
+  waitFor:
+    - init-simple-composer-env-v1
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge simple-composer-env-v1-local']
-- id: verify simple-composer-env-v1-local
+  args: ['/bin/bash', '-c', 'cft test run TestSimpleComposerEnvV1Module --stage apply --verbose']
+- id: verify-simple-composer-env-v1
   waitFor:
-    - converge simple-composer-env-v1-local
+    - apply-simple-composer-env-v1
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify simple-composer-env-v1-local']
-- id: destroy simple-composer-env-v1-local
+  args: ['/bin/bash', '-c', 'cft test run TestSimpleComposerEnvV1Module --stage verify --verbose']
+- id: destroy-simple-composer-env-v1
   waitFor:
-    - verify simple-composer-env-v1-local
+    - verify-simple-composer-env-v1
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy simple-composer-env-v1-local']
+  args: ['/bin/bash', '-c', 'cft test run TestSimpleComposerEnvV1Module --stage destroy --verbose']
 
   # ----- SUITE simple-composer-env-v2-local
 
-- id: converge simple-composer-env-v2-local
+- id: init-simple-composer-env-v2
   waitFor:
-    - create all
+    - prepare
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestSimpleComposerEnvV2Module --stage init --verbose']
+- id: apply-simple-composer-env-v2
+  waitFor:
+    - init-simple-composer-env-v2
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge simple-composer-env-v2-local']
-- id: verify simple-composer-env-v2-local
+  args: ['/bin/bash', '-c', 'cft test run TestSimpleComposerEnvV2Module --stage apply --verbose']
+- id: verify-simple-composer-env-v2
   waitFor:
-    - converge simple-composer-env-v2-local
+    - apply-simple-composer-env-v2
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify simple-composer-env-v2-local']
-- id: destroy simple-composer-env-v2-local
+  args: ['/bin/bash', '-c', 'cft test run TestSimpleComposerEnvV2Module --stage verify --verbose']
+- id: destroy-simple-composer-env-v2
   waitFor:
-    - verify simple-composer-env-v2-local
+    - verify-simple-composer-env-v2
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy simple-composer-env-v2-local']
+  args: ['/bin/bash', '-c', 'cft test run TestSimpleComposerEnvV2Module --stage destroy --verbose']
 
 # ----- SUITE airflow-connection-local
 

kitchen.yml

@@ -24,30 +24,6 @@ platforms:
   - name: local
 
 suites:
-  - name: simple-composer-env-v1
-    driver:
-      name: terraform
-      command_timeout: 3600
-      root_module_directory: test/fixtures/simple-composer-env-v1
-    verifier:
-      name: terraform
-      systems:
-        - name: simple-composer-env-v1
-          backend: local
-    provisioner:
-      name: terraform
-  - name: simple-composer-env-v2
-    driver:
-      name: terraform
-      command_timeout: 3600
-      root_module_directory: test/fixtures/simple-composer-env-v2
-    verifier:
-      name: terraform
-      systems:
-        - name: simple-composer-env-v2
-          backend: local
-    provisioner:
-      name: terraform
   - name: airflow-connection
     driver:
       name: terraform

modules/create_environment_v1/README.md

@@ -32,6 +32,7 @@ module "composer" {
 | composer\_env\_name | Name of Cloud Composer Environment | `string` | n/a | yes |
 | composer\_service\_account | Service Account for running Cloud Composer. | `string` | `null` | no |
 | disk\_size | The disk size for nodes. | `string` | `"100"` | no |
+| enable\_ip\_masq\_agent | Deploys 'ip-masq-agent' daemon set in the GKE cluster and defines nonMasqueradeCIDRs equals to pod IP range so IP masquerading is used for all destination addresses, except between pods traffic. | `bool` | `false` | no |
 | enable\_private\_endpoint | Configure public access to the cluster endpoint. | `bool` | `false` | no |
 | env\_variables | Variables of the airflow environment. | `map(string)` | `{}` | no |
 | image\_version | The version of the aiflow running in the cloud composer environment. | `string` | `null` | no |

modules/create_environment_v1/main.tf

@@ -31,14 +31,15 @@ resource "google_composer_environment" "composer_env" {
     node_count = var.node_count
 
     node_config {
-      zone            = var.zone
-      machine_type    = var.machine_type
-      network         = "projects/${local.network_project_id}/global/networks/${var.network}"
-      subnetwork      = "projects/${local.network_project_id}/regions/${local.subnetwork_region}/subnetworks/${var.subnetwork}"
-      service_account = var.composer_service_account
-      disk_size_gb    = var.disk_size
-      oauth_scopes    = var.oauth_scopes
-      tags            = var.tags
+      zone                 = var.zone
+      machine_type         = var.machine_type
+      network              = "projects/${local.network_project_id}/global/networks/${var.network}"
+      subnetwork           = "projects/${local.network_project_id}/regions/${local.subnetwork_region}/subnetworks/${var.subnetwork}"
+      service_account      = var.composer_service_account
+      disk_size_gb         = var.disk_size
+      oauth_scopes         = var.oauth_scopes
+      tags                 = var.tags
+      enable_ip_masq_agent = var.enable_ip_masq_agent
 
