fix: psc endpoints (#875)

* fix psc for dual svpc

* fix psc endpoint for hub-and-spoke

* added integration tests

* updated docs

3-networks-dual-svpc/envs/development/main.tf

@@ -64,22 +64,24 @@ locals {
 module "base_env" {
   source = "../../modules/base_env"
 
-  env                                = local.env
-  environment_code                   = local.environment_code
-  access_context_manager_policy_id   = var.access_context_manager_policy_id
-  members                            = ["serviceAccount:${var.terraform_service_account}"]
-  default_region1                    = local.default_region1
-  default_region2                    = local.default_region2
-  domain                             = var.domain
-  ingress_policies                   = var.ingress_policies
-  egress_policies                    = var.egress_policies
-  enable_partner_interconnect        = false
-  base_private_service_cidr          = local.base_private_service_cidr
-  base_subnet_primary_ranges         = local.base_subnet_primary_ranges
-  base_subnet_secondary_ranges       = local.base_subnet_secondary_ranges
-  restricted_private_service_cidr    = local.restricted_private_service_cidr
-  restricted_subnet_primary_ranges   = local.restricted_subnet_primary_ranges
-  restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges
-  remote_state_bucket                = var.remote_state_bucket
+  env                                   = local.env
+  environment_code                      = local.environment_code
+  access_context_manager_policy_id      = var.access_context_manager_policy_id
+  members                               = ["serviceAccount:${var.terraform_service_account}"]
+  default_region1                       = local.default_region1
+  default_region2                       = local.default_region2
+  domain                                = var.domain
+  ingress_policies                      = var.ingress_policies
+  egress_policies                       = var.egress_policies
+  enable_partner_interconnect           = false
+  base_private_service_cidr             = local.base_private_service_cidr
+  base_subnet_primary_ranges            = local.base_subnet_primary_ranges
+  base_subnet_secondary_ranges          = local.base_subnet_secondary_ranges
+  base_private_service_connect_ip       = "10.2.64.5"
+  restricted_private_service_cidr       = local.restricted_private_service_cidr
+  restricted_subnet_primary_ranges      = local.restricted_subnet_primary_ranges
+  restricted_subnet_secondary_ranges    = local.restricted_subnet_secondary_ranges
+  restricted_private_service_connect_ip = "10.10.64.5"
+  remote_state_bucket                   = var.remote_state_bucket
 
 }

3-networks-dual-svpc/envs/non-production/main.tf

@@ -64,21 +64,23 @@ locals {
 module "base_env" {
   source = "../../modules/base_env"
 
-  env                                = local.env
-  environment_code                   = local.environment_code
-  access_context_manager_policy_id   = var.access_context_manager_policy_id
-  members                            = ["serviceAccount:${var.terraform_service_account}"]
-  default_region1                    = local.default_region1
-  default_region2                    = local.default_region2
-  domain                             = var.domain
-  ingress_policies                   = var.ingress_policies
-  egress_policies                    = var.egress_policies
-  enable_partner_interconnect        = false
-  base_private_service_cidr          = local.base_private_service_cidr
-  base_subnet_primary_ranges         = local.base_subnet_primary_ranges
-  base_subnet_secondary_ranges       = local.base_subnet_secondary_ranges
-  restricted_private_service_cidr    = local.restricted_private_service_cidr
-  restricted_subnet_primary_ranges   = local.restricted_subnet_primary_ranges
-  restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges
-  remote_state_bucket                = var.remote_state_bucket
+  env                                   = local.env
+  environment_code                      = local.environment_code
+  access_context_manager_policy_id      = var.access_context_manager_policy_id
+  members                               = ["serviceAccount:${var.terraform_service_account}"]
+  default_region1                       = local.default_region1
+  default_region2                       = local.default_region2
+  domain                                = var.domain
+  ingress_policies                      = var.ingress_policies
+  egress_policies                       = var.egress_policies
+  enable_partner_interconnect           = false
+  base_private_service_cidr             = local.base_private_service_cidr
+  base_subnet_primary_ranges            = local.base_subnet_primary_ranges
+  base_subnet_secondary_ranges          = local.base_subnet_secondary_ranges
+  base_private_service_connect_ip       = "10.2.128.5"
+  restricted_private_service_cidr       = local.restricted_private_service_cidr
+  restricted_subnet_primary_ranges      = local.restricted_subnet_primary_ranges
+  restricted_subnet_secondary_ranges    = local.restricted_subnet_secondary_ranges
+  restricted_private_service_connect_ip = "10.10.128.5"
+  remote_state_bucket                   = var.remote_state_bucket
 }

