feat: add private service connect module (#368)

* added private-service-connect submodule

* added missing default value to environment_code

* added firewall usage condition

* added private service connect example

* fixed output vars for integration testing

* Docker image devloper tools bumped to 1.4

* added discover_test.go to test/integration. This was required to run tests

* added TestPrivateServiceConnect test

* developer tools version bumped to 1.5

* changed names and variables so it generalize to more escenarios

* updated private service connect example

* added tests for DNS zones, global address and forwarding rule

* added private service connect tests to cloudbuild

* added versions.tf to private service connect example

* fixed reviewed changes

* deleting discover_test.go

* deleting trailing space

* deleted unused comments

* fixed undefined variable at int.cloudbuild.yaml

* changed example network name

* enabled DNS api to test setup

* added DNS admin roles to test service account

* added requirements to private service connect README

* updated Cloud DNS version

* change assert functions from Equal to Equalf

* added provider meta google-beta

* added spaces on example outputs

* fixed typos in module private-service-connect README

* fixed README example

* retargeting output values

* Updated default value and name composition for DNS zones

* added cft support & cft usage on private-service-connect tests

* updated README

* updated int.cloudbuild.yaml

* bumping route example

* Update modules/private-service-connect/README.md

Co-authored-by: Bharath KKB <[email protected]>

Author: maxi-cit

build/int.cloudbuild.yaml

@@ -151,6 +151,21 @@ steps:
     - verify submodule-vpc-serverless-connector-beta
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && source_test_env && init_credentials && cd test/integration && RUN_STAGE=teardown go test -v ./... -p 1 -timeout 0 -run TestSubmoduleServerlessConnector']
+- id: converge private-service-connect
+  waitFor:
+    - create all
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestPrivateServiceConnect --stage apply --verbose']
+- id: verify private-service-connect
+  waitFor:
+    - converge private-service-connect
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestPrivateServiceConnect --stage verify --verbose']
+- id: destroy private-service-connect
+  waitFor:
+    - verify private-service-connect
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestPrivateServiceConnect --stage teardown --verbose']
 tags:
 - 'ci'
 - 'integration'

examples/private_service_connect/README.md

@@ -0,0 +1,26 @@
+# Private Service Connect
+This example configures a single VPC inside a project and enables it to consume a Private Service Connect endpoint.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| project\_id | Project ID for Private Service Connect. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| dns\_zone\_gcr\_name | Name for Managed DNS zone for GCR |
+| dns\_zone\_googleapis\_name | Name for Managed DNS zone for GoogleAPIs |
+| dns\_zone\_pkg\_dev\_name | Name for Managed DNS zone for PKG\_DEV |
+| forwarding\_rule\_name | Forwarding rule resource name. |
+| forwarding\_rule\_target | Target resource to receive the matched traffic. Only `all-apis` and `vpc-sc` are valid. |
+| global\_address\_id | An identifier for the global address created for the private service connect with format `projects/{{project}}/global/addresses/{{name}}` |
+| network\_name | The network name |
+| private\_service\_connect\_ip | The private service connect ip |
+| private\_service\_connect\_name | Private service connect name |
+| project\_id | The project id |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/private_service_connect/main.tf

@@ -0,0 +1,47 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# Whenever a new major version of the network module is released, the
+# version constraint below should be updated, e.g. to ~> 4.0.
+#
+# If that new version includes provider updates, validation of this
+# example may fail until that is done.
+
+module "private_service_connect" {
+  source                     = "../../modules/private-service-connect"
+  project_id                 = var.project_id
+  network_self_link          = module.simple_vpc.network_self_link
+  private_service_connect_ip = "10.3.0.5"
+  forwarding_rule_target     = "all-apis"
+}
+
+module "simple_vpc" {
+  source       = "terraform-google-modules/network/google"
+  version      = "~> 4.0.1"
+  project_id   = var.project_id
+  network_name = "my-custom-network"
+  mtu          = 1460
+
+  subnets = [
+    {
+      subnet_name           = "my-subnetwork"
+      subnet_ip             = "10.0.0.0/24"
+      subnet_region         = "us-west1"
+      subnet_private_access = "true"
+      subnet_flow_logs      = "true"
+    }
+  ]
+}

examples/private_service_connect/outputs.tf

@@ -0,0 +1,65 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "project_id" {
+  value       = var.project_id
+  description = "The project id"
+}
+
+output "network_name" {
+  value       = module.simple_vpc.network_name
+  description = "The network name"
+}
+
+output "private_service_connect_name" {
+  value       = module.private_service_connect.private_service_connect_name
+  description = "Private service connect name"
+}
+
+output "private_service_connect_ip" {
+  value       = module.private_service_connect.private_service_connect_ip
+  description = "The private service connect ip"
+}
+
+output "global_address_id" {
+  value       = module.private_service_connect.global_address_id
+  description = "An identifier for the global address created for the private service connect with format `projects/{{project}}/global/addresses/{{name}}`"
+}
+
+output "forwarding_rule_name" {
+  value       = module.private_service_connect.forwarding_rule_name
+  description = "Forwarding rule resource name."
+}
+
+output "forwarding_rule_target" {
+  value       = module.private_service_connect.forwarding_rule_target
+  description = "Target resource to receive the matched traffic. Only `all-apis` and `vpc-sc` are valid."
+}
+
+output "dns_zone_googleapis_name" {
+  value       = module.private_service_connect.dns_zone_googleapis_name
+  description = "Name for Managed DNS zone for GoogleAPIs"
+}
+
+output "dns_zone_gcr_name" {
+  value       = module.private_service_connect.dns_zone_gcr_name
+  description = "Name for Managed DNS zone for GCR"
+}
+
+output "dns_zone_pkg_dev_name" {
+  value       = module.private_service_connect.dns_zone_pkg_dev_name
+  description = "Name for Managed DNS zone for PKG_DEV"
+}

