Merge branch 'master' into bugfix/firewall-allow-internal

Author: aaron-lane

.kitchen.yml

@@ -64,9 +64,21 @@ suites:
       color: true
       systems:
         - name: local
+          attrs_outputs:
+            customized_inspec_attribute: output_network_name
+            customized_inspec_attribute: output_network_self_link
+            customized_inspec_attribute: output_subnets_ips
+            customized_inspec_attribute: output_routes
+            customized_inspec_attribute: output_subnets_flow_logs
+            customized_inspec_attribute: output_subnets_names
+            customized_inspec_attribute: output_subnets_private_access
+            customized_inspec_attribute: output_subnets_regions
+            customized_inspec_attribute: output_subnets_secondary_ranges
+            customized_inspec_attribute: output_project_id
           backend: local
           controls:
             - gcloud
+            - inspec_attributes
   - name: "multi_vpc"
     driver:
       name: "terraform"
@@ -107,9 +119,21 @@ suites:
           controls:
             - gcp
         - name: local
+          attrs_outputs:
+            customized_inspec_attribute: output_network_name
+            customized_inspec_attribute: output_network_self_link
+            customized_inspec_attribute: output_subnets_ips
+            customized_inspec_attribute: output_routes
+            customized_inspec_attribute: output_subnets_flow_logs
+            customized_inspec_attribute: output_subnets_names
+            customized_inspec_attribute: output_subnets_private_access
+            customized_inspec_attribute: output_subnets_regions
+            customized_inspec_attribute: output_subnets_secondary_ranges
+            customized_inspec_attribute: output_project_id
           backend: local
           controls:
             - gcloud
+            - inspec_attributes
   - name: "submodule_network_peering"
     driver:
       name: "terraform"

CHANGELOG.md

@@ -7,6 +7,18 @@ and this project adheres to [Semantic Versioning][semver-site].
 
 ## [Unreleased]
 
+## [2.0.0] - 2019-12-09
+v2.0.0 is a backwards-incompatible release. Please see the [upgrading guide](./docs/upgrading_to_v2.0.md).
+
+### Added
+
+- Split main module up into vpc, subnets, and routes submodules. [#103]
+
+### Fixed
+
+- Fixes subnet recreation when a subnet is updated. [#73]
+
+
 ## [1.5.0] - 2019-11-06
 
 ### Added
@@ -152,7 +164,8 @@ and this project adheres to [Semantic Versioning][semver-site].
 - Subnets within the VPC
 - Secondary ranges for the subnets (if applicable)
 
-[Unreleased]: https://github.com/terraform-google-modules/terraform-google-network/compare/v1.5.0...HEAD
+[Unreleased]: https://github.com/terraform-google-modules/terraform-google-network/compare/v2.0.0...HEAD
+[2.0.0]: https://github.com/terraform-google-modules/terraform-google-network/compare/v1.5.0...v2.0.0
 [1.5.0]: https://github.com/terraform-google-modules/terraform-google-network/compare/v1.4.3...v1.5.0
 [1.4.3]: https://github.com/terraform-google-modules/terraform-google-network/compare/v1.4.2...v1.4.3
 [1.4.2]: https://github.com/terraform-google-modules/terraform-google-network/compare/v1.4.1...v1.4.2

Makefile

@@ -15,7 +15,7 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
 
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0.5.0
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0.6.0
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
 

README.md

@@ -8,6 +8,8 @@ It supports creating:
 - Subnets within the VPC
 - Secondary ranges for the subnets (if applicable)
 
+Sub modules are provided for creating individual vpc, subnets, and routes. See the modules directory for the various sub modules usage.
+
 ## Compatibility
 