3-networks-dual-svpc/envs/production/main.tf

@@ -64,21 +64,23 @@ locals {
 module "base_env" {
   source = "../../modules/base_env"
 
-  env                                = local.env
-  environment_code                   = local.environment_code
-  access_context_manager_policy_id   = var.access_context_manager_policy_id
-  members                            = ["serviceAccount:${var.terraform_service_account}"]
-  default_region1                    = local.default_region1
-  default_region2                    = local.default_region2
-  domain                             = var.domain
-  ingress_policies                   = var.ingress_policies
-  egress_policies                    = var.egress_policies
-  enable_partner_interconnect        = false
-  base_private_service_cidr          = local.base_private_service_cidr
-  base_subnet_primary_ranges         = local.base_subnet_primary_ranges
-  base_subnet_secondary_ranges       = local.base_subnet_secondary_ranges
-  restricted_private_service_cidr    = local.restricted_private_service_cidr
-  restricted_subnet_primary_ranges   = local.restricted_subnet_primary_ranges
-  restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges
-  remote_state_bucket                = var.remote_state_bucket
+  env                                   = local.env
+  environment_code                      = local.environment_code
+  access_context_manager_policy_id      = var.access_context_manager_policy_id
+  members                               = ["serviceAccount:${var.terraform_service_account}"]
+  default_region1                       = local.default_region1
+  default_region2                       = local.default_region2
+  domain                                = var.domain
+  ingress_policies                      = var.ingress_policies
+  egress_policies                       = var.egress_policies
+  enable_partner_interconnect           = false
+  base_private_service_cidr             = local.base_private_service_cidr
+  base_subnet_primary_ranges            = local.base_subnet_primary_ranges
+  base_subnet_secondary_ranges          = local.base_subnet_secondary_ranges
+  base_private_service_connect_ip       = "10.2.192.5"
+  restricted_private_service_cidr       = local.restricted_private_service_cidr
+  restricted_subnet_primary_ranges      = local.restricted_subnet_primary_ranges
+  restricted_subnet_secondary_ranges    = local.restricted_subnet_secondary_ranges
+  restricted_private_service_connect_ip = "10.10.192.5"
+  remote_state_bucket                   = var.remote_state_bucket
 }

3-networks-dual-svpc/modules/base_env/README.md

@@ -5,6 +5,7 @@
 |------|-------------|------|---------|:--------:|
 | access\_context\_manager\_policy\_id | The id of the default Access Context Manager policy created in step `1-org`. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `number` | n/a | yes |
 | base\_private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services in the Base Shared Vpc. | `string` | n/a | yes |
+| base\_private\_service\_connect\_ip | The base subnet internal IP to be used as the private service connect endpoint in the Base Shared VPC | `string` | n/a | yes |
 | base\_subnet\_primary\_ranges | The base subnet primary IPTs ranges to the Base Shared Vpc. | `map(string)` | n/a | yes |
 | base\_subnet\_secondary\_ranges | The base subnet secondary IPTs ranges to the Base Shared Vpc. | `map(list(map(string)))` | n/a | yes |
 | default\_region1 | First subnet region. The shared vpc modules only configures two regions. | `string` | n/a | yes |
@@ -18,6 +19,7 @@
 | members | An allowed list of members (users, service accounts)to be include in the VPC-SC perimeter. The signed-in identity originating the request must be a part of one of the provided members. If not specified, a request may come from any user (logged in/not logged in, etc.). Formats: user:{emailid}, serviceAccount:{emailid} | `list(string)` | n/a | yes |
 | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes |
 | restricted\_private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services in the Restricted Shared Vpc. | `string` | n/a | yes |
+| restricted\_private\_service\_connect\_ip | The base subnet internal IP to be used as the private service connect endpoint in the Restricted Shared VPC | `string` | n/a | yes |
 | restricted\_subnet\_primary\_ranges | The base subnet primary IPTs ranges to the Restricted Shared Vpc. | `map(string)` | n/a | yes |
 | restricted\_subnet\_secondary\_ranges | The base subnet secondary IPTs ranges to the Restricted Shared Vpc | `map(list(map(string)))` | n/a | yes |
 