examples/private_service_connect/variables.tf

@@ -0,0 +1,20 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "Project ID for Private Service Connect."
+  type        = string
+}

examples/private_service_connect/versions.tf

@@ -0,0 +1,29 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_version = ">= 0.13"
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 3.50"
+    }
+    google-beta = {
+      source  = "hashicorp/google-beta"
+      version = ">= 3.50"
+    }
+  }
+}

examples/routes/main.tf

@@ -23,7 +23,7 @@
 # [START vpc_static_route_create]
 module "google_compute_route" {
   source       = "terraform-google-modules/network/google//modules/routes"
-  version      = "~> 3.2.0"
+  version      = "~> 5.0"
   project_id   = var.project_id # Replace this with your project ID in quotes
   network_name = "default"
 

examples/routes/versions.tf

@@ -19,7 +19,7 @@ terraform {
 
   required_providers {
     google = {
-      version = "~> 3.45.0"
+      version = "~> 4.0"
     }
     null = {
       version = "~> 2.1"

modules/private-service-connect/README.md

@@ -0,0 +1,74 @@
+# Private Service Connect
+
+This module enables the usage of [Private Service Connect](https://cloud.google.com/vpc/docs/private-service-connect) for a specific subnetwork.
+
+The resources created/managed by this module are:
+
+- Private DNS zone to configure `private.googleapis.com.`
+- Private DNS zone to configure `gcr.io.`
+- Private DNS zone to configure `pdk.dev.`
+- Global Address resource to configure `Private Service Connect` endpoint
+- Global Forwarding Rule resource to forward traffic to respective HTTP(S) load balancing
+
+## Usage
+
+Basic usage of this module is as follows:
+
+```hcl
+module "private_service_connect" {
+  source                     = "terraform-google-modules/network/google//modules/private_service_connect"
+
+  project_id                 = "<PROJECT_ID>"
+  network_self_link          = "<NETWORK_SELF_LINK>"
+  private_service_connect_ip = "10.3.0.5"
+  forwarding_rule_target     = "all-apis"
+}
+```
+
+Private Service Connect IP must fulfill requirements detailed [here](https://cloud.google.com/vpc/docs/configure-private-service-connect-apis#ip-address-requirements).
+
+Target subnetwork must have Private Google Access enabled.
+
+**Note:**  All egress traffic is allowed from VPC internal networks by default.
+
+If you have a firewall rule blocking egress traffic, you will need to configure a [new egress rule](https://cloud.google.com/vpc/docs/using-firewalls#creating_firewall_rules) with following attributes:
+
+- Direction: Egress
+- Priority: Higher than blocking egress rule
+- Target tags: <FIREWALL_RULE_TAG>
+- Destination filters:
+   - IP ranges: <PRIVATE_SERVICE_CONNECT_IP>
+   - Protocols and ports: tcp:443
+
+## Requirements
+
+- Cloud DNS API must be enabled.
+- Service Account running Terraform must have `dns.managedZones.*` permissions. You can add them by assigning `DNS Admin` default role to the Service Account.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| dns\_code | Code to identify DNS resources in the form of `{dns_code}-{dns_type}` | `string` | `"dz"` | no |
+| forwarding\_rule\_name | Forwarding rule resource name. The forwarding rule name for PSC Google APIs must be an 1-20 characters string with lowercase letters and numbers and must start with a letter. Defaults to `globalrule` | `string` | `"globalrule"` | no |
+| forwarding\_rule\_target | Target resource to receive the matched traffic. Only `all-apis` and `vpc-sc` are valid. | `string` | n/a | yes |
+| network\_self\_link | Network self link for Private Service Connect. | `string` | n/a | yes |
+| private\_service\_connect\_ip | The internal IP to be used for the private service connect. | `string` | n/a | yes |
+| private\_service\_connect\_name | Private Service Connect endpoint name. Defaults to `global-psconnect-ip` | `string` | `"global-psconnect-ip"` | no |
+| project\_id | Project ID for Private Service Connect. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| dns\_zone\_gcr\_name | Name for Managed DNS zone for GCR |
+| dns\_zone\_googleapis\_name | Name for Managed DNS zone for GoogleAPIs |
+| dns\_zone\_pkg\_dev\_name | Name for Managed DNS zone for PKG\_DEV |
+| forwarding\_rule\_name | Forwarding rule resource name. |
+| forwarding\_rule\_target | Target resource to receive the matched traffic. Only `all-apis` and `vpc-sc` are valid. |
+| global\_address\_id | An identifier for the global address created for the private service connect with format `projects/{{project}}/global/addresses/{{name}}` |
+| private\_service\_connect\_ip | Private service connect ip |
+| private\_service\_connect\_name | Private service connect name |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->