Define private-service-access module for peering

The module defines a network peering between a given VPC and the service
networks where Cloud SQL instances are created.

Added tests and modified the example.

Author: mmontan

README.md

@@ -29,6 +29,14 @@ In order to operate with the Service Account you must activate the following API
 
 - Cloud SQL API
 
+In order to use Private Service Access, required for using Private IPs, you must activate
+the following APIs on the project where your VPC resides:
+
+- Cloud SQL Admin API
+- Compute Engine API
+- Service Networking API
+- Cloud Resource Manager API
+
 #### Service Account Credentials
 
 You can pass the service account credentials into this module by setting the following environment variables:

examples/mysql-and-postgres/main.tf

@@ -110,32 +110,19 @@ module "postgresql-db" {
   }]
 }
 
-# We define a VPC peering subnet that will be peered with the
-# Cloud SQL instance network. The Cloud SQL instance will
-# have a private IP within the provided range.
-resource "google_compute_global_address" "google-managed-services-default" {
-  provider      = "google-beta"
-  project       = "${var.project_id}"
-  name          = "private-ip-address"
-  purpose       = "VPC_PEERING"
-  address_type  = "INTERNAL"
-  prefix_length = 16
-  network       = "${google_compute_network.default.self_link}"
-}
-
-# Creates the peering with the producer network.
-resource "google_service_networking_connection" "private_vpc_connection" {
-  provider                = "google-beta"
-  network                 = "${google_compute_network.default.self_link}"
-  service                 = "servicenetworking.googleapis.com"
-  reserved_peering_ranges = ["${google_compute_global_address.google-managed-services-default.name}"]
+// We define a connection with the VPC of the Cloud SQL instance.
+module "private-service-access" {
+  source      = "../../modules/private_service_access"
+  project_id  = "${var.project_id}"
+  vpc_network = "${google_compute_network.default.self_link}"
 }
 
 module "safer-mysql-db" {
   source           = "../../modules/safer_mysql"
   name             = "example-safer-mysql-${random_id.name.hex}"
   database_version = "${var.mysql_version}"
   project_id       = "${var.project_id}"
+  region           = "${var.region}"
   zone             = "c"
 
   # By default, all users will be permitted to connect only via the
@@ -151,8 +138,8 @@ module "safer-mysql-db" {
   assign_public_ip = true
   vpc_network      = "${google_compute_network.default.self_link}"
 
-  # Optional, but used to enforce ordering in the creation of resources.
-  vpc_peering = "${google_service_networking_connection.private_vpc_connection.self_link}"
+  // Used to enforce ordering in the creation of resources.
+  peering_completed = "${module.private-service-access.peering_completed}"
 }
 
 output "mysql_conn" {

kitchen.yml

@@ -42,3 +42,8 @@ suites:
       name: terraform
       root_module_directory: test/fixtures/safer-mysql-simple
       command_timeout: 1800
+  - name: private-service-access
+    driver:
+      name: terraform
+      root_module_directory: test/fixtures/private-service-access
+      command_timeout: 1800

modules/private_service_access/README.md

@@ -0,0 +1,34 @@
+# Submodule for VPC peering Cloud SQL services
+
+MySQL [Private IP](https://cloud.google.com/sql/docs/mysql/private-ip)
+configurations require a special peering between your VPC network and a
+VPC managed by Google. The module supports creating such a peering.
+
+It is sufficient to instantiate this module once for all MySQL instances
+that are connected to the same VPC.
+
+> NOTE: See the linked [documentation](https://cloud.google.com/sql/docs/mysql/private-ip)
+> for all requirements for accessing a MySQL instance via its Private IP.
+
+[^]: (autogen_docs_start)
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| address | First IP address of the IP range to allocate to CLoud SQL instances and other Private Service Access services. If not set, GCP will pick a valid one for you. | string | `""` | no |
+| ip\_version | IP Version for the allocation. Can be IPV4 or IPV6. | string | `""` | no |
+| labels | The key/value labels for the IP range allocated to the peered network. | map | `<map>` | no |
+| prefix\_length | Prefix length of the IP range reserved for Cloud SQL instances and other Private Service Access services. Defaults to /16. | string | `"16"` | no |
+| project\_id | The project ID of the VPC network to peer. This can be a shared VPC host projec. | string | n/a | yes |
+| vpc\_network | Name of the VPC network to peer. | string | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| address | First IP of the reserved range. |
+| google\_compute\_global\_address\_name | URL of the reserved range. |
+| peering\_completed | Use for enforce ordering between resource creation |
+
+[^]: (autogen_docs_end)