3-networks-dual-svpc/modules/base_env/main.tf

@@ -91,6 +91,7 @@ module "restricted_shared_vpc" {
   restricted_services              = ["bigquery.googleapis.com", "storage.googleapis.com"]
   members                          = var.members
   private_service_cidr             = var.restricted_private_service_cidr
+  private_service_connect_ip       = var.restricted_private_service_connect_ip
   org_id                           = local.org_id
   parent_folder                    = local.parent_folder
   bgp_asn_subnet                   = local.bgp_asn_number
@@ -130,17 +131,18 @@ module "restricted_shared_vpc" {
 *****************************************/
 
 module "base_shared_vpc" {
-  source               = "../base_shared_vpc"
-  project_id           = local.base_project_id
-  dns_hub_project_id   = local.dns_hub_project_id
-  environment_code     = var.environment_code
-  private_service_cidr = var.base_private_service_cidr
-  org_id               = local.org_id
-  parent_folder        = local.parent_folder
-  default_region1      = var.default_region1
-  default_region2      = var.default_region2
-  domain               = var.domain
-  bgp_asn_subnet       = local.bgp_asn_number
+  source                     = "../base_shared_vpc"
+  project_id                 = local.base_project_id
+  dns_hub_project_id         = local.dns_hub_project_id
+  environment_code           = var.environment_code
+  private_service_cidr       = var.base_private_service_cidr
+  private_service_connect_ip = var.base_private_service_connect_ip
+  org_id                     = local.org_id
+  parent_folder              = local.parent_folder
+  default_region1            = var.default_region1
+  default_region2            = var.default_region2
+  domain                     = var.domain
+  bgp_asn_subnet             = local.bgp_asn_number
 
   subnets = [
     {

3-networks-dual-svpc/modules/base_env/variables.tf

@@ -70,6 +70,11 @@ variable "base_subnet_secondary_ranges" {
   description = "The base subnet secondary IPTs ranges to the Base Shared Vpc."
 }
 
+variable "base_private_service_connect_ip" {
+  type        = string
+  description = "The base subnet internal IP to be used as the private service connect endpoint in the Base Shared VPC"
+}
+
 variable "restricted_private_service_cidr" {
   type        = string
   description = "CIDR range for private service networking. Used for Cloud SQL and other managed services in the Restricted Shared Vpc."
@@ -85,6 +90,11 @@ variable "restricted_subnet_secondary_ranges" {
   description = "The base subnet secondary IPTs ranges to the Restricted Shared Vpc"
 }
 
+variable "restricted_private_service_connect_ip" {
+  type        = string
+  description = "The base subnet internal IP to be used as the private service connect endpoint in the Restricted Shared VPC"
+}
+
 variable "egress_policies" {
   description = "A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference), each list object has a `from` and `to` value that describes egress_from and egress_to.\n\nExample: `[{ from={ identities=[], identity_type=\"ID_TYPE\" }, to={ resources=[], operations={ \"SRV_NAME\"={ OP_TYPE=[] }}}}]`\n\nValid Values:\n`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`\n`SRV_NAME` = \"`*`\" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)\n`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions)"
   type = list(object({

3-networks-dual-svpc/modules/base_shared_vpc/README.md

@@ -23,6 +23,7 @@
 | org\_id | Organization ID | `string` | n/a | yes |
 | parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no |
 | private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | `string` | `null` | no |
+| private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint | `string` | n/a | yes |
 | project\_id | Project ID for Private Shared VPC. | `string` | n/a | yes |
 | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no |
 | subnets | The list of subnets being created | `list(map(string))` | `[]` | no |

3-networks-dual-svpc/modules/base_shared_vpc/private_service_connect.tf

@@ -21,6 +21,6 @@ module "private_service_connect" {
   project_id                 = var.project_id
   dns_code                   = "dz-${var.environment_code}-shared-base"
   network_self_link          = module.main.network_self_link
-  private_service_connect_ip = "10.3.0.5"
+  private_service_connect_ip = var.private_service_connect_ip
   forwarding_rule_target     = "all-apis"
 }

3-networks-dual-svpc/modules/base_shared_vpc/variables.tf

@@ -114,6 +114,11 @@ variable "private_service_cidr" {
   default     = null
 }
 
+variable "private_service_connect_ip" {
+  type        = string
+  description = "Internal IP to be used as the private service connect endpoint"
+}
+
 variable "windows_activation_enabled" {
   type        = bool
   description = "Enable Windows license activation for Windows workloads."