 This module is meant for use with Terraform 0.12. If you haven't [upgraded](https://www.terraform.io/upgrade-guides/0-12.html) and need a Terraform 0.11.x-compatible version of this module, the last released version intended for Terraform 0.11.x is [0.8.0](https://registry.terraform.io/modules/terraform-google-modules/network/google/0.8.0).
@@ -18,7 +20,7 @@ You can go to the examples folder, however the usage of the module could be like
 ```hcl
 module "vpc" {
     source  = "terraform-google-modules/network/google"
-    version = "~> 1.0.0"
+    version = "~> 2.0.0"
 
     project_id   = "<PROJECT ID>"
     network_name = "example-vpc"
@@ -38,6 +40,15 @@ module "vpc" {
             subnet_flow_logs      = "true"
             description           = "This subnet has a description"
         },
+        {
+            subnet_name               = "subnet-03"
+            subnet_ip                 = "10.10.30.0/24"
+            subnet_region             = "us-west1"
+            subnet_flow_logs          = "true"
+            subnet_flow_logs_interval = "INTERVAL_10_MIN"
+            subnet_flow_logs_sampling = 0.7
+            subnet_flow_logs_metadata = "INCLUDE_ALL_METADATA"
+        }
     ]
 
     secondary_ranges = {
@@ -92,7 +103,7 @@ Then perform the following commands on the root folder:
 | routes | List of routes being created in this VPC | list(map(string)) | `<list>` | no |
 | routing\_mode | The network routing mode (default 'GLOBAL') | string | `"GLOBAL"` | no |
 | secondary\_ranges | Secondary ranges that will be used in some of the subnets | object | `<map>` | no |
-| shared\_vpc\_host | Makes this project a Shared VPC host if 'true' (default 'false') | string | `"false"` | no |
+| shared\_vpc\_host | Makes this project a Shared VPC host if 'true' (default 'false') | bool | `"false"` | no |
 | subnets | The list of subnets being created | list(map(string)) | n/a | yes |
 
 ## Outputs
@@ -101,19 +112,20 @@ Then perform the following commands on the root folder:
 |------|-------------|
 | network\_name | The name of the VPC being created |
 | network\_self\_link | The URI of the VPC being created |
-| routes | The routes associated with this VPC |
+| project\_id | VPC project id |
+| route\_names | The route names associated with this VPC |
 | subnets\_flow\_logs | Whether the subnets will have VPC flow logs enabled |
 | subnets\_ips | The IPs and CIDRs of the subnets being created |
 | subnets\_names | The names of the subnets being created |
 | subnets\_private\_access | Whether the subnets will have access to Google API's without a public IP |
 | subnets\_regions | The region where the subnets will be created |
 | subnets\_secondary\_ranges | The secondary ranges associated with these subnets |
 | subnets\_self\_links | The self-links of subnets being created |
-| svpc\_host\_project\_id | Shared VPC host project id. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 ### Subnet Inputs
+
 The subnets list contains maps, where each object represents a subnet. Each map has the following inputs (please see examples folder for additional references):
 
 | Name | Description | Type | Default | Required |
@@ -125,7 +137,8 @@ The subnets list contains maps, where each object represents a subnet. Each map
 | subnet\_flow\_logs  | Whether the subnet will record and send flow log data to logging | string | `"false"` | no |
 
 ### Route Inputs
-The routes list contains maps, where each object represents a route. For the next\_hop\_* inputs, only one is possible to be used in each route. Having two next_hop_* inputs will produce an error. Each map has the following inputs (please see examples folder for additional references):
+
+The routes list contains maps, where each object represents a route. For the next_hop_* inputs, only one is possible to be used in each route. Having two next_hop_* inputs will produce an error. Each map has the following inputs (please see examples folder for additional references):
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
@@ -143,7 +156,7 @@ The routes list contains maps, where each object represents a route. For the nex
 ## Requirements
 ### Installed Software
 - [Terraform](https://www.terraform.io/downloads.html) ~> 0.12.0
-- [Terraform Provider for GCP][terraform-provider-google] ~> 2.10.0
+- [Terraform Provider for GCP][terraform-provider-google] ~> 2.19.0
 - [gcloud](https://cloud.google.com/sdk/gcloud/) >243.0.0
 
 ### Configure a Service Account

build/int.cloudbuild.yaml

@@ -38,4 +38,4 @@ tags:
 - 'integration'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.5.0'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.6.0'