modules/private_service_access/main.tf

@@ -0,0 +1,46 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// We define a VPC peering subnet that will be peered with the
+// Cloud SQL instance network. The Cloud SQL instance will
+// have a private IP within the provided range.
+// https://cloud.google.com/vpc/docs/configure-private-services-access
+resource "google_compute_global_address" "google-managed-services-range" {
+  provider      = "google-beta"
+  project       = "${var.project_id}"
+  name          = "google-managed-services-${var.vpc_network}"
+  purpose       = "VPC_PEERING"
+  address       = "${var.address}"
+  prefix_length = "${var.prefix_length}"
+  ip_version    = "${var.ip_version}"
+  labels        = "${var.labels}"
+  address_type  = "INTERNAL"
+  network       = "${var.vpc_network}"
+}
+
+# Creates the peering with the producer network.
+resource "google_service_networking_connection" "private_service_access" {
+  provider                = "google-beta"
+  network                 = "${google_compute_global_address.google-managed-services-range.network}"
+  service                 = "servicenetworking.googleapis.com"
+  reserved_peering_ranges = ["${google_compute_global_address.google-managed-services-range.name}"]
+}
+
+resource "null_resource" "dependency_setter" {
+  depends_on = [
+    "google_service_networking_connection.private_service_access",
+  ]
+}

modules/private_service_access/outputs.tf

@@ -0,0 +1,30 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "address" {
+  value       = "${google_compute_global_address.google-managed-services-range.address}"
+  description = "First IP of the reserved range."
+}
+
+output "google_compute_global_address_name" {
+  value       = "${google_compute_global_address.google-managed-services-range.name}"
+  description = "URL of the reserved range."
+}
+
+output "peering_completed" {
+  value       = "${null_resource.dependency_setter.id}"
+  description = "Use for enforce ordering between resource creation"
+}

modules/private_service_access/variables.tf

@@ -0,0 +1,43 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "The project ID of the VPC network to peer. This can be a shared VPC host projec."
+}
+
+variable "vpc_network" {
+  description = "Name of the VPC network to peer."
+}
+
+variable "address" {
+  description = "First IP address of the IP range to allocate to CLoud SQL instances and other Private Service Access services. If not set, GCP will pick a valid one for you."
+  default     = ""
+}
+
+variable "prefix_length" {
+  description = "Prefix length of the IP range reserved for Cloud SQL instances and other Private Service Access services. Defaults to /16."
+  default     = "16"
+}
+
+variable "ip_version" {
+  description = "IP Version for the allocation. Can be IPV4 or IPV6."
+  default     = ""
+}
+
+variable "labels" {
+  description = "The key/value labels for the IP range allocated to the peered network."
+  default     = {}
+}