3-networks-dual-svpc/modules/restricted_shared_vpc/README.md

@@ -26,6 +26,7 @@
 | org\_id | Organization ID | `string` | n/a | yes |
 | parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no |
 | private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | `string` | `null` | no |
+| private\_service\_connect\_ip | Internal IP to be used as the private service connect endpoint. | `string` | n/a | yes |
 | project\_id | Project ID for Restricted Shared VPC. | `string` | n/a | yes |
 | project\_number | Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter. | `number` | n/a | yes |
 | restricted\_services | List of services to restrict. | `list(string)` | n/a | yes |

3-networks-dual-svpc/modules/restricted_shared_vpc/private_service_connect.tf

@@ -21,6 +21,6 @@ module "private_service_connect" {
   project_id                 = var.project_id
   dns_code                   = "dz-${var.environment_code}-shared-restricted"
   network_self_link          = module.main.network_self_link
-  private_service_connect_ip = "10.3.0.5"
+  private_service_connect_ip = var.private_service_connect_ip
   forwarding_rule_target     = "vpc-sc"
 }

3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf

@@ -124,6 +124,11 @@ variable "private_service_cidr" {
   default     = null
 }
 
+variable "private_service_connect_ip" {
+  type        = string
+  description = "Internal IP to be used as the private service connect endpoint."
+}
+
 variable "windows_activation_enabled" {
   type        = bool
   description = "Enable Windows license activation for Windows workloads."

3-networks-hub-and-spoke/envs/development/main.tf

@@ -64,22 +64,24 @@ locals {
 module "base_env" {
   source = "../../modules/base_env"
 
-  env                                = local.env
-  environment_code                   = local.environment_code
-  access_context_manager_policy_id   = var.access_context_manager_policy_id
-  members                            = ["serviceAccount:${var.terraform_service_account}"]
-  default_region1                    = local.default_region1
-  default_region2                    = local.default_region2
-  domain                             = var.domain
-  ingress_policies                   = var.ingress_policies
-  egress_policies                    = var.egress_policies
-  enable_partner_interconnect        = false
-  enable_hub_and_spoke_transitivity  = var.enable_hub_and_spoke_transitivity
-  base_private_service_cidr          = local.base_private_service_cidr
-  base_subnet_primary_ranges         = local.base_subnet_primary_ranges
-  base_subnet_secondary_ranges       = local.base_subnet_secondary_ranges
-  restricted_private_service_cidr    = local.restricted_private_service_cidr
-  restricted_subnet_primary_ranges   = local.restricted_subnet_primary_ranges
-  restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges
-  remote_state_bucket                = var.remote_state_bucket
+  env                                   = local.env
+  environment_code                      = local.environment_code
+  access_context_manager_policy_id      = var.access_context_manager_policy_id
+  members                               = ["serviceAccount:${var.terraform_service_account}"]
+  default_region1                       = local.default_region1
+  default_region2                       = local.default_region2
+  domain                                = var.domain
+  ingress_policies                      = var.ingress_policies
+  egress_policies                       = var.egress_policies
+  enable_partner_interconnect           = false
+  enable_hub_and_spoke_transitivity     = var.enable_hub_and_spoke_transitivity
+  base_private_service_cidr             = local.base_private_service_cidr
+  base_subnet_primary_ranges            = local.base_subnet_primary_ranges
+  base_subnet_secondary_ranges          = local.base_subnet_secondary_ranges
+  base_private_service_connect_ip       = "10.2.64.5"
+  restricted_private_service_cidr       = local.restricted_private_service_cidr
+  restricted_subnet_primary_ranges      = local.restricted_subnet_primary_ranges
+  restricted_subnet_secondary_ranges    = local.restricted_subnet_secondary_ranges
+  restricted_private_service_connect_ip = "10.10.64.5"
+  remote_state_bucket                   = var.remote_state_bucket
 }