build/lint.cloudbuild.yaml

@@ -21,4 +21,4 @@ tags:
 - 'lint'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.5.0'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.6.0'

docs/upgrading_to_v2.0.md

@@ -0,0 +1,134 @@
+# Upgrading to v2.x
+
+The v2.x release of _google-network_ is a backwards incompatible
+release.
+
+Because v2.x changed how the subnet resource is iterated on, resources in Terraform state need to be migrated in order to avoid the resources from getting destroyed and recreated.
+
+## Migration Instructions
+
+First, upgrade to the new version of this module.
+
+```diff
+ module "kubernetes_engine_private_cluster" {
+   source  = "terraform-google-modules/network/google"
+-  version = "~> 1.5"
++  version = "~> 2.0"
+
+   # ...
+ }
+```
+
+If you run `terraform plan` at this point, Terraform will inform you that it will attempt to delete and recreate your existing subnets. This is almost certainly not the behavior you want.
+
+You will need to migrate your state, either [manually](#manual-migration-steps) or [automatically](#migration-script).
+
+### Migration Script
+
+1.  Download the script:
+
+    ```sh
+    curl -O https://raw.githubusercontent.com/terraform-google-modules/terraform-google-network/master/helpers/migrate.py
+    chmod +x migrate.py
+    ```
+
+2.  Back up your Terraform state:
+
+    ```sh
+    terraform state pull >> state.bak
+    ```
+
+2.  Run the script to output the migration commands:
+
+    ```sh
+    $  ./migrate.py --dryrun
+    terraform state mv 'module.example.module.test-vpc-module-02.google_compute_network.network[0]' 'module.example.module.test-vpc-module-02.module.vpc.google_compute_network.network'
+    terraform state mv 'module.example.module.test-vpc-module-02.google_compute_subnetwork.subnetwork' 'module.example.module.test-vpc-module-02.module.subnets.google_compute_subnetwork.subnetwork'
+    terraform state mv 'module.example.module.test-vpc-module-02.module.subnets.google_compute_subnetwork.subnetwork[0]' 'module.example.module.test-vpc-module-02.module.subnets.google_compute_subnetwork.subnetwork["us-west1/multi-vpc-a1-02-subnet-01"]'
+    terraform state mv 'module.example.module.test-vpc-module-02.module.subnets.google_compute_subnetwork.subnetwork[1]' 'module.example.module.test-vpc-module-02.module.subnets.google_compute_subnetwork.subnetwork["us-west1/multi-vpc-a1-02-subnet-02"]'
+    terraform state mv 'module.example.module.test-vpc-module-02.google_compute_route.route' 'module.example.module.test-vpc-module-02.module.routes.google_compute_route.route'
+    terraform state mv 'module.example.module.test-vpc-module-02.module.routes.google_compute_route.route[0]' 'module.example.module.test-vpc-module-02.module.routes.google_compute_route.route["multi-vpc-a1-02-egress-inet"]'
+    terraform state mv 'module.example.module.test-vpc-module-02.module.routes.google_compute_route.route[1]' 'module.example.module.test-vpc-module-02.module.routes.google_compute_route.route["multi-vpc-a1-02-testapp-proxy"]'
+
+    ```
+
+3.  Execute the migration script:
+
+    ```sh
+    $ ./migrate.py
+    ---- Migrating the following modules:
+    -- module.example.module.test-vpc-module-02
+    ---- Commands to run:
+    Move "module.example.module.test-vpc-module-02.google_compute_network.network[0]" to "module.example.module.test-vpc-module-02.module.vpc.google_compute_network.network"
+    Successfully moved 1 object(s).
+    Move "module.example.module.test-vpc-module-02.google_compute_subnetwork.subnetwork" to "module.example.module.test-vpc-module-02.module.subnets.google_compute_subnetwork.subnetwork"
+    Successfully moved 1 object(s).
+    Move "module.example.module.test-vpc-module-02.module.subnets.google_compute_subnetwork.subnetwork[0]" to "module.example.module.test-vpc-module-02.module.subnets.google_compute_subnetwork.subnetwork[\"us-west1/multi-vpc-a1-02-subnet-01\"]"
+    Successfully moved 1 object(s).
+    Move "module.example.module.test-vpc-module-02.module.subnets.google_compute_subnetwork.subnetwork[1]" to "module.example.module.test-vpc-module-02.module.subnets.google_compute_subnetwork.subnetwork[\"us-west1/multi-vpc-a1-02-subnet-02\"]"
+    Successfully moved 1 object(s).
+    Move "module.example.module.test-vpc-module-02.google_compute_route.route" to "module.example.module.test-vpc-module-02.module.routes.google_compute_route.route"
+    Successfully moved 1 object(s).
+    Move "module.example.module.test-vpc-module-02.module.routes.google_compute_route.route[0]" to "module.example.module.test-vpc-module-02.module.routes.google_compute_route.route[\"multi-vpc-a1-02-egress-inet\"]"
+    Successfully moved 1 object(s).