       dynamic "ip_allocation_policy" {
         for_each = var.use_ip_aliases ? [1] : []

modules/create_environment_v1/variables.tf

@@ -100,6 +100,12 @@ variable "tags" {
   default     = []
 }
 
+variable "enable_ip_masq_agent" {
+  description = "Deploys 'ip-masq-agent' daemon set in the GKE cluster and defines nonMasqueradeCIDRs equals to pod IP range so IP masquerading is used for all destination addresses, except between pods traffic."
+  type        = bool
+  default     = false
+}
+
 variable "use_ip_aliases" {
   description = "Enable Alias IPs in the GKE cluster. If true, a VPC-native cluster is created."
   type        = bool

modules/create_environment_v1/versions.tf

@@ -33,4 +33,8 @@ terraform {
     module_name = "blueprints/terraform/terraform-google-composer:create_environment_v1/v3.2.0"
   }
 
+  provider_meta "google-beta" {
+    module_name = "blueprints/terraform/terraform-google-composer:create_environment_v1/v3.2.0"
+  }
+
 }

modules/create_environment_v2/README.md

@@ -22,6 +22,7 @@ module "composer" {
 | cloud\_sql\_ipv4\_cidr | The CIDR block from which IP range in tenant project will be reserved for Cloud SQL. | `string` | `null` | no |
 | composer\_env\_name | Name of Cloud Composer Environment | `string` | n/a | yes |
 | composer\_service\_account | Service Account for running Cloud Composer. | `string` | `null` | no |
+| enable\_ip\_masq\_agent | Deploys 'ip-masq-agent' daemon set in the GKE cluster and defines nonMasqueradeCIDRs equals to pod IP range so IP masquerading is used for all destination addresses, except between pods traffic. | `bool` | `false` | no |
 | enable\_private\_endpoint | Configure public access to the cluster endpoint. | `bool` | `false` | no |
 | env\_variables | Variables of the airflow environment. | `map(string)` | `{}` | no |
 | environment\_size | The environment size controls the performance parameters of the managed Cloud Composer infrastructure that includes the Airflow database. Values for environment size are: ENVIRONMENT\_SIZE\_SMALL, ENVIRONMENT\_SIZE\_MEDIUM, and ENVIRONMENT\_SIZE\_LARGE. | `string` | `"ENVIRONMENT_SIZE_MEDIUM"` | no |

modules/create_environment_v2/main.tf

@@ -37,10 +37,11 @@ resource "google_composer_environment" "composer_env" {
     environment_size = var.environment_size
 
     node_config {
-      network         = "projects/${local.network_project_id}/global/networks/${var.network}"
-      subnetwork      = "projects/${local.network_project_id}/regions/${local.subnetwork_region}/subnetworks/${var.subnetwork}"
-      service_account = var.composer_service_account
-      tags            = var.tags
+      network              = "projects/${local.network_project_id}/global/networks/${var.network}"
+      subnetwork           = "projects/${local.network_project_id}/regions/${local.subnetwork_region}/subnetworks/${var.subnetwork}"
+      service_account      = var.composer_service_account
+      tags                 = var.tags
+      enable_ip_masq_agent = var.enable_ip_masq_agent
 
       dynamic "ip_allocation_policy" {
         for_each = (var.pod_ip_allocation_range_name != null || var.service_ip_allocation_range_name != null) ? [1] : []

modules/create_environment_v2/variables.tf

@@ -42,6 +42,12 @@ variable "tags" {
   default     = []
 }
 
+variable "enable_ip_masq_agent" {
+  description = "Deploys 'ip-masq-agent' daemon set in the GKE cluster and defines nonMasqueradeCIDRs equals to pod IP range so IP masquerading is used for all destination addresses, except between pods traffic."
+  type        = bool
+  default     = false
+}
+
 variable "network" {
   type        = string
   description = "The VPC network to host the composer cluster."

test/fixtures/simple-composer-env-v1/network.tf

@@ -21,11 +21,12 @@ resource "google_compute_network" "main" {
 }
 
 resource "google_compute_subnetwork" "main" {
-  project       = var.project_id
-  name          = "ci-composer-test-${random_string.suffix.result}"
-  ip_cidr_range = "10.0.0.0/17"
-  region        = var.region
-  network       = google_compute_network.main.self_link
+  project                  = var.project_id
+  name                     = "ci-composer-test-${random_string.suffix.result}"
+  ip_cidr_range            = "10.0.0.0/17"
+  region                   = var.region
+  network                  = google_compute_network.main.self_link
+  private_ip_google_access = true
 
   secondary_ip_range {
     range_name    = "ci-composer-test-pods-${random_string.suffix.result}"