modules/safer_mysql/README.md

@@ -168,7 +168,7 @@ mysql -S $HOME/mysql_sockets/myproject:region:instance -u user -p
 | activation\_policy | The activation policy for the master instance. Can be either `ALWAYS`, `NEVER` or `ON_DEMAND`. | string | `"ALWAYS"` | no |
 | additional\_databases | A list of databases to be created in your cluster | list | `<list>` | no |
 | additional\_users | A list of users to be created in your cluster | list | `<list>` | no |
-| assign\_public\_ip | Set tp true if the master instance should also have a public IP. | string | `"false"` | no |
+| assign\_public\_ip | Set to true if the master instance should also have a public IP (less secure). | string | `"false"` | no |
 | authorized\_gae\_applications | The list of authorized App Engine project names | list | `<list>` | no |
 | backup\_configuration | The backup configuration block of the Cloud SQL resources This argument will be passed through the master instance directrly.<br><br>See [more details](https://www.terraform.io/docs/providers/google/r/sql_database_instance.html). | map | `<map>` | no |
 | create\_timeout | The optional timout that is applied to limit long database creates. | string | `"15m"` | no |
@@ -199,8 +199,9 @@ mysql -S $HOME/mysql_sockets/myproject:region:instance -u user -p
 | failover\_replica\_zone | The zone for the failover replica instance, it should be something like: `a`, `c`. | string | `""` | no |
 | maintenance\_window\_day | The day of week (1-7) for the master instance maintenance. | string | `"1"` | no |
 | maintenance\_window\_hour | The hour of day (0-23) maintenance window for the master instance maintenance. | string | `"23"` | no |
-| maintenance\_window\_update\_track | The update track of maintenance window for the master instance maintenance. Can be either `canary` or `stable`. | string | `"canary"` | no |
+| maintenance\_window\_update\_track | The update track of maintenance window for the master instance maintenance. Can be either `canary` or `stable`. | string | `"stable"` | no |
 | name | The name of the Cloud SQL resources | string | n/a | yes |
+| peering\_completed | Optional. This is used to ensure that resources are created in the proper order when using private IPs and service network peering. | string | `""` | no |
 | pricing\_plan | The pricing plan for the master instance. | string | `"PER_USE"` | no |
 | project\_id | The project ID to manage the Cloud SQL resources | string | n/a | yes |
 | read\_replica\_activation\_policy | The activation policy for the read replica instances. Can be either `ALWAYS`, `NEVER` or `ON_DEMAND`. | string | `"ALWAYS"` | no |
@@ -219,14 +220,13 @@ mysql -S $HOME/mysql_sockets/myproject:region:instance -u user -p
 | read\_replica\_tier | The tier for the read replica instances. | string | `""` | no |
 | read\_replica\_user\_labels | The key/value labels for the read replica instances. | map | `<map>` | no |
 | read\_replica\_zones | The zones for the read replica instancess, it should be something like: `a,b,c`. Given zones are used rotationally for creating read replicas. | string | `""` | no |
-| region | The region of the Cloud SQL resources | string | `"us-central1"` | no |
+| region | The region of the Cloud SQL resources | string | n/a | yes |
 | tier | The tier for the master instance. | string | `"db-n1-standard-1"` | no |
 | update\_timeout | The optional timout that is applied to limit long database updates. | string | `"15m"` | no |
 | user\_labels | The key/value labels for the master instances. | map | `<map>` | no |
 | user\_name | The name of the default user | string | `"default"` | no |
 | user\_password | The password for the default user. If not set, a random one will be generated and available in the generated_user_password output variable. | string | `""` | no |
 | vpc\_network | Existing VPC network to which instances are connected. The networks needs to be configured with https://cloud.google.com/vpc/docs/configure-private-services-access. | string | n/a | yes |
-| vpc\_peering | google_service_networking_connection object identifying the peering between the producer network and the project subnet. This is not used, but needed to ensure that elements are created in the proper order | string | n/a | yes |
 | zone | The zone for the master instance, it should be something like: `a`, `c`. | string | n/a | yes |
 
 ## Outputs
@@ -247,4 +247,4 @@ mysql -S $HOME/mysql_sockets/myproject:region:instance -u user -p
 | replicas\_instance\_self\_links | The URIs of the replica instances |
 | replicas\_instance\_service\_account\_email\_addresses | The service account email addresses assigned to the replica instances |
 
-[^]: (autogen_docs_end)
+[^]: (autogen_docs_end)

modules/safer_mysql/main.tf

@@ -32,8 +32,15 @@ module "safer_mysql" {
   maintenance_window_hour         = "${var.maintenance_window_hour}"
   maintenance_window_update_track = "${var.maintenance_window_update_track}"
   database_flags                  = "${var.database_flags}"
-  user_labels                     = "${var.user_labels}"
-  backup_configuration            = "${var.backup_configuration}"
+
+  // Define a label to force a dependency to the creation of the network peering.
+  // Substitute this with a module dependency once the module is migrated to
+  // Terraform 0.12
+  user_labels = "${merge(
+    map("tf_dependency", var.peering_completed),
+    var.user_labels)}"
+
+  backup_configuration = "${var.backup_configuration}"
 
   ip_configuration = [
     {

modules/safer_mysql/variables.tf

@@ -37,8 +37,9 @@ variable "vpc_network" {
   description = "Existing VPC network to which instances are connected. The networks needs to be configured with https://cloud.google.com/vpc/docs/configure-private-services-access."
 }
 
-variable "vpc_peering" {
-  description = "google_service_networking_connection object identifying the peering between the producer network and the project subnet. This is not used, but needed to ensure that elements are created in the proper order"
+variable "peering_completed" {
+  description = "Optional. This is used to ensure that resources are created in the proper order when using private IPs and service network peering."
+  default     = ""
 }
 
 // Master