+    Move "module.example.module.test-vpc-module-02.module.routes.google_compute_route.route[1]" to "module.example.module.test-vpc-module-02.module.routes.google_compute_route.route[\"multi-vpc-a1-02-testapp-proxy\"]"
+    Successfully moved 1 object(s).
+
+    ```
+
+4.  Run `terraform plan` to confirm no changes are expected.
+
+### Manual Migration Steps
+
+In this example here are the commands used migrate the vpc and subnets created by the `simple_project` in the examples directory.  _please note the need to escape the quotes on the new resource_. You may also use the migration script.
+
+-   `terraform state mv module.example.module.test-vpc-module.google_compute_network.network module.example.module.test-vpc-module.module.vpc.google_compute_subnetwork.network`
+
+-   `terraform state mv module.example.module.test-vpc-module.google_compute_subnetwork.subnetwork module.example.module.test-vpc-module.module.subnets.google_compute_subnetwork.subnetwork`
+
+-   `terraform state mv module.example.module.test-vpc-module.module.subnets.google_compute_subnetwork.subnetwork[0] module.example.module.test-vpc-module.module.subnets.google_compute_subnetwork.subnetwork[\"us-west1/simple-project-timh-subnet-01\"]`
+
+-   `terraform state mv module.example.module.test-vpc-module.module.subnets.google_compute_subnetwork.subnetwork[1] module.example.module.test-vpc-module.module.subnets.google_compute_subnetwork.subnetwork[\"us-west1/simple-project-timh-subnet-02\"]`
+
+*You'll notice that because of a terraform [issue](https://github.com/hashicorp/terraform/issues/22301), we need to move the whole resource collection first before renaming to the `for_each` keys*
+
+`terraform plan` should now return a no-op and show no new changes.
+
+```Shell
+$ terraform plan
+Refreshing Terraform state in-memory prior to plan...
+The refreshed state will be used to calculate this plan, but will not be
+persisted to local or remote state storage.
+
+module.example.module.test-vpc-module.google_compute_network.network: Refreshing state... [id=simple-project-timh]
+module.example.module.test-vpc-module.google_compute_subnetwork.subnetwork["us-west1/simple-project-timh-subnet-02"]: Refreshing state... [id=us-west1/simple-project-timh-subnet-02]
+module.example.module.test-vpc-module.google_compute_subnetwork.subnetwork["us-west1/simple-project-timh-subnet-01"]: Refreshing state... [id=us-west1/simple-project-timh-subnet-01]
+
+------------------------------------------------------------------------
+
+No changes. Infrastructure is up-to-date.
+
+This means that Terraform did not detect any differences between your
+configuration and real physical resources that exist. As a result, no
+actions need to be performed.
+```
+
+### Known Issues
+
+If your previous state only contains a **single** subnet or route then `terraform mv` will throw an error similar to the following during migration:
+
+```
+Error: Invalid target address
+
+Cannot move to
+module.example.module.test-vpc-module-01.module.routes.google_compute_route.route["multi-vpc-a1-01-egress-inet"]:
+module.example.module.test-vpc-module-01.module.routes.google_compute_route.route
+does not exist in the current state.
+```
+
+This is due to a terraform mv [issue](https://github.com/hashicorp/terraform/issues/22301)
+
+The workaround is to either
+
+1. Create a temporary subnet or route prior to migration
+2. Manually updating the state file. Update the `index_key` of the appropriate user and push the to the remote state if necessary.

examples/delete_default_gateway_routes/README.md

@@ -18,7 +18,7 @@ This VPC has a single subnet with no secondary ranges, and ensures the default i
 |------|-------------|
 | network\_name | The name of the VPC being created |
 | network\_self\_link | The URI of the VPC being created |
-| routes | The routes associated with this VPC |
+| route\_names | The routes associated with this VPC |
 | subnets\_flow\_logs | Whether the subnets will have VPC flow logs enabled |
 | subnets\_ips | The IP and cidrs of the subnets being created |
 | subnets\_names | The names of the subnets being created |

examples/delete_default_gateway_routes/main.tf

@@ -15,7 +15,7 @@
  */
 
 provider "google" {
-  version = "~> 2.10.0"
+  version = "~> 2.19.0"
 }
 
 provider "null" {

examples/delete_default_gateway_routes/outputs.tf

@@ -54,7 +54,7 @@ output "subnets_secondary_ranges" {
   description = "The secondary ranges associated with these subnets"
 }
 
-output "routes" {
-  value       = module.test-vpc-module.routes
+output "route_names" {
+  value       = module.test-vpc-module.route_names
   description = "The routes associated with this VPC"
 }